[ESNext][BigInt] Implement support for "=<" and ">=" relational operation
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-31  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
        https://bugs.webkit.org/show_bug.cgi?id=185929

        Reviewed by Yusuke Suzuki.

        This patch is introducing support to BigInt operands into ">=" and
        "<=" operators.
        Here we introduce ```bigIntCompareResult``` that is a helper function
        to reuse code between "less than" and "less than or equal" operators.

        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::bigIntCompareResult):
        (JSC::bigIntCompare):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::bigIntCompareLess): Deleted.

2018-05-31  Saam Barati  <sbarati@apple.com>

        Cache toString results for CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186160

        Reviewed by Keith Miller.

        This patch makes it so that we cache the result of toString on
        arrays with a CoW butterfly. This cache lives on Heap and is
        cleared after every GC. We only cache the toString result when
        the CoW butterfly doesn't have a hole (currently, all CoW arrays
        have a hole, but this isn't an invariant we want to rely on). The
        reason for this is that if there is a hole, the value may be loaded
        from the prototype, and the cache may produce a stale result.

        This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
        progression on ARES.

        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::canUseFastJoin):
        (JSC::holesMustForwardToPrototype):
        (JSC::isHole):
        (JSC::containsHole):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):

2018-05-31  Saam Barati  <sbarati@apple.com>

        PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
        https://bugs.webkit.org/show_bug.cgi?id=186169

        Reviewed by Mark Lam.

        If we don't do this, the CFA validation rule about StructureID being
        clobbered but AI not clobbering or folding a clobber will cause us
        to crash. Simon was running into this yesterday on arstechnica.com.
        I couldn't come up with a test case for this, but it's obvious
        what the issue is by looking at the IR dump at the time of the crash.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-31  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly should align its variable storage
        https://bugs.webkit.org/show_bug.cgi?id=186159

        Reviewed by Mark Lam.

        I'm also making the use of reinterpret_cast and bitwise_cast consistent
        inside of JSImmutableButterfly. I switched everything to use bitwise_cast.

        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::toButterfly const):
        (JSC::JSImmutableButterfly::fromButterfly):
        (JSC::JSImmutableButterfly::offsetOfData):
        (JSC::JSImmutableButterfly::allocationSize):

2018-05-31  Keith Miller  <keith_miller@apple.com>

        DFGArrayModes needs to know more about CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186162

        Reviewed by Filip Pizlo.

        This patch fixes two issues in DFGArrayMode.

        1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
        2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
        to vend an accurate original structure.

        Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
        we were doing a read but actually doing a write. Also, DFGArrayMode will now print the
        action it is expecting when being dumped.

        * bytecode/ArrayProfile.h:
        (JSC::hasSeenWritableArray):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine const):
        (JSC::DFG::ArrayMode::originalArrayStructure const):
        (JSC::DFG::arrayActionToString):
        (JSC::DFG::arrayClassToString):
        (JSC::DFG::ArrayMode::dump const):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        (JSC::DFG::ArrayMode::isJSArray const):
        (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& parameter as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=186085

        Reviewed by Saam Barati.

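The entry above says that "<" and "<=" now share one helper for BigInt operands. The following is an added example, written for this page and not JavaScriptCore code, of the ECMAScript abstract relational comparison for BigInt operands arranged the same way: one shared core that may return undefined, with "<", "<=" and ">=" derived from it. All function names (relationalCompare, compareBigIntToNumber, stringToBigInt and the rest) are this example's own, and the mismatch checker compares the example against the host engine's native operators on a constructed set of operand pairs.

```javascript
// Added example, not JavaScriptCore code: the ES abstract relational
// comparison for BigInt operands, structured so that "<" and "<=" share
// one core helper. Every name below is this example's own.

// StringToBigInt: BigInt(str) applies the same grammar but throws a
// SyntaxError where the spec yields undefined, so map that to undefined.
function stringToBigInt(str) {
  try {
    return BigInt(str);            // "" and whitespace-only strings give 0n
  } catch (e) {
    return undefined;              // e.g. "1.5", "abc", "1n"
  }
}

// Three-way comparison of a BigInt against a Number: -1, 0, 1, or
// undefined when num is NaN. Exact: the BigInt is never rounded to a double.
function compareBigIntToNumber(big, num) {
  if (Number.isNaN(num)) return undefined;
  if (num === Infinity) return -1;
  if (num === -Infinity) return 1;
  const intPart = BigInt(Math.trunc(num));   // exact for any finite double
  if (big < intPart) return -1;
  if (big > intPart) return 1;
  const fraction = num - Math.trunc(num);    // only num's fractional part is left
  if (fraction > 0) return -1;
  if (fraction < 0) return 1;
  return 0;
}

// Shared core: the spec's "x < y" with at least one BigInt operand.
// Returns true, false, or undefined (NaN operand, or a String that is not
// a BigInt literal). "<", "<=" and ">=" are all derived from this.
function relationalCompare(x, y) {
  const tx = typeof x, ty = typeof y;
  if (tx === 'bigint' && ty === 'bigint') return x < y;
  if (tx === 'bigint' && ty === 'number') {
    const c = compareBigIntToNumber(x, y);
    return c === undefined ? undefined : c < 0;
  }
  if (tx === 'number' && ty === 'bigint') {
    const c = compareBigIntToNumber(y, x);
    return c === undefined ? undefined : c > 0;
  }
  if (tx === 'bigint' && ty === 'string') {
    const ny = stringToBigInt(y);
    return ny === undefined ? undefined : x < ny;
  }
  if (tx === 'string' && ty === 'bigint') {
    const nx = stringToBigInt(x);
    return nx === undefined ? undefined : nx < y;
  }
  throw new TypeError('this example covers BigInt against BigInt, Number and String only');
}

// x < y: an undefined result is false.
function lessThan(x, y) {
  const r = relationalCompare(x, y);
  return r === undefined ? false : r;
}

// x <= y is !(y < x), except that an undefined result must stay false rather
// than become true; this is why "<=" cannot be written as !lessThan(y, x).
function lessThanOrEqual(x, y) {
  const r = relationalCompare(y, x);
  return r === undefined ? false : !r;
}

function greaterThanOrEqual(x, y) { return lessThanOrEqual(y, x); }

// Cross-check against the host engine's own operators on constructed pairs;
// returns the list of disagreements, which should be empty.
function mismatchesAgainstEngine() {
  const pairs = [
    [1n, 1], [1n, 1.5], [-1n, -1.5], [0n, -0.5], [2n, NaN],
    [2n, Infinity], [2n, -Infinity], [1.5, 1n], [NaN, 1n],
    [2n ** 64n, 2 ** 64], [2n ** 64n + 1n, 2 ** 64],
    [10n, '9'], [10n, ' 10 '], [10n, '1.5'], [10n, '0x10'], [1n, ''], ['abc', 1n],
  ];
  const bad = [];
  for (const [a, b] of pairs) {
    if (lessThan(a, b) !== (a < b)) bad.push(`${String(a)} < ${String(b)}`);
    if (lessThanOrEqual(a, b) !== (a <= b)) bad.push(`${String(a)} <= ${String(b)}`);
    if (greaterThanOrEqual(a, b) !== (a >= b)) bad.push(`${String(a)} >= ${String(b)}`);
  }
  return bad;
}
```

The pairs around 2 ** 64 are there because a comparison that first converted the BigInt to a double would report 2n ** 64n + 1n as equal to 2 ** 64; the exact integer-part-then-fraction split avoids that, and the NaN and non-numeric-string pairs exercise the undefined case that "<=" and ">=" must turn into false.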
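The entry above only caches when the array has no hole, because a hole makes join() read the element through the prototype chain, so the cached string can go stale as soon as Array.prototype changes. The following is an added example, written for this page and not WebKit code, that reproduces that staleness in plain JavaScript: a naive cache that ignores holes keeps returning the old string, while a hole-aware cache re-reads the array. Object.isFrozen() stands in for "has a CoW butterfly", the ToStringCache class stands in for the Heap-resident cache, and the array literals are constructed inputs; all names are this example's own.

```javascript
// Added example, not WebKit code: why a cached toString() result is only
// safe for an array without holes. Object.isFrozen() stands in for "has a
// CoW butterfly"; every name below is this example's own.

// A hole is an index below length with no own property. join() reads such
// a slot with an ordinary [[Get]], which falls through to the prototype.
function containsHole(array) {
  for (let i = 0; i < array.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(array, i)) return true;
  }
  return false;
}

// join() calls ToString on each element, so an object element could change
// the result later; only primitives (and null) are cacheable here.
function isCacheableElement(v) {
  return v === null || (typeof v !== 'object' && typeof v !== 'function');
}

class ToStringCache {
  constructor() {
    this.map = new WeakMap();   // keyed by array identity
    this.hits = 0;
  }

  // Returns array.toString(); caches only when the contents cannot change
  // (frozen), no element can come from the prototype chain (no hole), and
  // no element can change its own string form (primitives only).
  get(array) {
    const cacheable = Object.isFrozen(array)
      && !containsHole(array)
      && array.every(isCacheableElement);
    if (!cacheable) return array.join();
    const cached = this.map.get(array);
    if (cached !== undefined) {
      this.hits++;
      return cached;
    }
    const s = array.join();
    this.map.set(array, s);
    return s;
  }

  clear() { this.map = new WeakMap(); }   // the engine drops its cache after every GC
}

// Reproduces the stale-result case: after Array.prototype gains an element
// at the hole's index, the naive cache still returns the old string.
function demonstrateStaleCache() {
  const holey = Object.freeze([1, , 3]);   // constructed input; index 1 is a hole
  const naive = new WeakMap();
  const safe = new ToStringCache();
  naive.set(holey, holey.join());           // naive: cache unconditionally
  const before = safe.get(holey);           // "1,,3", not cached (hole)
  Array.prototype[1] = 'x';                 // holey[1] now resolves through the prototype
  try {
    return {
      before,                               // "1,,3"
      naiveCached: naive.get(holey),        // "1,,3"  (stale)
      safeCached: safe.get(holey),          // "1,x,3"
      actual: holey.join(),                 // "1,x,3"
    };
  } finally {
    delete Array.prototype[1];              // undo the global mutation
    Array.prototype.length = 0;
  }
}
```

The check order in get() matters: holes are tested before anything is stored, so a holey array is never inserted into the cache in the first place, and there is nothing to invalidate when the prototype changes. Clearing the whole cache on GC, as the entry describes, is what keeps the WeakMap-style identity key from ever outliving the array it describes.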
        JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
        For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
        If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
        This patch attempts to pass VM& parameter to such functions as much as possible.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
        (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * API/JSTypedArray.cpp:
        (JSObjectGetTypedArrayBuffer):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::mergeOSREntryValue):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::check):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::caller const):
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        (functionHasCustomProperties):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.cpp:
        (JSC::InferredType::removeStructure):
        * runtime/InferredType.h:
        * runtime/InferredTypeInlines.h:
        (JSC::InferredType::finalizeUnconditionally):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::defaultLocale):
        (JSC::lookupSupportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::unsharedJSBuffer):
        (JSC::JSArrayBufferView::possiblySharedJSBuffer):
        * runtime/JSAsyncFunction.cpp:
        (JSC::JSAsyncFunction::createImpl):
        (JSC::JSAsyncFunction::create):
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSAsyncGeneratorFunction.cpp:
        (JSC::JSAsyncGeneratorFunction::createImpl):
        (JSC::JSAsyncGeneratorFunction::create):
        (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::boundArgsCopy):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable const):
        (JSC::JSCell::toBoolean const):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::createImpl):
        (JSC::JSGeneratorFunction::create):
        (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::exposeDollarVM):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::createPair):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertFromCopyOnWrite):
        (JSC::JSObject::ensureWritableInt32Slow):
        (JSC::JSObject::ensureWritableDoubleSlow):
        (JSC::JSObject::ensureWritableContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::deleteProperty):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::hasIndexingHeader const):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::isExtensibleImpl):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::staticPropertiesReified):
        (JSC::JSObject::globalObject const):
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::getCallData):
        (JSC::getConstructData):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::initialize):
        (JSC::JSPromise::resolve):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::newPromiseCapability):
        (JSC::callFunction):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::JSScope::globalObject): Deleted.
        Remove this JSScope::globalObject function since it is completely the same to JSObject::globalObject().

        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::createPair):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::clone):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::replaceStaticPropertySlot):
        (JSC::reifyStaticProperty):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorAssign):
        (JSC::toPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToLocaleString):
        * runtime/Operations.cpp:
        (JSC::jsIsFunctionType): Deleted.
        Replace it with JSValue::isFunction(VM&).

        * runtime/Operations.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::overrideThings):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncIterator):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::willStoreValueSlow):
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::reportCell):
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectForObject):
        (JSC::JSDollarVM::finishCreation):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):
        * wasm/js/WebAssemblyToJSCallee.cpp:
        (JSC::WebAssemblyToJSCallee::create):

2018-05-30  Saam Barati  <sbarati@apple.com>

        DFG combined liveness needs to say that the machine CodeBlock's arguments are live
        https://bugs.webkit.org/show_bug.cgi?id=186121
        <rdar://problem/39377796>

        Reviewed by Keith Miller.

        DFG's combined liveness was reporting that the machine CodeBlock's |this|
        argument was dead at certain points in the program. However, a CodeBlock's
        arguments are considered live for the entire function. This fixes a bug
        where object allocation sinking phase skipped materializing an allocation
        because it thought that the argument it was associated with, |this|, was dead.

        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):

2018-05-30  Daniel Bates  <dabates@apple.com>

        Web Inspector: Annotate Same-Site cookies
        https://bugs.webkit.org/show_bug.cgi?id=184897
        <rdar://problem/35178209>

        Reviewed by Brian Burg.

        Update protocol to include cookie Same-Site policy.

        * inspector/protocol/Page.json:

2018-05-29  Keith Miller  <keith_miller@apple.com>

        Error instances should not strongly hold onto StackFrames
        https://bugs.webkit.org/show_bug.cgi?id=185996

        Reviewed by Mark Lam.

        Previously, we would hold onto all the StackFrames until the user
        looked at one of the properties on the Error object. This patch makes us
        only weakly retain the StackFrames and collect all the information
        if we are about to collect any frame.

        This patch also adds a method to $vm that returns the heap's count
        of live global objects.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::stackTraceAsString):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finalizeUnconditionally):
        (JSC::ErrorInstance::computeErrorInfo):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren): Deleted.
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::subspaceFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::isMarked const):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectCount):
        (JSC::JSDollarVM::finishCreation):

2018-05-30  Keith Miller  <keith_miller@apple.com>

        LLInt get_by_id prototype caching doesn't properly handle changes
        https://bugs.webkit.org/show_bug.cgi?id=186112

        Reviewed by Filip Pizlo.

        The caching would sometimes fail to track that a prototype had changed
        and wouldn't update its set of watchpoints.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::size const):
        * bytecode/Watchpoint.h:
        (JSC::Watchpoint::Watchpoint): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):

2018-05-30  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "%" operation
        https://bugs.webkit.org/show_bug.cgi?id=184327

        Reviewed by Yusuke Suzuki.

        We are introducing the support of BigInt into remainder (a.k.a. mod)
        operation.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::rightTrim):
        * runtime/JSBigInt.h:

2018-05-30  Saam Barati  <sbarati@apple.com>

        AI for Atomics.load() is too conservative in always clobbering world
        https://bugs.webkit.org/show_bug.cgi?id=185738
        <rdar://problem/40342214>

        Reviewed by Yusuke Suzuki.

        It fails the assertion that Fil added for catching disagreements between
        AI and clobberize. This patch fixes that. You'd run into this if you
        manually enabled SAB in a build and ran any SAB tests.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-30  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r232212): Broke Win32 Builds
        https://bugs.webkit.org/show_bug.cgi?id=186061

        Reviewed by Yusuke Suzuki.

        Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
        instead of LowLevelInterpreterWin.asm.

        * CMakeLists.txt:

2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix build on MIPS32r1
        https://bugs.webkit.org/show_bug.cgi?id=185944

        Reviewed by Yusuke Suzuki.

        Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
        on MIPS32r1.

        * offlineasm/mips.rb:

2018-05-29  Saam Barati  <sbarati@apple.com>

        Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
        https://bugs.webkit.org/show_bug.cgi?id=186064

        Reviewed by Mark Lam.

        shrinkFootprint was implemented as:
        ```
        sanitizeStackForVM(this);
        deleteAllCode(DeleteAllCodeIfNotCollecting);
        heap.collectNow(Synchronousness::Sync);
        WTF::releaseFastMallocFreeMemory();
        ```

        However, for correctness reasons, deleteAllCode is implemented to do
        work when the VM is idle: no JS is running on the stack. This means
        that if shrinkFootprint is called when JS is running on the stack, it
730         ends up freeing less memory than it could have if it waited to run until
731         the VM goes idle.
732         
733         This patch makes it so we wait until idle before doing work. I'm seeing a
734         10% footprint progression when testing this against a client of the JSC SPI.
735         
736         Because this is a semantic change in how the SPI works, this patch
737         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
738         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
739         Once that happens, we will delete shrinkFootprint. Until then,
740         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
741
742         * API/JSVirtualMachine.mm:
743         (-[JSVirtualMachine shrinkFootprint]):
744         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
745         * API/JSVirtualMachinePrivate.h:
746         * runtime/VM.cpp:
747         (JSC::VM::shrinkFootprintWhenIdle):
748         (JSC::VM::shrinkFootprint): Deleted.
749         * runtime/VM.h:
750
751 2018-05-29  Saam Barati  <sbarati@apple.com>
752
753         shrinkFootprint needs to request a full collection
754         https://bugs.webkit.org/show_bug.cgi?id=186069
755
756         Reviewed by Mark Lam.
757
758         * runtime/VM.cpp:
759         (JSC::VM::shrinkFootprint):
760
761 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
762
763         [ESNext][BigInt] Implement support for "<" and ">" relational operation
764         https://bugs.webkit.org/show_bug.cgi?id=185379
765
766         Reviewed by Yusuke Suzuki.
767
768         This patch is changing the ```jsLess``` operation to follow the
769         semantics of Abstract Relational Comparison[1] that supports BigInt.
770         For that, we create 2 new helper functions ```bigIntCompareLess``` and
771         ```toPrimitiveNumeric``` that consider BigInt as a valid type to be
772         compared.
773
774         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
775
776         * runtime/JSBigInt.cpp:
777         (JSC::JSBigInt::unequalSign):
778         (JSC::JSBigInt::absoluteGreater):
779         (JSC::JSBigInt::absoluteLess):
780         (JSC::JSBigInt::compare):
781         (JSC::JSBigInt::absoluteCompare):
782         * runtime/JSBigInt.h:
783         * runtime/JSCJSValueInlines.h:
784         (JSC::JSValue::isPrimitive const):
785         * runtime/Operations.h:
786         (JSC::bigIntCompareLess):
787         (JSC::toPrimitiveNumeric):
788         (JSC::jsLess):
789
790 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
791
792         [Baseline] Merge loading functionalities
793         https://bugs.webkit.org/show_bug.cgi?id=185907
794
795         Reviewed by Saam Barati.
796
797         This patch unifies emitXXXLoad functions in 32bit and 64bit.
798
799         * jit/JITInlines.h:
800         (JSC::JIT::emitDoubleGetByVal):
801         * jit/JITPropertyAccess.cpp:
802         (JSC::JIT::emitDoubleLoad):
803         (JSC::JIT::emitContiguousLoad):
804         (JSC::JIT::emitArrayStorageLoad):
805         (JSC::JIT::emitIntTypedArrayGetByVal):
806         (JSC::JIT::emitFloatTypedArrayGetByVal):
807         Define register usage first, and share the same code in 32bit and 64bit.
808
809         * jit/JITPropertyAccess32_64.cpp:
810         (JSC::JIT::emitSlow_op_put_by_val):
811         Now the C-stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
812         We can remove this special handling.
813
814         (JSC::JIT::emitContiguousLoad): Deleted.
815         (JSC::JIT::emitDoubleLoad): Deleted.
816         (JSC::JIT::emitArrayStorageLoad): Deleted.
817
818 2018-05-29  Saam Barati  <sbarati@apple.com>
819
820         JSC should put bmalloc's scavenger into mini mode
821         https://bugs.webkit.org/show_bug.cgi?id=185988
822
823         Reviewed by Michael Saboff.
824
825         When we InitializeThreading, we'll now enable bmalloc's mini mode
826         if the VM is in mini mode. This is an 8-10% progression on the footprint
827         at end score in run-testmem, making it a 4-5% memory score progression.
828         It's between a 0-1% regression in its time score.
829
830         * runtime/InitializeThreading.cpp:
831         (JSC::initializeThreading):
832
833 2018-05-29  Caitlin Potter  <caitp@igalia.com>
834
835         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
836         https://bugs.webkit.org/show_bug.cgi?id=184267
837
838         Reviewed by Saam Barati.
839
840         Before this patch, the fast case for Array.prototype.concat was taken if
841         there was a single argument passed to the function, which is either a
842         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
843         This incorrectly prevented Proxy objects from being spread when
844         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
845
846         * builtins/ArrayPrototype.js:
847         (concat):
848
849 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
850
851         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
852         https://bugs.webkit.org/show_bug.cgi?id=186022
853
854         Reviewed by Darin Adler.
855
856         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
857         creation has an issue (`s` should be cast to a signed one before negating). They cause test failures
858         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
859         in asm.
860
861         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
862         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
863         This makes the target rshift well-defined in C++. While the value produced by the rshift covers the 0 <= `s` < 64 (32
864         in a 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
865         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
866         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
867
868         This patch also fixes naming convention for constant values.
869
870         * runtime/JSBigInt.cpp:
871         (JSC::JSBigInt::digitMul):
872         (JSC::JSBigInt::digitDiv):
873         * runtime/JSBigInt.h:
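
An added example (not this ChangeLog entry's or JSC's code) of the normalizing two-digit shift in digitDiv, written for a 64-bit digit with the shift-amount mask and the `s == 0` zero mask described above; the names Digit, digitBits, zeroMask, normalizedHigh and shiftTwoDigits are assumptions.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Added example, not JSC's code: it isolates the two-digit left shift that a
// digitDiv-style routine performs when normalizing the dividend, written so
// that the s == 0 case is handled without the undefined behaviour the
// ChangeLog entry describes. Digit, digitBits, zeroMask, normalizedHigh and
// shiftTwoDigits are hypothetical names.
using Digit = uint64_t;
static constexpr unsigned digitBits = 64;

// All ones when s != 0, all zeros when s == 0. The entry notes that deriving
// this mask by negating s requires casting s to a signed type first; building
// it from the comparison avoids that pitfall altogether.
static inline Digit zeroMask(unsigned s)
{
    return static_cast<Digit>(0) - static_cast<Digit>(s != 0);
}

// High digit of (high:low) << s for 0 <= s < digitBits.
//
// The naive form (high << s) | (low >> (digitBits - s)) shifts by exactly
// digitBits when s == 0, which C++ leaves undefined. Masking the shift amount
// with (digitBits - 1) turns that 64 into a well-defined 0, and the zero mask
// then discards low's contribution, which a 0-bit shift would otherwise leak
// in whole.
Digit normalizedHigh(Digit high, Digit low, unsigned s)
{
    assert(s < digitBits); // s == digitBits never occurs: the divisor is non-zero
    unsigned rshift = (digitBits - s) & (digitBits - 1);
    return (high << s) | ((low >> rshift) & zeroMask(s));
}

struct TwoDigits {
    Digit high;
    Digit low;
};

// Whole two-digit value (high:low) << s. The low half needs no special
// handling: low << s is already well-defined because s < digitBits.
TwoDigits shiftTwoDigits(Digit high, Digit low, unsigned s)
{
    return { normalizedHigh(high, low, s), low << s };
}

int main()
{
    // Constructed input: the top bit of low crosses into high after a 1-bit shift.
    TwoDigits r = shiftTwoDigits(0x1, 0x8000000000000000ull, 1);
    std::printf("high=%#llx low=%#llx\n",
                static_cast<unsigned long long>(r.high),
                static_cast<unsigned long long>(r.low));
    return 0;
}
```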
874
875 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
876
877         [WTF] Add clz32 / clz64 for MSVC
878         https://bugs.webkit.org/show_bug.cgi?id=186023
879
880         Reviewed by Daniel Bates.
881
882         Move clz32 and clz64 to WTF.
883
884         * runtime/MathCommon.h:
885         (JSC::clz32): Deleted.
886         (JSC::clz64): Deleted.
887
888 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
889
890         [ESNext][BigInt] Implement "+" and "-" unary operation
891         https://bugs.webkit.org/show_bug.cgi?id=182214
892
893         Reviewed by Yusuke Suzuki.
894
895         This patch implements support for the "-" unary operation on BigInt.
896         It also changes the logic of ASTBuilder::makeNegateNode to
897         calculate BigInt literals with the proper sign, avoiding
898         unnecessary operations. It required a refactoring of
899         JSBigInt::parseInt to take the sign as a parameter.
900
901         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
902         operations. With the introduction of BigInt, it is no longer true
903         that every negate operation returns a Number. As ArithNegate is a
904         node that considers its result to always be a Number, like all other
905         Arith<Operation> nodes, we decided to keep this consistency and use ValueNegate when
906         speculation indicates that the operand is a BigInt.
907         This design follows the same distinction between ArithAdd and
908         ValueAdd. Also, this new node will simplify the introduction of
909         optimizations when we create speculation paths for BigInt in future
910         patches.
911
912         In the case of the "+" unary operation on BigInt, the current semantics we already have
913         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
914         In that case, we are adding tests to verify other edge cases.
915
916         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
917
918         * bytecompiler/BytecodeGenerator.cpp:
919         (JSC::BytecodeGenerator::addBigIntConstant):
920         * bytecompiler/BytecodeGenerator.h:
921         * bytecompiler/NodesCodegen.cpp:
922         (JSC::BigIntNode::jsValue const):
923         * dfg/DFGAbstractInterpreterInlines.h:
924         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
925         * dfg/DFGByteCodeParser.cpp:
926         (JSC::DFG::ByteCodeParser::makeSafe):
927         (JSC::DFG::ByteCodeParser::parseBlock):
928         * dfg/DFGClobberize.h:
929         (JSC::DFG::clobberize):
930         * dfg/DFGDoesGC.cpp:
931         (JSC::DFG::doesGC):
932         * dfg/DFGFixupPhase.cpp:
933         (JSC::DFG::FixupPhase::fixupNode):
934         * dfg/DFGNode.h:
935         (JSC::DFG::Node::arithNodeFlags):
936         * dfg/DFGNodeType.h:
937         * dfg/DFGPredictionPropagationPhase.cpp:
938         * dfg/DFGSafeToExecute.h:
939         (JSC::DFG::safeToExecute):
940         * dfg/DFGSpeculativeJIT.cpp:
941         (JSC::DFG::SpeculativeJIT::compileValueNegate):
942         (JSC::DFG::SpeculativeJIT::compileArithNegate):
943         * dfg/DFGSpeculativeJIT.h:
944         * dfg/DFGSpeculativeJIT32_64.cpp:
945         (JSC::DFG::SpeculativeJIT::compile):
946         * dfg/DFGSpeculativeJIT64.cpp:
947         (JSC::DFG::SpeculativeJIT::compile):
948         * ftl/FTLCapabilities.cpp:
949         (JSC::FTL::canCompile):
950         * ftl/FTLLowerDFGToB3.cpp:
951         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
952         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
953         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
954         * jit/JITOperations.cpp:
955         * parser/ASTBuilder.h:
956         (JSC::ASTBuilder::createBigIntWithSign):
957         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
958         (JSC::ASTBuilder::makeNegateNode):
959         * parser/NodeConstructors.h:
960         (JSC::BigIntNode::BigIntNode):
961         * parser/Nodes.h:
962         * runtime/CommonSlowPaths.cpp:
963         (JSC::updateArithProfileForUnaryArithOp):
964         (JSC::SLOW_PATH_DECL):
965         * runtime/JSBigInt.cpp:
966         (JSC::JSBigInt::parseInt):
967         * runtime/JSBigInt.h:
968         * runtime/JSCJSValueInlines.h:
969         (JSC::JSValue::strictEqualSlowCaseInline):
970
971 2018-05-27  Dan Bernstein  <mitz@apple.com>
972
973         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
974
975         * jit/JITOperations.cpp:
976
977 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         [JSC] Rename Array#flatten to flat
980         https://bugs.webkit.org/show_bug.cgi?id=186012
981
982         Reviewed by Saam Barati.
983
984         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
985         conflicts with the MooTools function name.
986
987         * builtins/ArrayPrototype.js:
988         (globalPrivate.flatIntoArray):
989         (flat):
990         (globalPrivate.flatIntoArrayWithCallback):
991         (flatMap):
992         (globalPrivate.flattenIntoArray): Deleted.
993         (flatten): Deleted.
994         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
995         * runtime/ArrayPrototype.cpp:
996         (JSC::ArrayPrototype::finishCreation):
997
998 2018-05-25  Mark Lam  <mark.lam@apple.com>
999
1000         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
1001         https://bugs.webkit.org/show_bug.cgi?id=185995
1002         <rdar://problem/40173142>
1003
1004         Reviewed by Saam Barati.
1005
1006         This is because there's no guarantee that any of the loop bodies will be
1007         executed.  Hence, there's no guarantee that the TDZ variables will have been
1008         initialized after each loop body.
1009
1010         * bytecompiler/BytecodeGenerator.cpp:
1011         (JSC::BytecodeGenerator::preserveTDZStack):
1012         (JSC::BytecodeGenerator::restoreTDZStack):
1013         * bytecompiler/BytecodeGenerator.h:
1014         * bytecompiler/NodesCodegen.cpp:
1015         (JSC::ForInNode::emitBytecode):
1016
1017 2018-05-25  Mark Lam  <mark.lam@apple.com>
1018
1019         MachineContext's instructionPointer() should handle null PCs correctly.
1020         https://bugs.webkit.org/show_bug.cgi?id=186004
1021         <rdar://problem/40570067>
1022
1023         Reviewed by Saam Barati.
1024
1025         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
1026         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
1027         assert accordingly with a debug ASSERT.  This is inconsequential for release
1028         builds, but to avoid this assertion failure, we should check for a null PC and
1029         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
1030         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
1031
1032         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
1033         for null pointers, but I would rather not do that yet.  In general,
1034         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
1035         leave it that way for now.
1036
1037         Note: this assertion failure only manifests when we have signal traps enabled,
1038         and encounter a null pointer deref.
1039
1040         * runtime/MachineContext.h:
1041         (JSC::MachineContext::instructionPointer):
1042
1043 2018-05-25  Mark Lam  <mark.lam@apple.com>
1044
1045         Enforce invariant that GetterSetter objects are invariant.
1046         https://bugs.webkit.org/show_bug.cgi?id=185968
1047         <rdar://problem/40541416>
1048
1049         Reviewed by Saam Barati.
1050
1051         The code already assumes the invariant that GetterSetter objects are immutable.
1052         For example, the use of @tryGetById in builtins expects this invariant to be true.
1053         The existing code mostly enforces this except for one case: JSObject's
1054         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
1055         object.
1056
1057         This patch enforces this invariant by removing the setGetter and setSetter methods
1058         of GetterSetter, and requiring the getter/setter callback functions to be
1059         specified at construction time.
1060
1061         * jit/JITOperations.cpp:
1062         * llint/LLIntSlowPaths.cpp:
1063         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1064         * runtime/GetterSetter.cpp:
1065         (JSC::GetterSetter::withGetter): Deleted.
1066         (JSC::GetterSetter::withSetter): Deleted.
1067         * runtime/GetterSetter.h:
1068         * runtime/JSGlobalObject.cpp:
1069         (JSC::JSGlobalObject::init):
1070         * runtime/JSObject.cpp:
1071         (JSC::JSObject::putIndexedDescriptor):
1072         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1073         (JSC::putDescriptor):
1074         (JSC::validateAndApplyPropertyDescriptor):
1075         * runtime/JSTypedArrayViewPrototype.cpp:
1076         (JSC::JSTypedArrayViewPrototype::finishCreation):
1077         * runtime/Lookup.cpp:
1078         (JSC::reifyStaticAccessor):
1079         * runtime/PropertyDescriptor.cpp:
1080         (JSC::PropertyDescriptor::slowGetterSetter):
1081
1082 2018-05-25  Saam Barati  <sbarati@apple.com>
1083
1084         Make JSC have a mini mode that kicks in when the JIT is disabled
1085         https://bugs.webkit.org/show_bug.cgi?id=185931
1086
1087         Reviewed by Mark Lam.
1088
1089         This patch makes JSC have a mini VM mode. This currently only kicks in
1090         when the process can't JIT. Mini VM now means a few things:
1091         - We always use a 1.27x heap growth factor. This number was the best tradeoff
1092           between memory use progression and time regression in run-testmem. We may
1093           want to tune this more in the future as we make other mini VM changes.
1094         - We always sweep synchronously.
1095         - We disable generational GC.
1096         
1097         I'm going to continue to extend what mini VM mode means in future changes.
1098         
1099         This patch is a 50% memory progression and an ~8-9% time regression
1100         on run-testmem when running in mini VM mode with the JIT disabled.
1101
1102         * heap/Heap.cpp:
1103         (JSC::Heap::collectNow):
1104         (JSC::Heap::finalize):
1105         (JSC::Heap::useGenerationalGC):
1106         (JSC::Heap::shouldSweepSynchronously):
1107         (JSC::Heap::shouldDoFullCollection):
1108         * heap/Heap.h:
1109         * runtime/Options.h:
1110         * runtime/VM.cpp:
1111         (JSC::VM::isInMiniMode):
1112         * runtime/VM.h:
1113
1114 2018-05-25  Saam Barati  <sbarati@apple.com>
1115
1116         Have a memory test where we can validate JSC's mini memory mode
1117         https://bugs.webkit.org/show_bug.cgi?id=185932
1118
1119         Reviewed by Mark Lam.
1120
1121         This patch adds the testmem CLI. It takes as input a file to run
1122         and the number of iterations to run it (by default it runs it
1123         20 times). Each iteration runs in a new JSContext. Each JSContext
1124         belongs to a VM that is created once. When finished, the CLI dumps
1125         out the peak memory usage of the process, the memory usage at the end
1126         of running all the iterations of the process, and the total time it
1127         took to run all the iterations.
1128
1129         * JavaScriptCore.xcodeproj/project.pbxproj:
1130         * testmem: Added.
1131         * testmem/testmem.mm: Added.
1132         (description):
1133         (Footprint::now):
1134         (main):
1135
1136 2018-05-25  David Kilzer  <ddkilzer@apple.com>
1137
1138         Fix issues with -dealloc methods found by clang static analyzer
1139         <https://webkit.org/b/185887>
1140
1141         Reviewed by Joseph Pecoraro.
1142
1143         * API/JSValue.mm:
1144         (-[JSValue dealloc]):
1145         (-[JSValue description]):
1146         - Move method implementations from (Internal) category to the
1147           main category since these are public API.  This fixes the
1148           false positive warning about a missing -dealloc method.
1149
1150 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1151
1152         [Baseline] Remove a hack for DCE removal of NewFunction
1153         https://bugs.webkit.org/show_bug.cgi?id=185945
1154
1155         Reviewed by Saam Barati.
1156
1157         This `undefined` check in baseline was originally introduced in r177871. The problem was,
1158         when NewFunction is removed in DFG DCE, the scope DFG node it references is also removed.
1159         While op_new_func_xxx wants to have the scope for function creation, DFG OSR exit cannot
1160         retrieve it into the stack since the scope is not referenced from anywhere.
1161
1162         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
1163         implementation. But rather than that, just emitting `Phantom` for this scope is cleaner
1164         and consistent with the other DFG nodes like GetClosureVar.
1165
1166         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
1167         While we emit Phantom, it is not testable since NewFunction is guarded by a MovHint which
1168         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
1169         if it is not referenced, and the scope node is kept by PutHint. But emitting Phantom is nice
1170         since it conservatively guards the scope, and it does not introduce any additional overhead
1171         compared to the current status.
1172
1173         * dfg/DFGByteCodeParser.cpp:
1174         (JSC::DFG::ByteCodeParser::parseBlock):
1175         * jit/JITOpcodes.cpp:
1176         (JSC::JIT::emitNewFuncExprCommon):
1177
1178 2018-05-23  Keith Miller  <keith_miller@apple.com>
1179
1180         Expose $vm if window.internals is exposed
1181         https://bugs.webkit.org/show_bug.cgi?id=185900
1182
1183         Reviewed by Mark Lam.
1184
1185         This is useful for testing vm internals when running LayoutTests.
1186
1187         * runtime/JSGlobalObject.cpp:
1188         (JSC::JSGlobalObject::init):
1189         (JSC::JSGlobalObject::visitChildren):
1190         (JSC::JSGlobalObject::exposeDollarVM):
1191         * runtime/JSGlobalObject.h:
1192
1193 2018-05-23  Keith Miller  <keith_miller@apple.com>
1194
1195         Define length on CoW array should properly convert to writable
1196         https://bugs.webkit.org/show_bug.cgi?id=185927
1197
1198         Reviewed by Yusuke Suzuki.
1199
1200         * runtime/JSArray.cpp:
1201         (JSC::JSArray::setLength):
1202
1203 2018-05-23  Keith Miller  <keith_miller@apple.com>
1204
1205         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
1206         https://bugs.webkit.org/show_bug.cgi?id=185923
1207
1208         Reviewed by Saam Barati.
1209
1210         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
1211         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
1212
1213         Block 1:
1214         @1: GetLocal(loc42, FlushedInt32);
1215         @2: PutStructure(Check: Cell: @1);
1216         @3: Jump(Block 1);
1217
1218         would cause us to claim that loc42 could be either an int32 or some cell. However,
1219         the type of a local cannot change without writing to it.
1220
1221         This fixes a crash in destructuring-rest-element.js
1222
1223         * dfg/DFGInPlaceAbstractState.cpp:
1224         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1225
1226 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
1227
1228         Speed up JetStream/base64
1229         https://bugs.webkit.org/show_bug.cgi?id=185914
1230
1231         Reviewed by Michael Saboff.
1232         
1233         Make allocation fast paths ALWAYS_INLINE.
1234         
1235         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
1236         ~6%.
1237
1238         * CMakeLists.txt:
1239         * JavaScriptCore.xcodeproj/project.pbxproj:
1240         * heap/AllocatorInlines.h:
1241         (JSC::Allocator::allocate const):
1242         * heap/CompleteSubspace.cpp:
1243         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
1244         * heap/CompleteSubspace.h:
1245         * heap/CompleteSubspaceInlines.h: Added.
1246         (JSC::CompleteSubspace::allocateNonVirtual):
1247         * heap/FreeListInlines.h:
1248         (JSC::FreeList::allocate):
1249         * heap/IsoSubspace.cpp:
1250         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
1251         * heap/IsoSubspace.h:
1252         (JSC::IsoSubspace::allocatorForNonVirtual):
1253         * heap/IsoSubspaceInlines.h: Added.
1254         (JSC::IsoSubspace::allocateNonVirtual):
1255         * runtime/JSCellInlines.h:
1256         * runtime/VM.h:
1257
1258 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
1259
1260         Conversion misspelled "Convertion" in error message string
1261         https://bugs.webkit.org/show_bug.cgi?id=185436
1262
1263         Reviewed by Saam Barati, Michael Saboff
1264
1265         * runtime/JSBigInt.cpp:
1266         (JSC::JSBigInt::toNumber const):
1267
1268 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1269
1270         [JSC] Clean up stringGetByValStubGenerator
1271         https://bugs.webkit.org/show_bug.cgi?id=185864
1272
1273         Reviewed by Saam Barati.
1274
1275         We clean up stringGetByValStubGenerator.
1276
1277         1. Unify 32bit and 64bit implementations.
1278         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
1279         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
1280         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
1281         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
1282
1283         * jit/JIT.h:
1284         * jit/JITPropertyAccess.cpp:
1285         (JSC::JIT::emitSlow_op_get_by_val):
1286         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1287         * jit/JITPropertyAccess32_64.cpp:
1288         (JSC::JIT::emit_op_get_by_val):
1289         (JSC::JIT::emitSlow_op_get_by_val):
1290         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1291         * jit/ThunkGenerators.cpp:
1292         (JSC::stringGetByValGenerator):
1293         * jit/ThunkGenerators.h:
1294
1295 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
1298         https://bugs.webkit.org/show_bug.cgi?id=185810
1299
1300         Reviewed by Saam Barati.
1301
1302         Let's use branchIfString/branchIfNotString helper functions instead of
1303         checking structure with jsString's structure. It's easy to read. And
1304         it emits less code since we do not need to embed string structure's
1305         raw pointer in 32bit environment.
1306
1307         * jit/JIT.h:
1308         * jit/JITInlines.h:
1309         (JSC::JIT::emitLoadCharacterString):
1310         (JSC::JIT::checkStructure): Deleted.
1311         * jit/JITOpcodes32_64.cpp:
1312         (JSC::JIT::emitSlow_op_eq):
1313         (JSC::JIT::compileOpEqJumpSlow):
1314         (JSC::JIT::emitSlow_op_neq):
1315         * jit/JITPropertyAccess.cpp:
1316         (JSC::JIT::stringGetByValStubGenerator):
1317         (JSC::JIT::emitSlow_op_get_by_val):
1318         (JSC::JIT::emitByValIdentifierCheck):
1319         * jit/JITPropertyAccess32_64.cpp:
1320         (JSC::JIT::stringGetByValStubGenerator):
1321         (JSC::JIT::emitSlow_op_get_by_val):
1322         * jit/JSInterfaceJIT.h:
1323         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
1324         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
1325         * jit/SpecializedThunkJIT.h:
1326         (JSC::SpecializedThunkJIT::loadJSStringArgument):
1327         * jit/ThunkGenerators.cpp:
1328         (JSC::stringCharLoad):
1329         (JSC::charCodeAtThunkGenerator):
1330         (JSC::charAtThunkGenerator):
1331         * runtime/JSString.h:
1332
1333 2018-05-22  Mark Lam  <mark.lam@apple.com>
1334
1335         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
1336         https://bugs.webkit.org/show_bug.cgi?id=185896
1337         <rdar://problem/40471403>
1338
1339         Reviewed by Saam Barati.
1340
1341         * bytecode/BytecodeGeneratorification.cpp:
1342         (JSC::BytecodeGeneratorification::run):
1343
1344 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1345
1346         [JSC] Fix CachedCall's argument count if RegExp has named captures
1347         https://bugs.webkit.org/show_bug.cgi?id=185587
1348
1349         Reviewed by Mark Lam.
1350
1351         If the given RegExp has named captures, the argument count of CachedCall in String#replace
1352         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
1353         the argument count.
1354
1355         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
1356         the same.
1357
1358         * runtime/StringPrototype.cpp:
1359         (JSC::replaceUsingRegExpSearch):
1360
1361 2018-05-22  Mark Lam  <mark.lam@apple.com>
1362
1363         StringImpl utf8 conversion should not fail silently.
1364         https://bugs.webkit.org/show_bug.cgi?id=185888
1365         <rdar://problem/40464506>
1366
1367         Reviewed by Filip Pizlo.
1368
1369         * dfg/DFGLazyJSValue.cpp:
1370         (JSC::DFG::LazyJSValue::dumpInContext const):
1371         * runtime/DateConstructor.cpp:
1372         (JSC::constructDate):
1373         (JSC::dateParse):
1374         * runtime/JSDateMath.cpp:
1375         (JSC::parseDate):
1376         * runtime/JSDateMath.h:
1377
1378 2018-05-22  Keith Miller  <keith_miller@apple.com>
1379
1380         Remove the UnconditionalFinalizer class
1381         https://bugs.webkit.org/show_bug.cgi?id=185881
1382
1383         Reviewed by Filip Pizlo.
1384
1385         The only remaining user of this API is
1386         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
1387         to use the newer template based API and removes the old class.
1388
1406         * CMakeLists.txt:
1389         * JavaScriptCore.xcodeproj/project.pbxproj:
1390         * bytecode/CodeBlock.h:
1391         * heap/Heap.cpp:
1392         (JSC::Heap::finalizeUnconditionalFinalizers):
1393         * heap/Heap.h:
1394         * heap/SlotVisitor.cpp:
1395         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
1396         * heap/SlotVisitor.h:
1397         * heap/UnconditionalFinalizer.h: Removed.
1398         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1399         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1400         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1401         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
1402         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1403         * wasm/js/JSWebAssemblyCodeBlock.h:
1404         * wasm/js/JSWebAssemblyModule.h:
1423
1424 2018-05-22  Keith Miller  <keith_miller@apple.com>
1425
1426         Unreviewed, fix internal build.
1427
1428         * runtime/JSImmutableButterfly.cpp:
1429
1430 2018-05-22  Saam Barati  <sbarati@apple.com>
1431
1432         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
1433         https://bugs.webkit.org/show_bug.cgi?id=144525
1434
1435         Reviewed by Filip Pizlo.
1436
1437         This patch teaches LICM to fall back to hoisting a node's type checks when
1438         hoisting the entire node fails.
1439         
1440         This patch follows the same principles we use when deciding to hoist nodes in general:
1441         - If the pre header is control equivalent to where the current check is, we
1442         go ahead and hoist the check.
1443         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
1444         hoist the check. If hoisting failed in the past, we will not hoist the check.
1445
1446         * dfg/DFGLICMPhase.cpp:
1447         (JSC::DFG::LICMPhase::attemptHoist):
1448         * dfg/DFGUseKind.h:
1449         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1450
1451 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
1452
1453         Get rid of TLCs
1454         https://bugs.webkit.org/show_bug.cgi?id=185846
1455
1456         Rubber stamped by Geoffrey Garen.
1457         
1458         This removes support for thread-local caches from the GC in order to speed up allocation a
1459         bit.
1460         
1461         We added TLCs as part of Spectre mitigations, which we have since removed.
1462         
1463         We will want some kind of TLCs eventually, since they allow us to:
1464         
1465         - have a global GC, which may be a perf optimization at some point.
1466         - allocate objects from JIT threads, which we've been wanting to do for a while.
1467         
1468         This change keeps the most interesting aspect of TLCs, which is the
1469         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
1470         TLCs again in the future if we wanted this feature.
1471         
1472         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
1473         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
1474         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
1475         you can directly use it to allocate. This removes two loads and a check from the allocation
1476         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
1477         allowed us to have a statically known set of LocalAllocators. This would have removed the
1478         bounds check (one load and one branch) and it would have made it possible to CSE the load of
1479         the TLC data structure, since that would no longer resize. But that's a harder change than
1480         this patch, and we don't need it right now.
1481         
1482         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
1483         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
1484         that check already. Previously, the TLC bounds check doubled as this check.
1485         
1486         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
1487         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
1488         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
1489         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
1490
1491         * JavaScriptCore.xcodeproj/project.pbxproj:
1492         * Sources.txt:
1493         * bytecode/ObjectAllocationProfileInlines.h:
1494         (JSC::ObjectAllocationProfile::initializeProfile):
1495         * dfg/DFGSpeculativeJIT.cpp:
1496         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1497         * ftl/FTLLowerDFGToB3.cpp:
1498         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1499         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1500         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1501         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1502         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1503         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1504         * heap/Allocator.cpp:
1505         (JSC::Allocator::cellSize const):
1506         * heap/Allocator.h:
1507         (JSC::Allocator::Allocator):
1508         (JSC::Allocator::localAllocator const):
1509         (JSC::Allocator::operator== const):
1510         (JSC::Allocator::offset const): Deleted.
1511         * heap/AllocatorInlines.h:
1512         (JSC::Allocator::allocate const):
1513         (JSC::Allocator::tryAllocate const): Deleted.
1514         * heap/BlockDirectory.cpp:
1515         (JSC::BlockDirectory::BlockDirectory):
1516         (JSC::BlockDirectory::~BlockDirectory):
1517         * heap/BlockDirectory.h:
1518         (JSC::BlockDirectory::allocator const): Deleted.
1519         * heap/CompleteSubspace.cpp:
1520         (JSC::CompleteSubspace::allocateNonVirtual):
1521         (JSC::CompleteSubspace::allocatorForSlow):
1522         (JSC::CompleteSubspace::tryAllocateSlow):
1523         * heap/CompleteSubspace.h:
1524         * heap/Heap.cpp:
1525         (JSC::Heap::Heap):
1526         * heap/Heap.h:
1527         (JSC::Heap::threadLocalCacheLayout): Deleted.
1528         * heap/IsoSubspace.cpp:
1529         (JSC::IsoSubspace::IsoSubspace):
1530         (JSC::IsoSubspace::allocateNonVirtual):
1531         * heap/IsoSubspace.h:
1532         (JSC::IsoSubspace::allocatorForNonVirtual):
1533         * heap/LocalAllocator.cpp:
1534         (JSC::LocalAllocator::LocalAllocator):
1535         (JSC::LocalAllocator::~LocalAllocator):
1536         * heap/LocalAllocator.h:
1537         (JSC::LocalAllocator::cellSize const):
1538         (JSC::LocalAllocator::tlc const): Deleted.
1539         * heap/ThreadLocalCache.cpp: Removed.
1540         * heap/ThreadLocalCache.h: Removed.
1541         * heap/ThreadLocalCacheInlines.h: Removed.
1542         * heap/ThreadLocalCacheLayout.cpp: Removed.
1543         * heap/ThreadLocalCacheLayout.h: Removed.
1544         * jit/AssemblyHelpers.cpp:
1545         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1546         (JSC::AssemblyHelpers::emitAllocate):
1547         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1548         * jit/JITOpcodes.cpp:
1549         (JSC::JIT::emit_op_create_this):
1550         * runtime/JSLock.cpp:
1551         (JSC::JSLock::didAcquireLock):
1552         * runtime/VM.cpp:
1553         (JSC::VM::VM):
1554         (JSC::VM::~VM):
1555         * runtime/VM.h:
1556         * runtime/VMEntryScope.cpp:
1557         (JSC::VMEntryScope::~VMEntryScope):
1558         * runtime/VMEntryScope.h:
1559
1560 2018-05-22  Keith Miller  <keith_miller@apple.com>
1561
1562         We should have a CoW storage for NewArrayBuffer arrays.
1563         https://bugs.webkit.org/show_bug.cgi?id=185003
1564
1565         Reviewed by Filip Pizlo.
1566
1567         This patch adds copy on write storage for new array buffers. In
1568         order to do this there needed to be significant changes to the
1569         layout of IndexingType. The new indexing type has the following
1570         shape:
1571
1572         struct IndexingTypeAndMisc {
1573             struct IndexingModeIncludingHistory {
1574                 struct IndexingMode {
1575                     struct IndexingType {
1576                         uint8_t isArray:1;          // bit 0
1577                         uint8_t shape:3;            // bit 1 - 3
1578                     };
1579                     uint8_t copyOnWrite:1;          // bit 4
1580                 };
1581                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
1582             };
1583             uint8_t cellLockBits:2;                 // bit 6 - 7
1584         };
1585
1586         For simplicity ArrayStorage shapes cannot be CoW. So the only
1587         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
1588         ArrayWithContiguous.
1589
1590         The backing store for a CoW array is a new class
1591         JSImmutableButterfly, which looks exactly the same as a normal
1592         butterfly except that it has a JSCell header. Like other
1593         butterflies, JSImmutableButterflies are allocated out of the
1594         Auxiliary Gigacage and are pointed to by JSCells in the same
1595         way. However, when marking JSImmutableButterflies they are marked
1596         as if they were a property.
1597
1598         With CoW arrays, the new_array_buffer bytecode will reallocate the
1599         shared JSImmutableButterfly if it sees from the allocation profile
1600         that the last array it allocated has transitioned to a different
1601         indexing type. From then on, all arrays created by that
1602         new_array_buffer bytecode will have the promoted indexing
1603         type. This is more or less the same as what we used to do. The
1604         only difference is that we don't promote all the way to array
1605         storage even if we have seen it before.
1606
1607         Transitioning from a CoW indexing mode occurs whenever someone
1608         tries to store to an element, grow the array, or add properties.
1609         Storing or growing the array will call into code that does the
1610         stupid thing of copying the butterfly then continue into the old
1611         code. This doesn't end up costing us as future allocations will
1612         use any upgraded indexing shape.  We get adding properties for
1613         free by just changing the indexing mode on transition (our C++
1614         code always updates the indexing mode).
1615
1616         * JavaScriptCore.xcodeproj/project.pbxproj:
1617         * Sources.txt:
1618         * bytecode/ArrayAllocationProfile.cpp:
1619         (JSC::ArrayAllocationProfile::updateProfile):
1620         * bytecode/ArrayAllocationProfile.h:
1621         (JSC::ArrayAllocationProfile::initializeIndexingMode):
1622         * bytecode/ArrayProfile.cpp:
1623         (JSC::dumpArrayModes):
1624         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1625         * bytecode/ArrayProfile.h:
1626         (JSC::asArrayModes):
1627         (JSC::arrayModeFromStructure):
1628         (JSC::arrayModesInclude):
1629         (JSC::hasSeenCopyOnWriteArray):
1630         * bytecode/BytecodeList.json:
1631         * bytecode/CodeBlock.cpp:
1632         (JSC::CodeBlock::finishCreation):
1633         * bytecode/InlineAccess.cpp:
1634         (JSC::InlineAccess::generateArrayLength):
1635         * bytecode/UnlinkedCodeBlock.h:
1636         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
1637         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1638         * bytecompiler/BytecodeGenerator.cpp:
1639         (JSC::BytecodeGenerator::newArrayAllocationProfile):
1640         (JSC::BytecodeGenerator::emitNewArrayBuffer):
1641         (JSC::BytecodeGenerator::emitNewArray):
1642         (JSC::BytecodeGenerator::emitNewArrayWithSize):
1643         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1644         * bytecompiler/BytecodeGenerator.h:
1645         * bytecompiler/NodesCodegen.cpp:
1646         (JSC::ArrayNode::emitBytecode):
1647         (JSC::ArrayPatternNode::bindValue const):
1648         (JSC::ArrayPatternNode::emitDirectBinding):
1649         * dfg/DFGAbstractInterpreterInlines.h:
1650         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1651         * dfg/DFGArgumentsEliminationPhase.cpp:
1652         * dfg/DFGArgumentsUtilities.cpp:
1653         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1654         * dfg/DFGArrayMode.cpp:
1655         (JSC::DFG::ArrayMode::fromObserved):
1656         (JSC::DFG::ArrayMode::refine const):
1657         (JSC::DFG::ArrayMode::alreadyChecked const):
1658         * dfg/DFGArrayMode.h:
1659         (JSC::DFG::ArrayMode::ArrayMode):
1660         (JSC::DFG::ArrayMode::action const):
1661         (JSC::DFG::ArrayMode::withSpeculation const):
1662         (JSC::DFG::ArrayMode::withArrayClass const):
1663         (JSC::DFG::ArrayMode::withType const):
1664         (JSC::DFG::ArrayMode::withConversion const):
1665         (JSC::DFG::ArrayMode::withTypeAndConversion const):
1666         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1667         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1668         * dfg/DFGByteCodeParser.cpp:
1669         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1670         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1671         (JSC::DFG::ByteCodeParser::parseBlock):
1672         * dfg/DFGClobberize.h:
1673         (JSC::DFG::clobberize):
1674         * dfg/DFGConstantFoldingPhase.cpp:
1675         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1676         * dfg/DFGFixupPhase.cpp:
1677         (JSC::DFG::FixupPhase::fixupNode):
1678         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1679         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1680         * dfg/DFGGraph.cpp:
1681         (JSC::DFG::Graph::dump):
1682         * dfg/DFGNode.h:
1683         (JSC::DFG::Node::indexingType):
1684         (JSC::DFG::Node::indexingMode):
1685         * dfg/DFGOSRExit.cpp:
1686         (JSC::DFG::OSRExit::compileExit):
1687         * dfg/DFGOperations.cpp:
1688         * dfg/DFGOperations.h:
1689         * dfg/DFGSpeculativeJIT.cpp:
1690         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1691         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1692         (JSC::DFG::SpeculativeJIT::arrayify):
1693         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1694         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1695         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1696         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1697         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1698         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1699         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1700         * dfg/DFGSpeculativeJIT32_64.cpp:
1701         (JSC::DFG::SpeculativeJIT::compile):
1702         * dfg/DFGSpeculativeJIT64.cpp:
1703         (JSC::DFG::SpeculativeJIT::compile):
1704         * dfg/DFGValidate.cpp:
1705         * ftl/FTLAbstractHeapRepository.h:
1706         * ftl/FTLLowerDFGToB3.cpp:
1707         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1708         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1709         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1710         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1711         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1712         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1713         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1714         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1715         * ftl/FTLOperations.cpp:
1716         (JSC::FTL::operationMaterializeObjectInOSR):
1717         * generate-bytecode-files:
1718         * interpreter/Interpreter.cpp:
1719         (JSC::sizeOfVarargs):
1720         (JSC::loadVarargs):
1721         * jit/AssemblyHelpers.cpp:
1722         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1723         * jit/AssemblyHelpers.h:
1724         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1725         * jit/JITOperations.cpp:
1726         * jit/JITPropertyAccess.cpp:
1727         (JSC::JIT::emit_op_put_by_val):
1728         (JSC::JIT::emitSlow_op_put_by_val):
1729         * jit/Repatch.cpp:
1730         (JSC::tryCachePutByID):
1731         * llint/LowLevelInterpreter.asm:
1732         * llint/LowLevelInterpreter32_64.asm:
1733         * llint/LowLevelInterpreter64.asm:
1734         * runtime/Butterfly.h:
1735         (JSC::ContiguousData::Data::Data):
1736         (JSC::ContiguousData::Data::operator bool const):
1737         (JSC::ContiguousData::Data::operator=):
1738         (JSC::ContiguousData::Data::operator const T& const):
1739         (JSC::ContiguousData::Data::set):
1740         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
1741         (JSC::ContiguousData::Data::clear):
1742         (JSC::ContiguousData::Data::get const):
1743         (JSC::ContiguousData::atUnsafe):
1744         (JSC::ContiguousData::at const): Deleted.
1745         (JSC::ContiguousData::at): Deleted.
1746         * runtime/ButterflyInlines.h:
1747         (JSC::ContiguousData<T>::at const):
1748         (JSC::ContiguousData<T>::at):
1749         * runtime/ClonedArguments.cpp:
1750         (JSC::ClonedArguments::createEmpty):
1751         * runtime/CommonSlowPaths.cpp:
1752         (JSC::SLOW_PATH_DECL):
1753         * runtime/CommonSlowPaths.h:
1754         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
1755         * runtime/IndexingType.cpp:
1756         (JSC::leastUpperBoundOfIndexingTypeAndType):
1757         (JSC::leastUpperBoundOfIndexingTypeAndValue):
1758         (JSC::dumpIndexingType):
1759         * runtime/IndexingType.h:
1760         (JSC::hasIndexedProperties):
1761         (JSC::hasUndecided):
1762         (JSC::hasInt32):
1763         (JSC::hasDouble):
1764         (JSC::hasContiguous):
1765         (JSC::hasArrayStorage):
1766         (JSC::hasAnyArrayStorage):
1767         (JSC::hasSlowPutArrayStorage):
1768         (JSC::shouldUseSlowPut):
1769         (JSC::isCopyOnWrite):
1770         (JSC::arrayIndexFromIndexingType):
1771         * runtime/JSArray.cpp:
1772         (JSC::JSArray::tryCreateUninitializedRestricted):
1773         (JSC::JSArray::put):
1774         (JSC::JSArray::appendMemcpy):
1775         (JSC::JSArray::setLength):
1776         (JSC::JSArray::pop):
1777         (JSC::JSArray::fastSlice):
1778         (JSC::JSArray::shiftCountWithAnyIndexingType):
1779         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1780         (JSC::JSArray::fillArgList):
1781         (JSC::JSArray::copyToArguments):
1782         * runtime/JSArrayInlines.h:
1783         (JSC::JSArray::pushInline):
1784         * runtime/JSCell.h:
1785         * runtime/JSCellInlines.h:
1786         (JSC::JSCell::JSCell):
1787         (JSC::JSCell::finishCreation):
1788         (JSC::JSCell::indexingType const):
1789         (JSC::JSCell::indexingMode const):
1790         (JSC::JSCell::setStructure):
1791         * runtime/JSFixedArray.h:
1792         * runtime/JSGlobalObject.cpp:
1793         (JSC::JSGlobalObject::init):
1794         (JSC::JSGlobalObject::haveABadTime):
1795         (JSC::JSGlobalObject::visitChildren):
1796         * runtime/JSGlobalObject.h:
1797         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
1798         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1799         (JSC::JSGlobalObject::isOriginalArrayStructure):
1800         * runtime/JSImmutableButterfly.cpp: Added.
1801         (JSC::JSImmutableButterfly::visitChildren):
1802         (JSC::JSImmutableButterfly::copyToArguments):
1803         * runtime/JSImmutableButterfly.h: Added.
1804         (JSC::JSImmutableButterfly::createStructure):
1805         (JSC::JSImmutableButterfly::tryCreate):
1806         (JSC::JSImmutableButterfly::create):
1807         (JSC::JSImmutableButterfly::publicLength const):
1808         (JSC::JSImmutableButterfly::vectorLength const):
1809         (JSC::JSImmutableButterfly::length const):
1810         (JSC::JSImmutableButterfly::toButterfly const):
1811         (JSC::JSImmutableButterfly::fromButterfly):
1812         (JSC::JSImmutableButterfly::get const):
1813         (JSC::JSImmutableButterfly::subspaceFor):
1814         (JSC::JSImmutableButterfly::setIndex):
1815         (JSC::JSImmutableButterfly::allocationSize):
1816         (JSC::JSImmutableButterfly::JSImmutableButterfly):
1817         * runtime/JSObject.cpp:
1818         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
1819         (JSC::JSObject::visitButterflyImpl):
1820         (JSC::JSObject::getOwnPropertySlotByIndex):
1821         (JSC::JSObject::putByIndex):
1822         (JSC::JSObject::createInitialInt32):
1823         (JSC::JSObject::createInitialDouble):
1824         (JSC::JSObject::createInitialContiguous):
1825         (JSC::JSObject::convertUndecidedToInt32):
1826         (JSC::JSObject::convertUndecidedToDouble):
1827         (JSC::JSObject::convertUndecidedToContiguous):
1828         (JSC::JSObject::convertInt32ToDouble):
1829         (JSC::JSObject::convertInt32ToArrayStorage):
1830         (JSC::JSObject::convertDoubleToContiguous):
1831         (JSC::JSObject::convertDoubleToArrayStorage):
1832         (JSC::JSObject::convertContiguousToArrayStorage):
1833         (JSC::JSObject::createInitialForValueAndSet):
1834         (JSC::JSObject::convertInt32ForValue):
1835         (JSC::JSObject::convertFromCopyOnWrite):
1836         (JSC::JSObject::ensureWritableInt32Slow):
1837         (JSC::JSObject::ensureWritableDoubleSlow):
1838         (JSC::JSObject::ensureWritableContiguousSlow):
1839         (JSC::JSObject::ensureArrayStorageSlow):
1840         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1841         (JSC::JSObject::switchToSlowPutArrayStorage):
1842         (JSC::JSObject::deletePropertyByIndex):
1843         (JSC::JSObject::getOwnPropertyNames):
1844         (JSC::canDoFastPutDirectIndex):
1845         (JSC::JSObject::defineOwnIndexedProperty):
1846         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1847         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1848         (JSC::JSObject::putByIndexBeyondVectorLength):
1849         (JSC::JSObject::countElements):
1850         (JSC::JSObject::ensureLengthSlow):
1851         (JSC::JSObject::getEnumerableLength):
1852         (JSC::JSObject::ensureInt32Slow): Deleted.
1853         (JSC::JSObject::ensureDoubleSlow): Deleted.
1854         (JSC::JSObject::ensureContiguousSlow): Deleted.
1855         * runtime/JSObject.h:
1856         (JSC::JSObject::putDirectIndex):
1857         (JSC::JSObject::canGetIndexQuickly):
1858         (JSC::JSObject::getIndexQuickly):
1859         (JSC::JSObject::tryGetIndexQuickly const):
1860         (JSC::JSObject::canSetIndexQuickly):
1861         (JSC::JSObject::setIndexQuickly):
1862         (JSC::JSObject::initializeIndex):
1863         (JSC::JSObject::initializeIndexWithoutBarrier):
1864         (JSC::JSObject::ensureWritableInt32):
1865         (JSC::JSObject::ensureWritableDouble):
1866         (JSC::JSObject::ensureWritableContiguous):
1867         (JSC::JSObject::ensureLength):
1868         (JSC::JSObject::ensureInt32): Deleted.
1869         (JSC::JSObject::ensureDouble): Deleted.
1870         (JSC::JSObject::ensureContiguous): Deleted.
1871         * runtime/JSObjectInlines.h:
1872         (JSC::JSObject::putDirectInternal):
1873         * runtime/JSType.h:
1874         * runtime/RegExpMatchesArray.h:
1875         (JSC::tryCreateUninitializedRegExpMatchesArray):
1876         * runtime/Structure.cpp:
1877         (JSC::Structure::Structure):
1878         (JSC::Structure::addNewPropertyTransition):
1879         (JSC::Structure::nonPropertyTransition):
1880         * runtime/Structure.h:
1881         * runtime/StructureIDBlob.h:
1882         (JSC::StructureIDBlob::StructureIDBlob):
1883         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
1884         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
1885         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
1886         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
1887         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
1888         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
1889         * runtime/StructureTransitionTable.h:
1890         (JSC::newIndexingType):
1891         * runtime/VM.cpp:
1892         (JSC::VM::VM):
1893         * runtime/VM.h:
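
The IndexingTypeAndMisc layout the entry above spells out (bit 0 isArray, bits 1-3 shape, bit 4 copyOnWrite, bit 5 mayHaveIndexedAccessors, bits 6-7 cellLockBits) can be modelled as plain mask arithmetic. The following is an added example written for this page, not JavaScriptCore code: the names encode, decode, canBeCopyOnWrite and convertFromCopyOnWrite are this example's own, and the numeric values of the 3-bit shape field are assumed placeholders, since the entry names the shapes but not their encoding. It enforces the one invariant the entry states, namely that only ArrayWithInt32, ArrayWithDouble and ArrayWithContiguous may be copy-on-write, and models leaving CoW mode as clearing bit 4 while the lock and history bits stay untouched.

```cpp
#include <cstdint>
#include <stdexcept>

// Added example, not JSC code: a model of the IndexingTypeAndMisc byte.
namespace indexing_model {

constexpr uint8_t IsArrayMask = 0x01;                  // bit 0
constexpr unsigned ShapeShift = 1;
constexpr uint8_t ShapeMask = 0x0E;                    // bits 1-3
constexpr uint8_t CopyOnWriteMask = 0x10;              // bit 4
constexpr uint8_t MayHaveIndexedAccessorsMask = 0x20;  // bit 5
constexpr unsigned CellLockShift = 6;
constexpr uint8_t CellLockMask = 0xC0;                 // bits 6-7

// IndexingType is bits 0-3; IndexingMode adds copyOnWrite;
// IndexingModeIncludingHistory adds mayHaveIndexedAccessors.
constexpr uint8_t IndexingTypeMask = IsArrayMask | ShapeMask;             // 0x0F
constexpr uint8_t IndexingModeMask = IndexingTypeMask | CopyOnWriteMask;  // 0x1F

// ASSUMED placeholder encoding of the 3-bit shape field; the entry does not
// give the real numeric values.
enum class Shape : uint8_t {
    NoIndexing = 0,
    Undecided = 1,
    Int32 = 2,
    Double = 3,
    Contiguous = 4,
    ArrayStorage = 5,
    SlowPutArrayStorage = 6,
};

struct Fields {
    bool isArray;
    Shape shape;
    bool copyOnWrite;
    bool mayHaveIndexedAccessors;
    uint8_t cellLockBits; // two-bit field, 0-3
};

// Per the entry: only ArrayWithInt32, ArrayWithDouble and ArrayWithContiguous
// may be copy-on-write; ArrayStorage shapes never are.
inline bool canBeCopyOnWrite(const Fields& f) {
    return f.isArray
        && (f.shape == Shape::Int32 || f.shape == Shape::Double || f.shape == Shape::Contiguous);
}

// Packs the fields into one byte, rejecting combinations the layout forbids.
inline uint8_t encode(const Fields& f) {
    if (f.copyOnWrite && !canBeCopyOnWrite(f))
        throw std::invalid_argument("copyOnWrite is only valid for ArrayWithInt32/Double/Contiguous");
    if (f.cellLockBits > 3)
        throw std::invalid_argument("cellLockBits is a 2-bit field");
    uint8_t byte = 0;
    if (f.isArray)
        byte |= IsArrayMask;
    byte |= static_cast<uint8_t>((static_cast<uint8_t>(f.shape) << ShapeShift) & ShapeMask);
    if (f.copyOnWrite)
        byte |= CopyOnWriteMask;
    if (f.mayHaveIndexedAccessors)
        byte |= MayHaveIndexedAccessorsMask;
    byte |= static_cast<uint8_t>((f.cellLockBits << CellLockShift) & CellLockMask);
    return byte;
}

// Unpacks a byte back into its fields.
inline Fields decode(uint8_t byte) {
    Fields f;
    f.isArray = (byte & IsArrayMask) != 0;
    f.shape = static_cast<Shape>((byte & ShapeMask) >> ShapeShift);
    f.copyOnWrite = (byte & CopyOnWriteMask) != 0;
    f.mayHaveIndexedAccessors = (byte & MayHaveIndexedAccessorsMask) != 0;
    f.cellLockBits = static_cast<uint8_t>((byte & CellLockMask) >> CellLockShift);
    return f;
}

inline uint8_t indexingType(uint8_t byte) { return byte & IndexingTypeMask; }
inline uint8_t indexingMode(uint8_t byte) { return byte & IndexingModeMask; }
inline bool isCopyOnWrite(uint8_t byte) { return (byte & CopyOnWriteMask) != 0; }

// Model of the transition the entry describes: a store, a grow, or adding a
// property takes the array out of CoW mode. Only bit 4 changes; the lock bits
// and the mayHaveIndexedAccessors history bit are preserved.
inline uint8_t convertFromCopyOnWrite(uint8_t byte) {
    return static_cast<uint8_t>(byte & ~CopyOnWriteMask);
}

} // namespace indexing_model
```

With this model, an ArrayWithInt32 that is copy-on-write encodes to 0x15; masking with IndexingTypeMask drops the CoW bit (0x05), and convertFromCopyOnWrite on a byte that also carries lock bits (0xD5) yields 0xC5, which is what a reader should expect from "we get adding properties for free by just changing the indexing mode".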
1894
1895 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
1896
1897         Unreviewed, rolling out r232052.
1898
1899         Breaks internal builds.
1900
1901         Reverted changeset:
1902
1903         "Use more C++17"
1904         https://bugs.webkit.org/show_bug.cgi?id=185176
1905         https://trac.webkit.org/changeset/232052
1906
1907 2018-05-22  Alberto Garcia  <berto@igalia.com>
1908
1909         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
1910         https://bugs.webkit.org/show_bug.cgi?id=182622
1911         <rdar://problem/40292317>
1912
1913         Reviewed by Michael Catanzaro.
1914
1915         We were linking JavaScriptCore against libatomic in MIPS because
1916         in that architecture __atomic_fetch_add_8() is not a compiler
1917         intrinsic and is provided by that library instead. However other
1918         architectures (e.g. armel) are in the same situation, so we need a
1919         generic test.
1920
1921         That test already exists in WebKit/CMakeLists.txt, so we just have
1922         to move it to a common file (WebKitCompilerFlags.cmake) and use
1923         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
1924
1925         * CMakeLists.txt:
1926
1927 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
1928
1929         Unreviewed, rolling out r231843.
1930
1931         Broke cross build
1932
1933         Reverted changeset:
1934
1935         "[CMake] Properly detect compiler flags, needed libs, and
1936         fallbacks for usage of 64-bit atomic operations"
1937         https://bugs.webkit.org/show_bug.cgi?id=182622
1938         https://trac.webkit.org/changeset/231843
1939
1940 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1941
1942         Use more C++17
1943         https://bugs.webkit.org/show_bug.cgi?id=185176
1944
1945         Reviewed by JF Bastien.
1946
1947         * Configurations/Base.xcconfig:
1948
1949 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1950
1951         [JSC] Remove duplicate methods in JSInterfaceJIT
1952         https://bugs.webkit.org/show_bug.cgi?id=185813
1953
1954         Reviewed by Saam Barati.
1955
1956         Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
1957         This patch removes these ones and uses AssemblyHelpers' ones instead.
1958
1959         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
1960
1961         * jit/AssemblyHelpers.h:
1962         (JSC::AssemblyHelpers::tagFor):
1963         (JSC::AssemblyHelpers::payloadFor):
1964         * jit/JIT.h:
1965         * jit/JITArithmetic.cpp:
1966         (JSC::JIT::emit_op_unsigned):
1967         (JSC::JIT::emit_compareUnsigned):
1968         (JSC::JIT::emit_op_inc):
1969         (JSC::JIT::emit_op_dec):
1970         (JSC::JIT::emit_op_mod):
1971         * jit/JITCall32_64.cpp:
1972         (JSC::JIT::compileOpCall):
1973         * jit/JITInlines.h:
1974         (JSC::JIT::emitPutIntToCallFrameHeader):
1975         (JSC::JIT::updateTopCallFrame):
1976         (JSC::JIT::emitInitRegister):
1977         (JSC::JIT::emitLoad):
1978         (JSC::JIT::emitStore):
1979         (JSC::JIT::emitStoreInt32):
1980         (JSC::JIT::emitStoreCell):
1981         (JSC::JIT::emitStoreBool):
1982         (JSC::JIT::emitGetVirtualRegister):
1983         (JSC::JIT::emitPutVirtualRegister):
1984         (JSC::JIT::emitTagBool): Deleted.
1985         * jit/JITOpcodes.cpp:
1986         (JSC::JIT::emit_op_overrides_has_instance):
1987         (JSC::JIT::emit_op_is_empty):
1988         (JSC::JIT::emit_op_is_undefined):
1989         (JSC::JIT::emit_op_is_boolean):
1990         (JSC::JIT::emit_op_is_number):
1991         (JSC::JIT::emit_op_is_cell_with_type):
1992         (JSC::JIT::emit_op_is_object):
1993         (JSC::JIT::emit_op_eq):
1994         (JSC::JIT::emit_op_neq):
1995         (JSC::JIT::compileOpStrictEq):
1996         (JSC::JIT::emit_op_eq_null):
1997         (JSC::JIT::emit_op_neq_null):
1998         (JSC::JIT::emitSlow_op_eq):
1999         (JSC::JIT::emitSlow_op_neq):
2000         (JSC::JIT::emitSlow_op_instanceof_custom):
2001         (JSC::JIT::emitNewFuncExprCommon):
2002         * jit/JSInterfaceJIT.h:
2003         (JSC::JSInterfaceJIT::emitLoadInt32):
2004         (JSC::JSInterfaceJIT::emitLoadDouble):
2005         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
2006         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
2007         (JSC::JSInterfaceJIT::tagFor): Deleted.
2008         (JSC::JSInterfaceJIT::payloadFor): Deleted.
2009         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
2010         (JSC::JSInterfaceJIT::intTagFor): Deleted.
2011         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
2012         (JSC::JSInterfaceJIT::addressFor): Deleted.
2013         * jit/SpecializedThunkJIT.h:
2014         (JSC::SpecializedThunkJIT::returnDouble):
2015         * jit/ThunkGenerators.cpp:
2016         (JSC::nativeForGenerator):
2017         (JSC::arityFixupGenerator):
2018
2019 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2020
2021         Unreviewed, reland InById cache
2022         https://bugs.webkit.org/show_bug.cgi?id=185682
2023
2024         Includes Dominik's 32bit fix.
2025
2026         * bytecode/AccessCase.cpp:
2027         (JSC::AccessCase::fromStructureStubInfo):
2028         (JSC::AccessCase::generateWithGuard):
2029         (JSC::AccessCase::generateImpl):
2030         * bytecode/BytecodeDumper.cpp:
2031         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2032         (JSC::BytecodeDumper<Block>::dumpBytecode):
2033         * bytecode/BytecodeDumper.h:
2034         * bytecode/BytecodeList.json:
2035         * bytecode/BytecodeUseDef.h:
2036         (JSC::computeUsesForBytecodeOffset):
2037         (JSC::computeDefsForBytecodeOffset):
2038         * bytecode/CodeBlock.cpp:
2039         (JSC::CodeBlock::finishCreation):
2040         * bytecode/InlineAccess.cpp:
2041         (JSC::InlineAccess::generateSelfInAccess):
2042         * bytecode/InlineAccess.h:
2043         * bytecode/StructureStubInfo.cpp:
2044         (JSC::StructureStubInfo::initInByIdSelf):
2045         (JSC::StructureStubInfo::deref):
2046         (JSC::StructureStubInfo::aboutToDie):
2047         (JSC::StructureStubInfo::reset):
2048         (JSC::StructureStubInfo::visitWeakReferences):
2049         (JSC::StructureStubInfo::propagateTransitions):
2050         * bytecode/StructureStubInfo.h:
2051         (JSC::StructureStubInfo::patchableJump):
2052         * bytecompiler/BytecodeGenerator.cpp:
2053         (JSC::BytecodeGenerator::emitInByVal):
2054         (JSC::BytecodeGenerator::emitInById):
2055         (JSC::BytecodeGenerator::emitIn): Deleted.
2056         * bytecompiler/BytecodeGenerator.h:
2057         * bytecompiler/NodesCodegen.cpp:
2058         (JSC::InNode::emitBytecode):
2059         * dfg/DFGAbstractInterpreterInlines.h:
2060         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2061         * dfg/DFGByteCodeParser.cpp:
2062         (JSC::DFG::ByteCodeParser::parseBlock):
2063         * dfg/DFGCapabilities.cpp:
2064         (JSC::DFG::capabilityLevel):
2065         * dfg/DFGClobberize.h:
2066         (JSC::DFG::clobberize):
2067         * dfg/DFGConstantFoldingPhase.cpp:
2068         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2069         * dfg/DFGDoesGC.cpp:
2070         (JSC::DFG::doesGC):
2071         * dfg/DFGFixupPhase.cpp:
2072         (JSC::DFG::FixupPhase::fixupNode):
2073         * dfg/DFGJITCompiler.cpp:
2074         (JSC::DFG::JITCompiler::link):
2075         * dfg/DFGJITCompiler.h:
2076         (JSC::DFG::JITCompiler::addInById):
2077         (JSC::DFG::InRecord::InRecord): Deleted.
2078         (JSC::DFG::JITCompiler::addIn): Deleted.
2079         * dfg/DFGNode.h:
2080         (JSC::DFG::Node::convertToInById):
2081         (JSC::DFG::Node::hasIdentifier):
2082         (JSC::DFG::Node::hasArrayMode):
2083         * dfg/DFGNodeType.h:
2084         * dfg/DFGPredictionPropagationPhase.cpp:
2085         * dfg/DFGSafeToExecute.h:
2086         (JSC::DFG::safeToExecute):
2087         * dfg/DFGSpeculativeJIT.cpp:
2088         (JSC::DFG::SpeculativeJIT::compileInById):
2089         (JSC::DFG::SpeculativeJIT::compileInByVal):
2090         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2091         * dfg/DFGSpeculativeJIT.h:
2092         * dfg/DFGSpeculativeJIT32_64.cpp:
2093         (JSC::DFG::SpeculativeJIT::compile):
2094         * dfg/DFGSpeculativeJIT64.cpp:
2095         (JSC::DFG::SpeculativeJIT::compile):
2096         * ftl/FTLCapabilities.cpp:
2097         (JSC::FTL::canCompile):
2098         * ftl/FTLLowerDFGToB3.cpp:
2099         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2100         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2101         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2102         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2103         * jit/AssemblyHelpers.h:
2104         (JSC::AssemblyHelpers::boxBoolean):
2105         * jit/ICStats.h:
2106         * jit/JIT.cpp:
2107         (JSC::JIT::JIT):
2108         (JSC::JIT::privateCompileMainPass):
2109         (JSC::JIT::privateCompileSlowCases):
2110         (JSC::JIT::link):
2111         * jit/JIT.h:
2112         * jit/JITInlineCacheGenerator.cpp:
2113         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2114         (JSC::JITInByIdGenerator::generateFastPath):
2115         * jit/JITInlineCacheGenerator.h:
2116         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2117         * jit/JITOperations.cpp:
2118         * jit/JITOperations.h:
2119         * jit/JITPropertyAccess.cpp:
2120         (JSC::JIT::emit_op_in_by_id):
2121         (JSC::JIT::emitSlow_op_in_by_id):
2122         * jit/JITPropertyAccess32_64.cpp:
2123         (JSC::JIT::emit_op_in_by_id):
2124         (JSC::JIT::emitSlow_op_in_by_id):
2125         * jit/Repatch.cpp:
2126         (JSC::tryCacheInByID):
2127         (JSC::repatchInByID):
2128         (JSC::resetInByID):
2129         (JSC::tryCacheIn): Deleted.
2130         (JSC::repatchIn): Deleted.
2131         (JSC::resetIn): Deleted.
2132         * jit/Repatch.h:
2133         * llint/LowLevelInterpreter.asm:
2134         * llint/LowLevelInterpreter64.asm:
2135         * parser/NodeConstructors.h:
2136         (JSC::InNode::InNode):
2137         * runtime/CommonSlowPaths.cpp:
2138         (JSC::SLOW_PATH_DECL):
2139         * runtime/CommonSlowPaths.h:
2140         (JSC::CommonSlowPaths::opInByVal):
2141         (JSC::CommonSlowPaths::opIn): Deleted.
2142
2143 2018-05-21  Commit Queue  <commit-queue@webkit.org>
2144
2145         Unreviewed, rolling out r231998 and r232017.
2146         https://bugs.webkit.org/show_bug.cgi?id=185842
2147
2148         causes crashes on 32 JSC bot (Requested by realdawei on
2149         #webkit).
2150
2151         Reverted changesets:
2152
2153         "[JSC] JSC should have consistent InById IC"
2154         https://bugs.webkit.org/show_bug.cgi?id=185682
2155         https://trac.webkit.org/changeset/231998
2156
2157         "Unreviewed, fix 32bit and scope release"
2158         https://bugs.webkit.org/show_bug.cgi?id=185682
2159         https://trac.webkit.org/changeset/232017
2160
2161 2018-05-21  Jer Noble  <jer.noble@apple.com>
2162
2163         Complete fix for enabling modern EME by default
2164         https://bugs.webkit.org/show_bug.cgi?id=185770
2165         <rdar://problem/40368220>
2166
2167         Reviewed by Eric Carlson.
2168
2169         * Configurations/FeatureDefines.xcconfig:
2170
2171 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2172
2173         Unreviewed, fix 32bit and scope release
2174         https://bugs.webkit.org/show_bug.cgi?id=185682
2175
2176         * jit/JITOperations.cpp:
2177         * jit/JITPropertyAccess32_64.cpp:
2178         (JSC::JIT::emitSlow_op_in_by_id):
2179
2180 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
2181
2182         Revert the B3 compiler pipeline's treatment of taildup
2183         https://bugs.webkit.org/show_bug.cgi?id=185808
2184
2185         Reviewed by Yusuke Suzuki.
2186         
2187         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
2188         But then path specialization turned out to be a negative result. This reverts the pipeline to the
2189         way it was before that work.
2190         
2191         1.5% progression on V8Spider-CompileTime.
2192
2193         * b3/B3Generate.cpp:
2194         (JSC::B3::generateToAir):
2195
2196 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2197
2198         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
2199         https://bugs.webkit.org/show_bug.cgi?id=185802
2200
2201         Reviewed by Saam Barati.
2202
2203         * dfg/DFGConstantFoldingPhase.cpp:
2204         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2205
2206 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
2207
2208         DFG should inline InstanceOf ICs
2209         https://bugs.webkit.org/show_bug.cgi?id=185695
2210
2211         Reviewed by Yusuke Suzuki.
2212         
2213         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
2214         be folded to a CheckStructure + JSConstant.
2215         
2216         In the process of testing this, I found a bug where LICM was not hoisting things that
2217         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
2218         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
2219         
2220         This is a ~5% speed-up on boyer.
2221         
2222         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
2223         instanceof-sometimes-hit microbenchmarks.
2224
2225         * JavaScriptCore.xcodeproj/project.pbxproj:
2226         * Sources.txt:
2227         * bytecode/GetByIdStatus.cpp:
2228         (JSC::GetByIdStatus::appendVariant):
2229         (JSC::GetByIdStatus::filter):
2230         * bytecode/GetByIdStatus.h:
2231         (JSC::GetByIdStatus::operator bool const):
2232         (JSC::GetByIdStatus::operator! const): Deleted.
2233         * bytecode/GetByIdVariant.h:
2234         (JSC::GetByIdVariant::operator bool const):
2235         (JSC::GetByIdVariant::operator! const): Deleted.
2236         * bytecode/ICStatusUtils.h: Added.
2237         (JSC::appendICStatusVariant):
2238         (JSC::filterICStatusVariants):
2239         * bytecode/InstanceOfStatus.cpp: Added.
2240         (JSC::InstanceOfStatus::appendVariant):
2241         (JSC::InstanceOfStatus::computeFor):
2242         (JSC::InstanceOfStatus::computeForStubInfo):
2243         (JSC::InstanceOfStatus::commonPrototype const):
2244         (JSC::InstanceOfStatus::filter):
2245         * bytecode/InstanceOfStatus.h: Added.
2246         (JSC::InstanceOfStatus::InstanceOfStatus):
2247         (JSC::InstanceOfStatus::state const):
2248         (JSC::InstanceOfStatus::isSet const):
2249         (JSC::InstanceOfStatus::operator bool const):
2250         (JSC::InstanceOfStatus::isSimple const):
2251         (JSC::InstanceOfStatus::takesSlowPath const):
2252         (JSC::InstanceOfStatus::numVariants const):
2253         (JSC::InstanceOfStatus::variants const):
2254         (JSC::InstanceOfStatus::at const):
2255         (JSC::InstanceOfStatus::operator[] const):
2256         * bytecode/InstanceOfVariant.cpp: Added.
2257         (JSC::InstanceOfVariant::InstanceOfVariant):
2258         (JSC::InstanceOfVariant::attemptToMerge):
2259         (JSC::InstanceOfVariant::dump const):
2260         (JSC::InstanceOfVariant::dumpInContext const):
2261         * bytecode/InstanceOfVariant.h: Added.
2262         (JSC::InstanceOfVariant::InstanceOfVariant):
2263         (JSC::InstanceOfVariant::operator bool const):
2264         (JSC::InstanceOfVariant::structureSet const):
2265         (JSC::InstanceOfVariant::structureSet):
2266         (JSC::InstanceOfVariant::conditionSet const):
2267         (JSC::InstanceOfVariant::prototype const):
2268         (JSC::InstanceOfVariant::isHit const):
2269         * bytecode/StructureStubInfo.cpp:
2270         (JSC::StructureStubInfo::StructureStubInfo):
2271         * bytecode/StructureStubInfo.h:
2272         (JSC::StructureStubInfo::considerCaching):
2273         * dfg/DFGAbstractInterpreterInlines.h:
2274         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2275         * dfg/DFGByteCodeParser.cpp:
2276         (JSC::DFG::ByteCodeParser::parseBlock):
2277         * dfg/DFGClobberize.h:
2278         (JSC::DFG::clobberize):
2279         * dfg/DFGConstantFoldingPhase.cpp:
2280         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2281         * dfg/DFGDoesGC.cpp:
2282         (JSC::DFG::doesGC):
2283         * dfg/DFGFixupPhase.cpp:
2284         (JSC::DFG::FixupPhase::fixupNode):
2285         * dfg/DFGGraph.cpp:
2286         (JSC::DFG::Graph::dump):
2287         * dfg/DFGGraph.h:
2288         * dfg/DFGLICMPhase.cpp:
2289         (JSC::DFG::LICMPhase::attemptHoist):
2290         * dfg/DFGNode.cpp:
2291         (JSC::DFG::Node::remove):
2292         * dfg/DFGNode.h:
2293         (JSC::DFG::Node::hasMatchStructureData):
2294         (JSC::DFG::Node::matchStructureData):
2295         * dfg/DFGNodeType.h:
2296         * dfg/DFGSafeToExecute.h:
2297         (JSC::DFG::safeToExecute):
2298         * dfg/DFGSpeculativeJIT.cpp:
2299         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
2300         * dfg/DFGSpeculativeJIT.h:
2301         * dfg/DFGSpeculativeJIT32_64.cpp:
2302         (JSC::DFG::SpeculativeJIT::compile):
2303         * dfg/DFGSpeculativeJIT64.cpp:
2304         (JSC::DFG::SpeculativeJIT::compile):
2305         * ftl/FTLCapabilities.cpp:
2306         (JSC::FTL::canCompile):
2307         * ftl/FTLLowerDFGToB3.cpp:
2308         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2309         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
2310
2311 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2312
2313         [JSC] JSC should have consistent InById IC
2314         https://bugs.webkit.org/show_bug.cgi?id=185682
2315
2316         Reviewed by Filip Pizlo.
2317
2318         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
2319         when we find that DFG::In's parameter is a constant string. We should
2320         align this IC with the other ById ICs to clean up and remove the ad hoc code
2321         in DFG and FTL.
2322
2323         This patch cleans up our "In" IC by aligning it with the other ById ICs.
2324         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
2325         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
2326         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
2327         have an inline access cache for the own-property case, the same as
2328         JITGetByIdGenerator.
2329
2330         We also split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
2331         as the original In DFG node. DFG AI attempts to lower InByVal to InById
2332         if AI figures out that the property name is a constant string. And in
2333         the InById node, we use JITInByIdGenerator code.
2334
2335         This patch cleans up DFG and FTL's adhoc In IC code.
2336
2337         In a subsequent patch, we should introduce InByIdStatus to optimize
2338         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
2339         reusing GetByIdStatus, since GetByIdStatus has become too complicated and
2340         the AccessCase::Types are different (AccessCase::InHit / InMiss).
2341
2342         * bytecode/AccessCase.cpp:
2343         (JSC::AccessCase::fromStructureStubInfo):
2344         (JSC::AccessCase::generateWithGuard):
2345         * bytecode/BytecodeDumper.cpp:
2346         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2347         (JSC::BytecodeDumper<Block>::dumpBytecode):
2348         * bytecode/BytecodeDumper.h:
2349         * bytecode/BytecodeList.json:
2350         * bytecode/BytecodeUseDef.h:
2351         (JSC::computeUsesForBytecodeOffset):
2352         (JSC::computeDefsForBytecodeOffset):
2353         * bytecode/CodeBlock.cpp:
2354         (JSC::CodeBlock::finishCreation):
2355         * bytecode/InlineAccess.cpp:
2356         (JSC::InlineAccess::generateSelfInAccess):
2357         * bytecode/InlineAccess.h:
2358         * bytecode/StructureStubInfo.cpp:
2359         (JSC::StructureStubInfo::initInByIdSelf):
2360         (JSC::StructureStubInfo::deref):
2361         (JSC::StructureStubInfo::aboutToDie):
2362         (JSC::StructureStubInfo::reset):
2363         (JSC::StructureStubInfo::visitWeakReferences):
2364         (JSC::StructureStubInfo::propagateTransitions):
2365         * bytecode/StructureStubInfo.h:
2366         (JSC::StructureStubInfo::patchableJump):
2367         * bytecompiler/BytecodeGenerator.cpp:
2368         (JSC::BytecodeGenerator::emitInByVal):
2369         (JSC::BytecodeGenerator::emitInById):
2370         (JSC::BytecodeGenerator::emitIn): Deleted.
2371         * bytecompiler/BytecodeGenerator.h:
2372         * bytecompiler/NodesCodegen.cpp:
2373         (JSC::InNode::emitBytecode):
2374         * dfg/DFGAbstractInterpreterInlines.h:
2375         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2376         * dfg/DFGByteCodeParser.cpp:
2377         (JSC::DFG::ByteCodeParser::parseBlock):
2378         * dfg/DFGCapabilities.cpp:
2379         (JSC::DFG::capabilityLevel):
2380         * dfg/DFGClobberize.h:
2381         (JSC::DFG::clobberize):
2382         * dfg/DFGConstantFoldingPhase.cpp:
2383         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2384         * dfg/DFGDoesGC.cpp:
2385         (JSC::DFG::doesGC):
2386         * dfg/DFGFixupPhase.cpp:
2387         (JSC::DFG::FixupPhase::fixupNode):
2388         * dfg/DFGJITCompiler.cpp:
2389         (JSC::DFG::JITCompiler::link):
2390         * dfg/DFGJITCompiler.h:
2391         (JSC::DFG::JITCompiler::addInById):
2392         (JSC::DFG::InRecord::InRecord): Deleted.
2393         (JSC::DFG::JITCompiler::addIn): Deleted.
2394         * dfg/DFGNode.h:
2395         (JSC::DFG::Node::convertToInById):
2396         (JSC::DFG::Node::hasIdentifier):
2397         (JSC::DFG::Node::hasArrayMode):
2398         * dfg/DFGNodeType.h:
2399         * dfg/DFGPredictionPropagationPhase.cpp:
2400         * dfg/DFGSafeToExecute.h:
2401         (JSC::DFG::safeToExecute):
2402         * dfg/DFGSpeculativeJIT.cpp:
2403         (JSC::DFG::SpeculativeJIT::compileInById):
2404         (JSC::DFG::SpeculativeJIT::compileInByVal):
2405         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2406         * dfg/DFGSpeculativeJIT.h:
2407         * dfg/DFGSpeculativeJIT32_64.cpp:
2408         (JSC::DFG::SpeculativeJIT::compile):
2409         * dfg/DFGSpeculativeJIT64.cpp:
2410         (JSC::DFG::SpeculativeJIT::compile):
2411         * ftl/FTLCapabilities.cpp:
2412         (JSC::FTL::canCompile):
2413         * ftl/FTLLowerDFGToB3.cpp:
2414         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2415         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2416         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2417         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2418         * jit/ICStats.h:
2419         * jit/JIT.cpp:
2420         (JSC::JIT::JIT):
2421         (JSC::JIT::privateCompileMainPass):
2422         (JSC::JIT::privateCompileSlowCases):
2423         (JSC::JIT::link):
2424         * jit/JIT.h:
2425         * jit/JITInlineCacheGenerator.cpp:
2426         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2427         (JSC::JITInByIdGenerator::generateFastPath):
2428         * jit/JITInlineCacheGenerator.h:
2429         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2430         * jit/JITOperations.cpp:
2431         * jit/JITOperations.h:
2432         * jit/JITPropertyAccess.cpp:
2433         (JSC::JIT::emit_op_in_by_id):
2434         (JSC::JIT::emitSlow_op_in_by_id):
2435         * jit/JITPropertyAccess32_64.cpp:
2436         (JSC::JIT::emit_op_in_by_id):
2437         (JSC::JIT::emitSlow_op_in_by_id):
2438         * jit/Repatch.cpp:
2439         (JSC::tryCacheInByID):
2440         (JSC::repatchInByID):
2441         (JSC::resetInByID):
2442         (JSC::tryCacheIn): Deleted.
2443         (JSC::repatchIn): Deleted.
2444         (JSC::resetIn): Deleted.
2445         * jit/Repatch.h:
2446         * llint/LowLevelInterpreter.asm:
2447         * llint/LowLevelInterpreter64.asm:
2448         * parser/NodeConstructors.h:
2449         (JSC::InNode::InNode):
2450         * runtime/CommonSlowPaths.cpp:
2451         (JSC::SLOW_PATH_DECL):
2452         * runtime/CommonSlowPaths.h:
2453         (JSC::CommonSlowPaths::opInByVal):
2454         (JSC::CommonSlowPaths::opIn): Deleted.
2455
2456 2018-05-18  Commit Queue  <commit-queue@webkit.org>
2457
2458         Unreviewed, rolling out r231982.
2459         https://bugs.webkit.org/show_bug.cgi?id=185793
2460
2461         Caused layout test failures (Requested by realdawei on
2462         #webkit).
2463
2464         Reverted changeset:
2465
2466         "Complete fix for enabling modern EME by default"
2467         https://bugs.webkit.org/show_bug.cgi?id=185770
2468         https://trac.webkit.org/changeset/231982
2469
2470 2018-05-18  Keith Miller  <keith_miller@apple.com>
2471
2472         op_in should mark if it sees out of bounds accesses
2473         https://bugs.webkit.org/show_bug.cgi?id=185792
2474
2475         Reviewed by Filip Pizlo.
2476
2477         This used to cause us to OSR loop since we would always speculate that
2478         we were in bounds in HasIndexedProperty.
2479
2480         * bytecode/ArrayProfile.cpp:
2481         (JSC::ArrayProfile::observeIndexedRead):
2482         * bytecode/ArrayProfile.h:
2483         * runtime/CommonSlowPaths.h:
2484         (JSC::CommonSlowPaths::opIn):
2485
2486 2018-05-18  Mark Lam  <mark.lam@apple.com>
2487
2488         Add missing exception check.
2489         https://bugs.webkit.org/show_bug.cgi?id=185786
2490         <rdar://problem/35686560>
2491
2492         Reviewed by Michael Saboff.
2493
2494         * runtime/JSPropertyNameEnumerator.h:
2495         (JSC::propertyNameEnumerator):
2496
2497 2018-05-18  Jer Noble  <jer.noble@apple.com>
2498
2499         Complete fix for enabling modern EME by default
2500         https://bugs.webkit.org/show_bug.cgi?id=185770
2501         <rdar://problem/40368220>
2502
2503         Reviewed by Eric Carlson.
2504
2505         * Configurations/FeatureDefines.xcconfig:
2506
2507 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2508
2509         Unreviewed, fix exception checking, part 2
2510         https://bugs.webkit.org/show_bug.cgi?id=185350
2511
2512         * dfg/DFGOperations.cpp:
2513         (JSC::DFG::putByValInternal):
2514         * jit/JITOperations.cpp:
2515         * runtime/CommonSlowPaths.h:
2516         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2517
2518 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
2519
2520         JSC should have InstanceOf inline caching
2521         https://bugs.webkit.org/show_bug.cgi?id=185652
2522
2523         Reviewed by Saam Barati.
2524         
2525         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
2526         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
2527         too many cases, we emit the generic instanceof implementation instead.
2528         
2529         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
2530         abstraction.
2531         
2532         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
2533         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
2534
2535         * API/tests/testapi.mm:
2536         (testObjectiveCAPIMain):
2537         * JavaScriptCore.xcodeproj/project.pbxproj:
2538         * Sources.txt:
2539         * b3/B3Effects.h:
2540         (JSC::B3::Effects::forReadOnlyCall):
2541         * bytecode/AccessCase.cpp:
2542         (JSC::AccessCase::guardedByStructureCheck const):
2543         (JSC::AccessCase::canReplace const):
2544         (JSC::AccessCase::visitWeak const):
2545         (JSC::AccessCase::generateWithGuard):
2546         (JSC::AccessCase::generateImpl):
2547         * bytecode/AccessCase.h:
2548         * bytecode/InstanceOfAccessCase.cpp: Added.
2549         (JSC::InstanceOfAccessCase::create):
2550         (JSC::InstanceOfAccessCase::dumpImpl const):
2551         (JSC::InstanceOfAccessCase::clone const):
2552         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
2553         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
2554         * bytecode/InstanceOfAccessCase.h: Added.
2555         (JSC::InstanceOfAccessCase::prototype const):
2556         * bytecode/ObjectPropertyCondition.h:
2557         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
2558         (JSC::ObjectPropertyCondition::hasPrototype):
2559         * bytecode/ObjectPropertyConditionSet.cpp:
2560         (JSC::generateConditionsForInstanceOf):
2561         * bytecode/ObjectPropertyConditionSet.h:
2562         * bytecode/PolymorphicAccess.cpp:
2563         (JSC::PolymorphicAccess::addCases):
2564         (JSC::PolymorphicAccess::regenerate):
2565         (WTF::printInternal):
2566         * bytecode/PropertyCondition.cpp:
2567         (JSC::PropertyCondition::dumpInContext const):
2568         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2569         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2570         (WTF::printInternal):
2571         * bytecode/PropertyCondition.h:
2572         (JSC::PropertyCondition::absenceWithoutBarrier):
2573         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2574         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2575         (JSC::PropertyCondition::hasPrototype):
2576         (JSC::PropertyCondition::hasPrototype const):
2577         (JSC::PropertyCondition::prototype const):
2578         (JSC::PropertyCondition::hash const):
2579         (JSC::PropertyCondition::operator== const):
2580         * bytecode/StructureStubInfo.cpp:
2581         (JSC::StructureStubInfo::StructureStubInfo):
2582         (JSC::StructureStubInfo::reset):
2583         * bytecode/StructureStubInfo.h:
2584         (JSC::StructureStubInfo::considerCaching):
2585         * dfg/DFGByteCodeParser.cpp:
2586         (JSC::DFG::ByteCodeParser::parseBlock):
2587         * dfg/DFGFixupPhase.cpp:
2588         (JSC::DFG::FixupPhase::fixupNode):
2589         * dfg/DFGInlineCacheWrapper.h:
2590         * dfg/DFGInlineCacheWrapperInlines.h:
2591         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
2592         * dfg/DFGJITCompiler.cpp:
2593         (JSC::DFG::JITCompiler::link):
2594         * dfg/DFGJITCompiler.h:
2595         (JSC::DFG::JITCompiler::addInstanceOf):
2596         * dfg/DFGOperations.cpp:
2597         * dfg/DFGSpeculativeJIT.cpp:
2598         (JSC::DFG::SpeculativeJIT::usedRegisters):
2599         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
2600         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2601         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
2602         * dfg/DFGSpeculativeJIT.h:
2603         * dfg/DFGSpeculativeJIT64.cpp:
2604         (JSC::DFG::SpeculativeJIT::cachedGetById):
2605         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2606         * ftl/FTLLowerDFGToB3.cpp:
2607         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2608         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2609         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
2610         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2611         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2612         (JSC::FTL::DFG::LowerDFGToB3::getById):
2613         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
2614         * jit/ICStats.h:
2615         * jit/JIT.cpp:
2616         (JSC::JIT::privateCompileSlowCases):
2617         (JSC::JIT::link):
2618         * jit/JIT.h:
2619         * jit/JITInlineCacheGenerator.cpp:
2620         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2621         (JSC::JITInlineCacheGenerator::finalize):
2622         (JSC::JITByIdGenerator::JITByIdGenerator):
2623         (JSC::JITByIdGenerator::finalize):
2624         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2625         (JSC::JITInstanceOfGenerator::generateFastPath):
2626         (JSC::JITInstanceOfGenerator::finalize):
2627         * jit/JITInlineCacheGenerator.h:
2628         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
2629         (JSC::JITInlineCacheGenerator::slowPathBegin const):
2630         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2631         (JSC::finalizeInlineCaches):
2632         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
2633         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
2634         * jit/JITOpcodes.cpp:
2635         (JSC::JIT::emit_op_instanceof):
2636         (JSC::JIT::emitSlow_op_instanceof):
2637         * jit/JITOperations.cpp:
2638         * jit/JITOperations.h:
2639         * jit/JITPropertyAccess.cpp:
2640         (JSC::JIT::privateCompileGetByValWithCachedId):
2641         (JSC::JIT::privateCompilePutByValWithCachedId):
2642         * jit/RegisterSet.cpp:
2643         (JSC::RegisterSet::stubUnavailableRegisters):
2644         * jit/Repatch.cpp:
2645         (JSC::tryCacheIn):
2646         (JSC::tryCacheInstanceOf):
2647         (JSC::repatchInstanceOf):
2648         (JSC::resetPatchableJump):
2649         (JSC::resetIn):
2650         (JSC::resetInstanceOf):
2651         * jit/Repatch.h:
2652         * runtime/Options.h:
2653         * runtime/Structure.h:
2654
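The two InstanceOf entries above (the polymorphic IC that caches hits and misses, and the DFG inlining of those ICs into MatchStructure / CheckStructure) both rely on the cached answer staying valid. The checks below are an added example, not JavaScriptCore code: they exercise the ECMAScript behaviours any instanceof fast path has to keep honouring, on any conformant engine. Cases 2 to 4 are the ones where a result keyed only on the left-hand object's structure would go stale, which is what the prototype conditions in the IC exist to guard against.

```javascript
// Added example (not JSC code): the ECMAScript behaviours an instanceof inline
// cache has to keep honouring. A cache keyed only on the left-hand object's
// structure is not enough; cases 2-4 show where a stale entry would give a
// wrong answer, which is what the prototype conditions in the IC guard against.

class Base {}
class Derived extends Base {}

// 1. Plain hit and miss along the prototype chain; both results are cacheable.
function plainHitAndMiss() {
  const d = new Derived();
  return { hit: d instanceof Base, miss: d instanceof Array };
}

// 2. Reassigning C.prototype flips the answer for an existing object even
//    though the object itself (and so its structure) is unchanged.
function prototypeReassignment() {
  function C() {}
  const early = new C();
  const before = early instanceof C;
  C.prototype = {};                       // later instances get the new prototype
  return { before, after: early instanceof C, fresh: new C() instanceof C };
}

// 3. Changing the object's own [[Prototype]] also invalidates a cached hit.
function prototypeMutation() {
  const o = new Derived();
  const before = o instanceof Derived;
  Object.setPrototypeOf(o, null);
  return { before, after: o instanceof Derived };
}

// 4. A right-hand side with Symbol.hasInstance bypasses the prototype walk,
//    so the fast path must only apply to ordinary functions without it.
function customHasInstance() {
  const anything = { [Symbol.hasInstance]: () => true };
  return 42 instanceof anything;          // true, although 42 is a primitive
}

// 5. Primitive on the left is always false; a non-callable right-hand side
//    without Symbol.hasInstance is a TypeError rather than false.
function primitiveAndNonCallable() {
  let threw = false;
  try {
    ({}) instanceof {};
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { primitive: 1 instanceof Number, nonCallableThrows: threw };
}
```

Run it with any engine (for example `node` or the `jsc` shell); each function returns the observed answers so they can be compared against the expected spec results. Case 2 is the one a structure-only cache gets wrong: the object's structure never changes, only the constructor's prototype property does.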
2655 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2656
2657         Unreviewed, fix exception checking
2658         https://bugs.webkit.org/show_bug.cgi?id=185350
2659
2660         * runtime/CommonSlowPaths.h:
2661         (JSC::CommonSlowPaths::putDirectWithReify):
2662         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2663
2664 2018-05-17  Michael Saboff  <msaboff@apple.com>
2665
2666         We don't throw SyntaxErrors for runtime generated regular expressions with errors
2667         https://bugs.webkit.org/show_bug.cgi?id=185755
2668
2669         Reviewed by Keith Miller.
2670
2671         Added a new helper that creates the correct exception to throw for each type of error when
2672         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
2673         where we create a new RegExp from an existing one.  Also refactored other places where we
2674         throw SyntaxErrors after a failed RegExp compile to use the new helper.
2675
2676         * runtime/RegExp.h:
2677         * runtime/RegExpConstructor.cpp:
2678         (JSC::regExpCreate):
2679         (JSC::constructRegExp):
2680         * runtime/RegExpPrototype.cpp:
2681         (JSC::regExpProtoFuncCompile):
2682         * yarr/YarrErrorCode.cpp:
2683         (JSC::Yarr::errorToThrow):
2684         * yarr/YarrErrorCode.h:
2685
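The entry above fixes RegExps built at runtime that failed to compile without a SyntaxError being thrown. The following is an added example, not JavaScriptCore code: it spells out the runtime-generated paths the entry mentions (constructing from an existing RegExp, RegExp.prototype.compile) as checks against ECMAScript semantics, so they can be run against any engine. All inputs are constructed inline.

```javascript
// Added example (not JSC code): the runtime-generated RegExp paths that must
// raise SyntaxError under ECMAScript, including the "new RegExp from an
// existing one" and RegExp.prototype.compile cases this entry is about.
// Runs on any conformant engine (node, jsc); the inputs are constructed here.

function throwsSyntaxError(fn) {
  try {
    fn();
    return false;                          // no exception at all
  } catch (e) {
    return e instanceof SyntaxError;       // wrong exception type also fails
  }
}

// Bad pattern text passed straight to the constructor.
function badPatternViaConstructor() {
  return throwsSyntaxError(() => new RegExp("("));   // unterminated group
}

// Constructing from an existing RegExp but with explicit, invalid flags:
// the pattern is copied from the source, the flags must still be validated.
function badFlagsFromExistingRegExp() {
  return throwsSyntaxError(() => new RegExp(/a/, "gg"));   // duplicate flag
}

// Annex B RegExp.prototype.compile reinitialises the object in place and
// goes through the same parse, so it must throw the same way.
function badPatternViaCompile() {
  const re = /a/;
  return throwsSyntaxError(() => re.compile("["));   // unterminated class
}

// The valid form of the same path: flags omitted are copied from the source.
function cloneKeepsFlags() {
  return new RegExp(/a/gi).flags;          // "gi"
}

// The u flag tightens the grammar: a lone "{" is literal without it and a
// SyntaxError with it, so a check has to look at pattern and flags together.
function loneBraceDependsOnUnicodeFlag() {
  return {
    withoutU: throwsSyntaxError(() => new RegExp("{")),
    withU: throwsSyntaxError(() => new RegExp("{", "u")),
  };
}
```

Each function returns true when the engine throws the expected SyntaxError (and only that type), so a silent success or a different exception shows up as a failed check rather than passing unnoticed.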
2686 2018-05-17  Saam Barati  <sbarati@apple.com>
2687
2688         Remove shrinkFootprint test from apitests since it's flaky
2689         https://bugs.webkit.org/show_bug.cgi?id=185754
2690
2691         Reviewed by Mark Lam.
2692
2693         This test is flaky as it keeps failing on certain people's machines.
2694         Having a test about OS footprint seems like it'll forever be doomed
2695         to being flaky.
2696
2697         * API/tests/testapi.mm:
2698         (testObjectiveCAPIMain):
2699
2700 2018-05-17  Saam Barati  <sbarati@apple.com>
2701
2702         defaultConstructorSourceCode needs to makeSource every time it's called
2703         https://bugs.webkit.org/show_bug.cgi?id=185753
2704
2705         Rubber-stamped by Mark Lam.
2706
2707         The bug here is that multiple VMs can be running concurrently with one another
2708         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
2709         if we copy a static SourceCode. Instead, we create a new one each time
2710         this function is called.
2711
2712         * builtins/BuiltinExecutables.cpp:
2713         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2714
2715 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2716
2717         [JSC] Use AssemblyHelpers' type checking functions as much as possible
2718         https://bugs.webkit.org/show_bug.cgi?id=185730
2719
2720         Reviewed by Saam Barati.
2721
2722         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
2723         bit and register operations for the type tagging of JSValue. It is really useful when we would like
2724         to tweak the type tagging representation, since the code is collected in AssemblyHelpers. And
2725         the named functions are more readable than a series of branching operations.
2726
2727         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicates
2728         of AssemblyHelpers' ones.
2729
2730         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
2731         functions even for the 32bit environment. In the 32bit environment, these functions take the tag register.
2732         These semantics are aligned with the existing branchIfCell / branchIfNotCell.
2733
2734         * bytecode/AccessCase.cpp:
2735         (JSC::AccessCase::generateWithGuard):
2736         * dfg/DFGSpeculativeJIT.cpp:
2737         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2738         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2739         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2740         (JSC::DFG::SpeculativeJIT::compileSpread):
2741         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2742         (JSC::DFG::SpeculativeJIT::speculateCellType):
2743         (JSC::DFG::SpeculativeJIT::speculateNumber):
2744         (JSC::DFG::SpeculativeJIT::speculateMisc):
2745         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
2746         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2747         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2748         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2749         * dfg/DFGSpeculativeJIT32_64.cpp:
2750         (JSC::DFG::SpeculativeJIT::emitCall):
2751         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2752         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2753         (JSC::DFG::SpeculativeJIT::compile):
2754         * dfg/DFGSpeculativeJIT64.cpp:
2755         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2756         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2757         (JSC::DFG::SpeculativeJIT::emitCall):
2758         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2759         (JSC::DFG::SpeculativeJIT::compile):
2760         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2761         * ftl/FTLLowerDFGToB3.cpp:
2762         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2763         * jit/AssemblyHelpers.h:
2764         (JSC::AssemblyHelpers::branchIfInt32):
2765         (JSC::AssemblyHelpers::branchIfNotInt32):
2766         (JSC::AssemblyHelpers::branchIfNumber):
2767         (JSC::AssemblyHelpers::branchIfNotNumber):
2768         (JSC::AssemblyHelpers::branchIfBoolean):
2769         (JSC::AssemblyHelpers::branchIfNotBoolean):
2770         (JSC::AssemblyHelpers::branchIfEmpty):
2771         (JSC::AssemblyHelpers::branchIfNotEmpty):
2772         (JSC::AssemblyHelpers::branchIfUndefined):
2773         (JSC::AssemblyHelpers::branchIfNotUndefined):
2774         (JSC::AssemblyHelpers::branchIfNull):
2775         (JSC::AssemblyHelpers::branchIfNotNull):
2776         * jit/JIT.h:
2777         * jit/JITArithmetic.cpp:
2778         (JSC::JIT::emit_compareAndJump):
2779         (JSC::JIT::emit_compareAndJumpSlow):
2780         * jit/JITArithmetic32_64.cpp:
2781         (JSC::JIT::emit_compareAndJump):
2782         (JSC::JIT::emit_op_unsigned):
2783         (JSC::JIT::emit_op_inc):
2784         (JSC::JIT::emit_op_dec):
2785         (JSC::JIT::emitBinaryDoubleOp):
2786         (JSC::JIT::emit_op_mod):
2787         * jit/JITCall.cpp:
2788         (JSC::JIT::compileCallEval):
2789         (JSC::JIT::compileOpCall):
2790         * jit/JITCall32_64.cpp:
2791         (JSC::JIT::compileCallEval):
2792         (JSC::JIT::compileOpCall):
2793         * jit/JITInlines.h:
2794         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
2795         (JSC::JIT::emitJumpIfBothJSCells):
2796         (JSC::JIT::emitJumpSlowCaseIfJSCell):
2797         (JSC::JIT::emitJumpIfNotInt):
2798         (JSC::JIT::emitJumpSlowCaseIfNotInt):
2799         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
2800         (JSC::JIT::emitJumpIfCellObject): Deleted.
2801         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
2802         (JSC::JIT::emitJumpIfJSCell): Deleted.
2803         (JSC::JIT::emitJumpIfInt): Deleted.
2804         * jit/JITOpcodes.cpp:
2805         (JSC::JIT::emit_op_instanceof):
2806         (JSC::JIT::emit_op_is_undefined):
2807         (JSC::JIT::emit_op_is_cell_with_type):
2808         (JSC::JIT::emit_op_is_object):
2809         (JSC::JIT::emit_op_to_primitive):
2810         (JSC::JIT::emit_op_jeq_null):
2811         (JSC::JIT::emit_op_jneq_null):
2812         (JSC::JIT::compileOpStrictEq):
2813         (JSC::JIT::compileOpStrictEqJump):
2814         (JSC::JIT::emit_op_to_number):
2815         (JSC::JIT::emit_op_to_string):
2816         (JSC::JIT::emit_op_to_object):
2817         (JSC::JIT::emit_op_eq_null):
2818         (JSC::JIT::emit_op_neq_null):
2819         (JSC::JIT::emit_op_to_this):
2820         (JSC::JIT::emit_op_create_this):
2821         (JSC::JIT::emit_op_check_tdz):
2822         (JSC::JIT::emitNewFuncExprCommon):
2823         (JSC::JIT::emit_op_profile_type):
2824         * jit/JITOpcodes32_64.cpp:
2825         (JSC::JIT::emit_op_instanceof):
2826         (JSC::JIT::emit_op_is_undefined):
2827         (JSC::JIT::emit_op_is_cell_with_type):
2828         (JSC::JIT::emit_op_is_object):
2829         (JSC::JIT::emit_op_to_primitive):
2830         (JSC::JIT::emit_op_not):
2831         (JSC::JIT::emit_op_jeq_null):
2832         (JSC::JIT::emit_op_jneq_null):
2833         (JSC::JIT::emit_op_jneq_ptr):
2834         (JSC::JIT::emit_op_eq):
2835         (JSC::JIT::emit_op_jeq):
2836         (JSC::JIT::emit_op_neq):
2837         (JSC::JIT::emit_op_jneq):
2838         (JSC::JIT::compileOpStrictEq):
2839         (JSC::JIT::compileOpStrictEqJump):
2840         (JSC::JIT::emit_op_eq_null):
2841         (JSC::JIT::emit_op_neq_null):
2842         (JSC::JIT::emit_op_to_number):
2843         (JSC::JIT::emit_op_to_string):
2844         (JSC::JIT::emit_op_to_object):
2845         (JSC::JIT::emit_op_create_this):
2846         (JSC::JIT::emit_op_to_this):
2847         (JSC::JIT::emit_op_check_tdz):
2848         (JSC::JIT::emit_op_profile_type):
2849         * jit/JITPropertyAccess.cpp:
2850         (JSC::JIT::emit_op_get_by_val):
2851         (JSC::JIT::emitGetByValWithCachedId):
2852         (JSC::JIT::emitGenericContiguousPutByVal):
2853         (JSC::JIT::emitPutByValWithCachedId):
2854         (JSC::JIT::emit_op_get_from_scope):
2855         (JSC::JIT::emit_op_put_to_scope):
2856         (JSC::JIT::emitWriteBarrier):
2857         (JSC::JIT::emitIntTypedArrayPutByVal):
2858         (JSC::JIT::emitFloatTypedArrayPutByVal):
2859         * jit/JITPropertyAccess32_64.cpp:
2860         (JSC::JIT::emit_op_get_by_val):
2861         (JSC::JIT::emitContiguousLoad):
2862         (JSC::JIT::emitArrayStorageLoad):
2863         (JSC::JIT::emitGetByValWithCachedId):
2864         (JSC::JIT::emitGenericContiguousPutByVal):
2865         (JSC::JIT::emitPutByValWithCachedId):
2866         (JSC::JIT::emit_op_get_from_scope):
2867         (JSC::JIT::emit_op_put_to_scope):
2868         * jit/JSInterfaceJIT.h:
2869         (JSC::JSInterfaceJIT::emitLoadJSCell):
2870         (JSC::JSInterfaceJIT::emitLoadInt32):
2871         (JSC::JSInterfaceJIT::emitLoadDouble):
2872         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
2873         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
2874         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
2875         * jit/Repatch.cpp:
2876         (JSC::linkPolymorphicCall):
2877         * jit/ThunkGenerators.cpp:
2878         (JSC::virtualThunkFor):
2879         (JSC::absThunkGenerator):
2880         * tools/JSDollarVM.cpp:
2881         (WTF::DOMJITNode::checkSubClassSnippet):
2882         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2883
2884 2018-05-17  Saam Barati  <sbarati@apple.com>
2885
2886         Unreviewed. Fix the build after my attempted build fix broke the build.
2887
2888         * builtins/BuiltinExecutables.cpp:
2889         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2890         (JSC::BuiltinExecutables::createDefaultConstructor):
2891         * builtins/BuiltinExecutables.h:
2892
2893 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2894
2895         [JSC] Remove reifyPropertyNameIfNeeded
2896         https://bugs.webkit.org/show_bug.cgi?id=185350
2897
2898         Reviewed by Saam Barati.
2899
        reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
        This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
        cost, we should remove this from the critical path.

        This patch removes this function call from the critical path. And in our slow paths, we call
        helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
        While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
        and handles the edge cases. The other callsites of putDirect should know the type of the given
        object and the name of the property (and avoid these edge cases).
2909
2910         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
2911         regressions of the existing tests.
2912
2913                                            baseline                  patched
2914         Kraken:
2915             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
2916
2917         SixSpeed:
2918             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
2919
2920         * dfg/DFGOperations.cpp:
2921         (JSC::DFG::putByValInternal):
2922         (JSC::DFG::putByValCellInternal):
2923         * jit/JITOperations.cpp:
2924         * llint/LLIntSlowPaths.cpp:
2925         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2926         * runtime/ClassInfo.h:
2927         * runtime/CommonSlowPaths.h:
2928         (JSC::CommonSlowPaths::putDirectWithReify):
2929         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2930         * runtime/JSCell.cpp:
2931         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
2932         * runtime/JSCell.h:
2933         * runtime/JSFunction.cpp:
2934         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
2935         * runtime/JSFunction.h:
2936         * runtime/JSObject.cpp:
2937         (JSC::JSObject::putDirectAccessor):
2938         (JSC::JSObject::putDirectNonIndexAccessor):
2939         * runtime/JSObject.h:
2940         * runtime/JSObjectInlines.h:
2941         (JSC::JSObject::putDirectInternal):
2942
2943 2018-05-17  Saam Barati  <sbarati@apple.com>
2944
2945         Unreviewed. Try to fix windows build.
2946
2947         * builtins/BuiltinExecutables.cpp:
2948         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2949
2950 2018-05-16  Saam Barati  <sbarati@apple.com>
2951
2952         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
2953         https://bugs.webkit.org/show_bug.cgi?id=185637
2954
2955         Reviewed by Keith Miller.
2956
2957         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
2958         source code. However, we were only using this for default class constructors. There
2959         are only two types of default class constructors. This patch makes it so that
2960         we just store this information inside of a single bit, and ask for the source
2961         code as needed instead of holding it in a nullable field that is 24 bytes in size.
2962         
2963         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
2964         This has the consequence of making it allocated out of a 160 byte size class
2965         instead of a 224 byte size class. This should bring down its memory footprint
2966         by ~40%.
2967
2968         * builtins/BuiltinExecutables.cpp:
2969         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2970         (JSC::BuiltinExecutables::createDefaultConstructor):
2971         (JSC::BuiltinExecutables::createExecutable):
2972         * builtins/BuiltinExecutables.h:
2973         * bytecode/UnlinkedFunctionExecutable.cpp:
2974         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2975         (JSC::UnlinkedFunctionExecutable::link):
2976         * bytecode/UnlinkedFunctionExecutable.h:
2977         * runtime/CodeCache.cpp:
2978         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2979
2980 2018-05-16  Saam Barati  <sbarati@apple.com>
2981
2982         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
2983         https://bugs.webkit.org/show_bug.cgi?id=185707
2984
2985         Reviewed by Mark Lam.
2986
2987         * runtime/VM.cpp:
2988         (JSC::VM::shrinkFootprint):
2989
2990 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
2991
2992         [ESNext][BigInt] Implement support for "/" operation
2993         https://bugs.webkit.org/show_bug.cgi?id=183996
2994
2995         Reviewed by Yusuke Suzuki.
2996
        This patch is introducing the support for BigInt into the divide
        operation in the LLInt and JIT layers.
2999
3000         * dfg/DFGOperations.cpp:
3001         * runtime/CommonSlowPaths.cpp:
3002         (JSC::SLOW_PATH_DECL):
3003         * runtime/JSBigInt.cpp:
3004         (JSC::JSBigInt::divide):
3005         (JSC::JSBigInt::copy):
3006         (JSC::JSBigInt::unaryMinus):
3007         (JSC::JSBigInt::absoluteCompare):
3008         (JSC::JSBigInt::absoluteDivLarge):
3009         (JSC::JSBigInt::productGreaterThan):
3010         (JSC::JSBigInt::inplaceAdd):
3011         (JSC::JSBigInt::inplaceSub):
3012         (JSC::JSBigInt::inplaceRightShift):
3013         (JSC::JSBigInt::specialLeftShift):
3014         (JSC::JSBigInt::digit):
3015         (JSC::JSBigInt::setDigit):
3016         * runtime/JSBigInt.h:
3017
3018 2018-05-16  Saam Barati  <sbarati@apple.com>
3019
3020         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
3021         https://bugs.webkit.org/show_bug.cgi?id=185670
3022
3023         Reviewed by Yusuke Suzuki.
3024
3025         This patch makes it so that we constant fold CheckTypeInfoFlags for
3026         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
3027         fold in three ways:
3028         - When the incoming value is a constant, we just look at its inline type
3029         flags. Since those flags never change after an object is created, this
3030         is sound.
3031         - Based on the incoming value having a finite structure set. We just iterate
3032         all structures and ensure they have the bit set.
3033         - Based on speculated type. To do this, I split up SpecFunction into two
3034         subheaps where one is for functions that have the bit set, and one for
3035         functions that don't have the bit set. The latter is currently only comprised
3036         of JSBoundFunctions. To constant fold, we check that the incoming
3037         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
3038
3039         * bytecode/SpeculatedType.cpp:
3040         (JSC::speculationFromClassInfo):
3041         * bytecode/SpeculatedType.h:
3042         * dfg/DFGAbstractInterpreterInlines.h:
3043         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3044         * dfg/DFGConstantFoldingPhase.cpp:
3045         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3046         * dfg/DFGSpeculativeJIT.cpp:
3047         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
3048         * dfg/DFGStrengthReductionPhase.cpp:
3049         (JSC::DFG::StrengthReductionPhase::handleNode):
3050         * runtime/JSFunction.cpp:
3051         (JSC::JSFunction::JSFunction):
3052         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3053         * runtime/JSFunction.h:
3054         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3055         * runtime/JSFunctionInlines.h:
3056         (JSC::JSFunction::JSFunction):
3057
3058 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
3059
3060         Web Inspector: create a navigation item for toggling the overlay rulers/guides
3061         https://bugs.webkit.org/show_bug.cgi?id=185644
3062
3063         Reviewed by Matt Baker.
3064
3065         * inspector/protocol/OverlayTypes.json:
3066         * inspector/protocol/Page.json:
3067
3068 2018-05-16  Commit Queue  <commit-queue@webkit.org>
3069
3070         Unreviewed, rolling out r231845.
3071         https://bugs.webkit.org/show_bug.cgi?id=185702
3072
3073         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
3074         caiolima on #webkit).
3075
3076         Reverted changeset:
3077
3078         "[ESNext][BigInt] Implement support for "/" operation"
3079         https://bugs.webkit.org/show_bug.cgi?id=183996
3080         https://trac.webkit.org/changeset/231845
3081
3082 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
3083
3084         DFG models InstanceOf incorrectly
3085         https://bugs.webkit.org/show_bug.cgi?id=185694
3086
3087         Reviewed by Keith Miller.
3088         
3089         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
3090         hoist it.
3091
3092         * dfg/DFGAbstractInterpreterInlines.h:
3093         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3094         * dfg/DFGClobberize.h:
3095         (JSC::DFG::clobberize):
3096         * dfg/DFGHeapLocation.cpp:
3097         (WTF::printInternal):
3098         * dfg/DFGHeapLocation.h:
3099         * dfg/DFGNodeType.h:
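
        The two hazards this entry names, shown from JavaScript as an added example that is not
        JavaScriptCore code: a Proxy on either side of instanceof makes the operation observable
        (its traps run even when the result is discarded, so deleting it as dead code would drop
        those effects), and a throwing trap makes the check throw (so hoisting it above a guard
        would surface an exception the program never raised). Base, makeTrace and the log format
        are this example's own.

```javascript
"use strict";

// Added example, not JavaScriptCore code: `instanceof` is observable and can throw when a
// Proxy sits on either side. The left operand's prototype chain is walked with
// [[GetPrototypeOf]] (a Proxy's getPrototypeOf trap), and the right operand is first asked
// for Symbol.hasInstance and then "prototype" (a Proxy's get trap). Any trap may throw.
// `Base`, `makeTrace` and the log format are this example's own.

function Base() {}

function makeTrace() {
  const log = [];
  const lhs = new Proxy(Object.create(Base.prototype), {
    getPrototypeOf(target) {
      log.push("getPrototypeOf");
      return Reflect.getPrototypeOf(target);
    },
  });
  const rhs = new Proxy(Base, {
    get(target, key, receiver) {
      log.push("get:" + (typeof key === "symbol" ? key.description : key));
      return Reflect.get(target, key, receiver);
    },
  });
  return { log, lhs, rhs };
}

// The result is discarded, as in dead code, yet the traps still run: a compiler that
// modelled InstanceOf as pure and deleted it would silently drop these effects.
function discardedInstanceOf() {
  const { log, lhs, rhs } = makeTrace();
  void (lhs instanceof rhs);
  return log;
}

// A trap that throws makes the check itself throw. If `poisoned instanceof Base` were
// hoisted above the `shouldCheck` guard, the call with shouldCheck === false would throw
// where the source program returns "skipped".
function guardedInstanceOf(shouldCheck) {
  const poisoned = new Proxy({}, {
    getPrototypeOf() {
      throw new TypeError("trap fired");
    },
  });
  if (shouldCheck) return poisoned instanceof Base;
  return "skipped";
}
```

        discardedInstanceOf() returns the trap sequence ["get:Symbol.hasInstance",
        "get:prototype", "getPrototypeOf"], which is exactly the order the spec's
        InstanceofOperator and OrdinaryHasInstance perform those lookups in.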
3100
3101 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
3102
3103         Add support for Intl NumberFormat formatToParts
3104         https://bugs.webkit.org/show_bug.cgi?id=185375
3105
3106         Reviewed by Yusuke Suzuki.
3107
3108         Add flag for NumberFormat formatToParts. Implement formatToParts using
3109         unum_formatDoubleForFields. Because the fields are nested and come back
3110         in no guaranteed order, the simple algorithm to convert them to the
3111         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
3112         it appears to perform well enough for the initial implementation. Another
3113         issue has been created to improve this algorithm.
3114
3115         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
3116         on macOS, since only v57 is available.
3117
3118         * Configurations/FeatureDefines.xcconfig:
3119         * runtime/IntlNumberFormat.cpp:
3120         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
3121         (JSC::IntlNumberFormat::partTypeString):
3122         (JSC::IntlNumberFormat::formatToParts):
3123         * runtime/IntlNumberFormat.h:
3124         * runtime/IntlNumberFormatPrototype.cpp:
3125         (JSC::IntlNumberFormatPrototype::create):
3126         (JSC::IntlNumberFormatPrototype::finishCreation):
3127         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3128         * runtime/IntlNumberFormatPrototype.h:
3129         * runtime/Options.h:
3130
3131 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
3132
3133         [ESNext][BigInt] Implement support for "/" operation
3134         https://bugs.webkit.org/show_bug.cgi?id=183996
3135
3136         Reviewed by Yusuke Suzuki.
3137
        This patch is introducing the support for BigInt into the divide
        operation in the LLInt and JIT layers.
3140
3141         * dfg/DFGOperations.cpp:
3142         * runtime/CommonSlowPaths.cpp:
3143         (JSC::SLOW_PATH_DECL):
3144         * runtime/JSBigInt.cpp:
3145         (JSC::JSBigInt::divide):
3146         (JSC::JSBigInt::copy):
3147         (JSC::JSBigInt::unaryMinus):
3148         (JSC::JSBigInt::absoluteCompare):
3149         (JSC::JSBigInt::absoluteDivLarge):
3150         (JSC::JSBigInt::productGreaterThan):
3151         (JSC::JSBigInt::inplaceAdd):
3152         (JSC::JSBigInt::inplaceSub):
3153         (JSC::JSBigInt::inplaceRightShift):
3154         (JSC::JSBigInt::specialLeftShift):
3155         (JSC::JSBigInt::digit):
3156         (JSC::JSBigInt::setDigit):
3157         * runtime/JSBigInt.h:
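
        As an added example that is not JavaScriptCore code (it serves both landings of this
        patch in this log), a reference implementation of BigInt "/" over little-endian
        16-bit digit arrays, checked against the native operator. It covers the semantics a
        runtime must get right: the quotient is truncated toward zero, a zero divisor throws
        RangeError, and a Number operand throws TypeError. Magnitudes are divided by restoring
        binary long division rather than the Knuth-style routine an engine would use; the
        helper names (toDigits, absCompare, inplaceSub, absDivide, ...) are this example's own.

```javascript
"use strict";

// Added example, not JavaScriptCore code: a reference implementation of BigInt "/" over
// little-endian arrays of 16-bit digits. The quotient is truncated toward zero and a zero
// divisor throws RangeError. Magnitudes are divided with restoring binary long division
// (simpler than a production engine's routine; sign and edge-case handling are the same).
// The helper names (toDigits, absCompare, inplaceSub, absDivide, ...) are this example's own.

const DIGIT_BITS = 16;
const DIGIT_BASE = 1 << DIGIT_BITS;
const DIGIT_MASK = DIGIT_BASE - 1;

// |n| as little-endian digits with no high zero digits; 0n becomes [].
function toDigits(n) {
  let m = n < 0n ? -n : n;
  const digits = [];
  while (m > 0n) {
    digits.push(Number(m & BigInt(DIGIT_MASK)));
    m >>= BigInt(DIGIT_BITS);
  }
  return digits;
}

function fromDigits(digits, negative) {
  let v = 0n;
  for (let i = digits.length - 1; i >= 0; i--) v = (v << BigInt(DIGIT_BITS)) | BigInt(digits[i]);
  return negative ? -v : v;
}

function trim(digits) {
  while (digits.length && digits[digits.length - 1] === 0) digits.pop();
  return digits;
}

// Compare magnitudes: -1, 0 or 1. Lengths decide first because digits are always trimmed.
function absCompare(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  for (let i = a.length - 1; i >= 0; i--) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// a -= b in place, digit by digit with borrow; requires |a| >= |b|.
function inplaceSub(a, b) {
  let borrow = 0;
  for (let i = 0; i < a.length; i++) {
    let d = a[i] - (i < b.length ? b[i] : 0) - borrow;
    borrow = d < 0 ? 1 : 0;
    if (d < 0) d += DIGIT_BASE;
    a[i] = d;
  }
  return trim(a);
}

// digits = digits * 2 + bitIn, in place.
function shiftLeftOne(digits, bitIn) {
  let carry = bitIn;
  for (let i = 0; i < digits.length; i++) {
    const v = (digits[i] << 1) | carry;
    carry = v >> DIGIT_BITS;
    digits[i] = v & DIGIT_MASK;
  }
  if (carry) digits.push(carry);
  return digits;
}

// Quotient of magnitudes |a| / |b| (b non-zero): restoring long division, one bit at a time.
function absDivide(a, b) {
  const quotient = new Array(a.length).fill(0);
  let remainder = [];
  for (let bit = a.length * DIGIT_BITS - 1; bit >= 0; bit--) {
    const index = Math.floor(bit / DIGIT_BITS);
    const shift = bit % DIGIT_BITS;
    remainder = shiftLeftOne(remainder, (a[index] >> shift) & 1);
    if (absCompare(remainder, b) >= 0) {
      inplaceSub(remainder, b);
      quotient[index] |= 1 << shift;
    }
  }
  return trim(quotient);
}

// BigInt "/": both operands must be BigInt (no implicit Number mixing), the divisor must be
// non-zero, and the result is truncated toward zero, so -7n / 2n is -3n, not -4n.
function bigIntDivide(x, y) {
  if (typeof x !== "bigint" || typeof y !== "bigint") throw new TypeError("operands must be BigInt");
  if (y === 0n) throw new RangeError("Division by zero");
  const a = toDigits(x);
  const b = toDigits(y);
  if (absCompare(a, b) < 0) return 0n; // |x| < |y|: quotient is 0n whatever the signs
  const negative = (x < 0n) !== (y < 0n);
  return fromDigits(absDivide(a, b), negative);
}
```

        The sign is decided once from the operands and applied to the magnitude quotient, which
        is what makes truncation toward zero fall out for free; bigIntDivide(-7n, 2n) gives -3n
        and bigIntDivide(1n, 0n) throws RangeError, matching the native operator.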
3158
3159 2018-05-16  Alberto Garcia  <berto@igalia.com>
3160
3161         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3162         https://bugs.webkit.org/show_bug.cgi?id=182622
3163
3164         Reviewed by Michael Catanzaro.
3165
3166         We were linking JavaScriptCore against libatomic in MIPS because
3167         in that architecture __atomic_fetch_add_8() is not a compiler
3168         intrinsic and is provided by that library instead. However other
        architectures (e.g. armel) are in the same situation, so we need a
3170         generic test.
3171
3172         That test already exists in WebKit/CMakeLists.txt, so we just have
3173         to move it to a common file (WebKitCompilerFlags.cmake) and use
3174         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3175
3176         * CMakeLists.txt:
3177
3178 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3179
3180         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
3181         https://bugs.webkit.org/show_bug.cgi?id=185601
3182
3183         Reviewed by Saam Barati.
3184
3185         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
3186         before calling getCallData when we would like to check whether a given object is callable
3187         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
3188         is fine. But if we would like to check whether the object is callable, we can have non
3189         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
3190
3191         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
3192         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
3193         OverridesGetCallData checking before calling getCallData.
3194
        We found that this virtual call exists in JSON.stringify's critical path. Checking
        OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
3197
3198                                                baseline                  patched
3199
3200             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
3201
3202         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
3203         since major cases are covered by this fast JSFunctionType checking.
3204
3205         * API/JSCallbackObject.h:
3206         * dfg/DFGAbstractInterpreterInlines.h:
3207         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3208         * dfg/DFGOperations.cpp:
3209         * dfg/DFGSpeculativeJIT.cpp:
3210         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
3211         (JSC::DFG::SpeculativeJIT::compileIsFunction):
3212         * ftl/FTLLowerDFGToB3.cpp:
3213         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
3214         * jit/AssemblyHelpers.h:
3215         (JSC::AssemblyHelpers::emitTypeOf):
3216         * runtime/ExceptionHelpers.cpp:
3217         (JSC::createError):
3218         (JSC::createInvalidFunctionApplyParameterError):
3219         * runtime/FunctionPrototype.cpp:
3220         (JSC::functionProtoFuncToString):
3221         * runtime/InternalFunction.h:
3222         * runtime/JSCJSValue.h:
3223         * runtime/JSCJSValueInlines.h:
3224         (JSC::JSValue::isFunction const):
3225         (JSC::JSValue::isCallable const):
3226         * runtime/JSCell.h:
3227         * runtime/JSCellInlines.h:
3228         (JSC::JSCell::isFunction):
3229         ALWAYS_INLINE works well for my environment.
3230         (JSC::JSCell::isCallable):
3231         * runtime/JSFunction.h:
3232         * runtime/JSONObject.cpp:
3233         (JSC::Stringifier::toJSON):
3234         (JSC::Stringifier::toJSONImpl):
3235         (JSC::Stringifier::appendStringifiedValue):
3236         * runtime/JSObjectInlines.h:
3237         (JSC::createListFromArrayLike):
3238         * runtime/JSTypeInfo.h:
3239         (JSC::TypeInfo::overridesGetCallData const):
3240         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
3241         * runtime/Operations.cpp:
3242         (JSC::jsTypeStringForValue):
3243         (JSC::jsIsObjectTypeOrNull):
3244         * runtime/ProxyObject.h:
3245         * runtime/RuntimeType.cpp:
3246         (JSC::runtimeTypeForValue):
3247         * runtime/RuntimeType.h:
3248         * runtime/Structure.cpp:
3249         (JSC::Structure::Structure):
3250         * runtime/TypeProfilerLog.cpp:
3251         (JSC::TypeProfilerLog::TypeProfilerLog):
3252         (JSC::TypeProfilerLog::processLogEntries):
3253         * runtime/TypeProfilerLog.h:
3254         * runtime/VM.cpp:
3255         (JSC::VM::enableTypeProfiler):
3256         * tools/JSDollarVM.cpp:
3257         (JSC::functionFindTypeForExpression):
3258         (JSC::functionReturnTypeFor):
3259         (JSC::functionHasBasicBlockExecuted):
3260         (JSC::functionBasicBlockExecutionCount):
3261         * wasm/js/JSWebAssemblyHelpers.h:
3262         (JSC::getWasmBufferFromValue):
3263         * wasm/js/JSWebAssemblyInstance.cpp:
3264         (JSC::JSWebAssemblyInstance::create):
3265         * wasm/js/WebAssemblyFunction.cpp:
3266         (JSC::callWebAssemblyFunction):
3267         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3268         (JSC::constructJSWebAssemblyInstance):
3269         * wasm/js/WebAssemblyModuleRecord.cpp:
3270         (JSC::WebAssemblyModuleRecord::link):
3271         * wasm/js/WebAssemblyPrototype.cpp:
3272         (JSC::webAssemblyInstantiateFunc):
3273         (JSC::webAssemblyInstantiateStreamingInternal):
3274         * wasm/js/WebAssemblyWrapperFunction.cpp:
3275         (JSC::WebAssemblyWrapperFunction::finishCreation):
3276
3277 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
3278
3279         Web Inspector: Add rulers and guides
3280         https://bugs.webkit.org/show_bug.cgi?id=32263
3281         <rdar://problem/19281564>
3282
3283         Reviewed by Matt Baker.
3284
3285         * inspector/protocol/OverlayTypes.json:
3286
3287 2018-05-14  Keith Miller  <keith_miller@apple.com>
3288
3289         Remove butterflyMask from DFGAbstractHeap
3290         https://bugs.webkit.org/show_bug.cgi?id=185640
3291
3292         Reviewed by Saam Barati.
3293
3294         We don't have a butterfly indexing mask anymore so we don't need
3295         the abstract heap information for it anymore.
3296
3297         * dfg/DFGAbstractHeap.h:
3298         * dfg/DFGClobberize.h:
3299         (JSC::DFG::clobberize):
3300
3301 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
3302
3303         [INTL] Handle error in defineProperty for supported locales length
3304         https://bugs.webkit.org/show_bug.cgi?id=185623
3305
3306         Reviewed by Saam Barati.
3307
3308         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
3309         length of the supported locales array.
3310
3311         * runtime/IntlObject.cpp:
3312         (JSC::supportedLocales):
3313
3314 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3315
3316         [JSC] Tweak LiteralParser to improve lexing performance
3317         https://bugs.webkit.org/show_bug.cgi?id=185541
3318
3319         Reviewed by Saam Barati.
3320
        This patch attempts to improve LiteralParser performance.
3322
3323         This patch improves Kraken/json-parse-financial by roughly ~10%.
3324                                            baseline                  patched
3325
3326             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
3327
3328         * parser/Lexer.cpp:
3329         (JSC::Lexer<T>::Lexer):
3330         * runtime/ArgList.h:
3331         (JSC::MarkedArgumentBuffer::takeLast):
3332         Add takeLast() for idiomatic last() + removeLast() calls.
3333
3334         * runtime/LiteralParser.cpp:
3335         (JSC::LiteralParser<CharType>::Lexer::lex):
        Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
        We should not include this mode in its template parameter, to reduce the code size.
        And we do not use a template parameter for the terminator since duplicating the ' and " code for lexString is not good.
        Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
3340
3341         (JSC::LiteralParser<CharType>::Lexer::next):
3342         (JSC::isSafeStringCharacter):
        Take mode in its template parameter. But do not take the terminator character in its template parameter.
3344
3345         (JSC::LiteralParser<CharType>::Lexer::lexString):
3346         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3347         Duplicate while statements manually since this is a critical path.
3348
3349         (JSC::LiteralParser<CharType>::parse):
3350         Use takeLast().
3351
3352         * runtime/LiteralParser.h:
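
        The two lexing techniques this entry describes, as an added example that is not JSC's
        LiteralParser: a table indexed by the token's first character replaces per-punctuator
        switch cases, and lexString scans "safe" characters in a tight loop and only drops to a
        slow path (escape decoding, control-character and unterminated-string rejection) when it
        must. Token kinds, the table layout and the sample input are this example's own.

```javascript
"use strict";

// Added example, not JSC's LiteralParser: a table-driven JSON lexer. A 128-entry table maps a
// token's first character to its kind, so punctuators need no switch cases, and strings take a
// fast path over "safe" characters, falling back to a slow path only at the first escape or bad
// character. Token kinds, the table layout and the sample input are this example's own.

const T = {
  LBrace: "{", RBrace: "}", LBracket: "[", RBracket: "]", Comma: ",", Colon: ":",
  String: "string", Number: "number", True: "true", False: "false", Null: "null",
  EOF: "eof", Error: "error",
};

// Dispatch table indexed by char code; anything unlisted lexes as an error token.
const TOKEN_TABLE = new Array(128).fill(T.Error);
for (const punct of [T.LBrace, T.RBrace, T.LBracket, T.RBracket, T.Comma, T.Colon]) {
  TOKEN_TABLE[punct.charCodeAt(0)] = punct;
}
for (const c of "-0123456789") TOKEN_TABLE[c.charCodeAt(0)] = T.Number;
TOKEN_TABLE['"'.charCodeAt(0)] = T.String;
TOKEN_TABLE["t".charCodeAt(0)] = T.True;
TOKEN_TABLE["f".charCodeAt(0)] = T.False;
TOKEN_TABLE["n".charCodeAt(0)] = T.Null;

// A string character needing no decoding: ASCII, printable, not the terminator or backslash.
function isSafeStringCharacter(code) {
  return code >= 0x20 && code < 0x80 && code !== 0x22 && code !== 0x5c;
}

// `i` is just past the opening quote. Fast path: one scan and one slice, no per-character work.
function lexString(src, i) {
  let j = i;
  while (j < src.length && isSafeStringCharacter(src.charCodeAt(j))) j++;
  if (src.charCodeAt(j) === 0x22) return { kind: T.String, value: src.slice(i, j), end: j + 1 };
  return lexStringSlow(src, i);
}

const ESCAPES = { '"': '"', "\\": "\\", "/": "/", b: "\b", f: "\f", n: "\n", r: "\r", t: "\t" };

// Slow path: decode escapes, reject raw control characters and unterminated strings.
function lexStringSlow(src, i) {
  let out = "";
  let j = i;
  while (j < src.length) {
    const c = src[j];
    if (c === '"') return { kind: T.String, value: out, end: j + 1 };
    if (c === "\\") {
      const e = src[j + 1];
      const hex = src.slice(j + 2, j + 6);
      if (e === "u" && /^[0-9a-fA-F]{4}$/.test(hex)) {
        out += String.fromCharCode(parseInt(hex, 16));
        j += 6;
      } else if (Object.prototype.hasOwnProperty.call(ESCAPES, e)) {
        out += ESCAPES[e];
        j += 2;
      } else {
        return { kind: T.Error, value: "bad escape", end: j };
      }
      continue;
    }
    if (src.charCodeAt(j) < 0x20) return { kind: T.Error, value: "control character in string", end: j };
    out += c;
    j++;
  }
  return { kind: T.Error, value: "unterminated string", end: j };
}

const NUMBER_RE = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?/;

// Lex a whole document into tokens; stops at the first error token.
function lex(src) {
  const tokens = [];
  let i = 0;
  for (;;) {
    while (i < src.length && " \t\r\n".includes(src[i])) i++;
    if (i >= src.length) {
      tokens.push({ kind: T.EOF });
      return tokens;
    }
    const code = src.charCodeAt(i);
    const kind = code < 128 ? TOKEN_TABLE[code] : T.Error;
    let token;
    if (kind === T.String) {
      token = lexString(src, i + 1);
    } else if (kind === T.Number) {
      const m = NUMBER_RE.exec(src.slice(i));
      token = m ? { kind, value: Number(m[0]), end: i + m[0].length } : { kind: T.Error, value: "bad number", end: i };
    } else if (kind === T.True || kind === T.False || kind === T.Null) {
      // The kind doubles as the keyword spelling; verify the rest of it is present.
      token = src.startsWith(kind, i) ? { kind, end: i + kind.length } : { kind: T.Error, value: "bad keyword", end: i };
    } else if (kind === T.Error) {
      token = { kind, value: "unexpected character", end: i };
    } else {
      token = { kind, end: i + 1 }; // single-character punctuator straight from the table
    }
    tokens.push(token);
    if (token.kind === T.Error) return tokens;
    i = token.end;
  }
}
```

        Only strings containing an escape, a control character or a non-ASCII character pay for
        the slow path; everything else is a single scan plus a slice, which is the trade the
        entry describes for lexString / lexStringSlow.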
3353
3354 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
3355
3356         [MIPS] Use btpz to compare against 0 instead of bpeq
3357         https://bugs.webkit.org/show_bug.cgi?id=185607
3358
3359         Reviewed by Yusuke Suzuki.
3360
        Fixes the build on MIPS since MIPS doesn't have an instruction to
        compare a register against an immediate. Since the immediate is just 0
        in this case, the simplest solution is just to use btpz instead of bpeq
        to compare to 0.
3365
3366         * llint/LowLevelInterpreter.asm:
3367
3368 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
3369
3370         CachedCall::call() should be faster
3371         https://bugs.webkit.org/show_bug.cgi?id=185583
3372
3373         Reviewed by Yusuke Suzuki.
3374         
3375         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
3376         Unfortunately, because of a combination of abstraction and assertions, this code path had a
3377         lot of overhead. This patch reduces this overhead by:
3378         
3379         - Turning off some assertions. These assertions don't look to have security value; they're
3380           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
3381           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
3382           call, considering that the caller would have already been strongly assuming that the JSLock
3383           is held.