[ESNext][BigInt] Implement support for "%" operation
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
2
3         [ESNext][BigInt] Implement support for "%" operation
4         https://bugs.webkit.org/show_bug.cgi?id=184327
5
6         Reviewed by Yusuke Suzuki.
7
8         We are introducing support for BigInt in the remainder (a.k.a. mod)
9         operation.
10
11         * runtime/CommonSlowPaths.cpp:
12         (JSC::SLOW_PATH_DECL):
13         * runtime/JSBigInt.cpp:
14         (JSC::JSBigInt::remainder):
15         (JSC::JSBigInt::rightTrim):
16         * runtime/JSBigInt.h:
17
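Added example, not part of this ChangeLog entry or of JSC's sources: the remainder semantics that "%" has to implement for BigInt, modelled in JavaScript from the BigInt proposal's BigInt::remainder and cross-checked against the engine's own operator. The function names are this example's own.

```javascript
// Added example, not JSC code: a model of BigInt::remainder from the BigInt
// proposal, checked against the engine's own "%" operator.

function bigIntRemainder(n, d) {
  if (typeof n !== 'bigint' || typeof d !== 'bigint') {
    // "%" never coerces between BigInt and Number: a mixed pair is a TypeError.
    throw new TypeError('Cannot mix BigInt and other types, use explicit conversions');
  }
  if (d === 0n) throw new RangeError('Division by zero');
  if (n === 0n) return 0n;
  // BigInt "/" truncates toward zero, so n - d * trunc(n / d) carries the sign
  // of the dividend n and satisfies |r| < |d|: that is the remainder, not a
  // floored modulo (which would carry the sign of the divisor).
  return n - d * (n / d);
}

// Floored modulo, for contrast: same magnitude class, but the sign follows d.
function bigIntFlooredMod(n, d) {
  const r = bigIntRemainder(n, d);
  return r !== 0n && (r < 0n) !== (d < 0n) ? r + d : r;
}

// Every sign combination, plus operands wider than a double or a 64-bit digit.
function remainderCases() {
  const samples = [
    [7n, 3n], [-7n, 3n], [7n, -3n], [-7n, -3n],
    [0n, 5n], [3n, 7n], [-3n, 7n], [6n, 3n],
    [2n ** 130n + 1n, 2n ** 64n],
    [-(2n ** 130n) - 1n, 2n ** 64n],
    [2n ** 64n, 2n ** 64n - 1n],
  ];
  return samples.map(([n, d]) => ({ n, d, model: bigIntRemainder(n, d), native: n % d }));
}

function modelAgreesWithEngine() {
  return remainderCases().every(({ model, native }) => model === native);
}

// Name of the exception a thunk raises ('none' if it returns normally).
function errorName(fn) {
  try { fn(); return 'none'; } catch (e) { return e.constructor.name; }
}
```

Runs under any engine with BigInt support; remainderCases() returns the comparison table instead of printing it so a harness can diff the model and native columns, and errorName() shows that a zero divisor is a RangeError while a BigInt/Number mix is a TypeError in both the model and the engine.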
18 2018-05-30  Saam Barati  <sbarati@apple.com>
19
20         AI for Atomics.load() is too conservative in always clobbering world
21         https://bugs.webkit.org/show_bug.cgi?id=185738
22         <rdar://problem/40342214>
23
24         Reviewed by Yusuke Suzuki.
25
26         It fails the assertion that Fil added for catching disagreements between
27         AI and clobberize. This patch fixes that. You'd run into this if you
28         manually enabled SAB in a build and ran any SAB tests.
29
30         * dfg/DFGAbstractInterpreterInlines.h:
31         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
32
33 2018-05-30  Michael Saboff  <msaboff@apple.com>
34
35         REGRESSION(r232212): Broke Win32 Builds
36         https://bugs.webkit.org/show_bug.cgi?id=186061
37
38         Reviewed by Yusuke Suzuki.
39
40         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
41         instead of LowLevelInterpreterWin.asm.
42
43         * CMakeLists.txt:
44
45 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
46
47         [MIPS] Fix build on MIPS32r1
48         https://bugs.webkit.org/show_bug.cgi?id=185944
49
50         Reviewed by Yusuke Suzuki.
51
52         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
53         on MIPS32r1.
54
55         * offlineasm/mips.rb:
56
57 2018-05-29  Saam Barati  <sbarati@apple.com>
58
59         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
60         https://bugs.webkit.org/show_bug.cgi?id=186064
61
62         Reviewed by Mark Lam.
63
64         shrinkFootprint was implemented as:
65         ```
66         sanitizeStackForVM(this);
67         deleteAllCode(DeleteAllCodeIfNotCollecting);
68         heap.collectNow(Synchronousness::Sync);
69         WTF::releaseFastMallocFreeMemory();
70         ```
71         
72         However, for correctness reasons, deleteAllCode is implemented to do
73         work when the VM is idle: no JS is running on the stack. This means
74         that if shrinkFootprint is called when JS is running on the stack, it
75         ends up freeing less memory than it could have if it waited to run until
76         the VM goes idle.
77         
78         This patch makes it so we wait until idle before doing work. I'm seeing a
79         10% footprint progression when testing this against a client of the JSC SPI.
80         
81         Because this is a semantic change in how the SPI works, this patch
82         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
83         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
84         Once that happens, we will delete shrinkFootprint. Until then,
85         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
86
87         * API/JSVirtualMachine.mm:
88         (-[JSVirtualMachine shrinkFootprint]):
89         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
90         * API/JSVirtualMachinePrivate.h:
91         * runtime/VM.cpp:
92         (JSC::VM::shrinkFootprintWhenIdle):
93         (JSC::VM::shrinkFootprint): Deleted.
94         * runtime/VM.h:
95
96 2018-05-29  Saam Barati  <sbarati@apple.com>
97
98         shrinkFootprint needs to request a full collection
99         https://bugs.webkit.org/show_bug.cgi?id=186069
100
101         Reviewed by Mark Lam.
102
103         * runtime/VM.cpp:
104         (JSC::VM::shrinkFootprint):
105
106 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
107
108         [ESNext][BigInt] Implement support for "<" and ">" relational operation
109         https://bugs.webkit.org/show_bug.cgi?id=185379
110
111         Reviewed by Yusuke Suzuki.
112
113         This patch is changing the ```jsLess``` operation to follow the
114         semantics of Abstract Relational Comparison[1] that supports BigInt.
115         For that, we create 2 new helper functions ```bigIntCompareLess``` and
116         ```toPrimitiveNumeric``` that consider BigInt as a valid type to be
117         compared.
118
119         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
120
121         * runtime/JSBigInt.cpp:
122         (JSC::JSBigInt::unequalSign):
123         (JSC::JSBigInt::absoluteGreater):
124         (JSC::JSBigInt::absoluteLess):
125         (JSC::JSBigInt::compare):
126         (JSC::JSBigInt::absoluteCompare):
127         * runtime/JSBigInt.h:
128         * runtime/JSCJSValueInlines.h:
129         (JSC::JSValue::isPrimitive const):
130         * runtime/Operations.h:
131         (JSC::bigIntCompareLess):
132         (JSC::toPrimitiveNumeric):
133         (JSC::jsLess):
134
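Added example, not part of this ChangeLog entry or of JSC's sources: the Abstract Relational Comparison algorithm referenced above, written out in JavaScript so that each step (ToPrimitive, the BigInt/String case via StringToBigInt, and the exact BigInt/Number comparison) can be checked against the engine's own "<" and ">". All function names are this example's own; stringToBigInt relies on the BigInt constructor applying the same string grammar as the abstract operation.

```javascript
// Added example, not JSC code: the Abstract Relational Comparison algorithm
// from the BigInt proposal, modelled in JavaScript and checked against the
// engine's own "<" and ">".
// https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison

const isObject = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// ToPrimitive(v, hint Number): @@toPrimitive if present, else valueOf then toString.
function toPrimitiveNumber(v) {
  if (!isObject(v)) return v;
  const exotic = v[Symbol.toPrimitive];
  if (typeof exotic === 'function') {
    const r = exotic.call(v, 'number');
    if (isObject(r)) throw new TypeError('Symbol.toPrimitive returned an object');
    return r;
  }
  for (const name of ['valueOf', 'toString']) {
    const m = v[name];
    if (typeof m === 'function') {
      const r = m.call(v);
      if (!isObject(r)) return r;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// StringToBigInt: the BigInt constructor uses the same grammar and throws a
// SyntaxError exactly where the abstract operation returns undefined.
function stringToBigInt(s) {
  try { return BigInt(s); } catch (e) { return undefined; }
}

// ToNumeric on a primitive: BigInt passes through, everything else becomes Number.
const toNumeric = (p) => (typeof p === 'bigint' ? p : Number(p));

// Exact comparison of a BigInt with a finite Number, without rounding the
// BigInt to a double: b < f iff b < ceil(f), and f < b iff floor(f) < b.
const bigIntLessThanNumber = (b, f) => b < BigInt(Math.ceil(f));
const numberLessThanBigInt = (f, b) => BigInt(Math.floor(f)) < b;

// Returns true, false, or undefined (the NaN-like result both operators turn into false).
function abstractRelationalComparison(x, y) {
  const px = toPrimitiveNumber(x);
  const py = toPrimitiveNumber(y);
  if (typeof px === 'string' && typeof py === 'string') return px < py; // code-unit order
  if (typeof px === 'bigint' && typeof py === 'string') {
    const ny = stringToBigInt(py);
    return ny === undefined ? undefined : px < ny;
  }
  if (typeof px === 'string' && typeof py === 'bigint') {
    const nx = stringToBigInt(px);
    return nx === undefined ? undefined : nx < py;
  }
  const nx = toNumeric(px);
  const ny = toNumeric(py);
  if (typeof nx === typeof ny) {
    if (typeof nx === 'number' && (Number.isNaN(nx) || Number.isNaN(ny))) return undefined;
    return nx < ny; // same-type comparison: Number::lessThan or BigInt::lessThan
  }
  // Mixed BigInt / Number from here on.
  if (Number.isNaN(nx) || Number.isNaN(ny)) return undefined;
  if (nx === -Infinity || ny === Infinity) return true;
  if (nx === Infinity || ny === -Infinity) return false;
  return typeof nx === 'bigint' ? bigIntLessThanNumber(nx, ny) : numberLessThanBigInt(nx, ny);
}

// The operators: "x < y" is ARC(x, y); "x > y" is ARC(y, x); undefined becomes false.
const lessThan = (x, y) => abstractRelationalComparison(x, y) === true;
const greaterThan = (x, y) => abstractRelationalComparison(y, x) === true;

// Cross-check the model against the engine on the interesting pairs.
function agreesWithEngine() {
  const pairs = [
    [1n, 2], [2n, 1.5], [1n, 1.5], [1n, '2'], [1n, '1.5'], ['0x10', 15n],
    [1n, NaN], [-Infinity, 0n], [0n, Infinity],
    [2n ** 53n + 1n, 2 ** 53],            // distinguishable only by exact comparison
    [2n ** 64n, 2 ** 64], [-(2n ** 64n), -(2 ** 64)],
    [{ valueOf: () => 3n }, 2], ['', 0n], ['abc', 1n],
  ];
  return pairs.every(([x, y]) => lessThan(x, y) === (x < y) && greaterThan(x, y) === (x > y));
}
```

The pair 2n ** 53n + 1n versus 2 ** 53 is the one to watch: converting the BigInt to a double first would make the two compare equal, whereas both the model and the engine report the BigInt as strictly greater. An unparsable string against a BigInt ('1.5', 'abc') yields undefined, so "<" and ">" are both false for it.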
135 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
136
137         [Baseline] Merge loading functionalities
138         https://bugs.webkit.org/show_bug.cgi?id=185907
139
140         Reviewed by Saam Barati.
141
142         This patch unifies emitXXXLoad functions in 32bit and 64bit.
143
144         * jit/JITInlines.h:
145         (JSC::JIT::emitDoubleGetByVal):
146         * jit/JITPropertyAccess.cpp:
147         (JSC::JIT::emitDoubleLoad):
148         (JSC::JIT::emitContiguousLoad):
149         (JSC::JIT::emitArrayStorageLoad):
150         (JSC::JIT::emitIntTypedArrayGetByVal):
151         (JSC::JIT::emitFloatTypedArrayGetByVal):
152         Define register usage first, and share the same code in 32bit and 64bit.
153
154         * jit/JITPropertyAccess32_64.cpp:
155         (JSC::JIT::emitSlow_op_put_by_val):
156         Now C-stack is always enabled on JIT platforms and temporary registers increase from 5 to 6 on x86.
157         We can remove this special handling.
158
159         (JSC::JIT::emitContiguousLoad): Deleted.
160         (JSC::JIT::emitDoubleLoad): Deleted.
161         (JSC::JIT::emitArrayStorageLoad): Deleted.
162
163 2018-05-29  Saam Barati  <sbarati@apple.com>
164
165         JSC should put bmalloc's scavenger into mini mode
166         https://bugs.webkit.org/show_bug.cgi?id=185988
167
168         Reviewed by Michael Saboff.
169
170         When we InitializeThreading, we'll now enable bmalloc's mini mode
171         if the VM is in mini mode. This is an 8-10% progression on the footprint
172         at end score in run-testmem, making it a 4-5% memory score progression.
173         It's between a 0-1% regression in its time score.
174
175         * runtime/InitializeThreading.cpp:
176         (JSC::initializeThreading):
177
178 2018-05-29  Caitlin Potter  <caitp@igalia.com>
179
180         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
181         https://bugs.webkit.org/show_bug.cgi?id=184267
182
183         Reviewed by Saam Barati.
184
185         Before this patch, the fast case for Array.prototype.concat was taken if
186         there was a single argument passed to the function, which is either a
187         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
188         This incorrectly prevented Proxy objects from being spread when
189         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
190
191         * builtins/ArrayPrototype.js:
192         (concat):
193
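Added example, not part of this ChangeLog entry or of JSC's sources: the behaviour Array.prototype.concat must have when its only argument is a Proxy, following ECMA-262's IsConcatSpreadable (IsArray looks through a Proxy to its target), with a spec-shaped concat that has no fast path used as the reference against the engine's own. Function names are this example's own.

```javascript
// Added example, not JSC code: Array.prototype.concat with a single Proxy
// argument, per ECMA-262 IsConcatSpreadable, checked against the native concat.

function isConcatSpreadable(o) {
  if (o === null || (typeof o !== 'object' && typeof o !== 'function')) return false;
  const spreadable = o[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(o); // IsArray looks through a Proxy to its target
}

// A spec-shaped concat with no fast path at all, used as the reference.
function specConcat(receiver, ...items) {
  const out = [];
  for (const item of [receiver, ...items]) {
    if (!isConcatSpreadable(item)) { out.push(item); continue; }
    const len = item.length;
    for (let k = 0; k < len; k++) {
      if (k in item) out.push(item[k]);
      else out.length += 1; // preserve holes, as the spec does
    }
  }
  return out;
}

const sameElements = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);

// Three single-argument cases: a Proxy around an array (must be spread),
// a Proxy around a plain object marked spreadable, and an unmarked one.
function proxyCases() {
  const trapsHit = [];
  const arrayProxy = new Proxy([2, 3], {
    get(target, key, receiver) {
      trapsHit.push(String(key));
      return Reflect.get(target, key, receiver);
    },
  });
  const markedProxy = new Proxy({ length: 1, 0: 'x', [Symbol.isConcatSpreadable]: true }, {});
  const plainProxy = new Proxy({ length: 1, 0: 'x' }, {});
  return {
    spreadArray: [1].concat(arrayProxy),   // the case the fast path got wrong
    spreadMarked: [1].concat(markedProxy),
    notSpread: [1].concat(plainProxy),
    plainProxy,
    trapsHit,
  };
}

function nativeMatchesSpec() {
  const { spreadArray, spreadMarked, notSpread, plainProxy } = proxyCases();
  return sameElements(spreadArray, specConcat([1], new Proxy([2, 3], {}))) &&
    sameElements(spreadArray, [1, 2, 3]) &&
    sameElements(spreadMarked, [1, 'x']) &&
    notSpread.length === 2 && notSpread[1] === plainProxy;
}
```

The get trap on arrayProxy records that the engine really went through the Proxy (it must read length and the indices through the handler); an engine that short-circuits a lone Proxy argument into the non-spreading fast path would return [1, arrayProxy] and fail nativeMatchesSpec().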
194 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
195
196         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
197         https://bugs.webkit.org/show_bug.cgi?id=186022
198
199         Reviewed by Darin Adler.
200
201         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
202         creation has an issue (`s` should be cast to a signed one before negating). They cause test failures
203         in non-x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
204         in asm.
205
206         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
207         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
208         This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
209         in a 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
210         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
211         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
212
213         This patch also fixes naming convention for constant values.
214
215         * runtime/JSBigInt.cpp:
216         (JSC::JSBigInt::digitMul):
217         (JSC::JSBigInt::digitDiv):
218         * runtime/JSBigInt.h:
219
220 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
221
222         [WTF] Add clz32 / clz64 for MSVC
223         https://bugs.webkit.org/show_bug.cgi?id=186023
224
225         Reviewed by Daniel Bates.
226
227         Move clz32 and clz64 to WTF.
228
229         * runtime/MathCommon.h:
230         (JSC::clz32): Deleted.
231         (JSC::clz64): Deleted.
232
233 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
234
235         [ESNext][BigInt] Implement "+" and "-" unary operation
236         https://bugs.webkit.org/show_bug.cgi?id=182214
237
238         Reviewed by Yusuke Suzuki.
239
240         This patch is implementing support for the "-" unary operation on BigInt.
241         It is also changing the logic of ASTBuilder::makeNegateNode to
242         calculate BigInt literals with the proper sign, avoiding
243         unnecessary operations. It required a refactoring of
244         JSBigInt::parseInt to consider the sign as a parameter.
245
246         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
247         operations. With the introduction of BigInt, it is not true
248         that every negate operation returns a Number. As ArithNegate is a
249         node that considers its result is always a Number, like all other
250         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
251         speculation indicates that the operand is a BigInt.
252         This design is following the same distinction between ArithAdd and
253         ValueAdd. Also, this new node will make it simpler to introduce
254         optimizations when we create speculation paths for BigInt in future
255         patches.
256
257         In the case of the "+" unary operation on BigInt, the current semantics we already have
258         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
259         In such a case, we are adding tests to verify other edge cases.
260
261         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
262
263         * bytecompiler/BytecodeGenerator.cpp:
264         (JSC::BytecodeGenerator::addBigIntConstant):
265         * bytecompiler/BytecodeGenerator.h:
266         * bytecompiler/NodesCodegen.cpp:
267         (JSC::BigIntNode::jsValue const):
268         * dfg/DFGAbstractInterpreterInlines.h:
269         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
270         * dfg/DFGByteCodeParser.cpp:
271         (JSC::DFG::ByteCodeParser::makeSafe):
272         (JSC::DFG::ByteCodeParser::parseBlock):
273         * dfg/DFGClobberize.h:
274         (JSC::DFG::clobberize):
275         * dfg/DFGDoesGC.cpp:
276         (JSC::DFG::doesGC):
277         * dfg/DFGFixupPhase.cpp:
278         (JSC::DFG::FixupPhase::fixupNode):
279         * dfg/DFGNode.h:
280         (JSC::DFG::Node::arithNodeFlags):
281         * dfg/DFGNodeType.h:
282         * dfg/DFGPredictionPropagationPhase.cpp:
283         * dfg/DFGSafeToExecute.h:
284         (JSC::DFG::safeToExecute):
285         * dfg/DFGSpeculativeJIT.cpp:
286         (JSC::DFG::SpeculativeJIT::compileValueNegate):
287         (JSC::DFG::SpeculativeJIT::compileArithNegate):
288         * dfg/DFGSpeculativeJIT.h:
289         * dfg/DFGSpeculativeJIT32_64.cpp:
290         (JSC::DFG::SpeculativeJIT::compile):
291         * dfg/DFGSpeculativeJIT64.cpp:
292         (JSC::DFG::SpeculativeJIT::compile):
293         * ftl/FTLCapabilities.cpp:
294         (JSC::FTL::canCompile):
295         * ftl/FTLLowerDFGToB3.cpp:
296         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
297         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
298         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
299         * jit/JITOperations.cpp:
300         * parser/ASTBuilder.h:
301         (JSC::ASTBuilder::createBigIntWithSign):
302         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
303         (JSC::ASTBuilder::makeNegateNode):
304         * parser/NodeConstructors.h:
305         (JSC::BigIntNode::BigIntNode):
306         * parser/Nodes.h:
307         * runtime/CommonSlowPaths.cpp:
308         (JSC::updateArithProfileForUnaryArithOp):
309         (JSC::SLOW_PATH_DECL):
310         * runtime/JSBigInt.cpp:
311         (JSC::JSBigInt::parseInt):
312         * runtime/JSBigInt.h:
313         * runtime/JSCJSValueInlines.h:
314         (JSC::JSValue::strictEqualSlowCaseInline):
315
316 2018-05-27  Dan Bernstein  <mitz@apple.com>
317
318         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
319
320         * jit/JITOperations.cpp:
321
322 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
323
324         [JSC] Rename Array#flatten to flat
325         https://bugs.webkit.org/show_bug.cgi?id=186012
326
327         Reviewed by Saam Barati.
328
329         Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten
330         conflicts with MooTools' function name.
331
332         * builtins/ArrayPrototype.js:
333         (globalPrivate.flatIntoArray):
334         (flat):
335         (globalPrivate.flatIntoArrayWithCallback):
336         (flatMap):
337         (globalPrivate.flattenIntoArray): Deleted.
338         (flatten): Deleted.
339         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
340         * runtime/ArrayPrototype.cpp:
341         (JSC::ArrayPrototype::finishCreation):
342
343 2018-05-25  Mark Lam  <mark.lam@apple.com>
344
345         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
346         https://bugs.webkit.org/show_bug.cgi?id=185995
347         <rdar://problem/40173142>
348
349         Reviewed by Saam Barati.
350
351         This is because there's no guarantee that any of the loop bodies will be
352         executed.  Hence, there's no guarantee that the TDZ variables will have been
353         initialized after each loop body.
354
355         * bytecompiler/BytecodeGenerator.cpp:
356         (JSC::BytecodeGenerator::preserveTDZStack):
357         (JSC::BytecodeGenerator::restoreTDZStack):
358         * bytecompiler/BytecodeGenerator.h:
359         * bytecompiler/NodesCodegen.cpp:
360         (JSC::ForInNode::emitBytecode):
361
362 2018-05-25  Mark Lam  <mark.lam@apple.com>
363
364         MachineContext's instructionPointer() should handle null PCs correctly.
365         https://bugs.webkit.org/show_bug.cgi?id=186004
366         <rdar://problem/40570067>
367
368         Reviewed by Saam Barati.
369
370         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
371         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
372         assert accordingly with a debug ASSERT.  This is inconsequential for release
373         builds, but to avoid this assertion failure, we should check for a null PC and
374         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
375         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
376
377         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
378         for null pointers, but I would rather not do that yet.  In general,
379         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
380         leave it that way for now.
381
382         Note: this assertion failure only manifests when we have signal traps enabled,
383         and encounter a null pointer deref.
384
385         * runtime/MachineContext.h:
386         (JSC::MachineContext::instructionPointer):
387
388 2018-05-25  Mark Lam  <mark.lam@apple.com>
389
390         Enforce invariant that GetterSetter objects are invariant.
391         https://bugs.webkit.org/show_bug.cgi?id=185968
392         <rdar://problem/40541416>
393
394         Reviewed by Saam Barati.
395
396         The code already assumes the invariant that GetterSetter objects are immutable.
397         For example, the use of @tryGetById in builtins expects this invariant to be true.
398         The existing code mostly enforces this except for one case: JSObject's
399         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
400         object.
401
402         This patch enforces this invariant by removing the setGetter and setSetter methods
403         of GetterSetter, and requiring the getter/setter callback functions to be
404         specified at construction time.
405
406         * jit/JITOperations.cpp:
407         * llint/LLIntSlowPaths.cpp:
408         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
409         * runtime/GetterSetter.cpp:
410         (JSC::GetterSetter::withGetter): Deleted.
411         (JSC::GetterSetter::withSetter): Deleted.
412         * runtime/GetterSetter.h:
413         * runtime/JSGlobalObject.cpp:
414         (JSC::JSGlobalObject::init):
415         * runtime/JSObject.cpp:
416         (JSC::JSObject::putIndexedDescriptor):
417         (JSC::JSObject::putDirectNativeIntrinsicGetter):
418         (JSC::putDescriptor):
419         (JSC::validateAndApplyPropertyDescriptor):
420         * runtime/JSTypedArrayViewPrototype.cpp:
421         (JSC::JSTypedArrayViewPrototype::finishCreation):
422         * runtime/Lookup.cpp:
423         (JSC::reifyStaticAccessor):
424         * runtime/PropertyDescriptor.cpp:
425         (JSC::PropertyDescriptor::slowGetterSetter):
426
427 2018-05-25  Saam Barati  <sbarati@apple.com>
428
429         Make JSC have a mini mode that kicks in when the JIT is disabled
430         https://bugs.webkit.org/show_bug.cgi?id=185931
431
432         Reviewed by Mark Lam.
433
434         This patch makes JSC have a mini VM mode. This currently only kicks in
435         when the process can't JIT. Mini VM now means a few things:
436         - We always use a 1.27x heap growth factor. This number was the best tradeoff
437           between memory use progression and time regression in run-testmem. We may
438           want to tune this more in the future as we make other mini VM changes.
439         - We always sweep synchronously.
440         - We disable generational GC.
441         
442         I'm going to continue to extend what mini VM mode means in future changes.
443         
444         This patch is a 50% memory progression and an ~8-9% time regression
445         on run-testmem when running in mini VM mode with the JIT disabled.
446
447         * heap/Heap.cpp:
448         (JSC::Heap::collectNow):
449         (JSC::Heap::finalize):
450         (JSC::Heap::useGenerationalGC):
451         (JSC::Heap::shouldSweepSynchronously):
452         (JSC::Heap::shouldDoFullCollection):
453         * heap/Heap.h:
454         * runtime/Options.h:
455         * runtime/VM.cpp:
456         (JSC::VM::isInMiniMode):
457         * runtime/VM.h:
458
459 2018-05-25  Saam Barati  <sbarati@apple.com>
460
461         Have a memory test where we can validate JSC's mini memory mode
462         https://bugs.webkit.org/show_bug.cgi?id=185932
463
464         Reviewed by Mark Lam.
465
466         This patch adds the testmem CLI. It takes as input a file to run
467         and the number of iterations to run it (by default it runs it
468         20 times). Each iteration runs in a new JSContext. Each JSContext
469         belongs to a VM that is created once. When finished, the CLI dumps
470         out the peak memory usage of the process, the memory usage at the end
471         of running all the iterations of the process, and the total time it
472         took to run all the iterations.
473
474         * JavaScriptCore.xcodeproj/project.pbxproj:
475         * testmem: Added.
476         * testmem/testmem.mm: Added.
477         (description):
478         (Footprint::now):
479         (main):
480
481 2018-05-25  David Kilzer  <ddkilzer@apple.com>
482
483         Fix issues with -dealloc methods found by clang static analyzer
484         <https://webkit.org/b/185887>
485
486         Reviewed by Joseph Pecoraro.
487
488         * API/JSValue.mm:
489         (-[JSValue dealloc]):
490         (-[JSValue description]):
491         - Move method implementations from (Internal) category to the
492           main category since these are public API.  This fixes the
493           false positive warning about a missing -dealloc method.
494
495 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
496
497         [Baseline] Remove a hack for DCE removal of NewFunction
498         https://bugs.webkit.org/show_bug.cgi?id=185945
499
500         Reviewed by Saam Barati.
501
502         This `undefined` check in baseline was originally introduced in r177871. The problem was,
503         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
504         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
505         retrieve this into the stack since the scope is not referenced from anywhere.
506
507         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
508         implementation. But rather than that, just emitting `Phantom` for this scope is clean
509         and consistent with the other DFG nodes like GetClosureVar.
510
511         This patch emits Phantom instead, and removes unnecessary `undefined` check in baseline.
512         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
513         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
514         if it is not referenced. And scope node is kept by PutHint. But emitting Phantom is nice
515         since it conservatively guards the scope, and it does not introduce any additional overhead
516         compared to the current status.
517
518         * dfg/DFGByteCodeParser.cpp:
519         (JSC::DFG::ByteCodeParser::parseBlock):
520         * jit/JITOpcodes.cpp:
521         (JSC::JIT::emitNewFuncExprCommon):
522
523 2018-05-23  Keith Miller  <keith_miller@apple.com>
524
525         Expose $vm if window.internals is exposed
526         https://bugs.webkit.org/show_bug.cgi?id=185900
527
528         Reviewed by Mark Lam.
529
530         This is useful for testing vm internals when running LayoutTests.
531
532         * runtime/JSGlobalObject.cpp:
533         (JSC::JSGlobalObject::init):
534         (JSC::JSGlobalObject::visitChildren):
535         (JSC::JSGlobalObject::exposeDollarVM):
536         * runtime/JSGlobalObject.h:
537
538 2018-05-23  Keith Miller  <keith_miller@apple.com>
539
540         Define length on CoW array should properly convert to writable
541         https://bugs.webkit.org/show_bug.cgi?id=185927
542
543         Reviewed by Yusuke Suzuki.
544
545         * runtime/JSArray.cpp:
546         (JSC::JSArray::setLength):
547
548 2018-05-23  Keith Miller  <keith_miller@apple.com>
549
550         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
551         https://bugs.webkit.org/show_bug.cgi?id=185923
552
553         Reviewed by Saam Barati.
554
555         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
556         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
557
558         Block 1:
559         @1: GetLocal(loc42, FlushedInt32);
560         @2: PutStructure(Check: Cell: @1);
561         @3: Jump(Block 1);
562
563         Would cause us to claim that loc42 could be either an int32 or some cell. However,
564         the type of a local cannot change without writing to it.
565
566         This fixes a crash in destructuring-rest-element.js
567
568         * dfg/DFGInPlaceAbstractState.cpp:
569         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
570
571 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
572
573         Speed up JetStream/base64
574         https://bugs.webkit.org/show_bug.cgi?id=185914
575
576         Reviewed by Michael Saboff.
577         
578         Make allocation fast paths ALWAYS_INLINE.
579         
580         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
581         ~6%.
582
583         * CMakeLists.txt:
584         * JavaScriptCore.xcodeproj/project.pbxproj:
585         * heap/AllocatorInlines.h:
586         (JSC::Allocator::allocate const):
587         * heap/CompleteSubspace.cpp:
588         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
589         * heap/CompleteSubspace.h:
590         * heap/CompleteSubspaceInlines.h: Added.
591         (JSC::CompleteSubspace::allocateNonVirtual):
592         * heap/FreeListInlines.h:
593         (JSC::FreeList::allocate):
594         * heap/IsoSubspace.cpp:
595         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
596         * heap/IsoSubspace.h:
597         (JSC::IsoSubspace::allocatorForNonVirtual):
598         * heap/IsoSubspaceInlines.h: Added.
599         (JSC::IsoSubspace::allocateNonVirtual):
600         * runtime/JSCellInlines.h:
601         * runtime/VM.h:
602
603 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
604
605         Conversion misspelled "Convertion" in error message string
606         https://bugs.webkit.org/show_bug.cgi?id=185436
607
608         Reviewed by Saam Barati and Michael Saboff.
609
610         * runtime/JSBigInt.cpp:
611         (JSC::JSBigInt::toNumber const):
612
613 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
614
615         [JSC] Clean up stringGetByValStubGenerator
616         https://bugs.webkit.org/show_bug.cgi?id=185864
617
618         Reviewed by Saam Barati.
619
620         We clean up stringGetByValStubGenerator.
621
622         1. Unify 32bit and 64bit implementations.
623         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
624         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
625         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
626         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
627
628         * jit/JIT.h:
629         * jit/JITPropertyAccess.cpp:
630         (JSC::JIT::emitSlow_op_get_by_val):
631         (JSC::JIT::stringGetByValStubGenerator): Deleted.
632         * jit/JITPropertyAccess32_64.cpp:
633         (JSC::JIT::emit_op_get_by_val):
634         (JSC::JIT::emitSlow_op_get_by_val):
635         (JSC::JIT::stringGetByValStubGenerator): Deleted.
636         * jit/ThunkGenerators.cpp:
637         (JSC::stringGetByValGenerator):
638         * jit/ThunkGenerators.h:
639
640 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
641
642         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
643         https://bugs.webkit.org/show_bug.cgi?id=185810
644
645         Reviewed by Saam Barati.
646
647         Let's use branchIfString/branchIfNotString helper functions instead of
648         checking the structure against jsString's structure. It's easier to read. And
649         it emits less code since we do not need to embed the string structure's
650         raw pointer in a 32bit environment.
651
652         * jit/JIT.h:
653         * jit/JITInlines.h:
654         (JSC::JIT::emitLoadCharacterString):
655         (JSC::JIT::checkStructure): Deleted.
656         * jit/JITOpcodes32_64.cpp:
657         (JSC::JIT::emitSlow_op_eq):
658         (JSC::JIT::compileOpEqJumpSlow):
659         (JSC::JIT::emitSlow_op_neq):
660         * jit/JITPropertyAccess.cpp:
661         (JSC::JIT::stringGetByValStubGenerator):
662         (JSC::JIT::emitSlow_op_get_by_val):
663         (JSC::JIT::emitByValIdentifierCheck):
664         * jit/JITPropertyAccess32_64.cpp:
665         (JSC::JIT::stringGetByValStubGenerator):
666         (JSC::JIT::emitSlow_op_get_by_val):
667         * jit/JSInterfaceJIT.h:
668         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
669         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
670         * jit/SpecializedThunkJIT.h:
671         (JSC::SpecializedThunkJIT::loadJSStringArgument):
672         * jit/ThunkGenerators.cpp:
673         (JSC::stringCharLoad):
674         (JSC::charCodeAtThunkGenerator):
675         (JSC::charAtThunkGenerator):
676         * runtime/JSString.h:
677
678 2018-05-22  Mark Lam  <mark.lam@apple.com>
679
680         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
681         https://bugs.webkit.org/show_bug.cgi?id=185896
682         <rdar://problem/40471403>
683
684         Reviewed by Saam Barati.
685
686         * bytecode/BytecodeGeneratorification.cpp:
687         (JSC::BytecodeGeneratorification::run):
688
689 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
690
691         [JSC] Fix CachedCall's argument count if RegExp has named captures
692         https://bugs.webkit.org/show_bug.cgi?id=185587
693
694         Reviewed by Mark Lam.
695
696         If the given RegExp has named captures, the argument count of CachedCall in String#replace
697         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
698         the argument count.
699
700         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
701         the same.
702
703         * runtime/StringPrototype.cpp:
704         (JSC::replaceUsingRegExpSearch):
705
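Added example, not part of this ChangeLog entry or of JSC's sources: the observable side of the argument count fixed above, namely that a replacer function passed to String.prototype.replace receives one extra trailing argument (the groups object) exactly when the RegExp has named captures. Helper names are this example's own.

```javascript
// Added example, not JSC code: the argument list String.prototype.replace
// hands to a replacer function, which gains a trailing "groups" object
// exactly when the RegExp has named captures.

function replacerArguments(str, re) {
  const calls = [];
  str.replace(re, (...args) => { calls.push(args); return ''; });
  return calls.length ? calls[0] : undefined;
}

// Layout per spec: match, p1..pN, offset, whole string, then groups if any.
function describeReplacerCall(str, re) {
  const args = replacerArguments(str, re);
  if (args === undefined) return { argc: 0, captureCount: 0, hasGroups: false, groups: undefined };
  const last = args[args.length - 1];
  // offset is a number and the subject string a string, so an object in last
  // position can only be the named-captures object.
  const hasGroups = typeof last === 'object' && last !== null;
  const fixed = 3 + (hasGroups ? 1 : 0); // match + offset + string (+ groups)
  return {
    argc: args.length,
    captureCount: args.length - fixed,
    hasGroups,
    groups: hasGroups ? last : undefined,
  };
}
```

With /(b)/ the replacer sees four arguments; with /(?<mid>b)/ it sees five, the last being the groups object, even though both patterns have exactly one capture. That extra slot is the +1 the entry above is about.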
706 2018-05-22  Mark Lam  <mark.lam@apple.com>
707
708         StringImpl utf8 conversion should not fail silently.
709         https://bugs.webkit.org/show_bug.cgi?id=185888
710         <rdar://problem/40464506>
711
712         Reviewed by Filip Pizlo.
713
714         * dfg/DFGLazyJSValue.cpp:
715         (JSC::DFG::LazyJSValue::dumpInContext const):
716         * runtime/DateConstructor.cpp:
717         (JSC::constructDate):
718         (JSC::dateParse):
719         * runtime/JSDateMath.cpp:
720         (JSC::parseDate):
721         * runtime/JSDateMath.h:
722
723 2018-05-22  Keith Miller  <keith_miller@apple.com>
724
725         Remove the UnconditionalFinalizer class
726         https://bugs.webkit.org/show_bug.cgi?id=185881
727
728         Reviewed by Filip Pizlo.
729
730         The only remaining user of this API is
731         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
732         to use the newer template based API and removes the old class.
733
751         * CMakeLists.txt:
768
769 2018-05-22  Keith Miller  <keith_miller@apple.com>
770
771         Unreviewed, fix internal build.
772
773         * runtime/JSImmutableButterfly.cpp:
774
775 2018-05-22  Saam Barati  <sbarati@apple.com>
776
777         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
778         https://bugs.webkit.org/show_bug.cgi?id=144525
779
780         Reviewed by Filip Pizlo.
781
782         This patch teaches LICM to fall back to hoisting a node's type checks when
783         hoisting the entire node fails.
784         
785         This patch follows the same principles we use when deciding to hoist nodes in general:
786         - If the pre header is control equivalent to where the current check is, we
787         go ahead and hoist the check.
788         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
789         hoist the check. If hoisting failed in the past, we will not hoist the check.
790
791         * dfg/DFGLICMPhase.cpp:
792         (JSC::DFG::LICMPhase::attemptHoist):
793         * dfg/DFGUseKind.h:
794         (JSC::DFG::checkMayCrashIfInputIsEmpty):
795
796 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
797
798         Get rid of TLCs
799         https://bugs.webkit.org/show_bug.cgi?id=185846
800
801         Rubber stamped by Geoffrey Garen.
802         
803         This removes support for thread-local caches from the GC in order to speed up allocation a
804         bit.
805         
806         We added TLCs as part of Spectre mitigations, which we have since removed.
807         
808         We will want some kind of TLCs eventually, since they allow us to:
809         
810         - have a global GC, which may be a perf optimization at some point.
811         - allocate objects from JIT threads, which we've been wanting to do for a while.
812         
813         This change keeps the most interesting aspect of TLCs, which is the
814         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
815         TLCs again in the future if we wanted this feature.
816         
817         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
818         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
819         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
820         you can directly use it to allocate. This removes two loads and a check from the allocation
821         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
822         allowed us to have a statically known set of LocalAllocators. This would have removed the
823         bounds check (one load and one branch) and it would have made it possible to CSE the load of
824         the TLC data structure, since that would no longer resize. But that's a harder change than
825         this patch, and we don't need it right now.
826         
827         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
828         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
829         that check already. Previously, the TLC bounds check doubled as this check.
830         
831         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
832         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
833         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
834         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
835
836         * JavaScriptCore.xcodeproj/project.pbxproj:
837         * Sources.txt:
838         * bytecode/ObjectAllocationProfileInlines.h:
839         (JSC::ObjectAllocationProfile::initializeProfile):
840         * dfg/DFGSpeculativeJIT.cpp:
841         (JSC::DFG::SpeculativeJIT::compileCreateThis):
842         * ftl/FTLLowerDFGToB3.cpp:
843         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
844         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
845         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
846         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
847         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
848         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
849         * heap/Allocator.cpp:
850         (JSC::Allocator::cellSize const):
851         * heap/Allocator.h:
852         (JSC::Allocator::Allocator):
853         (JSC::Allocator::localAllocator const):
854         (JSC::Allocator::operator== const):
855         (JSC::Allocator::offset const): Deleted.
856         * heap/AllocatorInlines.h:
857         (JSC::Allocator::allocate const):
858         (JSC::Allocator::tryAllocate const): Deleted.
859         * heap/BlockDirectory.cpp:
860         (JSC::BlockDirectory::BlockDirectory):
861         (JSC::BlockDirectory::~BlockDirectory):
862         * heap/BlockDirectory.h:
863         (JSC::BlockDirectory::allocator const): Deleted.
864         * heap/CompleteSubspace.cpp:
865         (JSC::CompleteSubspace::allocateNonVirtual):
866         (JSC::CompleteSubspace::allocatorForSlow):
867         (JSC::CompleteSubspace::tryAllocateSlow):
868         * heap/CompleteSubspace.h:
869         * heap/Heap.cpp:
870         (JSC::Heap::Heap):
871         * heap/Heap.h:
872         (JSC::Heap::threadLocalCacheLayout): Deleted.
873         * heap/IsoSubspace.cpp:
874         (JSC::IsoSubspace::IsoSubspace):
875         (JSC::IsoSubspace::allocateNonVirtual):
876         * heap/IsoSubspace.h:
877         (JSC::IsoSubspace::allocatorForNonVirtual):
878         * heap/LocalAllocator.cpp:
879         (JSC::LocalAllocator::LocalAllocator):
880         (JSC::LocalAllocator::~LocalAllocator):
881         * heap/LocalAllocator.h:
882         (JSC::LocalAllocator::cellSize const):
883         (JSC::LocalAllocator::tlc const): Deleted.
884         * heap/ThreadLocalCache.cpp: Removed.
885         * heap/ThreadLocalCache.h: Removed.
886         * heap/ThreadLocalCacheInlines.h: Removed.
887         * heap/ThreadLocalCacheLayout.cpp: Removed.
888         * heap/ThreadLocalCacheLayout.h: Removed.
889         * jit/AssemblyHelpers.cpp:
890         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
891         (JSC::AssemblyHelpers::emitAllocate):
892         (JSC::AssemblyHelpers::emitAllocateVariableSized):
893         * jit/JITOpcodes.cpp:
894         (JSC::JIT::emit_op_create_this):
895         * runtime/JSLock.cpp:
896         (JSC::JSLock::didAcquireLock):
897         * runtime/VM.cpp:
898         (JSC::VM::VM):
899         (JSC::VM::~VM):
900         * runtime/VM.h:
901         * runtime/VMEntryScope.cpp:
902         (JSC::VMEntryScope::~VMEntryScope):
903         * runtime/VMEntryScope.h:
904
905 2018-05-22  Keith Miller  <keith_miller@apple.com>
906
907         We should have a CoW storage for NewArrayBuffer arrays.
908         https://bugs.webkit.org/show_bug.cgi?id=185003
909
910         Reviewed by Filip Pizlo.
911
912         This patch adds copy on write storage for new array buffers. In
913         order to do this there needed to be significant changes to the
914         layout of IndexingType. The new indexing type has the following
915         shape:
916
917         struct IndexingTypeAndMisc {
918             struct IndexingModeIncludingHistory {
919                 struct IndexingMode {
920                     struct IndexingType {
921                         uint8_t isArray:1;          // bit 0
922                         uint8_t shape:3;            // bit 1 - 3
923                     };
924                     uint8_t copyOnWrite:1;          // bit 4
925                 };
926                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
927             };
928             uint8_t cellLockBits:2;                 // bit 6 - 7
929         };
930
931         For simplicity ArrayStorage shapes cannot be CoW. So the only
932         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
933         ArrayWithContiguous.
934
935         The backing store for a CoW array is a new class
936         JSImmutableButterfly, which looks exactly the same as a normal
937         butterfly except that it has a JSCell header. Like other
938         butterflies, JSImmutableButterflies are allocated out of the
939         Auxiliary Gigacage and are pointed to by JSCells in the same
940         way. However, when marking JSImmutableButterflies they are marked
941         as if they were a property.
942
943         With CoW arrays, the new_array_buffer bytecode will reallocate the
944         shared JSImmutableButterfly if it sees from the allocation profile
945         that the last array it allocated has transitioned to a different
946         indexing type. From then on, all arrays created by that
947         new_array_buffer bytecode will have the promoted indexing
948         type. This is more or less the same as what we used to do. The
949         only difference is that we don't promote all the way to array
950         storage even if we have seen it before.
951
952         Transitioning from a CoW indexing mode occurs whenever someone
953         tries to store to an element, grow the array, or add properties.
954         Storing or growing the array will call into code that does the
955         stupid thing of copying the butterfly then continue into the old
956         code. This doesn't end up costing us as future allocations will
957         use any upgraded indexing shape.  We get adding properties for
958         free by just changing the indexing mode on transition (our C++
959         code always updates the indexing mode).
960
961         * JavaScriptCore.xcodeproj/project.pbxproj:
962         * Sources.txt:
963         * bytecode/ArrayAllocationProfile.cpp:
964         (JSC::ArrayAllocationProfile::updateProfile):
965         * bytecode/ArrayAllocationProfile.h:
966         (JSC::ArrayAllocationProfile::initializeIndexingMode):
967         * bytecode/ArrayProfile.cpp:
968         (JSC::dumpArrayModes):
969         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
970         * bytecode/ArrayProfile.h:
971         (JSC::asArrayModes):
972         (JSC::arrayModeFromStructure):
973         (JSC::arrayModesInclude):
974         (JSC::hasSeenCopyOnWriteArray):
975         * bytecode/BytecodeList.json:
976         * bytecode/CodeBlock.cpp:
977         (JSC::CodeBlock::finishCreation):
978         * bytecode/InlineAccess.cpp:
979         (JSC::InlineAccess::generateArrayLength):
980         * bytecode/UnlinkedCodeBlock.h:
981         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
982         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
983         * bytecompiler/BytecodeGenerator.cpp:
984         (JSC::BytecodeGenerator::newArrayAllocationProfile):
985         (JSC::BytecodeGenerator::emitNewArrayBuffer):
986         (JSC::BytecodeGenerator::emitNewArray):
987         (JSC::BytecodeGenerator::emitNewArrayWithSize):
988         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
989         * bytecompiler/BytecodeGenerator.h:
990         * bytecompiler/NodesCodegen.cpp:
991         (JSC::ArrayNode::emitBytecode):
992         (JSC::ArrayPatternNode::bindValue const):
993         (JSC::ArrayPatternNode::emitDirectBinding):
994         * dfg/DFGAbstractInterpreterInlines.h:
995         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
996         * dfg/DFGArgumentsEliminationPhase.cpp:
997         * dfg/DFGArgumentsUtilities.cpp:
998         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
999         * dfg/DFGArrayMode.cpp:
1000         (JSC::DFG::ArrayMode::fromObserved):
1001         (JSC::DFG::ArrayMode::refine const):
1002         (JSC::DFG::ArrayMode::alreadyChecked const):
1003         * dfg/DFGArrayMode.h:
1004         (JSC::DFG::ArrayMode::ArrayMode):
1005         (JSC::DFG::ArrayMode::action const):
1006         (JSC::DFG::ArrayMode::withSpeculation const):
1007         (JSC::DFG::ArrayMode::withArrayClass const):
1008         (JSC::DFG::ArrayMode::withType const):
1009         (JSC::DFG::ArrayMode::withConversion const):
1010         (JSC::DFG::ArrayMode::withTypeAndConversion const):
1011         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1012         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1013         * dfg/DFGByteCodeParser.cpp:
1014         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1015         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1016         (JSC::DFG::ByteCodeParser::parseBlock):
1017         * dfg/DFGClobberize.h:
1018         (JSC::DFG::clobberize):
1019         * dfg/DFGConstantFoldingPhase.cpp:
1020         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1021         * dfg/DFGFixupPhase.cpp:
1022         (JSC::DFG::FixupPhase::fixupNode):
1023         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1024         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1025         * dfg/DFGGraph.cpp:
1026         (JSC::DFG::Graph::dump):
1027         * dfg/DFGNode.h:
1028         (JSC::DFG::Node::indexingType):
1029         (JSC::DFG::Node::indexingMode):
1030         * dfg/DFGOSRExit.cpp:
1031         (JSC::DFG::OSRExit::compileExit):
1032         * dfg/DFGOperations.cpp:
1033         * dfg/DFGOperations.h:
1034         * dfg/DFGSpeculativeJIT.cpp:
1035         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1036         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1037         (JSC::DFG::SpeculativeJIT::arrayify):
1038         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1039         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1040         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1041         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1042         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1043         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1044         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1045         * dfg/DFGSpeculativeJIT32_64.cpp:
1046         (JSC::DFG::SpeculativeJIT::compile):
1047         * dfg/DFGSpeculativeJIT64.cpp:
1048         (JSC::DFG::SpeculativeJIT::compile):
1049         * dfg/DFGValidate.cpp:
1050         * ftl/FTLAbstractHeapRepository.h:
1051         * ftl/FTLLowerDFGToB3.cpp:
1052         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1053         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1054         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1055         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1056         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1057         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1058         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1059         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1060         * ftl/FTLOperations.cpp:
1061         (JSC::FTL::operationMaterializeObjectInOSR):
1062         * generate-bytecode-files:
1063         * interpreter/Interpreter.cpp:
1064         (JSC::sizeOfVarargs):
1065         (JSC::loadVarargs):
1066         * jit/AssemblyHelpers.cpp:
1067         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1068         * jit/AssemblyHelpers.h:
1069         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1070         * jit/JITOperations.cpp:
1071         * jit/JITPropertyAccess.cpp:
1072         (JSC::JIT::emit_op_put_by_val):
1073         (JSC::JIT::emitSlow_op_put_by_val):
1074         * jit/Repatch.cpp:
1075         (JSC::tryCachePutByID):
1076         * llint/LowLevelInterpreter.asm:
1077         * llint/LowLevelInterpreter32_64.asm:
1078         * llint/LowLevelInterpreter64.asm:
1079         * runtime/Butterfly.h:
1080         (JSC::ContiguousData::Data::Data):
1081         (JSC::ContiguousData::Data::operator bool const):
1082         (JSC::ContiguousData::Data::operator=):
1083         (JSC::ContiguousData::Data::operator const T& const):
1084         (JSC::ContiguousData::Data::set):
1085         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
1086         (JSC::ContiguousData::Data::clear):
1087         (JSC::ContiguousData::Data::get const):
1088         (JSC::ContiguousData::atUnsafe):
1089         (JSC::ContiguousData::at const): Deleted.
1090         (JSC::ContiguousData::at): Deleted.
1091         * runtime/ButterflyInlines.h:
1092         (JSC::ContiguousData<T>::at const):
1093         (JSC::ContiguousData<T>::at):
1094         * runtime/ClonedArguments.cpp:
1095         (JSC::ClonedArguments::createEmpty):
1096         * runtime/CommonSlowPaths.cpp:
1097         (JSC::SLOW_PATH_DECL):
1098         * runtime/CommonSlowPaths.h:
1099         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
1100         * runtime/IndexingType.cpp:
1101         (JSC::leastUpperBoundOfIndexingTypeAndType):
1102         (JSC::leastUpperBoundOfIndexingTypeAndValue):
1103         (JSC::dumpIndexingType):
1104         * runtime/IndexingType.h:
1105         (JSC::hasIndexedProperties):
1106         (JSC::hasUndecided):
1107         (JSC::hasInt32):
1108         (JSC::hasDouble):
1109         (JSC::hasContiguous):
1110         (JSC::hasArrayStorage):
1111         (JSC::hasAnyArrayStorage):
1112         (JSC::hasSlowPutArrayStorage):
1113         (JSC::shouldUseSlowPut):
1114         (JSC::isCopyOnWrite):
1115         (JSC::arrayIndexFromIndexingType):
1116         * runtime/JSArray.cpp:
1117         (JSC::JSArray::tryCreateUninitializedRestricted):
1118         (JSC::JSArray::put):
1119         (JSC::JSArray::appendMemcpy):
1120         (JSC::JSArray::setLength):
1121         (JSC::JSArray::pop):
1122         (JSC::JSArray::fastSlice):
1123         (JSC::JSArray::shiftCountWithAnyIndexingType):
1124         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1125         (JSC::JSArray::fillArgList):
1126         (JSC::JSArray::copyToArguments):
1127         * runtime/JSArrayInlines.h:
1128         (JSC::JSArray::pushInline):
1129         * runtime/JSCell.h:
1130         * runtime/JSCellInlines.h:
1131         (JSC::JSCell::JSCell):
1132         (JSC::JSCell::finishCreation):
1133         (JSC::JSCell::indexingType const):
1134         (JSC::JSCell::indexingMode const):
1135         (JSC::JSCell::setStructure):
1136         * runtime/JSFixedArray.h:
1137         * runtime/JSGlobalObject.cpp:
1138         (JSC::JSGlobalObject::init):
1139         (JSC::JSGlobalObject::haveABadTime):
1140         (JSC::JSGlobalObject::visitChildren):
1141         * runtime/JSGlobalObject.h:
1142         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
1143         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1144         (JSC::JSGlobalObject::isOriginalArrayStructure):
1145         * runtime/JSImmutableButterfly.cpp: Added.
1146         (JSC::JSImmutableButterfly::visitChildren):
1147         (JSC::JSImmutableButterfly::copyToArguments):
1148         * runtime/JSImmutableButterfly.h: Added.
1149         (JSC::JSImmutableButterfly::createStructure):
1150         (JSC::JSImmutableButterfly::tryCreate):
1151         (JSC::JSImmutableButterfly::create):
1152         (JSC::JSImmutableButterfly::publicLength const):
1153         (JSC::JSImmutableButterfly::vectorLength const):
1154         (JSC::JSImmutableButterfly::length const):
1155         (JSC::JSImmutableButterfly::toButterfly const):
1156         (JSC::JSImmutableButterfly::fromButterfly):
1157         (JSC::JSImmutableButterfly::get const):
1158         (JSC::JSImmutableButterfly::subspaceFor):
1159         (JSC::JSImmutableButterfly::setIndex):
1160         (JSC::JSImmutableButterfly::allocationSize):
1161         (JSC::JSImmutableButterfly::JSImmutableButterfly):
1162         * runtime/JSObject.cpp:
1163         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
1164         (JSC::JSObject::visitButterflyImpl):
1165         (JSC::JSObject::getOwnPropertySlotByIndex):
1166         (JSC::JSObject::putByIndex):
1167         (JSC::JSObject::createInitialInt32):
1168         (JSC::JSObject::createInitialDouble):
1169         (JSC::JSObject::createInitialContiguous):
1170         (JSC::JSObject::convertUndecidedToInt32):
1171         (JSC::JSObject::convertUndecidedToDouble):
1172         (JSC::JSObject::convertUndecidedToContiguous):
1173         (JSC::JSObject::convertInt32ToDouble):
1174         (JSC::JSObject::convertInt32ToArrayStorage):
1175         (JSC::JSObject::convertDoubleToContiguous):
1176         (JSC::JSObject::convertDoubleToArrayStorage):
1177         (JSC::JSObject::convertContiguousToArrayStorage):
1178         (JSC::JSObject::createInitialForValueAndSet):
1179         (JSC::JSObject::convertInt32ForValue):
1180         (JSC::JSObject::convertFromCopyOnWrite):
1181         (JSC::JSObject::ensureWritableInt32Slow):
1182         (JSC::JSObject::ensureWritableDoubleSlow):
1183         (JSC::JSObject::ensureWritableContiguousSlow):
1184         (JSC::JSObject::ensureArrayStorageSlow):
1185         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1186         (JSC::JSObject::switchToSlowPutArrayStorage):
1187         (JSC::JSObject::deletePropertyByIndex):
1188         (JSC::JSObject::getOwnPropertyNames):
1189         (JSC::canDoFastPutDirectIndex):
1190         (JSC::JSObject::defineOwnIndexedProperty):
1191         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1192         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1193         (JSC::JSObject::putByIndexBeyondVectorLength):
1194         (JSC::JSObject::countElements):
1195         (JSC::JSObject::ensureLengthSlow):
1196         (JSC::JSObject::getEnumerableLength):
1197         (JSC::JSObject::ensureInt32Slow): Deleted.
1198         (JSC::JSObject::ensureDoubleSlow): Deleted.
1199         (JSC::JSObject::ensureContiguousSlow): Deleted.
1200         * runtime/JSObject.h:
1201         (JSC::JSObject::putDirectIndex):
1202         (JSC::JSObject::canGetIndexQuickly):
1203         (JSC::JSObject::getIndexQuickly):
1204         (JSC::JSObject::tryGetIndexQuickly const):
1205         (JSC::JSObject::canSetIndexQuickly):
1206         (JSC::JSObject::setIndexQuickly):
1207         (JSC::JSObject::initializeIndex):
1208         (JSC::JSObject::initializeIndexWithoutBarrier):
1209         (JSC::JSObject::ensureWritableInt32):
1210         (JSC::JSObject::ensureWritableDouble):
1211         (JSC::JSObject::ensureWritableContiguous):
1212         (JSC::JSObject::ensureLength):
1213         (JSC::JSObject::ensureInt32): Deleted.
1214         (JSC::JSObject::ensureDouble): Deleted.
1215         (JSC::JSObject::ensureContiguous): Deleted.
1216         * runtime/JSObjectInlines.h:
1217         (JSC::JSObject::putDirectInternal):
1218         * runtime/JSType.h:
1219         * runtime/RegExpMatchesArray.h:
1220         (JSC::tryCreateUninitializedRegExpMatchesArray):
1221         * runtime/Structure.cpp:
1222         (JSC::Structure::Structure):
1223         (JSC::Structure::addNewPropertyTransition):
1224         (JSC::Structure::nonPropertyTransition):
1225         * runtime/Structure.h:
1226         * runtime/StructureIDBlob.h:
1227         (JSC::StructureIDBlob::StructureIDBlob):
1228         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
1229         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
1230         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
1231         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
1232         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
1233         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
1234         * runtime/StructureTransitionTable.h:
1235         (JSC::newIndexingType):
1236         * runtime/VM.cpp:
1237         (JSC::VM::VM):
1238         * runtime/VM.h:
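
        The IndexingType bit layout and the copy-on-write transition described in this entry, as an added C++ illustration that is not JavaScriptCore's own code: the shape constants are assumed to mirror JSC's IndexingType.h, and CowInt32Array and ImmutableButterfly are toy stand-ins for JSArray and JSImmutableButterfly.

```cpp
// Added illustration, not JavaScriptCore's own code: models the IndexingType bit layout
// from the entry above and its copy-on-write transition. Shape constants assumed to mirror JSC.
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

using IndexingType = uint8_t;

// Bit layout from the entry: bit 0 isArray, bits 1-3 shape, bit 4 copyOnWrite,
// bit 5 mayHaveIndexedAccessors, bits 6-7 cell lock bits.
constexpr IndexingType IsArray                  = 0x01;
constexpr IndexingType IndexingShapeMask        = 0x0E;
constexpr IndexingType Int32Shape               = 0x04;
constexpr IndexingType DoubleShape              = 0x06;
constexpr IndexingType ContiguousShape          = 0x08;
constexpr IndexingType ArrayStorageShape        = 0x0A;
constexpr IndexingType SlowPutArrayStorageShape = 0x0C;
constexpr IndexingType CopyOnWrite              = 0x10;
constexpr IndexingType MayHaveIndexedAccessors  = 0x20;
constexpr IndexingType CellLockBitsMask         = 0xC0;

constexpr IndexingType ArrayWithInt32      = IsArray | Int32Shape;
constexpr IndexingType ArrayWithDouble     = IsArray | DoubleShape;
constexpr IndexingType ArrayWithContiguous = IsArray | ContiguousShape;

inline IndexingType indexingShape(IndexingType mode) { return mode & IndexingShapeMask; }
inline bool isCopyOnWrite(IndexingType mode) { return (mode & CopyOnWrite) != 0; }

// The entry allows CopyOnWrite only on ArrayWithInt32, ArrayWithDouble and
// ArrayWithContiguous: never on ArrayStorage shapes, never without isArray.
inline bool isValidIndexingMode(IndexingType mode)
{
    if (indexingShape(mode) > SlowPutArrayStorageShape)
        return false; // shape value 0x0E is unused
    if (!isCopyOnWrite(mode))
        return true;
    IndexingType type = mode & (IsArray | IndexingShapeMask);
    return type == ArrayWithInt32 || type == ArrayWithDouble || type == ArrayWithContiguous;
}

// Stand-in for JSImmutableButterfly: an element buffer shared between arrays
// and never mutated in place.
using ImmutableButterfly = std::shared_ptr<const std::vector<int32_t>>;

// Toy ArrayWithInt32 array (stand-in for JSArray) that starts out aliasing a
// shared immutable buffer and takes a private copy on its first write.
class CowInt32Array {
public:
    explicit CowInt32Array(ImmutableButterfly shared)
        : m_mode(ArrayWithInt32 | CopyOnWrite), m_shared(std::move(shared)) { }

    IndexingType indexingMode() const { return m_mode; }
    size_t length() const { return storage().size(); }
    // Number of owners of the shared buffer, so aliasing can be observed.
    long sharedUseCount() const { return m_shared ? m_shared.use_count() : 0; }
    int32_t get(size_t i) const { return storage().at(i); } // throws std::out_of_range

    // Stores and growth take the slow path the entry describes: copy the butterfly,
    // clear CopyOnWrite, then continue into the ordinary write (growth zero-fills here).
    void set(size_t i, int32_t v)
    {
        convertFromCopyOnWrite();
        if (i >= m_own.size())
            m_own.resize(i + 1);
        m_own[i] = v;
    }

private:
    const std::vector<int32_t>& storage() const { return isCopyOnWrite(m_mode) ? *m_shared : m_own; }

    void convertFromCopyOnWrite()
    {
        if (!isCopyOnWrite(m_mode))
            return;
        m_own = *m_shared;
        m_shared.reset();
        m_mode = static_cast<IndexingType>(m_mode & ~CopyOnWrite);
    }

    IndexingType m_mode;
    ImmutableButterfly m_shared;
    std::vector<int32_t> m_own;
};

// One new_array_buffer site hands the same immutable buffer to every array it
// creates; returns true when aliasing and the transition behave as described.
bool demoSharedLiteralStorage()
{
    ImmutableButterfly shared = std::make_shared<std::vector<int32_t>>(std::vector<int32_t>{1, 2, 3});
    CowInt32Array a(shared), b(shared);
    bool ok = a.sharedUseCount() == 3 && isValidIndexingMode(a.indexingMode());
    b.set(0, 42); // first store: b copies the butterfly and drops CopyOnWrite
    ok = ok && a.get(0) == 1 && b.get(0) == 42 && b.length() == 3;
    ok = ok && isCopyOnWrite(a.indexingMode()) && !isCopyOnWrite(b.indexingMode());
    return ok && a.sharedUseCount() == 2; // only `shared` and `a` still alias the buffer
}
```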
1239
1240 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
1241
1242         Unreviewed, rolling out r232052.
1243
1244         Breaks internal builds.
1245
1246         Reverted changeset:
1247
1248         "Use more C++17"
1249         https://bugs.webkit.org/show_bug.cgi?id=185176
1250         https://trac.webkit.org/changeset/232052
1251
1252 2018-05-22  Alberto Garcia  <berto@igalia.com>
1253
1254         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
1255         https://bugs.webkit.org/show_bug.cgi?id=182622
1256         <rdar://problem/40292317>
1257
1258         Reviewed by Michael Catanzaro.
1259
1260         We were linking JavaScriptCore against libatomic in MIPS because
1261         in that architecture __atomic_fetch_add_8() is not a compiler
1262         intrinsic and is provided by that library instead. However other
1263         architectures (e.g armel) are in the same situation, so we need a
1264         generic test.
1265
1266         That test already exists in WebKit/CMakeLists.txt, so we just have
1267         to move it to a common file (WebKitCompilerFlags.cmake) and use
1268         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
1269
1270         * CMakeLists.txt:
1271
1272 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
1273
1274         Unreviewed, rolling out r231843.
1275
1276         Broke cross build
1277
1278         Reverted changeset:
1279
1280         "[CMake] Properly detect compiler flags, needed libs, and
1281         fallbacks for usage of 64-bit atomic operations"
1282         https://bugs.webkit.org/show_bug.cgi?id=182622
1283         https://trac.webkit.org/changeset/231843
1284
1285 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1286
1287         Use more C++17
1288         https://bugs.webkit.org/show_bug.cgi?id=185176
1289
1290         Reviewed by JF Bastien.
1291
1292         * Configurations/Base.xcconfig:
1293
1294 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1295
1296         [JSC] Remove duplicate methods in JSInterfaceJIT
1297         https://bugs.webkit.org/show_bug.cgi?id=185813
1298
1299         Reviewed by Saam Barati.
1300
1301         Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
1302         This patch removes them and uses AssemblyHelpers' ones instead.
1303
1304         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
1305
1306         * jit/AssemblyHelpers.h:
1307         (JSC::AssemblyHelpers::tagFor):
1308         (JSC::AssemblyHelpers::payloadFor):
1309         * jit/JIT.h:
1310         * jit/JITArithmetic.cpp:
1311         (JSC::JIT::emit_op_unsigned):
1312         (JSC::JIT::emit_compareUnsigned):
1313         (JSC::JIT::emit_op_inc):
1314         (JSC::JIT::emit_op_dec):
1315         (JSC::JIT::emit_op_mod):
1316         * jit/JITCall32_64.cpp:
1317         (JSC::JIT::compileOpCall):
1318         * jit/JITInlines.h:
1319         (JSC::JIT::emitPutIntToCallFrameHeader):
1320         (JSC::JIT::updateTopCallFrame):
1321         (JSC::JIT::emitInitRegister):
1322         (JSC::JIT::emitLoad):
1323         (JSC::JIT::emitStore):
1324         (JSC::JIT::emitStoreInt32):
1325         (JSC::JIT::emitStoreCell):
1326         (JSC::JIT::emitStoreBool):
1327         (JSC::JIT::emitGetVirtualRegister):
1328         (JSC::JIT::emitPutVirtualRegister):
1329         (JSC::JIT::emitTagBool): Deleted.
1330         * jit/JITOpcodes.cpp:
1331         (JSC::JIT::emit_op_overrides_has_instance):
1332         (JSC::JIT::emit_op_is_empty):
1333         (JSC::JIT::emit_op_is_undefined):
1334         (JSC::JIT::emit_op_is_boolean):
1335         (JSC::JIT::emit_op_is_number):
1336         (JSC::JIT::emit_op_is_cell_with_type):
1337         (JSC::JIT::emit_op_is_object):
1338         (JSC::JIT::emit_op_eq):
1339         (JSC::JIT::emit_op_neq):
1340         (JSC::JIT::compileOpStrictEq):
1341         (JSC::JIT::emit_op_eq_null):
1342         (JSC::JIT::emit_op_neq_null):
1343         (JSC::JIT::emitSlow_op_eq):
1344         (JSC::JIT::emitSlow_op_neq):
1345         (JSC::JIT::emitSlow_op_instanceof_custom):
1346         (JSC::JIT::emitNewFuncExprCommon):
1347         * jit/JSInterfaceJIT.h:
1348         (JSC::JSInterfaceJIT::emitLoadInt32):
1349         (JSC::JSInterfaceJIT::emitLoadDouble):
1350         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
1351         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
1352         (JSC::JSInterfaceJIT::tagFor): Deleted.
1353         (JSC::JSInterfaceJIT::payloadFor): Deleted.
1354         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
1355         (JSC::JSInterfaceJIT::intTagFor): Deleted.
1356         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
1357         (JSC::JSInterfaceJIT::addressFor): Deleted.
1358         * jit/SpecializedThunkJIT.h:
1359         (JSC::SpecializedThunkJIT::returnDouble):
1360         * jit/ThunkGenerators.cpp:
1361         (JSC::nativeForGenerator):
1362         (JSC::arityFixupGenerator):
1363
1364 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1365
1366         Unreviewed, reland InById cache
1367         https://bugs.webkit.org/show_bug.cgi?id=185682
1368
1369         Includes Dominik's 32bit fix.
1370
1371         * bytecode/AccessCase.cpp:
1372         (JSC::AccessCase::fromStructureStubInfo):
1373         (JSC::AccessCase::generateWithGuard):
1374         (JSC::AccessCase::generateImpl):
1375         * bytecode/BytecodeDumper.cpp:
1376         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1377         (JSC::BytecodeDumper<Block>::dumpBytecode):
1378         * bytecode/BytecodeDumper.h:
1379         * bytecode/BytecodeList.json:
1380         * bytecode/BytecodeUseDef.h:
1381         (JSC::computeUsesForBytecodeOffset):
1382         (JSC::computeDefsForBytecodeOffset):
1383         * bytecode/CodeBlock.cpp:
1384         (JSC::CodeBlock::finishCreation):
1385         * bytecode/InlineAccess.cpp:
1386         (JSC::InlineAccess::generateSelfInAccess):
1387         * bytecode/InlineAccess.h:
1388         * bytecode/StructureStubInfo.cpp:
1389         (JSC::StructureStubInfo::initInByIdSelf):
1390         (JSC::StructureStubInfo::deref):
1391         (JSC::StructureStubInfo::aboutToDie):
1392         (JSC::StructureStubInfo::reset):
1393         (JSC::StructureStubInfo::visitWeakReferences):
1394         (JSC::StructureStubInfo::propagateTransitions):
1395         * bytecode/StructureStubInfo.h:
1396         (JSC::StructureStubInfo::patchableJump):
1397         * bytecompiler/BytecodeGenerator.cpp:
1398         (JSC::BytecodeGenerator::emitInByVal):
1399         (JSC::BytecodeGenerator::emitInById):
1400         (JSC::BytecodeGenerator::emitIn): Deleted.
1401         * bytecompiler/BytecodeGenerator.h:
1402         * bytecompiler/NodesCodegen.cpp:
1403         (JSC::InNode::emitBytecode):
1404         * dfg/DFGAbstractInterpreterInlines.h:
1405         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1406         * dfg/DFGByteCodeParser.cpp:
1407         (JSC::DFG::ByteCodeParser::parseBlock):
1408         * dfg/DFGCapabilities.cpp:
1409         (JSC::DFG::capabilityLevel):
1410         * dfg/DFGClobberize.h:
1411         (JSC::DFG::clobberize):
1412         * dfg/DFGConstantFoldingPhase.cpp:
1413         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1414         * dfg/DFGDoesGC.cpp:
1415         (JSC::DFG::doesGC):
1416         * dfg/DFGFixupPhase.cpp:
1417         (JSC::DFG::FixupPhase::fixupNode):
1418         * dfg/DFGJITCompiler.cpp:
1419         (JSC::DFG::JITCompiler::link):
1420         * dfg/DFGJITCompiler.h:
1421         (JSC::DFG::JITCompiler::addInById):
1422         (JSC::DFG::InRecord::InRecord): Deleted.
1423         (JSC::DFG::JITCompiler::addIn): Deleted.
1424         * dfg/DFGNode.h:
1425         (JSC::DFG::Node::convertToInById):
1426         (JSC::DFG::Node::hasIdentifier):
1427         (JSC::DFG::Node::hasArrayMode):
1428         * dfg/DFGNodeType.h:
1429         * dfg/DFGPredictionPropagationPhase.cpp:
1430         * dfg/DFGSafeToExecute.h:
1431         (JSC::DFG::safeToExecute):
1432         * dfg/DFGSpeculativeJIT.cpp:
1433         (JSC::DFG::SpeculativeJIT::compileInById):
1434         (JSC::DFG::SpeculativeJIT::compileInByVal):
1435         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
1436         * dfg/DFGSpeculativeJIT.h:
1437         * dfg/DFGSpeculativeJIT32_64.cpp:
1438         (JSC::DFG::SpeculativeJIT::compile):
1439         * dfg/DFGSpeculativeJIT64.cpp:
1440         (JSC::DFG::SpeculativeJIT::compile):
1441         * ftl/FTLCapabilities.cpp:
1442         (JSC::FTL::canCompile):
1443         * ftl/FTLLowerDFGToB3.cpp:
1444         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1445         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
1446         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1447         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
1448         * jit/AssemblyHelpers.h:
1449         (JSC::AssemblyHelpers::boxBoolean):
1450         * jit/ICStats.h:
1451         * jit/JIT.cpp:
1452         (JSC::JIT::JIT):
1453         (JSC::JIT::privateCompileMainPass):
1454         (JSC::JIT::privateCompileSlowCases):
1455         (JSC::JIT::link):
1456         * jit/JIT.h:
1457         * jit/JITInlineCacheGenerator.cpp:
1458         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1459         (JSC::JITInByIdGenerator::generateFastPath):
1460         * jit/JITInlineCacheGenerator.h:
1461         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1462         * jit/JITOperations.cpp:
1463         * jit/JITOperations.h:
1464         * jit/JITPropertyAccess.cpp:
1465         (JSC::JIT::emit_op_in_by_id):
1466         (JSC::JIT::emitSlow_op_in_by_id):
1467         * jit/JITPropertyAccess32_64.cpp:
1468         (JSC::JIT::emit_op_in_by_id):
1469         (JSC::JIT::emitSlow_op_in_by_id):
1470         * jit/Repatch.cpp:
1471         (JSC::tryCacheInByID):
1472         (JSC::repatchInByID):
1473         (JSC::resetInByID):
1474         (JSC::tryCacheIn): Deleted.
1475         (JSC::repatchIn): Deleted.
1476         (JSC::resetIn): Deleted.
1477         * jit/Repatch.h:
1478         * llint/LowLevelInterpreter.asm:
1479         * llint/LowLevelInterpreter64.asm:
1480         * parser/NodeConstructors.h:
1481         (JSC::InNode::InNode):
1482         * runtime/CommonSlowPaths.cpp:
1483         (JSC::SLOW_PATH_DECL):
1484         * runtime/CommonSlowPaths.h:
1485         (JSC::CommonSlowPaths::opInByVal):
1486         (JSC::CommonSlowPaths::opIn): Deleted.
1487
1488 2018-05-21  Commit Queue  <commit-queue@webkit.org>
1489
1490         Unreviewed, rolling out r231998 and r232017.
1491         https://bugs.webkit.org/show_bug.cgi?id=185842
1492
1493         causes crashes on 32 JSC bot (Requested by realdawei on
1494         #webkit).
1495
1496         Reverted changesets:
1497
1498         "[JSC] JSC should have consistent InById IC"
1499         https://bugs.webkit.org/show_bug.cgi?id=185682
1500         https://trac.webkit.org/changeset/231998
1501
1502         "Unreviewed, fix 32bit and scope release"
1503         https://bugs.webkit.org/show_bug.cgi?id=185682
1504         https://trac.webkit.org/changeset/232017
1505
1506 2018-05-21  Jer Noble  <jer.noble@apple.com>
1507
1508         Complete fix for enabling modern EME by default
1509         https://bugs.webkit.org/show_bug.cgi?id=185770
1510         <rdar://problem/40368220>
1511
1512         Reviewed by Eric Carlson.
1513
1514         * Configurations/FeatureDefines.xcconfig:
1515
1516 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1517
1518         Unreviewed, fix 32bit and scope release
1519         https://bugs.webkit.org/show_bug.cgi?id=185682
1520
1521         * jit/JITOperations.cpp:
1522         * jit/JITPropertyAccess32_64.cpp:
1523         (JSC::JIT::emitSlow_op_in_by_id):
1524
1525 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
1526
1527         Revert the B3 compiler pipeline's treatment of taildup
1528         https://bugs.webkit.org/show_bug.cgi?id=185808
1529
1530         Reviewed by Yusuke Suzuki.
1531         
1532         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
1533         But then path specialization turned out to be a negative result. This reverts the pipeline to the
1534         way it was before that work.
1535         
1536         1.5% progression on V8Spider-CompileTime.
1537
1538         * b3/B3Generate.cpp:
1539         (JSC::B3::generateToAir):
1540
1541 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1542
1543         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
1544         https://bugs.webkit.org/show_bug.cgi?id=185802
1545
1546         Reviewed by Saam Barati.
1547
1548         * dfg/DFGConstantFoldingPhase.cpp:
1549         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1550
1551 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
1552
1553         DFG should inline InstanceOf ICs
1554         https://bugs.webkit.org/show_bug.cgi?id=185695
1555
1556         Reviewed by Yusuke Suzuki.
1557         
1558         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
1559         be folded to a CheckStructure + JSConstant.
1560         
1561         In the process of testing this, I found a bug where LICM was not hoisting things that
1562         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
1563         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
1564         
1565         This is a ~5% speed-up on boyer.
1566         
1567         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
1568         instanceof-sometimes-hit microbenchmarks.
1569
1570         * JavaScriptCore.xcodeproj/project.pbxproj:
1571         * Sources.txt:
1572         * bytecode/GetByIdStatus.cpp:
1573         (JSC::GetByIdStatus::appendVariant):
1574         (JSC::GetByIdStatus::filter):
1575         * bytecode/GetByIdStatus.h:
1576         (JSC::GetByIdStatus::operator bool const):
1577         (JSC::GetByIdStatus::operator! const): Deleted.
1578         * bytecode/GetByIdVariant.h:
1579         (JSC::GetByIdVariant::operator bool const):
1580         (JSC::GetByIdVariant::operator! const): Deleted.
1581         * bytecode/ICStatusUtils.h: Added.
1582         (JSC::appendICStatusVariant):
1583         (JSC::filterICStatusVariants):
1584         * bytecode/InstanceOfStatus.cpp: Added.
1585         (JSC::InstanceOfStatus::appendVariant):
1586         (JSC::InstanceOfStatus::computeFor):
1587         (JSC::InstanceOfStatus::computeForStubInfo):
1588         (JSC::InstanceOfStatus::commonPrototype const):
1589         (JSC::InstanceOfStatus::filter):
1590         * bytecode/InstanceOfStatus.h: Added.
1591         (JSC::InstanceOfStatus::InstanceOfStatus):
1592         (JSC::InstanceOfStatus::state const):
1593         (JSC::InstanceOfStatus::isSet const):
1594         (JSC::InstanceOfStatus::operator bool const):
1595         (JSC::InstanceOfStatus::isSimple const):
1596         (JSC::InstanceOfStatus::takesSlowPath const):
1597         (JSC::InstanceOfStatus::numVariants const):
1598         (JSC::InstanceOfStatus::variants const):
1599         (JSC::InstanceOfStatus::at const):
1600         (JSC::InstanceOfStatus::operator[] const):
1601         * bytecode/InstanceOfVariant.cpp: Added.
1602         (JSC::InstanceOfVariant::InstanceOfVariant):
1603         (JSC::InstanceOfVariant::attemptToMerge):
1604         (JSC::InstanceOfVariant::dump const):
1605         (JSC::InstanceOfVariant::dumpInContext const):
1606         * bytecode/InstanceOfVariant.h: Added.
1607         (JSC::InstanceOfVariant::InstanceOfVariant):
1608         (JSC::InstanceOfVariant::operator bool const):
1609         (JSC::InstanceOfVariant::structureSet const):
1610         (JSC::InstanceOfVariant::structureSet):
1611         (JSC::InstanceOfVariant::conditionSet const):
1612         (JSC::InstanceOfVariant::prototype const):
1613         (JSC::InstanceOfVariant::isHit const):
1614         * bytecode/StructureStubInfo.cpp:
1615         (JSC::StructureStubInfo::StructureStubInfo):
1616         * bytecode/StructureStubInfo.h:
1617         (JSC::StructureStubInfo::considerCaching):
1618         * dfg/DFGAbstractInterpreterInlines.h:
1619         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1620         * dfg/DFGByteCodeParser.cpp:
1621         (JSC::DFG::ByteCodeParser::parseBlock):
1622         * dfg/DFGClobberize.h:
1623         (JSC::DFG::clobberize):
1624         * dfg/DFGConstantFoldingPhase.cpp:
1625         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1626         * dfg/DFGDoesGC.cpp:
1627         (JSC::DFG::doesGC):
1628         * dfg/DFGFixupPhase.cpp:
1629         (JSC::DFG::FixupPhase::fixupNode):
1630         * dfg/DFGGraph.cpp:
1631         (JSC::DFG::Graph::dump):
1632         * dfg/DFGGraph.h:
1633         * dfg/DFGLICMPhase.cpp:
1634         (JSC::DFG::LICMPhase::attemptHoist):
1635         * dfg/DFGNode.cpp:
1636         (JSC::DFG::Node::remove):
1637         * dfg/DFGNode.h:
1638         (JSC::DFG::Node::hasMatchStructureData):
1639         (JSC::DFG::Node::matchStructureData):
1640         * dfg/DFGNodeType.h:
1641         * dfg/DFGSafeToExecute.h:
1642         (JSC::DFG::safeToExecute):
1643         * dfg/DFGSpeculativeJIT.cpp:
1644         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
1645         * dfg/DFGSpeculativeJIT.h:
1646         * dfg/DFGSpeculativeJIT32_64.cpp:
1647         (JSC::DFG::SpeculativeJIT::compile):
1648         * dfg/DFGSpeculativeJIT64.cpp:
1649         (JSC::DFG::SpeculativeJIT::compile):
1650         * ftl/FTLCapabilities.cpp:
1651         (JSC::FTL::canCompile):
1652         * ftl/FTLLowerDFGToB3.cpp:
1653         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1654         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
1655
1656 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1657
1658         [JSC] JSC should have consistent InById IC
1659         https://bugs.webkit.org/show_bug.cgi?id=185682
1660
1661         Reviewed by Filip Pizlo.
1662
1663         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
1664         when we find that DFG::In's parameter is a constant string. We should
1665         align this IC with the other ById ICs to clean up and remove the ad hoc code
1666         in the DFG and FTL.
1667
1668         This patch cleans up our "In" IC by aligning it with the other ById ICs.
1669         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
1670         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
1671         to emit the InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
1672         have an inline access cache for the own-property case, the same as
1673         JITGetByIdGenerator.
1674
1675         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
1676         as the original In DFG node. DFG AI attempts to lower InByVal to InById
1677         if AI figures out that the property name is a constant string. And in the
1678         InById node, we use the JITInByIdGenerator code.
1679
1680         This patch cleans up DFG and FTL's adhoc In IC code.
1681
1682         In a subsequent patch, we should introduce InByIdStatus to optimize
1683         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
1684         reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
1685         AccessCase::Types are different from them (AccessCase::InHit / InMiss).
1686
1687         * bytecode/AccessCase.cpp:
1688         (JSC::AccessCase::fromStructureStubInfo):
1689         (JSC::AccessCase::generateWithGuard):
1690         * bytecode/BytecodeDumper.cpp:
1691         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1692         (JSC::BytecodeDumper<Block>::dumpBytecode):
1693         * bytecode/BytecodeDumper.h:
1694         * bytecode/BytecodeList.json:
1695         * bytecode/BytecodeUseDef.h:
1696         (JSC::computeUsesForBytecodeOffset):
1697         (JSC::computeDefsForBytecodeOffset):
1698         * bytecode/CodeBlock.cpp:
1699         (JSC::CodeBlock::finishCreation):
1700         * bytecode/InlineAccess.cpp:
1701         (JSC::InlineAccess::generateSelfInAccess):
1702         * bytecode/InlineAccess.h:
1703         * bytecode/StructureStubInfo.cpp:
1704         (JSC::StructureStubInfo::initInByIdSelf):
1705         (JSC::StructureStubInfo::deref):
1706         (JSC::StructureStubInfo::aboutToDie):
1707         (JSC::StructureStubInfo::reset):
1708         (JSC::StructureStubInfo::visitWeakReferences):
1709         (JSC::StructureStubInfo::propagateTransitions):
1710         * bytecode/StructureStubInfo.h:
1711         (JSC::StructureStubInfo::patchableJump):
1712         * bytecompiler/BytecodeGenerator.cpp:
1713         (JSC::BytecodeGenerator::emitInByVal):
1714         (JSC::BytecodeGenerator::emitInById):
1715         (JSC::BytecodeGenerator::emitIn): Deleted.
1716         * bytecompiler/BytecodeGenerator.h:
1717         * bytecompiler/NodesCodegen.cpp:
1718         (JSC::InNode::emitBytecode):
1719         * dfg/DFGAbstractInterpreterInlines.h:
1720         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1721         * dfg/DFGByteCodeParser.cpp:
1722         (JSC::DFG::ByteCodeParser::parseBlock):
1723         * dfg/DFGCapabilities.cpp:
1724         (JSC::DFG::capabilityLevel):
1725         * dfg/DFGClobberize.h:
1726         (JSC::DFG::clobberize):
1727         * dfg/DFGConstantFoldingPhase.cpp:
1728         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1729         * dfg/DFGDoesGC.cpp:
1730         (JSC::DFG::doesGC):
1731         * dfg/DFGFixupPhase.cpp:
1732         (JSC::DFG::FixupPhase::fixupNode):
1733         * dfg/DFGJITCompiler.cpp:
1734         (JSC::DFG::JITCompiler::link):
1735         * dfg/DFGJITCompiler.h:
1736         (JSC::DFG::JITCompiler::addInById):
1737         (JSC::DFG::InRecord::InRecord): Deleted.
1738         (JSC::DFG::JITCompiler::addIn): Deleted.
1739         * dfg/DFGNode.h:
1740         (JSC::DFG::Node::convertToInById):
1741         (JSC::DFG::Node::hasIdentifier):
1742         (JSC::DFG::Node::hasArrayMode):
1743         * dfg/DFGNodeType.h:
1744         * dfg/DFGPredictionPropagationPhase.cpp:
1745         * dfg/DFGSafeToExecute.h:
1746         (JSC::DFG::safeToExecute):
1747         * dfg/DFGSpeculativeJIT.cpp:
1748         (JSC::DFG::SpeculativeJIT::compileInById):
1749         (JSC::DFG::SpeculativeJIT::compileInByVal):
1750         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
1751         * dfg/DFGSpeculativeJIT.h:
1752         * dfg/DFGSpeculativeJIT32_64.cpp:
1753         (JSC::DFG::SpeculativeJIT::compile):
1754         * dfg/DFGSpeculativeJIT64.cpp:
1755         (JSC::DFG::SpeculativeJIT::compile):
1756         * ftl/FTLCapabilities.cpp:
1757         (JSC::FTL::canCompile):
1758         * ftl/FTLLowerDFGToB3.cpp:
1759         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1760         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
1761         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1762         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
1763         * jit/ICStats.h:
1764         * jit/JIT.cpp:
1765         (JSC::JIT::JIT):
1766         (JSC::JIT::privateCompileMainPass):
1767         (JSC::JIT::privateCompileSlowCases):
1768         (JSC::JIT::link):
1769         * jit/JIT.h:
1770         * jit/JITInlineCacheGenerator.cpp:
1771         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1772         (JSC::JITInByIdGenerator::generateFastPath):
1773         * jit/JITInlineCacheGenerator.h:
1774         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1775         * jit/JITOperations.cpp:
1776         * jit/JITOperations.h:
1777         * jit/JITPropertyAccess.cpp:
1778         (JSC::JIT::emit_op_in_by_id):
1779         (JSC::JIT::emitSlow_op_in_by_id):
1780         * jit/JITPropertyAccess32_64.cpp:
1781         (JSC::JIT::emit_op_in_by_id):
1782         (JSC::JIT::emitSlow_op_in_by_id):
1783         * jit/Repatch.cpp:
1784         (JSC::tryCacheInByID):
1785         (JSC::repatchInByID):
1786         (JSC::resetInByID):
1787         (JSC::tryCacheIn): Deleted.
1788         (JSC::repatchIn): Deleted.
1789         (JSC::resetIn): Deleted.
1790         * jit/Repatch.h:
1791         * llint/LowLevelInterpreter.asm:
1792         * llint/LowLevelInterpreter64.asm:
1793         * parser/NodeConstructors.h:
1794         (JSC::InNode::InNode):
1795         * runtime/CommonSlowPaths.cpp:
1796         (JSC::SLOW_PATH_DECL):
1797         * runtime/CommonSlowPaths.h:
1798         (JSC::CommonSlowPaths::opInByVal):
1799         (JSC::CommonSlowPaths::opIn): Deleted.
1800
1801 2018-05-18  Commit Queue  <commit-queue@webkit.org>
1802
1803         Unreviewed, rolling out r231982.
1804         https://bugs.webkit.org/show_bug.cgi?id=185793
1805
1806         Caused layout test failures (Requested by realdawei on
1807         #webkit).
1808
1809         Reverted changeset:
1810
1811         "Complete fix for enabling modern EME by default"
1812         https://bugs.webkit.org/show_bug.cgi?id=185770
1813         https://trac.webkit.org/changeset/231982
1814
1815 2018-05-18  Keith Miller  <keith_miller@apple.com>
1816
1817         op_in should mark if it sees out of bounds accesses
1818         https://bugs.webkit.org/show_bug.cgi?id=185792
1819
1820         Reviewed by Filip Pizlo.
1821
1822         This used to cause us to OSR loop since we would always speculate
1823         we were in bounds in HasIndexedProperty.
1824
1825         * bytecode/ArrayProfile.cpp:
1826         (JSC::ArrayProfile::observeIndexedRead):
1827         * bytecode/ArrayProfile.h:
1828         * runtime/CommonSlowPaths.h:
1829         (JSC::CommonSlowPaths::opIn):
1830
1831 2018-05-18  Mark Lam  <mark.lam@apple.com>
1832
1833         Add missing exception check.
1834         https://bugs.webkit.org/show_bug.cgi?id=185786
1835         <rdar://problem/35686560>
1836
1837         Reviewed by Michael Saboff.
1838
1839         * runtime/JSPropertyNameEnumerator.h:
1840         (JSC::propertyNameEnumerator):
1841
1842 2018-05-18  Jer Noble  <jer.noble@apple.com>
1843
1844         Complete fix for enabling modern EME by default
1845         https://bugs.webkit.org/show_bug.cgi?id=185770
1846         <rdar://problem/40368220>
1847
1848         Reviewed by Eric Carlson.
1849
1850         * Configurations/FeatureDefines.xcconfig:
1851
1852 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1853
1854         Unreviewed, fix exception checking, part 2
1855         https://bugs.webkit.org/show_bug.cgi?id=185350
1856
1857         * dfg/DFGOperations.cpp:
1858         (JSC::DFG::putByValInternal):
1859         * jit/JITOperations.cpp:
1860         * runtime/CommonSlowPaths.h:
1861         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
1862
1863 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
1864
1865         JSC should have InstanceOf inline caching
1866         https://bugs.webkit.org/show_bug.cgi?id=185652
1867
1868         Reviewed by Saam Barati.
1869         
1870         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
1871         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
1872         too many cases, we emit the generic instanceof implementation instead.
1873         
1874         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
1875         abstraction.
1876         
1877         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
1878         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
1879
1880         * API/tests/testapi.mm:
1881         (testObjectiveCAPIMain):
1882         * JavaScriptCore.xcodeproj/project.pbxproj:
1883         * Sources.txt:
1884         * b3/B3Effects.h:
1885         (JSC::B3::Effects::forReadOnlyCall):
1886         * bytecode/AccessCase.cpp:
1887         (JSC::AccessCase::guardedByStructureCheck const):
1888         (JSC::AccessCase::canReplace const):
1889         (JSC::AccessCase::visitWeak const):
1890         (JSC::AccessCase::generateWithGuard):
1891         (JSC::AccessCase::generateImpl):
1892         * bytecode/AccessCase.h:
1893         * bytecode/InstanceOfAccessCase.cpp: Added.
1894         (JSC::InstanceOfAccessCase::create):
1895         (JSC::InstanceOfAccessCase::dumpImpl const):
1896         (JSC::InstanceOfAccessCase::clone const):
1897         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
1898         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
1899         * bytecode/InstanceOfAccessCase.h: Added.
1900         (JSC::InstanceOfAccessCase::prototype const):
1901         * bytecode/ObjectPropertyCondition.h:
1902         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
1903         (JSC::ObjectPropertyCondition::hasPrototype):
1904         * bytecode/ObjectPropertyConditionSet.cpp:
1905         (JSC::generateConditionsForInstanceOf):
1906         * bytecode/ObjectPropertyConditionSet.h:
1907         * bytecode/PolymorphicAccess.cpp:
1908         (JSC::PolymorphicAccess::addCases):
1909         (JSC::PolymorphicAccess::regenerate):
1910         (WTF::printInternal):
1911         * bytecode/PropertyCondition.cpp:
1912         (JSC::PropertyCondition::dumpInContext const):
1913         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1914         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1915         (WTF::printInternal):
1916         * bytecode/PropertyCondition.h:
1917         (JSC::PropertyCondition::absenceWithoutBarrier):
1918         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1919         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1920         (JSC::PropertyCondition::hasPrototype):
1921         (JSC::PropertyCondition::hasPrototype const):
1922         (JSC::PropertyCondition::prototype const):
1923         (JSC::PropertyCondition::hash const):
1924         (JSC::PropertyCondition::operator== const):
1925         * bytecode/StructureStubInfo.cpp:
1926         (JSC::StructureStubInfo::StructureStubInfo):
1927         (JSC::StructureStubInfo::reset):
1928         * bytecode/StructureStubInfo.h:
1929         (JSC::StructureStubInfo::considerCaching):
1930         * dfg/DFGByteCodeParser.cpp:
1931         (JSC::DFG::ByteCodeParser::parseBlock):
1932         * dfg/DFGFixupPhase.cpp:
1933         (JSC::DFG::FixupPhase::fixupNode):
1934         * dfg/DFGInlineCacheWrapper.h:
1935         * dfg/DFGInlineCacheWrapperInlines.h:
1936         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
1937         * dfg/DFGJITCompiler.cpp:
1938         (JSC::DFG::JITCompiler::link):
1939         * dfg/DFGJITCompiler.h:
1940         (JSC::DFG::JITCompiler::addInstanceOf):
1941         * dfg/DFGOperations.cpp:
1942         * dfg/DFGSpeculativeJIT.cpp:
1943         (JSC::DFG::SpeculativeJIT::usedRegisters):
1944         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
1945         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1946         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
1947         * dfg/DFGSpeculativeJIT.h:
1948         * dfg/DFGSpeculativeJIT64.cpp:
1949         (JSC::DFG::SpeculativeJIT::cachedGetById):
1950         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1951         * ftl/FTLLowerDFGToB3.cpp:
1952         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1953         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1954         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
1955         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1956         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1957         (JSC::FTL::DFG::LowerDFGToB3::getById):
1958         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
1959         * jit/ICStats.h:
1960         * jit/JIT.cpp:
1961         (JSC::JIT::privateCompileSlowCases):
1962         (JSC::JIT::link):
1963         * jit/JIT.h:
1964         * jit/JITInlineCacheGenerator.cpp:
1965         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1966         (JSC::JITInlineCacheGenerator::finalize):
1967         (JSC::JITByIdGenerator::JITByIdGenerator):
1968         (JSC::JITByIdGenerator::finalize):
1969         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
1970         (JSC::JITInstanceOfGenerator::generateFastPath):
1971         (JSC::JITInstanceOfGenerator::finalize):
1972         * jit/JITInlineCacheGenerator.h:
1973         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
1974         (JSC::JITInlineCacheGenerator::slowPathBegin const):
1975         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
1976         (JSC::finalizeInlineCaches):
1977         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
1978         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
1979         * jit/JITOpcodes.cpp:
1980         (JSC::JIT::emit_op_instanceof):
1981         (JSC::JIT::emitSlow_op_instanceof):
1982         * jit/JITOperations.cpp:
1983         * jit/JITOperations.h:
1984         * jit/JITPropertyAccess.cpp:
1985         (JSC::JIT::privateCompileGetByValWithCachedId):
1986         (JSC::JIT::privateCompilePutByValWithCachedId):
1987         * jit/RegisterSet.cpp:
1988         (JSC::RegisterSet::stubUnavailableRegisters):
1989         * jit/Repatch.cpp:
1990         (JSC::tryCacheIn):
1991         (JSC::tryCacheInstanceOf):
1992         (JSC::repatchInstanceOf):
1993         (JSC::resetPatchableJump):
1994         (JSC::resetIn):
1995         (JSC::resetInstanceOf):
1996         * jit/Repatch.h:
1997         * runtime/Options.h:
1998         * runtime/Structure.h:
1999
2000 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2001
2002         Unreviewed, fix exception checking
2003         https://bugs.webkit.org/show_bug.cgi?id=185350
2004
2005         * runtime/CommonSlowPaths.h:
2006         (JSC::CommonSlowPaths::putDirectWithReify):
2007         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2008
2009 2018-05-17  Michael Saboff  <msaboff@apple.com>
2010
2011         We don't throw SyntaxErrors for runtime generated regular expressions with errors
2012         https://bugs.webkit.org/show_bug.cgi?id=185755
2013
2014         Reviewed by Keith Miller.
2015
2016         Added a new helper that creates the correct exception to throw for each type of error when
2017         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
2018         where we create a new RegExp from an existing one.  Also refactored other places that we
2019         throw SyntaxErrors after a failed RegExp compile to use the new helper.
2020
2021         * runtime/RegExp.h:
2022         * runtime/RegExpConstructor.cpp:
2023         (JSC::regExpCreate):
2024         (JSC::constructRegExp):
2025         * runtime/RegExpPrototype.cpp:
2026         (JSC::regExpProtoFuncCompile):
2027         * yarr/YarrErrorCode.cpp:
2028         (JSC::Yarr::errorToThrow):
2029         * yarr/YarrErrorCode.h:
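An added conformance probe for the behaviour this entry describes; it is not part of the WebKit change. It constructs RegExps at runtime from an existing RegExp (and recompiles one via Annex B `RegExp.prototype.compile`) with invalid flags or patterns and classifies the outcome, so that an engine can be checked for the missing SyntaxError.

```javascript
// Added example, not WebKit code. Probes the cases the entry above describes:
// creating a RegExp at runtime from an existing one with an invalid pattern or
// invalid flags must throw a SyntaxError, exactly as the literal form would.

// Run one construction and classify the outcome instead of letting it throw.
function probe(construct) {
  try {
    construct();
    return "ok";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : `other:${e && e.name}`;
  }
}

// Each field is one way of producing a RegExp at runtime from an existing one;
// the inputs are constructed sample values, not taken from the ChangeLog.
function regExpErrorCases() {
  const base = /a+b/g;
  return {
    // new RegExp(regexp, flags): pattern copied from an existing RegExp, bad flags
    copyWithBadFlags: probe(() => new RegExp(base, "gg")),
    copyWithUnknownFlag: probe(() => new RegExp(base, "q")),
    // Annex B compile(): recompile an existing RegExp object in place
    compileBadPattern: probe(() => new RegExp("x").compile("(")),
    compileBadFlags: probe(() => new RegExp("x").compile("a", "gg")),
    // Sanity check: a valid runtime copy of an existing RegExp still succeeds
    copyValid: probe(() => new RegExp(base, "i")),
    copyValidSource: new RegExp(base, "i").source,
  };
}
```

Every invalid case is expected to report "SyntaxError"; a result of "ok" or "other:…" on one of them is the class of defect this entry fixes.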
2030
2031 2018-05-17  Saam Barati  <sbarati@apple.com>
2032
2033         Remove shrinkFootprint test from apitests since it's flaky
2034         https://bugs.webkit.org/show_bug.cgi?id=185754
2035
2036         Reviewed by Mark Lam.
2037
2038         This test is flaky as it keeps failing on certain people's machines.
2039         Having a test about OS footprint seems like it'll forever be doomed
2040         to being flaky.
2041
2042         * API/tests/testapi.mm:
2043         (testObjectiveCAPIMain):
2044
2045 2018-05-17  Saam Barati  <sbarati@apple.com>
2046
2047         defaultConstructorSourceCode needs to makeSource every time it's called
2048         https://bugs.webkit.org/show_bug.cgi?id=185753
2049
2050         Rubber-stamped by Mark Lam.
2051
2052         The bug here is that multiple VMs can be running concurrently with one another
2053         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
2054         if we copy a static SourceCode. Instead, we create a new one each time
2055         this function is called.
2056
2057         * builtins/BuiltinExecutables.cpp:
2058         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2059
2060 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2061
2062         [JSC] Use AssemblyHelpers' type checking functions as much as possible
2063         https://bugs.webkit.org/show_bug.cgi?id=185730
2064
2065         Reviewed by Saam Barati.
2066
2067         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
2068         bit and register operations for type tagging of JSValue. It is really useful when we would like
2069         to tweak the type tagging representation since the code is collected into AssemblyHelpers. And
2070         a named function is more readable than a set of branching operations.
2071
2072         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicates
2073         of AssemblyHelpers' ones.
2074
2075         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
2076         functions even for the 32-bit environment. In the 32-bit environment, this function takes the tag register.
2077         These semantics are aligned with the existing branchIfCell / branchIfNotCell.
2078
2079         * bytecode/AccessCase.cpp:
2080         (JSC::AccessCase::generateWithGuard):
2081         * dfg/DFGSpeculativeJIT.cpp:
2082         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2083         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2084         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2085         (JSC::DFG::SpeculativeJIT::compileSpread):
2086         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2087         (JSC::DFG::SpeculativeJIT::speculateCellType):
2088         (JSC::DFG::SpeculativeJIT::speculateNumber):
2089         (JSC::DFG::SpeculativeJIT::speculateMisc):
2090         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
2091         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2092         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2093         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2094         * dfg/DFGSpeculativeJIT32_64.cpp:
2095         (JSC::DFG::SpeculativeJIT::emitCall):
2096         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2097         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2098         (JSC::DFG::SpeculativeJIT::compile):
2099         * dfg/DFGSpeculativeJIT64.cpp:
2100         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2101         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2102         (JSC::DFG::SpeculativeJIT::emitCall):
2103         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2104         (JSC::DFG::SpeculativeJIT::compile):
2105         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2106         * ftl/FTLLowerDFGToB3.cpp:
2107         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2108         * jit/AssemblyHelpers.h:
2109         (JSC::AssemblyHelpers::branchIfInt32):
2110         (JSC::AssemblyHelpers::branchIfNotInt32):
2111         (JSC::AssemblyHelpers::branchIfNumber):
2112         (JSC::AssemblyHelpers::branchIfNotNumber):
2113         (JSC::AssemblyHelpers::branchIfBoolean):
2114         (JSC::AssemblyHelpers::branchIfNotBoolean):
2115         (JSC::AssemblyHelpers::branchIfEmpty):
2116         (JSC::AssemblyHelpers::branchIfNotEmpty):
2117         (JSC::AssemblyHelpers::branchIfUndefined):
2118         (JSC::AssemblyHelpers::branchIfNotUndefined):
2119         (JSC::AssemblyHelpers::branchIfNull):
2120         (JSC::AssemblyHelpers::branchIfNotNull):
2121         * jit/JIT.h:
2122         * jit/JITArithmetic.cpp:
2123         (JSC::JIT::emit_compareAndJump):
2124         (JSC::JIT::emit_compareAndJumpSlow):
2125         * jit/JITArithmetic32_64.cpp:
2126         (JSC::JIT::emit_compareAndJump):
2127         (JSC::JIT::emit_op_unsigned):
2128         (JSC::JIT::emit_op_inc):
2129         (JSC::JIT::emit_op_dec):
2130         (JSC::JIT::emitBinaryDoubleOp):
2131         (JSC::JIT::emit_op_mod):
2132         * jit/JITCall.cpp:
2133         (JSC::JIT::compileCallEval):
2134         (JSC::JIT::compileOpCall):
2135         * jit/JITCall32_64.cpp:
2136         (JSC::JIT::compileCallEval):
2137         (JSC::JIT::compileOpCall):
2138         * jit/JITInlines.h:
2139         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
2140         (JSC::JIT::emitJumpIfBothJSCells):
2141         (JSC::JIT::emitJumpSlowCaseIfJSCell):
2142         (JSC::JIT::emitJumpIfNotInt):
2143         (JSC::JIT::emitJumpSlowCaseIfNotInt):
2144         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
2145         (JSC::JIT::emitJumpIfCellObject): Deleted.
2146         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
2147         (JSC::JIT::emitJumpIfJSCell): Deleted.
2148         (JSC::JIT::emitJumpIfInt): Deleted.
2149         * jit/JITOpcodes.cpp:
2150         (JSC::JIT::emit_op_instanceof):
2151         (JSC::JIT::emit_op_is_undefined):
2152         (JSC::JIT::emit_op_is_cell_with_type):
2153         (JSC::JIT::emit_op_is_object):
2154         (JSC::JIT::emit_op_to_primitive):
2155         (JSC::JIT::emit_op_jeq_null):
2156         (JSC::JIT::emit_op_jneq_null):
2157         (JSC::JIT::compileOpStrictEq):
2158         (JSC::JIT::compileOpStrictEqJump):
2159         (JSC::JIT::emit_op_to_number):
2160         (JSC::JIT::emit_op_to_string):
2161         (JSC::JIT::emit_op_to_object):
2162         (JSC::JIT::emit_op_eq_null):
2163         (JSC::JIT::emit_op_neq_null):
2164         (JSC::JIT::emit_op_to_this):
2165         (JSC::JIT::emit_op_create_this):
2166         (JSC::JIT::emit_op_check_tdz):
2167         (JSC::JIT::emitNewFuncExprCommon):
2168         (JSC::JIT::emit_op_profile_type):
2169         * jit/JITOpcodes32_64.cpp:
2170         (JSC::JIT::emit_op_instanceof):
2171         (JSC::JIT::emit_op_is_undefined):
2172         (JSC::JIT::emit_op_is_cell_with_type):
2173         (JSC::JIT::emit_op_is_object):
2174         (JSC::JIT::emit_op_to_primitive):
2175         (JSC::JIT::emit_op_not):
2176         (JSC::JIT::emit_op_jeq_null):
2177         (JSC::JIT::emit_op_jneq_null):
2178         (JSC::JIT::emit_op_jneq_ptr):
2179         (JSC::JIT::emit_op_eq):
2180         (JSC::JIT::emit_op_jeq):
2181         (JSC::JIT::emit_op_neq):
2182         (JSC::JIT::emit_op_jneq):
2183         (JSC::JIT::compileOpStrictEq):
2184         (JSC::JIT::compileOpStrictEqJump):
2185         (JSC::JIT::emit_op_eq_null):
2186         (JSC::JIT::emit_op_neq_null):
2187         (JSC::JIT::emit_op_to_number):
2188         (JSC::JIT::emit_op_to_string):
2189         (JSC::JIT::emit_op_to_object):
2190         (JSC::JIT::emit_op_create_this):
2191         (JSC::JIT::emit_op_to_this):
2192         (JSC::JIT::emit_op_check_tdz):
2193         (JSC::JIT::emit_op_profile_type):
2194         * jit/JITPropertyAccess.cpp:
2195         (JSC::JIT::emit_op_get_by_val):
2196         (JSC::JIT::emitGetByValWithCachedId):
2197         (JSC::JIT::emitGenericContiguousPutByVal):
2198         (JSC::JIT::emitPutByValWithCachedId):
2199         (JSC::JIT::emit_op_get_from_scope):
2200         (JSC::JIT::emit_op_put_to_scope):
2201         (JSC::JIT::emitWriteBarrier):
2202         (JSC::JIT::emitIntTypedArrayPutByVal):
2203         (JSC::JIT::emitFloatTypedArrayPutByVal):
2204         * jit/JITPropertyAccess32_64.cpp:
2205         (JSC::JIT::emit_op_get_by_val):
2206         (JSC::JIT::emitContiguousLoad):
2207         (JSC::JIT::emitArrayStorageLoad):
2208         (JSC::JIT::emitGetByValWithCachedId):
2209         (JSC::JIT::emitGenericContiguousPutByVal):
2210         (JSC::JIT::emitPutByValWithCachedId):
2211         (JSC::JIT::emit_op_get_from_scope):
2212         (JSC::JIT::emit_op_put_to_scope):
2213         * jit/JSInterfaceJIT.h:
2214         (JSC::JSInterfaceJIT::emitLoadJSCell):
2215         (JSC::JSInterfaceJIT::emitLoadInt32):
2216         (JSC::JSInterfaceJIT::emitLoadDouble):
2217         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
2218         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
2219         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
2220         * jit/Repatch.cpp:
2221         (JSC::linkPolymorphicCall):
2222         * jit/ThunkGenerators.cpp:
2223         (JSC::virtualThunkFor):
2224         (JSC::absThunkGenerator):
2225         * tools/JSDollarVM.cpp:
2226         (WTF::DOMJITNode::checkSubClassSnippet):
2227         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2228
2229 2018-05-17  Saam Barati  <sbarati@apple.com>
2230
2231         Unreviewed. Fix the build after my attempted build fix broke the build.
2232
2233         * builtins/BuiltinExecutables.cpp:
2234         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2235         (JSC::BuiltinExecutables::createDefaultConstructor):
2236         * builtins/BuiltinExecutables.h:
2237
2238 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2239
2240         [JSC] Remove reifyPropertyNameIfNeeded
2241         https://bugs.webkit.org/show_bug.cgi?id=185350
2242
2243         Reviewed by Saam Barati.
2244
2245         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
2246         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
2247         cost, we should remove this from the critical path.
2248
2249         This patch removes this function call from the critical path. And in our slow paths, we call
2250         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
2251         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
2252         and takes care of the edge cases. The other callsites of putDirect should know the type of the given
2253         object and the name of the property (and avoid these edge cases).
2254
2255         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
2256         regressions of the existing tests.
2257
2258                                            baseline                  patched
2259         Kraken:
2260             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
2261
2262         SixSpeed:
2263             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
2264
2265         * dfg/DFGOperations.cpp:
2266         (JSC::DFG::putByValInternal):
2267         (JSC::DFG::putByValCellInternal):
2268         * jit/JITOperations.cpp:
2269         * llint/LLIntSlowPaths.cpp:
2270         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2271         * runtime/ClassInfo.h:
2272         * runtime/CommonSlowPaths.h:
2273         (JSC::CommonSlowPaths::putDirectWithReify):
2274         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2275         * runtime/JSCell.cpp:
2276         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
2277         * runtime/JSCell.h:
2278         * runtime/JSFunction.cpp:
2279         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
2280         * runtime/JSFunction.h:
2281         * runtime/JSObject.cpp:
2282         (JSC::JSObject::putDirectAccessor):
2283         (JSC::JSObject::putDirectNonIndexAccessor):
2284         * runtime/JSObject.h:
2285         * runtime/JSObjectInlines.h:
2286         (JSC::JSObject::putDirectInternal):
2287
2288 2018-05-17  Saam Barati  <sbarati@apple.com>
2289
2290         Unreviewed. Try to fix windows build.
2291
2292         * builtins/BuiltinExecutables.cpp:
2293         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2294
2295 2018-05-16  Saam Barati  <sbarati@apple.com>
2296
2297         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
2298         https://bugs.webkit.org/show_bug.cgi?id=185637
2299
2300         Reviewed by Keith Miller.
2301
2302         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
2303         source code. However, we were only using this for default class constructors. There
2304         are only two types of default class constructors. This patch makes it so that
2305         we just store this information inside of a single bit, and ask for the source
2306         code as needed instead of holding it in a nullable field that is 24 bytes in size.
2307         
2308         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
2309         This has the consequence of making it allocated out of a 160 byte size class
2310         instead of a 224 byte size class. This should bring down its memory footprint
2311         by ~40%.
2312
2313         * builtins/BuiltinExecutables.cpp:
2314         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2315         (JSC::BuiltinExecutables::createDefaultConstructor):
2316         (JSC::BuiltinExecutables::createExecutable):
2317         * builtins/BuiltinExecutables.h:
2318         * bytecode/UnlinkedFunctionExecutable.cpp:
2319         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2320         (JSC::UnlinkedFunctionExecutable::link):
2321         * bytecode/UnlinkedFunctionExecutable.h:
2322         * runtime/CodeCache.cpp:
2323         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2324
2325 2018-05-16  Saam Barati  <sbarati@apple.com>
2326
2327         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
2328         https://bugs.webkit.org/show_bug.cgi?id=185707
2329
2330         Reviewed by Mark Lam.
2331
2332         * runtime/VM.cpp:
2333         (JSC::VM::shrinkFootprint):
2334
2335 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
2336
2337         [ESNext][BigInt] Implement support for "/" operation
2338         https://bugs.webkit.org/show_bug.cgi?id=183996
2339
2340         Reviewed by Yusuke Suzuki.
2341
2342         This patch is introducing the support for BigInt into divide
2343         operation in LLInt and JIT layers.
2344
2345         * dfg/DFGOperations.cpp:
2346         * runtime/CommonSlowPaths.cpp:
2347         (JSC::SLOW_PATH_DECL):
2348         * runtime/JSBigInt.cpp:
2349         (JSC::JSBigInt::divide):
2350         (JSC::JSBigInt::copy):
2351         (JSC::JSBigInt::unaryMinus):
2352         (JSC::JSBigInt::absoluteCompare):
2353         (JSC::JSBigInt::absoluteDivLarge):
2354         (JSC::JSBigInt::productGreaterThan):
2355         (JSC::JSBigInt::inplaceAdd):
2356         (JSC::JSBigInt::inplaceSub):
2357         (JSC::JSBigInt::inplaceRightShift):
2358         (JSC::JSBigInt::specialLeftShift):
2359         (JSC::JSBigInt::digit):
2360         (JSC::JSBigInt::setDigit):
2361         * runtime/JSBigInt.h:
2362
2363 2018-05-16  Saam Barati  <sbarati@apple.com>
2364
2365         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
2366         https://bugs.webkit.org/show_bug.cgi?id=185670
2367
2368         Reviewed by Yusuke Suzuki.
2369
2370         This patch makes it so that we constant fold CheckTypeInfoFlags for
2371         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
2372         fold in three ways:
2373         - When the incoming value is a constant, we just look at its inline type
2374         flags. Since those flags never change after an object is created, this
2375         is sound.
2376         - Based on the incoming value having a finite structure set. We just iterate
2377         all structures and ensure they have the bit set.
2378         - Based on speculated type. To do this, I split up SpecFunction into two
2379         subheaps where one is for functions that have the bit set, and one for
2380         functions that don't have the bit set. The latter is currently only comprised
2381         of JSBoundFunctions. To constant fold, we check that the incoming
2382         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
2383
2384         * bytecode/SpeculatedType.cpp:
2385         (JSC::speculationFromClassInfo):
2386         * bytecode/SpeculatedType.h:
2387         * dfg/DFGAbstractInterpreterInlines.h:
2388         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2389         * dfg/DFGConstantFoldingPhase.cpp:
2390         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2391         * dfg/DFGSpeculativeJIT.cpp:
2392         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2393         * dfg/DFGStrengthReductionPhase.cpp:
2394         (JSC::DFG::StrengthReductionPhase::handleNode):
2395         * runtime/JSFunction.cpp:
2396         (JSC::JSFunction::JSFunction):
2397         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2398         * runtime/JSFunction.h:
2399         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2400         * runtime/JSFunctionInlines.h:
2401         (JSC::JSFunction::JSFunction):
2402
2403 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
2404
2405         Web Inspector: create a navigation item for toggling the overlay rulers/guides
2406         https://bugs.webkit.org/show_bug.cgi?id=185644
2407
2408         Reviewed by Matt Baker.
2409
2410         * inspector/protocol/OverlayTypes.json:
2411         * inspector/protocol/Page.json:
2412
2413 2018-05-16  Commit Queue  <commit-queue@webkit.org>
2414
2415         Unreviewed, rolling out r231845.
2416         https://bugs.webkit.org/show_bug.cgi?id=185702
2417
2418         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
2419         caiolima on #webkit).
2420
2421         Reverted changeset:
2422
2423         "[ESNext][BigInt] Implement support for "/" operation"
2424         https://bugs.webkit.org/show_bug.cgi?id=183996
2425         https://trac.webkit.org/changeset/231845
2426
2427 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
2428
2429         DFG models InstanceOf incorrectly
2430         https://bugs.webkit.org/show_bug.cgi?id=185694
2431
2432         Reviewed by Keith Miller.
2433         
2434         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
2435         hoist it.
2436
2437         * dfg/DFGAbstractInterpreterInlines.h:
2438         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2439         * dfg/DFGClobberize.h:
2440         (JSC::DFG::clobberize):
2441         * dfg/DFGHeapLocation.cpp:
2442         (WTF::printInternal):
2443         * dfg/DFGHeapLocation.h:
2444         * dfg/DFGNodeType.h:
2445
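The two entries above (constant folding CheckTypeInfoFlags for ImplementsDefaultHasInstance, and modelling InstanceOf as effectful) both rest on what `instanceof` is allowed to do at the language level. The following is an added example, not code from the WebKit patches: it runs `instanceof` against Proxy operands and a bound function and records every user-visible hook the engine must run. The helper names (`traceInstanceOf`, `proxyLeftOperand`, and so on) are this example's own.

```javascript
'use strict';

// Evaluates `value instanceof ctor` once and reports the result, or the
// exception it raised, so the caller can see that the operation is observable.
function traceInstanceOf(value, ctor) {
  try {
    return { result: value instanceof ctor, threw: false };
  } catch (error) {
    return { result: undefined, threw: true, errorName: error.constructor.name };
  }
}

// Left operand is a Proxy: OrdinaryHasInstance walks its prototype chain
// through [[GetPrototypeOf]], which fires the `getPrototypeOf` trap.
function proxyLeftOperand(log) {
  return new Proxy({}, {
    getPrototypeOf(target) {
      log.push('getPrototypeOf');
      return Reflect.getPrototypeOf(target);
    },
  });
}

// Right operand is a Proxy: the engine reads ctor[Symbol.hasInstance] and
// then ctor.prototype, both through the `get` trap, before it compares anything.
function proxyRightOperand(log) {
  return new Proxy(function C() {}, {
    get(target, key, receiver) {
      log.push(typeof key === 'symbol' ? key.description : key);
      return Reflect.get(target, key, receiver);
    },
  });
}

// A trap that throws: the exception must propagate even when the boolean
// result of `instanceof` is never used, so the node cannot be dead-code
// eliminated, and it cannot be hoisted above code that would have run first.
function throwingRightOperand() {
  return new Proxy(function C() {}, {
    get() { throw new TypeError('trap fired'); },
  });
}

// Bound functions have no own `prototype`; OrdinaryHasInstance forwards to the
// bound target instead. That is why a JSBoundFunction does not carry the
// "default hasInstance" bit the DFG folds on.
function boundFunctionCase() {
  function C() {}
  const B = C.bind(null);
  return { hasPrototype: 'prototype' in B, result: new C() instanceof B };
}

function demo() {
  const leftLog = [];
  console.log(traceInstanceOf(proxyLeftOperand(leftLog), Object), leftLog);
  const rightLog = [];
  console.log(traceInstanceOf({}, proxyRightOperand(rightLog)), rightLog);
  console.log(traceInstanceOf({}, throwingRightOperand()));
  console.log(boundFunctionCase());
}

demo();
```

Run with `node`. The right-operand log shows the lookup order the spec mandates (`Symbol.hasInstance` first, then `prototype`), which is exactly the sequence a compiler that treated InstanceOf as pure would be free to skip or reorder.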
2446 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
2447
2448         Add support for Intl NumberFormat formatToParts
2449         https://bugs.webkit.org/show_bug.cgi?id=185375
2450
2451         Reviewed by Yusuke Suzuki.
2452
2453         Add flag for NumberFormat formatToParts. Implement formatToParts using
2454         unum_formatDoubleForFields. Because the fields are nested and come back
2455         in no guaranteed order, the simple algorithm to convert them to the
2456         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
2457         it appears to perform well enough for the initial implementation. Another
2458         issue has been created to improve this algorithm.
2459
2460         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
2461         on macOS, since only v57 is available.
2462
2463         * Configurations/FeatureDefines.xcconfig:
2464         * runtime/IntlNumberFormat.cpp:
2465         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
2466         (JSC::IntlNumberFormat::partTypeString):
2467         (JSC::IntlNumberFormat::formatToParts):
2468         * runtime/IntlNumberFormat.h:
2469         * runtime/IntlNumberFormatPrototype.cpp:
2470         (JSC::IntlNumberFormatPrototype::create):
2471         (JSC::IntlNumberFormatPrototype::finishCreation):
2472         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2473         * runtime/IntlNumberFormatPrototype.h:
2474         * runtime/Options.h:
2475
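The entry above describes turning ICU's nested, unordered field spans into ordered `formatToParts` output. The following is an added example, not WebKit's implementation: it performs that conversion in JavaScript over constructed field spans (the span lists, offsets and helper names are this example's own assumptions about what ICU reports; real ICU hands them back through a UFieldPositionIterator).

```javascript
'use strict';

// A field span as a field-position iterator reports it: half-open
// [begin, end) offsets into the formatted string and the part type the ICU
// field id maps to. Spans nest (the integer field encloses each group
// separator) and arrive in no particular order.
function makeField(type, begin, end) {
  return { type, begin, end };
}

// Constructed sample input for "-1,234.5": deliberately shuffled.
function sampleFields() {
  return [
    makeField('fraction', 7, 8),
    makeField('group', 2, 3),
    makeField('minusSign', 0, 1),
    makeField('integer', 1, 6),
    makeField('decimal', 6, 7),
  ];
}

// Constructed sample for "1,234.50 EUR"; the space is covered by no field.
function currencyFields() {
  return [
    makeField('currency', 9, 12),
    makeField('integer', 0, 5),
    makeField('group', 1, 2),
    makeField('decimal', 5, 6),
    makeField('fraction', 6, 8),
  ];
}

// Splits `formatted` into ECMA-402 style parts. For each position it picks
// the innermost (shortest) field covering it and cuts the part where the next
// nested field starts; uncovered characters become 'literal' parts. Scanning
// every field at every part boundary is the O(n^2) shape the ChangeLog notes.
function fieldsToParts(formatted, fields) {
  const parts = [];
  let pos = 0;
  while (pos < formatted.length) {
    let innermost = null;
    for (const field of fields) {
      const covers = field.begin <= pos && pos < field.end;
      if (covers && (innermost === null ||
          field.end - field.begin < innermost.end - innermost.begin)) {
        innermost = field;
      }
    }
    // The part ends at the earliest field boundary strictly after `pos`.
    let end = innermost === null ? formatted.length : innermost.end;
    for (const field of fields) {
      if (field.begin > pos && field.begin < end) end = field.begin;
    }
    parts.push({
      type: innermost === null ? 'literal' : innermost.type,
      value: formatted.slice(pos, end),
    });
    pos = end;
  }
  return parts;
}

// Invariant every formatToParts result must satisfy: the parts concatenate
// back to the formatted string with nothing dropped or duplicated.
function partsRoundTrip(formatted, fields) {
  return fieldsToParts(formatted, fields).map((p) => p.value).join('') === formatted;
}

console.log(fieldsToParts('-1,234.5', sampleFields()));
console.log(fieldsToParts('1,234.50 EUR', currencyFields()));
```

The round-trip invariant is the cheap check to keep when optimising this conversion: any faster algorithm must still emit a part for every code unit exactly once.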
2476 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
2477
2478         [ESNext][BigInt] Implement support for "/" operation
2479         https://bugs.webkit.org/show_bug.cgi?id=183996
2480
2481         Reviewed by Yusuke Suzuki.
2482
2483         This patch is introducing the support for BigInt into divide
2484         operation in LLInt and JIT layers.
2485
2486         * dfg/DFGOperations.cpp:
2487         * runtime/CommonSlowPaths.cpp:
2488         (JSC::SLOW_PATH_DECL):
2489         * runtime/JSBigInt.cpp:
2490         (JSC::JSBigInt::divide):
2491         (JSC::JSBigInt::copy):
2492         (JSC::JSBigInt::unaryMinus):
2493         (JSC::JSBigInt::absoluteCompare):
2494         (JSC::JSBigInt::absoluteDivLarge):
2495         (JSC::JSBigInt::productGreaterThan):
2496         (JSC::JSBigInt::inplaceAdd):
2497         (JSC::JSBigInt::inplaceSub):
2498         (JSC::JSBigInt::inplaceRightShift):
2499         (JSC::JSBigInt::specialLeftShift):
2500         (JSC::JSBigInt::digit):
2501         (JSC::JSBigInt::setDigit):
2502         * runtime/JSBigInt.h:
2503
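Both BigInt "/" entries on this page (the original landing above and the re-landing earlier) name the digit-level routines behind BigInt division: absoluteDivSmall, rightTrim, and the sign handling in divide. The following is an added example, not JSBigInt's code: it implements single-digit long division over a little-endian digit array in JavaScript, layers the ECMAScript sign and error rules on top, and checks the result against the engine's built-in `/` and `%`. The 16-bit digit width and all helper names are this example's own choices.

```javascript
'use strict';

// Toy digit width. JSBigInt uses machine-word digits; 16 bits keeps every
// intermediate value below 2^32 so plain Number arithmetic stays exact.
const DIGIT_BITS = 16;
const DIGIT_BASE = 1 << DIGIT_BITS;

// Magnitude of a BigInt as little-endian digits (constructed helper).
function toDigits(n) {
  let m = n < 0n ? -n : n;
  const digits = [];
  while (m > 0n) {
    digits.push(Number(m & BigInt(DIGIT_BASE - 1)));
    m >>= BigInt(DIGIT_BITS);
  }
  return digits;
}

function fromDigits(digits, negative) {
  let v = 0n;
  for (let i = digits.length - 1; i >= 0; i--) {
    v = (v << BigInt(DIGIT_BITS)) | BigInt(digits[i]);
  }
  return negative ? -v : v;
}

// Drop most-significant zero digits so quotients are normalised.
function rightTrim(digits) {
  let n = digits.length;
  while (n > 0 && digits[n - 1] === 0) n--;
  return digits.slice(0, n);
}

// Long division of a magnitude by a single digit: walk from the most
// significant digit down, carrying the running remainder.
// Returns [quotientDigits, remainder].
function absoluteDivSmall(digits, divisor) {
  if (!(divisor > 0 && divisor < DIGIT_BASE)) {
    throw new RangeError('divisor must be a single non-zero digit');
  }
  const quotient = new Array(digits.length).fill(0);
  let remainder = 0;
  for (let i = digits.length - 1; i >= 0; i--) {
    const current = remainder * DIGIT_BASE + digits[i]; // < 2^32, exact
    quotient[i] = Math.floor(current / divisor);
    remainder = current - quotient[i] * divisor;
  }
  return [rightTrim(quotient), remainder];
}

// ECMAScript rules on top of the magnitude division: the quotient truncates
// toward zero, the remainder takes the sign of the dividend, and dividing by
// zero is a RangeError (there is no Infinity or NaN for BigInt).
function bigintDivRem(a, b) {
  if (b === 0n) throw new RangeError('Division by zero');
  const divisorDigits = toDigits(b);
  if (divisorDigits.length > 1) {
    throw new RangeError('toy limit: divisor must fit in one digit');
  }
  const [quotientDigits, remainder] = absoluteDivSmall(toDigits(a), divisorDigits[0]);
  const quotientNegative = (a < 0n) !== (b < 0n);
  return {
    quotient: fromDigits(quotientDigits, quotientNegative),
    remainder: a < 0n ? -BigInt(remainder) : BigInt(remainder),
  };
}

// Oracle check against the engine's own operators, including the identity
// a === q * b + r that any correct divide/remainder pair must satisfy.
function crossCheck(a, b) {
  const { quotient, remainder } = bigintDivRem(a, b);
  return quotient === a / b && remainder === a % b && quotient * b + remainder === a;
}

// Observable error behaviour of the built-in operators.
function nativeEdgeCases() {
  const names = {};
  try { void (1n / 0n); } catch (e) { names.divideByZero = e.constructor.name; }
  try { void (1n / 1); } catch (e) { names.mixedOperands = e.constructor.name; }
  return names;
}

console.log(bigintDivRem(-7n, 2n), crossCheck(2n ** 40n + 12345n, 65535n), nativeEdgeCases());
```

The cross-check is the part worth keeping in any port of this code: sign handling is where hand-written multi-precision division usually goes wrong, and the identity `q * b + r === a` catches it for every input.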
2504 2018-05-16  Alberto Garcia  <berto@igalia.com>
2505
2506         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
2507         https://bugs.webkit.org/show_bug.cgi?id=182622
2508
2509         Reviewed by Michael Catanzaro.
2510
2511         We were linking JavaScriptCore against libatomic in MIPS because
2512         in that architecture __atomic_fetch_add_8() is not a compiler
2513         intrinsic and is provided by that library instead. However other
2514         architectures (e.g armel) are in the same situation, so we need a
2515         generic test.
2516
2517         That test already exists in WebKit/CMakeLists.txt, so we just have
2518         to move it to a common file (WebKitCompilerFlags.cmake) and use
2519         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
2520
2521         * CMakeLists.txt:
2522
2523 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2524
2525         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
2526         https://bugs.webkit.org/show_bug.cgi?id=185601
2527
2528         Reviewed by Saam Barati.
2529
2530         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
2531         before calling getCallData when we would like to check whether a given object is callable
2532         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
2533         is fine. But if we would like to check whether the object is callable, we can have non
2534         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
2535
2536         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
2537         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
2538         OverridesGetCallData checking before calling getCallData.
2539
2540         We found that this virtual call exists in JSON.stringify's critical path. Checking
2541         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
2542
2543                                                baseline                  patched
2544
2545             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
2546
2547         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
2548         since major cases are covered by this fast JSFunctionType checking.
2549
2550         * API/JSCallbackObject.h:
2551         * dfg/DFGAbstractInterpreterInlines.h:
2552         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2553         * dfg/DFGOperations.cpp:
2554         * dfg/DFGSpeculativeJIT.cpp:
2555         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
2556         (JSC::DFG::SpeculativeJIT::compileIsFunction):
2557         * ftl/FTLLowerDFGToB3.cpp:
2558         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
2559         * jit/AssemblyHelpers.h:
2560         (JSC::AssemblyHelpers::emitTypeOf):
2561         * runtime/ExceptionHelpers.cpp:
2562         (JSC::createError):
2563         (JSC::createInvalidFunctionApplyParameterError):
2564         * runtime/FunctionPrototype.cpp:
2565         (JSC::functionProtoFuncToString):
2566         * runtime/InternalFunction.h:
2567         * runtime/JSCJSValue.h:
2568         * runtime/JSCJSValueInlines.h:
2569         (JSC::JSValue::isFunction const):
2570         (JSC::JSValue::isCallable const):
2571         * runtime/JSCell.h:
2572         * runtime/JSCellInlines.h:
2573         (JSC::JSCell::isFunction):
2574         ALWAYS_INLINE works well for my environment.
2575         (JSC::JSCell::isCallable):
2576         * runtime/JSFunction.h:
2577         * runtime/JSONObject.cpp:
2578         (JSC::Stringifier::toJSON):
2579         (JSC::Stringifier::toJSONImpl):
2580         (JSC::Stringifier::appendStringifiedValue):
2581         * runtime/JSObjectInlines.h:
2582         (JSC::createListFromArrayLike):
2583         * runtime/JSTypeInfo.h:
2584         (JSC::TypeInfo::overridesGetCallData const):
2585         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
2586         * runtime/Operations.cpp:
2587         (JSC::jsTypeStringForValue):
2588         (JSC::jsIsObjectTypeOrNull):
2589         * runtime/ProxyObject.h:
2590         * runtime/RuntimeType.cpp:
2591         (JSC::runtimeTypeForValue):
2592         * runtime/RuntimeType.h:
2593         * runtime/Structure.cpp:
2594         (JSC::Structure::Structure):
2595         * runtime/TypeProfilerLog.cpp:
2596         (JSC::TypeProfilerLog::TypeProfilerLog):
2597         (JSC::TypeProfilerLog::processLogEntries):
2598         * runtime/TypeProfilerLog.h:
2599         * runtime/VM.cpp:
2600         (JSC::VM::enableTypeProfiler):
2601         * tools/JSDollarVM.cpp:
2602         (JSC::functionFindTypeForExpression):
2603         (JSC::functionReturnTypeFor):
2604         (JSC::functionHasBasicBlockExecuted):
2605         (JSC::functionBasicBlockExecutionCount):
2606         * wasm/js/JSWebAssemblyHelpers.h:
2607         (JSC::getWasmBufferFromValue):
2608         * wasm/js/JSWebAssemblyInstance.cpp:
2609         (JSC::JSWebAssemblyInstance::create):
2610         * wasm/js/WebAssemblyFunction.cpp:
2611         (JSC::callWebAssemblyFunction):
2612         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2613         (JSC::constructJSWebAssemblyInstance):
2614         * wasm/js/WebAssemblyModuleRecord.cpp:
2615         (JSC::WebAssemblyModuleRecord::link):
2616         * wasm/js/WebAssemblyPrototype.cpp:
2617         (JSC::webAssemblyInstantiateFunc):
2618         (JSC::webAssemblyInstantiateStreamingInternal):
2619         * wasm/js/WebAssemblyWrapperFunction.cpp:
2620         (JSC::WebAssemblyWrapperFunction::finishCreation):
2621
2622 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
2623
2624         Web Inspector: Add rulers and guides
2625         https://bugs.webkit.org/show_bug.cgi?id=32263
2626         <rdar://problem/19281564>
2627
2628         Reviewed by Matt Baker.
2629
2630         * inspector/protocol/OverlayTypes.json:
2631
2632 2018-05-14  Keith Miller  <keith_miller@apple.com>
2633
2634         Remove butterflyMask from DFGAbstractHeap
2635         https://bugs.webkit.org/show_bug.cgi?id=185640
2636
2637         Reviewed by Saam Barati.
2638
2639         We don't have a butterfly indexing mask anymore so we don't need
2640         the abstract heap information for it anymore.
2641
2642         * dfg/DFGAbstractHeap.h:
2643         * dfg/DFGClobberize.h:
2644         (JSC::DFG::clobberize):
2645
2646 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
2647
2648         [INTL] Handle error in defineProperty for supported locales length
2649         https://bugs.webkit.org/show_bug.cgi?id=185623
2650
2651         Reviewed by Saam Barati.
2652
2653         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
2654         length of the supported locales array.
2655
2656         * runtime/IntlObject.cpp:
2657         (JSC::supportedLocales):
2658
2659 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2660
2661         [JSC] Tweak LiteralParser to improve lexing performance
2662         https://bugs.webkit.org/show_bug.cgi?id=185541
2663
2664         Reviewed by Saam Barati.
2665
2666         This patch attempts to improve LiteralParser performance.
2667
2668         This patch improves Kraken/json-parse-financial by roughly ~10%.
2669                                            baseline                  patched
2670
2671             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
2672
2673         * parser/Lexer.cpp:
2674         (JSC::Lexer<T>::Lexer):
2675         * runtime/ArgList.h:
2676         (JSC::MarkedArgumentBuffer::takeLast):
2677         Add takeLast() for idiomatic last() + removeLast() calls.
2678
2679         * runtime/LiteralParser.cpp:
2680         (JSC::LiteralParser<CharType>::Lexer::lex):
2681         Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
2682         We should not include this mode in its template parameter to reduce the code size.
2683         And we do not use a template parameter for a terminator since duplicating ' and " code for lexString is not good.
2684         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
2685
2686         (JSC::LiteralParser<CharType>::Lexer::next):
2687         (JSC::isSafeStringCharacter):
2688         Take mode in its template parameter. But do not take the terminator character in its template parameter.
2689
2690         (JSC::LiteralParser<CharType>::Lexer::lexString):
2691         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2692         Duplicate while statements manually since this is a critical path.
2693
2694         (JSC::LiteralParser<CharType>::parse):
2695         Use takeLast().
2696
2697         * runtime/LiteralParser.h:
2698
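The entry above describes three lexing techniques: a token-type table indexed by the first character, a fast lexString path over "safe" characters, and a separate lexStringSlow path for escapes. The following is an added example, not LiteralParser's code: a small JSON tokenizer in JavaScript built the same way. Token names, table layout and the error-reporting shape are this example's own assumptions.

```javascript
'use strict';

// Token kinds. The values only need to be distinct.
const TOK = {
  LBRACE: 1, RBRACE: 2, LBRACKET: 3, RBRACKET: 4, COLON: 5, COMMA: 6,
  STRING: 7, NUMBER: 8, TRUE: 9, FALSE: 10, NULL: 11, END: 12, ERROR: 13,
};

// Dispatch table indexed by the first code unit of a token. One table load
// replaces a switch over every possible character; non-ASCII falls to ERROR.
const TOKEN_TYPE_TABLE = new Uint8Array(128).fill(TOK.ERROR);
const SINGLE_CHAR = { '{': TOK.LBRACE, '}': TOK.RBRACE, '[': TOK.LBRACKET,
                      ']': TOK.RBRACKET, ':': TOK.COLON, ',': TOK.COMMA };
for (const [ch, type] of Object.entries(SINGLE_CHAR)) TOKEN_TYPE_TABLE[ch.charCodeAt(0)] = type;
for (const ch of '-0123456789') TOKEN_TYPE_TABLE[ch.charCodeAt(0)] = TOK.NUMBER;
TOKEN_TYPE_TABLE['"'.charCodeAt(0)] = TOK.STRING;
TOKEN_TYPE_TABLE['t'.charCodeAt(0)] = TOK.TRUE;
TOKEN_TYPE_TABLE['f'.charCodeAt(0)] = TOK.FALSE;
TOKEN_TYPE_TABLE['n'.charCodeAt(0)] = TOK.NULL;

// A code unit that can sit inside a JSON string with no special handling:
// not a quote, not a backslash, not a control character. Code units above
// 0x7F are always safe and are never looked up here.
const IS_SAFE_STRING_CHAR = new Uint8Array(128).fill(1);
for (let c = 0; c < 0x20; c++) IS_SAFE_STRING_CHAR[c] = 0;
IS_SAFE_STRING_CHAR[0x22] = 0; // "
IS_SAFE_STRING_CHAR[0x5c] = 0; // backslash

const KEYWORDS = { [TOK.TRUE]: 'true', [TOK.FALSE]: 'false', [TOK.NULL]: 'null' };
const NUMBER_RE = /-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?/y;
const SIMPLE_ESCAPES = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };

// Fast path: scan safe code units only, then slice once. Any escape or
// control character falls back to the slow path from the same start.
function lexString(src, start) {
  let i = start;
  while (i < src.length) {
    const c = src.charCodeAt(i);
    if (c < 128 && !IS_SAFE_STRING_CHAR[c]) break;
    i++;
  }
  if (i < src.length && src.charCodeAt(i) === 0x22) return { value: src.slice(start, i), end: i + 1 };
  return lexStringSlow(src, start);
}

// Slow path: builds the value piecewise, decoding escapes and rejecting raw
// control characters and unterminated strings (returns null on error).
function lexStringSlow(src, start) {
  let out = '';
  for (let i = start; i < src.length;) {
    const c = src.charCodeAt(i);
    if (c === 0x22) return { value: out, end: i + 1 };
    if (c < 0x20) return null;
    if (c !== 0x5c) { out += src[i]; i++; continue; }
    const esc = src[i + 1];
    if (esc === 'u') {
      const hex = src.slice(i + 2, i + 6);
      if (!/^[0-9a-fA-F]{4}$/.test(hex)) return null;
      out += String.fromCharCode(parseInt(hex, 16));
      i += 6;
    } else if (Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, esc)) {
      out += SIMPLE_ESCAPES[esc];
      i += 2;
    } else {
      return null;
    }
  }
  return null;
}

// Tokenises JSON text; stops at the first error with an ERROR token.
function lex(src) {
  const tokens = [];
  let i = 0;
  for (;;) {
    while (i < src.length && ' \t\n\r'.includes(src[i])) i++;
    if (i >= src.length) { tokens.push({ type: TOK.END }); return tokens; }
    const c = src.charCodeAt(i);
    const type = c < 128 ? TOKEN_TYPE_TABLE[c] : TOK.ERROR;
    if (type === TOK.STRING) {
      const s = lexString(src, i + 1);
      if (s === null) { tokens.push({ type: TOK.ERROR, at: i }); return tokens; }
      tokens.push({ type, value: s.value });
      i = s.end;
    } else if (type === TOK.NUMBER) {
      NUMBER_RE.lastIndex = i;
      const m = NUMBER_RE.exec(src);
      if (m === null) { tokens.push({ type: TOK.ERROR, at: i }); return tokens; }
      tokens.push({ type, value: Number(m[0]) });
      i += m[0].length;
    } else if (type === TOK.TRUE || type === TOK.FALSE || type === TOK.NULL) {
      const word = KEYWORDS[type];
      if (!src.startsWith(word, i)) { tokens.push({ type: TOK.ERROR, at: i }); return tokens; }
      tokens.push({ type });
      i += word.length;
    } else if (type === TOK.ERROR) {
      tokens.push({ type, at: i });
      return tokens;
    } else {
      tokens.push({ type });
      i++;
    }
  }
}

console.log(lex('{"a": [1, "b\\n", -2.5e3, true, null]}'));
```

The slow path is also where input validation lives: a raw control character inside a string, a bad `\u` escape or a missing closing quote all surface as an ERROR token rather than being silently accepted, which is the property to preserve when tuning the fast path.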
2699 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
2700
2701         [MIPS] Use btpz to compare against 0 instead of bpeq
2702         https://bugs.webkit.org/show_bug.cgi?id=185607
2703
2704         Reviewed by Yusuke Suzuki.
2705
2706         Fixes build on MIPS since MIPS doesn't have an instruction to
2707         compare a register against an immediate. Since the immediate is just 0
2708         in this case the simplest solution is just to use btpz instead of bpeq
2709         to compare to 0.
2710
2711         * llint/LowLevelInterpreter.asm:
2712
2713 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
2714
2715         CachedCall::call() should be faster
2716         https://bugs.webkit.org/show_bug.cgi?id=185583
2717
2718         Reviewed by Yusuke Suzuki.
2719         
2720         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
2721         Unfortunately, because of a combination of abstraction and assertions, this code path had a
2722         lot of overhead. This patch reduces this overhead by:
2723         
2724         - Turning off some assertions. These assertions don't look to have security value; they're
2725           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
2726           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
2727           call, considering that the caller would have already been strongly assuming that the JSLock
2728           is held.
2729         
2730         - Making more things inlineable.
2731         
2732         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
2733
2734         * JavaScriptCore.xcodeproj/project.pbxproj:
2735         * interpreter/CachedCall.h:
2736         (JSC::CachedCall::call):
2737         * interpreter/Interpreter.cpp:
2738         (JSC::checkedReturn): Deleted.
2739         * interpreter/Interpreter.h:
2740         (JSC::Interpreter::checkedReturn):
2741         * interpreter/InterpreterInlines.h:
2742         (JSC::Interpreter::execute):
2743         * jit/JITCode.cpp:
2744         (JSC::JITCode::execute): Deleted.
2745         * jit/JITCodeInlines.h: Added.
2746         (JSC::JITCode::execute):
2747         * llint/LowLevelInterpreter.asm:
2748         * runtime/StringPrototype.cpp:
2749
2750 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
2751
2752         [INTL] Improve spec & test262 compliance for Intl APIs
2753         https://bugs.webkit.org/show_bug.cgi?id=185578
2754
2755         Reviewed by Yusuke Suzuki.
2756
2757         Use putDirectIndex over push for lists to arrays.
2758         Update default options to construct with a null prototype.
2759         Define constructor and toStringTag on prototypes.
2760         Add proper time clipping.
2761         Remove some outdated comment spec text, use url instead.
2762
2763         * runtime/IntlCollator.cpp:
2764         (JSC::IntlCollator::initializeCollator):
2765         * runtime/IntlCollatorConstructor.cpp:
2766         (JSC::IntlCollatorConstructor::finishCreation):
2767         * runtime/IntlCollatorPrototype.cpp:
2768         (JSC::IntlCollatorPrototype::finishCreation):
2769         * runtime/IntlDateTimeFormatConstructor.cpp:
2770         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2771         * runtime/IntlDateTimeFormatPrototype.cpp:
2772         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2773         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2774         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2775         * runtime/IntlNumberFormat.cpp:
2776         (JSC::IntlNumberFormat::initializeNumberFormat):
2777         * runtime/IntlNumberFormatConstructor.cpp:
2778         (JSC::IntlNumberFormatConstructor::finishCreation):
2779         * runtime/IntlNumberFormatPrototype.cpp:
2780         (JSC::IntlNumberFormatPrototype::finishCreation):
2781         * runtime/IntlObject.cpp:
2782         (JSC::lookupSupportedLocales):
2783         (JSC::supportedLocales):
2784         (JSC::intlObjectFuncGetCanonicalLocales):
2785         * runtime/IntlPluralRules.cpp:
2786         (JSC::IntlPluralRules::resolvedOptions):
2787         * runtime/IntlPluralRulesConstructor.cpp:
2788         (JSC::IntlPluralRulesConstructor::finishCreation):
2789
2790 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
2791
2792         [ESNext][BigInt] Implement support for "*" operation
2793         https://bugs.webkit.org/show_bug.cgi?id=183721
2794
2795         Reviewed by Yusuke Suzuki.
2796
2797         Added BigInt support into times binary operator into LLInt and on
2798         JITOperations profiledMul and unprofiledMul. We are also replacing all
2799         uses of int with unsigned when there are no negative values for
2800         variables.
2801
2802         * dfg/DFGConstantFoldingPhase.cpp:
2803         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2804         * jit/JITOperations.cpp:
2805         * runtime/CommonSlowPaths.cpp:
2806         (JSC::SLOW_PATH_DECL):
2807         * runtime/JSBigInt.cpp:
2808         (JSC::JSBigInt::JSBigInt):
2809         (JSC::JSBigInt::allocationSize):
2810         (JSC::JSBigInt::createWithLength):
2811         (JSC::JSBigInt::toString):
2812         (JSC::JSBigInt::multiply):
2813         (JSC::JSBigInt::digitDiv):
2814         (JSC::JSBigInt::internalMultiplyAdd):
2815         (JSC::JSBigInt::multiplyAccumulate):
2816         (JSC::JSBigInt::equals):
2817         (JSC::JSBigInt::absoluteDivSmall):
2818         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2819         (JSC::JSBigInt::toStringGeneric):
2820         (JSC::JSBigInt::rightTrim):
2821         (JSC::JSBigInt::allocateFor):
2822         (JSC::JSBigInt::parseInt):
2823         (JSC::JSBigInt::digit):
2824         (JSC::JSBigInt::setDigit):
2825         * runtime/JSBigInt.h:
2826         * runtime/JSCJSValue.h:
2827         * runtime/JSCJSValueInlines.h:
2828         (JSC::JSValue::toNumeric const):
2829         * runtime/Operations.h:
2830         (JSC::jsMul):
2831
2832 2018-05-11  Commit Queue  <commit-queue@webkit.org>
2833
2834         Unreviewed, rolling out r231316 and r231332.
2835         https://bugs.webkit.org/show_bug.cgi?id=185564
2836
2837         Appears to be a Speedometer2/MotionMark regression (Requested
2838         by keith_miller on #webkit).
2839
2840         Reverted changesets:
2841
2842         "Remove the prototype caching for get_by_id in the LLInt"
2843         https://bugs.webkit.org/show_bug.cgi?id=185226
2844         https://trac.webkit.org/changeset/231316
2845
2846         "Unreviewed, fix 32-bit profile offset for change in bytecode"
2847         https://trac.webkit.org/changeset/231332
2848
2849 2018-05-11  Michael Saboff  <msaboff@apple.com>
2850
2851         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
2852         https://bugs.webkit.org/show_bug.cgi?id=185328
2853
2854         Reviewed by Keith Miller.
2855
2856         Fixed a typo from when this code was added in r228968 where resultGPR
2857         was assigned the input register instead of the result.gpr().
2858
2859         * dfg/DFGSpeculativeJIT64.cpp:
2860         (JSC::DFG::SpeculativeJIT::compile):
2861
2862 2018-05-11  Saam Barati  <sbarati@apple.com>
2863
2864         Don't use inferred types when the JIT is disabled
2865         https://bugs.webkit.org/show_bug.cgi?id=185539
2866
2867         Reviewed by Yusuke Suzuki.
2868
2869         There are many JSC API clients that run with the JIT disabled. They were
2870         all allocating and tracking inferred types for no benefit. Inferred types
2871         only benefit programs when they make it to the DFG/FTL. I was seeing cases
2872         where the inferred type machinery used ~0.5MB. This patch makes it so we
2873         don't allocate that machinery when the JIT is disabled.
2874
2875         * runtime/Structure.cpp:
2876         (JSC::Structure::willStoreValueSlow):
2877         * runtime/Structure.h:
2878
2879 2018-05-11  Saam Barati  <sbarati@apple.com>
2880
2881         Don't allocate value profiles when the JIT is disabled
2882         https://bugs.webkit.org/show_bug.cgi?id=185525
2883
2884         Reviewed by Michael Saboff.
2885
2886         There are many JSC API clients that run with the JIT disabled. We were
2887         still allocating a ton of value profiles in this use case even though
2888         these clients get no benefit from doing value profiling. This patch makes
2889         it so that we don't allocate value profiles or argument value profiles
2890         when we're not using the JIT. We now just make all value profiles in
2891         the instruction stream point to a global value profile that the VM owns.
2892         And we make the argument value profile array have zero length and teach
2893         the LLInt how to handle that. Heap clears the global value profile on each GC.
2894
2895         In an app that I'm testing this against, this saves ~1MB of memory.
2896
2897         * bytecode/CodeBlock.cpp:
2898         (JSC::CodeBlock::finishCreation):
2899         (JSC::CodeBlock::setNumParameters):
2900         * bytecode/CodeBlock.h:
2901         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2902         (JSC::CodeBlock::valueProfileForArgument):
2903         * bytecompiler/BytecodeGenerator.cpp:
2904         (JSC::BytecodeGenerator::emitProfiledOpcode):
2905         * heap/Heap.cpp:
2906         (JSC::Heap::runEndPhase):
2907         * llint/LowLevelInterpreter.asm:
2908         * runtime/VM.cpp:
2909         (JSC::VM::VM):
2910         * runtime/VM.h:
2911
2912 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2913
2914         [JSC][GLIB] Add introspectable alternatives to functions using varargs
2915         https://bugs.webkit.org/show_bug.cgi?id=185508
2916
2917         Reviewed by Michael Catanzaro.
2918
2919         * API/glib/JSCClass.cpp:
2920         (jscClassCreateConstructor):
2921         (jsc_class_add_constructor):
2922         (jsc_class_add_constructorv):
2923         (jscClassAddMethod):
2924         (jsc_class_add_method):
2925         (jsc_class_add_methodv):
2926         * API/glib/JSCClass.h:
2927         * API/glib/JSCValue.cpp:
2928         (jsObjectCall):
2929         (jscValueCallFunction):
2930         (jsc_value_object_invoke_methodv):
2931         (jscValueFunctionCreate):
2932         (jsc_value_new_function):
2933         (jsc_value_new_functionv):
2934         (jsc_value_function_callv):
2935         (jsc_value_constructor_callv):
2936         * API/glib/JSCValue.h:
2937         * API/glib/docs/jsc-glib-4.0-sections.txt:
2938
2939 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2940
2941         [JSC] Make return types of construction functions tight
2942         https://bugs.webkit.org/show_bug.cgi?id=185509
2943
2944         Reviewed by Saam Barati.
2945
2946         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
2947
2948         * runtime/ArrayConstructor.cpp:
2949         (JSC::constructArrayWithSizeQuirk):
2950         * runtime/ArrayConstructor.h:
2951         * runtime/ObjectConstructor.h:
2952         (JSC::constructEmptyObject):
2953
2954 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2955
2956         [JSC] Object.assign for final objects should be faster
2957         https://bugs.webkit.org/show_bug.cgi?id=185348
2958
2959         Reviewed by Saam Barati.
2960
2961         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
2962         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
2963
2964         If enumerating properties of source objects and putting properties to the target object are non-observable,
2965         we can avoid hash table lookups of source object properties. We can enumerate object property entries,
2966         and put them to the target object. This patch adds this fast path to the Object.assign implementation.
2967
2968         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
2969         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
2970         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
2971
2972         This improves object-assign.es6 by 1.85x.
2973
2974                                         baseline                  patched
2975
2976             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
2977
2978         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
2979
2980         * runtime/JSObject.h:
2981         * runtime/JSObjectInlines.h:
2982         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
2983         (JSC::JSObject::canPerformFastPutInline):
2984         * runtime/ObjectConstructor.cpp:
2985         (JSC::objectConstructorAssign):
2986         * runtime/Structure.cpp:
2987         (JSC::Structure::Structure):
2988         * runtime/Structure.h:
2989         * runtime/StructureInlines.h:
2990         (JSC::Structure::forEachProperty):
2991         (JSC::Structure::add):
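
The "__proto__" case the entry describes, as an added JavaScript example that is not part of WebKit's change (the input is constructed and the function names are mine): it shows why a source with an own "__proto__" property makes the copy observable, and the null-prototype target that avoids it.

```javascript
'use strict';
// Added example, not WebKit code: why Object.assign's fast path must bail out
// when the source object has an own property literally named "__proto__".

// JSON.parse creates "__proto__" as an OWN data property of the parsed object
// (an object literal would instead set the prototype). Constructed sample input.
function makeSourceWithOwnProto() {
  return JSON.parse('{"__proto__": {"marker": "from-proto"}, "x": 1}');
}

// Object.assign performs an ordinary [[Put]] on the target for each own
// enumerable key of the source. An ordinary target has no own "__proto__",
// so [[Put]] reaches the inherited accessor on Object.prototype and runs its
// setter, which re-parents the target. That is observable behaviour, so an
// engine cannot blindly copy the source's property entries into the target.
function assignToOrdinaryTarget(source) {
  const target = {};
  Object.assign(target, source);
  return {
    ownKeys: Object.keys(target),                                           // ['x']
    hasOwnProto: Object.prototype.hasOwnProperty.call(target, '__proto__'), // false
    prototypeChanged: Object.getPrototypeOf(target) !== Object.prototype,   // true
    marker: target.marker, // 'from-proto', reachable only via the new prototype
  };
}

// A null-prototype target has no inherited setter, so the same key becomes a
// plain own data property and the prototype stays null. Merging untrusted JSON
// into such a target (or rejecting an own "__proto__" key first) is the usual
// defensive pattern.
function assignToNullPrototypeTarget(source) {
  const target = Object.create(null);
  Object.assign(target, source);
  return {
    ownKeys: Object.keys(target),                                           // ['__proto__', 'x']
    hasOwnProto: Object.prototype.hasOwnProperty.call(target, '__proto__'), // true
    prototypeIsNull: Object.getPrototypeOf(target) === null,                // true
    marker: target.marker, // undefined: nothing is inherited
  };
}

// Cheap pre-check a caller can apply to untrusted input before merging.
function hasOwnProtoKey(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}
```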
2992
2993 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
2994
2995         DFG CFA should pick the right time to inject OSR entry data
2996         https://bugs.webkit.org/show_bug.cgi?id=185530
2997
2998         Reviewed by Saam Barati.
2999         
3000         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
3001         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
3002         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
3003         would eventually LUB to non-constant.
3004         
3005         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
3006         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
3007         useless regexp/string execution in the compiler.
3008
3009         * dfg/DFGBlockSet.h:
3010         (JSC::DFG::BlockSet::remove):
3011         * dfg/DFGCFAPhase.cpp:
3012         (JSC::DFG::CFAPhase::run):
3013         (JSC::DFG::CFAPhase::injectOSR):
3014         (JSC::DFG::CFAPhase::performBlockCFA):
3015
3016 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
3017
3018         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
3019         https://bugs.webkit.org/show_bug.cgi?id=185452
3020
3021         Reviewed by Michael Saboff.
3022         
3023         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
3024         from the block head to InPlaceAbstractState::m_variables. It is necessary for
3025         InPlaceAbstractState to have its own copy since we need to mutate it separately from
3026         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
3027         of superfluous work.
3028         
3029         This change adds a bitvector called m_activeVariables that tracks which variables have been
3030         copied. We lazily copy the variables on first use. Variables that were never copied also have
3031         a simplified merging path, which just needs to consider if the variable got clobbered between
3032         head and tail.
3033         
3034         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
3035
3036         * bytecode/Operands.h:
3037         (JSC::Operands::argumentIndex const):
3038         (JSC::Operands::localIndex const):
3039         (JSC::Operands::argument):
3040         (JSC::Operands::argument const):
3041         (JSC::Operands::local):
3042         (JSC::Operands::local const):
3043         (JSC::Operands::operandIndex const):
3044         * dfg/DFGAbstractValue.h:
3045         (JSC::DFG::AbstractValue::fastForwardFromTo):
3046         * dfg/DFGCFAPhase.cpp:
3047         (JSC::DFG::CFAPhase::performForwardCFA):
3048         * dfg/DFGInPlaceAbstractState.cpp:
3049         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3050         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
3051         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
3052         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3053         (JSC::DFG::InPlaceAbstractState::activateVariable):
3054         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
3055         * dfg/DFGInPlaceAbstractState.h:
3056         (JSC::DFG::InPlaceAbstractState::variableAt):
3057         (JSC::DFG::InPlaceAbstractState::operand):
3058         (JSC::DFG::InPlaceAbstractState::local):
3059         (JSC::DFG::InPlaceAbstractState::argument):
3060         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
3061         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
3062
3063 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
3064
3065         [ESNext][BigInt] Implement support for "==" operation
3066         https://bugs.webkit.org/show_bug.cgi?id=184474
3067
3068         Reviewed by Yusuke Suzuki.
3069
3070         This patch is implementing support of BigInt for equals operator
3071         following the spec semantics[1].
3072
3073         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
3074
3075         * runtime/JSBigInt.cpp:
3076         (JSC::JSBigInt::parseInt):
3077         (JSC::JSBigInt::stringToBigInt):
3078         (JSC::JSBigInt::toString):
3079         (JSC::JSBigInt::setDigit):
3080         (JSC::JSBigInt::equalsToNumber):
3081         (JSC::JSBigInt::compareToDouble):
3082         * runtime/JSBigInt.h:
3083         * runtime/JSCJSValueInlines.h:
3084         (JSC::JSValue::equalSlowCaseInline):
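
The BigInt/Number branch of the abstract equality rule the entry links, as an added JavaScript example that is not WebKit's code (the cases are constructed and the function names are mine): it shows why the comparison has to be exact rather than go through a lossy conversion to double.

```javascript
'use strict';
// Added example, not WebKit code: a BigInt and a Number are == only when both
// denote the same mathematical integer, so NaN and +/-Infinity never match and
// the comparison must not round the BigInt to a double first.

// Exact rule: BigInt(y) is lossless for any finite integer-valued double, so
// nothing is lost even far beyond 2**53.
function bigIntLooselyEqualsNumber(x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'number') {
    throw new TypeError('expected (bigint, number)');
  }
  if (!Number.isFinite(y) || !Number.isInteger(y)) return false;
  return x === BigInt(y);
}

// Naive rule: convert the BigInt to a double first. Number(x) rounds to the
// nearest representable double, so neighbouring large values collide.
function naiveEquals(x, y) {
  return Number(x) === y;
}

// Constructed cases; the last column is what the engine's == must return.
const CASES = [
  [1n, 1, true],
  [0n, -0, true],
  [1n, 1.5, false],
  [2n ** 53n, 2 ** 53, true],
  [2n ** 53n + 1n, 2 ** 53, false], // naive: Number(2n**53n+1n) rounds to 2**53
  [2n ** 1024n, Infinity, false],   // naive: Number(2n**1024n) is Infinity
  [0n, NaN, false],
];

// Cases where the naive double conversion gives the wrong answer while the
// exact rule gives the expected one.
function naiveMismatches() {
  return CASES.filter(([x, y, expected]) =>
    bigIntLooselyEqualsNumber(x, y) === expected && naiveEquals(x, y) !== expected);
}

// True when the exact rule agrees with the engine's native == on every case.
function exactRuleMatchesNative() {
  return CASES.every(([x, y, expected]) =>
    bigIntLooselyEqualsNumber(x, y) === expected && (x == y) === expected);
}
```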
3085
3086 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
3087
3088         Speed up AbstractInterpreter::executeEdges
3089         https://bugs.webkit.org/show_bug.cgi?id=185457
3090
3091         Reviewed by Saam Barati.
3092
3093         This patch started out with the desire to make executeEdges() faster by making filtering faster.
3094         However, when I studied the disassembly, I found that there are many opportunities for
3095         improvement and I implemented all of them:
3096         
3097         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
3098           for non-cells.
3099         
3100         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
3101           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
3102         
3103         - Similarly, edge verification doesn't need to fast-forward in the common case.
3104         
3105         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
3106         
3107         - The edge doesn't even have to be considered for execution if it's UntypedUse.
3108         
3109         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
3110         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
3111         it means proving that the value could either be formatted as a double (with impure NaN values),
3112         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
3113         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
3114         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
3115         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
3116         SpecBytecodeNumber (if returning a JSValueRep).
3117         
3118         But that fix revealed an amazing timeout in
3119         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
3120         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
3121         ever realizing that we should jettison something. The problem was with how
3122         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
3123         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
3124         
3125         This is a 1% improvement in V8Spider-CompileTime.
3126
3127         * bytecode/ExitKind.cpp:
3128         (JSC::exitKindMayJettison):
3129         * dfg/DFGAbstractInterpreter.h:
3130         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3131         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
3132         * dfg/DFGAbstractInterpreterInlines.h:
3133         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
3134         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
3135         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
3136         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
3137         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3138         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3139         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
3140         * dfg/DFGAbstractValue.cpp:
3141         (JSC::DFG::AbstractValue::filterSlow):
3142         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
3143         * dfg/DFGAbstractValue.h:
3144         (JSC::DFG::AbstractValue::filter):
3145         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
3146         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
3147         (JSC::DFG::AbstractValue::makeTop):
3148         * dfg/DFGAtTailAbstractState.h:
3149         (JSC::DFG::AtTailAbstractState::fastForward):
3150         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
3151         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
3152         * dfg/DFGGraph.h:
3153         (JSC::DFG::Graph::doToChildren):
3154         * dfg/DFGInPlaceAbstractState.h:
3155         (JSC::DFG::InPlaceAbstractState::fastForward):
3156         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
3157         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
3158         * dfg/DFGOSRExit.cpp:
3159         (JSC::DFG::OSRExit::executeOSRExit):
3160         * dfg/DFGOSRExitCompilerCommon.cpp:
3161         (JSC::DFG::handleExitCounts):
3162         * dfg/DFGOperations.cpp:
3163         * dfg/DFGOperations.h:
3164
3165 2018-05-09  Saam Barati  <sbarati@apple.com>
3166
3167         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
3168         https://bugs.webkit.org/show_bug.cgi?id=185441
3169         <rdar://problem/39999414>
3170
3171         Reviewed by Keith Miller.
3172
3173         This patch adds JSVirtualMachine SPI to release as much memory as possible.
3174         The SPI does:
3175         - Deletes all code caches.
3176         - Synchronous GC.
3177         - Run the scavenger.
3178
3179         * API/JSVirtualMachine.mm:
3180         (-[JSVirtualMachine shrinkFootprint]):
3181         * API/JSVirtualMachinePrivate.h: Added.
3182         * API/tests/testapi.mm:
3183         (testObjectiveCAPIMain):
3184         * JavaScriptCore.xcodeproj/project.pbxproj:
3185         * runtime/VM.cpp:
3186         (JSC::VM::shrinkFootprint):
3187         * runtime/VM.h:
3188
3189 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
3190
3191         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
3192         Error found in the following Test262 tests:
3193
3194         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
3195         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
3196         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
3197
3198         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
3199         presenting a length > 2**32-1
3200         https://bugs.webkit.org/show_bug.cgi?id=185476
3201
3202         Reviewed by Yusuke Suzuki.
3203
3204         * runtime/ArrayPrototype.cpp:
3205
3206 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3207
3208         [WPE] Build cleanly with GCC 8 and ICU 60
3209         https://bugs.webkit.org/show_bug.cgi?id=185462
3210
3211         Reviewed by Carlos Alberto Lopez Perez.
3212
3213         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
3214         (jsc_class_add_constructor):
3215         (jsc_class_add_method):
3216         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
3217         (jsc_value_object_define_property_accessor):
3218         (jsc_value_new_function):
3219         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
3220         problem with GCC 7 too, but might as well fix it now.
3221         * assembler/ProbeContext.h:
3222         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
3223         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
3224         * b3/air/AirArg.h:
3225         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
3226         * builtins/BuiltinNames.cpp:
3227         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
3228         * builtins/BuiltinNames.h:
3229         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
3230         * dfg/DFGDoubleFormatState.h:
3231         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
3232         * heap/MarkedBlockInlines.h:
3233         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
3234         * runtime/ConfigFile.cpp:
3235         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
3236         with the wrong length parameter and the result is not null-terminated. Also, silence a
3237         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
3238         * runtime/IntlDateTimeFormat.cpp:
3239         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
3240         * runtime/JSGlobalObject.cpp:
3241         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
3242         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
3243
3244 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3245
3246         [ARMv7] Drop ARMv7 disassembler in favor of capstone
3247         https://bugs.webkit.org/show_bug.cgi?id=185423
3248
3249         Reviewed by Michael Catanzaro.
3250
3251         This patch removes ARMv7Disassembler in our tree.
3252         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
3253
3254         * CMakeLists.txt:
3255         * JavaScriptCore.xcodeproj/project.pbxproj:
3256         * Sources.txt:
3257         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
3258         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
3259         * disassembler/ARMv7Disassembler.cpp: Removed.
3260
3261 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
3262
3263         [MIPS] Optimize generated JIT code using r2
3264         https://bugs.webkit.org/show_bug.cgi?id=184584
3265
3266         Reviewed by Yusuke Suzuki.
3267
3268         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
3269         Also, some code size optimizations that were discovered in the meantime were done.
3270
3271         * assembler/MIPSAssembler.h:
3272         (JSC::MIPSAssembler::ext):
3273         (JSC::MIPSAssembler::mfhc1):
3274         * assembler/MacroAssemblerMIPS.cpp:
3275         * assembler/MacroAssemblerMIPS.h:
3276         (JSC::MacroAssemblerMIPS::isPowerOf2):
3277         (JSC::MacroAssemblerMIPS::bitPosition):
3278         (JSC::MacroAssemblerMIPS::loadAddress):
3279         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
3280         (JSC::MacroAssemblerMIPS::load8):
3281         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3282         (JSC::MacroAssemblerMIPS::load32):
3283         (JSC::MacroAssemblerMIPS::load16Unaligned):
3284         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
3285         (JSC::MacroAssemblerMIPS::load16):
3286         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
3287         (JSC::MacroAssemblerMIPS::store8):
3288         (JSC::MacroAssemblerMIPS::store16):
3289         (JSC::MacroAssemblerMIPS::store32):
3290         (JSC::MacroAssemblerMIPS::branchTest32):
3291         (JSC::MacroAssemblerMIPS::loadFloat):
3292         (JSC::MacroAssemblerMIPS::loadDouble):
3293         (JSC::MacroAssemblerMIPS::storeFloat):
3294         (JSC::MacroAssemblerMIPS::storeDouble):
3295
3296 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3297
3298         [JSC][GTK][JSCONLY] Use capstone disassembler
3299         https://bugs.webkit.org/show_bug.cgi?id=185283
3300
3301         Reviewed by Michael Catanzaro.
3302
3303         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler,
3304         and use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
3305
3306         And we remove ARM LLVM disassembler.
3307
3308         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
3309
3310         * CMakeLists.txt:
3311         * Sources.txt:
3312         * disassembler/ARMLLVMDisassembler.cpp: Removed.
3313         * disassembler/CapstoneDisassembler.cpp: Added.
3314         (JSC::tryToDisassemble):
3315
3316 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
3317
3318         [MIPS] Use mfhc1 and mthc1 to fix assembler error
3319         https://bugs.webkit.org/show_bug.cgi?id=185464
3320
3321         Reviewed by Yusuke Suzuki.
3322
3323         The binutils-assembler started to report failures for copying words between
3324         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
3325         of mfc1 and mtc1 for conversion.
3326
3327         * offlineasm/mips.rb:
3328
3329 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
3330
3331         [MIPS] Collect callee-saved register using inline assembly
3332         https://bugs.webkit.org/show_bug.cgi?id=185428
3333
3334         Reviewed by Yusuke Suzuki.
3335
3336         MIPS used setjmp instead of collecting registers with inline assembly like
3337         other architectures.
3338
3339         * heap/RegisterState.h:
3340
3341 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3342
3343         [BigInt] Simplifying JSBigInt by using bool addition
3344         https://bugs.webkit.org/show_bug.cgi?id=185374
3345
3346         Reviewed by Alex Christensen.
3347
3348         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
3349         Just adding overflow flag to carry/borrow produces setb + add in x86.
3350
3351         Also we annotate small helper functions and accessors with `inline` so that these functions are not called
3352         inside the internalMultiplyAdd loop.
3353
3354         * runtime/JSBigInt.cpp:
3355         (JSC::JSBigInt::isZero):
3356         (JSC::JSBigInt::inplaceMultiplyAdd):
3357         (JSC::JSBigInt::digitAdd):
3358         (JSC::JSBigInt::digitSub):
3359         (JSC::JSBigInt::digitMul):
3360         (JSC::JSBigInt::digitPow):
3361         (JSC::JSBigInt::digitDiv):
3362         (JSC::JSBigInt::offsetOfData):
3363         (JSC::JSBigInt::dataStorage):
3364         (JSC::JSBigInt::digit):
3365         (JSC::JSBigInt::setDigit):
3366
3367 2018-05-08  Michael Saboff  <msaboff@apple.com>
3368
3369         Replace multiple Watchpoint Set fireAll() methods with templates
3370         https://bugs.webkit.org/show_bug.cgi?id=185456
3371
3372         Reviewed by Saam Barati.
3373
3374         Refactored to minimize duplicate code.
3375
3376         * bytecode/Watchpoint.h:
3377         (JSC::WatchpointSet::fireAll):
3378         (JSC::InlineWatchpointSet::fireAll):
3379
3380 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
3381