    The relationship between abstract values and structure transition watchpoints... · eb3323dd
    fpizlo@apple.com authored
    The relationship between abstract values and structure transition watchpoints should be rationalized
    https://bugs.webkit.org/show_bug.cgi?id=94205
    
    Reviewed by Geoffrey Garen.
    
    This patch does a number of things related to the handling of the abstract values
    arising from values with structures known to be watchpointable:
            
    - This rationalizes the relationship between the structure that we know an object
      to have *right now* based on having executed a check against that structure, and
      the structure that we know the object could have *in the future* based on a type
      check executed in the past over a structure that was watchpointable.
            
    - We use the above to assert that structure transition watchpoints are being used
      soundly.
            
    - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint
      whenever possible.
            
    - This rationalizes the handling of CFA over constants that appeared in the bytecode.
      If at compile-time the constant has a watchpointable structure, then we can prove
      what structures it may have in the future. The analysis uses this to both assert
      that structure transition watchpoints are being used correctly, and to find
      opportunities for using them more aggressively.
            
    The net effect of all of these changes is that OSR entry should work more smoothly.
    It may also be a slight win due to strength reductions, though most of those strength
    reductions would have already been done by the parser and the structure check hoister.
    
    * GNUmakefile.list.am:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * dfg/DFGAbstractState.cpp:
    (JSC::DFG::AbstractState::beginBasicBlock):
    (JSC::DFG::AbstractState::execute):
    * dfg/DFGAbstractValue.h:
    (DFG):
    (JSC::DFG::AbstractValue::clear):
    (JSC::DFG::AbstractValue::isClear):
    (JSC::DFG::AbstractValue::makeTop):
    (JSC::DFG::AbstractValue::clobberStructures):
    (JSC::DFG::AbstractValue::isTop):
    (JSC::DFG::AbstractValue::setFuturePossibleStructure):
    (AbstractValue):
    (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
    (JSC::DFG::AbstractValue::setMostSpecific):
    (JSC::DFG::AbstractValue::set):
    (JSC::DFG::AbstractValue::operator==):
    (JSC::DFG::AbstractValue::merge):
    (JSC::DFG::AbstractValue::filter):
    (JSC::DFG::AbstractValue::filterValueByType):
    (JSC::DFG::AbstractValue::validateType):
    (JSC::DFG::AbstractValue::validate):
    (JSC::DFG::AbstractValue::checkConsistency):
    (JSC::DFG::AbstractValue::dump):
    * dfg/DFGArgumentsSimplificationPhase.cpp:
    (JSC::DFG::ArgumentsSimplificationPhase::run):
    * dfg/DFGCSEPhase.cpp:
    (JSC::DFG::CSEPhase::checkStructureLoadElimination):
    (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
    (JSC::DFG::CSEPhase::performNodeCSE):
    * dfg/DFGConstantFoldingPhase.cpp:
    (JSC::DFG::ConstantFoldingPhase::foldConstants):
    * dfg/DFGNode.h:
    (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
    (Node):
    (JSC::DFG::Node::hasStructure):
    * dfg/DFGNodeType.h:
    (DFG):
    * dfg/DFGOSREntry.cpp:
    (JSC::DFG::prepareOSREntry):
    * dfg/DFGPredictionPropagationPhase.cpp:
    (JSC::DFG::PredictionPropagationPhase::propagate):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
    (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint):
    (DFG):
    (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection):
    (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
    (JSC::DFG::SpeculativeJIT::speculateArray):
    * dfg/DFGSpeculativeJIT.h:
    (SpeculativeJIT):
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGStructureAbstractValue.h: Added.
    (DFG):
    (StructureAbstractValue):
    (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
    (JSC::DFG::StructureAbstractValue::clear):
    (JSC::DFG::StructureAbstractValue::makeTop):
    (JSC::DFG::StructureAbstractValue::top):
    (JSC::DFG::StructureAbstractValue::add):
    (JSC::DFG::StructureAbstractValue::addAll):
    (JSC::DFG::StructureAbstractValue::contains):
    (JSC::DFG::StructureAbstractValue::isSubsetOf):
    (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
    (JSC::DFG::StructureAbstractValue::isSupersetOf):
    (JSC::DFG::StructureAbstractValue::filter):
    (JSC::DFG::StructureAbstractValue::isClear):
    (JSC::DFG::StructureAbstractValue::isTop):
    (JSC::DFG::StructureAbstractValue::isClearOrTop):
    (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
    (JSC::DFG::StructureAbstractValue::size):
    (JSC::DFG::StructureAbstractValue::at):
    (JSC::DFG::StructureAbstractValue::operator[]):
    (JSC::DFG::StructureAbstractValue::last):
    (JSC::DFG::StructureAbstractValue::speculationFromStructures):
    (JSC::DFG::StructureAbstractValue::hasSingleton):
    (JSC::DFG::StructureAbstractValue::singleton):
    (JSC::DFG::StructureAbstractValue::operator==):
    (JSC::DFG::StructureAbstractValue::dump):
    (JSC::DFG::StructureAbstractValue::topValue):
    * dfg/DFGStructureCheckHoistingPhase.cpp:
    (JSC::DFG::StructureCheckHoistingPhase::run):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125999 268f45cc-cd09-0410-ab3c-d52691b4dbfc
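
The distinction the commit message draws between the structure known *right now* and the structures possible *in the future*, as an added example that is not code from this commit or from JavaScriptCore. It is a simplified model: `Structure`, `StructureSet`, `setConstant`, `Lowering` and `lowerCheck` are hypothetical names, and the rules in the comments are assumptions made for illustration.

```cpp
#include <set>

// Simplified model, not JavaScriptCore code. Assumption: a structure is a name
// plus a flag saying its transition watchpoint has not fired (watchpointable).
struct Structure { const char* name; bool watchpointable; };

// A set of structures with an explicit top element ("could be any structure").
struct StructureSet {
    bool top = true;
    std::set<const Structure*> items;
    StructureSet() = default;
    explicit StructureSet(const Structure* s) : top(false), items{s} {}
    bool isExactly(const Structure* s) const {
        return !top && items.size() == 1 && items.count(s) == 1;
    }
};

struct AbstractValue {
    StructureSet current; // proven by a check on this path; lost on side effects
    StructureSet future;  // holds for as long as the watchpoints stay unfired
    // A CheckStructure against s passed at run time.
    void checkStructure(const Structure* s) {
        current = StructureSet(s);
        if (s->watchpointable) future = StructureSet(s);
    }
    // A bytecode constant whose structure was s at compile time.
    void setConstant(const Structure* s) {
        current = StructureSet();
        future = s->watchpointable ? StructureSet(s) : StructureSet();
    }
    // A side effect may transition the object, so "right now" becomes unknown.
    void clobberStructures() { current = StructureSet(); }
};

enum class Lowering { Redundant, StructureTransitionWatchpoint, CheckStructure };
// Decide what a CheckStructure(s) on value v may be reduced to.
Lowering lowerCheck(const AbstractValue& v, const Structure* s) {
    if (v.current.isExactly(s)) return Lowering::Redundant;
    if (s->watchpointable && v.future.isExactly(s))
        return Lowering::StructureTransitionWatchpoint;
    return Lowering::CheckStructure; // a watchpoint here would be unsound
}

int main() {
    Structure point{"Point", true}; // constructed sample structure
    AbstractValue v;
    v.checkStructure(&point); v.clobberStructures();
    return lowerCheck(v, &point) == Lowering::StructureTransitionWatchpoint ? 0 : 1;
}
```

The case to watch is the last branch of `lowerCheck`: a structure that is not watchpointable has no future guarantee, so after a side effect the full check has to stay.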