Cache toString results for CoW arrays
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-31  Saam Barati  <sbarati@apple.com>

        Cache toString results for CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186160

        Reviewed by Keith Miller.

        This patch makes it so that we cache the result of toString on
        arrays with a CoW butterfly. This cache lives on Heap and is
        cleared after every GC. We only cache the toString result when
        the CoW butterfly doesn't have a hole (currently, all CoW arrays
        have a hole, but this isn't an invariant we want to rely on). The
        reason for this is that if there is a hole, the value may be loaded
        from the prototype, and the cache may produce a stale result.

        This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
        progression on ARES.

        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::canUseFastJoin):
        (JSC::holesMustForwardToPrototype):
        (JSC::isHole):
        (JSC::containsHole):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):

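The hole rule in the entry above (only cache when the CoW butterfly has no hole, because a hole is read through the prototype chain and a cached string would go stale) can be seen in plain JavaScript. The following is an added illustration written for this page, not JavaScriptCore code: `ToStringCache` is a constructed stand-in for the per-Heap cache, `containsHole` plays the role the `containsHole` check named above plays, `clearOnGC` models the cache being emptied after each GC, and a frozen array with a constructed prototype object stands in for a CoW array literal. The unguarded variant is included only to show the stale result the guard prevents.

```javascript
// Added illustration of the "no hole" caching rule; not JavaScriptCore code.
// The cache is keyed by array identity, as the real one is tied to the CoW butterfly.

function containsHole(arr) {
  // A hole is an index below length with no own property. Reads of it fall
  // through to the prototype chain, so the joined string can change later
  // without the array itself being written to.
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) return true;
  }
  return false;
}

class ToStringCache {
  constructor(guardHoles) {
    this.guardHoles = guardHoles;   // false reproduces the unsafe, unguarded variant
    this.entries = new Map();       // array -> cached join result
  }

  toString(arr) {
    const hit = this.entries.get(arr);
    if (hit !== undefined) return hit;
    // Array.prototype.join uses Get(O, k), which walks the prototype chain for holes.
    const result = Array.prototype.join.call(arr, ',');
    if (!this.guardHoles || !containsHole(arr)) this.entries.set(arr, result);
    return result;
  }

  clearOnGC() { this.entries.clear(); }   // the real cache is cleared after every GC
}

// The scenario the entry describes: a holey array is stringified, its prototype
// then gains a property at the hole's index, and it is stringified again.
function holeScenario(guardHoles) {
  const cache = new ToStringCache(guardHoles);
  const proto = Object.create(Array.prototype);   // constructed prototype; Array.prototype is left untouched
  const holey = [1, , 3];
  Object.setPrototypeOf(holey, proto);
  Object.freeze(holey);                            // stand-in for an immutable (CoW) literal
  const before = cache.toString(holey);
  proto[1] = 'x';                                  // index 1 now resolves through the prototype
  const after = cache.toString(holey);
  const truth = Array.prototype.join.call(holey, ',');
  return { before, after, truth, stale: after !== truth };
}

// Dense arrays are safe to cache; the entry survives until the modelled GC clears it.
function denseScenario() {
  const cache = new ToStringCache(true);
  const dense = Object.freeze([1, 2, 3]);
  const first = cache.toString(dense);
  const cachedSize = cache.entries.size;
  cache.clearOnGC();
  return { first, cachedSize, sizeAfterGC: cache.entries.size };
}

console.log(holeScenario(false));  // unguarded: after is '1,,3' although truth is '1,x,3'
console.log(holeScenario(true));   // guarded: after is '1,x,3'
console.log(denseScenario());      // { first: '1,2,3', cachedSize: 1, sizeAfterGC: 0 }
```

The unguarded cache returns the pre-mutation string because nothing in the array changed; only its prototype did. Refusing to cache when `containsHole` is true sidesteps having to watch the prototype chain for index properties, which is the trade-off the entry makes.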
2018-05-31  Saam Barati  <sbarati@apple.com>

        PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
        https://bugs.webkit.org/show_bug.cgi?id=186169

        Reviewed by Mark Lam.

        If we don't do this, the CFA validation rule about StructureID being
        clobbered but AI not clobbering or folding a clobber will cause us
        to crash. Simon was running into this yesterday on arstechnica.com.
        I couldn't come up with a test case for this, but it's obvious
        what the issue is by looking at the IR dump at the time of the crash.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-31  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly should align its variable storage
        https://bugs.webkit.org/show_bug.cgi?id=186159

        Reviewed by Mark Lam.

        I'm also making the use of reinterpret_cast and bitwise_cast consistent
        inside of JSImmutableButterfly. I switched everything to use bitwise_cast.

        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::toButterfly const):
        (JSC::JSImmutableButterfly::fromButterfly):
        (JSC::JSImmutableButterfly::offsetOfData):
        (JSC::JSImmutableButterfly::allocationSize):

2018-05-31  Keith Miller  <keith_miller@apple.com>

        DFGArrayModes needs to know more about CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186162

        Reviewed by Filip Pizlo.

        This patch fixes two issues in DFGArrayMode.

        1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
        2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
        to vend an accurate original structure.

        Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
        we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
        action it is expecting when being dumped.

        * bytecode/ArrayProfile.h:
        (JSC::hasSeenWritableArray):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine const):
        (JSC::DFG::ArrayMode::originalArrayStructure const):
        (JSC::DFG::arrayActionToString):
        (JSC::DFG::arrayClassToString):
        (JSC::DFG::ArrayMode::dump const):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        (JSC::DFG::ArrayMode::isJSArray const):
        (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& parameter as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=186085

        Reviewed by Saam Barati.

        JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
        For example, we have JSCell::structure() and JSCell::structure(VM&); the former retrieves VM& from the cell and invokes structure(VM&).
        If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
        This patch attempts to pass VM& parameter to such functions as much as possible.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
        (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * API/JSTypedArray.cpp:
        (JSObjectGetTypedArrayBuffer):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::mergeOSREntryValue):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::check):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::caller const):
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        (functionHasCustomProperties):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.cpp:
        (JSC::InferredType::removeStructure):
        * runtime/InferredType.h:
        * runtime/InferredTypeInlines.h:
        (JSC::InferredType::finalizeUnconditionally):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::defaultLocale):
        (JSC::lookupSupportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::unsharedJSBuffer):
        (JSC::JSArrayBufferView::possiblySharedJSBuffer):
        * runtime/JSAsyncFunction.cpp:
        (JSC::JSAsyncFunction::createImpl):
        (JSC::JSAsyncFunction::create):
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSAsyncGeneratorFunction.cpp:
        (JSC::JSAsyncGeneratorFunction::createImpl):
        (JSC::JSAsyncGeneratorFunction::create):
        (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::boundArgsCopy):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable const):
        (JSC::JSCell::toBoolean const):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::createImpl):
        (JSC::JSGeneratorFunction::create):
        (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::exposeDollarVM):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::createPair):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertFromCopyOnWrite):
        (JSC::JSObject::ensureWritableInt32Slow):
        (JSC::JSObject::ensureWritableDoubleSlow):
        (JSC::JSObject::ensureWritableContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::deleteProperty):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::hasIndexingHeader const):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::isExtensibleImpl):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::staticPropertiesReified):
        (JSC::JSObject::globalObject const):
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::getCallData):
        (JSC::getConstructData):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::initialize):
        (JSC::JSPromise::resolve):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::newPromiseCapability):
        (JSC::callFunction):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::JSScope::globalObject): Deleted.
        Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().

        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::createPair):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::clone):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::replaceStaticPropertySlot):
        (JSC::reifyStaticProperty):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorAssign):
        (JSC::toPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToLocaleString):
        * runtime/Operations.cpp:
        (JSC::jsIsFunctionType): Deleted.
        Replace it with JSValue::isFunction(VM&).

        * runtime/Operations.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::overrideThings):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncIterator):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::willStoreValueSlow):
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::reportCell):
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectForObject):
        (JSC::JSDollarVM::finishCreation):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):
        * wasm/js/WebAssemblyToJSCallee.cpp:
        (JSC::WebAssemblyToJSCallee::create):

2018-05-30  Saam Barati  <sbarati@apple.com>

        DFG combined liveness needs to say that the machine CodeBlock's arguments are live
        https://bugs.webkit.org/show_bug.cgi?id=186121
        <rdar://problem/39377796>

        Reviewed by Keith Miller.

        DFG's combined liveness was reporting that the machine CodeBlock's |this|
        argument was dead at certain points in the program. However, a CodeBlock's
        arguments are considered live for the entire function. This fixes a bug
        where object allocation sinking phase skipped materializing an allocation
        because it thought that the argument it was associated with, |this|, was dead.

        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):

2018-05-30  Daniel Bates  <dabates@apple.com>

        Web Inspector: Annotate Same-Site cookies
        https://bugs.webkit.org/show_bug.cgi?id=184897
        <rdar://problem/35178209>

        Reviewed by Brian Burg.

        Update protocol to include cookie Same-Site policy.

        * inspector/protocol/Page.json:

2018-05-29  Keith Miller  <keith_miller@apple.com>

        Error instances should not strongly hold onto StackFrames
        https://bugs.webkit.org/show_bug.cgi?id=185996

        Reviewed by Mark Lam.

        Previously, we would hold onto all the StackFrames until the user
        looked at one of the properties on the Error object. This patch makes us
        only weakly retain the StackFrames and collect all the information
        if we are about to collect any frame.

        This patch also adds a method to $vm that returns the heap's count
        of live global objects.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::stackTraceAsString):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finalizeUnconditionally):
        (JSC::ErrorInstance::computeErrorInfo):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren): Deleted.
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::subspaceFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::isMarked const):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectCount):
        (JSC::JSDollarVM::finishCreation):

2018-05-30  Keith Miller  <keith_miller@apple.com>

        LLInt get_by_id prototype caching doesn't properly handle changes
        https://bugs.webkit.org/show_bug.cgi?id=186112

        Reviewed by Filip Pizlo.

        The caching would sometimes fail to track that a prototype had changed
        and wouldn't update its set of watchpoints.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::size const):
        * bytecode/Watchpoint.h:
        (JSC::Watchpoint::Watchpoint): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):

2018-05-30  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "%" operation
        https://bugs.webkit.org/show_bug.cgi?id=184327

        Reviewed by Yusuke Suzuki.

        We are introducing the support of BigInt into the remainder (a.k.a. mod)
        operation.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::rightTrim):
        * runtime/JSBigInt.h:

2018-05-30  Saam Barati  <sbarati@apple.com>

        AI for Atomics.load() is too conservative in always clobbering world
        https://bugs.webkit.org/show_bug.cgi?id=185738
        <rdar://problem/40342214>

        Reviewed by Yusuke Suzuki.

        It fails the assertion that Fil added for catching disagreements between
        AI and clobberize. This patch fixes that. You'd run into this if you
        manually enabled SAB in a build and ran any SAB tests.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-30  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r232212): Broke Win32 Builds
        https://bugs.webkit.org/show_bug.cgi?id=186061

        Reviewed by Yusuke Suzuki.

        Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
        instead of LowLevelInterpreterWin.asm.

        * CMakeLists.txt:

2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix build on MIPS32r1
        https://bugs.webkit.org/show_bug.cgi?id=185944

        Reviewed by Yusuke Suzuki.

        Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
        on MIPS32r1.

        * offlineasm/mips.rb:

2018-05-29  Saam Barati  <sbarati@apple.com>

        Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
        https://bugs.webkit.org/show_bug.cgi?id=186064

        Reviewed by Mark Lam.

        shrinkFootprint was implemented as:
        ```
        sanitizeStackForVM(this);
        deleteAllCode(DeleteAllCodeIfNotCollecting);
        heap.collectNow(Synchronousness::Sync);
        WTF::releaseFastMallocFreeMemory();
        ```

        However, for correctness reasons, deleteAllCode is implemented to do
        work when the VM is idle: no JS is running on the stack. This means
        that if shrinkFootprint is called when JS is running on the stack, it
        ends up freeing less memory than it could have if it waited to run until
        the VM goes idle.

        This patch makes it so we wait until idle before doing work. I'm seeing a
        10% footprint progression when testing this against a client of the JSC SPI.

        Because this is a semantic change in how the SPI works, this patch
        adds new SPI named shrinkFootprintWhenIdle. The plan is to move
        all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
        Once that happens, we will delete shrinkFootprint. Until then,
        we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]):
724         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
725         * API/JSVirtualMachinePrivate.h:
726         * runtime/VM.cpp:
727         (JSC::VM::shrinkFootprintWhenIdle):
728         (JSC::VM::shrinkFootprint): Deleted.
729         * runtime/VM.h:
730
731 2018-05-29  Saam Barati  <sbarati@apple.com>
732
733         shrinkFootprint needs to request a full collection
734         https://bugs.webkit.org/show_bug.cgi?id=186069
735
736         Reviewed by Mark Lam.
737
738         * runtime/VM.cpp:
739         (JSC::VM::shrinkFootprint):
740
741 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
742
743         [ESNext][BigInt] Implement support for "<" and ">" relational operation
744         https://bugs.webkit.org/show_bug.cgi?id=185379
745
746         Reviewed by Yusuke Suzuki.
747
748         This patch changes the `jsLess` operation to follow the
749         semantics of Abstract Relational Comparison[1] that supports BigInt.
750         For that, we create 2 new helper functions, `bigIntCompareLess` and
751         `toPrimitiveNumeric`, that consider BigInt as a valid type to be
752         compared.
753
754         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
755
756         * runtime/JSBigInt.cpp:
757         (JSC::JSBigInt::unequalSign):
758         (JSC::JSBigInt::absoluteGreater):
759         (JSC::JSBigInt::absoluteLess):
760         (JSC::JSBigInt::compare):
761         (JSC::JSBigInt::absoluteCompare):
762         * runtime/JSBigInt.h:
763         * runtime/JSCJSValueInlines.h:
764         (JSC::JSValue::isPrimitive const):
765         * runtime/Operations.h:
766         (JSC::bigIntCompareLess):
767         (JSC::toPrimitiveNumeric):
768         (JSC::jsLess):
769
770 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
771
772         [Baseline] Merge loading functionalities
773         https://bugs.webkit.org/show_bug.cgi?id=185907
774
775         Reviewed by Saam Barati.
776
777         This patch unifies emitXXXLoad functions in 32bit and 64bit.
778
779         * jit/JITInlines.h:
780         (JSC::JIT::emitDoubleGetByVal):
781         * jit/JITPropertyAccess.cpp:
782         (JSC::JIT::emitDoubleLoad):
783         (JSC::JIT::emitContiguousLoad):
784         (JSC::JIT::emitArrayStorageLoad):
785         (JSC::JIT::emitIntTypedArrayGetByVal):
786         (JSC::JIT::emitFloatTypedArrayGetByVal):
787         Define register usage first, and share the same code in 32bit and 64bit.
788
789         * jit/JITPropertyAccess32_64.cpp:
790         (JSC::JIT::emitSlow_op_put_by_val):
791         Now C-stack is always enabled in JIT platform and temporary registers increases from 5 to 6 in x86.
792         We can remove this special handling.
793
794         (JSC::JIT::emitContiguousLoad): Deleted.
795         (JSC::JIT::emitDoubleLoad): Deleted.
796         (JSC::JIT::emitArrayStorageLoad): Deleted.
797
798 2018-05-29  Saam Barati  <sbarati@apple.com>
799
800         JSC should put bmalloc's scavenger into mini mode
801         https://bugs.webkit.org/show_bug.cgi?id=185988
802
803         Reviewed by Michael Saboff.
804
805         When we InitializeThreading, we'll now enable bmalloc's mini mode
806         if the VM is in mini mode. This is an 8-10% progression on the footprint
807         at end score in run-testmem, making it a 4-5% memory score progression.
808         It's between a 0-1% regression in its time score.
809
810         * runtime/InitializeThreading.cpp:
811         (JSC::initializeThreading):
812
813 2018-05-29  Caitlin Potter  <caitp@igalia.com>
814
815         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
816         https://bugs.webkit.org/show_bug.cgi?id=184267
817
818         Reviewed by Saam Barati.
819
820         Before this patch, the fast case for Array.prototype.concat was taken if
821         there was a single argument passed to the function, which is either a
822         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
823         This incorrectly prevented Proxy objects from being spread when
824         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
825
826         * builtins/ArrayPrototype.js:
827         (concat):
828
829 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
830
831         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
832         https://bugs.webkit.org/show_bug.cgi?id=186022
833
834         Reviewed by Darin Adler.
835
836         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
837         creation has an issue (`s` should be cast to a signed value before negating). These cause test failures
838         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
839         in asm.
840
841         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
842         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
843         This makes the target rshift well-defined in C++. While the value produced by the rshift covers the 0 <= `s` < 64 (32
844         in 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
845         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
846         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
847
848         This patch also fixes naming convention for constant values.
849
850         * runtime/JSBigInt.cpp:
851         (JSC::JSBigInt::digitMul):
852         (JSC::JSBigInt::digitDiv):
853         * runtime/JSBigInt.h:
854
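A constructed C++ illustration of the shift hazard this entry describes (added here, not JSC's own code, though it mirrors the masking approach the entry outlines): the buggy and fixed zero-mask computations side by side, and a branch-free normalisation step that never shifts a 64-bit value by 64. `Digit`, `digitBits`, `sZeroMask` and `normalizedHigh` are names chosen for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Constructed example (not JSC's code) modelled on the digitDiv fix described
// above: a 64-bit "digit" normalisation step that must shift `low` right by
// (digitBits - s) for 0 <= s < digitBits without ever performing a shift by
// 64, which is undefined behaviour in C++.
using Digit = uint64_t;
using SignedDigit = int64_t;
static constexpr unsigned digitBits = 64;

// Buggy mask: negating the *unsigned* shift count gives 2^64 - s, and a
// logical shift by 63 then yields 1 rather than all-ones. Kept only for
// comparison; it is the defect the ChangeLog entry describes.
inline Digit buggyZeroMask(unsigned s)
{
    return static_cast<Digit>((0 - static_cast<Digit>(s)) >> (digitBits - 1));
}

// Fixed mask: cast to a signed digit first, so -s is negative and the
// arithmetic right shift by 63 spreads the sign bit into every position.
// Result: 0 when s == 0, all 1-bits otherwise. (Right-shifting a negative
// signed value is implementation-defined before C++20 but arithmetic on
// mainstream compilers; C++20 makes it arithmetic by definition.)
inline Digit sZeroMask(unsigned s)
{
    return static_cast<Digit>((-static_cast<SignedDigit>(s)) >> (digitBits - 1));
}

// Computes (high << s) | (low >> (digitBits - s)) for 0 <= s < digitBits.
// When s == 0 the intended value is just `high`, but a naive `low >> 64` is
// UB. Masking the shift count with digitBits - 1 turns 64 into 0, and the
// zero mask then discards the (now meaningless) unshifted `low`.
inline Digit normalizedHigh(Digit high, Digit low, unsigned s)
{
    assert(s < digitBits);
    const unsigned shiftMask = digitBits - 1;
    return (high << s) | ((low >> ((digitBits - s) & shiftMask)) & sZeroMask(s));
}

// Reference implementation with an explicit branch, used to show that the
// branch-free version agrees with it for every shift count.
inline Digit normalizedHighReference(Digit high, Digit low, unsigned s)
{
    assert(s < digitBits);
    if (!s)
        return high;
    return (high << s) | (low >> (digitBits - s));
}

// Exhaustively compares the branch-free and reference versions over all
// 64 legal shift counts for a pair of constructed sample digits.
inline bool normalizedHighMatchesReference()
{
    const Digit high = 0x0123456789abcdefULL; // constructed sample digit
    const Digit low = 0xfedcba9876543210ULL;  // constructed sample digit
    for (unsigned s = 0; s < digitBits; ++s) {
        if (normalizedHigh(high, low, s) != normalizedHighReference(high, low, s))
            return false;
    }
    return true;
}

int main()
{
    printf("buggy mask for s=3: %llx\n", (unsigned long long)buggyZeroMask(3));
    printf("fixed mask for s=3: %llx\n", (unsigned long long)sZeroMask(3));
    printf("branch-free matches reference: %s\n", normalizedHighMatchesReference() ? "yes" : "no");
    return 0;
}
```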
855 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
856
857         [WTF] Add clz32 / clz64 for MSVC
858         https://bugs.webkit.org/show_bug.cgi?id=186023
859
860         Reviewed by Daniel Bates.
861
862         Move clz32 and clz64 to WTF.
863
864         * runtime/MathCommon.h:
865         (JSC::clz32): Deleted.
866         (JSC::clz64): Deleted.
867
868 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
869
870         [ESNext][BigInt] Implement "+" and "-" unary operation
871         https://bugs.webkit.org/show_bug.cgi?id=182214
872
873         Reviewed by Yusuke Suzuki.
874
875         This patch implements support for the "-" unary operation on BigInt.
876         It also changes the logic of ASTBuilder::makeNegateNode to
877         calculate BigInt literals with the proper sign, avoiding
878         unnecessary operations. This required refactoring
879         JSBigInt::parseInt to take the sign as a parameter.
880
881         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
882         operations. With the introduction of BigInt, it is no longer true
883         that every negate operation returns a Number. As ArithNegate is a
884         node that assumes its result is always a Number, like all other
885         Arith<Operation> nodes, we decided to keep this consistency and use ValueNegate when
886         speculation indicates that the operand is a BigInt.
887         This design follows the same distinction between ArithAdd and
888         ValueAdd. Also, this new node will simplify introducing
889         optimizations when we create speculation paths for BigInt in future
890         patches.
891
892         In the case of the "+" unary operation on BigInt, the current semantics we already have
893         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
894         In that case, we are adding tests to verify other edge cases.
895
896         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
897
898         * bytecompiler/BytecodeGenerator.cpp:
899         (JSC::BytecodeGenerator::addBigIntConstant):
900         * bytecompiler/BytecodeGenerator.h:
901         * bytecompiler/NodesCodegen.cpp:
902         (JSC::BigIntNode::jsValue const):
903         * dfg/DFGAbstractInterpreterInlines.h:
904         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
905         * dfg/DFGByteCodeParser.cpp:
906         (JSC::DFG::ByteCodeParser::makeSafe):
907         (JSC::DFG::ByteCodeParser::parseBlock):
908         * dfg/DFGClobberize.h:
909         (JSC::DFG::clobberize):
910         * dfg/DFGDoesGC.cpp:
911         (JSC::DFG::doesGC):
912         * dfg/DFGFixupPhase.cpp:
913         (JSC::DFG::FixupPhase::fixupNode):
914         * dfg/DFGNode.h:
915         (JSC::DFG::Node::arithNodeFlags):
916         * dfg/DFGNodeType.h:
917         * dfg/DFGPredictionPropagationPhase.cpp:
918         * dfg/DFGSafeToExecute.h:
919         (JSC::DFG::safeToExecute):
920         * dfg/DFGSpeculativeJIT.cpp:
921         (JSC::DFG::SpeculativeJIT::compileValueNegate):
922         (JSC::DFG::SpeculativeJIT::compileArithNegate):
923         * dfg/DFGSpeculativeJIT.h:
924         * dfg/DFGSpeculativeJIT32_64.cpp:
925         (JSC::DFG::SpeculativeJIT::compile):
926         * dfg/DFGSpeculativeJIT64.cpp:
927         (JSC::DFG::SpeculativeJIT::compile):
928         * ftl/FTLCapabilities.cpp:
929         (JSC::FTL::canCompile):
930         * ftl/FTLLowerDFGToB3.cpp:
931         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
932         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
933         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
934         * jit/JITOperations.cpp:
935         * parser/ASTBuilder.h:
936         (JSC::ASTBuilder::createBigIntWithSign):
937         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
938         (JSC::ASTBuilder::makeNegateNode):
939         * parser/NodeConstructors.h:
940         (JSC::BigIntNode::BigIntNode):
941         * parser/Nodes.h:
942         * runtime/CommonSlowPaths.cpp:
943         (JSC::updateArithProfileForUnaryArithOp):
944         (JSC::SLOW_PATH_DECL):
945         * runtime/JSBigInt.cpp:
946         (JSC::JSBigInt::parseInt):
947         * runtime/JSBigInt.h:
948         * runtime/JSCJSValueInlines.h:
949         (JSC::JSValue::strictEqualSlowCaseInline):
950
951 2018-05-27  Dan Bernstein  <mitz@apple.com>
952
953         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
954
955         * jit/JITOperations.cpp:
956
957 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
958
959         [JSC] Rename Array#flatten to flat
960         https://bugs.webkit.org/show_bug.cgi?id=186012
961
962         Reviewed by Saam Barati.
963
964         Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten
965         conflicts with the mootools' function name.
966
967         * builtins/ArrayPrototype.js:
968         (globalPrivate.flatIntoArray):
969         (flat):
970         (globalPrivate.flatIntoArrayWithCallback):
971         (flatMap):
972         (globalPrivate.flattenIntoArray): Deleted.
973         (flatten): Deleted.
974         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
975         * runtime/ArrayPrototype.cpp:
976         (JSC::ArrayPrototype::finishCreation):
977
978 2018-05-25  Mark Lam  <mark.lam@apple.com>
979
980         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
981         https://bugs.webkit.org/show_bug.cgi?id=185995
982         <rdar://problem/40173142>
983
984         Reviewed by Saam Barati.
985
986         This is because there's no guarantee that any of the loop bodies will be
987         executed.  Hence, there's no guarantee that the TDZ variables will have been
988         initialized after each loop body.
989
990         * bytecompiler/BytecodeGenerator.cpp:
991         (JSC::BytecodeGenerator::preserveTDZStack):
992         (JSC::BytecodeGenerator::restoreTDZStack):
993         * bytecompiler/BytecodeGenerator.h:
994         * bytecompiler/NodesCodegen.cpp:
995         (JSC::ForInNode::emitBytecode):
996
997 2018-05-25  Mark Lam  <mark.lam@apple.com>
998
999         MachineContext's instructionPointer() should handle null PCs correctly.
1000         https://bugs.webkit.org/show_bug.cgi?id=186004
1001         <rdar://problem/40570067>
1002
1003         Reviewed by Saam Barati.
1004
1005         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
1006         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
1007         assert accordingly with a debug ASSERT.  This is inconsequential for release
1008         builds, but to avoid this assertion failure, we should check for a null PC and
1009         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
1010         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
1011
1012         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
1013         for null pointers, but I rather not do that yet.  In general,
1014         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
1015         leave it that way for now.
1016
1017         Note: this assertion failure only manifests when we have signal traps enabled,
1018         and encounter a null pointer deref.
1019
1020         * runtime/MachineContext.h:
1021         (JSC::MachineContext::instructionPointer):
1022
1023 2018-05-25  Mark Lam  <mark.lam@apple.com>
1024
1025         Enforce invariant that GetterSetter objects are invariant.
1026         https://bugs.webkit.org/show_bug.cgi?id=185968
1027         <rdar://problem/40541416>
1028
1029         Reviewed by Saam Barati.
1030
1031         The code already assumes the invariant that GetterSetter objects are immutable.
1032         For example, the use of @tryGetById in builtins expects this invariant to be true.
1033         The existing code mostly enforces this except for one case: JSObject's
1034         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
1035         object.
1036
1037         This patch enforces this invariant by removing the setGetter and setSetter methods
1038         of GetterSetter, and requiring the getter/setter callback functions to be
1039         specified at construction time.
1040
1041         * jit/JITOperations.cpp:
1042         * llint/LLIntSlowPaths.cpp:
1043         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1044         * runtime/GetterSetter.cpp:
1045         (JSC::GetterSetter::withGetter): Deleted.
1046         (JSC::GetterSetter::withSetter): Deleted.
1047         * runtime/GetterSetter.h:
1048         * runtime/JSGlobalObject.cpp:
1049         (JSC::JSGlobalObject::init):
1050         * runtime/JSObject.cpp:
1051         (JSC::JSObject::putIndexedDescriptor):
1052         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1053         (JSC::putDescriptor):
1054         (JSC::validateAndApplyPropertyDescriptor):
1055         * runtime/JSTypedArrayViewPrototype.cpp:
1056         (JSC::JSTypedArrayViewPrototype::finishCreation):
1057         * runtime/Lookup.cpp:
1058         (JSC::reifyStaticAccessor):
1059         * runtime/PropertyDescriptor.cpp:
1060         (JSC::PropertyDescriptor::slowGetterSetter):
1061
1062 2018-05-25  Saam Barati  <sbarati@apple.com>
1063
1064         Make JSC have a mini mode that kicks in when the JIT is disabled
1065         https://bugs.webkit.org/show_bug.cgi?id=185931
1066
1067         Reviewed by Mark Lam.
1068
1069         This patch makes JSC have a mini VM mode. This currently only kicks in
1070         when the process can't JIT. Mini VM now means a few things:
1071         - We always use a 1.27x heap growth factor. This number was the best tradeoff
1072           between memory use progression and time regression in run-testmem. We may
1073           want to tune this more in the future as we make other mini VM changes.
1074         - We always sweep synchronously.
1075         - We disable generational GC.
1076         
1077         I'm going to continue to extend what mini VM mode means in future changes.
1078         
1079         This patch is a 50% memory progression and an ~8-9% time regression
1080         on run-testmem when running in mini VM mode with the JIT disabled.
1081
1082         * heap/Heap.cpp:
1083         (JSC::Heap::collectNow):
1084         (JSC::Heap::finalize):
1085         (JSC::Heap::useGenerationalGC):
1086         (JSC::Heap::shouldSweepSynchronously):
1087         (JSC::Heap::shouldDoFullCollection):
1088         * heap/Heap.h:
1089         * runtime/Options.h:
1090         * runtime/VM.cpp:
1091         (JSC::VM::isInMiniMode):
1092         * runtime/VM.h:
1093
1094 2018-05-25  Saam Barati  <sbarati@apple.com>
1095
1096         Have a memory test where we can validate JSC's mini memory mode
1097         https://bugs.webkit.org/show_bug.cgi?id=185932
1098
1099         Reviewed by Mark Lam.
1100
1101         This patch adds the testmem CLI. It takes as input a file to run
1102         and the number of iterations to run it (by default it runs it
1103         20 times). Each iteration runs in a new JSContext. Each JSContext
1104         belongs to a VM that is created once. When finished, the CLI dumps
1105         out the peak memory usage of the process, the memory usage at the end
1106         of running all the iterations of the process, and the total time it
1107         took to run all the iterations.
1108
1109         * JavaScriptCore.xcodeproj/project.pbxproj:
1110         * testmem: Added.
1111         * testmem/testmem.mm: Added.
1112         (description):
1113         (Footprint::now):
1114         (main):
1115
1116 2018-05-25  David Kilzer  <ddkilzer@apple.com>
1117
1118         Fix issues with -dealloc methods found by clang static analyzer
1119         <https://webkit.org/b/185887>
1120
1121         Reviewed by Joseph Pecoraro.
1122
1123         * API/JSValue.mm:
1124         (-[JSValue dealloc]):
1125         (-[JSValue description]):
1126         - Move method implementations from (Internal) category to the
1127           main category since these are public API.  This fixes the
1128           false positive warning about a missing -dealloc method.
1129
1130 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1131
1132         [Baseline] Remove a hack for DCE removal of NewFunction
1133         https://bugs.webkit.org/show_bug.cgi?id=185945
1134
1135         Reviewed by Saam Barati.
1136
1137         This `undefined` check in baseline was originally introduced in r177871. The problem was,
1138         when NewFunction is removed in DFG DCE, the scope DFG node it references is also removed.
1139         While op_new_func_xxx wants to have the scope for function creation, DFG OSR exit cannot
1140         retrieve it into the stack since the scope is not referenced from anywhere.
1141
1142         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
1143         implementation. But rather than that, just emitting `Phantom` for this scope is clean
1144         and consistent with the other DFG nodes like GetClosureVar.
1145
1146         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
1147         While we emit Phantom, it is not testable since NewFunction is guarded by a MovHint which
1148         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
1149         if it is not referenced, and the scope node is kept by PutHint. But emitting Phantom is nice
1150         since it conservatively guards the scope, and it does not introduce any additional overhead
1151         compared to the current status.
1152
1153         * dfg/DFGByteCodeParser.cpp:
1154         (JSC::DFG::ByteCodeParser::parseBlock):
1155         * jit/JITOpcodes.cpp:
1156         (JSC::JIT::emitNewFuncExprCommon):
1157
1158 2018-05-23  Keith Miller  <keith_miller@apple.com>
1159
1160         Expose $vm if window.internals is exposed
1161         https://bugs.webkit.org/show_bug.cgi?id=185900
1162
1163         Reviewed by Mark Lam.
1164
1165         This is useful for testing vm internals when running LayoutTests.
1166
1167         * runtime/JSGlobalObject.cpp:
1168         (JSC::JSGlobalObject::init):
1169         (JSC::JSGlobalObject::visitChildren):
1170         (JSC::JSGlobalObject::exposeDollarVM):
1171         * runtime/JSGlobalObject.h:
1172
1173 2018-05-23  Keith Miller  <keith_miller@apple.com>
1174
1175         Define length on CoW array should properly convert to writable
1176         https://bugs.webkit.org/show_bug.cgi?id=185927
1177
1178         Reviewed by Yusuke Suzuki.
1179
1180         * runtime/JSArray.cpp:
1181         (JSC::JSArray::setLength):
1182
1183 2018-05-23  Keith Miller  <keith_miller@apple.com>
1184
1185         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
1186         https://bugs.webkit.org/show_bug.cgi?id=185923
1187
1188         Reviewed by Saam Barati.
1189
1190         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
1191         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
1192
1193         Block 1:
1194         @1: GetLocal(loc42, FlushedInt32);
1195         @2: PutStructure(Check: Cell: @1);
1196         @3: Jump(Block 1);
1197
1198         Would cause us to claim that loc42 could be either an int32 or some cell. However,
1199         the type of a local cannot change without writing to it.
1200
1201         This fixes a crash in destructuring-rest-element.js
1202
1203         * dfg/DFGInPlaceAbstractState.cpp:
1204         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1205
1206 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
1207
1208         Speed up JetStream/base64
1209         https://bugs.webkit.org/show_bug.cgi?id=185914
1210
1211         Reviewed by Michael Saboff.
1212         
1213         Make allocation fast paths ALWAYS_INLINE.
1214         
1215         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
1216         ~6%.
1217
1218         * CMakeLists.txt:
1219         * JavaScriptCore.xcodeproj/project.pbxproj:
1220         * heap/AllocatorInlines.h:
1221         (JSC::Allocator::allocate const):
1222         * heap/CompleteSubspace.cpp:
1223         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
1224         * heap/CompleteSubspace.h:
1225         * heap/CompleteSubspaceInlines.h: Added.
1226         (JSC::CompleteSubspace::allocateNonVirtual):
1227         * heap/FreeListInlines.h:
1228         (JSC::FreeList::allocate):
1229         * heap/IsoSubspace.cpp:
1230         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
1231         * heap/IsoSubspace.h:
1232         (JSC::IsoSubspace::allocatorForNonVirtual):
1233         * heap/IsoSubspaceInlines.h: Added.
1234         (JSC::IsoSubspace::allocateNonVirtual):
1235         * runtime/JSCellInlines.h:
1236         * runtime/VM.h:
1237
1238 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
1239
1240         Conversion misspelled "Convertion" in error message string
1241         https://bugs.webkit.org/show_bug.cgi?id=185436
1242
1243         Reviewed by Saam Barati and Michael Saboff.
1244
1245         * runtime/JSBigInt.cpp:
1246         (JSC::JSBigInt::toNumber const):
1247
1248 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [JSC] Clean up stringGetByValStubGenerator
1251         https://bugs.webkit.org/show_bug.cgi?id=185864
1252
1253         Reviewed by Saam Barati.
1254
1255         We clean up stringGetByValStubGenerator.
1256
1257         1. Unify 32bit and 64bit implementations.
1258         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
1259         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
1260         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
1261         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
1262
1263         * jit/JIT.h:
1264         * jit/JITPropertyAccess.cpp:
1265         (JSC::JIT::emitSlow_op_get_by_val):
1266         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1267         * jit/JITPropertyAccess32_64.cpp:
1268         (JSC::JIT::emit_op_get_by_val):
1269         (JSC::JIT::emitSlow_op_get_by_val):
1270         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1271         * jit/ThunkGenerators.cpp:
1272         (JSC::stringGetByValGenerator):
1273         * jit/ThunkGenerators.h:
1274
1275 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1276
1277         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
1278         https://bugs.webkit.org/show_bug.cgi?id=185810
1279
1280         Reviewed by Saam Barati.
1281
1282         Let's use branchIfString/branchIfNotString helper functions instead of
1283         checking structure with jsString's structure. It's easy to read. And
1284         it emits less code since we do not need to embed string structure's
1285         raw pointer in 32bit environment.
1286
1287         * jit/JIT.h:
1288         * jit/JITInlines.h:
1289         (JSC::JIT::emitLoadCharacterString):
1290         (JSC::JIT::checkStructure): Deleted.
1291         * jit/JITOpcodes32_64.cpp:
1292         (JSC::JIT::emitSlow_op_eq):
1293         (JSC::JIT::compileOpEqJumpSlow):
1294         (JSC::JIT::emitSlow_op_neq):
1295         * jit/JITPropertyAccess.cpp:
1296         (JSC::JIT::stringGetByValStubGenerator):
1297         (JSC::JIT::emitSlow_op_get_by_val):
1298         (JSC::JIT::emitByValIdentifierCheck):
1299         * jit/JITPropertyAccess32_64.cpp:
1300         (JSC::JIT::stringGetByValStubGenerator):
1301         (JSC::JIT::emitSlow_op_get_by_val):
1302         * jit/JSInterfaceJIT.h:
1303         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
1304         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
1305         * jit/SpecializedThunkJIT.h:
1306         (JSC::SpecializedThunkJIT::loadJSStringArgument):
1307         * jit/ThunkGenerators.cpp:
1308         (JSC::stringCharLoad):
1309         (JSC::charCodeAtThunkGenerator):
1310         (JSC::charAtThunkGenerator):
1311         * runtime/JSString.h:
1312
1313 2018-05-22  Mark Lam  <mark.lam@apple.com>
1314
1315         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
1316         https://bugs.webkit.org/show_bug.cgi?id=185896
1317         <rdar://problem/40471403>
1318
1319         Reviewed by Saam Barati.
1320
1321         * bytecode/BytecodeGeneratorification.cpp:
1322         (JSC::BytecodeGeneratorification::run):
1323
1324 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1325
1326         [JSC] Fix CachedCall's argument count if RegExp has named captures
1327         https://bugs.webkit.org/show_bug.cgi?id=185587
1328
1329         Reviewed by Mark Lam.
1330
1331         If the given RegExp has named captures, the argument count of CachedCall in String#replace
1332         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
1333         the argument count.
1334
1335         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
1336         the same.
1337
1338         * runtime/StringPrototype.cpp:
1339         (JSC::replaceUsingRegExpSearch):
1340
1341 2018-05-22  Mark Lam  <mark.lam@apple.com>
1342
1343         StringImpl utf8 conversion should not fail silently.
1344         https://bugs.webkit.org/show_bug.cgi?id=185888
1345         <rdar://problem/40464506>
1346
1347         Reviewed by Filip Pizlo.
1348
1349         * dfg/DFGLazyJSValue.cpp:
1350         (JSC::DFG::LazyJSValue::dumpInContext const):
1351         * runtime/DateConstructor.cpp:
1352         (JSC::constructDate):
1353         (JSC::dateParse):
1354         * runtime/JSDateMath.cpp:
1355         (JSC::parseDate):
1356         * runtime/JSDateMath.h:
1357
1358 2018-05-22  Keith Miller  <keith_miller@apple.com>
1359
1360         Remove the UnconditionalFinalizer class
1361         https://bugs.webkit.org/show_bug.cgi?id=185881
1362
1363         Reviewed by Filip Pizlo.
1364
1365         The only remaining user of this API is
1366         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
1367         to use the newer template-based API and removes the old class.
1368
1369         * JavaScriptCore.xcodeproj/project.pbxproj:
1370         * bytecode/CodeBlock.h:
1371         * heap/Heap.cpp:
1372         (JSC::Heap::finalizeUnconditionalFinalizers):
1373         * heap/Heap.h:
1374         * heap/SlotVisitor.cpp:
1375         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
1376         * heap/SlotVisitor.h:
1377         * heap/UnconditionalFinalizer.h: Removed.
1378         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1379         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1380         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1381         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
1382         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1383         * wasm/js/JSWebAssemblyCodeBlock.h:
1384         * wasm/js/JSWebAssemblyModule.h:
1385
1386         * CMakeLists.txt:
1387         * JavaScriptCore.xcodeproj/project.pbxproj:
1388         * bytecode/CodeBlock.h:
1389         * heap/Heap.cpp:
1390         (JSC::Heap::finalizeUnconditionalFinalizers):
1391         * heap/Heap.h:
1392         * heap/SlotVisitor.cpp:
1393         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
1394         * heap/SlotVisitor.h:
1395         * heap/UnconditionalFinalizer.h: Removed.
1396         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1397         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1398         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1399         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
1400         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1401         * wasm/js/JSWebAssemblyCodeBlock.h:
1402         * wasm/js/JSWebAssemblyModule.h:
1403
1404 2018-05-22  Keith Miller  <keith_miller@apple.com>
1405
1406         Unreviewed, fix internal build.
1407
1408         * runtime/JSImmutableButterfly.cpp:
1409
1410 2018-05-22  Saam Barati  <sbarati@apple.com>
1411
1412         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
1413         https://bugs.webkit.org/show_bug.cgi?id=144525
1414
1415         Reviewed by Filip Pizlo.
1416
1417         This patch teaches LICM to fall back to hoisting a node's type checks when
1418         hoisting the entire node fails.
1419         
1420         This patch follows the same principles we use when deciding to hoist nodes in general:
1421         - If the pre-header is control equivalent to where the current check is, we
1422         go ahead and hoist the check.
1423         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
1424         hoist the check. If hoisting failed in the past, we will not hoist the check.
1425
1426         * dfg/DFGLICMPhase.cpp:
1427         (JSC::DFG::LICMPhase::attemptHoist):
1428         * dfg/DFGUseKind.h:
1429         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1430
1431 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
1432
1433         Get rid of TLCs
1434         https://bugs.webkit.org/show_bug.cgi?id=185846
1435
1436         Rubber stamped by Geoffrey Garen.
1437         
1438         This removes support for thread-local caches from the GC in order to speed up allocation a
1439         bit.
1440         
1441         We added TLCs as part of Spectre mitigations, which we have since removed.
1442         
1443         We will want some kind of TLCs eventually, since they allow us to:
1444         
1445         - have a global GC, which may be a perf optimization at some point.
1446         - allocate objects from JIT threads, which we've been wanting to do for a while.
1447         
1448         This change keeps the most interesting aspect of TLCs, which is the
1449         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
1450         TLCs again in the future if we wanted this feature.
1451         
1452         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
1453         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
1454         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
1455         you can directly use it to allocate. This removes two loads and a check from the allocation
1456         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
1457         allowed us to have a statically known set of LocalAllocators. This would have removed the
1458         bounds check (one load and one branch) and it would have made it possible to CSE the load of
1459         the TLC data structure, since that would no longer resize. But that's a harder change than
1460         this patch, and we don't need it right now.
1461         
1462         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
1463         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
1464         that check already. Previously, the TLC bounds check doubled as this check.
1465         
1466         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
1467         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
1468         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
1469         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
1470
1471         * JavaScriptCore.xcodeproj/project.pbxproj:
1472         * Sources.txt:
1473         * bytecode/ObjectAllocationProfileInlines.h:
1474         (JSC::ObjectAllocationProfile::initializeProfile):
1475         * dfg/DFGSpeculativeJIT.cpp:
1476         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1477         * ftl/FTLLowerDFGToB3.cpp:
1478         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1479         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1480         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1481         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1482         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1483         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1484         * heap/Allocator.cpp:
1485         (JSC::Allocator::cellSize const):
1486         * heap/Allocator.h:
1487         (JSC::Allocator::Allocator):
1488         (JSC::Allocator::localAllocator const):
1489         (JSC::Allocator::operator== const):
1490         (JSC::Allocator::offset const): Deleted.
1491         * heap/AllocatorInlines.h:
1492         (JSC::Allocator::allocate const):
1493         (JSC::Allocator::tryAllocate const): Deleted.
1494         * heap/BlockDirectory.cpp:
1495         (JSC::BlockDirectory::BlockDirectory):
1496         (JSC::BlockDirectory::~BlockDirectory):
1497         * heap/BlockDirectory.h:
1498         (JSC::BlockDirectory::allocator const): Deleted.
1499         * heap/CompleteSubspace.cpp:
1500         (JSC::CompleteSubspace::allocateNonVirtual):
1501         (JSC::CompleteSubspace::allocatorForSlow):
1502         (JSC::CompleteSubspace::tryAllocateSlow):
1503         * heap/CompleteSubspace.h:
1504         * heap/Heap.cpp:
1505         (JSC::Heap::Heap):
1506         * heap/Heap.h:
1507         (JSC::Heap::threadLocalCacheLayout): Deleted.
1508         * heap/IsoSubspace.cpp:
1509         (JSC::IsoSubspace::IsoSubspace):
1510         (JSC::IsoSubspace::allocateNonVirtual):
1511         * heap/IsoSubspace.h:
1512         (JSC::IsoSubspace::allocatorForNonVirtual):
1513         * heap/LocalAllocator.cpp:
1514         (JSC::LocalAllocator::LocalAllocator):
1515         (JSC::LocalAllocator::~LocalAllocator):
1516         * heap/LocalAllocator.h:
1517         (JSC::LocalAllocator::cellSize const):
1518         (JSC::LocalAllocator::tlc const): Deleted.
1519         * heap/ThreadLocalCache.cpp: Removed.
1520         * heap/ThreadLocalCache.h: Removed.
1521         * heap/ThreadLocalCacheInlines.h: Removed.
1522         * heap/ThreadLocalCacheLayout.cpp: Removed.
1523         * heap/ThreadLocalCacheLayout.h: Removed.
1524         * jit/AssemblyHelpers.cpp:
1525         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1526         (JSC::AssemblyHelpers::emitAllocate):
1527         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1528         * jit/JITOpcodes.cpp:
1529         (JSC::JIT::emit_op_create_this):
1530         * runtime/JSLock.cpp:
1531         (JSC::JSLock::didAcquireLock):
1532         * runtime/VM.cpp:
1533         (JSC::VM::VM):
1534         (JSC::VM::~VM):
1535         * runtime/VM.h:
1536         * runtime/VMEntryScope.cpp:
1537         (JSC::VMEntryScope::~VMEntryScope):
1538         * runtime/VMEntryScope.h:
1539
1540 2018-05-22  Keith Miller  <keith_miller@apple.com>
1541
1542         We should have a CoW storage for NewArrayBuffer arrays.
1543         https://bugs.webkit.org/show_bug.cgi?id=185003
1544
1545         Reviewed by Filip Pizlo.
1546
1547         This patch adds copy on write storage for new array buffers. In
1548         order to do this there needed to be significant changes to the
1549         layout of IndexingType. The new indexing type has the following
1550         shape:
1551
1552         struct IndexingTypeAndMisc {
1553             struct IndexingModeIncludingHistory {
1554                 struct IndexingMode {
1555                     struct IndexingType {
1556                         uint8_t isArray:1;          // bit 0
1557                         uint8_t shape:3;            // bit 1 - 3
1558                     };
1559                     uint8_t copyOnWrite:1;          // bit 4
1560                 };
1561                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
1562             };
1563             uint8_t cellLockBits:2;                 // bit 6 - 7
1564         };
1565
1566         For simplicity ArrayStorage shapes cannot be CoW. So the only
1567         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
1568         ArrayWithContiguous.
1569
1570         The backing store for a CoW array is a new class
1571         JSImmutableButterfly, which looks exactly the same as a normal
1572         butterfly except that it has a JSCell header. Like other
1573         butterflies, JSImmutableButterflies are allocated out of the
1574         Auxiliary Gigacage and are pointed to by JSCells in the same
1575         way. However, when marking JSImmutableButterflies they are marked
1576         as if they were a property.
1577
1578         With CoW arrays, the new_array_buffer bytecode will reallocate the
1579         shared JSImmutableButterfly if it sees from the allocation profile
1580         that the last array it allocated has transitioned to a different
1581         indexing type. From then on, all arrays created by that
1582         new_array_buffer bytecode will have the promoted indexing
1583         type. This is more or less the same as what we used to do. The
1584         only difference is that we don't promote all the way to array
1585         storage even if we have seen it before.
1586
1587         Transitioning from a CoW indexing mode occurs whenever someone
1588         tries to store to an element, grow the array, or add properties.
1589         Storing or growing the array will call into code that does the
1590         stupid thing of copying the butterfly then continue into the old
1591         code. This doesn't end up costing us as future allocations will
1592         use any upgraded indexing shape.  We get adding properties for
1593         free by just changing the indexing mode on transition (our C++
1594         code always updates the indexing mode).
1595
1596         * JavaScriptCore.xcodeproj/project.pbxproj:
1597         * Sources.txt:
1598         * bytecode/ArrayAllocationProfile.cpp:
1599         (JSC::ArrayAllocationProfile::updateProfile):
1600         * bytecode/ArrayAllocationProfile.h:
1601         (JSC::ArrayAllocationProfile::initializeIndexingMode):
1602         * bytecode/ArrayProfile.cpp:
1603         (JSC::dumpArrayModes):
1604         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1605         * bytecode/ArrayProfile.h:
1606         (JSC::asArrayModes):
1607         (JSC::arrayModeFromStructure):
1608         (JSC::arrayModesInclude):
1609         (JSC::hasSeenCopyOnWriteArray):
1610         * bytecode/BytecodeList.json:
1611         * bytecode/CodeBlock.cpp:
1612         (JSC::CodeBlock::finishCreation):
1613         * bytecode/InlineAccess.cpp:
1614         (JSC::InlineAccess::generateArrayLength):
1615         * bytecode/UnlinkedCodeBlock.h:
1616         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
1617         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1618         * bytecompiler/BytecodeGenerator.cpp:
1619         (JSC::BytecodeGenerator::newArrayAllocationProfile):
1620         (JSC::BytecodeGenerator::emitNewArrayBuffer):
1621         (JSC::BytecodeGenerator::emitNewArray):
1622         (JSC::BytecodeGenerator::emitNewArrayWithSize):
1623         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1624         * bytecompiler/BytecodeGenerator.h:
1625         * bytecompiler/NodesCodegen.cpp:
1626         (JSC::ArrayNode::emitBytecode):
1627         (JSC::ArrayPatternNode::bindValue const):
1628         (JSC::ArrayPatternNode::emitDirectBinding):
1629         * dfg/DFGAbstractInterpreterInlines.h:
1630         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1631         * dfg/DFGArgumentsEliminationPhase.cpp:
1632         * dfg/DFGArgumentsUtilities.cpp:
1633         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1634         * dfg/DFGArrayMode.cpp:
1635         (JSC::DFG::ArrayMode::fromObserved):
1636         (JSC::DFG::ArrayMode::refine const):
1637         (JSC::DFG::ArrayMode::alreadyChecked const):
1638         * dfg/DFGArrayMode.h:
1639         (JSC::DFG::ArrayMode::ArrayMode):
1640         (JSC::DFG::ArrayMode::action const):
1641         (JSC::DFG::ArrayMode::withSpeculation const):
1642         (JSC::DFG::ArrayMode::withArrayClass const):
1643         (JSC::DFG::ArrayMode::withType const):
1644         (JSC::DFG::ArrayMode::withConversion const):
1645         (JSC::DFG::ArrayMode::withTypeAndConversion const):
1646         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1647         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1648         * dfg/DFGByteCodeParser.cpp:
1649         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1650         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1651         (JSC::DFG::ByteCodeParser::parseBlock):
1652         * dfg/DFGClobberize.h:
1653         (JSC::DFG::clobberize):
1654         * dfg/DFGConstantFoldingPhase.cpp:
1655         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1656         * dfg/DFGFixupPhase.cpp:
1657         (JSC::DFG::FixupPhase::fixupNode):
1658         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1659         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1660         * dfg/DFGGraph.cpp:
1661         (JSC::DFG::Graph::dump):
1662         * dfg/DFGNode.h:
1663         (JSC::DFG::Node::indexingType):
1664         (JSC::DFG::Node::indexingMode):
1665         * dfg/DFGOSRExit.cpp:
1666         (JSC::DFG::OSRExit::compileExit):
1667         * dfg/DFGOperations.cpp:
1668         * dfg/DFGOperations.h:
1669         * dfg/DFGSpeculativeJIT.cpp:
1670         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1671         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1672         (JSC::DFG::SpeculativeJIT::arrayify):
1673         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1674         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1675         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1676         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1677         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1678         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1679         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1680         * dfg/DFGSpeculativeJIT32_64.cpp:
1681         (JSC::DFG::SpeculativeJIT::compile):
1682         * dfg/DFGSpeculativeJIT64.cpp:
1683         (JSC::DFG::SpeculativeJIT::compile):
1684         * dfg/DFGValidate.cpp:
1685         * ftl/FTLAbstractHeapRepository.h:
1686         * ftl/FTLLowerDFGToB3.cpp:
1687         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1688         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1689         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1690         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1691         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1692         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1693         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1694         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1695         * ftl/FTLOperations.cpp:
1696         (JSC::FTL::operationMaterializeObjectInOSR):
1697         * generate-bytecode-files:
1698         * interpreter/Interpreter.cpp:
1699         (JSC::sizeOfVarargs):
1700         (JSC::loadVarargs):
1701         * jit/AssemblyHelpers.cpp:
1702         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1703         * jit/AssemblyHelpers.h:
1704         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1705         * jit/JITOperations.cpp:
1706         * jit/JITPropertyAccess.cpp:
1707         (JSC::JIT::emit_op_put_by_val):
1708         (JSC::JIT::emitSlow_op_put_by_val):
1709         * jit/Repatch.cpp:
1710         (JSC::tryCachePutByID):
1711         * llint/LowLevelInterpreter.asm:
1712         * llint/LowLevelInterpreter32_64.asm:
1713         * llint/LowLevelInterpreter64.asm:
1714         * runtime/Butterfly.h:
1715         (JSC::ContiguousData::Data::Data):
1716         (JSC::ContiguousData::Data::operator bool const):
1717         (JSC::ContiguousData::Data::operator=):
1718         (JSC::ContiguousData::Data::operator const T& const):
1719         (JSC::ContiguousData::Data::set):
1720         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
1721         (JSC::ContiguousData::Data::clear):
1722         (JSC::ContiguousData::Data::get const):
1723         (JSC::ContiguousData::atUnsafe):
1724         (JSC::ContiguousData::at const): Deleted.
1725         (JSC::ContiguousData::at): Deleted.
1726         * runtime/ButterflyInlines.h:
1727         (JSC::ContiguousData<T>::at const):
1728         (JSC::ContiguousData<T>::at):
1729         * runtime/ClonedArguments.cpp:
1730         (JSC::ClonedArguments::createEmpty):
1731         * runtime/CommonSlowPaths.cpp:
1732         (JSC::SLOW_PATH_DECL):
1733         * runtime/CommonSlowPaths.h:
1734         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
1735         * runtime/IndexingType.cpp:
1736         (JSC::leastUpperBoundOfIndexingTypeAndType):
1737         (JSC::leastUpperBoundOfIndexingTypeAndValue):
1738         (JSC::dumpIndexingType):
1739         * runtime/IndexingType.h:
1740         (JSC::hasIndexedProperties):
1741         (JSC::hasUndecided):
1742         (JSC::hasInt32):
1743         (JSC::hasDouble):
1744         (JSC::hasContiguous):
1745         (JSC::hasArrayStorage):
1746         (JSC::hasAnyArrayStorage):
1747         (JSC::hasSlowPutArrayStorage):
1748         (JSC::shouldUseSlowPut):
1749         (JSC::isCopyOnWrite):
1750         (JSC::arrayIndexFromIndexingType):
1751         * runtime/JSArray.cpp:
1752         (JSC::JSArray::tryCreateUninitializedRestricted):
1753         (JSC::JSArray::put):
1754         (JSC::JSArray::appendMemcpy):
1755         (JSC::JSArray::setLength):
1756         (JSC::JSArray::pop):
1757         (JSC::JSArray::fastSlice):
1758         (JSC::JSArray::shiftCountWithAnyIndexingType):
1759         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1760         (JSC::JSArray::fillArgList):
1761         (JSC::JSArray::copyToArguments):
1762         * runtime/JSArrayInlines.h:
1763         (JSC::JSArray::pushInline):
1764         * runtime/JSCell.h:
1765         * runtime/JSCellInlines.h:
1766         (JSC::JSCell::JSCell):
1767         (JSC::JSCell::finishCreation):
1768         (JSC::JSCell::indexingType const):
1769         (JSC::JSCell::indexingMode const):
1770         (JSC::JSCell::setStructure):
1771         * runtime/JSFixedArray.h:
1772         * runtime/JSGlobalObject.cpp:
1773         (JSC::JSGlobalObject::init):
1774         (JSC::JSGlobalObject::haveABadTime):
1775         (JSC::JSGlobalObject::visitChildren):
1776         * runtime/JSGlobalObject.h:
1777         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
1778         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1779         (JSC::JSGlobalObject::isOriginalArrayStructure):
1780         * runtime/JSImmutableButterfly.cpp: Added.
1781         (JSC::JSImmutableButterfly::visitChildren):
1782         (JSC::JSImmutableButterfly::copyToArguments):
1783         * runtime/JSImmutableButterfly.h: Added.
1784         (JSC::JSImmutableButterfly::createStructure):
1785         (JSC::JSImmutableButterfly::tryCreate):
1786         (JSC::JSImmutableButterfly::create):
1787         (JSC::JSImmutableButterfly::publicLength const):
1788         (JSC::JSImmutableButterfly::vectorLength const):
1789         (JSC::JSImmutableButterfly::length const):
1790         (JSC::JSImmutableButterfly::toButterfly const):
1791         (JSC::JSImmutableButterfly::fromButterfly):
1792         (JSC::JSImmutableButterfly::get const):
1793         (JSC::JSImmutableButterfly::subspaceFor):
1794         (JSC::JSImmutableButterfly::setIndex):
1795         (JSC::JSImmutableButterfly::allocationSize):
1796         (JSC::JSImmutableButterfly::JSImmutableButterfly):
1797         * runtime/JSObject.cpp:
1798         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
1799         (JSC::JSObject::visitButterflyImpl):
1800         (JSC::JSObject::getOwnPropertySlotByIndex):
1801         (JSC::JSObject::putByIndex):
1802         (JSC::JSObject::createInitialInt32):
1803         (JSC::JSObject::createInitialDouble):
1804         (JSC::JSObject::createInitialContiguous):
1805         (JSC::JSObject::convertUndecidedToInt32):
1806         (JSC::JSObject::convertUndecidedToDouble):
1807         (JSC::JSObject::convertUndecidedToContiguous):
1808         (JSC::JSObject::convertInt32ToDouble):
1809         (JSC::JSObject::convertInt32ToArrayStorage):
1810         (JSC::JSObject::convertDoubleToContiguous):
1811         (JSC::JSObject::convertDoubleToArrayStorage):
1812         (JSC::JSObject::convertContiguousToArrayStorage):
1813         (JSC::JSObject::createInitialForValueAndSet):
1814         (JSC::JSObject::convertInt32ForValue):
1815         (JSC::JSObject::convertFromCopyOnWrite):
1816         (JSC::JSObject::ensureWritableInt32Slow):
1817         (JSC::JSObject::ensureWritableDoubleSlow):
1818         (JSC::JSObject::ensureWritableContiguousSlow):
1819         (JSC::JSObject::ensureArrayStorageSlow):
1820         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1821         (JSC::JSObject::switchToSlowPutArrayStorage):
1822         (JSC::JSObject::deletePropertyByIndex):
1823         (JSC::JSObject::getOwnPropertyNames):
1824         (JSC::canDoFastPutDirectIndex):
1825         (JSC::JSObject::defineOwnIndexedProperty):
1826         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1827         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1828         (JSC::JSObject::putByIndexBeyondVectorLength):
1829         (JSC::JSObject::countElements):
1830         (JSC::JSObject::ensureLengthSlow):
1831         (JSC::JSObject::getEnumerableLength):
1832         (JSC::JSObject::ensureInt32Slow): Deleted.
1833         (JSC::JSObject::ensureDoubleSlow): Deleted.
1834         (JSC::JSObject::ensureContiguousSlow): Deleted.
1835         * runtime/JSObject.h:
1836         (JSC::JSObject::putDirectIndex):
1837         (JSC::JSObject::canGetIndexQuickly):
1838         (JSC::JSObject::getIndexQuickly):
1839         (JSC::JSObject::tryGetIndexQuickly const):
1840         (JSC::JSObject::canSetIndexQuickly):
1841         (JSC::JSObject::setIndexQuickly):
1842         (JSC::JSObject::initializeIndex):
1843         (JSC::JSObject::initializeIndexWithoutBarrier):
1844         (JSC::JSObject::ensureWritableInt32):
1845         (JSC::JSObject::ensureWritableDouble):
1846         (JSC::JSObject::ensureWritableContiguous):
1847         (JSC::JSObject::ensureLength):
1848         (JSC::JSObject::ensureInt32): Deleted.
1849         (JSC::JSObject::ensureDouble): Deleted.
1850         (JSC::JSObject::ensureContiguous): Deleted.
1851         * runtime/JSObjectInlines.h:
1852         (JSC::JSObject::putDirectInternal):
1853         * runtime/JSType.h:
1854         * runtime/RegExpMatchesArray.h:
1855         (JSC::tryCreateUninitializedRegExpMatchesArray):
1856         * runtime/Structure.cpp:
1857         (JSC::Structure::Structure):
1858         (JSC::Structure::addNewPropertyTransition):
1859         (JSC::Structure::nonPropertyTransition):
1860         * runtime/Structure.h:
1861         * runtime/StructureIDBlob.h:
1862         (JSC::StructureIDBlob::StructureIDBlob):
1863         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
1864         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
1865         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
1866         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
1867         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
1868         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
1869         * runtime/StructureTransitionTable.h:
1870         (JSC::newIndexingType):
1871         * runtime/VM.cpp:
1872         (JSC::VM::VM):
1873         * runtime/VM.h:
1874
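        The following is an added C++ model of the IndexingMode byte and of the
        copy-on-write transition described in the entry above; it is example code,
        not JSC's. The bit positions come from the IndexingTypeAndMisc sketch, the
        shape enumerator values are assumed to match JSC's IndexingType.h, and
        ImmutableButterfly, ModelArray and cowWriteIsIsolated are names constructed
        for the example.

```cpp
// Added example, not JSC code: a small model of the IndexingMode byte and of the
// copy-on-write butterfly transition described in the ChangeLog entry above.
#include <cassert>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Bit positions follow the IndexingTypeAndMisc sketch in the entry. The shape
// codes are assumed to match JSC's IndexingType.h; the entry itself only fixes
// which bits hold which field, not the enumerator values.
enum : uint8_t {
    IsArray                  = 0x01, // bit 0
    IndexingShapeMask        = 0x0E, // bits 1-3
    UndecidedShape           = 0x02,
    Int32Shape               = 0x04,
    DoubleShape              = 0x06,
    ContiguousShape          = 0x08,
    ArrayStorageShape        = 0x0A,
    SlowPutArrayStorageShape = 0x0C,
    CopyOnWrite              = 0x10, // bit 4
    MayHaveIndexedAccessors  = 0x20, // bit 5
};

using IndexingMode = uint8_t;

inline uint8_t indexingShape(IndexingMode mode) { return mode & IndexingShapeMask; }
inline bool isCopyOnWrite(IndexingMode mode) { return (mode & CopyOnWrite) != 0; }

// "For simplicity ArrayStorage shapes cannot be CoW": the CopyOnWrite bit is
// only legal on ArrayWithInt32, ArrayWithDouble and ArrayWithContiguous.
bool isValidIndexingMode(IndexingMode mode)
{
    if (!isCopyOnWrite(mode))
        return true;
    if (!(mode & IsArray))
        return false;
    switch (indexingShape(mode)) {
    case Int32Shape:
    case DoubleShape:
    case ContiguousShape:
        return true;
    default:
        return false;
    }
}

// Stand-in for the shared JSImmutableButterfly: created once per new_array_buffer
// site and shared by every array it allocates until one of them is written to.
struct ImmutableButterfly {
    std::vector<int32_t> data;
};

struct ModelArray {
    IndexingMode mode;
    std::shared_ptr<const ImmutableButterfly> shared; // backing store while CoW
    std::vector<int32_t> owned;                        // backing store after the copy

    static ModelArray fromBuffer(std::shared_ptr<const ImmutableButterfly> buffer)
    {
        return { static_cast<IndexingMode>(IsArray | Int32Shape | CopyOnWrite), std::move(buffer), {} };
    }

    int32_t get(size_t i) const { return isCopyOnWrite(mode) ? shared->data.at(i) : owned.at(i); }
    size_t length() const { return isCopyOnWrite(mode) ? shared->data.size() : owned.size(); }

    // The transition the entry describes: copy the butterfly, clear the CoW
    // bit, then continue into the ordinary writable path.
    void ensureWritable()
    {
        if (!isCopyOnWrite(mode))
            return;
        owned = shared->data;
        shared.reset();
        mode = static_cast<IndexingMode>(mode & ~CopyOnWrite);
    }

    void put(size_t i, int32_t value) { ensureWritable(); owned.at(i) = value; }
    void push(int32_t value) { ensureWritable(); owned.push_back(value); }
};

// Two arrays from the same literal site: a store or grow on one must leave the
// shared butterfly, and therefore the other array, untouched.
bool cowWriteIsIsolated()
{
    std::shared_ptr<const ImmutableButterfly> buffer =
        std::make_shared<ImmutableButterfly>(ImmutableButterfly{{1, 2, 3}});
    ModelArray a = ModelArray::fromBuffer(buffer);
    ModelArray b = ModelArray::fromBuffer(buffer);
    a.put(0, 42);
    a.push(4);
    return a.get(0) == 42 && a.length() == 4 && !isCopyOnWrite(a.mode)
        && b.get(0) == 1 && b.length() == 3 && isCopyOnWrite(b.mode)
        && buffer->data[0] == 1 && buffer.use_count() == 2; // buffer + b
}

int main() { return cowWriteIsIsolated() ? 0 : 1; }
```
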
1875 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
1876
1877         Unreviewed, rolling out r232052.
1878
1879         Breaks internal builds.
1880
1881         Reverted changeset:
1882
1883         "Use more C++17"
1884         https://bugs.webkit.org/show_bug.cgi?id=185176
1885         https://trac.webkit.org/changeset/232052
1886
1887 2018-05-22  Alberto Garcia  <berto@igalia.com>
1888
1889         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
1890         https://bugs.webkit.org/show_bug.cgi?id=182622
1891         <rdar://problem/40292317>
1892
1893         Reviewed by Michael Catanzaro.
1894
1895         We were linking JavaScriptCore against libatomic in MIPS because
1896         in that architecture __atomic_fetch_add_8() is not a compiler
1897         intrinsic and is provided by that library instead. However other
1898         architectures (e.g. armel) are in the same situation, so we need a
1899         generic test.
1900
1901         That test already exists in WebKit/CMakeLists.txt, so we just have
1902         to move it to a common file (WebKitCompilerFlags.cmake) and use
1903         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
1904
1905         * CMakeLists.txt:
1906
1907 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
1908
1909         Unreviewed, rolling out r231843.
1910
1911         Broke cross build
1912
1913         Reverted changeset:
1914
1915         "[CMake] Properly detect compiler flags, needed libs, and
1916         fallbacks for usage of 64-bit atomic operations"
1917         https://bugs.webkit.org/show_bug.cgi?id=182622
1918         https://trac.webkit.org/changeset/231843
1919
1920 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1921
1922         Use more C++17
1923         https://bugs.webkit.org/show_bug.cgi?id=185176
1924
1925         Reviewed by JF Bastien.
1926
1927         * Configurations/Base.xcconfig:
1928
1929 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1930
1931         [JSC] Remove duplicate methods in JSInterfaceJIT
1932         https://bugs.webkit.org/show_bug.cgi?id=185813
1933
1934         Reviewed by Saam Barati.
1935
1936         Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
1937         This patch removes them and uses AssemblyHelpers' ones instead.
1938
1939         This patch also cleans up some unnecessary ifdefs in ThunkGenerators.
1940
1941         * jit/AssemblyHelpers.h:
1942         (JSC::AssemblyHelpers::tagFor):
1943         (JSC::AssemblyHelpers::payloadFor):
1944         * jit/JIT.h:
1945         * jit/JITArithmetic.cpp:
1946         (JSC::JIT::emit_op_unsigned):
1947         (JSC::JIT::emit_compareUnsigned):
1948         (JSC::JIT::emit_op_inc):
1949         (JSC::JIT::emit_op_dec):
1950         (JSC::JIT::emit_op_mod):
1951         * jit/JITCall32_64.cpp:
1952         (JSC::JIT::compileOpCall):
1953         * jit/JITInlines.h:
1954         (JSC::JIT::emitPutIntToCallFrameHeader):
1955         (JSC::JIT::updateTopCallFrame):
1956         (JSC::JIT::emitInitRegister):
1957         (JSC::JIT::emitLoad):
1958         (JSC::JIT::emitStore):
1959         (JSC::JIT::emitStoreInt32):
1960         (JSC::JIT::emitStoreCell):
1961         (JSC::JIT::emitStoreBool):
1962         (JSC::JIT::emitGetVirtualRegister):
1963         (JSC::JIT::emitPutVirtualRegister):
1964         (JSC::JIT::emitTagBool): Deleted.
1965         * jit/JITOpcodes.cpp:
1966         (JSC::JIT::emit_op_overrides_has_instance):
1967         (JSC::JIT::emit_op_is_empty):
1968         (JSC::JIT::emit_op_is_undefined):
1969         (JSC::JIT::emit_op_is_boolean):
1970         (JSC::JIT::emit_op_is_number):
1971         (JSC::JIT::emit_op_is_cell_with_type):
1972         (JSC::JIT::emit_op_is_object):
1973         (JSC::JIT::emit_op_eq):
1974         (JSC::JIT::emit_op_neq):
1975         (JSC::JIT::compileOpStrictEq):
1976         (JSC::JIT::emit_op_eq_null):
1977         (JSC::JIT::emit_op_neq_null):
1978         (JSC::JIT::emitSlow_op_eq):
1979         (JSC::JIT::emitSlow_op_neq):
1980         (JSC::JIT::emitSlow_op_instanceof_custom):
1981         (JSC::JIT::emitNewFuncExprCommon):
1982         * jit/JSInterfaceJIT.h:
1983         (JSC::JSInterfaceJIT::emitLoadInt32):
1984         (JSC::JSInterfaceJIT::emitLoadDouble):
1985         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
1986         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
1987         (JSC::JSInterfaceJIT::tagFor): Deleted.
1988         (JSC::JSInterfaceJIT::payloadFor): Deleted.
1989         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
1990         (JSC::JSInterfaceJIT::intTagFor): Deleted.
1991         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
1992         (JSC::JSInterfaceJIT::addressFor): Deleted.
1993         * jit/SpecializedThunkJIT.h:
1994         (JSC::SpecializedThunkJIT::returnDouble):
1995         * jit/ThunkGenerators.cpp:
1996         (JSC::nativeForGenerator):
1997         (JSC::arityFixupGenerator):
1998
1999 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2000
2001         Unreviewed, reland InById cache
2002         https://bugs.webkit.org/show_bug.cgi?id=185682
2003
2004         Includes Dominik's 32bit fix.
2005
2006         * bytecode/AccessCase.cpp:
2007         (JSC::AccessCase::fromStructureStubInfo):
2008         (JSC::AccessCase::generateWithGuard):
2009         (JSC::AccessCase::generateImpl):
2010         * bytecode/BytecodeDumper.cpp:
2011         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2012         (JSC::BytecodeDumper<Block>::dumpBytecode):
2013         * bytecode/BytecodeDumper.h:
2014         * bytecode/BytecodeList.json:
2015         * bytecode/BytecodeUseDef.h:
2016         (JSC::computeUsesForBytecodeOffset):
2017         (JSC::computeDefsForBytecodeOffset):
2018         * bytecode/CodeBlock.cpp:
2019         (JSC::CodeBlock::finishCreation):
2020         * bytecode/InlineAccess.cpp:
2021         (JSC::InlineAccess::generateSelfInAccess):
2022         * bytecode/InlineAccess.h:
2023         * bytecode/StructureStubInfo.cpp:
2024         (JSC::StructureStubInfo::initInByIdSelf):
2025         (JSC::StructureStubInfo::deref):
2026         (JSC::StructureStubInfo::aboutToDie):
2027         (JSC::StructureStubInfo::reset):
2028         (JSC::StructureStubInfo::visitWeakReferences):
2029         (JSC::StructureStubInfo::propagateTransitions):
2030         * bytecode/StructureStubInfo.h:
2031         (JSC::StructureStubInfo::patchableJump):
2032         * bytecompiler/BytecodeGenerator.cpp:
2033         (JSC::BytecodeGenerator::emitInByVal):
2034         (JSC::BytecodeGenerator::emitInById):
2035         (JSC::BytecodeGenerator::emitIn): Deleted.
2036         * bytecompiler/BytecodeGenerator.h:
2037         * bytecompiler/NodesCodegen.cpp:
2038         (JSC::InNode::emitBytecode):
2039         * dfg/DFGAbstractInterpreterInlines.h:
2040         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2041         * dfg/DFGByteCodeParser.cpp:
2042         (JSC::DFG::ByteCodeParser::parseBlock):
2043         * dfg/DFGCapabilities.cpp:
2044         (JSC::DFG::capabilityLevel):
2045         * dfg/DFGClobberize.h:
2046         (JSC::DFG::clobberize):
2047         * dfg/DFGConstantFoldingPhase.cpp:
2048         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2049         * dfg/DFGDoesGC.cpp:
2050         (JSC::DFG::doesGC):
2051         * dfg/DFGFixupPhase.cpp:
2052         (JSC::DFG::FixupPhase::fixupNode):
2053         * dfg/DFGJITCompiler.cpp:
2054         (JSC::DFG::JITCompiler::link):
2055         * dfg/DFGJITCompiler.h:
2056         (JSC::DFG::JITCompiler::addInById):
2057         (JSC::DFG::InRecord::InRecord): Deleted.
2058         (JSC::DFG::JITCompiler::addIn): Deleted.
2059         * dfg/DFGNode.h:
2060         (JSC::DFG::Node::convertToInById):
2061         (JSC::DFG::Node::hasIdentifier):
2062         (JSC::DFG::Node::hasArrayMode):
2063         * dfg/DFGNodeType.h:
2064         * dfg/DFGPredictionPropagationPhase.cpp:
2065         * dfg/DFGSafeToExecute.h:
2066         (JSC::DFG::safeToExecute):
2067         * dfg/DFGSpeculativeJIT.cpp:
2068         (JSC::DFG::SpeculativeJIT::compileInById):
2069         (JSC::DFG::SpeculativeJIT::compileInByVal):
2070         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2071         * dfg/DFGSpeculativeJIT.h:
2072         * dfg/DFGSpeculativeJIT32_64.cpp:
2073         (JSC::DFG::SpeculativeJIT::compile):
2074         * dfg/DFGSpeculativeJIT64.cpp:
2075         (JSC::DFG::SpeculativeJIT::compile):
2076         * ftl/FTLCapabilities.cpp:
2077         (JSC::FTL::canCompile):
2078         * ftl/FTLLowerDFGToB3.cpp:
2079         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2080         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2081         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2082         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2083         * jit/AssemblyHelpers.h:
2084         (JSC::AssemblyHelpers::boxBoolean):
2085         * jit/ICStats.h:
2086         * jit/JIT.cpp:
2087         (JSC::JIT::JIT):
2088         (JSC::JIT::privateCompileMainPass):
2089         (JSC::JIT::privateCompileSlowCases):
2090         (JSC::JIT::link):
2091         * jit/JIT.h:
2092         * jit/JITInlineCacheGenerator.cpp:
2093         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2094         (JSC::JITInByIdGenerator::generateFastPath):
2095         * jit/JITInlineCacheGenerator.h:
2096         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2097         * jit/JITOperations.cpp:
2098         * jit/JITOperations.h:
2099         * jit/JITPropertyAccess.cpp:
2100         (JSC::JIT::emit_op_in_by_id):
2101         (JSC::JIT::emitSlow_op_in_by_id):
2102         * jit/JITPropertyAccess32_64.cpp:
2103         (JSC::JIT::emit_op_in_by_id):
2104         (JSC::JIT::emitSlow_op_in_by_id):
2105         * jit/Repatch.cpp:
2106         (JSC::tryCacheInByID):
2107         (JSC::repatchInByID):
2108         (JSC::resetInByID):
2109         (JSC::tryCacheIn): Deleted.
2110         (JSC::repatchIn): Deleted.
2111         (JSC::resetIn): Deleted.
2112         * jit/Repatch.h:
2113         * llint/LowLevelInterpreter.asm:
2114         * llint/LowLevelInterpreter64.asm:
2115         * parser/NodeConstructors.h:
2116         (JSC::InNode::InNode):
2117         * runtime/CommonSlowPaths.cpp:
2118         (JSC::SLOW_PATH_DECL):
2119         * runtime/CommonSlowPaths.h:
2120         (JSC::CommonSlowPaths::opInByVal):
2121         (JSC::CommonSlowPaths::opIn): Deleted.
2122
2123 2018-05-21  Commit Queue  <commit-queue@webkit.org>
2124
2125         Unreviewed, rolling out r231998 and r232017.
2126         https://bugs.webkit.org/show_bug.cgi?id=185842
2127
2128         causes crashes on 32 JSC bot (Requested by realdawei on
2129         #webkit).
2130
2131         Reverted changesets:
2132
2133         "[JSC] JSC should have consistent InById IC"
2134         https://bugs.webkit.org/show_bug.cgi?id=185682
2135         https://trac.webkit.org/changeset/231998
2136
2137         "Unreviewed, fix 32bit and scope release"
2138         https://bugs.webkit.org/show_bug.cgi?id=185682
2139         https://trac.webkit.org/changeset/232017
2140
2141 2018-05-21  Jer Noble  <jer.noble@apple.com>
2142
2143         Complete fix for enabling modern EME by default
2144         https://bugs.webkit.org/show_bug.cgi?id=185770
2145         <rdar://problem/40368220>
2146
2147         Reviewed by Eric Carlson.
2148
2149         * Configurations/FeatureDefines.xcconfig:
2150
2151 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2152
2153         Unreviewed, fix 32bit and scope release
2154         https://bugs.webkit.org/show_bug.cgi?id=185682
2155
2156         * jit/JITOperations.cpp:
2157         * jit/JITPropertyAccess32_64.cpp:
2158         (JSC::JIT::emitSlow_op_in_by_id):
2159
2160 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
2161
2162         Revert the B3 compiler pipeline's treatment of taildup
2163         https://bugs.webkit.org/show_bug.cgi?id=185808
2164
2165         Reviewed by Yusuke Suzuki.
2166         
2167         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
2168         But then path specialization turned out to be a negative result. This reverts the pipeline to the
2169         way it was before that work.
2170         
2171         1.5% progression on V8Spider-CompileTime.
2172
2173         * b3/B3Generate.cpp:
2174         (JSC::B3::generateToAir):
2175
2176 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2177
2178         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
2179         https://bugs.webkit.org/show_bug.cgi?id=185802
2180
2181         Reviewed by Saam Barati.
2182
2183         * dfg/DFGConstantFoldingPhase.cpp:
2184         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2185
2186 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
2187
2188         DFG should inline InstanceOf ICs
2189         https://bugs.webkit.org/show_bug.cgi?id=185695
2190
2191         Reviewed by Yusuke Suzuki.
2192         
2193         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
2194         be folded to a CheckStructure + JSConstant.
2195         
2196         In the process of testing this, I found a bug where LICM was not hoisting things that
2197         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
2198         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
2199         
2200         This is a ~5% speed-up on boyer.
2201         
2202         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
2203         instanceof-sometimes-hit microbenchmarks.
2204
2205         * JavaScriptCore.xcodeproj/project.pbxproj:
2206         * Sources.txt:
2207         * bytecode/GetByIdStatus.cpp:
2208         (JSC::GetByIdStatus::appendVariant):
2209         (JSC::GetByIdStatus::filter):
2210         * bytecode/GetByIdStatus.h:
2211         (JSC::GetByIdStatus::operator bool const):
2212         (JSC::GetByIdStatus::operator! const): Deleted.
2213         * bytecode/GetByIdVariant.h:
2214         (JSC::GetByIdVariant::operator bool const):
2215         (JSC::GetByIdVariant::operator! const): Deleted.
2216         * bytecode/ICStatusUtils.h: Added.
2217         (JSC::appendICStatusVariant):
2218         (JSC::filterICStatusVariants):
2219         * bytecode/InstanceOfStatus.cpp: Added.
2220         (JSC::InstanceOfStatus::appendVariant):
2221         (JSC::InstanceOfStatus::computeFor):
2222         (JSC::InstanceOfStatus::computeForStubInfo):
2223         (JSC::InstanceOfStatus::commonPrototype const):
2224         (JSC::InstanceOfStatus::filter):
2225         * bytecode/InstanceOfStatus.h: Added.
2226         (JSC::InstanceOfStatus::InstanceOfStatus):
2227         (JSC::InstanceOfStatus::state const):
2228         (JSC::InstanceOfStatus::isSet const):
2229         (JSC::InstanceOfStatus::operator bool const):
2230         (JSC::InstanceOfStatus::isSimple const):
2231         (JSC::InstanceOfStatus::takesSlowPath const):
2232         (JSC::InstanceOfStatus::numVariants const):
2233         (JSC::InstanceOfStatus::variants const):
2234         (JSC::InstanceOfStatus::at const):
2235         (JSC::InstanceOfStatus::operator[] const):
2236         * bytecode/InstanceOfVariant.cpp: Added.
2237         (JSC::InstanceOfVariant::InstanceOfVariant):
2238         (JSC::InstanceOfVariant::attemptToMerge):
2239         (JSC::InstanceOfVariant::dump const):
2240         (JSC::InstanceOfVariant::dumpInContext const):
2241         * bytecode/InstanceOfVariant.h: Added.
2242         (JSC::InstanceOfVariant::InstanceOfVariant):
2243         (JSC::InstanceOfVariant::operator bool const):
2244         (JSC::InstanceOfVariant::structureSet const):
2245         (JSC::InstanceOfVariant::structureSet):
2246         (JSC::InstanceOfVariant::conditionSet const):
2247         (JSC::InstanceOfVariant::prototype const):
2248         (JSC::InstanceOfVariant::isHit const):
2249         * bytecode/StructureStubInfo.cpp:
2250         (JSC::StructureStubInfo::StructureStubInfo):
2251         * bytecode/StructureStubInfo.h:
2252         (JSC::StructureStubInfo::considerCaching):
2253         * dfg/DFGAbstractInterpreterInlines.h:
2254         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2255         * dfg/DFGByteCodeParser.cpp:
2256         (JSC::DFG::ByteCodeParser::parseBlock):
2257         * dfg/DFGClobberize.h:
2258         (JSC::DFG::clobberize):
2259         * dfg/DFGConstantFoldingPhase.cpp:
2260         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2261         * dfg/DFGDoesGC.cpp:
2262         (JSC::DFG::doesGC):
2263         * dfg/DFGFixupPhase.cpp:
2264         (JSC::DFG::FixupPhase::fixupNode):
2265         * dfg/DFGGraph.cpp:
2266         (JSC::DFG::Graph::dump):
2267         * dfg/DFGGraph.h:
2268         * dfg/DFGLICMPhase.cpp:
2269         (JSC::DFG::LICMPhase::attemptHoist):
2270         * dfg/DFGNode.cpp:
2271         (JSC::DFG::Node::remove):
2272         * dfg/DFGNode.h:
2273         (JSC::DFG::Node::hasMatchStructureData):
2274         (JSC::DFG::Node::matchStructureData):
2275         * dfg/DFGNodeType.h:
2276         * dfg/DFGSafeToExecute.h:
2277         (JSC::DFG::safeToExecute):
2278         * dfg/DFGSpeculativeJIT.cpp:
2279         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
2280         * dfg/DFGSpeculativeJIT.h:
2281         * dfg/DFGSpeculativeJIT32_64.cpp:
2282         (JSC::DFG::SpeculativeJIT::compile):
2283         * dfg/DFGSpeculativeJIT64.cpp:
2284         (JSC::DFG::SpeculativeJIT::compile):
2285         * ftl/FTLCapabilities.cpp:
2286         (JSC::FTL::canCompile):
2287         * ftl/FTLLowerDFGToB3.cpp:
2288         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2289         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
2290
2291 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2292
2293         [JSC] JSC should have consistent InById IC
2294         https://bugs.webkit.org/show_bug.cgi?id=185682
2295
2296         Reviewed by Filip Pizlo.
2297
2298         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL
2299         layers, when we find that DFG::In's parameter is a constant string. We
2300         should align this IC with the other ById ICs to clean up and remove the
2301         ad hoc code in DFG and FTL.
2302
2303         This patch cleans up our "In" IC by aligning it with the other ById ICs.
2304         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
2305         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
2306         to emit the InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
2307         have an inline access cache for the own-property case, which is the same as
2308         in JITGetByIdGenerator.
2309
2310         We also split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
2311         as the original In DFG node. DFG AI attempts to lower InByVal to InById
2312         if it figures out that the property name is a constant string. In the
2313         InById node, we use the JITInByIdGenerator code.
2314
2315         This patch cleans up the DFG's and FTL's ad hoc In IC code.
2316
2317         In a subsequent patch, we should introduce InByIdStatus to optimize
2318         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
2319         reusing GetByIdStatus, since GetByIdStatus has become too complicated, and
2320         the AccessCase::Types differ (AccessCase::InHit / InMiss).
2321
2322         * bytecode/AccessCase.cpp:
2323         (JSC::AccessCase::fromStructureStubInfo):
2324         (JSC::AccessCase::generateWithGuard):
2325         * bytecode/BytecodeDumper.cpp:
2326         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2327         (JSC::BytecodeDumper<Block>::dumpBytecode):
2328         * bytecode/BytecodeDumper.h:
2329         * bytecode/BytecodeList.json:
2330         * bytecode/BytecodeUseDef.h:
2331         (JSC::computeUsesForBytecodeOffset):
2332         (JSC::computeDefsForBytecodeOffset):
2333         * bytecode/CodeBlock.cpp:
2334         (JSC::CodeBlock::finishCreation):
2335         * bytecode/InlineAccess.cpp:
2336         (JSC::InlineAccess::generateSelfInAccess):
2337         * bytecode/InlineAccess.h:
2338         * bytecode/StructureStubInfo.cpp:
2339         (JSC::StructureStubInfo::initInByIdSelf):
2340         (JSC::StructureStubInfo::deref):
2341         (JSC::StructureStubInfo::aboutToDie):
2342         (JSC::StructureStubInfo::reset):
2343         (JSC::StructureStubInfo::visitWeakReferences):
2344         (JSC::StructureStubInfo::propagateTransitions):
2345         * bytecode/StructureStubInfo.h:
2346         (JSC::StructureStubInfo::patchableJump):
2347         * bytecompiler/BytecodeGenerator.cpp:
2348         (JSC::BytecodeGenerator::emitInByVal):
2349         (JSC::BytecodeGenerator::emitInById):
2350         (JSC::BytecodeGenerator::emitIn): Deleted.
2351         * bytecompiler/BytecodeGenerator.h:
2352         * bytecompiler/NodesCodegen.cpp:
2353         (JSC::InNode::emitBytecode):
2354         * dfg/DFGAbstractInterpreterInlines.h:
2355         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2356         * dfg/DFGByteCodeParser.cpp:
2357         (JSC::DFG::ByteCodeParser::parseBlock):
2358         * dfg/DFGCapabilities.cpp:
2359         (JSC::DFG::capabilityLevel):
2360         * dfg/DFGClobberize.h:
2361         (JSC::DFG::clobberize):
2362         * dfg/DFGConstantFoldingPhase.cpp:
2363         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2364         * dfg/DFGDoesGC.cpp:
2365         (JSC::DFG::doesGC):
2366         * dfg/DFGFixupPhase.cpp:
2367         (JSC::DFG::FixupPhase::fixupNode):
2368         * dfg/DFGJITCompiler.cpp:
2369         (JSC::DFG::JITCompiler::link):
2370         * dfg/DFGJITCompiler.h:
2371         (JSC::DFG::JITCompiler::addInById):
2372         (JSC::DFG::InRecord::InRecord): Deleted.
2373         (JSC::DFG::JITCompiler::addIn): Deleted.
2374         * dfg/DFGNode.h:
2375         (JSC::DFG::Node::convertToInById):
2376         (JSC::DFG::Node::hasIdentifier):
2377         (JSC::DFG::Node::hasArrayMode):
2378         * dfg/DFGNodeType.h:
2379         * dfg/DFGPredictionPropagationPhase.cpp:
2380         * dfg/DFGSafeToExecute.h:
2381         (JSC::DFG::safeToExecute):
2382         * dfg/DFGSpeculativeJIT.cpp:
2383         (JSC::DFG::SpeculativeJIT::compileInById):
2384         (JSC::DFG::SpeculativeJIT::compileInByVal):
2385         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2386         * dfg/DFGSpeculativeJIT.h:
2387         * dfg/DFGSpeculativeJIT32_64.cpp:
2388         (JSC::DFG::SpeculativeJIT::compile):
2389         * dfg/DFGSpeculativeJIT64.cpp:
2390         (JSC::DFG::SpeculativeJIT::compile):
2391         * ftl/FTLCapabilities.cpp:
2392         (JSC::FTL::canCompile):
2393         * ftl/FTLLowerDFGToB3.cpp:
2394         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2395         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2396         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2397         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2398         * jit/ICStats.h:
2399         * jit/JIT.cpp:
2400         (JSC::JIT::JIT):
2401         (JSC::JIT::privateCompileMainPass):
2402         (JSC::JIT::privateCompileSlowCases):
2403         (JSC::JIT::link):
2404         * jit/JIT.h:
2405         * jit/JITInlineCacheGenerator.cpp:
2406         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2407         (JSC::JITInByIdGenerator::generateFastPath):
2408         * jit/JITInlineCacheGenerator.h:
2409         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2410         * jit/JITOperations.cpp:
2411         * jit/JITOperations.h:
2412         * jit/JITPropertyAccess.cpp:
2413         (JSC::JIT::emit_op_in_by_id):
2414         (JSC::JIT::emitSlow_op_in_by_id):
2415         * jit/JITPropertyAccess32_64.cpp:
2416         (JSC::JIT::emit_op_in_by_id):
2417         (JSC::JIT::emitSlow_op_in_by_id):
2418         * jit/Repatch.cpp:
2419         (JSC::tryCacheInByID):
2420         (JSC::repatchInByID):
2421         (JSC::resetInByID):
2422         (JSC::tryCacheIn): Deleted.
2423         (JSC::repatchIn): Deleted.
2424         (JSC::resetIn): Deleted.
2425         * jit/Repatch.h:
2426         * llint/LowLevelInterpreter.asm:
2427         * llint/LowLevelInterpreter64.asm:
2428         * parser/NodeConstructors.h:
2429         (JSC::InNode::InNode):
2430         * runtime/CommonSlowPaths.cpp:
2431         (JSC::SLOW_PATH_DECL):
2432         * runtime/CommonSlowPaths.h:
2433         (JSC::CommonSlowPaths::opInByVal):
2434         (JSC::CommonSlowPaths::opIn): Deleted.
2435
2436 2018-05-18  Commit Queue  <commit-queue@webkit.org>
2437
2438         Unreviewed, rolling out r231982.
2439         https://bugs.webkit.org/show_bug.cgi?id=185793
2440
2441         Caused layout test failures (Requested by realdawei on
2442         #webkit).
2443
2444         Reverted changeset:
2445
2446         "Complete fix for enabling modern EME by default"
2447         https://bugs.webkit.org/show_bug.cgi?id=185770
2448         https://trac.webkit.org/changeset/231982
2449
2450 2018-05-18  Keith Miller  <keith_miller@apple.com>
2451
2452         op_in should mark if it sees out of bounds accesses
2453         https://bugs.webkit.org/show_bug.cgi?id=185792
2454
2455         Reviewed by Filip Pizlo.
2456
2457         This used to cause us to OSR loop, since we would always speculate
2458         that we were in bounds in HasIndexedProperty.
2459
2460         * bytecode/ArrayProfile.cpp:
2461         (JSC::ArrayProfile::observeIndexedRead):
2462         * bytecode/ArrayProfile.h:
2463         * runtime/CommonSlowPaths.h:
2464         (JSC::CommonSlowPaths::opIn):
2465
2466 2018-05-18  Mark Lam  <mark.lam@apple.com>
2467
2468         Add missing exception check.
2469         https://bugs.webkit.org/show_bug.cgi?id=185786
2470         <rdar://problem/35686560>
2471
2472         Reviewed by Michael Saboff.
2473
2474         * runtime/JSPropertyNameEnumerator.h:
2475         (JSC::propertyNameEnumerator):
2476
2477 2018-05-18  Jer Noble  <jer.noble@apple.com>
2478
2479         Complete fix for enabling modern EME by default
2480         https://bugs.webkit.org/show_bug.cgi?id=185770
2481         <rdar://problem/40368220>
2482
2483         Reviewed by Eric Carlson.
2484
2485         * Configurations/FeatureDefines.xcconfig:
2486
2487 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2488
2489         Unreviewed, fix exception checking, part 2
2490         https://bugs.webkit.org/show_bug.cgi?id=185350
2491
2492         * dfg/DFGOperations.cpp:
2493         (JSC::DFG::putByValInternal):
2494         * jit/JITOperations.cpp:
2495         * runtime/CommonSlowPaths.h:
2496         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2497
2498 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
2499
2500         JSC should have InstanceOf inline caching
2501         https://bugs.webkit.org/show_bug.cgi?id=185652
2502
2503         Reviewed by Saam Barati.
2504         
2505         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
2506         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
2507         too many cases, we emit the generic instanceof implementation instead.
2508         
2509         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
2510         abstraction.
2511         
2512         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
2513         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
2514
2515         * API/tests/testapi.mm:
2516         (testObjectiveCAPIMain):
2517         * JavaScriptCore.xcodeproj/project.pbxproj:
2518         * Sources.txt:
2519         * b3/B3Effects.h:
2520         (JSC::B3::Effects::forReadOnlyCall):
2521         * bytecode/AccessCase.cpp:
2522         (JSC::AccessCase::guardedByStructureCheck const):
2523         (JSC::AccessCase::canReplace const):
2524         (JSC::AccessCase::visitWeak const):
2525         (JSC::AccessCase::generateWithGuard):
2526         (JSC::AccessCase::generateImpl):
2527         * bytecode/AccessCase.h:
2528         * bytecode/InstanceOfAccessCase.cpp: Added.
2529         (JSC::InstanceOfAccessCase::create):
2530         (JSC::InstanceOfAccessCase::dumpImpl const):
2531         (JSC::InstanceOfAccessCase::clone const):
2532         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
2533         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
2534         * bytecode/InstanceOfAccessCase.h: Added.
2535         (JSC::InstanceOfAccessCase::prototype const):
2536         * bytecode/ObjectPropertyCondition.h:
2537         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
2538         (JSC::ObjectPropertyCondition::hasPrototype):
2539         * bytecode/ObjectPropertyConditionSet.cpp:
2540         (JSC::generateConditionsForInstanceOf):
2541         * bytecode/ObjectPropertyConditionSet.h:
2542         * bytecode/PolymorphicAccess.cpp:
2543         (JSC::PolymorphicAccess::addCases):
2544         (JSC::PolymorphicAccess::regenerate):
2545         (WTF::printInternal):
2546         * bytecode/PropertyCondition.cpp:
2547         (JSC::PropertyCondition::dumpInContext const):
2548         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2549         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2550         (WTF::printInternal):
2551         * bytecode/PropertyCondition.h:
2552         (JSC::PropertyCondition::absenceWithoutBarrier):
2553         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2554         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2555         (JSC::PropertyCondition::hasPrototype):
2556         (JSC::PropertyCondition::hasPrototype const):
2557         (JSC::PropertyCondition::prototype const):
2558         (JSC::PropertyCondition::hash const):
2559         (JSC::PropertyCondition::operator== const):
2560         * bytecode/StructureStubInfo.cpp:
2561         (JSC::StructureStubInfo::StructureStubInfo):
2562         (JSC::StructureStubInfo::reset):
2563         * bytecode/StructureStubInfo.h:
2564         (JSC::StructureStubInfo::considerCaching):
2565         * dfg/DFGByteCodeParser.cpp:
2566         (JSC::DFG::ByteCodeParser::parseBlock):
2567         * dfg/DFGFixupPhase.cpp:
2568         (JSC::DFG::FixupPhase::fixupNode):
2569         * dfg/DFGInlineCacheWrapper.h:
2570         * dfg/DFGInlineCacheWrapperInlines.h:
2571         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
2572         * dfg/DFGJITCompiler.cpp:
2573         (JSC::DFG::JITCompiler::link):
2574         * dfg/DFGJITCompiler.h:
2575         (JSC::DFG::JITCompiler::addInstanceOf):
2576         * dfg/DFGOperations.cpp:
2577         * dfg/DFGSpeculativeJIT.cpp:
2578         (JSC::DFG::SpeculativeJIT::usedRegisters):
2579         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
2580         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2581         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
2582         * dfg/DFGSpeculativeJIT.h:
2583         * dfg/DFGSpeculativeJIT64.cpp:
2584         (JSC::DFG::SpeculativeJIT::cachedGetById):
2585         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2586         * ftl/FTLLowerDFGToB3.cpp:
2587         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2588         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2589         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
2590         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2591         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2592         (JSC::FTL::DFG::LowerDFGToB3::getById):
2593         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
2594         * jit/ICStats.h:
2595         * jit/JIT.cpp:
2596         (JSC::JIT::privateCompileSlowCases):
2597         (JSC::JIT::link):
2598         * jit/JIT.h:
2599         * jit/JITInlineCacheGenerator.cpp:
2600         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2601         (JSC::JITInlineCacheGenerator::finalize):
2602         (JSC::JITByIdGenerator::JITByIdGenerator):
2603         (JSC::JITByIdGenerator::finalize):
2604         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2605         (JSC::JITInstanceOfGenerator::generateFastPath):
2606         (JSC::JITInstanceOfGenerator::finalize):
2607         * jit/JITInlineCacheGenerator.h:
2608         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
2609         (JSC::JITInlineCacheGenerator::slowPathBegin const):
2610         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2611         (JSC::finalizeInlineCaches):
2612         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
2613         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
2614         * jit/JITOpcodes.cpp:
2615         (JSC::JIT::emit_op_instanceof):
2616         (JSC::JIT::emitSlow_op_instanceof):
2617         * jit/JITOperations.cpp:
2618         * jit/JITOperations.h:
2619         * jit/JITPropertyAccess.cpp:
2620         (JSC::JIT::privateCompileGetByValWithCachedId):
2621         (JSC::JIT::privateCompilePutByValWithCachedId):
2622         * jit/RegisterSet.cpp:
2623         (JSC::RegisterSet::stubUnavailableRegisters):
2624         * jit/Repatch.cpp:
2625         (JSC::tryCacheIn):
2626         (JSC::tryCacheInstanceOf):
2627         (JSC::repatchInstanceOf):
2628         (JSC::resetPatchableJump):
2629         (JSC::resetIn):
2630         (JSC::resetInstanceOf):
2631         * jit/Repatch.h:
2632         * runtime/Options.h:
2633         * runtime/Structure.h:
2634
2635 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2636
2637         Unreviewed, fix exception checking
2638         https://bugs.webkit.org/show_bug.cgi?id=185350
2639
2640         * runtime/CommonSlowPaths.h:
2641         (JSC::CommonSlowPaths::putDirectWithReify):
2642         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2643
2644 2018-05-17  Michael Saboff  <msaboff@apple.com>
2645
2646         We don't throw SyntaxErrors for runtime generated regular expressions with errors
2647         https://bugs.webkit.org/show_bug.cgi?id=185755
2648
2649         Reviewed by Keith Miller.
2650
2651         Added a new helper that creates the correct exception to throw for each type of error when
2652         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
2653         where we create a new RegExp from an existing one.  Also refactored other places that we
2654         throw SyntaxErrors after a failed RegExp compile to use the new helper.
2655
2656         * runtime/RegExp.h:
2657         * runtime/RegExpConstructor.cpp:
2658         (JSC::regExpCreate):
2659         (JSC::constructRegExp):
2660         * runtime/RegExpPrototype.cpp:
2661         (JSC::regExpProtoFuncCompile):
2662         * yarr/YarrErrorCode.cpp:
2663         (JSC::Yarr::errorToThrow):
2664         * yarr/YarrErrorCode.h:
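        As an added example, not part of this ChangeLog or of WebKit's code, the runtime-constructed RegExp paths the entry above covers (RegExp(), new RegExp(existingRegExp, flags) and RegExp.prototype.compile), written in JavaScript so any engine can be checked for the SyntaxError behaviour this fix restores:

```javascript
// Added example, not WebKit/JSC code: probes the runtime-generated RegExp
// paths (RegExp(), new RegExp(existingRegExp, flags), RegExp.prototype.compile)
// and checks that each malformed case surfaces as a SyntaxError instead of
// silently yielding a broken RegExp.

// Each case constructs a RegExp at runtime. `expectError` records whether
// the ECMAScript spec requires a SyntaxError for that construction.
const CASES = [
  { name: "unterminated group",         build: () => new RegExp("("),         expectError: true },
  { name: "quantifier bounds reversed", build: () => new RegExp("a{2,1}"),    expectError: true },
  { name: "unknown flag",               build: () => new RegExp("a", "z"),    expectError: true },
  // /\-/ is valid without 'u', but building a new RegExp from it with the 'u'
  // flag turns '\-' into an invalid identity escape, so the pattern must be
  // re-validated against the new flags rather than trusted as already valid.
  { name: "existing regexp re-flagged", build: () => new RegExp(/\-/, "u"),   expectError: true },
  // RegExp.prototype.compile (Annex B) recompiles an existing RegExp in place.
  { name: "compile with bad pattern",   build: () => /a/.compile("("),        expectError: true },
  { name: "copy of a valid regexp",     build: () => new RegExp(/a+b/i, "g"), expectError: false },
];

// Runs one case and reports whether the engine behaved as the spec requires:
// a SyntaxError exactly when one is expected, and a RegExp otherwise.
function checkRegExpCase(c) {
  try {
    const re = c.build();
    return { name: c.name, threw: false, ok: !c.expectError && re instanceof RegExp };
  } catch (e) {
    const isSyntaxError = e instanceof SyntaxError;
    return { name: c.name, threw: true, isSyntaxError, ok: c.expectError && isSyntaxError };
  }
}

// Returns the per-case results; a conforming engine yields ok === true for all.
function checkAllRegExpCases() {
  return CASES.map(checkRegExpCase);
}

// Names of the cases where the engine diverged from the spec (empty when conforming).
function nonConformingCases() {
  return checkAllRegExpCases().filter((r) => !r.ok).map((r) => r.name);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkAllRegExpCases()) {
    console.log(`${r.ok ? "ok  " : "FAIL"} ${r.name}`);
  }
}
```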
2665
2666 2018-05-17  Saam Barati  <sbarati@apple.com>
2667
2668         Remove shrinkFootprint test from apitests since it's flaky
2669         https://bugs.webkit.org/show_bug.cgi?id=185754
2670
2671         Reviewed by Mark Lam.
2672
2673         This test is flaky as it keeps failing on certain people's machines.
2674         Having a test about OS footprint seems like it'll forever be doomed
2675         to being flaky.
2676
2677         * API/tests/testapi.mm:
2678         (testObjectiveCAPIMain):
2679
2680 2018-05-17  Saam Barati  <sbarati@apple.com>
2681
2682         defaultConstructorSourceCode needs to makeSource every time it's called
2683         https://bugs.webkit.org/show_bug.cgi?id=185753
2684
2685         Rubber-stamped by Mark Lam.
2686
2687         The bug here is that multiple VMs can be running concurrently with one another
2688         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
2689         if we copy a static SourceCode. Instead, we create a new one each time
2690         this function is called.
2691
2692         * builtins/BuiltinExecutables.cpp:
2693         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2694
2695 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2696
2697         [JSC] Use AssemblyHelpers' type checking functions as much as possible
2698         https://bugs.webkit.org/show_bug.cgi?id=185730
2699
2700         Reviewed by Saam Barati.
2701
2702         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
2703         bit and register operations for the type tagging of JSValue. It is really useful when we would like
2704         to tweak the type tagging representation, since the code is collected in AssemblyHelpers. And
2705         a named function is more readable than a sequence of branching operations.
2706
2707         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
2708         AssemblyHelpers' ones.
2709
2710         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
2711         functions even for the 32-bit environment. In the 32-bit environment, these functions take the tag
2712         register. This semantics is aligned with the existing branchIfCell / branchIfNotCell.
2713
2714         * bytecode/AccessCase.cpp:
2715         (JSC::AccessCase::generateWithGuard):
2716         * dfg/DFGSpeculativeJIT.cpp:
2717         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2718         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2719         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2720         (JSC::DFG::SpeculativeJIT::compileSpread):
2721         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2722         (JSC::DFG::SpeculativeJIT::speculateCellType):
2723         (JSC::DFG::SpeculativeJIT::speculateNumber):
2724         (JSC::DFG::SpeculativeJIT::speculateMisc):
2725         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
2726         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2727         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2728         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2729         * dfg/DFGSpeculativeJIT32_64.cpp:
2730         (JSC::DFG::SpeculativeJIT::emitCall):
2731         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2732         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2733         (JSC::DFG::SpeculativeJIT::compile):
2734         * dfg/DFGSpeculativeJIT64.cpp:
2735         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2736         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2737         (JSC::DFG::SpeculativeJIT::emitCall):
2738         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2739         (JSC::DFG::SpeculativeJIT::compile):
2740         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2741         * ftl/FTLLowerDFGToB3.cpp:
2742         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2743         * jit/AssemblyHelpers.h:
2744         (JSC::AssemblyHelpers::branchIfInt32):
2745         (JSC::AssemblyHelpers::branchIfNotInt32):
2746         (JSC::AssemblyHelpers::branchIfNumber):
2747         (JSC::AssemblyHelpers::branchIfNotNumber):
2748         (JSC::AssemblyHelpers::branchIfBoolean):
2749         (JSC::AssemblyHelpers::branchIfNotBoolean):
2750         (JSC::AssemblyHelpers::branchIfEmpty):
2751         (JSC::AssemblyHelpers::branchIfNotEmpty):
2752         (JSC::AssemblyHelpers::branchIfUndefined):
2753         (JSC::AssemblyHelpers::branchIfNotUndefined):
2754         (JSC::AssemblyHelpers::branchIfNull):
2755         (JSC::AssemblyHelpers::branchIfNotNull):
2756         * jit/JIT.h:
2757         * jit/JITArithmetic.cpp:
2758         (JSC::JIT::emit_compareAndJump):
2759         (JSC::JIT::emit_compareAndJumpSlow):
2760         * jit/JITArithmetic32_64.cpp:
2761         (JSC::JIT::emit_compareAndJump):
2762         (JSC::JIT::emit_op_unsigned):
2763         (JSC::JIT::emit_op_inc):
2764         (JSC::JIT::emit_op_dec):
2765         (JSC::JIT::emitBinaryDoubleOp):
2766         (JSC::JIT::emit_op_mod):
2767         * jit/JITCall.cpp:
2768         (JSC::JIT::compileCallEval):
2769         (JSC::JIT::compileOpCall):
2770         * jit/JITCall32_64.cpp:
2771         (JSC::JIT::compileCallEval):
2772         (JSC::JIT::compileOpCall):
2773         * jit/JITInlines.h:
2774         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
2775         (JSC::JIT::emitJumpIfBothJSCells):
2776         (JSC::JIT::emitJumpSlowCaseIfJSCell):
2777         (JSC::JIT::emitJumpIfNotInt):
2778         (JSC::JIT::emitJumpSlowCaseIfNotInt):
2779         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
2780         (JSC::JIT::emitJumpIfCellObject): Deleted.
2781         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
2782         (JSC::JIT::emitJumpIfJSCell): Deleted.
2783         (JSC::JIT::emitJumpIfInt): Deleted.
2784         * jit/JITOpcodes.cpp:
2785         (JSC::JIT::emit_op_instanceof):
2786         (JSC::JIT::emit_op_is_undefined):
2787         (JSC::JIT::emit_op_is_cell_with_type):
2788         (JSC::JIT::emit_op_is_object):
2789         (JSC::JIT::emit_op_to_primitive):
2790         (JSC::JIT::emit_op_jeq_null):
2791         (JSC::JIT::emit_op_jneq_null):
2792         (JSC::JIT::compileOpStrictEq):
2793         (JSC::JIT::compileOpStrictEqJump):
2794         (JSC::JIT::emit_op_to_number):
2795         (JSC::JIT::emit_op_to_string):
2796         (JSC::JIT::emit_op_to_object):
2797         (JSC::JIT::emit_op_eq_null):
2798         (JSC::JIT::emit_op_neq_null):
2799         (JSC::JIT::emit_op_to_this):
2800         (JSC::JIT::emit_op_create_this):
2801         (JSC::JIT::emit_op_check_tdz):
2802         (JSC::JIT::emitNewFuncExprCommon):
2803         (JSC::JIT::emit_op_profile_type):
2804         * jit/JITOpcodes32_64.cpp:
2805         (JSC::JIT::emit_op_instanceof):
2806         (JSC::JIT::emit_op_is_undefined):
2807         (JSC::JIT::emit_op_is_cell_with_type):
2808         (JSC::JIT::emit_op_is_object):
2809         (JSC::JIT::emit_op_to_primitive):
2810         (JSC::JIT::emit_op_not):
2811         (JSC::JIT::emit_op_jeq_null):
2812         (JSC::JIT::emit_op_jneq_null):
2813         (JSC::JIT::emit_op_jneq_ptr):
2814         (JSC::JIT::emit_op_eq):
2815         (JSC::JIT::emit_op_jeq):
2816         (JSC::JIT::emit_op_neq):
2817         (JSC::JIT::emit_op_jneq):
2818         (JSC::JIT::compileOpStrictEq):
2819         (JSC::JIT::compileOpStrictEqJump):
2820         (JSC::JIT::emit_op_eq_null):
2821         (JSC::JIT::emit_op_neq_null):
2822         (JSC::JIT::emit_op_to_number):
2823         (JSC::JIT::emit_op_to_string):
2824         (JSC::JIT::emit_op_to_object):
2825         (JSC::JIT::emit_op_create_this):
2826         (JSC::JIT::emit_op_to_this):
2827         (JSC::JIT::emit_op_check_tdz):
2828         (JSC::JIT::emit_op_profile_type):
2829         * jit/JITPropertyAccess.cpp:
2830         (JSC::JIT::emit_op_get_by_val):
2831         (JSC::JIT::emitGetByValWithCachedId):
2832         (JSC::JIT::emitGenericContiguousPutByVal):
2833         (JSC::JIT::emitPutByValWithCachedId):
2834         (JSC::JIT::emit_op_get_from_scope):
2835         (JSC::JIT::emit_op_put_to_scope):
2836         (JSC::JIT::emitWriteBarrier):
2837         (JSC::JIT::emitIntTypedArrayPutByVal):
2838         (JSC::JIT::emitFloatTypedArrayPutByVal):
2839         * jit/JITPropertyAccess32_64.cpp:
2840         (JSC::JIT::emit_op_get_by_val):
2841         (JSC::JIT::emitContiguousLoad):
2842         (JSC::JIT::emitArrayStorageLoad):
2843         (JSC::JIT::emitGetByValWithCachedId):
2844         (JSC::JIT::emitGenericContiguousPutByVal):
2845         (JSC::JIT::emitPutByValWithCachedId):
2846         (JSC::JIT::emit_op_get_from_scope):
2847         (JSC::JIT::emit_op_put_to_scope):
2848         * jit/JSInterfaceJIT.h:
2849         (JSC::JSInterfaceJIT::emitLoadJSCell):
2850         (JSC::JSInterfaceJIT::emitLoadInt32):
2851         (JSC::JSInterfaceJIT::emitLoadDouble):
2852         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
2853         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
2854         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
2855         * jit/Repatch.cpp:
2856         (JSC::linkPolymorphicCall):
2857         * jit/ThunkGenerators.cpp:
2858         (JSC::virtualThunkFor):
2859         (JSC::absThunkGenerator):
2860         * tools/JSDollarVM.cpp:
2861         (WTF::DOMJITNode::checkSubClassSnippet):
2862         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2863
2864 2018-05-17  Saam Barati  <sbarati@apple.com>
2865
2866         Unreviewed. Fix the build after my attempted build fix broke the build.
2867
2868         * builtins/BuiltinExecutables.cpp:
2869         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2870         (JSC::BuiltinExecutables::createDefaultConstructor):
2871         * builtins/BuiltinExecutables.h:
2872
2873 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2874
2875         [JSC] Remove reifyPropertyNameIfNeeded
2876         https://bugs.webkit.org/show_bug.cgi?id=185350
2877
2878         Reviewed by Saam Barati.
2879
2880         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
2881         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
2882         cost, we should remove this from the critical path.
2883
2884         This patch removes this function call from the critical path. And in our slow paths, we call
2885         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
2886         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
2887         and takes care of the edge cases. The other callsites of putDirect should know the type of the given
2888         object and the name of the property (and avoid these edge cases).
2889
2890         This improves SixSpeed/object-assign.es6 by ~4% on a MacBook Pro. And this patch does not cause
2891         regressions in the existing tests.
2892
2893                                            baseline                  patched
2894         Kraken:
2895             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
2896
2897         SixSpeed:
2898             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
2899
2900         * dfg/DFGOperations.cpp:
2901         (JSC::DFG::putByValInternal):
2902         (JSC::DFG::putByValCellInternal):
2903         * jit/JITOperations.cpp:
2904         * llint/LLIntSlowPaths.cpp:
2905         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2906         * runtime/ClassInfo.h:
2907         * runtime/CommonSlowPaths.h:
2908         (JSC::CommonSlowPaths::putDirectWithReify):
2909         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2910         * runtime/JSCell.cpp:
2911         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
2912         * runtime/JSCell.h:
2913         * runtime/JSFunction.cpp:
2914         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
2915         * runtime/JSFunction.h:
2916         * runtime/JSObject.cpp:
2917         (JSC::JSObject::putDirectAccessor):
2918         (JSC::JSObject::putDirectNonIndexAccessor):
2919         * runtime/JSObject.h:
2920         * runtime/JSObjectInlines.h:
2921         (JSC::JSObject::putDirectInternal):
2922
2923 2018-05-17  Saam Barati  <sbarati@apple.com>
2924
2925         Unreviewed. Try to fix windows build.
2926
2927         * builtins/BuiltinExecutables.cpp:
2928         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2929
2930 2018-05-16  Saam Barati  <sbarati@apple.com>
2931
2932         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
2933         https://bugs.webkit.org/show_bug.cgi?id=185637
2934
2935         Reviewed by Keith Miller.
2936
2937         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
2938         source code. However, we were only using this for default class constructors. There
2939         are only two types of default class constructors. This patch makes it so that
2940         we just store this information inside of a single bit, and ask for the source
2941         code as needed instead of holding it in a nullable field that is 24 bytes in size.
2942         
2943         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
2944         This has the consequence of making it allocated out of a 160 byte size class
2945         instead of a 224 byte size class. This should bring down its memory footprint
2946         by ~40%.
2947
2948         * builtins/BuiltinExecutables.cpp:
2949         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2950         (JSC::BuiltinExecutables::createDefaultConstructor):
2951         (JSC::BuiltinExecutables::createExecutable):
2952         * builtins/BuiltinExecutables.h:
2953         * bytecode/UnlinkedFunctionExecutable.cpp:
2954         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2955         (JSC::UnlinkedFunctionExecutable::link):
2956         * bytecode/UnlinkedFunctionExecutable.h:
2957         * runtime/CodeCache.cpp:
2958         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2959
2960 2018-05-16  Saam Barati  <sbarati@apple.com>
2961
2962         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
2963         https://bugs.webkit.org/show_bug.cgi?id=185707
2964
2965         Reviewed by Mark Lam.
2966
2967         * runtime/VM.cpp:
2968         (JSC::VM::shrinkFootprint):
2969
2970 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
2971
2972         [ESNext][BigInt] Implement support for "/" operation
2973         https://bugs.webkit.org/show_bug.cgi?id=183996
2974
2975         Reviewed by Yusuke Suzuki.
2976
2977         This patch introduces support for BigInt in the divide
2978         operation in the LLInt and JIT layers.
2979
2980         * dfg/DFGOperations.cpp:
2981         * runtime/CommonSlowPaths.cpp:
2982         (JSC::SLOW_PATH_DECL):
2983         * runtime/JSBigInt.cpp:
2984         (JSC::JSBigInt::divide):
2985         (JSC::JSBigInt::copy):
2986         (JSC::JSBigInt::unaryMinus):
2987         (JSC::JSBigInt::absoluteCompare):
2988         (JSC::JSBigInt::absoluteDivLarge):
2989         (JSC::JSBigInt::productGreaterThan):
2990         (JSC::JSBigInt::inplaceAdd):
2991         (JSC::JSBigInt::inplaceSub):
2992         (JSC::JSBigInt::inplaceRightShift):
2993         (JSC::JSBigInt::specialLeftShift):
2994         (JSC::JSBigInt::digit):
2995         (JSC::JSBigInt::setDigit):
2996         * runtime/JSBigInt.h:
2997
2998 2018-05-16  Saam Barati  <sbarati@apple.com>
2999
3000         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
3001         https://bugs.webkit.org/show_bug.cgi?id=185670
3002
3003         Reviewed by Yusuke Suzuki.
3004
3005         This patch makes it so that we constant fold CheckTypeInfoFlags for
3006         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
3007         fold in three ways:
3008         - When the incoming value is a constant, we just look at its inline type
3009         flags. Since those flags never change after an object is created, this
3010         is sound.
3011         - Based on the incoming value having a finite structure set. We just iterate
3012         all structures and ensure they have the bit set.
3013         - Based on speculated type. To do this, I split up SpecFunction into two
3014         subheaps where one is for functions that have the bit set, and one for
3015         functions that don't have the bit set. The latter is currently only comprised
3016         of JSBoundFunctions. To constant fold, we check that the incoming
3017         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
3018
3019         * bytecode/SpeculatedType.cpp:
3020         (JSC::speculationFromClassInfo):
3021         * bytecode/SpeculatedType.h:
3022         * dfg/DFGAbstractInterpreterInlines.h:
3023         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3024         * dfg/DFGConstantFoldingPhase.cpp:
3025         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3026         * dfg/DFGSpeculativeJIT.cpp:
3027         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
3028         * dfg/DFGStrengthReductionPhase.cpp:
3029         (JSC::DFG::StrengthReductionPhase::handleNode):
3030         * runtime/JSFunction.cpp:
3031         (JSC::JSFunction::JSFunction):
3032         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3033         * runtime/JSFunction.h:
3034         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3035         * runtime/JSFunctionInlines.h:
3036         (JSC::JSFunction::JSFunction):
3037
3038 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
3039
3040         Web Inspector: create a navigation item for toggling the overlay rulers/guides
3041         https://bugs.webkit.org/show_bug.cgi?id=185644
3042
3043         Reviewed by Matt Baker.
3044
3045         * inspector/protocol/OverlayTypes.json:
3046         * inspector/protocol/Page.json:
3047
3048 2018-05-16  Commit Queue  <commit-queue@webkit.org>
3049
3050         Unreviewed, rolling out r231845.
3051         https://bugs.webkit.org/show_bug.cgi?id=185702
3052
3053         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
3054         caiolima on #webkit).
3055
3056         Reverted changeset:
3057
3058         "[ESNext][BigInt] Implement support for "/" operation"
3059         https://bugs.webkit.org/show_bug.cgi?id=183996
3060         https://trac.webkit.org/changeset/231845
3061
3062 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
3063
3064         DFG models InstanceOf incorrectly
3065         https://bugs.webkit.org/show_bug.cgi?id=185694
3066
3067         Reviewed by Keith Miller.
3068         
3069         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
3070         hoist it.
3071
3072         * dfg/DFGAbstractInterpreterInlines.h:
3073         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3074         * dfg/DFGClobberize.h:
3075         (JSC::DFG::clobberize):
3076         * dfg/DFGHeapLocation.cpp:
3077         (WTF::printInternal):
3078         * dfg/DFGHeapLocation.h:
3079         * dfg/DFGNodeType.h:
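
Added example, not JavaScriptCore code and not part of the original ChangeLog: a runnable JavaScript check of the two instanceof facts relied on above, the "Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance" entry (a bound function does not implement the default [[HasInstance]]; it delegates to its target's .prototype) and this entry (a Proxy in the left operand's prototype chain makes instanceof run user code, and that code can throw). Function names and the trap messages are this example's own.

```javascript
// Added example (not JavaScriptCore code): observable `instanceof` behaviour
// that an optimizing JIT has to preserve.
//
// 1. Bound functions: `x instanceof bound` is answered by walking to
//    bound.[[BoundTargetFunction]] and using *its* .prototype, so the engine
//    cannot assume every function implements the default [[HasInstance]].
// 2. OrdinaryHasInstance calls [[GetPrototypeOf]] on each object in the
//    left operand's chain; a Proxy can observe that, return anything, or throw.
//    So `instanceof` has side effects and may raise an exception: it cannot be
//    dead-code-eliminated or hoisted past code that depends on that.
'use strict';

function Base() {}

// Case 1: a bound function has no own .prototype and delegates to its target.
function boundFunctionHasInstance() {
  const Bound = Base.bind(null);
  const obj = new Base();
  return {
    boundHasNoPrototype: !Object.prototype.hasOwnProperty.call(Bound, 'prototype'),
    instanceOfBound: obj instanceof Bound, // true: resolved via Base.prototype
    instanceOfBase: obj instanceof Base,   // true
  };
}

// Case 2: a Proxy in the prototype chain runs its getPrototypeOf trap
// during `instanceof`; the trap is user code with visible side effects.
function proxyObservesInstanceOf() {
  const trapLog = [];
  const proxyInChain = new Proxy({}, {
    getPrototypeOf(target) {
      trapLog.push('getPrototypeOf');
      return Object.getPrototypeOf(target); // Object.prototype; keeps Proxy invariants
    },
  });
  const obj = Object.create(proxyInChain);
  const result = obj instanceof Object;    // true, reached through the trap
  return { result, trapCalls: trapLog.length };
}

// Case 3: the same trap may throw, so the `instanceof` expression throws.
function proxyThrowsDuringInstanceOf() {
  const poison = new Proxy({}, {
    getPrototypeOf() { throw new RangeError('trap fired'); },
  });
  const obj = Object.create(poison);
  try {
    void (obj instanceof Object);
    return null;
  } catch (e) {
    return e instanceof RangeError ? e.message : null;
  }
}
```

Each function returns plain values so the behaviour can be asserted rather than printed; case 2 and case 3 together are the effects and exceptions the entry says the DFG must model.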
3080
3081 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
3082
3083         Add support for Intl NumberFormat formatToParts
3084         https://bugs.webkit.org/show_bug.cgi?id=185375
3085
3086         Reviewed by Yusuke Suzuki.
3087
3088         Add flag for NumberFormat formatToParts. Implement formatToParts using
3089         unum_formatDoubleForFields. Because the fields are nested and come back
3090         in no guaranteed order, the simple algorithm to convert them to the
3091         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
3092         it appears to perform well enough for the initial implementation. Another
3093         issue has been created to improve this algorithm.
3094
3095         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
3096         on macOS, since only v57 is available.
3097
3098         * Configurations/FeatureDefines.xcconfig:
3099         * runtime/IntlNumberFormat.cpp:
3100         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
3101         (JSC::IntlNumberFormat::partTypeString):
3102         (JSC::IntlNumberFormat::formatToParts):
3103         * runtime/IntlNumberFormat.h:
3104         * runtime/IntlNumberFormatPrototype.cpp:
3105         (JSC::IntlNumberFormatPrototype::create):
3106         (JSC::IntlNumberFormatPrototype::finishCreation):
3107         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3108         * runtime/IntlNumberFormatPrototype.h:
3109         * runtime/Options.h:
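
Added example, not JavaScriptCore's IntlNumberFormat code and not part of the original ChangeLog: the field-to-parts conversion this entry describes, written in JavaScript. The field spans below are constructed by hand to mimic what ICU's unum_formatDoubleForFields reports (nested [begin, end) spans in no guaranteed order); they are an assumption, not captured ICU output. The helper names partTypeAt, partsFromFields, sampleParts and matchesEngine are this example's own.

```javascript
// Added example (not JavaScriptCore code): turn nested, unordered field spans
// over a formatted number into the ordered, non-overlapping parts that
// formatToParts() returns. Uncovered characters become "literal" parts.
'use strict';

// Innermost (narrowest) field covering `index`, or 'literal' if none does.
function partTypeAt(fields, index) {
  let best = null;
  for (const f of fields) {
    if (index >= f.begin && index < f.end &&
        (best === null || f.end - f.begin < best.end - best.begin)) best = f;
  }
  return best === null ? 'literal' : best.type;
}

// Classify every character and merge runs of the same type into one part.
// This is the simple O(n * fields) algorithm: a run ends wherever the type
// changes, so "1" and "234" stay separate integer parts around the group
// separator, which is how the spec lists them.
function partsFromFields(formatted, fields) {
  const parts = [];
  for (let i = 0; i < formatted.length; ) {
    const type = partTypeAt(fields, i);
    let j = i + 1;
    while (j < formatted.length && partTypeAt(fields, j) === type) j++;
    parts.push({ type, value: formatted.slice(i, j) });
    i = j;
  }
  return parts;
}

// Constructed sample (an assumption about ICU's reporting, not captured ICU
// output): nested spans for en-US "1,234.50", deliberately out of order.
const SAMPLE_FORMATTED = '1,234.50';
const SAMPLE_FIELDS = [
  { type: 'fraction', begin: 6, end: 8 },
  { type: 'group',    begin: 1, end: 2 },
  { type: 'integer',  begin: 0, end: 5 }, // spans the group separator too
  { type: 'decimal',  begin: 5, end: 6 },
];

function sampleParts() {
  return partsFromFields(SAMPLE_FORMATTED, SAMPLE_FIELDS);
}

// Cross-check against the host engine's own formatToParts for the same number.
function matchesEngine() {
  const nf = new Intl.NumberFormat('en-US', { minimumFractionDigits: 2 });
  return JSON.stringify(nf.formatToParts(1234.5)) === JSON.stringify(sampleParts());
}
```

The narrowest-span rule is what makes nesting work: the "group" span sits inside the "integer" span, so the comma is typed as group and the digits on either side keep the integer type. Two adjacent spans of the same type would be merged into one part by this routine; the sample has none, so that case is left to the reader.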
3110
3111 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
3112
3113         [ESNext][BigInt] Implement support for "/" operation
3114         https://bugs.webkit.org/show_bug.cgi?id=183996
3115
3116         Reviewed by Yusuke Suzuki.
3117
3118         This patch introduces support for BigInt in the divide
3119         operation in the LLInt and JIT layers.
3120
3121         * dfg/DFGOperations.cpp:
3122         * runtime/CommonSlowPaths.cpp:
3123         (JSC::SLOW_PATH_DECL):
3124         * runtime/JSBigInt.cpp:
3125         (JSC::JSBigInt::divide):
3126         (JSC::JSBigInt::copy):
3127         (JSC::JSBigInt::unaryMinus):
3128         (JSC::JSBigInt::absoluteCompare):
3129         (JSC::JSBigInt::absoluteDivLarge):
3130         (JSC::JSBigInt::productGreaterThan):
3131         (JSC::JSBigInt::inplaceAdd):
3132         (JSC::JSBigInt::inplaceSub):
3133         (JSC::JSBigInt::inplaceRightShift):
3134         (JSC::JSBigInt::specialLeftShift):
3135         (JSC::JSBigInt::digit):
3136         (JSC::JSBigInt::setDigit):
3137         * runtime/JSBigInt.h:
3138
3139 2018-05-16  Alberto Garcia  <berto@igalia.com>
3140
3141         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3142         https://bugs.webkit.org/show_bug.cgi?id=182622
3143
3144         Reviewed by Michael Catanzaro.
3145
3146         We were linking JavaScriptCore against libatomic in MIPS because
3147         in that architecture __atomic_fetch_add_8() is not a compiler
3148         intrinsic and is provided by that library instead. However other
3149         architectures (e.g. armel) are in the same situation, so we need a
3150         generic test.
3151
3152         That test already exists in WebKit/CMakeLists.txt, so we just have
3153         to move it to a common file (WebKitCompilerFlags.cmake) and use
3154         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3155
3156         * CMakeLists.txt:
3157
3158 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3159
3160         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
3161         https://bugs.webkit.org/show_bug.cgi?id=185601
3162
3163         Reviewed by Saam Barati.
3164
3165         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
3166         before calling getCallData when we would like to check whether a given object is callable,
3167         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
3168         is fine. But if we would like to check whether the object is callable, we can encounter non-callable
3169         objects frequently. In that case, we should not call getCallData if we can avoid it.
3170
3171         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
3172         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
3173         OverridesGetCallData checking before calling getCallData.
3174
3175         We found that this virtual call exists in JSON.stringify's critical path. Checking
3176         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
3177
3178                                                baseline                  patched
3179
3180             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
3181
3182         In addition to that, we also add the OverridesGetCallData flag to JSFunction while we keep the JSFunctionType checking fast path
3183         since major cases are covered by this fast JSFunctionType checking.
3184
3185         * API/JSCallbackObject.h:
3186         * dfg/DFGAbstractInterpreterInlines.h:
3187         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3188         * dfg/DFGOperations.cpp:
3189         * dfg/DFGSpeculativeJIT.cpp:
3190         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
3191         (JSC::DFG::SpeculativeJIT::compileIsFunction):
3192         * ftl/FTLLowerDFGToB3.cpp:
3193         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
3194         * jit/AssemblyHelpers.h:
3195         (JSC::AssemblyHelpers::emitTypeOf):
3196         * runtime/ExceptionHelpers.cpp:
3197         (JSC::createError):
3198         (JSC::createInvalidFunctionApplyParameterError):
3199         * runtime/FunctionPrototype.cpp:
3200         (JSC::functionProtoFuncToString):
3201         * runtime/InternalFunction.h:
3202         * runtime/JSCJSValue.h:
3203         * runtime/JSCJSValueInlines.h:
3204         (JSC::JSValue::isFunction const):
3205         (JSC::JSValue::isCallable const):
3206         * runtime/JSCell.h:
3207         * runtime/JSCellInlines.h:
3208         (JSC::JSCell::isFunction):
3209         ALWAYS_INLINE works well for my environment.
3210         (JSC::JSCell::isCallable):
3211         * runtime/JSFunction.h:
3212         * runtime/JSONObject.cpp:
3213         (JSC::Stringifier::toJSON):
3214         (JSC::Stringifier::toJSONImpl):
3215         (JSC::Stringifier::appendStringifiedValue):
3216         * runtime/JSObjectInlines.h:
3217         (JSC::createListFromArrayLike):
3218         * runtime/JSTypeInfo.h:
3219         (JSC::TypeInfo::overridesGetCallData const):
3220         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
3221         * runtime/Operations.cpp:
3222         (JSC::jsTypeStringForValue):
3223         (JSC::jsIsObjectTypeOrNull):
3224         * runtime/ProxyObject.h:
3225         * runtime/RuntimeType.cpp:
3226         (JSC::runtimeTypeForValue):
3227         * runtime/RuntimeType.h:
3228         * runtime/Structure.cpp:
3229         (JSC::Structure::Structure):
3230         * runtime/TypeProfilerLog.cpp:
3231         (JSC::TypeProfilerLog::TypeProfilerLog):
3232         (JSC::TypeProfilerLog::processLogEntries):
3233         * runtime/TypeProfilerLog.h:
3234         * runtime/VM.cpp:
3235         (JSC::VM::enableTypeProfiler):
3236         * tools/JSDollarVM.cpp:
3237         (JSC::functionFindTypeForExpression):
3238         (JSC::functionReturnTypeFor):
3239         (JSC::functionHasBasicBlockExecuted):
3240         (JSC::functionBasicBlockExecutionCount):
3241         * wasm/js/JSWebAssemblyHelpers.h:
3242         (JSC::getWasmBufferFromValue):
3243         * wasm/js/JSWebAssemblyInstance.cpp:
3244         (JSC::JSWebAssemblyInstance::create):
3245         * wasm/js/WebAssemblyFunction.cpp:
3246         (JSC::callWebAssemblyFunction):
3247         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3248         (JSC::constructJSWebAssemblyInstance):
3249         * wasm/js/WebAssemblyModuleRecord.cpp:
3250         (JSC::WebAssemblyModuleRecord::link):
3251         * wasm/js/WebAssemblyPrototype.cpp:
3252         (JSC::webAssemblyInstantiateFunc):
3253         (JSC::webAssemblyInstantiateStreamingInternal):
3254         * wasm/js/WebAssemblyWrapperFunction.cpp:
3255         (JSC::WebAssemblyWrapperFunction::finishCreation):
3256
3257 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
3258
3259         Web Inspector: Add rulers and guides
3260         https://bugs.webkit.org/show_bug.cgi?id=32263
3261         <rdar://problem/19281564>
3262
3263         Reviewed by Matt Baker.
3264
3265         * inspector/protocol/OverlayTypes.json:
3266
3267 2018-05-14  Keith Miller  <keith_miller@apple.com>
3268
3269         Remove butterflyMask from DFGAbstractHeap
3270         https://bugs.webkit.org/show_bug.cgi?id=185640
3271
3272         Reviewed by Saam Barati.
3273
3274         We don't have a butterfly indexing mask anymore so we don't need
3275         the abstract heap information for it anymore.
3276
3277         * dfg/DFGAbstractHeap.h:
3278         * dfg/DFGClobberize.h:
3279         (JSC::DFG::clobberize):
3280
3281 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
3282
3283         [INTL] Handle error in defineProperty for supported locales length
3284         https://bugs.webkit.org/show_bug.cgi?id=185623
3285
3286         Reviewed by Saam Barati.
3287
3288         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
3289         length of the supported locales array.
3290
3291         * runtime/IntlObject.cpp:
3292         (JSC::supportedLocales):
3293
3294 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3295
3296         [JSC] Tweak LiteralParser to improve lexing performance
3297         https://bugs.webkit.org/show_bug.cgi?id=185541
3298
3299         Reviewed by Saam Barati.
3300
3301         This patch attempts to improve LiteralParser performance.
3302
3303         This patch improves Kraken/json-parse-financial by roughly ~10%.
3304                                            baseline                  patched
3305
3306             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
3307
3308         * parser/Lexer.cpp:
3309         (JSC::Lexer<T>::Lexer):
3310         * runtime/ArgList.h:
3311         (JSC::MarkedArgumentBuffer::takeLast):
3312         Add takeLast() for idiomatic last() + removeLast() calls.
3313
3314         * runtime/LiteralParser.cpp:
3315         (JSC::LiteralParser<CharType>::Lexer::lex):
3316         Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
3317         We should not include this mode in its template parameter, to reduce the code size.
3318         And we do not use a template parameter for the terminator since duplicating the ' and " code for lexString is not good.
3319         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
3320
3321         (JSC::LiteralParser<CharType>::Lexer::next):
3322         (JSC::isSafeStringCharacter):
3323         Take mode in its template parameter. But do not take terminator character in its template parameter.
3324
3325         (JSC::LiteralParser<CharType>::Lexer::lexString):
3326         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3327         Duplicate while statements manually since this is a critical path.
3328
3329         (JSC::LiteralParser<CharType>::parse):
3330         Use takeLast().
3331
3332         * runtime/LiteralParser.h:
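
Added example, not JavaScriptCore's LiteralParser and not part of the original ChangeLog: a small JSON lexer in JavaScript showing the table-driven dispatch this entry describes, with a fast lexString that scans plain characters and a lexStringSlow that is entered only once an escape is seen. The token names, the 128-entry class table layout and the helper names (lex, tokenize, lexString, lexStringSlow) are this example's own choices, not JSC's.

```javascript
// Added example (not JavaScriptCore code): a JSON lexer that classifies the
// first character of each token through a table built once up front, so the
// hot loop branches on a handful of character classes instead of switching
// on every possible character.
'use strict';

const TokenType = Object.freeze({
  LBrace: 'LBrace', RBrace: 'RBrace', LBracket: 'LBracket', RBracket: 'RBracket',
  Colon: 'Colon', Comma: 'Comma', String: 'String', Number: 'Number',
  True: 'True', False: 'False', Null: 'Null', End: 'End', Error: 'Error',
});

// Character classes for the ASCII range. Anything >= 128, or not listed, is an
// error at token start: JSON only permits non-ASCII inside string literals.
const CharClass = { Skip: 0, Punct: 1, Quote: 2, NumberStart: 3, Ident: 4, Bad: 5 };
const classTable = new Uint8Array(128).fill(CharClass.Bad);
for (const c of ' \t\n\r') classTable[c.charCodeAt(0)] = CharClass.Skip;
for (const c of '{}[]:,') classTable[c.charCodeAt(0)] = CharClass.Punct;
for (const c of '-0123456789') classTable[c.charCodeAt(0)] = CharClass.NumberStart;
for (const c of 'tfn') classTable[c.charCodeAt(0)] = CharClass.Ident;
classTable[0x22] = CharClass.Quote; // '"'

const punctToken = { '{': TokenType.LBrace, '}': TokenType.RBrace, '[': TokenType.LBracket,
  ']': TokenType.RBracket, ':': TokenType.Colon, ',': TokenType.Comma };
const identToken = { true: TokenType.True, false: TokenType.False, null: TokenType.Null };
const NUMBER_RE = /-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/y; // sticky: match at lastIndex only
const IDENT_RE = /true|false|null/y;
const SIMPLE_ESCAPES = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };

function error(msg, end) { return { type: TokenType.Error, value: msg, end }; }

// Fast path: scan plain characters; hand off to the slow path at the first backslash.
function lexString(src, start) {
  for (let i = start + 1; i < src.length; i++) {
    const ch = src.charCodeAt(i);
    if (ch === 0x22) return { type: TokenType.String, value: src.slice(start + 1, i), end: i + 1 };
    if (ch === 0x5c) return lexStringSlow(src, start, i);
    if (ch < 0x20) return error('raw control character in string', i);
  }
  return error('unterminated string', src.length);
}

// Slow path: same loop, but decodes escapes into an accumulator.
function lexStringSlow(src, start, i) {
  let out = src.slice(start + 1, i);
  while (i < src.length) {
    const c = src[i];
    if (c === '"') return { type: TokenType.String, value: out, end: i + 1 };
    if (c === '\\') {
      const e = src[i + 1];
      const hex = src.slice(i + 2, i + 6);
      if (e === 'u' && /^[0-9a-fA-F]{4}$/.test(hex)) { out += String.fromCharCode(parseInt(hex, 16)); i += 6; continue; }
      if (Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, e)) { out += SIMPLE_ESCAPES[e]; i += 2; continue; }
      return error('bad escape', i);
    }
    if (c.charCodeAt(0) < 0x20) return error('raw control character in string', i);
    out += c; i++;
  }
  return error('unterminated string', src.length);
}

// One token starting at or after pos; whitespace is skipped via the Skip class.
function lex(src, pos) {
  while (pos < src.length) {
    const ch = src.charCodeAt(pos);
    const cls = ch < 128 ? classTable[ch] : CharClass.Bad;
    if (cls === CharClass.Skip) { pos++; continue; }
    if (cls === CharClass.Punct) return { type: punctToken[src[pos]], value: src[pos], end: pos + 1 };
    if (cls === CharClass.Quote) return lexString(src, pos);
    if (cls === CharClass.NumberStart) {
      NUMBER_RE.lastIndex = pos;
      const m = NUMBER_RE.exec(src);
      return m ? { type: TokenType.Number, value: Number(m[0]), end: pos + m[0].length } : error('bad number', pos);
    }
    if (cls === CharClass.Ident) {
      IDENT_RE.lastIndex = pos;
      const m = IDENT_RE.exec(src);
      return m ? { type: identToken[m[0]], value: m[0], end: pos + m[0].length } : error('bad literal', pos);
    }
    return error('unexpected character ' + JSON.stringify(src[pos]), pos);
  }
  return { type: TokenType.End, value: null, end: pos };
}

// Drive the lexer to the end (or the first error) and return the token list.
function tokenize(src) {
  const tokens = [];
  for (let pos = 0; ; ) {
    const t = lex(src, pos);
    tokens.push(t);
    if (t.type === TokenType.End || t.type === TokenType.Error) return tokens;
    pos = t.end;
  }
}
```

The lexer stops at the first error token rather than resynchronising, which is the right behaviour for an untrusted-input parser: a malformed byte should reject the whole document, not be skipped over.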
3333
3334 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
3335
3336         [MIPS] Use btpz to compare against 0 instead of bpeq
3337         https://bugs.webkit.org/show_bug.cgi?id=185607
3338
3339         Reviewed by Yusuke Suzuki.
3340
3341         Fixes build on MIPS since MIPS doesn't have an instruction to
3342         compare a register against an immediate. Since the immediate is just 0
3343         in this case the simplest solution is just to use btpz instead of bpeq
3344         to compare to 0.
3345
3346         * llint/LowLevelInterpreter.asm:
3347
3348 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
3349
3350         CachedCall::call() should be faster
3351         https://bugs.webkit.org/show_bug.cgi?id=185583
3352
3353         Reviewed by Yusuke Suzuki.
3354         
3355         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
3356         Unfortunately, because of a combination of abstraction and assertions, this code path had a
3357         lot of overhead. This patch reduces this overhead by:
3358         
3359         - Turning off some assertions. These assertions don't look to have security value; they're
3360           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
3361           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
3362           call, considering that the caller would have already been strongly assuming that the JSLock
3363           is held.
3364         
3365         - Making more things inlineable.
3366         
3367         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
3368
3369         * JavaScriptCore.xcodeproj/project.pbxproj:
3370         * interpreter/CachedCall.h:
3371         (JSC::CachedCall::call):
3372         * interpreter/Interpreter.cpp:
3373         (JSC::checkedReturn): Deleted.
3374         * interpreter/Interpreter.h:
3375         (JSC::Interpreter::checkedReturn):
3376         * interpreter/InterpreterInlines.h:
3377         (JSC::Interpreter::execute):
3378         * jit/JITCode.cpp:
3379         (JSC::JITCode::execute): Deleted.
3380         * jit/JITCodeInlines.h: Added.
3381         (JSC::JITCode::execute):
3382         * llint/LowLevelInterpreter.asm:
3383         * runtime/StringPrototype.cpp: