2017-09-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222380.
        https://bugs.webkit.org/show_bug.cgi?id=177352

        Octane/box2d shows 8% regression (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG][FTL] Profile array vector length for array allocation"
        https://bugs.webkit.org/show_bug.cgi?id=177051
        http://trac.webkit.org/changeset/222380

2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
        the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
        if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
        the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.

            empty array allocation,

            var array = [];
            array.push(0);
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

            v.s. new_array_buffer case,

            var array = [0];
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

        In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
        we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should collect a profile on the resulting array.

        We select 25 to make it fit one of the size classes.

        In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
        If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
        is larger than 25, we just use it for allocation as before.

        The added microbenchmark and SixSpeed spread-literal.es5 show improvement.

            new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
            spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateProfile):
        (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::vectorLengthHint):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::vectorLengthHint):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
        * runtime/ArrayConventions.h:
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove support for CSS Regions
        https://bugs.webkit.org/show_bug.cgi?id=177287

        Reviewed by Matt Baker.

        * inspector/protocol/CSS.json:
        * inspector/protocol/OverlayTypes.json:

2017-09-21  Brian Burg  <bburg@apple.com>

        Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=177010
        <rdar://problem/33134548>

        Reviewed by Joseph Pecoraro.

        Use "reload from origin" nomenclature instead of "reload ignoring cache".

        * inspector/protocol/Page.json: Improve the comment, but don't change the
        parameter name since this would be a divergence from legacy protocols.

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=177307

        Reviewed by Michael Saboff.

        * runtime/RegExpPrototype.cpp:
        In r221160 we added support for the new RegExp flag (dotAll).
        We needed to make space for it in FlagsString.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC should use unified sources for platform specific files.
        https://bugs.webkit.org/show_bug.cgi?id=177290

        Reviewed by Michael Saboff.

        Add a list of platform specific source files and update the
        Generate Unified Sources phase of the Xcode build. I skipped WPE
        since that seems to have failed for some reason that I didn't
        fully understand. See:
        https://webkit-queues.webkit.org/results/4611260

        Also, fix duplicate symbols in Glib remote inspector files.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformGTK.cmake:
        * PlatformMac.cmake:
        * SourcesGTK.txt: Added.
        * SourcesMac.txt: Added.
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::interfaceInfo):
        (Inspector::RemoteInspectorServer::setTargetList):
        (Inspector::RemoteInspectorServer::setupInspectorClient):
        (Inspector::RemoteInspectorServer::setup):
        (Inspector::RemoteInspectorServer::close):
        (Inspector::RemoteInspectorServer::connectionClosed):
        (Inspector::RemoteInspectorServer::sendMessageToBackend):
        (Inspector::RemoteInspectorServer::sendMessageToFrontend):
        (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.

2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>

        [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
        https://bugs.webkit.org/show_bug.cgi?id=177017

        Reviewed by Alex Christensen.

        * API/JSRemoteInspector.cpp:
        (JSRemoteInspectorSetParentProcessInformation):
        * API/JSRemoteInspector.h:
        * inspector/remote/RemoteInspector.h:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Rename source list file to Sources.txt
        https://bugs.webkit.org/show_bug.cgi?id=177283

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix string capitalization

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC Xcode build should use unified sources for platform independent files
        https://bugs.webkit.org/show_bug.cgi?id=177190

        Reviewed by Saam Barati.

        This patch changes the Xcode build to use unified sources. The
        main difference from a development perspective is that instead of
        adding source files to Xcode they need to be added to the shared
        sources.txt. For now, platform specific files are still added
        to the JavaScriptCore target.

        Because Xcode needs to know about all the files before we generate
        them, all the unified source files need to be added to the
        JavaScriptCore framework target. As a result, if we run out of
        bundle files more will need to be added to the project. Currently,
        there are no spare files. If adding more bundle files becomes
        problematic we can change this.

        LowLevelInterpreter.cpp can't be added to the unified source list yet
        due to a clang bug.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * sources.txt: Added.

2017-09-20  Per Arne Vollan  <pvollan@apple.com>

        [Win] Cannot find script to generate unified sources.
        https://bugs.webkit.org/show_bug.cgi?id=177014

        Reviewed by Keith Miller.

        The ruby script can now be found in WTF/Scripts in the forwarding headers folder.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2017-09-20  Alberto Garcia  <berto@igalia.com>

        Fix HPPA and Alpha builds
        https://bugs.webkit.org/show_bug.cgi?id=177224

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2017-09-18  Filip Pizlo  <fpizlo@apple.com>

        ErrorInstance and Exception need destroy methods
        https://bugs.webkit.org/show_bug.cgi?id=177095

        Reviewed by Saam Barati.

        When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
        follow that type's protocol.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::destroy): Implement this to fix leaks.
        * runtime/ErrorInstance.h:
        * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.

2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=177070

        Reviewed by Saam Barati.

        For security reasons, our global object is an immutable prototype exotic object.
        It prevents users from injecting proxies into the prototype chain of the global object[1].
        But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
        of the global object after instantiating it.

        This patch removes this feature. Once the global object is instantiated, we cannot change [[Prototype]]
        of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
        edge cases.

        [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
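
        The following is an added illustration of the security point in the entry above; it is example code written for this page, not JSC or WebKit code. It shows what a proxy spliced into an object's prototype chain can do to lookups of properties the object does not own (the attack the entry refers to), and how an immutable prototype exotic object refuses a [[Prototype]] change. It uses Object.prototype, which ECMAScript guarantees to be an immutable prototype exotic object, rather than the global object itself, because whether a host's global object has that property depends on the engine (Node's globalThis is an ordinary object). `fakeGlobal` and `makeInterceptingProto` are constructed stand-ins, not JSC identifiers.

```javascript
// Added example (not JSC code): why a mutable [[Prototype]] on the global
// object is dangerous, and what an immutable prototype exotic object does.

// A malicious prototype that answers every lookup. If it could be spliced
// into the global object's prototype chain, any unresolved identifier
// (a misspelled global, a feature-detected API) would be served by it.
function makeInterceptingProto(log) {
  return new Proxy(Object.create(null), {
    has(_target, key) {
      log.push(`has:${String(key)}`);
      return true;
    },
    get(_target, key) {
      log.push(`get:${String(key)}`);
      return `hijacked(${String(key)})`;
    },
  });
}

// Constructed stand-in for a global object whose [[Prototype]] can still be
// changed (the situation the JSC API allowed before this change).
function mutableGlobalDemo() {
  const log = [];
  const fakeGlobal = { realApi: 'ok' };          // ordinary object: prototype is mutable
  Object.setPrototypeOf(fakeGlobal, makeInterceptingProto(log));
  const seen = {
    real: fakeGlobal.realApi,                    // own property: unaffected
    missing: fakeGlobal.crypto_subtle,           // absent: answered by the proxy
    inChain: 'anythingAtAll' in fakeGlobal,      // `in` is answered by the proxy too
  };
  return { seen, log };
}

// Object.prototype is an immutable prototype exotic object (the tc39 commit
// cited above). [[SetPrototypeOf]] to a different value returns false;
// setting it to its current value still succeeds, as the spec requires.
function immutablePrototypeDemo(target = Object.prototype) {
  const current = Object.getPrototypeOf(target);
  const changed = Reflect.setPrototypeOf(target, makeInterceptingProto([]));
  let threw = false;
  try {
    Object.setPrototypeOf(target, {});
  } catch (e) {
    threw = e instanceof TypeError;
  }
  const sameValueOk = Reflect.setPrototypeOf(target, current);
  return {
    changed,                                      // false: attempt rejected
    threw,                                        // true: Object.setPrototypeOf throws TypeError
    sameValueOk,                                  // true: no-op set is permitted
    stillPristine: Object.getPrototypeOf(target) === current,
  };
}
```

        Run under Node or any ES2017+ engine. The first function shows why the prototype chain of a scope object is an attack surface: every miss on the object is routed through the injected proxy, so feature detection and undeclared-variable lookups are silently answered. The second shows the defence the entry describes, applied to the one object every engine makes immutable-prototype.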

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove ToThis more aggressively
        https://bugs.webkit.org/show_bug.cgi?id=177056

        Reviewed by Saam Barati.

        The variations of the toThis() implementation are limited. So we attempt to implement the common toThis operation in AI.
        We move scope related toThis to JSScope::toThis. And AI investigates the proven value/structure's toThis methods
        and attempts to fold/convert to efficient nodes.

        We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
        we can implement JSScope::toThis in DFG. This can avoid the costly toThis indirect function pointer call.

        Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
        watchpoint on JSGlobalObject's globalThis change. But we leave it for a future patch for now.

        This removes GetGlobalThis from ES6 generators in common cases.

        spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetGlobalThis):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
        * runtime/JSGlobalLexicalEnvironment.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::toThis): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addressOfGlobalThis):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::toThis): Deleted.
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::toThis):
        * runtime/JSScope.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThis): Deleted.
        * runtime/StrictEvalActivation.h:

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge JSLexicalEnvironment and JSEnvironmentRecord
        https://bugs.webkit.org/show_bug.cgi?id=175492

        Reviewed by Saam Barati.

        JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
        We can merge JSEnvironmentRecord and JSLexicalEnvironment.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSEnvironmentRecord.cpp: Removed.
        * runtime/JSEnvironmentRecord.h: Removed.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::heapSnapshot):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        (JSC::JSLexicalEnvironment::variables):
        (JSC::JSLexicalEnvironment::isValidScopeOffset):
        (JSC::JSLexicalEnvironment::variableAt):
        (JSC::JSLexicalEnvironment::offsetOfVariables):
        (JSC::JSLexicalEnvironment::offsetOfVariable):
        (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::finishCreationUninitialized):
        (JSC::JSLexicalEnvironment::finishCreation):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::create):
        * runtime/JSObject.h:
        (JSC::JSObject::isEnvironment const):
        (JSC::JSObject::isEnvironmentRecord const): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::checkObjectCoercible):

2017-09-15  Saam Barati  <sbarati@apple.com>

        Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
        https://bugs.webkit.org/show_bug.cgi?id=176981

        Reviewed by Yusuke Suzuki.

        This patch makes inline arity fixup happen in two phases:
        1. We get all the values we need and MovHint them to the expected locals.
        2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
           frame is already set up. If any SetLocal exits, we have a valid exit state.
           This is required because if we didn't do this in two phases, we may exit in
           the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
           we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
           of the frame right before exiting. For example, consider if we need to pad two args:
           [arg3][arg2][arg1][arg0]
           [fix ][fix ][arg3][arg2][arg1][arg0]
           We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
           for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
           [arg3][arg2][arg1][arg2][arg1][arg0]
           And the caller would then just end up thinking its arguments are:
           [arg3][arg2][arg1][arg2]
           which is incorrect.


        This patch also fixes a couple of bugs in IdentityWithProfile:
        1. The bytecode generator for this bytecode intrinsic was written incorrectly.
           It needed to store the result of evaluating its argument in a temporary that
           it creates. Otherwise, it might try to simply overwrite a constant
           or a register that it didn't own.
        2. We weren't eliminating this node in CSE inside the DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGCSEPhase.cpp:

2017-09-15  JF Bastien  <jfbastien@apple.com>

        WTF: use Forward.h when appropriate instead of Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=176984

        Reviewed by Saam Barati.

        There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members, then the header doesn't need to see the definition because the declaration will suffice.

        * bytecode/HandlerInfo.h:
        * heap/GCIncomingRefCounted.h:
        * heap/GCSegmentedArray.h:
        * wasm/js/JSWebAssemblyModule.h:

2017-09-14  Saam Barati  <sbarati@apple.com>

        We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
        https://bugs.webkit.org/show_bug.cgi?id=176863

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):

2017-09-14  Saam Barati  <sbarati@apple.com>

        Make dumping the graph print both when exitOK and !exitOK
        https://bugs.webkit.org/show_bug.cgi?id=176954

        Reviewed by Keith Miller.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        This patch makes it so that we can exit before each SetLocal when doing arity
        fixup during inlining. This is OK because if we exit at any of these SetLocals,
        we will simply exit to the beginning of the call instruction.

        Not doing this led to a bug where FixupPhase would insert a ValueRep of
        a node before the actual node. This is obviously invalid IR. I've added
        a new validation rule to catch this malformed IR.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGValidate.cpp:
        * runtime/Options.h:

2017-09-14  Mark Lam  <mark.lam@apple.com>

        AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
        https://bugs.webkit.org/show_bug.cgi?id=176874
        <rdar://problem/34436415>

        Reviewed by Saam Barati.

        1. Make Probe::Stack play nice with ASan by:

           a. using a local memcpy implementation that suppresses ASan on ASan builds.
              We don't want to use std::memcpy() which validates stack memory because
              we are intentionally copying stack memory beyond the current frame.

           b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
              This ensures that Page::flushWrites() only writes stack memory that was
              modified by a probe.  The probes should only modify stack memory that
              belongs to JSC stack data structures.  We don't want to inadvertently
              modify adjacent words that may belong to ASan (which may happen if
              s_chunkSize is larger than sizeof(uintptr_t)).

           c. fixing a bug in Page dirtyBits management for when the size of the value to
              write is greater than s_chunkSize.  The fix is generic, but in practice,
              this currently only manifests on 32-bit ASan builds because
              sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
              values.

           d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
              s_chunksPerPage we can have even on ASan builds.

        2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

        3. Optimized the implementation of Page::physicalAddressFor().

        4. Optimized the implementation of Stack::set() in the recording of the low
           watermark.  We just record the lowest raw pointer now, and only compute the
           alignment to its chunk boundary later when the low watermark is requested.

        5. Changed a value in testmasm to make the test less vulnerable to rounding issues.

        No new test needed because this is already covered by testmasm with ASan enabled.

        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::copyStackPage):
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesStackValues):

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
        https://bugs.webkit.org/show_bug.cgi?id=176917

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * runtime/Options.h:

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
        https://bugs.webkit.org/show_bug.cgi?id=176867

        Reviewed by Sam Weinig.

        We rarely require private symbols when enumerating property names.
        This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
        is specified, PropertyNameArray does not include private symbols.
        This removes many ad-hoc `Identifier::isPrivateName()` checks in enumeration operations.

        One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
        It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.

            object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/EnumerationMode.h:
        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::propertyNameMode const):
        (JSC::PropertyNameArray::privateSymbolMode const):
        (JSC::PropertyNameArray::addUncheckedInternal):
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::isUidMatchedToTypeMode):
        (JSC::PropertyNameArray::includeSymbolProperties const):
        (JSC::PropertyNameArray::includeStringProperties const):
        (JSC::PropertyNameArray::mode const): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):

2017-09-13  Mark Lam  <mark.lam@apple.com>

        Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
        https://bugs.webkit.org/show_bug.cgi?id=176888
        <rdar://problem/34381832>

        Not reviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe:: const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::CPUState::gpr const): Deleted.
        (JSC::Probe::CPUState::spr const): Deleted.
        (JSC::Probe::Context::arg): Deleted.
        (JSC::Probe::Context::gpr const): Deleted.
        (JSC::Probe::Context::spr const): Deleted.
        (JSC::Probe::Context::fpr const): Deleted.
        * assembler/ProbeFrame.h: Removed.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
        (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::correctJump):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        (JSC::DFG::jsValueFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFor): Deleted.
        (JSC::DFG::saveCalleeSavesFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
724         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
725         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
726         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
727         (JSC::DFG::emitRestoreArguments): Deleted.
728         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
729         (JSC::DFG::reifyInlinedCallFrames): Deleted.
730         (JSC::DFG::adjustAndJumpToTarget): Deleted.
731         (JSC::DFG::printOSRExit): Deleted.
732         * dfg/DFGOSRExit.h:
733         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
734         * dfg/DFGOSRExitCompilerCommon.cpp:
735         * dfg/DFGOSRExitCompilerCommon.h:
736         * dfg/DFGOperations.cpp:
737         * dfg/DFGOperations.h:
738         * dfg/DFGThunks.cpp:
739         (JSC::DFG::osrExitGenerationThunkGenerator):
740         (JSC::DFG::osrExitThunkGenerator): Deleted.
741         * dfg/DFGThunks.h:
742         * jit/AssemblyHelpers.cpp:
743         (JSC::AssemblyHelpers::debugCall):
744         * jit/AssemblyHelpers.h:
745         * jit/JITOperations.cpp:
746         * jit/JITOperations.h:
747         * profiler/ProfilerOSRExit.h:
748         (JSC::Profiler::OSRExit::incCount): Deleted.
749         * runtime/JSCJSValue.h:
750         * runtime/JSCJSValueInlines.h:
751         * runtime/VM.h:
752
753 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
754
755         [JSC] Move class/struct used in other class' member out of anonymous namespace
756         https://bugs.webkit.org/show_bug.cgi?id=176876
757
758         Reviewed by Saam Barati.
759
760         GCC warns if a class has a base or field whose type uses the anonymous namespace
761         and it is defined in an included file. This is because this possibly violates the
762         one definition rule (ODR): if an included file has the anonymous namespace, each
763         translation unit creates its private anonymous namespace. Thus, each type
764         inside the anonymous namespace becomes different in each translation unit if
765         the file is included in multiple translation units.
766
767         While the current use in JSC is not violating ODR since these cpp files are included
768         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
769         the actual bugs. So, in this patch, we just move related classes/structs out of
770         the anonymous namespace.
771
772         * dfg/DFGIntegerCheckCombiningPhase.cpp:
773         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
774         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
775         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
776         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
777         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
778         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
779         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
780         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
781         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
782         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
783         * dfg/DFGLICMPhase.cpp:
784
785 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
786
787         Web Inspector: Event Listeners section does not update when listeners are added/removed
788         https://bugs.webkit.org/show_bug.cgi?id=170570
789         <rdar://problem/31501645>
790
791         Reviewed by Joseph Pecoraro.
792
793         * inspector/protocol/DOM.json:
794         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
795         contain any information about the event listeners that were added/removed. They serve more
796         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
797
798 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
799
800         [JSC] Fix Array allocation in Object.keys
801         https://bugs.webkit.org/show_bug.cgi?id=176826
802
803         Reviewed by Saam Barati.
804
805         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
806         We check isHavingABadTime() in the ownPropertyKeys fast path.
807         And we also ensure, by a test, that ownPropertyKeys uses the putDirect operation instead of put.
808
809         * runtime/ObjectConstructor.cpp:
810         (JSC::ownPropertyKeys):
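
The fast path referred to here, and the reason the later Object.keys entry in this log sends ProxyObject down the generic path, can be observed from JavaScript. This is an added example, not JSC code; traceObjectKeys and sampleTarget are hypothetical names and the target object is constructed for the example.

```javascript
// Added example, not JSC code: record which Proxy traps Object.keys runs.
// For an ordinary object the engine lists the own keys once and then knows
// the result length, so the array can be allocated up front. For a Proxy,
// ownKeys and then one getOwnPropertyDescriptor per string key run user
// code, and the enumerability (hence the final length) is only known at
// the end, which is why that case cannot use the sized fast path.

function traceObjectKeys(target) {
  const trace = [];                       // trap invocations, in order
  const proxy = new Proxy(target, {
    ownKeys(t) {
      trace.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      trace.push("getOwnPropertyDescriptor:" + String(key));
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      // Object.keys never reads property values, so this trap must not fire.
      trace.push("get:" + String(key));
      return Reflect.get(t, key, receiver);
    },
  });
  return { keys: Object.keys(proxy), trace };
}

// Constructed sample: two enumerable keys plus one non-enumerable key that
// ownKeys still reports but the per-key enumerability check then drops.
function sampleTarget() {
  const target = { a: 1, b: 2 };
  Object.defineProperty(target, "hidden", { value: 3, enumerable: false });
  return target;
}
```

Running traceObjectKeys(sampleTarget()) yields keys ["a", "b"] after three getOwnPropertyDescriptor calls, so the result length is not known until the last descriptor has been fetched.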
811
812 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
813
814         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
815         https://bugs.webkit.org/show_bug.cgi?id=176010
816
817         Reviewed by Filip Pizlo.
818
819         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
820         It is used for the meta property of objects (see the peekMeta function in Ember.js).
821
822         This patch optimizes WeakMap#get.
823
824         1. We use inlineGet to inline WeakMap#get operation in the native function.
825         Since this native function itself is very small, we should inline HashMap#get
826         entirely in this function.
827
828         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
829         very quickly. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
830         to drop unnecessary type checking. We add fixup rules for the WeakMapGet DFG node by using WeakMapObjectUse,
831         ObjectUse, and Int32Use.
832
833         3. We add an intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
834         calculate the hash value for the key's Object and use this hash value to look up the value from
835         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
836         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
837         But anyway, the current one already optimizes the performance, so we leave this for subsequent
838         patches.
839
840         We currently do not implement any other intrinsics (like WeakMap#has, WeakSet) because they are
841         not used in Ember.js right now.
842
843         This patch optimizes WeakMap#get by 50%.
844
845                                  baseline                  patched
846
847         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
848
849         * bytecode/DirectEvalCodeCache.h:
850         (JSC::DirectEvalCodeCache::tryGet):
851         * bytecode/SpeculatedType.cpp:
852         (JSC::dumpSpeculation):
853         (JSC::speculationFromClassInfo):
854         (JSC::speculationFromJSType):
855         (JSC::speculationFromString):
856         * bytecode/SpeculatedType.h:
857         * dfg/DFGAbstractInterpreterInlines.h:
858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
859         * dfg/DFGByteCodeParser.cpp:
860         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
861         * dfg/DFGClobberize.h:
862         (JSC::DFG::clobberize):
863         * dfg/DFGDoesGC.cpp:
864         (JSC::DFG::doesGC):
865         * dfg/DFGFixupPhase.cpp:
866         (JSC::DFG::FixupPhase::fixupNode):
867         * dfg/DFGHeapLocation.cpp:
868         (WTF::printInternal):
869         * dfg/DFGHeapLocation.h:
870         * dfg/DFGNode.h:
871         (JSC::DFG::Node::hasHeapPrediction):
872         * dfg/DFGNodeType.h:
873         * dfg/DFGOperations.cpp:
874         * dfg/DFGOperations.h:
875         * dfg/DFGPredictionPropagationPhase.cpp:
876         * dfg/DFGSafeToExecute.h:
877         (JSC::DFG::SafeToExecuteEdge::operator()):
878         (JSC::DFG::safeToExecute):
879         * dfg/DFGSpeculativeJIT.cpp:
880         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
881         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
882         (JSC::DFG::SpeculativeJIT::speculate):
883         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
884         * dfg/DFGSpeculativeJIT.h:
885         (JSC::DFG::SpeculativeJIT::callOperation):
886         * dfg/DFGSpeculativeJIT32_64.cpp:
887         (JSC::DFG::SpeculativeJIT::compile):
888         * dfg/DFGSpeculativeJIT64.cpp:
889         (JSC::DFG::SpeculativeJIT::compile):
890         * dfg/DFGUseKind.cpp:
891         (WTF::printInternal):
892         * dfg/DFGUseKind.h:
893         (JSC::DFG::typeFilterFor):
894         (JSC::DFG::isCell):
895         * ftl/FTLCapabilities.cpp:
896         (JSC::FTL::canCompile):
897         * ftl/FTLLowerDFGToB3.cpp:
898         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
899         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
900         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
901         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
902         (JSC::FTL::DFG::LowerDFGToB3::speculate):
903         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
904         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
905         * jit/JITOperations.h:
906         * runtime/HashMapImpl.h:
907         (JSC::WeakMapHash::hash):
908         (JSC::WeakMapHash::equal):
909         * runtime/Intrinsic.cpp:
910         (JSC::intrinsicName):
911         * runtime/Intrinsic.h:
912         * runtime/JSType.h:
913         * runtime/JSWeakMap.h:
914         (JSC::isJSWeakMap):
915         * runtime/JSWeakSet.h:
916         (JSC::isJSWeakSet):
917         * runtime/WeakMapBase.cpp:
918         (JSC::WeakMapBase::get):
919         * runtime/WeakMapBase.h:
920         (JSC::WeakMapBase::HashTranslator::hash):
921         (JSC::WeakMapBase::HashTranslator::equal):
922         (JSC::WeakMapBase::inlineGet):
923         * runtime/WeakMapPrototype.cpp:
924         (JSC::WeakMapPrototype::finishCreation):
925         (JSC::getWeakMap):
926         (JSC::protoFuncWeakMapGet):
927         * runtime/WeakSetPrototype.cpp:
928         (JSC::getWeakSet):
929
930 2017-09-12  Keith Miller  <keith_miller@apple.com>
931
932         Rename JavaScriptCore CMake unifiable sources list
933         https://bugs.webkit.org/show_bug.cgi?id=176823
934
935         Reviewed by Joseph Pecoraro.
936
937         This patch also changes the error message when the unified source
938         bundler fails to be more accurate.
939
940         * CMakeLists.txt:
941
942 2017-09-12  Keith Miller  <keith_miller@apple.com>
943
944         Do unified source builds for JSC
945         https://bugs.webkit.org/show_bug.cgi?id=176076
946
947         Reviewed by Geoffrey Garen.
948
949         This patch switches the CMake JavaScriptCore build to use unified sources.
950         The Xcode build will be upgraded in a follow up patch.
951
952         Most of the source changes in this patch are fixing static
953         variable/functions name collisions. The most common collisions
954         were from our use of "static const bool verbose" and "using
955         namespace ...". I fixed all the verbose cases and fixed the "using
956         namespace" issues that occurred under the current bundling
957         strategy. It's likely that more of the "using namespace" issues
958         will need to be resolved in the future, particularly in the FTL.
959
960         I don't expect either of these problems will apply to other parts
961         of the project nearly as much as in JSC. Using a verbose variable
962         is a JSC idiom and JSC tends to use the same, canonical, class name
963         in multiple parts of the engine.
964
965         * CMakeLists.txt:
966         * b3/B3CheckSpecial.cpp:
967         (JSC::B3::CheckSpecial::forEachArg):
968         (JSC::B3::CheckSpecial::generate):
969         (JSC::B3::Air::numB3Args): Deleted.
970         * b3/B3DuplicateTails.cpp:
971         * b3/B3EliminateCommonSubexpressions.cpp:
972         * b3/B3FixSSA.cpp:
973         (JSC::B3::demoteValues):
974         * b3/B3FoldPathConstants.cpp:
975         * b3/B3InferSwitches.cpp:
976         * b3/B3LowerMacrosAfterOptimizations.cpp:
977         (): Deleted.
978         * b3/B3LowerToAir.cpp:
979         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
980         (JSC::B3::Air::LowerToAir::run): Deleted.
981         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
982         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
983         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
984         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
985         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
986         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
987         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
988         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
989         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
990         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
991         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
992         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
993         (JSC::B3::Air::LowerToAir::tmp): Deleted.
994         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
995         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
996         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
997         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
998         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
999         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1000         (JSC::B3::Air::LowerToAir::addr): Deleted.
1001         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
1002         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
1003         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
1004         (JSC::B3::Air::LowerToAir::imm): Deleted.
1005         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
1006         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
1007         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1008         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
1009         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
1010         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
1011         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
1012         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
1013         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
1014         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
1015         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
1016         (JSC::B3::Air::LowerToAir::createStore): Deleted.
1017         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
1018         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
1019         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
1020         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
1021         (JSC::B3::Air::LowerToAir::print): Deleted.
1022         (JSC::B3::Air::LowerToAir::append): Deleted.
1023         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
1024         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
1025         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
1026         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
1027         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
1028         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
1029         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
1030         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
1031         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
1032         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
1033         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1034         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
1035         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
1036         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
1037         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
1038         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
1039         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
1040         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
1041         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
1042         (JSC::B3::Air::LowerToAir::lower): Deleted.
1043         * b3/B3PatchpointSpecial.cpp:
1044         (JSC::B3::PatchpointSpecial::generate):
1045         * b3/B3ReduceDoubleToFloat.cpp:
1046         (JSC::B3::reduceDoubleToFloat):
1047         * b3/B3ReduceStrength.cpp:
1048         * b3/B3StackmapGenerationParams.cpp:
1049         * b3/B3StackmapSpecial.cpp:
1050         (JSC::B3::StackmapSpecial::repsImpl):
1051         (JSC::B3::StackmapSpecial::repForArg):
1052         * b3/air/AirAllocateStackByGraphColoring.cpp:
1053         (JSC::B3::Air::allocateStackByGraphColoring):
1054         * b3/air/AirEmitShuffle.cpp:
1055         (JSC::B3::Air::emitShuffle):
1056         * b3/air/AirFixObviousSpills.cpp:
1057         * b3/air/AirLowerAfterRegAlloc.cpp:
1058         (JSC::B3::Air::lowerAfterRegAlloc):
1059         * b3/air/AirStackAllocation.cpp:
1060         (JSC::B3::Air::attemptAssignment):
1061         (JSC::B3::Air::assign):
1062         * bytecode/AccessCase.cpp:
1063         (JSC::AccessCase::generateImpl):
1064         * bytecode/CallLinkStatus.cpp:
1065         (JSC::CallLinkStatus::computeDFGStatuses):
1066         * bytecode/GetterSetterAccessCase.cpp:
1067         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1068         * bytecode/ObjectPropertyConditionSet.cpp:
1069         * bytecode/PolymorphicAccess.cpp:
1070         (JSC::PolymorphicAccess::addCases):
1071         (JSC::PolymorphicAccess::regenerate):
1072         * bytecode/PropertyCondition.cpp:
1073         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1074         * bytecode/StructureStubInfo.cpp:
1075         (JSC::StructureStubInfo::addAccessCase):
1076         * dfg/DFGArgumentsEliminationPhase.cpp:
1077         * dfg/DFGByteCodeParser.cpp:
1078         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1079         (JSC::DFG::ByteCodeParser::inliningCost):
1080         (JSC::DFG::ByteCodeParser::inlineCall):
1081         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1082         (JSC::DFG::ByteCodeParser::handleInlining):
1083         (JSC::DFG::ByteCodeParser::planLoad):
1084         (JSC::DFG::ByteCodeParser::store):
1085         (JSC::DFG::ByteCodeParser::parseBlock):
1086         (JSC::DFG::ByteCodeParser::linkBlock):
1087         (JSC::DFG::ByteCodeParser::linkBlocks):
1088         * dfg/DFGCSEPhase.cpp:
1089         * dfg/DFGInPlaceAbstractState.cpp:
1090         (JSC::DFG::InPlaceAbstractState::merge):
1091         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1092         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1093         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1094         * dfg/DFGMovHintRemovalPhase.cpp:
1095         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1096         * dfg/DFGPhantomInsertionPhase.cpp:
1097         * dfg/DFGPutStackSinkingPhase.cpp:
1098         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1099         * dfg/DFGVarargsForwardingPhase.cpp:
1100         * ftl/FTLAbstractHeap.cpp:
1101         (JSC::FTL::AbstractHeap::compute):
1102         * ftl/FTLAbstractHeapRepository.cpp:
1103         (JSC::FTL::AbstractHeapRepository::decorateMemory):
1104         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
1105         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
1106         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
1107         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
1108         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
1109         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
1110         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
1111         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1112         * ftl/FTLLink.cpp:
1113         (JSC::FTL::link):
1114         * heap/MarkingConstraintSet.cpp:
1115         (JSC::MarkingConstraintSet::add):
1116         * interpreter/ShadowChicken.cpp:
1117         (JSC::ShadowChicken::update):
1118         * jit/BinarySwitch.cpp:
1119         (JSC::BinarySwitch::BinarySwitch):
1120         (JSC::BinarySwitch::build):
1121         * llint/LLIntData.cpp:
1122         (JSC::LLInt::Data::loadStats):
1123         (JSC::LLInt::Data::saveStats):
1124         * runtime/ArrayPrototype.cpp:
1125         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1126         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1127         * runtime/ErrorInstance.cpp:
1128         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1129         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1130         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
1131         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
1132         * runtime/IntlDateTimeFormat.cpp:
1133         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1134         * runtime/PromiseDeferredTimer.cpp:
1135         (JSC::PromiseDeferredTimer::doWork):
1136         (JSC::PromiseDeferredTimer::addPendingPromise):
1137         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1138         * runtime/TypeProfiler.cpp:
1139         (JSC::TypeProfiler::insertNewLocation):
1140         * runtime/TypeProfilerLog.cpp:
1141         (JSC::TypeProfilerLog::processLogEntries):
1142         * runtime/WeakMapPrototype.cpp:
1143         (JSC::protoFuncWeakMapDelete):
1144         (JSC::protoFuncWeakMapGet):
1145         (JSC::protoFuncWeakMapHas):
1146         (JSC::protoFuncWeakMapSet):
1147         (JSC::getWeakMapData): Deleted.
1148         * runtime/WeakSetPrototype.cpp:
1149         (JSC::protoFuncWeakSetDelete):
1150         (JSC::protoFuncWeakSetHas):
1151         (JSC::protoFuncWeakSetAdd):
1152         (JSC::getWeakMapData): Deleted.
1153         * testRegExp.cpp:
1154         (testOneRegExp):
1155         (runFromFiles):
1156         * wasm/WasmB3IRGenerator.cpp:
1157         (JSC::Wasm::parseAndCompile):
1158         * wasm/WasmBBQPlan.cpp:
1159         (JSC::Wasm::BBQPlan::moveToState):
1160         (JSC::Wasm::BBQPlan::parseAndValidateModule):
1161         (JSC::Wasm::BBQPlan::prepare):
1162         (JSC::Wasm::BBQPlan::compileFunctions):
1163         (JSC::Wasm::BBQPlan::complete):
1164         * wasm/WasmFaultSignalHandler.cpp:
1165         (JSC::Wasm::trapHandler):
1166         * wasm/WasmOMGPlan.cpp:
1167         (JSC::Wasm::OMGPlan::OMGPlan):
1168         (JSC::Wasm::OMGPlan::work):
1169         * wasm/WasmPlan.cpp:
1170         (JSC::Wasm::Plan::fail):
1171         * wasm/WasmSignature.cpp:
1172         (JSC::Wasm::SignatureInformation::adopt):
1173         * wasm/WasmWorklist.cpp:
1174         (JSC::Wasm::Worklist::enqueue):
1175
1176 2017-09-12  Michael Saboff  <msaboff@apple.com>
1177
1178         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
1179         https://bugs.webkit.org/show_bug.cgi?id=176814
1180
1181         Reviewed by Mark Lam.
1182
1183         The copy and advance indices were off by one and needed a little fine tuning.
1184
1185         * runtime/StringPrototype.cpp:
1186         (JSC::substituteBackreferencesSlow):
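
The template-expansion rule this entry fixes, as an added JavaScript reference implementation (not JSC's substituteBackreferencesSlow): it follows the forms of the language spec's GetSubstitution, and the function names expandTemplate and replaceFirst are hypothetical.

```javascript
// Added example, not JSC code. Expand a String.prototype.replace template.
// The case of interest is "$<name>": when the RegExp has no named captures,
// "$<" is not special, so both characters are copied literally and the scan
// advances exactly two positions; nothing else may be emitted. Getting that
// copy/advance bookkeeping off by one is what produced the extra "<".

function expandTemplate(template, matched, position, str, captures, namedCaptures) {
  let result = "";
  let i = 0;
  while (i < template.length) {
    const ch = template[i];
    if (ch !== "$" || i + 1 >= template.length) {
      result += ch;
      i += 1;
      continue;
    }
    const next = template[i + 1];
    if (next === "$") { result += "$"; i += 2; continue; }
    if (next === "&") { result += matched; i += 2; continue; }
    if (next === "`") { result += str.slice(0, position); i += 2; continue; }
    if (next === "'") { result += str.slice(position + matched.length); i += 2; continue; }
    if (next >= "0" && next <= "9") {
      // $n / $nn: numbered capture if such a group exists, else a literal "$".
      const m = captures.length;
      const d1 = next.charCodeAt(0) - 48;
      const c2 = template[i + 2];
      const d2 = (c2 !== undefined && c2 >= "0" && c2 <= "9") ? c2.charCodeAt(0) - 48 : -1;
      const nn = d1 * 10 + d2;
      if (d2 >= 0 && nn >= 1 && nn <= m) {
        result += captures[nn - 1] === undefined ? "" : captures[nn - 1];
        i += 3;
        continue;
      }
      if (d1 >= 1 && d1 <= m) {
        result += captures[d1 - 1] === undefined ? "" : captures[d1 - 1];
        i += 2;
        continue;
      }
      result += "$";
      i += 1;
      continue;
    }
    if (next === "<") {
      if (namedCaptures === undefined) {
        // No named captures in the RegExp: copy "$<" and advance past both.
        result += "$<";
        i += 2;
        continue;
      }
      const close = template.indexOf(">", i + 2);
      if (close === -1) {
        // Unterminated "$<name": also copied literally.
        result += "$<";
        i += 2;
        continue;
      }
      const groupName = template.slice(i + 2, close);
      const value = namedCaptures[groupName];
      if (value !== undefined) result += String(value);   // unknown group -> ""
      i = close + 1;
      continue;
    }
    result += "$";   // "$" followed by anything else stays literal
    i += 1;
  }
  return result;
}

// Replace the first match of `re` in `str` using the template rules above.
// m.groups is undefined when the RegExp declares no named groups.
function replaceFirst(str, re, template) {
  const m = re.exec(str);
  if (m === null) return str;
  const matched = m[0];
  const replacement = expandTemplate(template, matched, m.index, str, m.slice(1), m.groups);
  return str.slice(0, m.index) + replacement + str.slice(m.index + matched.length);
}
```

With no named groups, replaceFirst("abc", /b/, "[$<x>]") gives "a[$<x>]c", the same as the native replace; with /(?<g>b)/ the same template yields "a[b]c".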
1187
1188 2017-09-11  Mark Lam  <mark.lam@apple.com>
1189
1190         More exception check book-keeping needed found by 32-bit JSC test failures.
1191         https://bugs.webkit.org/show_bug.cgi?id=176742
1192
1193         Reviewed by Michael Saboff and Keith Miller.
1194
1195         * dfg/DFGOperations.cpp:
1196
1197 2017-09-11  Mark Lam  <mark.lam@apple.com>
1198
1199         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
1200         https://bugs.webkit.org/show_bug.cgi?id=176722
1201
1202         Reviewed by Saam Barati.
1203
1204         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
1205         in effect when jsc is invoked.
1206
1207         * jsc.cpp:
1208         (CommandLine::parseArguments):
1209
1210 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
1211
1212         Unreviewed, rolling out r221854.
1213
1214         The test added with this change fails on 32-bit JSC bots.
1215
1216         Reverted changeset:
1217
1218         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
1219         https://bugs.webkit.org/show_bug.cgi?id=176010
1220         http://trac.webkit.org/changeset/221854
1221
1222 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1223
1224         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1225         https://bugs.webkit.org/show_bug.cgi?id=176010
1226
1227         Reviewed by Filip Pizlo.
1228
1229         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1230         It is used for the meta property of objects (see the peekMeta function in Ember.js).
1231
1232         This patch optimizes WeakMap#get.
1233
1234         1. We use inlineGet to inline WeakMap#get operation in the native function.
1235         Since this native function itself is very small, we should inline HashMap#get
1236         entirely in this function.
1237
1238         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1239         very quickly. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1240         to drop unnecessary type checking. We add fixup rules for the WeakMapGet DFG node by using WeakMapObjectUse,
1241         ObjectUse, and Int32Use.
1242
1243         3. We add an intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1244         calculate the hash value for the key's Object and use this hash value to look up the value from
1245         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1246         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1247         But anyway, the current one already optimizes the performance, so we leave this for subsequent
1248         patches.
1249
1250         We currently do not implement any other intrinsics (like WeakMap#has, WeakSet) because they are
1251         not used in Ember.js right now.
1252
1253         This patch optimizes WeakMap#get by 50%.
1254
1255                                  baseline                  patched
1256
1257         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1258
1259         * bytecode/DirectEvalCodeCache.h:
1260         (JSC::DirectEvalCodeCache::tryGet):
1261         * bytecode/SpeculatedType.cpp:
1262         (JSC::dumpSpeculation):
1263         (JSC::speculationFromClassInfo):
1264         (JSC::speculationFromJSType):
1265         (JSC::speculationFromString):
1266         * bytecode/SpeculatedType.h:
1267         * dfg/DFGAbstractInterpreterInlines.h:
1268         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1269         * dfg/DFGByteCodeParser.cpp:
1270         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1271         * dfg/DFGClobberize.h:
1272         (JSC::DFG::clobberize):
1273         * dfg/DFGDoesGC.cpp:
1274         (JSC::DFG::doesGC):
1275         * dfg/DFGFixupPhase.cpp:
1276         (JSC::DFG::FixupPhase::fixupNode):
1277         * dfg/DFGHeapLocation.cpp:
1278         (WTF::printInternal):
1279         * dfg/DFGHeapLocation.h:
1280         * dfg/DFGNode.h:
1281         (JSC::DFG::Node::hasHeapPrediction):
1282         * dfg/DFGNodeType.h:
1283         * dfg/DFGOperations.cpp:
1284         * dfg/DFGOperations.h:
1285         * dfg/DFGPredictionPropagationPhase.cpp:
1286         * dfg/DFGSafeToExecute.h:
1287         (JSC::DFG::SafeToExecuteEdge::operator()):
1288         (JSC::DFG::safeToExecute):
1289         * dfg/DFGSpeculativeJIT.cpp:
1290         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1291         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1292         (JSC::DFG::SpeculativeJIT::speculate):
1293         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1294         * dfg/DFGSpeculativeJIT.h:
1295         (JSC::DFG::SpeculativeJIT::callOperation):
1296         * dfg/DFGSpeculativeJIT32_64.cpp:
1297         (JSC::DFG::SpeculativeJIT::compile):
1298         * dfg/DFGSpeculativeJIT64.cpp:
1299         (JSC::DFG::SpeculativeJIT::compile):
1300         * dfg/DFGUseKind.cpp:
1301         (WTF::printInternal):
1302         * dfg/DFGUseKind.h:
1303         (JSC::DFG::typeFilterFor):
1304         (JSC::DFG::isCell):
1305         * ftl/FTLCapabilities.cpp:
1306         (JSC::FTL::canCompile):
1307         * ftl/FTLLowerDFGToB3.cpp:
1308         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1309         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1310         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1311         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1312         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1313         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1314         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1315         * jit/JITOperations.h:
1316         * runtime/Intrinsic.cpp:
1317         (JSC::intrinsicName):
1318         * runtime/Intrinsic.h:
1319         * runtime/JSType.h:
1320         * runtime/JSWeakMap.h:
1321         (JSC::isJSWeakMap):
1322         * runtime/JSWeakSet.h:
1323         (JSC::isJSWeakSet):
1324         * runtime/WeakMapBase.cpp:
1325         (JSC::WeakMapBase::get):
1326         * runtime/WeakMapBase.h:
1327         (JSC::WeakMapBase::HashTranslator::hash):
1328         (JSC::WeakMapBase::HashTranslator::equal):
1329         (JSC::WeakMapBase::inlineGet):
1330         * runtime/WeakMapPrototype.cpp:
1331         (JSC::WeakMapPrototype::finishCreation):
1332         (JSC::getWeakMap):
1333         (JSC::protoFuncWeakMapGet):
1334         * runtime/WeakSetPrototype.cpp:
1335         (JSC::getWeakSet):
1336
1337 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1338
1339         [JSC] Optimize Object.keys by using careful array allocation
1340         https://bugs.webkit.org/show_bug.cgi?id=176654
1341
1342         Reviewed by Darin Adler.
1343
1344         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
1345         functions in JS apps. Luckily Object.keys has several good features.
1346
1347         1. Once PropertyNameArray is allocated, we know the length of the result array since
1348         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
1349         but it rarely appears. The ProxyObject case goes to the generic path.
1350
1351         2. Object.keys does not need to access the object after listing PropertyNameArray. This means
1352         that we do not need to worry about enumeration attribute changes caused by touching the object.
1353
1354         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
1355         with the size and ArrayContiguous indexing shape.
1356
1357         This further improves SixSpeed object-assign.es5 by 13%.
1358
1359                                             baseline                  patched
1360         Microbenchmarks:
1361            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
1362            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
1363
1364                                             baseline                  patched
1365         SixSpeed:
1366            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
1367
1368         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
1369         cache which is similar to the current enumeration cache. But this patch is orthogonal to
1370         that optimization!
1371
1372         * runtime/ObjectConstructor.cpp:
1373         (JSC::objectConstructorValues):
1374         (JSC::ownPropertyKeys):
1375         * runtime/ObjectConstructor.h:
1376
1377 2017-09-10  Mark Lam  <mark.lam@apple.com>
1378
1379         Fix all ExceptionScope verification failures in JavaScriptCore.
1380         https://bugs.webkit.org/show_bug.cgi?id=176662
1381         <rdar://problem/34352085>
1382
1383         Reviewed by Filip Pizlo.
1384
1385         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
1386            verification for release builds too (though this requires manually setting
1387            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
1388
1389            This is useful because it allows us to run the tests more quickly to check
1390            if any regressions have occurred.  Debug builds run so much slower and are not
1391            good for a quick turnaround.  Debug builds are necessary though to get
1392            trace information without inlining by the C++ compiler.  This is necessary to
1393            diagnose where the missing exception check is.
1394
1395         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
1396            simulated throw when an exception scope verification fails.
1397
1398            Previously, this option dumped the stack trace on all simulated throws.  That
1399            turned out not to be very useful, and slowed down the debugging process.
1400            Instead, the new implementation captures the stack trace and only dumps it
1401            if we have a verification failure.
1402
1403         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
1404            to pass with JSC_validateExceptionChecks=true.
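
The mechanism the three points above rely on, as an added example that is not JavaScriptCore code: a self-contained model of exception-scope verification. VM, ThrowScope, CatchScope, exception() and release() follow JSC's names, but the behaviour is a simplification written for illustration (the real logic lives in runtime/ThrowScope.cpp, runtime/CatchScope.cpp and VM::verifyExceptionCheckNeedIsSatisfied). Verification failures are recorded in a vector instead of asserting, so a caller with a missing exception check can be compared with its fixed version. The callers and their names are constructed for this example.

```cpp
// Added example, not JavaScriptCore code: a simplified model of the exception-scope
// verification that JSC_validateExceptionChecks turns on. Names follow JSC; the bodies
// are illustrative only. Failures are recorded rather than asserted.
#include <string>
#include <utility>
#include <vector>

struct VM {
    bool hasException = false;         // a real exception is pending
    bool needExceptionCheck = false;   // a real or simulated throw has not been checked yet
    std::string lastSimulatedThrow;    // where it came from (what JSC_dumpSimulatedThrows prints)
    std::vector<std::string> failures; // recorded verification failures
    int scopeDepth = 0;
};

struct ExceptionScope {
    VM& vm;
    std::string location;
    ExceptionScope(VM& v, std::string where) : vm(v), location(std::move(where)) { ++vm.scopeDepth; }
    ~ExceptionScope() { --vm.scopeDepth; }
    // The exception check itself: once the caller asks, the need is satisfied.
    bool exception() { vm.needExceptionCheck = false; return vm.hasException; }
};

struct ThrowScope : ExceptionScope {
    bool released = false;
    ThrowScope(VM& v, std::string where) : ExceptionScope(v, std::move(where)) {
        // Entering a throwing function while an earlier throw is unchecked means the
        // caller skipped a check between two operations that can throw.
        if (vm.needExceptionCheck) {
            vm.failures.push_back(location + ": entered with unchecked throw from " + vm.lastSimulatedThrow);
            vm.needExceptionCheck = false; // report once, then keep verifying
        }
    }
    void throwException(const std::string&) { vm.hasException = true; }
    // release(): the caller takes over checking for this function's last call.
    void release() { released = true; }
    ~ThrowScope() {
        if (!released && vm.needExceptionCheck)
            vm.failures.push_back(location + ": returned without checking " + vm.lastSimulatedThrow);
        // Simulated throw: on return the function is treated as if it threw, so callers must
        // check after every call that can throw, even when nothing was thrown this time. The
        // outermost scope returns to LLInt/JIT code, which always checks, so it simulates nothing.
        if (vm.scopeDepth > 1) {
            vm.needExceptionCheck = true;
            vm.lastSimulatedThrow = location + " (simulated throw on return)";
        }
    }
};

struct CatchScope : ExceptionScope {
    CatchScope(VM& v, std::string where) : ExceptionScope(v, std::move(where)) {}
    void clearException() { vm.needExceptionCheck = false; vm.hasException = false; }
    ~CatchScope() {
        // Code that catches must look at the exception before the scope ends.
        if (vm.needExceptionCheck)
            vm.failures.push_back(location + ": catch scope ended without checking");
    }
};

// A native function that may throw: one ThrowScope per function, as in JSC.
void mayThrow(VM& vm, const char* name, bool doThrow) {
    ThrowScope scope(vm, name);
    if (doThrow) scope.throwException("TypeError");
}

// The bug class this patch hunts: two calls that can throw with no check in between.
int buggyCaller(VM& vm) {
    ThrowScope scope(vm, "buggyCaller");
    mayThrow(vm, "first", true);
    // Missing here: if (scope.exception()) return -1;   (JSC's RETURN_IF_EXCEPTION)
    mayThrow(vm, "second", false);
    if (scope.exception()) return -1;
    return 0;
}

int fixedCaller(VM& vm) {
    ThrowScope scope(vm, "fixedCaller");
    mayThrow(vm, "first", true);
    if (scope.exception()) return -1; // RETURN_IF_EXCEPTION(scope, -1)
    mayThrow(vm, "second", false);
    if (scope.exception()) return -1;
    return 0;
}

// Forgets the check after its last throwing call (release() would be the fix when the
// caller is known to check).
int callerForgetsLastCheck(VM& vm) {
    ThrowScope scope(vm, "callerForgetsLastCheck");
    mayThrow(vm, "only", false);
    return 0;
}

// Runs one caller on a fresh VM and returns the number of verification failures; the
// CatchScope stands in for the LLInt/JIT boundary that consumes any pending exception.
int verificationFailures(int (*caller)(VM&)) {
    VM vm;
    caller(vm);
    CatchScope scope(vm, "boundary");
    if (scope.exception()) scope.clearException();
    return static_cast<int>(vm.failures.size());
}
```

The point worth noticing is that the destructor simulates a throw whether or not anything was thrown, which is why a missing check is reported even on inputs that never throw; the recorded location is the information the repurposed JSC_dumpSimulatedThrows option dumps when a verification fails.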
1405
1406         * bytecode/CodeBlock.cpp:
1407         (JSC::CodeBlock::finishCreation):
1408         * dfg/DFGOSRExit.cpp:
1409         (JSC::DFG::OSRExit::executeOSRExit):
1410         * dfg/DFGOperations.cpp:
1411         * interpreter/Interpreter.cpp:
1412         (JSC::eval):
1413         (JSC::loadVarargs):
1414         (JSC::Interpreter::unwind):
1415         (JSC::Interpreter::executeProgram):
1416         (JSC::Interpreter::executeCall):
1417         (JSC::Interpreter::executeConstruct):
1418         (JSC::Interpreter::prepareForRepeatCall):
1419         (JSC::Interpreter::execute):
1420         (JSC::Interpreter::executeModuleProgram):
1421         * jit/JITOperations.cpp:
1422         (JSC::getByVal):
1423         * jsc.cpp:
1424         (WTF::CustomGetter::customGetterAcessor):
1425         (GlobalObject::moduleLoaderImportModule):
1426         (GlobalObject::moduleLoaderResolve):
1427         * llint/LLIntSlowPaths.cpp:
1428         (JSC::LLInt::getByVal):
1429         (JSC::LLInt::setUpCall):
1430         * parser/Parser.h:
1431         (JSC::Parser::popScopeInternal):
1432         * runtime/AbstractModuleRecord.cpp:
1433         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1434         (JSC::AbstractModuleRecord::resolveImport):
1435         (JSC::AbstractModuleRecord::resolveExportImpl):
1436         (JSC::getExportedNames):
1437         (JSC::AbstractModuleRecord::getModuleNamespace):
1438         * runtime/ArrayPrototype.cpp:
1439         (JSC::getProperty):
1440         (JSC::unshift):
1441         (JSC::arrayProtoFuncToString):
1442         (JSC::arrayProtoFuncToLocaleString):
1443         (JSC::arrayProtoFuncJoin):
1444         (JSC::arrayProtoFuncPop):
1445         (JSC::arrayProtoFuncPush):
1446         (JSC::arrayProtoFuncReverse):
1447         (JSC::arrayProtoFuncShift):
1448         (JSC::arrayProtoFuncSlice):
1449         (JSC::arrayProtoFuncSplice):
1450         (JSC::arrayProtoFuncUnShift):
1451         (JSC::arrayProtoFuncIndexOf):
1452         (JSC::arrayProtoFuncLastIndexOf):
1453         (JSC::concatAppendOne):
1454         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1455         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1456         * runtime/CatchScope.h:
1457         * runtime/CommonSlowPaths.cpp:
1458         (JSC::SLOW_PATH_DECL):
1459         * runtime/DatePrototype.cpp:
1460         (JSC::dateProtoFuncSetTime):
1461         (JSC::setNewValueFromTimeArgs):
1462         * runtime/DirectArguments.h:
1463         (JSC::DirectArguments::length const):
1464         * runtime/ErrorPrototype.cpp:
1465         (JSC::errorProtoFuncToString):
1466         * runtime/ExceptionFuzz.cpp:
1467         (JSC::doExceptionFuzzing):
1468         * runtime/ExceptionScope.h:
1469         (JSC::ExceptionScope::needExceptionCheck):
1470         (JSC::ExceptionScope::assertNoException):
1471         * runtime/GenericArgumentsInlines.h:
1472         (JSC::GenericArguments<Type>::defineOwnProperty):
1473         * runtime/HashMapImpl.h:
1474         (JSC::HashMapImpl::rehash):
1475         * runtime/IntlDateTimeFormat.cpp:
1476         (JSC::IntlDateTimeFormat::formatToParts):
1477         * runtime/JSArray.cpp:
1478         (JSC::JSArray::defineOwnProperty):
1479         (JSC::JSArray::put):
1480         * runtime/JSCJSValue.cpp:
1481         (JSC::JSValue::putToPrimitive):
1482         (JSC::JSValue::putToPrimitiveByIndex):
1483         * runtime/JSCJSValueInlines.h:
1484         (JSC::JSValue::toIndex const):
1485         (JSC::JSValue::get const):
1486         (JSC::JSValue::getPropertySlot const):
1487         (JSC::JSValue::equalSlowCaseInline):
1488         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1489         (JSC::constructGenericTypedArrayViewFromIterator):
1490         (JSC::constructGenericTypedArrayViewWithArguments):
1491         * runtime/JSGenericTypedArrayViewInlines.h:
1492         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1493         * runtime/JSGlobalObject.cpp:
1494         (JSC::JSGlobalObject::put):
1495         * runtime/JSGlobalObjectFunctions.cpp:
1496         (JSC::decode):
1497         (JSC::globalFuncEval):
1498         (JSC::globalFuncProtoGetter):
1499         (JSC::globalFuncProtoSetter):
1500         (JSC::globalFuncImportModule):
1501         * runtime/JSInternalPromise.cpp:
1502         (JSC::JSInternalPromise::then):
1503         * runtime/JSInternalPromiseDeferred.cpp:
1504         (JSC::JSInternalPromiseDeferred::create):
1505         * runtime/JSJob.cpp:
1506         (JSC::JSJobMicrotask::run):
1507         * runtime/JSModuleEnvironment.cpp:
1508         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1509         (JSC::JSModuleEnvironment::put):
1510         (JSC::JSModuleEnvironment::deleteProperty):
1511         * runtime/JSModuleLoader.cpp:
1512         (JSC::JSModuleLoader::provide):
1513         (JSC::JSModuleLoader::loadAndEvaluateModule):
1514         (JSC::JSModuleLoader::loadModule):
1515         (JSC::JSModuleLoader::linkAndEvaluateModule):
1516         (JSC::JSModuleLoader::requestImportModule):
1517         * runtime/JSModuleRecord.cpp:
1518         (JSC::JSModuleRecord::link):
1519         (JSC::JSModuleRecord::instantiateDeclarations):
1520         * runtime/JSONObject.cpp:
1521         (JSC::Stringifier::stringify):
1522         (JSC::Stringifier::toJSON):
1523         (JSC::JSONProtoFuncParse):
1524         * runtime/JSObject.cpp:
1525         (JSC::JSObject::calculatedClassName):
1526         (JSC::ordinarySetSlow):
1527         (JSC::JSObject::putInlineSlow):
1528         (JSC::JSObject::ordinaryToPrimitive const):
1529         (JSC::JSObject::toPrimitive const):
1530         (JSC::JSObject::hasInstance):
1531         (JSC::JSObject::getPropertyNames):
1532         (JSC::JSObject::toNumber const):
1533         (JSC::JSObject::defineOwnIndexedProperty):
1534         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1535         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1536         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1537         (JSC::validateAndApplyPropertyDescriptor):
1538         (JSC::JSObject::defineOwnNonIndexProperty):
1539         (JSC::JSObject::getGenericPropertyNames):
1540         * runtime/JSObject.h:
1541         (JSC::JSObject::get const):
1542         * runtime/JSObjectInlines.h:
1543         (JSC::JSObject::getPropertySlot const):
1544         (JSC::JSObject::getPropertySlot):
1545         (JSC::JSObject::getNonIndexPropertySlot):
1546         (JSC::JSObject::putInlineForJSObject):
1547         * runtime/JSPromiseConstructor.cpp:
1548         (JSC::constructPromise):
1549         * runtime/JSPromiseDeferred.cpp:
1550         (JSC::JSPromiseDeferred::create):
1551         * runtime/JSScope.cpp:
1552         (JSC::abstractAccess):
1553         (JSC::JSScope::resolve):
1554         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1555         (JSC::JSScope::abstractResolve):
1556         * runtime/LiteralParser.cpp:
1557         (JSC::LiteralParser<CharType>::tryJSONPParse):
1558         (JSC::LiteralParser<CharType>::parse):
1559         * runtime/Lookup.h:
1560         (JSC::putEntry):
1561         * runtime/MapConstructor.cpp:
1562         (JSC::constructMap):
1563         * runtime/NumberPrototype.cpp:
1564         (JSC::numberProtoFuncToString):
1565         * runtime/ObjectConstructor.cpp:
1566         (JSC::objectConstructorSetPrototypeOf):
1567         (JSC::objectConstructorGetOwnPropertyDescriptor):
1568         (JSC::objectConstructorGetOwnPropertyDescriptors):
1569         (JSC::objectConstructorAssign):
1570         (JSC::objectConstructorValues):
1571         (JSC::toPropertyDescriptor):
1572         (JSC::objectConstructorDefineProperty):
1573         (JSC::defineProperties):
1574         (JSC::objectConstructorDefineProperties):
1575         (JSC::ownPropertyKeys):
1576         * runtime/ObjectPrototype.cpp:
1577         (JSC::objectProtoFuncHasOwnProperty):
1578         (JSC::objectProtoFuncIsPrototypeOf):
1579         (JSC::objectProtoFuncLookupGetter):
1580         (JSC::objectProtoFuncLookupSetter):
1581         (JSC::objectProtoFuncToLocaleString):
1582         (JSC::objectProtoFuncToString):
1583         * runtime/Options.h:
1584         * runtime/ParseInt.h:
1585         (JSC::toStringView):
1586         * runtime/ProxyObject.cpp:
1587         (JSC::performProxyGet):
1588         (JSC::ProxyObject::performPut):
1589         * runtime/ReflectObject.cpp:
1590         (JSC::reflectObjectDefineProperty):
1591         * runtime/RegExpConstructor.cpp:
1592         (JSC::toFlags):
1593         (JSC::regExpCreate):
1594         (JSC::constructRegExp):
1595         * runtime/RegExpObject.cpp:
1596         (JSC::collectMatches):
1597         * runtime/RegExpObjectInlines.h:
1598         (JSC::RegExpObject::execInline):
1599         (JSC::RegExpObject::matchInline):
1600         * runtime/RegExpPrototype.cpp:
1601         (JSC::regExpProtoFuncTestFast):
1602         (JSC::regExpProtoFuncExec):
1603         (JSC::regExpProtoFuncMatchFast):
1604         (JSC::regExpProtoFuncToString):
1605         (JSC::regExpProtoFuncSplitFast):
1606         * runtime/ScriptExecutable.cpp:
1607         (JSC::ScriptExecutable::newCodeBlockFor):
1608         (JSC::ScriptExecutable::prepareForExecutionImpl):
1609         * runtime/SetConstructor.cpp:
1610         (JSC::constructSet):
1611         * runtime/ThrowScope.cpp:
1612         (JSC::ThrowScope::simulateThrow):
1613         * runtime/VM.cpp:
1614         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1615         * runtime/VM.h:
1616         * runtime/WeakMapPrototype.cpp:
1617         (JSC::protoFuncWeakMapSet):
1618         * runtime/WeakSetPrototype.cpp:
1619         (JSC::protoFuncWeakSetAdd):
1620         * wasm/js/WebAssemblyModuleConstructor.cpp:
1621         (JSC::WebAssemblyModuleConstructor::createModule):
1622         * wasm/js/WebAssemblyModuleRecord.cpp:
1623         (JSC::WebAssemblyModuleRecord::link):
1624         * wasm/js/WebAssemblyPrototype.cpp:
1625         (JSC::reject):
1626         (JSC::webAssemblyCompileFunc):
1627         (JSC::resolve):
1628         (JSC::webAssemblyInstantiateFunc):
1629
1630 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
1631
1632         Error should compute .stack and friends lazily
1633         https://bugs.webkit.org/show_bug.cgi?id=176645
1634
1635         Reviewed by Saam Barati.
1636         
1637         Building the string portion of the stack trace after we walk the stack accounts for most of
1638         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1639         Vector<StackFrame> so that it can build the string only once it's really needed.
1640         
1641         This is an enormous speed-up for programs that allocate and throw exceptions.
1642         
1643         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1644         
1645         It's a 2.2x speed-up for throwing and catching an Error.
1646         
1647         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1648         
1649         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1650         delta-blue-try-catch is 1.16x faster.
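
The lazy materialization described above, as an added example that is not JavaScriptCore code: a small model in which the walked frames are captured at construction (the cheap part) and the string is built at most once, on first access to .stack. StackFrame, ErrorInstance and materializeErrorInfoIfNeeded mirror names from the file list below, but the bodies, the frame layout and the sample frames are constructed for this example.

```cpp
// Added example, not JavaScriptCore code: lazily materialized error info.
#include <string>
#include <utility>
#include <vector>

// Constructed frame layout; JSC's StackFrame holds GC-managed cells instead.
struct StackFrame {
    std::string functionName;
    int line;
};

class ErrorInstance {
public:
    // Construction only records the already-walked frames; no string is built.
    explicit ErrorInstance(std::vector<StackFrame> frames) : m_frames(std::move(frames)) {}

    // Every access to .stack goes through here; the string is built once and cached.
    const std::string& stack() {
        materializeErrorInfoIfNeeded();
        return m_stackString;
    }
    int materializations() const { return m_materializations; }

private:
    void materializeErrorInfoIfNeeded() {
        if (m_materialized) return;
        m_materialized = true;
        ++m_materializations; // cost counter for the example
        for (const StackFrame& frame : m_frames)
            m_stackString += frame.functionName + "@line " + std::to_string(frame.line) + "\n";
    }
    std::vector<StackFrame> m_frames;
    std::string m_stackString;
    bool m_materialized = false;
    int m_materializations = 0;
};

// Constructed sample: an error thrown from inner(), called from outer().
static std::vector<StackFrame> sampleFrames() { return {{"inner", 12}, {"outer", 40}}; }

// How many times the string was built after `accesses` reads of .stack
// (0 reads: never; any number of reads: exactly once).
int materializationsAfter(int accesses) {
    ErrorInstance error(sampleFrames());
    for (int i = 0; i < accesses; ++i)
        (void)error.stack();
    return error.materializations();
}

std::string sampleStack() {
    ErrorInstance error(sampleFrames());
    return error.stack();
}
```

Holding the frames instead of the string is what makes the ErrorInstance::visitChildren and StackFrame::visitChildren entries below necessary: the retained frames reference GC-managed cells that must be traced as long as the string has not been built.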
1651
1652         * interpreter/Interpreter.cpp:
1653         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1654         (JSC::GetStackTraceFunctor::operator() const):
1655         (JSC::Interpreter::getStackTrace):
1656         * interpreter/Interpreter.h:
1657         * runtime/Error.cpp:
1658         (JSC::getStackTrace):
1659         (JSC::getBytecodeOffset):
1660         (JSC::addErrorInfo):
1661         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1662         * runtime/Error.h:
1663         * runtime/ErrorInstance.cpp:
1664         (JSC::ErrorInstance::ErrorInstance):
1665         (JSC::ErrorInstance::finishCreation):
1666         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1667         (JSC::ErrorInstance::visitChildren):
1668         (JSC::ErrorInstance::getOwnPropertySlot):
1669         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1670         (JSC::ErrorInstance::defineOwnProperty):
1671         (JSC::ErrorInstance::put):
1672         (JSC::ErrorInstance::deleteProperty):
1673         * runtime/ErrorInstance.h:
1674         * runtime/Exception.cpp:
1675         (JSC::Exception::visitChildren):
1676         (JSC::Exception::finishCreation):
1677         * runtime/Exception.h:
1678         * runtime/StackFrame.cpp:
1679         (JSC::StackFrame::visitChildren):
1680         * runtime/StackFrame.h:
1681         (JSC::StackFrame::StackFrame):
1682
1683 2017-09-09  Mark Lam  <mark.lam@apple.com>
1684
1685         [Re-landing] Use JIT probes for DFG OSR exit.
1686         https://bugs.webkit.org/show_bug.cgi?id=175144
1687         <rdar://problem/33437050>
1688
1689         Not reviewed.  Original patch reviewed by Saam Barati.
1690
1691         Relanding r221774.
1692
1693         * JavaScriptCore.xcodeproj/project.pbxproj:
1694         * assembler/MacroAssembler.cpp:
1695         (JSC::stdFunctionCallback):
1696         * assembler/MacroAssemblerPrinter.cpp:
1697         (JSC::Printer::printCallback):
1698         * assembler/ProbeContext.h:
1699         (JSC::Probe::CPUState::gpr const):
1700         (JSC::Probe::CPUState::spr const):
1701         (JSC::Probe::Context::Context):
1702         (JSC::Probe::Context::arg):
1703         (JSC::Probe::Context::gpr):
1704         (JSC::Probe::Context::spr):
1705         (JSC::Probe::Context::fpr):
1706         (JSC::Probe::Context::gprName):
1707         (JSC::Probe::Context::sprName):
1708         (JSC::Probe::Context::fprName):
1709         (JSC::Probe::Context::gpr const):
1710         (JSC::Probe::Context::spr const):
1711         (JSC::Probe::Context::fpr const):
1712         (JSC::Probe::Context::pc):
1713         (JSC::Probe::Context::fp):
1714         (JSC::Probe::Context::sp):
1715         (JSC::Probe:: const): Deleted.
1716         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1717         * assembler/ProbeStack.cpp:
1718         (JSC::Probe::Page::Page):
1719         * assembler/ProbeStack.h:
1720         (JSC::Probe::Page::get):
1721         (JSC::Probe::Page::set):
1722         (JSC::Probe::Page::physicalAddressFor):
1723         (JSC::Probe::Stack::lowWatermark):
1724         (JSC::Probe::Stack::get):
1725         (JSC::Probe::Stack::set):
1726         * bytecode/ArithProfile.cpp:
1727         * bytecode/ArithProfile.h:
1728         * bytecode/ArrayProfile.h:
1729         (JSC::ArrayProfile::observeArrayMode):
1730         * bytecode/CodeBlock.cpp:
1731         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1732         * bytecode/CodeBlock.h:
1733         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1734         * bytecode/ExecutionCounter.h:
1735         (JSC::ExecutionCounter::hasCrossedThreshold const):
1736         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1737         * bytecode/MethodOfGettingAValueProfile.cpp:
1738         (JSC::MethodOfGettingAValueProfile::reportValue):
1739         * bytecode/MethodOfGettingAValueProfile.h:
1740         * dfg/DFGDriver.cpp:
1741         (JSC::DFG::compileImpl):
1742         * dfg/DFGJITCode.cpp:
1743         (JSC::DFG::JITCode::findPC): Deleted.
1744         * dfg/DFGJITCode.h:
1745         * dfg/DFGJITCompiler.cpp:
1746         (JSC::DFG::JITCompiler::linkOSRExits):
1747         (JSC::DFG::JITCompiler::link):
1748         * dfg/DFGOSRExit.cpp:
1749         (JSC::DFG::jsValueFor):
1750         (JSC::DFG::restoreCalleeSavesFor):
1751         (JSC::DFG::saveCalleeSavesFor):
1752         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1753         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1754         (JSC::DFG::saveOrCopyCalleeSavesFor):
1755         (JSC::DFG::createDirectArgumentsDuringExit):
1756         (JSC::DFG::createClonedArgumentsDuringExit):
1757         (JSC::DFG::OSRExit::OSRExit):
1758         (JSC::DFG::emitRestoreArguments):
1759         (JSC::DFG::OSRExit::executeOSRExit):
1760         (JSC::DFG::reifyInlinedCallFrames):
1761         (JSC::DFG::adjustAndJumpToTarget):
1762         (JSC::DFG::printOSRExit):
1763         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1764         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1765         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1766         (JSC::DFG::OSRExit::correctJump): Deleted.
1767         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1768         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1769         (JSC::DFG::OSRExit::compileExit): Deleted.
1770         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1771         * dfg/DFGOSRExit.h:
1772         (JSC::DFG::OSRExitState::OSRExitState):
1773         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1774         * dfg/DFGOSRExitCompilerCommon.cpp:
1775         * dfg/DFGOSRExitCompilerCommon.h:
1776         * dfg/DFGOperations.cpp:
1777         * dfg/DFGOperations.h:
1778         * dfg/DFGThunks.cpp:
1779         (JSC::DFG::osrExitThunkGenerator):
1780         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1781         * dfg/DFGThunks.h:
1782         * jit/AssemblyHelpers.cpp:
1783         (JSC::AssemblyHelpers::debugCall): Deleted.
1784         * jit/AssemblyHelpers.h:
1785         * jit/JITOperations.cpp:
1786         * jit/JITOperations.h:
1787         * profiler/ProfilerOSRExit.h:
1788         (JSC::Profiler::OSRExit::incCount):
1789         * runtime/JSCJSValue.h:
1790         * runtime/JSCJSValueInlines.h:
1791         * runtime/VM.h:
1792
1793 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
1794
1795         Unreviewed, rolling out r221774.
1796
1797         This change introduced three debug JSC test timeouts.
1798
1799         Reverted changeset:
1800
1801         "Use JIT probes for DFG OSR exit."
1802         https://bugs.webkit.org/show_bug.cgi?id=175144
1803         http://trac.webkit.org/changeset/221774
1804
1805 2017-09-09  Mark Lam  <mark.lam@apple.com>
1806
1807         Avoid duplicate computations of ExecState::vm().
1808         https://bugs.webkit.org/show_bug.cgi?id=176647
1809
1810         Reviewed by Saam Barati.
1811
1812         Because while computing ExecState::vm() is cheap, it is not free.
1813
1814         This patch also:
1815         1. gets rid of some convenience methods in CallFrame that implicitly do an
1816            ExecState::vm() computation.  This minimizes the chance of us accidentally
1817            computing ExecState::vm() more than necessary.
1818         2. passes vm (when available) to methodTable().
1819         3. passes vm (when available) to JSLockHolder.
1820
1821         * API/JSBase.cpp:
1822         (JSCheckScriptSyntax):
1823         (JSGarbageCollect):
1824         (JSReportExtraMemoryCost):
1825         (JSSynchronousGarbageCollectForDebugging):
1826         (JSSynchronousEdenCollectForDebugging):
1827         * API/JSCallbackConstructor.h:
1828         (JSC::JSCallbackConstructor::create):
1829         * API/JSCallbackObject.h:
1830         (JSC::JSCallbackObject::create):
1831         * API/JSContext.mm:
1832         (-[JSContext setException:]):
1833         * API/JSContextRef.cpp:
1834         (JSContextGetGlobalObject):
1835         (JSContextCreateBacktrace):
1836         * API/JSManagedValue.mm:
1837         (-[JSManagedValue value]):
1838         * API/JSObjectRef.cpp:
1839         (JSObjectMake):
1840         (JSObjectMakeFunctionWithCallback):
1841         (JSObjectMakeConstructor):
1842         (JSObjectMakeFunction):
1843         (JSObjectSetPrototype):
1844         (JSObjectHasProperty):
1845         (JSObjectGetProperty):
1846         (JSObjectSetProperty):
1847         (JSObjectSetPropertyAtIndex):
1848         (JSObjectDeleteProperty):
1849         (JSObjectGetPrivateProperty):
1850         (JSObjectSetPrivateProperty):
1851         (JSObjectDeletePrivateProperty):
1852         (JSObjectIsFunction):
1853         (JSObjectCallAsFunction):
1854         (JSObjectCallAsConstructor):
1855         (JSObjectCopyPropertyNames):
1856         (JSPropertyNameAccumulatorAddName):
1857         * API/JSScriptRef.cpp:
1858         * API/JSTypedArray.cpp:
1859         (JSValueGetTypedArrayType):
1860         (JSObjectMakeTypedArrayWithArrayBuffer):
1861         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1862         (JSObjectGetTypedArrayBytesPtr):
1863         (JSObjectGetTypedArrayBuffer):
1864         (JSObjectMakeArrayBufferWithBytesNoCopy):
1865         (JSObjectGetArrayBufferBytesPtr):
1866         * API/JSWeakObjectMapRefPrivate.cpp:
1867         * API/JSWrapperMap.mm:
1868         (constructorHasInstance):
1869         (makeWrapper):
1870         * API/ObjCCallbackFunction.mm:
1871         (objCCallbackFunctionForInvocation):
1872         * bytecode/CodeBlock.cpp:
1873         (JSC::CodeBlock::CodeBlock):
1874         (JSC::CodeBlock::jettison):
1875         * bytecode/CodeBlock.h:
1876         (JSC::CodeBlock::addConstant):
1877         (JSC::CodeBlock::replaceConstant):
1878         * bytecode/PutByIdStatus.cpp:
1879         (JSC::PutByIdStatus::computeFromLLInt):
1880         (JSC::PutByIdStatus::computeFor):
1881         * dfg/DFGDesiredWatchpoints.cpp:
1882         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1883         * dfg/DFGGraph.h:
1884         (JSC::DFG::Graph::globalThisObjectFor):
1885         * dfg/DFGOperations.cpp:
1886         * ftl/FTLOSRExitCompiler.cpp:
1887         (JSC::FTL::compileFTLOSRExit):
1888         * ftl/FTLOperations.cpp:
1889         (JSC::FTL::operationPopulateObjectInOSR):
1890         (JSC::FTL::operationMaterializeObjectInOSR):
1891         * heap/GCAssertions.h:
1892         * inspector/InjectedScriptHost.cpp:
1893         (Inspector::InjectedScriptHost::wrapper):
1894         * inspector/JSInjectedScriptHost.cpp:
1895         (Inspector::JSInjectedScriptHost::subtype):
1896         (Inspector::constructInternalProperty):
1897         (Inspector::JSInjectedScriptHost::getInternalProperties):
1898         (Inspector::JSInjectedScriptHost::weakMapEntries):
1899         (Inspector::JSInjectedScriptHost::weakSetEntries):
1900         (Inspector::JSInjectedScriptHost::iteratorEntries):
1901         * inspector/JSJavaScriptCallFrame.cpp:
1902         (Inspector::valueForScopeLocation):
1903         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1904         (Inspector::toJS):
1905         * inspector/ScriptCallStackFactory.cpp:
1906         (Inspector::extractSourceInformationFromException):
1907         (Inspector::createScriptArguments):
1908         * interpreter/CachedCall.h:
1909         (JSC::CachedCall::CachedCall):
1910         * interpreter/CallFrame.h:
1911         (JSC::ExecState::atomicStringTable const): Deleted.
1912         (JSC::ExecState::propertyNames const): Deleted.
1913         (JSC::ExecState::emptyList const): Deleted.
1914         (JSC::ExecState::interpreter): Deleted.
1915         (JSC::ExecState::heap): Deleted.
1916         * interpreter/Interpreter.cpp:
1917         (JSC::Interpreter::executeProgram):
1918         (JSC::Interpreter::execute):
1919         (JSC::Interpreter::executeModuleProgram):
1920         * jit/JIT.cpp:
1921         (JSC::JIT::privateCompileMainPass):
1922         * jit/JITOperations.cpp:
1923         * jit/JITWorklist.cpp:
1924         (JSC::JITWorklist::compileNow):
1925         * jsc.cpp:
1926         (WTF::RuntimeArray::create):
1927         (WTF::RuntimeArray::getOwnPropertySlot):
1928         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1929         (WTF::DOMJITFunctionObject::unsafeFunction):
1930         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1931         (GlobalObject::moduleLoaderFetch):
1932         (functionDumpCallFrame):
1933         (functionCreateRoot):
1934         (functionGetElement):
1935         (functionSetElementRoot):
1936         (functionCreateSimpleObject):
1937         (functionSetHiddenValue):
1938         (functionCreateProxy):
1939         (functionCreateImpureGetter):
1940         (functionCreateCustomGetterObject):
1941         (functionCreateDOMJITNodeObject):
1942         (functionCreateDOMJITGetterObject):
1943         (functionCreateDOMJITGetterComplexObject):
1944         (functionCreateDOMJITFunctionObject):
1945         (functionCreateDOMJITCheckSubClassObject):
1946         (functionGCAndSweep):
1947         (functionFullGC):
1948         (functionEdenGC):
1949         (functionHeapSize):
1950         (functionShadowChickenFunctionsOnStack):
1951         (functionSetGlobalConstRedeclarationShouldNotThrow):
1952         (functionJSCOptions):
1953         (functionFailNextNewCodeBlock):
1954         (functionMakeMasquerader):
1955         (functionDumpTypesForAllVariables):
1956         (functionFindTypeForExpression):
1957         (functionReturnTypeFor):
1958         (functionDumpBasicBlockExecutionRanges):
1959         (functionBasicBlockExecutionCount):
1960         (functionDrainMicrotasks):
1961         (functionGenerateHeapSnapshot):
1962         (functionEnsureArrayStorage):
1963         (functionStartSamplingProfiler):
1964         (runInteractive):
1965         * llint/LLIntSlowPaths.cpp:
1966         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1967         * parser/ModuleAnalyzer.cpp:
1968         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1969         * profiler/ProfilerBytecode.cpp:
1970         (JSC::Profiler::Bytecode::toJS const):
1971         * profiler/ProfilerBytecodeSequence.cpp:
1972         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1973         * profiler/ProfilerBytecodes.cpp:
1974         (JSC::Profiler::Bytecodes::toJS const):
1975         * profiler/ProfilerCompilation.cpp:
1976         (JSC::Profiler::Compilation::toJS const):
1977         * profiler/ProfilerCompiledBytecode.cpp:
1978         (JSC::Profiler::CompiledBytecode::toJS const):
1979         * profiler/ProfilerDatabase.cpp:
1980         (JSC::Profiler::Database::toJS const):
1981         * profiler/ProfilerEvent.cpp:
1982         (JSC::Profiler::Event::toJS const):
1983         * profiler/ProfilerOSRExit.cpp:
1984         (JSC::Profiler::OSRExit::toJS const):
1985         * profiler/ProfilerOrigin.cpp:
1986         (JSC::Profiler::Origin::toJS const):
1987         * profiler/ProfilerProfiledBytecodes.cpp:
1988         (JSC::Profiler::ProfiledBytecodes::toJS const):
1989         * runtime/AbstractModuleRecord.cpp:
1990         (JSC::identifierToJSValue):
1991         (JSC::AbstractModuleRecord::resolveExportImpl):
1992         (JSC::getExportedNames):
1993         * runtime/ArrayPrototype.cpp:
1994         (JSC::arrayProtoFuncToString):
1995         (JSC::arrayProtoFuncToLocaleString):
1996         * runtime/BooleanConstructor.cpp:
1997         (JSC::constructBooleanFromImmediateBoolean):
1998         * runtime/CallData.cpp:
1999         (JSC::call):
2000         * runtime/CommonSlowPaths.cpp:
2001         (JSC::SLOW_PATH_DECL):
2002         * runtime/CommonSlowPaths.h:
2003         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2004         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2005         * runtime/Completion.cpp:
2006         (JSC::checkSyntax):
2007         (JSC::evaluate):
2008         (JSC::loadAndEvaluateModule):
2009         (JSC::loadModule):
2010         (JSC::linkAndEvaluateModule):
2011         (JSC::importModule):
2012         * runtime/ConstructData.cpp:
2013         (JSC::construct):
2014         * runtime/DatePrototype.cpp:
2015         (JSC::dateProtoFuncToJSON):
2016         * runtime/DirectArguments.h:
2017         (JSC::DirectArguments::length const):
2018         * runtime/DirectEvalExecutable.cpp:
2019         (JSC::DirectEvalExecutable::create):
2020         * runtime/ErrorPrototype.cpp:
2021         (JSC::errorProtoFuncToString):
2022         * runtime/ExceptionHelpers.cpp:
2023         (JSC::createUndefinedVariableError):
2024         (JSC::errorDescriptionForValue):
2025         * runtime/FunctionConstructor.cpp:
2026         (JSC::constructFunction):
2027         * runtime/GenericArgumentsInlines.h:
2028         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2029         * runtime/IdentifierInlines.h:
2030         (JSC::Identifier::add):
2031         * runtime/IndirectEvalExecutable.cpp:
2032         (JSC::IndirectEvalExecutable::create):
2033         * runtime/InternalFunction.cpp:
2034         (JSC::InternalFunction::finishCreation):
2035         (JSC::InternalFunction::createSubclassStructureSlow):
2036         * runtime/JSArray.cpp:
2037         (JSC::JSArray::getOwnPropertySlot):
2038         (JSC::JSArray::put):
2039         (JSC::JSArray::deleteProperty):
2040         (JSC::JSArray::getOwnNonIndexPropertyNames):
2041         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2042         * runtime/JSArray.h:
2043         (JSC::JSArray::shiftCountForShift):
2044         * runtime/JSCJSValue.cpp:
2045         (JSC::JSValue::dumpForBacktrace const):
2046         * runtime/JSDataView.cpp:
2047         (JSC::JSDataView::getOwnPropertySlot):
2048         (JSC::JSDataView::deleteProperty):
2049         (JSC::JSDataView::getOwnNonIndexPropertyNames):
2050         * runtime/JSFunction.cpp:
2051         (JSC::JSFunction::getOwnPropertySlot):
2052         (JSC::JSFunction::deleteProperty):
2053         (JSC::JSFunction::reifyName):
2054         * runtime/JSGlobalObjectFunctions.cpp:
2055         (JSC::globalFuncEval):
2056         * runtime/JSInternalPromise.cpp:
2057         (JSC::JSInternalPromise::then):
2058         * runtime/JSLexicalEnvironment.cpp:
2059         (JSC::JSLexicalEnvironment::deleteProperty):
2060         * runtime/JSMap.cpp:
2061         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2062         * runtime/JSMapIterator.h:
2063         (JSC::JSMapIterator::advanceIter):
2064         * runtime/JSModuleEnvironment.cpp:
2065         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2066         * runtime/JSModuleLoader.cpp:
2067         (JSC::printableModuleKey):
2068         (JSC::JSModuleLoader::provide):
2069         (JSC::JSModuleLoader::loadAndEvaluateModule):
2070         (JSC::JSModuleLoader::loadModule):
2071         (JSC::JSModuleLoader::linkAndEvaluateModule):
2072         (JSC::JSModuleLoader::requestImportModule):
2073         * runtime/JSModuleNamespaceObject.h:
2074         * runtime/JSModuleRecord.cpp:
2075         (JSC::JSModuleRecord::evaluate):
2076         * runtime/JSONObject.cpp:
2077         (JSC::Stringifier::Stringifier):
2078         (JSC::Stringifier::appendStringifiedValue):
2079         (JSC::Stringifier::Holder::appendNextProperty):
2080         * runtime/JSObject.cpp:
2081         (JSC::JSObject::calculatedClassName):
2082         (JSC::JSObject::putByIndex):
2083         (JSC::JSObject::ordinaryToPrimitive const):
2084         (JSC::JSObject::toPrimitive const):
2085         (JSC::JSObject::hasInstance):
2086         (JSC::JSObject::getOwnPropertyNames):
2087         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2088         (JSC::getCustomGetterSetterFunctionForGetterSetter):
2089         (JSC::JSObject::getOwnPropertyDescriptor):
2090         (JSC::JSObject::getMethod):
2091         * runtime/JSObject.h:
2092         (JSC::JSObject::createRawObject):
2093         (JSC::JSFinalObject::create):
2094         * runtime/JSObjectInlines.h:
2095         (JSC::JSObject::canPerformFastPutInline):
2096         (JSC::JSObject::putInlineForJSObject):
2097         (JSC::JSObject::hasOwnProperty const):
2098         * runtime/JSScope.cpp:
2099         (JSC::isUnscopable):
2100         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2101         * runtime/JSSet.cpp:
2102         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2103         * runtime/JSSetIterator.h:
2104         (JSC::JSSetIterator::advanceIter):
2105         * runtime/JSString.cpp:
2106         (JSC::JSString::getStringPropertyDescriptor):
2107         * runtime/JSString.h:
2108         (JSC::JSString::getStringPropertySlot):
2109         * runtime/MapConstructor.cpp:
2110         (JSC::constructMap):
2111         * runtime/ModuleProgramExecutable.cpp:
2112         (JSC::ModuleProgramExecutable::create):
2113         * runtime/ObjectPrototype.cpp:
2114         (JSC::objectProtoFuncToLocaleString):
2115         * runtime/ProgramExecutable.h:
2116         * runtime/RegExpObject.cpp:
2117         (JSC::RegExpObject::getOwnPropertySlot):
2118         (JSC::RegExpObject::deleteProperty):
2119         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2120         (JSC::RegExpObject::getPropertyNames):
2121         (JSC::RegExpObject::getGenericPropertyNames):
2122         (JSC::RegExpObject::put):
2123         * runtime/ScopedArguments.h:
2124         (JSC::ScopedArguments::length const):
2125         * runtime/StrictEvalActivation.h:
2126         (JSC::StrictEvalActivation::create):
2127         * runtime/StringObject.cpp:
2128         (JSC::isStringOwnProperty):
2129         (JSC::StringObject::deleteProperty):
2130         (JSC::StringObject::getOwnNonIndexPropertyNames):
2131         * tools/JSDollarVMPrototype.cpp:
2132         (JSC::JSDollarVMPrototype::gc):
2133         (JSC::JSDollarVMPrototype::edenGC):
2134         * wasm/js/WebAssemblyModuleRecord.cpp:
2135         (JSC::WebAssemblyModuleRecord::evaluate):
2136
2137 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2138
2139         [DFG] NewArrayWithSize(size)'s size does not care negative zero
2140         https://bugs.webkit.org/show_bug.cgi?id=176300
2141
2142         Reviewed by Saam Barati.
2143
2144         NewArrayWithSize(size)'s size does not care about negative zero, the
2145         same as NewTypedArray. We propagate this information in
2146         DFGBackwardsPropagationPhase. This removes the negative zero check in
2147         kraken fft's deinterleave function.
2148
2149         * dfg/DFGBackwardsPropagationPhase.cpp:
2150         (JSC::DFG::BackwardsPropagationPhase::propagate):
2151
2152 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2153
2154         [DFG] PutByVal with Array::Generic is too generic
2155         https://bugs.webkit.org/show_bug.cgi?id=176345
2156
2157         Reviewed by Filip Pizlo.
2158
2159         Our DFG/FTL's PutByVal with Array::Generic is implemented too generically.
2160         We could have the case like,
2161
2162             dst[key] = src[key];
2163
2164         with string or symbol keys. But they are handled in the slow path.
2165         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
2166         to optimized path that does not have generic checks like (isInt32() / isDouble() etc.).
2167
2168         This improves SixSpeed object-assign.es5 by 9.1%.
2169
2170         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
2171
2172         * dfg/DFGFixupPhase.cpp:
2173         (JSC::DFG::FixupPhase::fixupNode):
2174         * dfg/DFGOperations.cpp:
2175         (JSC::DFG::putByVal):
2176         (JSC::DFG::putByValInternal):
2177         (JSC::DFG::putByValCellInternal):
2178         (JSC::DFG::putByValCellStringInternal):
2179         (JSC::DFG::operationPutByValInternal): Deleted.
2180         * dfg/DFGOperations.h:
2181         * dfg/DFGSpeculativeJIT.cpp:
2182         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
2183         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
2184         * dfg/DFGSpeculativeJIT.h:
2185         (JSC::DFG::SpeculativeJIT::callOperation):
2186         * dfg/DFGSpeculativeJIT32_64.cpp:
2187         (JSC::DFG::SpeculativeJIT::compile):
2188         * dfg/DFGSpeculativeJIT64.cpp:
2189         (JSC::DFG::SpeculativeJIT::compile):
2190         * ftl/FTLLowerDFGToB3.cpp:
2191         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2192         * jit/JITOperations.h:
2193
2194 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2195
2196         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
2197         https://bugs.webkit.org/show_bug.cgi?id=176590
2198
2199         Reviewed by Saam Barati.
2200
2201         We add fixup edges for GetByVal(Array::Generic) to call faster operation instead of generic operationGetByVal.
2202
2203                                          baseline                  patched
2204
2205         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
2206         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
2207
2208         * dfg/DFGFixupPhase.cpp:
2209         (JSC::DFG::FixupPhase::fixupNode):
2210         * dfg/DFGOperations.cpp:
2211         (JSC::DFG::getByValObject):
2212         * dfg/DFGOperations.h:
2213         * dfg/DFGSpeculativeJIT.cpp:
2214         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
2215         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
2216         * dfg/DFGSpeculativeJIT.h:
2217         * dfg/DFGSpeculativeJIT32_64.cpp:
2218         (JSC::DFG::SpeculativeJIT::compile):
2219         * dfg/DFGSpeculativeJIT64.cpp:
2220         (JSC::DFG::SpeculativeJIT::compile):
2221         * ftl/FTLLowerDFGToB3.cpp:
2222         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
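
        The following is an added example, not part of this ChangeLog or of JSC: an
        ES5-style Object.assign written around the `dst[key] = src[key]` pattern that
        the two entries above (PutByVal and GetByVal with String/Symbol keys) optimize.
        It copies both string-keyed and Symbol-keyed own enumerable properties. The
        "__proto__" guard goes beyond what the entries discuss: an own "__proto__" key
        (as JSON.parse produces) would otherwise reach the inherited setter and swap
        the target's prototype instead of being copied. `assignOwnProperties`, `demo`
        and `TAG` are names chosen for this example.

```javascript
'use strict';

// Added example (not JSC code): ES5-style Object.assign that copies own
// enumerable properties, including Symbol-keyed ones, with `dst[key] = src[key]`.
function assignOwnProperties(dst, ...sources) {
  for (const src of sources) {
    if (src === null || src === undefined) continue;
    const obj = Object(src);
    // String keys first, then Symbol keys, as Object.assign orders them.
    const keys = Object.getOwnPropertyNames(obj)
      .concat(Object.getOwnPropertySymbols(obj));
    for (const key of keys) {
      // Beyond the entry: an own "__proto__" key (e.g. from JSON.parse) is not
      // copied as a property by `dst[key] = ...`; it invokes the inherited
      // __proto__ setter and replaces dst's prototype. Skip it.
      if (key === '__proto__') continue;
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if (desc && desc.enumerable) {
        dst[key] = src[key]; // PutByVal(dst, key) with a String or Symbol key
      }
    }
  }
  return dst;
}

const TAG = Symbol('tag');

// Constructed sample input: one string key, one Symbol key, one non-enumerable key.
function demo() {
  const source = { a: 1, [TAG]: 'tagged' };
  Object.defineProperty(source, 'hidden', { value: 42, enumerable: false });
  return assignOwnProperties({}, source, { b: 2 });
}

// Constructed untrusted input carrying an own "__proto__" key.
function demoProtoGuard() {
  const untrusted = JSON.parse('{"__proto__":{"polluted":true},"ok":1}');
  return assignOwnProperties({}, untrusted);
}
```

        Only enumerable own properties are copied, so `hidden` stays behind, while the
        Symbol-keyed `TAG` property is copied like any string-keyed one.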
2223
2224 2017-09-07  Mark Lam  <mark.lam@apple.com>
2225
2226         Use JIT probes for DFG OSR exit.
2227         https://bugs.webkit.org/show_bug.cgi?id=175144
2228         <rdar://problem/33437050>
2229
2230         Reviewed by Saam Barati.
2231
2232         This patch does the following:
2233         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
2234            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
2235            unique OSR off-ramp for each DFG OSR exit site, osrExitThunkGenerator()
2236            generates a thunk that just executes the OSR exit.
2237
2238            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
2239            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
2240            CPU registers, and providing the Probe::Stack mechanism for modifying the
2241            stack frame.
2242
2243            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
2244            OSRExit::compileExit().  It is basically a re-write of those functions to
2245            execute the OSR exit work instead of compiling code to execute the work.
2246
2247            As a result, we get the following savings:
2248            a. no more OSR exit ramp compilation time.
2249            b. no use of JIT executable memory for storing each unique OSR exit ramp.
2250
2251            On the negative side, we incur these costs:
2252
2253            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
2254               version of the ramp.  However, OSR exits are rare.  Hence, this small
2255               difference should not matter much.  It is also offset by the savings from
2256               (a).
2257
2258            d. the Probe::Stack allocates 1K pages for memory for buffering stack
2259               modifications.  The number of these pages depends on the span of stack memory
2260               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
2261               tends to only modify values in the current DFG frame and the current
2262               VMEntryRecord, the number of pages tends to only be 1 or 2.
2263
2264               Using the jsc tests as a workload, the vast majority of tests that do OSR
2265               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
2266               A few tests that are pathological use up to 14 pages, and one particularly
2267               bad test (function-apply-many-args.js) uses 513 pages.
2268
2269            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
2270            only executed once to compute some values for the exit site that is used by
2271            all exit operations from that site, and a 2nd part to execute the exit.  The
2272            1st part is protected by checking whether exit.exitState has already been
2273            initialized.  The computed values are cached in exit.exitState.
2274
2275            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
2276            longer need the facility to patch the site that jumps to the OSR exit ramp.
2277            The DFG::JITCompiler has been modified to remove this patching code.
2278
2279         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
2280            std::memcpy to avoid strict aliasing issues.
2281
2282            Also optimized the implementation of Probe::Stack::physicalAddressFor().
2283
2284         3. Miscellaneous convenience methods added to make the Probe::Context easier to
2285            use.
2286
2287         4. Added a Probe::Frame class that makes it easier to get/set operands and
2288            arguments in a given frame using the deferred write properties of the
2289            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
2290            the OSR exit ramp.
2291
2292         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
2293            JIT versions of these functions are still left in place because they are still
2294            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
2295            These functions include:
2296
2297            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
2298                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
2299            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
2300                DFGOSRExit.cpp's reifyInlinedCallFrames()
2301            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
2302                DFGOSRExit.cpp's adjustAndJumpToTarget()
2303
2304            MethodOfGettingAValueProfile::emitReportValue() ==>
2305                MethodOfGettingAValueProfile::reportValue()
2306
2307            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
2308                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
2309            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
2310                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
2311
2312         * JavaScriptCore.xcodeproj/project.pbxproj:
2313         * assembler/MacroAssembler.cpp:
2314         (JSC::stdFunctionCallback):
2315         * assembler/MacroAssemblerPrinter.cpp:
2316         (JSC::Printer::printCallback):
2317         * assembler/ProbeContext.h:
2318         (JSC::Probe::CPUState::gpr const):
2319         (JSC::Probe::CPUState::spr const):
2320         (JSC::Probe::Context::Context):
2321         (JSC::Probe::Context::arg):
2322         (JSC::Probe::Context::gpr):
2323         (JSC::Probe::Context::spr):
2324         (JSC::Probe::Context::fpr):
2325         (JSC::Probe::Context::gprName):
2326         (JSC::Probe::Context::sprName):
2327         (JSC::Probe::Context::fprName):
2328         (JSC::Probe::Context::gpr const):
2329         (JSC::Probe::Context::spr const):
2330         (JSC::Probe::Context::fpr const):
2331         (JSC::Probe::Context::pc):
2332         (JSC::Probe::Context::fp):
2333         (JSC::Probe::Context::sp):
2334         (JSC::Probe:: const): Deleted.
2335         * assembler/ProbeFrame.h: Added.
2336         (JSC::Probe::Frame::Frame):
2337         (JSC::Probe::Frame::getArgument):
2338         (JSC::Probe::Frame::getOperand):
2339         (JSC::Probe::Frame::get):
2340         (JSC::Probe::Frame::setArgument):
2341         (JSC::Probe::Frame::setOperand):
2342         (JSC::Probe::Frame::set):
2343         * assembler/ProbeStack.cpp:
2344         (JSC::Probe::Page::Page):
2345         * assembler/ProbeStack.h:
2346         (JSC::Probe::Page::get):
2347         (JSC::Probe::Page::set):
2348         (JSC::Probe::Page::physicalAddressFor):
2349         (JSC::Probe::Stack::lowWatermark):
2350         (JSC::Probe::Stack::get):
2351         (JSC::Probe::Stack::set):
2352         * bytecode/ArithProfile.cpp:
2353         * bytecode/ArithProfile.h:
2354         * bytecode/ArrayProfile.h:
2355         (JSC::ArrayProfile::observeArrayMode):
2356         * bytecode/CodeBlock.cpp:
2357         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2358         * bytecode/CodeBlock.h:
2359         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2360         * bytecode/ExecutionCounter.h:
2361         (JSC::ExecutionCounter::hasCrossedThreshold const):
2362         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2363         * bytecode/MethodOfGettingAValueProfile.cpp:
2364         (JSC::MethodOfGettingAValueProfile::reportValue):
2365         * bytecode/MethodOfGettingAValueProfile.h:
2366         * dfg/DFGDriver.cpp:
2367         (JSC::DFG::compileImpl):
2368         * dfg/DFGJITCode.cpp:
2369         (JSC::DFG::JITCode::findPC): Deleted.
2370         * dfg/DFGJITCode.h:
2371         * dfg/DFGJITCompiler.cpp:
2372         (JSC::DFG::JITCompiler::linkOSRExits):
2373         (JSC::DFG::JITCompiler::link):
2374         * dfg/DFGOSRExit.cpp:
2375         (JSC::DFG::jsValueFor):
2376         (JSC::DFG::restoreCalleeSavesFor):
2377         (JSC::DFG::saveCalleeSavesFor):
2378         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2379         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2380         (JSC::DFG::saveOrCopyCalleeSavesFor):
2381         (JSC::DFG::createDirectArgumentsDuringExit):
2382         (JSC::DFG::createClonedArgumentsDuringExit):
2383         (JSC::DFG::OSRExit::OSRExit):
2384         (JSC::DFG::emitRestoreArguments):
2385         (JSC::DFG::OSRExit::executeOSRExit):
2386         (JSC::DFG::reifyInlinedCallFrames):
2387         (JSC::DFG::adjustAndJumpToTarget):
2388         (JSC::DFG::printOSRExit):
2389         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2390         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2391         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2392         (JSC::DFG::OSRExit::correctJump): Deleted.
2393         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2394         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2395         (JSC::DFG::OSRExit::compileExit): Deleted.
2396         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2397         * dfg/DFGOSRExit.h:
2398         (JSC::DFG::OSRExitState::OSRExitState):
2399         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2400         * dfg/DFGOSRExitCompilerCommon.cpp:
2401         * dfg/DFGOSRExitCompilerCommon.h:
2402         * dfg/DFGOperations.cpp:
2403         * dfg/DFGOperations.h:
2404         * dfg/DFGThunks.cpp:
2405         (JSC::DFG::osrExitThunkGenerator):
2406         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2407         * dfg/DFGThunks.h:
2408         * jit/AssemblyHelpers.cpp:
2409         (JSC::AssemblyHelpers::debugCall): Deleted.
2410         * jit/AssemblyHelpers.h:
2411         * jit/JITOperations.cpp:
2412         * jit/JITOperations.h:
2413         * profiler/ProfilerOSRExit.h:
2414         (JSC::Profiler::OSRExit::incCount):
2415         * runtime/JSCJSValue.h:
2416         * runtime/JSCJSValueInlines.h:
2417         * runtime/VM.h:
2418
2419 2017-09-07  Michael Saboff  <msaboff@apple.com>
2420
2421         Add support for RegExp named capture groups
2422         https://bugs.webkit.org/show_bug.cgi?id=176435
2423
2424         Reviewed by Filip Pizlo.
2425
2426         Added parsing for both naming a captured parenthesis as well as using a named group in
2427         a back reference.  Also added support for using named groups with String.prototype.replace().
2428
2429         This patch does not throw Syntax Errors as described in the current spec text for the two
2430         cases of malformed back references in String.prototype.replace() as I believe that it
2431         is inconsistent with the current semantics for handling of other malformed replacement
2432         tokens.  I filed an issue for the requested change to the proposed spec and also filed
2433         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
2434
2435         This patch does not implement strength reduction in the optimizing JITs for named capture
2436         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
2437
2438         * dfg/DFGAbstractInterpreterInlines.h:
2439         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2440         * dfg/DFGStrengthReductionPhase.cpp:
2441         (JSC::DFG::StrengthReductionPhase::handleNode):
2442         * runtime/CommonIdentifiers.h:
2443         * runtime/JSGlobalObject.cpp:
2444         (JSC::JSGlobalObject::init):
2445         (JSC::JSGlobalObject::haveABadTime):
2446         * runtime/JSGlobalObject.h:
2447         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
2448         * runtime/RegExp.cpp:
2449         (JSC::RegExp::finishCreation):
2450         * runtime/RegExp.h:
2451         * runtime/RegExpMatchesArray.cpp:
2452         (JSC::createStructureImpl):
2453         (JSC::createRegExpMatchesArrayWithGroupsStructure):
2454         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
2455         * runtime/RegExpMatchesArray.h:
2456         (JSC::createRegExpMatchesArray):
2457         * runtime/StringPrototype.cpp:
2458         (JSC::substituteBackreferencesSlow):
2459         (JSC::replaceUsingRegExpSearch):
2460         * yarr/YarrParser.h:
2461         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
2462         (JSC::Yarr::Parser::parseEscape):
2463         (JSC::Yarr::Parser::parseParenthesesBegin):
2464         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
2465         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
2466         (JSC::Yarr::Parser::isIdentifierStart):
2467         (JSC::Yarr::Parser::isIdentifierPart):
2468         (JSC::Yarr::Parser::tryConsumeGroupName):
2469         * yarr/YarrPattern.cpp:
2470         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2471         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
2472         (JSC::Yarr::YarrPattern::errorMessage):
2473         * yarr/YarrPattern.h:
2474         (JSC::Yarr::YarrPattern::reset):
2475         * yarr/YarrSyntaxChecker.cpp:
2476         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
2477         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
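
        An added example, not from this ChangeLog or from JSC, of the features the entry
        above describes as seen from script: a named group, a `\k<name>` back reference,
        the `groups` object on a match, and `$<name>` substitutions in
        String.prototype.replace(). The last function exercises the two malformed
        replacement forms the entry discusses (a group name that does not exist, and a
        `$<` with no closing `>`); in the behaviour described above, and in the
        specification as finalized, neither throws: the first substitutes the empty
        string and the second is copied through literally. `DATE_RE`, `QUOTED_RE` and
        the function names are chosen for this example.

```javascript
'use strict';

// Added example (not JSC code): RegExp named capture groups from script.

// Named groups for the three fields of an ISO date.
const DATE_RE = /^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})$/;

function parseIsoDate(text) {
  const m = DATE_RE.exec(text);
  if (m === null) return null;
  // m.groups holds the named captures keyed by group name.
  const { year, month, day } = m.groups;
  return { year: Number(year), month: Number(month), day: Number(day) };
}

// \k<quote> is a named back reference: the closing quote must be the same
// character that opened the string, so a stray apostrophe cannot pair with '"'.
const QUOTED_RE = /(?<quote>["'])(?<body>.*?)\k<quote>/;

function unquote(text) {
  const m = QUOTED_RE.exec(text);
  return m === null ? null : m.groups.body;
}

// $<name> in the replacement string refers to a named group.
function toUsDate(isoText) {
  return isoText.replace(DATE_RE, '$<month>/$<day>/$<year>');
}

// Malformed replacement forms: an unknown group name substitutes the empty
// string; '$<' without a closing '>' is copied through as literal text.
function malformedReplacements(isoText) {
  return {
    unknownGroup: isoText.replace(DATE_RE, '[$<nope>]'),
    unterminated: isoText.replace(DATE_RE, '[$<year'),
  };
}
```

        The back-reference regex is the case worth keeping in mind when named groups
        are used for input validation: `\k<quote>` constrains the match to the opening
        quote character, which a plain `["']` at the end would not.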
2478
2479 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
2480
2481         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
2482         https://bugs.webkit.org/show_bug.cgi?id=176561
2483
2484         Reviewed by Brent Fulgham.
2485
2486         * runtime/IntlObject.cpp:
2487         (JSC::defaultLocale):
2488
2489 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2490
2491         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
2492         https://bugs.webkit.org/show_bug.cgi?id=176563
2493         <rdar://problem/19639583>
2494
2495         Reviewed by Matt Baker.
2496
2497         * inspector/protocol/DOM.json:
2498         Add an event that is useful for augmented inspectors to inspect
2499         a node. Web pages will still prefer Inspector.inspect.
2500
2501 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2502
2503         [JSC] Remove "malloc" and "free" from JSC/API
2504         https://bugs.webkit.org/show_bug.cgi?id=176331
2505
2506         Reviewed by Keith Miller.
2507
2508         Remove "malloc" and "free" manual calls in JSC/API.
2509
2510         * API/JSValue.mm:
2511         (createStructHandlerMap):
2512         * API/JSWrapperMap.mm:
2513         (parsePropertyAttributes):
2514         (makeSetterName):
2515         (copyPrototypeProperties):
2516         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
2517
2518         * API/ObjcRuntimeExtras.h:
2519         (adoptSystem):
2520         Add adoptSystem to automate calling system free().
2521
2522         (protocolImplementsProtocol):
2523         (forEachProtocolImplementingProtocol):
2524         (forEachMethodInClass):
2525         (forEachMethodInProtocol):
2526         (forEachPropertyInProtocol):
2527         (StringRange::StringRange):
2528         (StringRange::operator const char* const):
2529         (StringRange::get const):
2530         Use CString for backend.
2531
2532         (StructBuffer::StructBuffer):
2533         (StructBuffer::~StructBuffer):
2534         (StringRange::~StringRange): Deleted.
2535         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
2536
2537 2017-09-06  Mark Lam  <mark.lam@apple.com>
2538
2539         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2540         https://bugs.webkit.org/show_bug.cgi?id=176485
2541         <rdar://problem/33898874>
2542
2543         Reviewed by Keith Miller.
2544
2545         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2546         (JSC::constructGenericTypedArrayViewWithArguments):
2547
2548 2017-09-06  Saam Barati  <sbarati@apple.com>
2549
2550         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
2551         https://bugs.webkit.org/show_bug.cgi?id=176346
2552
2553         Reviewed by Mark Lam.
2554
2555         * b3/B3Procedure.cpp:
2556         (JSC::B3::Procedure::Procedure):
2557         (JSC::B3::Procedure::setNumEntrypoints):
2558         * b3/B3Procedure.h:
2559         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
2560         * b3/air/AirCode.cpp:
2561         (JSC::B3::Air::defaultPrologueGenerator):
2562         (JSC::B3::Air::Code::Code):
2563         (JSC::B3::Air::Code::setNumEntrypoints):
2564         * b3/air/AirCode.h:
2565         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2566         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2567         (JSC::B3::Air::Code::setEntrypoints):
2568         (JSC::B3::Air::Code::setEntrypointLabels):
2569         * b3/air/AirGenerate.cpp:
2570         (JSC::B3::Air::generate):
2571         * ftl/FTLLowerDFGToB3.cpp:
2572         (JSC::FTL::DFG::LowerDFGToB3::lower):
2573
2574 2017-09-06  Saam Barati  <sbarati@apple.com>
2575
2576         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
2577         https://bugs.webkit.org/show_bug.cgi?id=176470
2578
2579         Reviewed by Mark Lam.
2580
2581         Update Node::convertToCheckStructureImmediate's assertion to allow
2582         the node to either be a CheckStructure or CheckStructureOrEmpty.
2583
2584         * dfg/DFGNode.h:
2585         (JSC::DFG::Node::convertToCheckStructureImmediate):
2586
2587 2017-09-05  Saam Barati  <sbarati@apple.com>
2588
2589         isNotCellSpeculation is wrong with respect to SpecEmpty
2590         https://bugs.webkit.org/show_bug.cgi?id=176429
2591
2592         Reviewed by Michael Saboff.
2593
2594         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
2595         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
2596         the empty value will fail a NotCell check. This bug would cause us to erroneously
2597         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
2598
2599         * bytecode/SpeculatedType.h:
2600         (JSC::isNotCellSpeculation):
2601
2602 2017-09-05  Saam Barati  <sbarati@apple.com>
2603
2604         Make the distinction between entrypoints and CFG roots more clear by naming things better
2605         https://bugs.webkit.org/show_bug.cgi?id=176336
2606
2607         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
2608
2609         This patch does renaming to make the distinction between Graph::m_entrypoints
2610         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
2611         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
2612         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
2613         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
2614         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
2615         field to m_rootToArguments.
2616         
2617         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
2618         when compiling with EntrySwitch. It represents the logical number of entrypoints
2619         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
2620         cases.
2621
2622         * dfg/DFGByteCodeParser.cpp:
2623         (JSC::DFG::ByteCodeParser::parseBlock):
2624         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2625         * dfg/DFGCFG.h:
2626         (JSC::DFG::CFG::roots):
2627         (JSC::DFG::CPSCFG::CPSCFG):
2628         * dfg/DFGCPSRethreadingPhase.cpp:
2629         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2630         * dfg/DFGDCEPhase.cpp:
2631         (JSC::DFG::DCEPhase::run):
2632         * dfg/DFGGraph.cpp:
2633         (JSC::DFG::Graph::dump):
2634         (JSC::DFG::Graph::determineReachability):
2635         (JSC::DFG::Graph::blocksInPreOrder):
2636         (JSC::DFG::Graph::blocksInPostOrder):
2637         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2638         * dfg/DFGGraph.h:
2639         (JSC::DFG::Graph::isRoot):
2640         (JSC::DFG::Graph::isEntrypoint): Deleted.
2641         * dfg/DFGInPlaceAbstractState.cpp:
2642         (JSC::DFG::InPlaceAbstractState::initialize):
2643         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2644         (JSC::DFG::createPreHeader):
2645         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2646         (JSC::DFG::MaximalFlushInsertionPhase::run):
2647         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2648         * dfg/DFGOSREntrypointCreationPhase.cpp:
2649         (JSC::DFG::OSREntrypointCreationPhase::run):
2650         * dfg/DFGPredictionInjectionPhase.cpp:
2651         (JSC::DFG::PredictionInjectionPhase::run):
2652         * dfg/DFGSSAConversionPhase.cpp:
2653         (JSC::DFG::SSAConversionPhase::run):
2654         * dfg/DFGSpeculativeJIT.cpp:
2655         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2656         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2657         * dfg/DFGTypeCheckHoistingPhase.cpp:
2658         (JSC::DFG::TypeCheckHoistingPhase::run):
2659         * dfg/DFGValidate.cpp:
2660
2661 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2662
2663         test262: Completion values for control flow do not match the spec
2664         https://bugs.webkit.org/show_bug.cgi?id=171265
2665
2666         Reviewed by Saam Barati.
2667
2668         * bytecompiler/BytecodeGenerator.h:
2669         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2670         When we care about having proper completion values (global code
2671         in programs, modules, and eval) insert undefined results for
2672         control flow statements.
2673
2674         * bytecompiler/NodesCodegen.cpp:
2675         (JSC::SourceElements::emitBytecode):
2676         Reduce writing a default `undefined` value to the completion result to
2677         only once before the last statement we know will produce a value.
2678
2679         (JSC::IfElseNode::emitBytecode):
2680         (JSC::WithNode::emitBytecode):
2681         (JSC::WhileNode::emitBytecode):
2682         (JSC::ForNode::emitBytecode):
2683         (JSC::ForInNode::emitBytecode):
2684         (JSC::ForOfNode::emitBytecode):
2685         (JSC::SwitchNode::emitBytecode):
2686         Insert an undefined to handle cases where code may break out of an
2687         if/else or with statement (break/continue).
2688
2689         (JSC::TryNode::emitBytecode):
2690         Same handling for break cases. Also, finally block statement completion
2691         values are always ignored for the try statement result.
2692
2693         (JSC::ClassDeclNode::emitBytecode):
2694         Class declarations, like function declarations, produce an empty result.
2695
2696         * parser/Nodes.cpp:
2697         (JSC::SourceElements::lastStatement):
2698         (JSC::SourceElements::hasCompletionValue):
2699         (JSC::SourceElements::hasEarlyBreakOrContinue):
2700         (JSC::BlockNode::lastStatement):
2701         (JSC::BlockNode::singleStatement):
2702         (JSC::BlockNode::hasCompletionValue):
2703         (JSC::BlockNode::hasEarlyBreakOrContinue):
2704         (JSC::ScopeNode::singleStatement):
2705         (JSC::ScopeNode::hasCompletionValue):
2706         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2707         The only non-trivial cases need to loop through their list of statements
2708         to determine if this has a completion value or not. Likewise for
2709         determining if there is an early break / continue, meaning a break or
2710         continue statement with no preceding statement that has a completion value.
2711
2712         * parser/Nodes.h:
2713         (JSC::StatementNode::next):
2714         (JSC::StatementNode::hasCompletionValue):
2715         Helper to check if a statement node produces a completion value or not.
2716
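Added example (not part of the WebKit ChangeLog or of the JavaScriptCore sources): the completion values that test262 expects for the control-flow cases this entry lists, observed from JavaScript through an indirect eval. The sources below are constructed for illustration and assume an engine that follows the ES2015+ completion-value rules.

```javascript
// Added example, not part of the WebKit ChangeLog or of JavaScriptCore.
// Global code evaluated through an indirect eval returns its completion value,
// so each case below observes the value that test262 asserts for that statement.

// Indirect eval: the source runs as global (non-strict) code and its completion
// value is the result of the call.
function completionValue(source) {
  return (0, eval)(source);
}

// Constructed cases: [source, expected completion value].
const COMPLETION_CASES = [
  // Declarations have an empty completion, so the earlier value survives.
  ['1; var x = 2;', 1],
  ['1; function f() {}', 1],
  // A block yields the value of its last value-producing statement.
  ['1; { 2; }', 2],
  // An if statement starts from undefined: a branch that produces no value,
  // or a false test with no else, does not let the earlier 1 leak through.
  ['1; if (true) {}', undefined],
  ['1; if (false) { 2; }', undefined],
  // The same holds for a loop whose body never runs.
  ['1; while (false) {}', undefined],
  // A break keeps the value the loop body computed before it.
  ['1; while (true) { 2; break; }', 2],
  // The finally block's completion value never becomes the try statement's.
  ['1; try { 2; } finally { 3; }', 2],
];

// Evaluates every case and reports whether the engine matches the expectation.
function checkCompletionValues(cases = COMPLETION_CASES) {
  return cases.map(([source, expected]) => {
    const actual = completionValue(source);
    return { source, expected, actual, ok: Object.is(actual, expected) };
  });
}

for (const r of checkCompletionValues()) {
  console.log(`${r.ok ? 'ok  ' : 'FAIL'} ${JSON.stringify(r.source)} -> ${String(r.actual)}`);
}
```
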
2717 2017-09-04  Saam Barati  <sbarati@apple.com>
2718
2719         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2720         https://bugs.webkit.org/show_bug.cgi?id=176317
2721
2722         Reviewed by Keith Miller.
2723
2724         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
2725         the SetLocal of a particular value where the value is the empty JSValue.
2726         On 64-bit platforms, the empty value is zero. This means that the empty value
2727         passes a cell check. This will lead to a crash when we dereference null to load
2728         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
2729         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
2730         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
2731         the empty value to flow through. If the value isn't empty, it'll perform the normal
2732         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
2733         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
2734         value to flow through.
2735
2736         * dfg/DFGAbstractInterpreterInlines.h:
2737         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2738         * dfg/DFGArgumentsEliminationPhase.cpp:
2739         * dfg/DFGClobberize.h:
2740         (JSC::DFG::clobberize):
2741         * dfg/DFGConstantFoldingPhase.cpp:
2742         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2743         * dfg/DFGDoesGC.cpp:
2744         (JSC::DFG::doesGC):
2745         * dfg/DFGFixupPhase.cpp:
2746         (JSC::DFG::FixupPhase::fixupNode):
2747         * dfg/DFGNode.h:
2748         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
2749         (JSC::DFG::Node::hasStructureSet):
2750         * dfg/DFGNodeType.h:
2751         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2752         * dfg/DFGPredictionPropagationPhase.cpp:
2753         * dfg/DFGSafeToExecute.h:
2754         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2755         (JSC::DFG::SafeToExecuteEdge::operator()):
2756         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
2757         (JSC::DFG::safeToExecute):
2758         * dfg/DFGSpeculativeJIT.cpp:
2759         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
2760         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2761         * dfg/DFGSpeculativeJIT.h:
2762         * dfg/DFGSpeculativeJIT32_64.cpp:
2763         (JSC::DFG::SpeculativeJIT::compile):
2764         * dfg/DFGSpeculativeJIT64.cpp:
2765         (JSC::DFG::SpeculativeJIT::compile):
2766         * dfg/DFGTypeCheckHoistingPhase.cpp:
2767         (JSC::DFG::TypeCheckHoistingPhase::run):
2768         * dfg/DFGValidate.cpp:
2769         * ftl/FTLCapabilities.cpp:
2770         (JSC::FTL::canCompile):
2771         * ftl/FTLLowerDFGToB3.cpp:
2772         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2773         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
2774
2775 2017-09-04  Saam Barati  <sbarati@apple.com>
2776
2777         Support compiling catch in the FTL
2778         https://bugs.webkit.org/show_bug.cgi?id=175396
2779
2780         Reviewed by Filip Pizlo.
2781
2782         This patch implements op_catch in the FTL. It extends the DFG implementation
2783         by supporting multiple entrypoints in DFG-SSA. This patch implements this
2784         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
2785         root block with an EntrySwitch that has the previous DFG entrypoints as its
2786         successors. By convention, we pick the zeroth entry point index to be the
2787         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
2788         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
2789         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
2790         SSAConversion creates cannot exit because we would not know where to exit
2791         to in the program: we would not have valid OSR exit state. This design also
2792         mandates that anything we hoist above EntrySwitch in the new root block
2793         cannot exit since they also do not have valid OSR exit state.
2794         
2795         This patch also adds a new metadata node named InitializeEntrypointArguments.
2796         InitializeEntrypointArguments is a metadata node that initializes the flush format for
2797         the arguments at a given entrypoint. For a given entrypoint index, this node
2798         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
2799         is. This allows each individual entrypoint to have an independent set of
2800         argument types. Currently, this won't happen in practice because ArgumentPosition
2801         unifies flush formats, but this is an implementation detail we probably want
2802         to modify in the future. SSAConversion will add InitializeEntrypointArguments
2803         to the beginning of each of the original DFG entrypoint blocks.
2804         
2805         This patch also adds the ability to specify custom prologue code generators in Air.
2806         This allows the FTL to specify a custom prologue for catch entrypoints that
2807         matches the op_catch OSR entry calling convention that the DFG uses. This way,
2808         the baseline JIT code OSR enters into op_catch the same way both in the DFG
2809         and the FTL. In the future, we can use this same mechanism to perform stack
2810         overflow checks instead of using a patchpoint.
2811
2812         * b3/air/AirCode.cpp:
2813         (JSC::B3::Air::Code::isEntrypoint):
2814         (JSC::B3::Air::Code::entrypointIndex):
2815         * b3/air/AirCode.h:
2816         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2817         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2818         * b3/air/AirGenerate.cpp:
2819         (JSC::B3::Air::generate):
2820         * dfg/DFGAbstractInterpreterInlines.h:
2821         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2822         * dfg/DFGBasicBlock.h:
2823         * dfg/DFGByteCodeParser.cpp:
2824         (JSC::DFG::ByteCodeParser::parseBlock):
2825         (JSC::DFG::ByteCodeParser::parse):
2826         * dfg/DFGCFG.h:
2827         (JSC::DFG::selectCFG):
2828         * dfg/DFGClobberize.h:
2829         (JSC::DFG::clobberize):
2830         * dfg/DFGClobbersExitState.cpp:
2831         (JSC::DFG::clobbersExitState):
2832         * dfg/DFGCommonData.cpp:
2833         (JSC::DFG::CommonData::shrinkToFit):
2834         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
2835         * dfg/DFGCommonData.h:
2836         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
2837         (JSC::DFG::CommonData::appendCatchEntrypoint):
2838         * dfg/DFGDoesGC.cpp:
2839         (JSC::DFG::doesGC):
2840         * dfg/DFGFixupPhase.cpp:
2841         (JSC::DFG::FixupPhase::fixupNode):
2842         * dfg/DFGGraph.cpp:
2843         (JSC::DFG::Graph::dump):
2844         (JSC::DFG::Graph::invalidateCFG):
2845         (JSC::DFG::Graph::ensureCPSCFG):
2846         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2847         * dfg/DFGGraph.h:
2848         (JSC::DFG::Graph::isEntrypoint):
2849         * dfg/DFGInPlaceAbstractState.cpp:
2850         (JSC::DFG::InPlaceAbstractState::initialize):
2851         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2852         * dfg/DFGJITCode.cpp:
2853         (JSC::DFG::JITCode::shrinkToFit):
2854         (JSC::DFG::JITCode::finalizeOSREntrypoints):
2855         * dfg/DFGJITCode.h:
2856         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
2857         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
2858         * dfg/DFGJITCompiler.cpp:
2859         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2860         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2861         * dfg/DFGMayExit.cpp:
2862         * dfg/DFGNode.h:
2863         (JSC::DFG::Node::isEntrySwitch):
2864         (JSC::DFG::Node::isTerminal):
2865         (JSC::DFG::Node::entrySwitchData):
2866         (JSC::DFG::Node::numSuccessors):
2867         (JSC::DFG::Node::successor):
2868         (JSC::DFG::Node::entrypointIndex):
2869         * dfg/DFGNodeType.h:
2870         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2871         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2872         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2873         * dfg/DFGOSREntry.cpp:
2874         (JSC::DFG::prepareCatchOSREntry):
2875         * dfg/DFGOSREntry.h:
2876         * dfg/DFGOSREntrypointCreationPhase.cpp:
2877         (JSC::DFG::OSREntrypointCreationPhase::run):
2878         * dfg/DFGPredictionPropagationPhase.cpp:
2879         * dfg/DFGSSAConversionPhase.cpp:
2880         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2881         (JSC::DFG::SSAConversionPhase::run):
2882         * dfg/DFGSafeToExecute.h:
2883         (JSC::DFG::safeToExecute):
2884         * dfg/DFGSpeculativeJIT.cpp:
2885         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2886         * dfg/DFGSpeculativeJIT32_64.cpp:
2887         (JSC::DFG::SpeculativeJIT::compile):
2888         * dfg/DFGSpeculativeJIT64.cpp:
2889         (JSC::DFG::SpeculativeJIT::compile):
2890         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
2891         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2892         * dfg/DFGValidate.cpp:
2893         * ftl/FTLCapabilities.cpp:
2894         (JSC::FTL::canCompile):
2895         * ftl/FTLCompile.cpp:
2896         (JSC::FTL::compile):
2897         * ftl/FTLLowerDFGToB3.cpp:
2898         (JSC::FTL::DFG::LowerDFGToB3::lower):
2899         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2900         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
2901         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2902         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
2903         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2904         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
2905         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2906         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
2907         * ftl/FTLOutput.cpp:
2908         (JSC::FTL::Output::entrySwitch):
2909         * ftl/FTLOutput.h:
2910         * jit/JITOperations.cpp:
2911
2912 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2913
2914         [DFG][FTL] Efficiently execute number#toString()
2915         https://bugs.webkit.org/show_bug.cgi?id=170007
2916
2917         Reviewed by Keith Miller.
2918
2919         In JS, the natural way to convert a number to a string with a radix is `number.toString(radix)`.
2920         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
2921
2922         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
2923         So, in this patch, we first add a fast path for this in the DFG by using a watchpoint. We set up a watchpoint for
2924         Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
2925         speculated as Number, we emit Number-related Checks and convert the GetById to a Number.prototype.toString constant.
2926         It removes the costly GetById slow path, and makes it a non-clobbering node (JSConstant).
2927
2928         In addition, we add a NumberToStringWithValidRadixConstant node. We have a NumberToStringWithRadix node, but it may
2929         throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule
2930         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with a constant
2931         radix, and we can easily figure out that this radix is valid (2 <= radix && radix < 32).
2932         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
2933         It ensures that it has a valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
2934
2935         Added microbenchmarks show performance improvement.
2936
2937                                                       baseline                  patched
2938
2939         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
2940         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
2941         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
2942         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
2943
2944         * dfg/DFGAbstractInterpreterInlines.h:
2945         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2946         * dfg/DFGClobberize.h:
2947         (JSC::DFG::clobberize):
2948         * dfg/DFGConstantFoldingPhase.cpp:
2949         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2950         * dfg/DFGDoesGC.cpp:
2951         (JSC::DFG::doesGC):
2952         * dfg/DFGFixupPhase.cpp:
2953         (JSC::DFG::FixupPhase::fixupNode):
2954         * dfg/DFGGraph.h:
2955         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
2956         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2957         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
2958         * dfg/DFGNode.h:
2959         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
2960         (JSC::DFG::Node::hasValidRadixConstant):
2961         (JSC::DFG::Node::validRadixConstant):
2962         * dfg/DFGNodeType.h:
2963         * dfg/DFGPredictionPropagationPhase.cpp:
2964         * dfg/DFGSafeToExecute.h:
2965         (JSC::DFG::safeToExecute):
2966         * dfg/DFGSpeculativeJIT.cpp:
2967         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
2968         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
2969         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
2970         * dfg/DFGSpeculativeJIT.h:
2971         * dfg/DFGSpeculativeJIT32_64.cpp:
2972         (JSC::DFG::SpeculativeJIT::compile):
2973         * dfg/DFGSpeculativeJIT64.cpp:
2974         (JSC::DFG::SpeculativeJIT::compile):
2975         * dfg/DFGStrengthReductionPhase.cpp:
2976         (JSC::DFG::StrengthReductionPhase::handleNode):
2977         * ftl/FTLCapabilities.cpp:
2978         (JSC::FTL::canCompile):
2979         * ftl/FTLLowerDFGToB3.cpp:
2980         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2981         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
2982         * runtime/JSGlobalObject.cpp:
2983         (JSC::JSGlobalObject::JSGlobalObject):
2984         (JSC::JSGlobalObject::init):
2985         (JSC::JSGlobalObject::visitChildren):
2986         * runtime/JSGlobalObject.h:
2987         (JSC::JSGlobalObject::numberToStringWatchpoint):
2988         (JSC::JSGlobalObject::numberProtoToStringFunction const):
2989         * runtime/NumberPrototype.cpp:
2990         (JSC::NumberPrototype::finishCreation):
2991         (JSC::toStringWithRadixInternal):
2992         (JSC::toStringWithRadix):
2993         (JSC::int32ToStringInternal):
2994         (JSC::numberToStringInternal):
2995         * runtime/NumberPrototype.h:
2996
2997 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2998
2999         [DFG] Consider increasing the number of DFG worklist threads
3000         https://bugs.webkit.org/show_bug.cgi?id=176222
3001
3002         Reviewed by Saam Barati.
3003
3004         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
3005         a very long time if the target function is very large. However, the DFG worklist
3006         has only one thread before this patch. Therefore, one function that takes
3007         too much time to be compiled can prevent the other functions from being
3008         compiled in the DFG or upper tiers.
3009
3010         One example is Octane/zlib. In zlib, compiling the "a1" function in the DFG takes a
3011         super long time (447 ms) because of the super large size of the function.
3012         While this function never gets compiled in the FTL due to its large size,
3013         it can be compiled in the DFG and takes a super long time. The subsequent "a8" function
3014         compilation in the DFG is blocked by this "a1". As a consequence, the benchmark
3015         takes a very long time in a1/Baseline code, which is slower than the DFG of course.
3016
3017         While the FTL has a few more threads, the DFG worklist has only one thread. This patch
3018         adds one more thread to the DFG worklist to alleviate the above situation. This
3019         change significantly improves Octane/zlib performance.
3020
3021                                     baseline                  patched
3022
3023         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
3024
3025         * runtime/Options.h:
3026
3027 2017-09-04  Sam Weinig  <sam@webkit.org>
3028
3029         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
3030         https://bugs.webkit.org/show_bug.cgi?id=176312
3031
3032         Reviewed by Darin Adler.
3033
3034         * runtime/CommonIdentifiers.h:
3035
3036             Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
3037             to WebCoreBuiltinNames in WebCore.
3038
3039 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3040
3041         Remove "malloc" and "free" use
3042         https://bugs.webkit.org/show_bug.cgi?id=176310
3043
3044         Reviewed by Darin Adler.
3045
3046         Use Vector instead.
3047
3048         * API/JSWrapperMap.mm:
3049         (selectorToPropertyName):
3050
3051 2017-09-03  Darin Adler  <darin@apple.com>
3052
3053         Try to fix Windows build.
3054
3055         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
3056
3057 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3058
3059         [WTF] Add C++03 allocator interface for GCC < 6
3060         https://bugs.webkit.org/show_bug.cgi?id=176301
3061
3062         Reviewed by Darin Adler.
3063
3064         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3065
3066 2017-09-03  Chris Dumez  <cdumez@apple.com>
3067
3068         Unreviewed, rolling out r221555.
3069
3070         Did not fix Windows build
3071
3072         Reverted changeset:
3073
3074         "Unreviewed attempt to fix Windows build."
3075         http://trac.webkit.org/changeset/221555
3076
3077 2017-09-03  Chris Dumez  <cdumez@apple.com>
3078
3079         Unreviewed attempt to fix Windows build.
3080
3081         * runtime/JSGlobalObjectFunctions.cpp:
3082
3083 2017-09-03  Chris Dumez  <cdumez@apple.com>
3084
3085         Unreviewed, rolling out r221552.
3086
3087         Broke the build
3088
3089         Reverted changeset:
3090
3091         "[WTF] Add C++03 allocator interface for GCC < 6"
3092         https://bugs.webkit.org/show_bug.cgi?id=176301
3093         http://trac.webkit.org/changeset/221552
3094
3095 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3096
3097         [WTF] Add C++03 allocator interface for GCC < 6
3098         https://bugs.webkit.org/show_bug.cgi?id=176301
3099
3100         Reviewed by Darin Adler.
3101
3102         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3103
3104 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3105
3106         [JSC] Clean up BytecodeLivenessAnalysis
3107         https://bugs.webkit.org/show_bug.cgi?id=176295
3108
3109         Reviewed by Saam Barati.
3110
3111         Previously, computeDefsForBytecodeOffset was a bit customizable.
3112         This was used for the try-catch handler's liveness analysis. But after
3113         the careful generatorification implementation, it is now not necessary.
3114         This patch drops this customizability.
3115
3116         * bytecode/BytecodeGeneratorification.cpp:
3117         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3118         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3119         * bytecode/BytecodeLivenessAnalysis.cpp:
3120         (JSC::BytecodeLivenessAnalysis::computeKills):
3121         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3122         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3123         * bytecode/BytecodeLivenessAnalysis.h:
3124         * bytecode/BytecodeLivenessAnalysisInlines.h:
3125         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3126         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
3127         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3128         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
3129         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3130         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
3131         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
3132         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
3133         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
3134         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
3135
3136 2017-09-03  Sam Weinig  <sam@webkit.org>
3137
3138         Remove CanvasProxy
3139         https://bugs.webkit.org/show_bug.cgi?id=176288
3140
3141         Reviewed by Yusuke Suzuki.
3142
3143         CanvasProxy does not appear to be in any current HTML spec
3144         and was disabled and unimplemented in our tree. Time to 
3145         get rid of it.
3146
3147         * Configurations/FeatureDefines.xcconfig:
3148
3149 2017-09-02  Oliver Hunt  <oliver@apple.com>
3150
3151         Need an API to get the global context from JSObjectRef
3152         https://bugs.webkit.org/show_bug.cgi?id=176291
3153
3154         Reviewed by Saam Barati.
3155
3156         Very simple additional API, starting off as SPI on principle.
3157
3158         * API/JSObjectRef.cpp:
3159         (JSObjectGetGlobalContext):
3160         * API/JSObjectRefPrivate.h:
3161         * API/tests/testapi.c:
3162         (main):
3163
3164 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3165
3166         [DFG] Relax arity requirement
3167         https://bugs.webkit.org/show_bug.cgi?id=175523
3168
3169         Reviewed by Saam Barati.
3170
3171         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
3172         It effectively prevents us from inlining and optimizing functions which take some optional arguments in the
3173         pre-ES6 form.
3174
3175         This patch removes the above restriction by performing the arity fixup in DFG.
3176
3177         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
3178
3179                                        baseline                  patched
3180
3181         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
3182         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
3183         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
3184         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
3185
3186         * bytecode/InlineCallFrame.cpp:
3187         (JSC::InlineCallFrame::dumpInContext const):
3188         * bytecode/InlineCallFrame.h:
3189         (JSC::InlineCallFrame::InlineCallFrame):
3190         * dfg/DFGAbstractInterpreterInlines.h:
3191         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3192         * dfg/DFGArgumentsEliminationPhase.cpp:
3193         * dfg/DFGArgumentsUtilities.cpp:
3194         (JSC::DFG::argumentsInvolveStackSlot):
3195         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3196         * dfg/DFGByteCodeParser.cpp:
3197         (JSC::DFG::ByteCodeParser::setLocal):
3198         (JSC::DFG::ByteCodeParser::setArgument):
3199         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
3200         (JSC::DFG::ByteCodeParser::flush):
3201         (JSC::DFG::ByteCodeParser::getArgumentCount):
3202         (JSC::DFG::ByteCodeParser::inliningCost):
3203         (JSC::DFG::ByteCodeParser::inlineCall):
3204         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3205         (JSC::DFG::ByteCodeParser::parseBlock):
3206         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3207         * dfg/DFGCommonData.cpp:
3208         (JSC::DFG::CommonData::validateReferences):
3209         * dfg/DFGConstantFoldingPhase.cpp:
3210         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3211         * dfg/DFGGraph.cpp:
3212         (JSC::DFG::Graph::isLiveInBytecode):
3213         * dfg/DFGGraph.h:
3214         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3215         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3216         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3217         * dfg/DFGOSRExit.cpp:
3218         (JSC::DFG::OSRExit::emitRestoreArguments):
3219         * dfg/DFGOSRExitCompilerCommon.cpp:
3220         (JSC::DFG::reifyInlinedCallFrames):
3221         * dfg/DFGPreciseLocalClobberize.h:
3222         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3223         * dfg/DFGSpeculativeJIT.cpp:
3224         (JSC::DFG::SpeculativeJIT::emitGetLength):
3225         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3226         * dfg/DFGStackLayoutPhase.cpp:
3227         (JSC::DFG::StackLayoutPhase::run):
3228         * ftl/FTLCompile.cpp:
3229         (JSC::FTL::compile):
3230         * ftl/FTLLowerDFGToB3.cpp:
3231         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3232         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3233         * ftl/FTLOperations.cpp:
3234         (JSC::FTL::operationMaterializeObjectInOSR):
3235         * interpreter/StackVisitor.cpp:
3236         (JSC::StackVisitor::readInlinedFrame):
3237         * jit/AssemblyHelpers.h:
3238         (JSC::AssemblyHelpers::argumentsStart):
3239         * jit/SetupVarargsFrame.cpp:
3240         (JSC::emitSetupVarargsFrameFastCase):
3241         * runtime/ClonedArguments.cpp:
3242         (JSC::ClonedArguments::createWithInlineFrame):
3243         * runtime/CommonSlowPaths.h:
3244         (JSC::CommonSlowPaths::numberOfExtraSlots):
3245         (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
3246         (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
3247         (JSC::CommonSlowPaths::arityCheckFor):
3248         * runtime/StackAlignment.h:
3249         (JSC::stackAlignmentBytes):
3250         (JSC::stackAlignmentRegisters):
3251
3252 2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3253
3254         [FTL] FTL allocation for async Function is incorrect
3255         https://bugs.webkit.org/show_bug.cgi?id=176214
3256
3257         Reviewed by Saam Barati.
3258
3259         In the FTL, allocating an async function / async generator function was incorrectly using
3260         the JSFunction logic. While it is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction),
3261         it is a bug.
3262
3263         * ftl/FTLLowerDFGToB3.cpp:
3264         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3265
3266 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3267
3268         [JSC] Fix "name" and "length" of Proxy revoke function
3269         https://bugs.webkit.org/show_bug.cgi?id=176155
3270
3271         Reviewed by Mark Lam.
3272
3273         ProxyRevoke's length should be configurable. And it does not have
3274         its own name. We add NameVisibility enum to InternalFunction to
3275         control visibility of the name.
3276
3277         * runtime/InternalFunction.cpp:
3278         (JSC::InternalFunction::finishCreation):
3279         * runtime/InternalFunction.h:
3280         * runtime/ProxyRevoke.cpp:
3281         (JSC::ProxyRevoke::finishCreation):
3282
3283 2017-08-31  Saam Barati  <sbarati@apple.com>
3284
3285         Throwing an exception in the DFG/FTL should not cause a jettison
3286         https://bugs.webkit.org/show_bug.cgi?id=176060
3287         <rdar://problem/34143348>
3288
3289         Reviewed by Keith Miller.
3290
3291         Throwing an exception is not something that should be a jettison-able
3292         OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
3293         counts which could cause a CodeBlock to jettison and recompile. This
3294         was dumb. Throwing an exception is not a reason to jettison and
3295         recompile in the way that a speculation failure is. This patch
3296         treats Throw/ThrowStaticError as true terminals in DFG IR.
3297
3298         * bytecode/BytecodeUseDef.h:
3299         (JSC::computeUsesForBytecodeOffset):
3300         * dfg/DFGAbstractInterpreterInlines.h:
3301         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3302         * dfg/DFGByteCodeParser.cpp:
3303         (JSC::DFG::ByteCodeParser::parseBlock):
3304         * dfg/DFGClobberize.h:
3305         (JSC::DFG::clobberize):
3306         * dfg/DFGFixupPhase.cpp:
3307         (JSC::DFG::FixupPhase::fixupNode):
3308         * dfg/DFGInPlaceAbstractState.cpp:
3309         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3310         * dfg/DFGNode.h:
3311         (JSC::DFG::Node::isTerminal):
3312         (JSC::DFG::Node::isPseudoTerminal):
3313         (JSC::DFG::Node::errorType):
3314         * dfg/DFGNodeType.h:
3315         * dfg/DFGOperations.cpp:
3316         * dfg/DFGOperations.h:
3317         * dfg/DFGPredictionPropagationPhase.cpp:
3318         * dfg/DFGSpeculativeJIT.cpp:
3319         (JSC::DFG::SpeculativeJIT::compileThrow):
3320         (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
3321         * dfg/DFGSpeculativeJIT.h:
3322         (JSC::DFG::SpeculativeJIT::callOperation):
3323         * dfg/DFGSpeculativeJIT32_64.cpp:
3324         (JSC::DFG::SpeculativeJIT::compile):
3325         * dfg/DFGSpeculativeJIT64.cpp:
3326         (JSC::DFG::SpeculativeJIT::compile):
3327         * ftl/FTLLowerDFGToB3.cpp:
3328         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3329         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
3330         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
3331         * jit/JITOperations.h:
3332
3333 2017-08-31  Saam Barati  <sbarati@apple.com>
3334
3335         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
3336         https://bugs.webkit.org/show_bug.cgi?id=176206
3337
3338         Reviewed by Keith Miller.
3339
3340         Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
3341         when he fixed it from overwriting invalid parts of the ArithProfile when the
3342         currentNode and