Fix Windows build after r240511
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-01-25  Alex Christensen  <achristensen@webkit.org>

        Fix Windows build after r240511

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Apply Configuration to XCFileLists" build target
        https://bugs.webkit.org/show_bug.cgi?id=193781
        <rdar://problem/47201153>

        Reviewed by Alex Christensen.

        Part of generating the .xcfilelists used as part of adopting XCBuild
        includes running `make DerivedSources.make` from a standalone script.
        It’s important for this invocation to have the same environment as
        when the actual build invokes `make DerivedSources.make`. If the
        environments are different, then the two invocations will provide
        different results. In order to get the same environment in the
        standalone script, have the script launch xcodebuild targeting the
        "Apply Configuration to XCFileLists" build target, which will then
        re-invoke our standalone script. The script is now running again, this
        time in an environment with all workspace, project, target, xcconfig
        and other environment variables established.

        The "Apply Configuration to XCFileLists" build target accomplishes
        this task via a small embedded shell script that consists only of:

            eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"

        The process that invokes "Apply Configuration to XCFileLists" first
        sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
        evaluated and exports it into the shell environment. When xcodebuild
        is invoked, it inherits the value of this variable and can `eval` the
        contents of that variable. Our external standalone script can then set
        WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
        of command-line parameters needed to restart itself in the appropriate
        state.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>

        Add API to generate and consume cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=193401
        <rdar://problem/47514099>

        Reviewed by Keith Miller.

        Add the `generateBytecode` and `generateModuleBytecode` functions to
        generate serialized bytecode for a given `SourceCode`. These functions
        will eagerly generate code for all the nested functions.

        Additionally, update the API methods in JSScript to generate and use the
        bytecode when the bytecodeCache path is provided.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSScript.mm:
        (+[JSScript scriptWithSource:inVirtualMachine:]):
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):
        (-[JSScript readCache]):
        (-[JSScript writeCache]):
        (-[JSScript hash]):
        (-[JSScript source]):
        (-[JSScript cachedBytecode]):
        (-[JSScript jsSourceCode:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::create):
        (JSScriptSourceProvider::JSScriptSourceProvider):
        * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::hash const):
        (JSScriptSourceProvider::source const):
        (JSScriptSourceProvider::cachedBytecode const):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine vm]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        (testBytecodeCache):
        (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * SourcesCocoa.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::source const):
        * parser/SourceProvider.h:
        (JSC::CachedBytecode::CachedBytecode):
        (JSC::CachedBytecode::operator=):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::owned const):
        (JSC::CachedBytecode::~CachedBytecode):
        (JSC::CachedBytecode::freeDataIfOwned):
        (JSC::SourceProvider::cachedBytecode const):
        * parser/UnlinkedSourceCode.h:
        (JSC::UnlinkedSourceCode::provider const):
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::generateUnlinkedCodeBlockImpl):
        (JSC::generateUnlinkedCodeBlock):
        * runtime/Completion.cpp:
        (JSC::generateBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update WebKitAdditions.xcconfig with correct order of variable definitions
        https://bugs.webkit.org/show_bug.cgi?id=193793
        <rdar://problem/47532439>

        Reviewed by Alex Christensen.

        XCBuild changes the way xcconfig variables are evaluated. In short,
        all config file assignments are now considered as part of the
        evaluation. When using the new build system and an .xcconfig file
        contains multiple assignments of the same build setting:

        - Later assignments using $(inherited) will inherit from earlier
          assignments in the xcconfig file.
        - Later assignments not using $(inherited) will take precedence over
          earlier assignments. An assignment to a more general setting will
          mask an earlier assignment to a less general setting. For example,
          an assignment without a condition ('FOO = bar') will completely mask
          an earlier assignment with a condition ('FOO[sdk=macos*] = quux').

        This affects some of our .xcconfig files, in that sometimes platform-
        or sdk-specific definitions appear before the general definitions.
        Under the new evaluation rules, the general definitions always take
        effect because they always overwrite the more-specific definitions. The
        solution is to swap the order, so that the general definitions are
        established first, and then conditionally overwritten by the
        more-specific definitions.

        * Configurations/Version.xcconfig:

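        The two evaluation rules above, run over the entry's own FOO example. This is an added illustration and not WebKit's code: a small Python model of the order described (every matching assignment is considered in file order, the later one wins regardless of how general its condition is, and $(inherited) splices in the earlier result). The only condition form it understands is [sdk=pattern]; the fragments are constructed to show why the specific-before-general order loses the macOS value and the swapped order keeps it.

```python
import fnmatch
import re

# Added example: a simplified model of the two XCBuild evaluation rules stated
# in the entry above. This is not Xcode's evaluator; it only understands the
# shapes "NAME = value" and "NAME[sdk=pattern] = value", plus $(inherited).
ASSIGNMENT = re.compile(r"^\s*(\w+)(?:\[sdk=([^\]]+)\])?\s*=\s*(.*?)\s*$")


def parse_xcconfig(text):
    """Return (setting, sdk_pattern_or_None, rhs) triples in file order."""
    assignments = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0]        # strip trailing comments
        if not line.strip():
            continue
        match = ASSIGNMENT.match(line)
        if match is None:
            raise ValueError("unsupported xcconfig line: %r" % raw)
        assignments.append(match.groups())
    return assignments


def evaluate(text, setting, sdk):
    """Value of `setting` for `sdk` under the new-build-system rules.

    Every assignment of the setting is considered, in file order:
      - one whose condition does not match `sdk` contributes nothing;
      - a matching one replaces the earlier result (later wins, regardless
        of how general or specific its condition is);
      - $(inherited) on the right-hand side splices in the earlier result.
    """
    value = ""
    for name, pattern, rhs in parse_xcconfig(text):
        if name != setting:
            continue
        if pattern is not None and not fnmatch.fnmatchcase(sdk, pattern):
            continue
        value = rhs.replace("$(inherited)", value).strip()
    return value


# Constructed fragments using the FOO example from the entry.
SPECIFIC_FIRST = """
FOO[sdk=macos*] = quux
FOO = bar
"""

GENERAL_FIRST = """
FOO = bar
FOO[sdk=macos*] = quux
"""

INHERITED_CHAIN = """
OTHER_CFLAGS = -Wall
OTHER_CFLAGS = $(inherited) -Werror
"""


if __name__ == "__main__":
    # The general 'FOO = bar' masks the earlier macOS-specific line entirely,
    # whereas with the general line first the specific one applies on macOS only.
    print("specific first, sdk=macosx: ", evaluate(SPECIFIC_FIRST, "FOO", "macosx"))
    print("general first, sdk=macosx:  ", evaluate(GENERAL_FIRST, "FOO", "macosx"))
    print("general first, sdk=iphoneos:", evaluate(GENERAL_FIRST, "FOO", "iphoneos"))
    print("inherited chain:            ", evaluate(INHERITED_CHAIN, "OTHER_CFLAGS", "macosx"))
```

        Evaluating FOO for sdk=macosx gives bar with the specific line first and quux with the general line first, which is the reordering the entry describes for Version.xcconfig.
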
2019-01-25  Keith Rollin  <krollin@apple.com>

        Update existing .xcfilelists
        https://bugs.webkit.org/show_bug.cgi?id=193791
        <rdar://problem/47201706>

        Reviewed by Alex Christensen.

        Many .xcfilelist files were added in r238824 in order to support
        XCBuild. Update these with recent changes to the set of build files
        and with the current generate-xcfilelist script.

        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * UnifiedSources-input.xcfilelist:
        * UnifiedSources-output.xcfilelist:

2019-01-25  Jon Davis  <jond@apple.com>

        Update JavaScriptCore feature status entries.
        https://bugs.webkit.org/show_bug.cgi?id=193797

        Reviewed by Mark Lam.

        Updated feature status for Async Iteration, and Object rest/spread.

        * features.json:

2019-01-24  Keith Miller  <keith_miller@apple.com>

        Remove usage of internal macro from private header
        https://bugs.webkit.org/show_bug.cgi?id=193809

        Reviewed by Saam Barati.

        Also, add a new file to include all of our API headers to make sure
        they don't accidentally include C++ or internal values.

        * API/JSScript.h:
        * API/tests/testIncludes.m: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193800

        Reviewed by Saam Barati.

        Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
        the IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
        too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit is per-JSGlobalObject
        information, we should have m_stackTraceLimit in JSGlobalObject instead and put
        ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
        into IsoSubspaces) described,

            "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
            appear to just override methods, which are called dynamically via the structure or class of the object.
            So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."

        Then, putting ErrorConstructor in the InternalFunction IsoSubspace is fine since it meets the above condition.
        This patch removes m_stackTraceLimit in ErrorConstructor, and drops the IsoSubspace errorConstructorSpace.
        This reduces the memory usage.

        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        (JSC::constructErrorConstructor):
        (JSC::callErrorConstructor):
        (JSC::ErrorConstructor::put):
        (JSC::ErrorConstructor::deleteProperty):
        (JSC::Interpreter::constructWithErrorConstructor): Deleted.
        (JSC::Interpreter::callErrorConstructor): Deleted.
        * runtime/ErrorConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stackTraceLimit const):
        (JSC::JSGlobalObject::setStackTraceLimit):
        (JSC::JSGlobalObject::errorConstructor const): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CPU Usage Timeline
        https://bugs.webkit.org/show_bug.cgi?id=193730
        <rdar://problem/46797201>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources.make:
        New files.

        * inspector/protocol/CPUProfiler.json: Added.
        New domain that follows the pattern of Memory/ScriptProfiler.

        * inspector/protocol/Timeline.json:
        New enum to auto-start a CPU instrument in the backend.

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193774

        Reviewed by Mark Lam.

        We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
        But since IsoSubspace requires that the memory layout of instances be the same, we created different IsoSubspaces
        for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
        ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
        for these two constructor instances. There are only two instances per JSGlobalObject.

        This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use the IsoSubspace
        of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
        its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
        and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
        we do not need to hold ArrayBufferSharingMode in a field of the constructor. This change removes the IsoSubspace
        for ArrayBufferConstructors, and reduces the memory usage.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
        (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
        (JSC::JSArrayBufferConstructor::create): Deleted.
        (JSC::JSArrayBufferConstructor::createStructure): Deleted.
        (JSC::constructArrayBuffer): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
        This becomes true when we find the executable address in our conservative roots, which
        means that we could be executing it right now. This means that object liveness in
        JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
        constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
        be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
        executing JITStubRoutine because "Conservative Scan" finds it later.
        When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
        "Conservative Scan" has already finished, we do not delete some JITStubRoutines which do not
        mark the depending objects. Then, in the next cycle, we find JITStubRoutines still live,
        attempt to mark the depending objects, and encounter the dead objects which were collected
        in the previous cycles.

        This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
        "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
        happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
        GC stop time.

        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::roots const):
        (JSC::ConservativeRoots::roots): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        * heap/SlotVisitor.h:
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:

2019-01-24  Saam Barati  <sbarati@apple.com>

        Update ARM64EHash
        https://bugs.webkit.org/show_bug.cgi?id=193776
        <rdar://problem/47526457>

        Reviewed by Mark Lam.

        See radar for details.

        * assembler/AssemblerBuffer.h:
        (JSC::ARM64EHash::update):
        (JSC::ARM64EHash::finalHash const):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        The Object Allocation Sinking phase may move allocations around inside
        of the program. However, it was not ensuring that it's still possible
        to walk the stack at the point in the program that it moved the allocation to.
        Certain InlineCallFrames rely on data in the stack when taking a stack trace.
        All allocation sites can do a stack walk (we do a stack walk when we GC).
        Conservatively, this patch says we're ok to move this allocation if we are
        moving within the same InlineCallFrame. We could be more precise and do an
        analysis of stack writes. However, this scenario is so rare that we just
        take the conservative and straightforward approach of checking that the place
        we're moving to is the same InlineCallFrame as the allocation site.

        In general, this issue arises any time we do any kind of code motion.
        Interestingly, LICM gets this right. It gets it right because the only
        InlineCallFrames we can't move out of are the InlineCallFrames that
        have metadata stored on the stack (callee for closure calls and argument
        count for varargs calls). LICM doesn't have this issue because it relies
        on Clobberize for doing its effects analysis. In clobberize, we model every
        node within an InlineCallFrame that meets the above criteria as reading
        from those stack fields. Consequently, LICM won't hoist any node in that
        InlineCallFrame past the beginning of the InlineCallFrame since the IR
        we generate to set up such an InlineCallFrame contains writes to that
        stack location.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Use $s0 as metadata register and make sure it's properly saved and
        restored.

        * jit/GPRInfo.h:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::vmCalleeSaveRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        * llint/LowLevelInterpreter.asm:
        * offlineasm/mips.rb:

2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Expose JavaScriptCore options in GLib public API
        https://bugs.webkit.org/show_bug.cgi?id=188742

        Reviewed by Michael Catanzaro.

        Add new API to set, get and iterate JSC options.

        * API/glib/JSCOptions.cpp: Added.
        (valueFromGValue):
        (valueToGValue):
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_set_boolean):
        (jsc_options_get_boolean):
        (jsc_options_set_int):
        (jsc_options_get_int):
        (jsc_options_set_uint):
        (jsc_options_get_uint):
        (jsc_options_set_size):
        (jsc_options_get_size):
        (jsc_options_set_double):
        (jsc_options_get_double):
        (jsc_options_set_string):
        (jsc_options_get_string):
        (jsc_options_set_range_string):
        (jsc_options_get_range_string):
        (jscOptionsType):
        (jsc_options_foreach):
        (setOptionEntry):
        (jsc_options_get_option_group):
        * API/glib/JSCOptions.h: Added.
        * API/glib/docs/jsc-glib-4.0-sections.txt:
        * API/glib/docs/jsc-glib-docs.sgml:
        * API/glib/jsc.h:
        * GLib.cmake:

2019-01-23  Mark Lam  <mark.lam@apple.com>

        ARM64E should not ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=193744
        <rdar://problem/46262952>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
        making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform a forward analysis.
        We first clear all the availability of basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block
        to ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
        merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability in the head
        of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
        The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
        BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
        as follows.

            BB0 -> BB1 -> BB2 -> BB4
             |        \        ^
             v          > BB3 /
            BB5

        And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.

            BB0 does nothing
                head: loc1 is dead
                tail: loc1 is dead

            BB1 has MovHint @1, loc1
                head: loc1 is dead
                tail: loc1 is live

            BB2 does nothing
                head: loc1 is live
                tail: loc1 is live

            BB3 has PutStack @1, loc1
                head: loc1 is live
                tail: loc1 is live

            BB4 has OSR exit using loc1
                head: loc1 is live
                tail: loc1 is live (in bytecode)

            BB5 does nothing
                head: loc1 is dead
                tail: loc1 is dead

        In our OSR Availability analysis, we always prune loc1's result in BB1's head since its head says "loc1 is dead".
        But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.

        So, the flush format of loc1 in each tail of BB is like this.

            BB0
                ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
            BB1
                DeadFlush+@1 (pruning clears it)
            BB2
                DeadFlush+@1 (since it is propagated from BB1)
            BB3
                FlushedJSValue+@1 with loc1 (since it has PutStack)
            BB4
                FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
            BB5
                DeadFlush (pruning clears it)

        Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
        The correct fix is making availability "unavailable" when pruning based on bytecode liveness.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands to Availability::unavailable(),
        and copy the calculated value from the current availability map.
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging for debugging.

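        The six-block example worked through in code. This is an added illustration and not JavaScriptCore's code: a toy forward analysis over the flush formats named above, parameterised by what pruning sets a dead-at-head operand to, so the buggy result (prune to DeadFlush) and the fixed one (prune to Availability::unavailable()) for loc1 at BB4's tail can be compared side by side. The lattice, the MovHint/PutStack effects and the stack-first recovery choice are simplifications of what the entry describes; block names, ops and liveness are the constructed case from the entry.

```python
from collections import namedtuple

# Added example: a toy model of the OSR availability lattice described in the
# entry above, just enough to reproduce its six-block example for loc1. It is
# not JavaScriptCore's AvailabilityMap; the flush-format names follow the
# entry, everything else is a simplification.

DEAD_FLUSH = "DeadFlush"                # BOTTOM: nothing known yet
CONFLICTING_FLUSH = "ConflictingFlush"  # TOP: value cannot be read from the stack
FLUSHED_JSVALUE = "FlushedJSValue"      # value has been stored to the operand's slot
NODE_CONFLICT = "<conflict>"            # predecessors disagree on the node

Availability = namedtuple("Availability", "flush node")
EMPTY = Availability(DEAD_FLUSH, None)               # what the bug pruned to
UNAVAILABLE = Availability(CONFLICTING_FLUSH, None)  # Availability::unavailable()


def merge_flush(a, b):
    """Lattice join: DeadFlush is the identity, disagreement is ConflictingFlush."""
    if a == b:
        return a
    if a == DEAD_FLUSH:
        return b
    if b == DEAD_FLUSH:
        return a
    return CONFLICTING_FLUSH


def merge_node(a, b):
    """Same shape for the node: no node is the identity, disagreement is a conflict."""
    if a == b:
        return a
    if a is None:
        return b
    if b is None:
        return a
    return NODE_CONFLICT


def merge(a, b):
    return Availability(merge_flush(a.flush, b.flush), merge_node(a.node, b.node))


def execute(ops, avail):
    """Run a block's operations on loc1: MovHint records the node, PutStack the flush."""
    for op, node in ops:
        if op == "MovHint":
            avail = avail._replace(node=node)
        elif op == "PutStack":
            avail = avail._replace(flush=FLUSHED_JSVALUE)
    return avail


def recovery(avail):
    """How the OSR exit recovers loc1: the stack when flushed, else the node, else dead."""
    if avail.flush == FLUSHED_JSVALUE:
        return "stack"
    return "node" if avail.node not in (None, NODE_CONFLICT) else "dead"


# Constructed CFG from the entry: BB0 -> BB1 -> BB2 -> BB4, BB1 -> BB3 -> BB4, BB0 -> BB5.
# live_at_head is the bytecode liveness of loc1 at each block's head.
BLOCKS = {
    "BB0": dict(ops=[], succs=["BB1", "BB5"], live_at_head=False),
    "BB1": dict(ops=[("MovHint", "@1")], succs=["BB2", "BB3"], live_at_head=False),
    "BB2": dict(ops=[], succs=["BB4"], live_at_head=True),
    "BB3": dict(ops=[("PutStack", "@1")], succs=["BB4"], live_at_head=True),
    "BB4": dict(ops=[], succs=[], live_at_head=True),   # OSR exit that needs loc1
    "BB5": dict(ops=[], succs=[], live_at_head=False),
}


def analyze(prune_to):
    """Forward analysis of loc1; returns the availability at every block's tail.

    `prune_to` is what a dead-at-head operand is set to after merging:
    EMPTY reproduces the bug, UNAVAILABLE the fix.
    """
    at_head = {name: EMPTY for name in BLOCKS}
    at_head["BB0"] = UNAVAILABLE   # root block: all locals start ConflictingFlush
    at_tail = {}
    changed = True
    while changed:                 # iterate to the fixed point
        changed = False
        for name, block in BLOCKS.items():
            tail = execute(block["ops"], at_head[name])
            if at_tail.get(name) == tail:
                continue
            at_tail[name] = tail
            changed = True
            for succ in block["succs"]:
                merged = merge(at_head[succ], tail)
                # Pruning by liveness at the successor's head.
                at_head[succ] = merged if BLOCKS[succ]["live_at_head"] else prune_to
    return at_tail


if __name__ == "__main__":
    for label, prune_to in (("bug: prune to DeadFlush", EMPTY), ("fix: prune to unavailable()", UNAVAILABLE)):
        tails = analyze(prune_to)
        print(label)
        for name in BLOCKS:
            print("  %s tail: %s %s" % (name, tails[name].flush, tails[name].node or ""))
        print("  BB4 exit recovers loc1 from:", recovery(tails["BB4"]))
```

        With the buggy pruning, BB4's tail is FlushedJSValue+@1 and the exit would read loc1 from the stack, which the BB2 path never wrote; with the fix it is ConflictingFlush+@1 and the exit recovers loc1 from node @1 instead.
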
2019-01-23  David Kilzer  <ddkilzer@apple.com>

        [JSC] Duplicate global variables: JSC::opcodeLengths
        <https://webkit.org/b/193714>
        <rdar://problem/47340200>

        Reviewed by Mark Lam.

        * bytecode/Opcode.cpp:
        (JSC::opcodeLengths): Move array implementation here and mark
        const.
        * bytecode/Opcode.h:
        (JSC::opcodeLengths): Change to extern declaration.

2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Remote Inspector: no data displayed
        https://bugs.webkit.org/show_bug.cgi?id=193569

        Reviewed by Michael Catanzaro.

        Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
        deadlock.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setup):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/ObjectPrototype.h:
        * runtime/ObjectPrototypeInlines.h: Removed.
        * runtime/StructureRareData.h:

2019-01-22  Devin Rousso  <drousso@apple.com>

        Web Inspector: expose Audit and Recording versions to the frontend
        https://bugs.webkit.org/show_bug.cgi?id=193262
        <rdar://problem/47130684>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Audit.json:
        * inspector/protocol/Recording.json:
        Add `version` values.

        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domain.version): Added.
        (Domains):

        * inspector/scripts/codegen/generator.py:
        (Generator.version_for_domain): Added.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_versions): Added.

        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.generate_domain):

        * inspector/scripts/tests/generic/version.json: Added.
        * inspector/scripts/tests/generic/expected/version.json-result: Added.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

666 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
667
668         [JSC] Intl constructors should fit in sizeof(InternalFunction)
669         https://bugs.webkit.org/show_bug.cgi?id=193661
670
671         Reviewed by Mark Lam.
672
673         Previously all the Intl constructors had their own subspace. This is because these constructors have a different size from InternalFunction.
674         But it is too costly an approach in terms of memory usage since these constructors are only one per JSGlobalObject. This patch attempts to
675         reduce the memory consumed by these Intl objects by holding instance structures in IntlObject instead of in each Intl constructor,
676         so that we can make sizeof(Intl constructors) == sizeof(InternalFunction) and drop the costly subspaces. Since this patch drops subspaces in VM,
677         it also significantly reduces sizeof(VM), from 76696 to 74680.
678
679         This patch also includes the preparation for making Intl properties lazy. But currently it is not possible since @Collator reference exists
680         in builtin code.
681
682         * CMakeLists.txt:
683         * DerivedSources.make:
684         * runtime/IntlCollatorConstructor.cpp:
685         (JSC::IntlCollatorConstructor::create):
686         (JSC::IntlCollatorConstructor::finishCreation):
687         (JSC::constructIntlCollator):
688         (JSC::callIntlCollator):
689         (JSC::IntlCollatorConstructor::visitChildren): Deleted.
690         * runtime/IntlCollatorConstructor.h:
691         * runtime/IntlDateTimeFormatConstructor.cpp:
692         (JSC::IntlDateTimeFormatConstructor::create):
693         (JSC::IntlDateTimeFormatConstructor::finishCreation):
694         (JSC::constructIntlDateTimeFormat):
695         (JSC::callIntlDateTimeFormat):
696         (JSC::IntlDateTimeFormatConstructor::visitChildren): Deleted.
697         * runtime/IntlDateTimeFormatConstructor.h:
698         * runtime/IntlNumberFormatConstructor.cpp:
699         (JSC::IntlNumberFormatConstructor::create):
700         (JSC::IntlNumberFormatConstructor::finishCreation):
701         (JSC::constructIntlNumberFormat):
702         (JSC::callIntlNumberFormat):
703         (JSC::IntlNumberFormatConstructor::visitChildren): Deleted.
704         * runtime/IntlNumberFormatConstructor.h:
705         * runtime/IntlObject.cpp:
706         (JSC::createCollatorConstructor):
707         (JSC::createNumberFormatConstructor):
708         (JSC::createDateTimeFormatConstructor):
709         (JSC::createPluralRulesConstructor):
710         (JSC::IntlObject::create):
711         (JSC::IntlObject::finishCreation):
712         (JSC::IntlObject::visitChildren):
713         * runtime/IntlObject.h:
714         * runtime/IntlPluralRulesConstructor.cpp:
715         (JSC::IntlPluralRulesConstructor::create):
716         (JSC::IntlPluralRulesConstructor::finishCreation):
717         (JSC::constructIntlPluralRules):
718         (JSC::IntlPluralRulesConstructor::visitChildren): Deleted.
719         * runtime/IntlPluralRulesConstructor.h:
720         * runtime/JSGlobalObject.cpp:
721         (JSC::JSGlobalObject::init):
722         (JSC::JSGlobalObject::visitChildren):
723         * runtime/JSGlobalObject.h:
724         (JSC::JSGlobalObject::intlObject const):
725         * runtime/VM.cpp:
726         (JSC::VM::VM):
727         * runtime/VM.h:
728
729 2019-01-22  Saam Barati  <sbarati@apple.com>
730
731         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
732
733         * dfg/DFGBackwardsPropagationPhase.cpp:
734         (JSC::DFG::BackwardsPropagationPhase::propagate):
735
736 2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>
737
738         Unreviewed, restore bytecode cache-related JSC options deleted in r240254
739         https://bugs.webkit.org/show_bug.cgi?id=192782
740
741         The JSC options were committed as part of r240210, which got rolled out in
742         r240224. However, the options got re-landed in r240248 and then deleted
743         again in 240254 (immediately before the caching code landed in 240255).
744
745         * runtime/Options.h:
746
747 2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>
748
749         Cache bytecode to disk
750         https://bugs.webkit.org/show_bug.cgi?id=192782
751         <rdar://problem/46084932>
752
753         Reviewed by Keith Miller.
754
755         Add the logic to serialize and deserialize the new JSC bytecode. For now,
756         the cache is only used for tests.
757
758         Each class that can be serialized has a counterpart in CachedTypes, which
759         handles the decoding and encoding. When decoding, the cached objects are
760         mmap'd from disk, but only used for creating instances of the respective
761         in-memory version of each object. Ideally, the mmap'd objects should be
762         used at runtime in the future.
763
764         * CMakeLists.txt:
765         * JavaScriptCore.xcodeproj/project.pbxproj:
766         * Sources.txt:
767         * builtins/BuiltinNames.cpp:
768         (JSC::BuiltinNames::BuiltinNames):
769         * builtins/BuiltinNames.h:
770         * bytecode/CodeBlock.cpp:
771         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
772         * bytecode/CodeBlock.h:
773         * bytecode/HandlerInfo.h:
774         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
775         * bytecode/InstructionStream.h:
776         * bytecode/UnlinkedCodeBlock.h:
777         (JSC::UnlinkedCodeBlock::addSetConstant):
778         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
779         * bytecode/UnlinkedEvalCodeBlock.h:
780         * bytecode/UnlinkedFunctionCodeBlock.h:
781         * bytecode/UnlinkedFunctionExecutable.h:
782         * bytecode/UnlinkedGlobalCodeBlock.h:
783         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
784         * bytecode/UnlinkedMetadataTable.h:
785         * bytecode/UnlinkedModuleProgramCodeBlock.h:
786         * bytecode/UnlinkedProgramCodeBlock.h:
787         * interpreter/Interpreter.cpp:
788         * jsc.cpp:
789         (functionQuit):
790         (runJSC):
791         * parser/SourceCode.h:
792         * parser/SourceCodeKey.h:
793         (JSC::SourceCodeKey::operator!= const):
794         * parser/UnlinkedSourceCode.h:
795         * parser/VariableEnvironment.h:
796         * runtime/CachedTypes.cpp: Added.
797         (JSC::Encoder::Allocation::buffer const):
798         (JSC::Encoder::Allocation::offset const):
799         (JSC::Encoder::Allocation::Allocation):
800         (JSC::Encoder::Encoder):
801         (JSC::Encoder::vm):
802         (JSC::Encoder::malloc):
803         (JSC::Encoder::offsetOf):
804         (JSC::Encoder::cachePtr):
805         (JSC::Encoder::offsetForPtr):
806         (JSC::Encoder::release):
807         (JSC::Encoder::Page::Page):
808         (JSC::Encoder::Page::malloc):
809         (JSC::Encoder::Page::buffer const):
810         (JSC::Encoder::Page::size const):
811         (JSC::Encoder::Page::getOffset const):
812         (JSC::Encoder::allocateNewPage):
813         (JSC::Decoder::Decoder):
814         (JSC::Decoder::~Decoder):
815         (JSC::Decoder::vm):
816         (JSC::Decoder::offsetOf):
817         (JSC::Decoder::cacheOffset):
818         (JSC::Decoder::addFinalizer):
819         (JSC::encode):
820         (JSC::decode):
821         (JSC::VariableLengthObject::buffer const):
822         (JSC::VariableLengthObject::allocate):
823         (JSC::CachedPtr::encode):
824         (JSC::CachedPtr::decode const):
825         (JSC::CachedPtr::operator-> const):
826         (JSC::CachedPtr::get const):
827         (JSC::CachedRefPtr::encode):
828         (JSC::CachedRefPtr::decode const):
829         (JSC::CachedWriteBarrier::encode):
830         (JSC::CachedWriteBarrier::decode const):
831         (JSC::CachedVector::encode):
832         (JSC::CachedVector::decode const):
833         (JSC::CachedPair::encode):
834         (JSC::CachedPair::decode const):
835         (JSC::CachedHashMap::encode):
836         (JSC::CachedHashMap::decode const):
837         (JSC::CachedUniquedStringImpl::encode):
838         (JSC::CachedUniquedStringImpl::decode const):
839         (JSC::CachedStringImpl::encode):
840         (JSC::CachedStringImpl::decode const):
841         (JSC::CachedString::encode):
842         (JSC::CachedString::decode const):
843         (JSC::CachedIdentifier::encode):
844         (JSC::CachedIdentifier::decode const):
845         (JSC::CachedOptional::encode):
846         (JSC::CachedOptional::decode const):
847         (JSC::CachedOptional::decodeAsPtr const):
848         (JSC::CachedSimpleJumpTable::encode):
849         (JSC::CachedSimpleJumpTable::decode const):
850         (JSC::CachedStringJumpTable::encode):
851         (JSC::CachedStringJumpTable::decode const):
852         (JSC::CachedCodeBlockRareData::encode):
853         (JSC::CachedCodeBlockRareData::decode const):
854         (JSC::CachedBitVector::encode):
855         (JSC::CachedBitVector::decode const):
856         (JSC::CachedHashSet::encode):
857         (JSC::CachedHashSet::decode const):
858         (JSC::CachedConstantIdentifierSetEntry::encode):
859         (JSC::CachedConstantIdentifierSetEntry::decode const):
860         (JSC::CachedVariableEnvironment::encode):
861         (JSC::CachedVariableEnvironment::decode const):
862         (JSC::CachedArray::encode):
863         (JSC::CachedArray::decode const):
864         (JSC::CachedScopedArgumentsTable::encode):
865         (JSC::CachedScopedArgumentsTable::decode const):
866         (JSC::CachedSymbolTableEntry::encode):
867         (JSC::CachedSymbolTableEntry::decode const):
868         (JSC::CachedSymbolTable::encode):
869         (JSC::CachedSymbolTable::decode const):
870         (JSC::CachedImmutableButterfly::encode):
871         (JSC::CachedImmutableButterfly::decode const):
872         (JSC::CachedRegExp::encode):
873         (JSC::CachedRegExp::decode const):
874         (JSC::CachedTemplateObjectDescriptor::encode):
875         (JSC::CachedTemplateObjectDescriptor::decode const):
876         (JSC::CachedBigInt::encode):
877         (JSC::CachedBigInt::decode const):
878         (JSC::CachedJSValue::encode):
879         (JSC::CachedJSValue::decode const):
880         (JSC::CachedInstructionStream::encode):
881         (JSC::CachedInstructionStream::decode const):
882         (JSC::CachedMetadataTable::encode):
883         (JSC::CachedMetadataTable::decode const):
884         (JSC::CachedSourceOrigin::encode):
885         (JSC::CachedSourceOrigin::decode const):
886         (JSC::CachedTextPosition::encode):
887         (JSC::CachedTextPosition::decode const):
888         (JSC::CachedSourceProviderShape::encode):
889         (JSC::CachedSourceProviderShape::decode const):
890         (JSC::CachedStringSourceProvider::encode):
891         (JSC::CachedStringSourceProvider::decode const):
892         (JSC::CachedWebAssemblySourceProvider::encode):
893         (JSC::CachedWebAssemblySourceProvider::decode const):
894         (JSC::CachedSourceProvider::encode):
895         (JSC::CachedSourceProvider::decode const):
896         (JSC::CachedUnlinkedSourceCodeShape::encode):
897         (JSC::CachedUnlinkedSourceCodeShape::decode const):
898         (JSC::CachedSourceCode::encode):
899         (JSC::CachedSourceCode::decode const):
900         (JSC::CachedFunctionExecutable::firstLineOffset const):
901         (JSC::CachedFunctionExecutable::lineCount const):
902         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
903         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
904         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
905         (JSC::CachedFunctionExecutable::startOffset const):
906         (JSC::CachedFunctionExecutable::sourceLength const):
907         (JSC::CachedFunctionExecutable::parametersStartOffset const):
908         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
909         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
910         (JSC::CachedFunctionExecutable::parameterCount const):
911         (JSC::CachedFunctionExecutable::features const):
912         (JSC::CachedFunctionExecutable::sourceParseMode const):
913         (JSC::CachedFunctionExecutable::isInStrictContext const):
914         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
915         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
916         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
917         (JSC::CachedFunctionExecutable::constructAbility const):
918         (JSC::CachedFunctionExecutable::constructorKind const):
919         (JSC::CachedFunctionExecutable::functionMode const):
920         (JSC::CachedFunctionExecutable::scriptMode const):
921         (JSC::CachedFunctionExecutable::superBinding const):
922         (JSC::CachedFunctionExecutable::derivedContextType const):
923         (JSC::CachedFunctionExecutable::name const):
924         (JSC::CachedFunctionExecutable::ecmaName const):
925         (JSC::CachedFunctionExecutable::inferredName const):
926         (JSC::CachedCodeBlock::instructions const):
927         (JSC::CachedCodeBlock::thisRegister const):
928         (JSC::CachedCodeBlock::scopeRegister const):
929         (JSC::CachedCodeBlock::globalObjectRegister const):
930         (JSC::CachedCodeBlock::sourceURLDirective const):
931         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
932         (JSC::CachedCodeBlock::usesEval const):
933         (JSC::CachedCodeBlock::isStrictMode const):
934         (JSC::CachedCodeBlock::isConstructor const):
935         (JSC::CachedCodeBlock::hasCapturedVariables const):
936         (JSC::CachedCodeBlock::isBuiltinFunction const):
937         (JSC::CachedCodeBlock::superBinding const):
938         (JSC::CachedCodeBlock::scriptMode const):
939         (JSC::CachedCodeBlock::isArrowFunctionContext const):
940         (JSC::CachedCodeBlock::isClassContext const):
941         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
942         (JSC::CachedCodeBlock::constructorKind const):
943         (JSC::CachedCodeBlock::derivedContextType const):
944         (JSC::CachedCodeBlock::evalContextType const):
945         (JSC::CachedCodeBlock::hasTailCalls const):
946         (JSC::CachedCodeBlock::lineCount const):
947         (JSC::CachedCodeBlock::endColumn const):
948         (JSC::CachedCodeBlock::numVars const):
949         (JSC::CachedCodeBlock::numCalleeLocals const):
950         (JSC::CachedCodeBlock::numParameters const):
951         (JSC::CachedCodeBlock::features const):
952         (JSC::CachedCodeBlock::parseMode const):
953         (JSC::CachedCodeBlock::codeType const):
954         (JSC::CachedCodeBlock::rareData const):
955         (JSC::CachedProgramCodeBlock::encode):
956         (JSC::CachedProgramCodeBlock::decode const):
957         (JSC::CachedModuleCodeBlock::encode):
958         (JSC::CachedModuleCodeBlock::decode const):
959         (JSC::CachedEvalCodeBlock::encode):
960         (JSC::CachedEvalCodeBlock::decode const):
961         (JSC::CachedFunctionCodeBlock::encode):
962         (JSC::CachedFunctionCodeBlock::decode const):
963         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
964         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
965         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
966         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
967         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
968         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
969         (JSC::CachedFunctionExecutable::encode):
970         (JSC::CachedFunctionExecutable::decode const):
971         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
972         (JSC::CachedCodeBlock<CodeBlockType>::encode):
973         (JSC::CachedSourceCodeKey::encode):
974         (JSC::CachedSourceCodeKey::decode const):
975         (JSC::CacheEntry::encode):
976         (JSC::CacheEntry:: const):
977         (JSC:: const):
978         (JSC::encodeCodeBlock):
979         (JSC::decodeCodeBlockImpl):
980         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
981         (JSC::decodeCodeBlock):
982         * runtime/CodeCache.cpp:
983         (JSC::CodeCacheMap::pruneSlowCase):
984         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
985         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
986         (JSC::CodeCache::write):
987         * runtime/CodeCache.h:
988         (JSC::CodeCacheMap::begin):
989         (JSC::CodeCacheMap::end):
990         (JSC::CodeCacheMap::fetchFromDiskImpl):
991         (JSC::CodeCacheMap::findCacheAndUpdateAge):
992         (JSC::writeCodeBlock):
993         * runtime/JSBigInt.cpp:
994         * runtime/JSBigInt.h:
995         * runtime/Options.cpp:
996         (JSC::recomputeDependentOptions):
997         * runtime/RegExp.h:
998         * runtime/ScopedArgumentsTable.h:
999         * runtime/StackFrame.h:
1000         * runtime/StructureInlines.h:
1001         * runtime/SymbolTable.h:
1002
1003 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1004
1005         [JSC] Invalidate old scope operations using global lexical binding epoch
1006         https://bugs.webkit.org/show_bug.cgi?id=193603
1007         <rdar://problem/47380869>
1008
1009         Reviewed by Saam Barati.
1010
1011         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
1012         scope related operations since we may have had a global property previously. Consider the following example,
1013
1014             foo = 0;
1015             function get() { return foo; }
1016             print(get()); // 0
1017             print(get()); // 0
1018             delete globalThis.foo;
1019             $.evalScript(`const foo = 42;`);
1020             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
1021
1022         To invalidate the cache easily, we introduce the global lexical binding epoch. It is bumped every time we introduce a new lexical binding
1023         into JSGlobalLexicalEnvironment, since that name could shadow a global property name that existed previously. In op_resolve_scope, we first check
1024         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
1025         operation to the appropriate one even if the resolve type is not the UnresolvedProperty type. After updating the resolve type of the bytecode,
1026         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
1027
1028         In op_get_from_scope and op_put_to_scope, we do not use this epoch since the Structure check can do the same thing instead. If op_resolve_type
1029         is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, obviously the structure check fails.
1030         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
1031
1032         So, the metadata for scope related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint based approach.
1033         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid
1034         an infinite compile-and-fail loop.
1035
1036         When the global lexical binding epoch overflows we iterate over all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
1037         happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
1038         structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
1039         reason.
1040
1041         * bytecode/BytecodeList.rb:
1042         * bytecode/CodeBlock.cpp:
1043         (JSC::CodeBlock::finishCreation):
1044         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1045         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
1046         * bytecode/CodeBlock.h:
1047         * dfg/DFGByteCodeParser.cpp:
1048         (JSC::DFG::ByteCodeParser::parseBlock):
1049         * dfg/DFGDesiredGlobalProperties.cpp:
1050         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1051         * dfg/DFGDesiredGlobalProperties.h:
1052         * dfg/DFGGraph.cpp:
1053         (JSC::DFG::Graph::watchGlobalProperty):
1054         * dfg/DFGGraph.h:
1055         * dfg/DFGPlan.cpp:
1056         (JSC::DFG::Plan::isStillValidOnMainThread):
1057         * jit/JITPropertyAccess.cpp:
1058         (JSC::JIT::emit_op_resolve_scope):
1059         * jit/JITPropertyAccess32_64.cpp:
1060         (JSC::JIT::emit_op_resolve_scope):
1061         * llint/LowLevelInterpreter32_64.asm:
1062         * llint/LowLevelInterpreter64.asm:
1063         * runtime/CommonSlowPaths.cpp:
1064         (JSC::SLOW_PATH_DECL):
1065         * runtime/CommonSlowPaths.h:
1066         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1067         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1068         * runtime/JSGlobalObject.cpp:
1069         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
1070         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1071         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1072         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
1073         * runtime/JSGlobalObject.h:
1074         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
1075         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
1076         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
1077         * runtime/Options.cpp:
1078         (JSC::correctOptions):
1079         (JSC::Options::initialize):
1080         (JSC::Options::setOptions):
1081         (JSC::Options::setOptionWithoutAlias):
1082         * runtime/Options.h:
1083         * runtime/ProgramExecutable.cpp:
1084         (JSC::ProgramExecutable::initializeGlobalProperties):
1085
1086 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1087
1088         Unreviewed, roll out r240220 due to date-format-xparb regression
1089         https://bugs.webkit.org/show_bug.cgi?id=193603
1090
1091         * bytecode/BytecodeList.rb:
1092         * bytecode/CodeBlock.cpp:
1093         (JSC::CodeBlock::notifyLexicalBindingShadowing):
1094         (JSC::CodeBlock::notifyLexicalBindingUpdate): Deleted.
1095         * bytecode/CodeBlock.h:
1096         * dfg/DFGByteCodeParser.cpp:
1097         (JSC::DFG::ByteCodeParser::parseBlock):
1098         * dfg/DFGDesiredGlobalProperties.cpp:
1099         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1100         * dfg/DFGDesiredGlobalProperties.h:
1101         * dfg/DFGGraph.cpp:
1102         (JSC::DFG::Graph::watchGlobalProperty): Deleted.
1103         * dfg/DFGGraph.h:
1104         * dfg/DFGPlan.cpp:
1105         (JSC::DFG::Plan::isStillValidOnMainThread):
1106         * jit/JITPropertyAccess.cpp:
1107         (JSC::JIT::emit_op_resolve_scope):
1108         * jit/JITPropertyAccess32_64.cpp:
1109         (JSC::JIT::emit_op_resolve_scope):
1110         * llint/LowLevelInterpreter32_64.asm:
1111         * llint/LowLevelInterpreter64.asm:
1112         * runtime/CommonSlowPaths.cpp:
1113         (JSC::SLOW_PATH_DECL):
1114         * runtime/CommonSlowPaths.h:
1115         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1116         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1117         * runtime/JSGlobalObject.cpp:
1118         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
1119         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1120         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1121         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch): Deleted.
1122         * runtime/JSGlobalObject.h:
1123         (JSC::JSGlobalObject::globalLexicalBindingEpoch const): Deleted.
1124         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset): Deleted.
1125         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch): Deleted.
1126         * runtime/Options.cpp:
1127         (JSC::Options::initialize):
1128         (JSC::Options::setOptions):
1129         (JSC::Options::setOptionWithoutAlias):
1130         (JSC::correctOptions): Deleted.
1131         * runtime/Options.h:
1132         * runtime/ProgramExecutable.cpp:
1133         (JSC::ProgramExecutable::initializeGlobalProperties):
1134
1135 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1136
1137         [JSC] StrictModeTypeErrorFunction is no longer used
1138         https://bugs.webkit.org/show_bug.cgi?id=193662
1139
1140         Reviewed by Mark Lam.
1141
1142         StrictModeTypeErrorFunction is no longer used. This patch drops it. Furthermore, it also allows us to drop
1143         strictModeTypeErrorFunctionSpace from VM.
1144
1145         * runtime/Error.cpp:
1146         (JSC::StrictModeTypeErrorFunction::destroy): Deleted.
1147         * runtime/Error.h:
1148         (): Deleted.
1149         * runtime/VM.cpp:
1150         (JSC::VM::VM):
1151         * runtime/VM.h:
1152
1153 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1154
1155         DoesGC rule is wrong for nodes with BigIntUse
1156         https://bugs.webkit.org/show_bug.cgi?id=193652
1157
1158         Reviewed by Saam Barati.
1159
1160         The former rule was that ValueOp does not GC. However, this is wrong, since
1161         these operations can trigger GC and mess up memory management. In the end, this
1162         will generate wrong code because we will have the wrong GC epoch value during
1163         the Store Barrier Insertion phase.
1164         We changed this to consider BigIntUse for such nodes and properly return true when
1165         they are BigIntUse.
1166
1167         * dfg/DFGDoesGC.cpp:
1168         (JSC::DFG::doesGC):
1169
1170 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1171
1172         [JSC] Lazily initialize JSModuleLoader
1173         https://bugs.webkit.org/show_bug.cgi?id=193646
1174
1175         Reviewed by Keith Miller and Saam Barati.
1176
1177         Lazily initialize JSModuleLoader so that we do not need to initialize it until we need modules.
1178
1179         * runtime/JSGlobalObject.cpp:
1180         (JSC::JSGlobalObject::init):
1181         (JSC::JSGlobalObject::visitChildren):
1182         * runtime/JSGlobalObject.h:
1183         (JSC::JSGlobalObject::moduleLoader const):
1184
1185 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1186
1187         [JSC] sub op with 0 should be optimized
1188         https://bugs.webkit.org/show_bug.cgi?id=190751
1189
1190         Reviewed by Mark Lam.
1191
1192         LLInt sometimes emits `subp 0, %rxx`. For example, `maxFrameExtentForSlowPathCall` is 0 on X86_64, ARM64, and ARM64E.
1193         So `subp maxFrameExtentForSlowPathCall sp` becomes `subp 0, %rsp`. While `addp 0, %rsp` is removed in offlineasm,
1194         the sub operation does not have such an optimization. This patch applies to the sub operation the same optimization already
1195         done for the add operation. Since the CPU flags changed by these offlineasm operations are not considered (if these flags
1196         are required, we use special branch operations instead), this optimization is sane.
1197
1198         One problem is the zero-extension of the 32bit register on 64bit architectures. If the instruction emission is skipped,
1199         this won't happen. Currently, we align our sub with the add operation: we skip emission in this case.
1200
1201         * offlineasm/arm64.rb:
1202         * offlineasm/x86.rb:
1203
1204 2019-01-20  Saam Barati  <sbarati@apple.com>
1205
1206         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1207         https://bugs.webkit.org/show_bug.cgi?id=193644
1208         <rdar://problem/46209745>
1209
1210         Reviewed by Yusuke Suzuki.
1211
1212         This patch also makes it so we fail fast when we make this mistake.
1213         I've made this mistake more than once.
1214
1215         * dfg/DFGByteCodeParser.cpp:
1216         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1217
1218 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1219
1220         [JSC] Reduce size of SourceProvider
1221         https://bugs.webkit.org/show_bug.cgi?id=193544
1222
1223         Reviewed by Saam Barati.
1224
1225         This patch attempts to reduce the dirty memory footprint with the following 3 optimizations.
1226
1227         1. Reordering the members of SourceProvider to reduce its size. This affects JSC, and CachedScriptSourceProvider used in WebCore.
1228
1229         2. Create one SourceProvider for all the builtin code and use substring to create builtin JS functions.
1230            This reduces the number of SourceProviders created for builtins.
1231
1232         3. Drop the m_validated flag in SourceProvider since nobody uses it. It also deletes dead code in Parser.cpp.
1233
1234         Unfortunately, MSVC does not accept super long C string literals. So instead, we construct the combined string in the form of a C array.
1235
1236         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1237         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1238         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1239         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1240         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1241         (BuiltinsCombinedHeaderGenerator.generate_output):
1242         * Scripts/wkbuiltins/builtins_generate_combined_implementation.py:
1243         (BuiltinsCombinedImplementationGenerator.generate_output):
1244         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py:
1245         (BuiltinsSeparateImplementationGenerator.generate_output):
1246         * Scripts/wkbuiltins/builtins_generator.py:
1247         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1248         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1249         (BuiltinsGenerator.generate_embedded_code_string_section_for_function): Deleted.
1250         * builtins/BuiltinExecutables.cpp:
1251         (JSC::BuiltinExecutables::BuiltinExecutables):
1252         (JSC::JSC_FOREACH_BUILTIN_CODE):
1253         (JSC::BuiltinExecutables::createExecutable):
1254         * builtins/BuiltinExecutables.h:
1255         * parser/Parser.cpp:
1256         (JSC::Parser<LexerType>::Parser):
1257         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1258         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
1259         (JSC::Parser<LexerType>::parseObjectLiteral):
1260         (JSC::Parser<LexerType>::parseUnaryExpression):
1261         * parser/Parser.h:
1262         * parser/SourceCode.h:
1263         * parser/SourceProvider.cpp:
1264         (JSC::SourceProvider::SourceProvider):
1265         * parser/SourceProvider.h:
1266         (JSC::SourceProvider::isValid const): Deleted.
1267         (JSC::SourceProvider::setValid): Deleted.
1268         * runtime/CachedTypes.cpp:
1269         (JSC::CachedSourceProviderShape::encode):
1270         (JSC::CachedSourceProviderShape::decode const):
1271
1272 2019-01-20  Michael Catanzaro  <mcatanzaro@igalia.com>
1273
1274         Unreviewed, fix -Wint-in-bool-context warning
1275         https://bugs.webkit.org/show_bug.cgi?id=193483
1276         <rdar://problem/47280522>
1277
1278         * dfg/DFGFixupPhase.cpp:
1279         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
1280
1281 2019-01-20  Saam Barati  <sbarati@apple.com>
1282
1283         Rollout r240210: It broke tests on iOS
1284         https://bugs.webkit.org/show_bug.cgi?id=193640
1285
1286         Unreviewed. ~2650 tests are failing on iOS.
1287
1288         * CMakeLists.txt:
1289         * JavaScriptCore.xcodeproj/project.pbxproj:
1290         * Sources.txt:
1291         * builtins/BuiltinNames.cpp:
1292         (JSC::BuiltinNames::BuiltinNames):
1293         * builtins/BuiltinNames.h:
1294         * bytecode/CodeBlock.cpp:
1295         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1296         * bytecode/CodeBlock.h:
1297         * bytecode/HandlerInfo.h:
1298         * bytecode/InstructionStream.h:
1299         * bytecode/UnlinkedCodeBlock.h:
1300         (JSC::UnlinkedCodeBlock::addSetConstant):
1301         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1302         * bytecode/UnlinkedEvalCodeBlock.h:
1303         * bytecode/UnlinkedFunctionCodeBlock.h:
1304         * bytecode/UnlinkedFunctionExecutable.h:
1305         * bytecode/UnlinkedGlobalCodeBlock.h:
1306         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1307         * bytecode/UnlinkedMetadataTable.h:
1308         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1309         * bytecode/UnlinkedProgramCodeBlock.h:
1310         * interpreter/Interpreter.cpp:
1311         * jsc.cpp:
1312         (functionQuit):
1313         (runJSC):
1314         * parser/SourceCode.h:
1315         * parser/SourceCodeKey.h:
1316         (JSC::SourceCodeKey::operator!= const): Deleted.
1317         * parser/UnlinkedSourceCode.h:
1318         * parser/VariableEnvironment.h:
1319         * runtime/CachedTypes.cpp:
1320         (): Deleted.
1321         (JSC::Encoder::Allocation::buffer const): Deleted.
1322         (JSC::Encoder::Allocation::offset const): Deleted.
1323         (JSC::Encoder::Allocation::Allocation): Deleted.
1324         (JSC::Encoder::Encoder): Deleted.
1325         (JSC::Encoder::vm): Deleted.
1326         (JSC::Encoder::malloc): Deleted.
1327         (JSC::Encoder::offsetOf): Deleted.
1328         (JSC::Encoder::cachePtr): Deleted.
1329         (JSC::Encoder::offsetForPtr): Deleted.
1330         (JSC::Encoder::release): Deleted.
1331         (JSC::Encoder::Page::Page): Deleted.
1332         (JSC::Encoder::Page::malloc): Deleted.
1333         (JSC::Encoder::Page::buffer const): Deleted.
1334         (JSC::Encoder::Page::size const): Deleted.
1335         (JSC::Encoder::Page::getOffset const): Deleted.
1336         (JSC::Encoder::allocateNewPage): Deleted.
1337         (JSC::Decoder::Decoder): Deleted.
1338         (JSC::Decoder::~Decoder): Deleted.
1339         (JSC::Decoder::vm): Deleted.
1340         (JSC::Decoder::offsetOf): Deleted.
1341         (JSC::Decoder::cacheOffset): Deleted.
1342         (JSC::Decoder::addFinalizer): Deleted.
1343         (JSC::encode): Deleted.
1344         (JSC::decode): Deleted.
1345         (JSC::VariableLengthObject::buffer const): Deleted.
1346         (JSC::VariableLengthObject::allocate): Deleted.
1347         (JSC::CachedPtr::encode): Deleted.
1348         (JSC::CachedPtr::decode const): Deleted.
1349         (JSC::CachedPtr::operator-> const): Deleted.
1350         (JSC::CachedPtr::get const): Deleted.
1351         (JSC::CachedRefPtr::encode): Deleted.
1352         (JSC::CachedRefPtr::decode const): Deleted.
1353         (JSC::CachedWriteBarrier::encode): Deleted.
1354         (JSC::CachedWriteBarrier::decode const): Deleted.
1355         (JSC::CachedVector::encode): Deleted.
1356         (JSC::CachedVector::decode const): Deleted.
1357         (JSC::CachedPair::encode): Deleted.
1358         (JSC::CachedPair::decode const): Deleted.
1359         (JSC::CachedHashMap::encode): Deleted.
1360         (JSC::CachedHashMap::decode const): Deleted.
1361         (JSC::CachedUniquedStringImpl::encode): Deleted.
1362         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1363         (JSC::CachedStringImpl::encode): Deleted.
1364         (JSC::CachedStringImpl::decode const): Deleted.
1365         (JSC::CachedString::encode): Deleted.
1366         (JSC::CachedString::decode const): Deleted.
1367         (JSC::CachedIdentifier::encode): Deleted.
1368         (JSC::CachedIdentifier::decode const): Deleted.
1369         (JSC::CachedOptional::encode): Deleted.
1370         (JSC::CachedOptional::decode const): Deleted.
1371         (JSC::CachedOptional::decodeAsPtr const): Deleted.
1372         (JSC::CachedSimpleJumpTable::encode): Deleted.
1373         (JSC::CachedSimpleJumpTable::decode const): Deleted.
1374         (JSC::CachedStringJumpTable::encode): Deleted.
1375         (JSC::CachedStringJumpTable::decode const): Deleted.
1376         (JSC::CachedCodeBlockRareData::encode): Deleted.
1377         (JSC::CachedCodeBlockRareData::decode const): Deleted.
1378         (JSC::CachedBitVector::encode): Deleted.
1379         (JSC::CachedBitVector::decode const): Deleted.
1380         (JSC::CachedHashSet::encode): Deleted.
1381         (JSC::CachedHashSet::decode const): Deleted.
1382         (JSC::CachedConstantIdentifierSetEntry::encode): Deleted.
1383         (JSC::CachedConstantIdentifierSetEntry::decode const): Deleted.
1384         (JSC::CachedVariableEnvironment::encode): Deleted.
1385         (JSC::CachedVariableEnvironment::decode const): Deleted.
1386         (JSC::CachedArray::encode): Deleted.
1387         (JSC::CachedArray::decode const): Deleted.
1388         (JSC::CachedScopedArgumentsTable::encode): Deleted.
1389         (JSC::CachedScopedArgumentsTable::decode const): Deleted.
1390         (JSC::CachedSymbolTableEntry::encode): Deleted.
1391         (JSC::CachedSymbolTableEntry::decode const): Deleted.
1392         (JSC::CachedSymbolTable::encode): Deleted.
1393         (JSC::CachedSymbolTable::decode const): Deleted.
1394         (JSC::CachedImmutableButterfly::encode): Deleted.
1395         (JSC::CachedImmutableButterfly::decode const): Deleted.
1396         (JSC::CachedRegExp::encode): Deleted.
1397         (JSC::CachedRegExp::decode const): Deleted.
1398         (JSC::CachedTemplateObjectDescriptor::encode): Deleted.
1399         (JSC::CachedTemplateObjectDescriptor::decode const): Deleted.
1400         (JSC::CachedBigInt::encode): Deleted.
1401         (JSC::CachedBigInt::decode const): Deleted.
1402         (JSC::CachedJSValue::encode): Deleted.
1403         (JSC::CachedJSValue::decode const): Deleted.
1404         (JSC::CachedInstructionStream::encode): Deleted.
1405         (JSC::CachedInstructionStream::decode const): Deleted.
1406         (JSC::CachedMetadataTable::encode): Deleted.
1407         (JSC::CachedMetadataTable::decode const): Deleted.
1408         (JSC::CachedSourceOrigin::encode): Deleted.
1409         (JSC::CachedSourceOrigin::decode const): Deleted.
1410         (JSC::CachedTextPosition::encode): Deleted.
1411         (JSC::CachedTextPosition::decode const): Deleted.
1412         (JSC::CachedSourceProviderShape::encode): Deleted.
1413         (JSC::CachedSourceProviderShape::decode const): Deleted.
1414         (JSC::CachedStringSourceProvider::encode): Deleted.
1415         (JSC::CachedStringSourceProvider::decode const): Deleted.
1416         (JSC::CachedWebAssemblySourceProvider::encode): Deleted.
1417         (JSC::CachedWebAssemblySourceProvider::decode const): Deleted.
1418         (JSC::CachedSourceProvider::encode): Deleted.
1419         (JSC::CachedSourceProvider::decode const): Deleted.
1420         (JSC::CachedUnlinkedSourceCodeShape::encode): Deleted.
1421         (JSC::CachedUnlinkedSourceCodeShape::decode const): Deleted.
1422         (JSC::CachedSourceCode::encode): Deleted.
1423         (JSC::CachedSourceCode::decode const): Deleted.
1424         (JSC::CachedFunctionExecutable::firstLineOffset const): Deleted.
1425         (JSC::CachedFunctionExecutable::lineCount const): Deleted.
1426         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const): Deleted.
1427         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const): Deleted.
1428         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const): Deleted.
1429         (JSC::CachedFunctionExecutable::startOffset const): Deleted.
1430         (JSC::CachedFunctionExecutable::sourceLength const): Deleted.
1431         (JSC::CachedFunctionExecutable::parametersStartOffset const): Deleted.
1432         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const): Deleted.
1433         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const): Deleted.
1434         (JSC::CachedFunctionExecutable::parameterCount const): Deleted.
1435         (JSC::CachedFunctionExecutable::features const): Deleted.
1436         (JSC::CachedFunctionExecutable::sourceParseMode const): Deleted.
1437         (JSC::CachedFunctionExecutable::isInStrictContext const): Deleted.
1438         (JSC::CachedFunctionExecutable::hasCapturedVariables const): Deleted.
1439         (JSC::CachedFunctionExecutable::isBuiltinFunction const): Deleted.
1440         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const): Deleted.
1441         (JSC::CachedFunctionExecutable::constructAbility const): Deleted.
1442         (JSC::CachedFunctionExecutable::constructorKind const): Deleted.
1443         (JSC::CachedFunctionExecutable::functionMode const): Deleted.
1444         (JSC::CachedFunctionExecutable::scriptMode const): Deleted.
1445         (JSC::CachedFunctionExecutable::superBinding const): Deleted.
1446         (JSC::CachedFunctionExecutable::derivedContextType const): Deleted.
1447         (JSC::CachedFunctionExecutable::name const): Deleted.
1448         (JSC::CachedFunctionExecutable::ecmaName const): Deleted.
1449         (JSC::CachedFunctionExecutable::inferredName const): Deleted.
1450         (JSC::CachedCodeBlock::instructions const): Deleted.
1451         (JSC::CachedCodeBlock::thisRegister const): Deleted.
1452         (JSC::CachedCodeBlock::scopeRegister const): Deleted.
1453         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1454         (JSC::CachedCodeBlock::sourceURLDirective const): Deleted.
1455         (JSC::CachedCodeBlock::sourceMappingURLDirective const): Deleted.
1456         (JSC::CachedCodeBlock::usesEval const): Deleted.
1457         (JSC::CachedCodeBlock::isStrictMode const): Deleted.
1458         (JSC::CachedCodeBlock::isConstructor const): Deleted.
1459         (JSC::CachedCodeBlock::hasCapturedVariables const): Deleted.
1460         (JSC::CachedCodeBlock::isBuiltinFunction const): Deleted.
1461         (JSC::CachedCodeBlock::superBinding const): Deleted.
1462         (JSC::CachedCodeBlock::scriptMode const): Deleted.
1463         (JSC::CachedCodeBlock::isArrowFunctionContext const): Deleted.
1464         (JSC::CachedCodeBlock::isClassContext const): Deleted.
1465         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const): Deleted.
1466         (JSC::CachedCodeBlock::constructorKind const): Deleted.
1467         (JSC::CachedCodeBlock::derivedContextType const): Deleted.
1468         (JSC::CachedCodeBlock::evalContextType const): Deleted.
1469         (JSC::CachedCodeBlock::hasTailCalls const): Deleted.
1470         (JSC::CachedCodeBlock::lineCount const): Deleted.
1471         (JSC::CachedCodeBlock::endColumn const): Deleted.
1472         (JSC::CachedCodeBlock::numVars const): Deleted.
1473         (JSC::CachedCodeBlock::numCalleeLocals const): Deleted.
1474         (JSC::CachedCodeBlock::numParameters const): Deleted.
1475         (JSC::CachedCodeBlock::features const): Deleted.
1476         (JSC::CachedCodeBlock::parseMode const): Deleted.
1477         (JSC::CachedCodeBlock::codeType const): Deleted.
1478         (JSC::CachedCodeBlock::rareData const): Deleted.
1479         (JSC::CachedProgramCodeBlock::encode): Deleted.
1480         (JSC::CachedProgramCodeBlock::decode const): Deleted.
1481         (JSC::CachedModuleCodeBlock::encode): Deleted.
1482         (JSC::CachedModuleCodeBlock::decode const): Deleted.
1483         (JSC::CachedEvalCodeBlock::encode): Deleted.
1484         (JSC::CachedEvalCodeBlock::decode const): Deleted.
1485         (JSC::CachedFunctionCodeBlock::encode): Deleted.
1486         (JSC::CachedFunctionCodeBlock::decode const): Deleted.
1487         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock): Deleted.
1488         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
1489         (JSC::CachedCodeBlock<CodeBlockType>::decode const): Deleted.
1490         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock): Deleted.
1491         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock): Deleted.
1492         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock): Deleted.
1493         (JSC::CachedFunctionExecutable::encode): Deleted.
1494         (JSC::CachedFunctionExecutable::decode const): Deleted.
1495         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Deleted.
1496         (JSC::CachedCodeBlock<CodeBlockType>::encode): Deleted.
1497         (JSC::CachedSourceCodeKey::encode): Deleted.
1498         (JSC::CachedSourceCodeKey::decode const): Deleted.
1499         (JSC::CacheEntry::encode): Deleted.
1500         (JSC::CacheEntry:: const): Deleted.
1501         (JSC:: const): Deleted.
1502         (JSC::encodeCodeBlock): Deleted.
1503         (JSC::decodeCodeBlockImpl): Deleted.
1504         * runtime/CachedTypes.h:
1505         (JSC::decodeCodeBlock): Deleted.
1506         * runtime/CodeCache.cpp:
1507         (JSC::CodeCacheMap::pruneSlowCase):
1508         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1509         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1510         (JSC::CodeCache::write): Deleted.
1511         * runtime/CodeCache.h:
1512         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1513         (JSC::CodeCache::clear):
1514         (JSC::CodeCacheMap::begin): Deleted.
1515         (JSC::CodeCacheMap::end): Deleted.
1516         (JSC::CodeCacheMap::fetchFromDiskImpl): Deleted.
1517         (): Deleted.
1518         (JSC::writeCodeBlock): Deleted.
1519         * runtime/JSBigInt.cpp:
1520         (JSC::JSBigInt::offsetOfData):
1521         (JSC::JSBigInt::dataStorage):
1522         * runtime/JSBigInt.h:
1523         * runtime/Options.cpp:
1524         (JSC::recomputeDependentOptions):
1525         * runtime/Options.h:
1526         * runtime/RegExp.h:
1527         * runtime/ScopedArgumentsTable.h:
1528         * runtime/StackFrame.h:
1529         * runtime/StructureInlines.h:
1530         * runtime/SymbolTable.h:
1531
1532 2019-01-20  Saam Barati  <sbarati@apple.com>
1533
1534         MovHint must merge NodeBytecodeUsesAsValue for its child in backwards propagation
1535         https://bugs.webkit.org/show_bug.cgi?id=186916
1536         <rdar://problem/41396612>
1537
1538         Reviewed by Yusuke Suzuki.
1539
1540         Otherwise, we may not think we care about the non-integral part in
1541         a division (or perhaps overflow in an add, etc). Consider a program
1542         like this:
1543         
1544         ```return a / b```
1545         
1546         That gets compiled to:
1547         ```
1548         a: ArithDiv // We don't check that the remainder is zero here.
1549         b: MovHint(@a)
1550         c: ForceOSRExit
1551         d: Unreachable
1552         ```
1553         
1554         If we don't inform @a that we care about its result in full number
1555         accuracy, it will choose to ignore its non-integral remainder. This
1556         makes sense if *every* use of the Div only cared about
1557         the integral part. However, OSR exit is not one of those users. OSR
1558         exit cares about the fractional bits in such a Div.
1559
1560         * dfg/DFGBackwardsPropagationPhase.cpp:
1561         (JSC::DFG::BackwardsPropagationPhase::propagate):
1562
1563 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1564
1565         [JSC] Invalidate old scope operations using global lexical binding epoch
1566         https://bugs.webkit.org/show_bug.cgi?id=193603
1567         <rdar://problem/47380869>
1568
1569         Reviewed by Saam Barati.
1570
1571         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
1572         scope-related operations since we may have had a global property previously. Consider the following example:
1573
1574             foo = 0;
1575             function get() { return foo; }
1576             print(get()); // 0
1577             print(get()); // 0
1578             delete globalThis.foo;
1579             $.evalScript(`const foo = 42;`);
1580             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
1581
1582         To invalidate the cache easily, we introduce a global lexical binding epoch. It is bumped every time we introduce a new lexical binding
1583         into JSGlobalLexicalEnvironment, since that name could have shadowed a global property name previously. In op_resolve_scope, we first check
1584         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
1585         operation to the appropriate one even if the resolve type is not UnresolvedProperty. After updating the resolve type of the bytecode,
1586         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
1587
1588         In op_get_from_scope and op_put_to_scope, we do not use this epoch since the Structure check can do the same thing instead. If op_resolve_scope
1589         is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, obviously the structure check fails.
1590         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
1591
1592         So, the metadata for scope-related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint-based approach.
1593         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid an
1594         infinite compile-and-fail loop.
1595
1596         When the global lexical binding epoch overflows, we iterate all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
1597         happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
1598         structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
1599         reason.
1600
1601         * bytecode/BytecodeList.rb:
1602         * bytecode/CodeBlock.cpp:
1603         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1604         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
1605         * bytecode/CodeBlock.h:
1606         * dfg/DFGByteCodeParser.cpp:
1607         (JSC::DFG::ByteCodeParser::parseBlock):
1608         * dfg/DFGDesiredGlobalProperties.cpp:
1609         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1610         * dfg/DFGDesiredGlobalProperties.h:
1611         * dfg/DFGGraph.cpp:
1612         (JSC::DFG::Graph::watchGlobalProperty):
1613         * dfg/DFGGraph.h:
1614         * dfg/DFGPlan.cpp:
1615         (JSC::DFG::Plan::isStillValidOnMainThread):
1616         * jit/JITPropertyAccess.cpp:
1617         (JSC::JIT::emit_op_resolve_scope):
1618         * jit/JITPropertyAccess32_64.cpp:
1619         (JSC::JIT::emit_op_resolve_scope):
1620         * llint/LowLevelInterpreter32_64.asm:
1621         * llint/LowLevelInterpreter64.asm:
1622         * runtime/CommonSlowPaths.cpp:
1623         (JSC::SLOW_PATH_DECL):
1624         * runtime/CommonSlowPaths.h:
1625         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1626         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1627         * runtime/JSGlobalObject.cpp:
1628         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
1629         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1630         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1631         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
1632         * runtime/JSGlobalObject.h:
1633         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
1634         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
1635         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
1636         * runtime/Options.cpp:
1637         (JSC::correctOptions):
1638         (JSC::Options::initialize):
1639         (JSC::Options::setOptions):
1640         (JSC::Options::setOptionWithoutAlias):
1641         * runtime/Options.h:
1642         * runtime/ProgramExecutable.cpp:
1643         (JSC::ProgramExecutable::initializeGlobalProperties):
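
The epoch mechanism described in this entry, as an added C++ model that is not JavaScriptCore's own code: `GlobalObject`, `ResolveScopeMetadata`, the tiny `epochThreshold` and the `replayScenario()` driver are assumptions chosen for the model. It replays the `foo` example above and then forces an epoch wrap-around to show why every live CodeBlock is rewritten at that point.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <utility>
#include <vector>

enum class ResolveType { UnresolvedProperty, GlobalProperty, GlobalLexicalVar };

// Per-op_resolve_scope metadata: the cached resolve type and the epoch it was cached in.
struct ResolveScopeMetadata {
    std::string name;
    ResolveType resolveType = ResolveType::UnresolvedProperty;
    uint8_t cachedEpoch = 0; // 0 is never a live epoch, so the first execution takes the slow path
};
struct CodeBlock { std::vector<ResolveScopeMetadata> resolveScopes; };

class GlobalObject {
public:
    // Assumption for this model: a tiny threshold so the wrap-around path is exercised below.
    static constexpr uint8_t epochThreshold = 4;
    void putGlobalProperty(const std::string& name, int value) { m_properties[name] = value; }
    void deleteGlobalProperty(const std::string& name) { m_properties.erase(name); }
    void registerCodeBlock(CodeBlock* codeBlock) { m_liveCodeBlocks.push_back(codeBlock); }
    uint8_t epoch() const { return m_epoch; }

    // A new lexical binding bumps the epoch even when it shadows nothing right now: a global
    // property of that name may have existed earlier and still be cached by some CodeBlock.
    void addLexicalBinding(const std::string& name, int value) {
        m_lexicalBindings[name] = value;
        bumpEpoch();
    }

    // Models op_resolve_scope: fast path while the cached epoch matches, slow path otherwise.
    ResolveType resolveScope(ResolveScopeMetadata& md, bool& tookSlowPath) {
        if (md.cachedEpoch == m_epoch) {
            tookSlowPath = false;
            return md.resolveType;
        }
        tookSlowPath = true;
        rewrite(md);
        return md.resolveType;
    }

    // Models op_get_from_scope reading through whichever scope op_resolve_scope selected.
    int getFromScope(ResolveScopeMetadata& md) {
        bool tookSlowPath = false;
        switch (resolveScope(md, tookSlowPath)) {
        case ResolveType::GlobalLexicalVar: return m_lexicalBindings.at(md.name);
        case ResolveType::GlobalProperty: return m_properties.at(md.name);
        case ResolveType::UnresolvedProperty: break;
        }
        return -1; // stands in for a ReferenceError in this model
    }

private:
    ResolveType computeResolveType(const std::string& name) const {
        if (m_lexicalBindings.count(name)) return ResolveType::GlobalLexicalVar; // bindings shadow properties
        if (m_properties.count(name)) return ResolveType::GlobalProperty;
        return ResolveType::UnresolvedProperty;
    }
    void rewrite(ResolveScopeMetadata& md) const {
        md.resolveType = computeResolveType(md.name);
        md.cachedEpoch = m_epoch;
    }
    void bumpEpoch() {
        if (++m_epoch == epochThreshold) {
            // The epoch wrapped: start a new generation and rewrite every live CodeBlock, so no
            // stale metadata from the old generation can accidentally match a reused epoch value.
            m_epoch = 1;
            for (CodeBlock* codeBlock : m_liveCodeBlocks)
                for (auto& md : codeBlock->resolveScopes)
                    rewrite(md);
        }
    }
    std::map<std::string, int> m_properties;
    std::map<std::string, int> m_lexicalBindings;
    std::vector<CodeBlock*> m_liveCodeBlocks;
    uint8_t m_epoch = 1;
};

// Replays the example above: foo = 0; get() runs twice; delete foo; const foo = 42; get() again.
// Returns {value get() sees after the lexical binding, cache still correct after an epoch wrap}.
std::pair<int, bool> replayScenario() {
    GlobalObject global;
    CodeBlock getFunction;                       // models `function get() { return foo; }`
    getFunction.resolveScopes.push_back({"foo"});
    global.registerCodeBlock(&getFunction);
    ResolveScopeMetadata& md = getFunction.resolveScopes[0];
    global.putGlobalProperty("foo", 0);
    global.getFromScope(md);                     // slow path: caches GlobalProperty under epoch 1
    global.getFromScope(md);                     // fast path: epochs match
    global.deleteGlobalProperty("foo");
    global.addLexicalBinding("foo", 42);         // epoch 1 -> 2 although nothing is shadowed now
    int afterBinding = global.getFromScope(md);  // epoch mismatch: slow path re-resolves, yields 42
    global.addLexicalBinding("bar", 1);          // epoch 3
    global.addLexicalBinding("baz", 2);          // reaches epochThreshold: wraps to 1, rewrites CodeBlocks
    bool tookSlowPath = true;
    bool stillCorrect = global.resolveScope(md, tookSlowPath) == ResolveType::GlobalLexicalVar
        && !tookSlowPath && global.epoch() == 1;
    return { afterBinding, stillCorrect };
}
```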
1644
1645 2019-01-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1646
1647         [JSC] Shrink data structure size in JSC/heap
1648         https://bugs.webkit.org/show_bug.cgi?id=193612
1649
1650         Reviewed by Saam Barati.
1651
1652         This patch reduces the size of data structures in JSC/heap. Basically, we reorder the members to remove padding.
1653
1654         For Subspace, we drop CellAttributes `m_attributes`. Instead, we use `heapCellType->attributes()`. And we use
1655         FreeList::cellSize() instead of holding m_cellSize in LocalAllocator.
1656
1657         This change reduces the size of JSC::VM too since it includes JSC::Heap. The size of VM goes from 78208 to 76696.
1658
1659         * heap/BlockDirectory.cpp:
1660         * heap/BlockDirectory.h:
1661         * heap/CollectionScope.h:
1662         * heap/CompleteSubspace.cpp:
1663         (JSC::CompleteSubspace::allocatorForSlow):
1664         * heap/FreeList.h:
1665         (JSC::FreeList::offsetOfCellSize):
1666         (JSC::FreeList::cellSize const):
1667         * heap/Heap.cpp:
1668         (JSC::Heap::Heap):
1669         (JSC::Heap::updateObjectCounts):
1670         (JSC::Heap::addToRememberedSet):
1671         (JSC::Heap::runBeginPhase):
1672         (JSC::Heap::willStartCollection):
1673         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
1674         (JSC::Heap::deleteSourceProviderCaches):
1675         (JSC::Heap::notifyIncrementalSweeper):
1676         (JSC::Heap::updateAllocationLimits):
1677         * heap/Heap.h:
1678         * heap/IsoAlignedMemoryAllocator.h:
1679         * heap/LargeAllocation.cpp:
1680         * heap/LocalAllocator.cpp:
1681         (JSC::LocalAllocator::LocalAllocator):
1682         * heap/LocalAllocator.h:
1683         (JSC::LocalAllocator::cellSize const):
1684         (JSC::LocalAllocator::offsetOfCellSize):
1685         * heap/MarkedSpace.cpp:
1686         (JSC::MarkedSpace::MarkedSpace):
1687         * heap/MarkedSpace.h:
1688         * heap/MarkingConstraint.h:
1689         * heap/Subspace.cpp:
1690         (JSC::Subspace::initialize):
1691         * heap/Subspace.h:
1692         (JSC::Subspace::attributes const): Deleted.
1693         * heap/SubspaceInlines.h:
1694         (JSC::Subspace::forEachMarkedCell):
1695         (JSC::Subspace::forEachMarkedCellInParallel):
1696         (JSC::Subspace::forEachLiveCell):
1697         (JSC::Subspace::attributes const):
1698
1699 2019-01-20  Tadeu Zagallo  <tzagallo@apple.com>
1700
1701         Cache bytecode to disk
1702         https://bugs.webkit.org/show_bug.cgi?id=192782
1703         <rdar://problem/46084932>
1704
1705         Reviewed by Keith Miller.
1706
1707         Add the logic to serialize and deserialize the new JSC bytecode. For now,
1708         the cache is only used for tests.
1709
1710         Each class that can be serialized has a counterpart in CachedTypes, which
1711         handles the decoding and encoding. When decoding, the cached objects are
1712         mmap'd from disk, but only used for creating instances of the respective
1713         in-memory version of each object. Ideally, the mmap'd objects should be
1714         used at runtime in the future.
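
An added example, not JSC's CachedTypes code: a pointer-free, offset-based encoder/decoder in the spirit of the CachedTypes counterparts described above. `Function`, `CachedFunction`, `Encoder`, `Decoder` and `corruptNameOffset()` are assumptions for the model; the decoder range-checks every offset because a cache file read back from disk is input, not trusted memory.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// In-memory object, standing in for something like an UnlinkedFunctionExecutable.
struct Function {
    std::string name;
    uint32_t parameterCount = 0;
    std::vector<uint8_t> instructions;
};

// On-disk counterparts carry no pointers, only offsets into the cache buffer, so the
// buffer can be mmap'd at any address and validated before use.
struct CachedBytes { uint32_t offset; uint32_t length; };
struct CachedFunction { CachedBytes name; uint32_t parameterCount; CachedBytes instructions; };

class Encoder {
public:
    // Reserve `size` bytes (8-byte aligned) and return their offset. Offsets stay valid
    // across later allocations; raw pointers into m_buffer would not.
    uint32_t malloc(size_t size) {
        size_t offset = (m_buffer.size() + 7) & ~static_cast<size_t>(7);
        m_buffer.resize(offset + size);
        return static_cast<uint32_t>(offset);
    }
    CachedBytes encodeBytes(const uint8_t* data, size_t length) {
        uint32_t offset = malloc(length);
        if (length) std::memcpy(m_buffer.data() + offset, data, length);
        return { offset, static_cast<uint32_t>(length) };
    }
    template<typename T> void write(uint32_t offset, const T& value) {
        std::memcpy(m_buffer.data() + offset, &value, sizeof(T));
    }
    std::vector<uint8_t> release() { return std::move(m_buffer); }
private:
    std::vector<uint8_t> m_buffer;
};

// The decoder treats the cache as untrusted input: every offset/length pair is
// range-checked against the mapped size before it is dereferenced.
class Decoder {
public:
    Decoder(const uint8_t* base, size_t size) : m_base(base), m_size(size) { }
    const uint8_t* bytes(CachedBytes ref) const {
        if (ref.offset > m_size || ref.length > m_size - ref.offset) return nullptr;
        return m_base + ref.offset;
    }
    template<typename T> bool read(uint32_t offset, T& out) const {
        if (offset > m_size || sizeof(T) > m_size - offset) return false;
        std::memcpy(&out, m_base + offset, sizeof(T));
        return true;
    }
private:
    const uint8_t* m_base;
    size_t m_size;
};

std::vector<uint8_t> encodeFunction(const Function& function) {
    Encoder encoder;
    uint32_t root = encoder.malloc(sizeof(CachedFunction)); // root record lives at offset 0
    CachedFunction cached;
    cached.name = encoder.encodeBytes(reinterpret_cast<const uint8_t*>(function.name.data()), function.name.size());
    cached.parameterCount = function.parameterCount;
    cached.instructions = encoder.encodeBytes(function.instructions.data(), function.instructions.size());
    encoder.write(root, cached); // written last: the buffer may have moved during the allocations above
    return encoder.release();
}

// Returns false instead of reading out of bounds when the cache is truncated or corrupted.
bool decodeFunction(const std::vector<uint8_t>& cache, Function& out) {
    Decoder decoder(cache.data(), cache.size());
    CachedFunction cached;
    if (!decoder.read(0, cached)) return false;
    const uint8_t* name = decoder.bytes(cached.name);
    const uint8_t* instructions = decoder.bytes(cached.instructions);
    if (!name || !instructions) return false;
    out.name.assign(reinterpret_cast<const char*>(name), cached.name.length);
    out.parameterCount = cached.parameterCount;
    out.instructions.assign(instructions, instructions + cached.instructions.length);
    return true;
}

// Constructed sample input for the checks below.
Function sampleFunction() { return { "add", 2, { 0x01, 0x02, 0x03, 0x04, 0x05 } }; }

// Simulates a damaged cache file by pointing the name record past the end of the buffer.
std::vector<uint8_t> corruptNameOffset(std::vector<uint8_t> cache) {
    CachedFunction cached;
    std::memcpy(&cached, cache.data(), sizeof(cached));
    cached.name.offset = 0xFFFFFFF0u;
    std::memcpy(cache.data(), &cached, sizeof(cached));
    return cache;
}
```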
1715
1716         * CMakeLists.txt:
1717         * JavaScriptCore.xcodeproj/project.pbxproj:
1718         * Sources.txt:
1719         * builtins/BuiltinNames.cpp:
1720         (JSC::BuiltinNames::BuiltinNames):
1721         * builtins/BuiltinNames.h:
1722         * bytecode/CodeBlock.cpp:
1723         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1724         * bytecode/CodeBlock.h:
1725         * bytecode/HandlerInfo.h:
1726         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
1727         * bytecode/InstructionStream.h:
1728         * bytecode/UnlinkedCodeBlock.h:
1729         (JSC::UnlinkedCodeBlock::addSetConstant):
1730         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1731         * bytecode/UnlinkedEvalCodeBlock.h:
1732         * bytecode/UnlinkedFunctionCodeBlock.h:
1733         * bytecode/UnlinkedFunctionExecutable.h:
1734         * bytecode/UnlinkedGlobalCodeBlock.h:
1735         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1736         * bytecode/UnlinkedMetadataTable.h:
1737         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1738         * bytecode/UnlinkedProgramCodeBlock.h:
1739         * interpreter/Interpreter.cpp:
1740         * jsc.cpp:
1741         (functionQuit):
1742         (runJSC):
1743         * parser/SourceCode.h:
1744         * parser/SourceCodeKey.h:
1745         (JSC::SourceCodeKey::operator!= const):
1746         * parser/UnlinkedSourceCode.h:
1747         * parser/VariableEnvironment.h:
1748         * runtime/CachedTypes.cpp: Added.
1749         (JSC::Encoder::Allocation::buffer const):
1750         (JSC::Encoder::Allocation::offset const):
1751         (JSC::Encoder::Allocation::Allocation):
1752         (JSC::Encoder::Encoder):
1753         (JSC::Encoder::vm):
1754         (JSC::Encoder::malloc):
1755         (JSC::Encoder::offsetOf):
1756         (JSC::Encoder::cachePtr):
1757         (JSC::Encoder::offsetForPtr):
1758         (JSC::Encoder::release):
1759         (JSC::Encoder::Page::Page):
1760         (JSC::Encoder::Page::malloc):
1761         (JSC::Encoder::Page::buffer const):
1762         (JSC::Encoder::Page::size const):
1763         (JSC::Encoder::Page::getOffset const):
1764         (JSC::Encoder::allocateNewPage):
1765         (JSC::Decoder::Decoder):
1766         (JSC::Decoder::~Decoder):
1767         (JSC::Decoder::vm):
1768         (JSC::Decoder::offsetOf):
1769         (JSC::Decoder::cacheOffset):
1770         (JSC::Decoder::addFinalizer):
1771         (JSC::encode):
1772         (JSC::decode):
1773         (JSC::VariableLengthObject::buffer const):
1774         (JSC::VariableLengthObject::allocate):
1775         (JSC::CachedPtr::encode):
1776         (JSC::CachedPtr::decode const):
1777         (JSC::CachedPtr::operator-> const):
1778         (JSC::CachedPtr::get const):
1779         (JSC::CachedRefPtr::encode):
1780         (JSC::CachedRefPtr::decode const):
1781         (JSC::CachedWriteBarrier::encode):
1782         (JSC::CachedWriteBarrier::decode const):
1783         (JSC::CachedVector::encode):
1784         (JSC::CachedVector::decode const):
1785         (JSC::CachedPair::encode):
1786         (JSC::CachedPair::decode const):
1787         (JSC::CachedHashMap::encode):
1788         (JSC::CachedHashMap::decode const):
1789         (JSC::CachedUniquedStringImpl::encode):
1790         (JSC::CachedUniquedStringImpl::decode const):
1791         (JSC::CachedStringImpl::encode):
1792         (JSC::CachedStringImpl::decode const):
1793         (JSC::CachedString::encode):
1794         (JSC::CachedString::decode const):
1795         (JSC::CachedIdentifier::encode):
1796         (JSC::CachedIdentifier::decode const):
1797         (JSC::CachedOptional::encode):
1798         (JSC::CachedOptional::decode const):
1799         (JSC::CachedOptional::decodeAsPtr const):
1800         (JSC::CachedSimpleJumpTable::encode):
1801         (JSC::CachedSimpleJumpTable::decode const):
1802         (JSC::CachedStringJumpTable::encode):
1803         (JSC::CachedStringJumpTable::decode const):
1804         (JSC::CachedCodeBlockRareData::encode):
1805         (JSC::CachedCodeBlockRareData::decode const):
1806         (JSC::CachedBitVector::encode):
1807         (JSC::CachedBitVector::decode const):
1808         (JSC::CachedHashSet::encode):
1809         (JSC::CachedHashSet::decode const):
1810         (JSC::CachedConstantIdentifierSetEntry::encode):
1811         (JSC::CachedConstantIdentifierSetEntry::decode const):
1812         (JSC::CachedVariableEnvironment::encode):
1813         (JSC::CachedVariableEnvironment::decode const):
1814         (JSC::CachedArray::encode):
1815         (JSC::CachedArray::decode const):
1816         (JSC::CachedScopedArgumentsTable::encode):
1817         (JSC::CachedScopedArgumentsTable::decode const):
1818         (JSC::CachedSymbolTableEntry::encode):
1819         (JSC::CachedSymbolTableEntry::decode const):
1820         (JSC::CachedSymbolTable::encode):
1821         (JSC::CachedSymbolTable::decode const):
1822         (JSC::CachedImmutableButterfly::encode):
1823         (JSC::CachedImmutableButterfly::decode const):
1824         (JSC::CachedRegExp::encode):
1825         (JSC::CachedRegExp::decode const):
1826         (JSC::CachedTemplateObjectDescriptor::encode):
1827         (JSC::CachedTemplateObjectDescriptor::decode const):
1828         (JSC::CachedBigInt::encode):
1829         (JSC::CachedBigInt::decode const):
1830         (JSC::CachedJSValue::encode):
1831         (JSC::CachedJSValue::decode const):
1832         (JSC::CachedInstructionStream::encode):
1833         (JSC::CachedInstructionStream::decode const):
1834         (JSC::CachedMetadataTable::encode):
1835         (JSC::CachedMetadataTable::decode const):
1836         (JSC::CachedSourceOrigin::encode):
1837         (JSC::CachedSourceOrigin::decode const):
1838         (JSC::CachedTextPosition::encode):
1839         (JSC::CachedTextPosition::decode const):
1840         (JSC::CachedSourceProviderShape::encode):
1841         (JSC::CachedSourceProviderShape::decode const):
1842         (JSC::CachedStringSourceProvider::encode):
1843         (JSC::CachedStringSourceProvider::decode const):
1844         (JSC::CachedWebAssemblySourceProvider::encode):
1845         (JSC::CachedWebAssemblySourceProvider::decode const):
1846         (JSC::CachedSourceProvider::encode):
1847         (JSC::CachedSourceProvider::decode const):
1848         (JSC::CachedUnlinkedSourceCodeShape::encode):
1849         (JSC::CachedUnlinkedSourceCodeShape::decode const):
1850         (JSC::CachedSourceCode::encode):
1851         (JSC::CachedSourceCode::decode const):
1852         (JSC::CachedFunctionExecutable::firstLineOffset const):
1853         (JSC::CachedFunctionExecutable::lineCount const):
1854         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
1855         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
1856         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
1857         (JSC::CachedFunctionExecutable::startOffset const):
1858         (JSC::CachedFunctionExecutable::sourceLength const):
1859         (JSC::CachedFunctionExecutable::parametersStartOffset const):
1860         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
1861         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
1862         (JSC::CachedFunctionExecutable::parameterCount const):
1863         (JSC::CachedFunctionExecutable::features const):
1864         (JSC::CachedFunctionExecutable::sourceParseMode const):
1865         (JSC::CachedFunctionExecutable::isInStrictContext const):
1866         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
1867         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
1868         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
1869         (JSC::CachedFunctionExecutable::constructAbility const):
1870         (JSC::CachedFunctionExecutable::constructorKind const):
1871         (JSC::CachedFunctionExecutable::functionMode const):
1872         (JSC::CachedFunctionExecutable::scriptMode const):
1873         (JSC::CachedFunctionExecutable::superBinding const):
1874         (JSC::CachedFunctionExecutable::derivedContextType const):
1875         (JSC::CachedFunctionExecutable::name const):
1876         (JSC::CachedFunctionExecutable::ecmaName const):
1877         (JSC::CachedFunctionExecutable::inferredName const):
1878         (JSC::CachedCodeBlock::instructions const):
1879         (JSC::CachedCodeBlock::thisRegister const):
1880         (JSC::CachedCodeBlock::scopeRegister const):
1881         (JSC::CachedCodeBlock::globalObjectRegister const):
1882         (JSC::CachedCodeBlock::sourceURLDirective const):
1883         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
1884         (JSC::CachedCodeBlock::usesEval const):
1885         (JSC::CachedCodeBlock::isStrictMode const):
1886         (JSC::CachedCodeBlock::isConstructor const):
1887         (JSC::CachedCodeBlock::hasCapturedVariables const):
1888         (JSC::CachedCodeBlock::isBuiltinFunction const):
1889         (JSC::CachedCodeBlock::superBinding const):
1890         (JSC::CachedCodeBlock::scriptMode const):
1891         (JSC::CachedCodeBlock::isArrowFunctionContext const):
1892         (JSC::CachedCodeBlock::isClassContext const):
1893         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
1894         (JSC::CachedCodeBlock::constructorKind const):
1895         (JSC::CachedCodeBlock::derivedContextType const):
1896         (JSC::CachedCodeBlock::evalContextType const):
1897         (JSC::CachedCodeBlock::hasTailCalls const):
1898         (JSC::CachedCodeBlock::lineCount const):
1899         (JSC::CachedCodeBlock::endColumn const):
1900         (JSC::CachedCodeBlock::numVars const):
1901         (JSC::CachedCodeBlock::numCalleeLocals const):
1902         (JSC::CachedCodeBlock::numParameters const):
1903         (JSC::CachedCodeBlock::features const):
1904         (JSC::CachedCodeBlock::parseMode const):
1905         (JSC::CachedCodeBlock::codeType const):
1906         (JSC::CachedCodeBlock::rareData const):
1907         (JSC::CachedProgramCodeBlock::encode):
1908         (JSC::CachedProgramCodeBlock::decode const):
1909         (JSC::CachedModuleCodeBlock::encode):
1910         (JSC::CachedModuleCodeBlock::decode const):
1911         (JSC::CachedEvalCodeBlock::encode):
1912         (JSC::CachedEvalCodeBlock::decode const):
1913         (JSC::CachedFunctionCodeBlock::encode):
1914         (JSC::CachedFunctionCodeBlock::decode const):
1915         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
1916         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1917         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1918         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
1919         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
1920         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
1921         (JSC::CachedFunctionExecutable::encode):
1922         (JSC::CachedFunctionExecutable::decode const):
1923         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1924         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1925         (JSC::CachedSourceCodeKey::encode):
1926         (JSC::CachedSourceCodeKey::decode const):
1927         (JSC::CacheEntry::encode):
1928         (JSC::CacheEntry:: const):
1929         (JSC:: const):
1930         (JSC::encodeCodeBlock):
1931         (JSC::decodeCodeBlockImpl):
1932         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
1933         (JSC::decodeCodeBlock):
1934         * runtime/CodeCache.cpp:
1935         (JSC::CodeCacheMap::pruneSlowCase):
1936         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1937         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1938         (JSC::CodeCache::write):
1939         * runtime/CodeCache.h:
1940         (JSC::CodeCacheMap::begin):
1941         (JSC::CodeCacheMap::end):
1942         (JSC::CodeCacheMap::fetchFromDiskImpl):
1943         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1944         (JSC::writeCodeBlock):
1945         * runtime/JSBigInt.cpp:
1946         * runtime/JSBigInt.h:
1947         * runtime/Options.cpp:
1948         (JSC::recomputeDependentOptions):
1949         * runtime/Options.h:
1950         * runtime/RegExp.h:
1951         * runtime/ScopedArgumentsTable.h:
1952         * runtime/StackFrame.h:
1953         * runtime/StructureInlines.h:
1954         * runtime/SymbolTable.h:
1955
1956 2019-01-20  Antoine Quint  <graouts@apple.com>
1957
1958         Add a POINTER_EVENTS feature flag
1959         https://bugs.webkit.org/show_bug.cgi?id=193577
1960         <rdar://problem/47408511>
1961
1962         Unreviewed. Also enable Pointer Events for iosmac.
1963
1964         * Configurations/FeatureDefines.xcconfig:
1965
1966 2019-01-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1967
1968         [JSC] Reorder JSSegmentedVariableObject member for preparation of JSGlobalObject memory reduction
1969         https://bugs.webkit.org/show_bug.cgi?id=193609
1970
1971         Reviewed by Sam Weinig.
1972
1973         Basically, we should order the members in large => small order so as not to add padding.
1974
1975         * runtime/JSSegmentedVariableObject.h:
1976
1977 2019-01-19  Antoine Quint  <graouts@apple.com>
1978
1979         Add a POINTER_EVENTS feature flag
1980         https://bugs.webkit.org/show_bug.cgi?id=193577
1981
1982         Reviewed by Dean Jackson.
1983
1984         * Configurations/FeatureDefines.xcconfig:
1985
1986 2019-01-18  Keith Miller  <keith_miller@apple.com>
1987
1988         JSScript API should only take ascii files.
1989         https://bugs.webkit.org/show_bug.cgi?id=193420
1990
1991         Reviewed by Saam Barati.
1992
1993         This patch leaves the UTF8 method for binary compatibility, which
1994         will be removed later.
1995
1996         * API/JSScript.h:
1997         * API/JSScript.mm:
1998         (fillBufferWithContentsOfFile):
1999         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
2000         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
2001         * API/tests/testapi.mm:
2002         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
2003
2004 2019-01-18  David Kilzer  <ddkilzer@apple.com>
2005
2006         Follow-up: Gigacages should start allocations from a slide
2007         <https://bugs.webkit.org/show_bug.cgi?id=193523>
2008         <rdar://problem/44958707>
2009
2010         * ftl/FTLLowerDFGToB3.cpp:
2011         (JSC::FTL::DFG::LowerDFGToB3::caged): Add UNUSED_PARAM(kind) to
2012         fix the build.
2013
2014 2019-01-18  Jer Noble  <jer.noble@apple.com>
2015
2016         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
2017         https://bugs.webkit.org/show_bug.cgi?id=189553
2018
2019         Reviewed by Tim Horton.
2020
2021         * Configurations/Base.xcconfig:
2022         * Configurations/SDKVariant.xcconfig: Added.
2023
2024 2019-01-18  Keith Miller  <keith_miller@apple.com>
2025
2026         Gigacages should start allocations from a slide
2027         https://bugs.webkit.org/show_bug.cgi?id=193523
2028
2029         Reviewed by Mark Lam.
2030
2031         This patch changes some macros into constants since macros are the
2032         devil.
2033
2034         * ftl/FTLLowerDFGToB3.cpp:
2035         (JSC::FTL::DFG::LowerDFGToB3::caged):
2036         * llint/LowLevelInterpreter64.asm:
2037
2038 2019-01-18  Matt Lewis  <jlewis3@apple.com>
2039
2040         Unreviewed, rolling out r240160.
2041
2042         This broke multiple internal builds.
2043
2044         Reverted changeset:
2045
2046         "Gigacages should start allocations from a slide"
2047         https://bugs.webkit.org/show_bug.cgi?id=193523
2048         https://trac.webkit.org/changeset/240160
2049
2050 2019-01-18  Keith Miller  <keith_miller@apple.com>
2051
2052         Gigacages should start allocations from a slide
2053         https://bugs.webkit.org/show_bug.cgi?id=193523
2054
2055         Reviewed by Mark Lam.
2056
2057         This patch changes some macros into constants since macros are the
2058         devil.
2059
2060         * llint/LowLevelInterpreter64.asm:
2061
2062 2019-01-17  Mark Lam  <mark.lam@apple.com>
2063
2064         Audit bytecode fields and ensure that LLInt instructions for accessing them are appropriate.
2065         https://bugs.webkit.org/show_bug.cgi?id=193557
2066         <rdar://problem/47369125>
2067
2068         Reviewed by Yusuke Suzuki.
2069
2070         1. Rename some bytecode fields so that it's easier to discern whether the LLInt
2071            is accessing them the right way:
2072            - distinguish between targetVirtualRegister and targetLabel.
2073            - name all StructureID fields as structureID (oldStructureID, newStructureID)
2074              instead of structure (oldStructure, newStructure).
2075
2076         2. Use bitwise_cast in struct Fits when sizeof(T) == size.
2077            This prevents potential undefined behavior issues arising from doing
2078            assignments with reinterpret_cast'ed pointers.
2079
2080         3. Make Special::Pointer an unsigned type (previously int).
2081            Make ResolveType an unsigned type (previously int).
2082
2083         4. In LowLevelInterpreter*.asm:
2084
2085            - rename the op macro argument to opcodeName or opcodeStruct respectively.
2086              This makes it clearer which argument type the macro is working with.
2087
2088            - rename the name macro argument to opcodeName.
2089
2090            - fix operator types to match the field type being accessed.  The following
2091              may have resulted in bugs before:
2092
2093              1. The following should be read with getu() instead of get() because they
2094                 are unsigned ints:
2095                     OpSwitchImm::m_tableIndex
2096                     OpSwitchChar::m_tableIndex
2097                     OpGetFromArguments::m_index
2098                     OpPutToArguments::m_index
2099                     OpGetRestLength::m_numParametersToSkip
2100
2101                 OpJneqPtr::m_specialPointer should also be read with getu() though this
2102                 wasn't a bug because it was previously an int by default, and is only
2103                 changed to an unsigned int in this patch.
2104
2105              2. The following should be read with loadi (not loadp) because they are of
2106                unsigned type (not a pointer):
2107                     OpResolveScope::Metadata::m_resolveType
2108                     CodeBlock::m_numParameters (see prepareForTailCall)
2109
2110              3. OpPutToScope::Metadata::m_operand should be read with loadp (not loadis)
2111                 because it is a uintptr_t.
2112
2113              4. The following should be read with loadi (not loadis) because they are
2114                 unsigned ints:
2115                     OpNegate::Metadata::m_arithProfile + ArithProfile::m_bits
2116                     OpPutById::Metadata::m_oldStructureID
2117                     OpPutToScope::Metadata::m_getPutInfo + GetPutInfo::m_operand
2118
2119                 These may not have manifested in bugs because the operations that follow
2120                 the load are 32-bit instructions which ignore the high word.
2121
2122         5. Give class GetPutInfo a default constructor so that we can use bitwise_cast
2123            on it.  Also befriend LLIntOffsetsExtractor so that we can take the offset of
2124            m_operand in it.
2125
2126         * bytecode/ArithProfile.h:
2127         * bytecode/BytecodeList.rb:
2128         * bytecode/BytecodeUseDef.h:
2129         (JSC::computeUsesForBytecodeOffset):
2130         (JSC::computeDefsForBytecodeOffset):
2131         * bytecode/CodeBlock.cpp:
2132         (JSC::CodeBlock::propagateTransitions):
2133         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2134         * bytecode/Fits.h:
2135         * bytecode/GetByIdMetadata.h:
2136         * bytecode/GetByIdStatus.cpp:
2137         (JSC::GetByIdStatus::computeFromLLInt):
2138         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2139         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2140         * bytecode/PreciseJumpTargetsInlines.h:
2141         (JSC::jumpTargetForInstruction):
2142         (JSC::updateStoredJumpTargetsForInstruction):
2143         * bytecode/PutByIdStatus.cpp:
2144         (JSC::PutByIdStatus::computeFromLLInt):
2145         * bytecode/SpecialPointer.h:
2146         * bytecompiler/BytecodeGenerator.cpp:
2147         (JSC::Label::setLocation):
2148         * dfg/DFGByteCodeParser.cpp:
2149         (JSC::DFG::ByteCodeParser::parseBlock):
2150         * jit/JITArithmetic.cpp:
2151         (JSC::JIT::emit_compareAndJump):
2152         (JSC::JIT::emit_compareUnsignedAndJump):
2153         (JSC::JIT::emit_compareAndJumpSlow):
2154         * jit/JITArithmetic32_64.cpp:
2155         (JSC::JIT::emit_compareAndJump):
2156         (JSC::JIT::emit_compareUnsignedAndJump):
2157         (JSC::JIT::emit_compareAndJumpSlow):
2158         (JSC::JIT::emitBinaryDoubleOp):
2159         * jit/JITOpcodes.cpp:
2160         (JSC::JIT::emit_op_jmp):
2161         (JSC::JIT::emit_op_jfalse):
2162         (JSC::JIT::emit_op_jeq_null):
2163         (JSC::JIT::emit_op_jneq_null):
2164         (JSC::JIT::emit_op_jneq_ptr):
2165         (JSC::JIT::emit_op_jeq):
2166         (JSC::JIT::emit_op_jtrue):
2167         (JSC::JIT::emit_op_jneq):
2168         (JSC::JIT::compileOpStrictEqJump):
2169         (JSC::JIT::emitSlow_op_jstricteq):
2170         (JSC::JIT::emitSlow_op_jnstricteq):
2171         (JSC::JIT::emit_op_check_tdz):
2172         (JSC::JIT::emitSlow_op_jeq):
2173         (JSC::JIT::emitSlow_op_jneq):
2174         (JSC::JIT::emit_op_profile_type):
2175         * jit/JITOpcodes32_64.cpp:
2176         (JSC::JIT::emit_op_jmp):
2177         (JSC::JIT::emit_op_jfalse):
2178         (JSC::JIT::emit_op_jtrue):
2179         (JSC::JIT::emit_op_jeq_null):
2180         (JSC::JIT::emit_op_jneq_null):
2181         (JSC::JIT::emit_op_jneq_ptr):
2182         (JSC::JIT::emit_op_jeq):
2183         (JSC::JIT::emitSlow_op_jeq):
2184         (JSC::JIT::emit_op_jneq):
2185         (JSC::JIT::emitSlow_op_jneq):
2186         (JSC::JIT::compileOpStrictEqJump):
2187         (JSC::JIT::emitSlow_op_jstricteq):
2188         (JSC::JIT::emitSlow_op_jnstricteq):
2189         (JSC::JIT::emit_op_check_tdz):
2190         (JSC::JIT::emit_op_profile_type):
2191         * llint/LLIntSlowPaths.cpp:
2192         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2193         (JSC::LLInt::setupGetByIdPrototypeCache):
2194         * llint/LowLevelInterpreter.asm:
2195         * llint/LowLevelInterpreter32_64.asm:
2196         * llint/LowLevelInterpreter64.asm:
2197         * runtime/CommonSlowPaths.cpp:
2198         * runtime/GetPutInfo.h:
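
The load-width and signedness mismatches that the audit above describes can be reproduced outside the LLInt. The following is an added example written for this page, not JavaScriptCore code: it models the offlineasm operators loadi, loadis and loadp with a DataView over a constructed 16-byte record (the field names, offsets, types and sample values are assumptions for the demo, not the real bytecode metadata layout) and shows what each mismatched operator produces for the three kinds of field the audit lists: an unsigned 32-bit field, a signed 32-bit field and a uintptr_t field.

```javascript
// Added example, not JavaScriptCore code: models the offlineasm load operators
// discussed in the audit above (loadi, loadis, loadp) with a DataView so the
// effect of a mismatched operator can be seen on ordinary input. The record
// layout, field names and values are constructed for the demo; they are not
// the real JSC bytecode metadata layout.

const LE = true; // little-endian, as on x86-64 and arm64

// Hypothetical 16-byte metadata record and the C type of each field.
const FIELDS = {
  m_index:       { offset: 0, type: "u32"  }, // unsigned int, e.g. an arguments index
  m_targetLabel: { offset: 4, type: "i32"  }, // signed int, a relative jump offset
  m_operand:     { offset: 8, type: "uptr" }, // uintptr_t, a packed operand word
};

function makeRecord({ index, targetLabel, operand }) {
  const view = new DataView(new ArrayBuffer(16));
  view.setUint32(FIELDS.m_index.offset, index, LE);
  view.setInt32(FIELDS.m_targetLabel.offset, targetLabel, LE);
  view.setBigUint64(FIELDS.m_operand.offset, operand, LE);
  return view;
}

// Each operator returns the 64-bit register value it would produce, as a BigInt.
// loadi zero-extends a 32-bit load, loadis sign-extends it, and loadp loads a
// full pointer-width (64-bit) word.
function loadi(view, offset)  { return BigInt(view.getUint32(offset, LE)); }
function loadis(view, offset) { return BigInt(view.getInt32(offset, LE)); }
function loadp(view, offset)  { return view.getBigUint64(offset, LE); }

// The fix the audit applies: pick the operator from the declared field type,
// so a signed or narrow load cannot be used on an unsigned or pointer-sized field.
const LOADER_FOR_TYPE = { u32: loadi, i32: loadis, uptr: loadp };

function loadField(view, name) {
  const { offset, type } = FIELDS[name];
  return LOADER_FOR_TYPE[type](view, offset);
}

// Side by side: the type-matched operator versus the mismatched one.
function auditLoads(view) {
  return {
    // unsigned index with the high bit set: loadis sign-extends it into a
    // negative register value (or, read unsigned, an index near 2^64)
    index:       { right: loadField(view, "m_index"),
                   wrong: loadis(view, FIELDS.m_index.offset) },
    // negative jump offset: loadi drops the sign and makes it a huge forward jump
    targetLabel: { right: loadField(view, "m_targetLabel"),
                   wrong: loadi(view, FIELDS.m_targetLabel.offset) },
    // uintptr_t operand: a 32-bit load keeps only the low word
    operand:     { right: loadField(view, "m_operand"),
                   wrong: loadis(view, FIELDS.m_operand.offset) },
  };
}

// Constructed sample record: an index above INT32_MAX, a jump back by 8, and an
// operand whose high 32 bits are non-zero.
const sample = makeRecord({ index: 0x80000005, targetLabel: -8, operand: 0x0000000100000002n });

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, { right, wrong }] of Object.entries(auditLoads(sample)))
    console.log(`${name}: right=${right} wrong=${wrong}`);
}
```

Run under node; auditLoads(sample) returns, per field, the value the type-matched loader produces next to the value the mismatched operator produces. The design mirrors the patch: the operator is derived from the declared field type in one table, so a field's width and signedness can only be wrong in one place instead of at every access site.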
2199
2200 2019-01-17  Truitt Savell  <tsavell@apple.com>
2201
2202         Unreviewed, rolling out r240124.
2203
2204         This commit broke an internal build.
2205
2206         Reverted changeset:
2207
2208         "SDK_VARIANT build destinations should be separate from non-
2209         SDK_VARIANT builds"
2210         https://bugs.webkit.org/show_bug.cgi?id=189553
2211         https://trac.webkit.org/changeset/240124
2212
2213 2019-01-17  Jer Noble  <jer.noble@apple.com>
2214
2215         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
2216         https://bugs.webkit.org/show_bug.cgi?id=189553
2217
2218         Reviewed by Tim Horton.
2219
2220         * Configurations/Base.xcconfig:
2221         * Configurations/SDKVariant.xcconfig: Added.
2222
2223 2019-01-17  Saam barati  <sbarati@apple.com>
2224
2225         StringObjectUse should not be a structure check for the original string object structure
2226         https://bugs.webkit.org/show_bug.cgi?id=193483
2227         <rdar://problem/47280522>
2228
2229         Reviewed by Yusuke Suzuki.
2230
2231         Prior to this patch, the use kind for StringObjectUse implied that we
2232         do a StructureCheck on the input operand for the *original* StringObject
2233         structure. This is generally not how we use UseKinds, so it's no surprise
2234         that this is buggy. A UseKind should map to a set of SpeculatedTypes, not an
2235         actual set of structures. This patch changes the meaning of StringObjectUse
2236         to mean an object where jsDynamicCast<StringObject*> would succeed.
2237         
2238         This patch also fixes a bug that was caused by the old and weird usage of the
2239         UseKind to mean StructureCheck. Consider a program like this:
2240         ```
2241         S1 = Original StringObject structure
2242         S2 = Original StringObject structure with the field "f" added
2243         
2244         a: GetLocal()
2245         b: CheckStructure(@a, {S2})
2246         c: ToString(StringObject:@a)
2247         ```
2248         
2249         According to AI, in the above program, we would exit at @c, since
2250         StringObject:@a implies a structure check of {S1}, and the intersection
2251         of {S1} and {S2} is {}. So, we'd convert the program to be:
2252         ```
2253         a: GetLocal()
2254         b: CheckStructure(@a, {S2})
2255         c: Check(StringObject:@a)
2256         d: Unreachable
2257         ```
2258         
2259         However, AI would set the proof status of the StringObject:@a edge
2260         to be proven, since the SpeculatedType for @a is SpecStringObject.
2261         This was incorrect of AI to do because the SpeculatedType itself
2262         didn't capture the full power of StringObjectUse. However, having
2263         a UseKind mean CheckStructure is weird precisely because what AI was
2264         doing is a natural fit to how we typically think about UseKinds.
2265         
2266         So the above program would then incorrectly be converted to this, and
2267         we'd crash when reaching the Unreachable node:
2268         ```
2269         a: GetLocal()
2270         b: CheckStructure(@a, {S2})
2271         d: Unreachable
2272         ```
2273         
2274         This patch makes it so that StringObjectUse just means that the object that
2275         filters through a StringObjectUse check must !!jsDynamicCast<StringObject*>.
2276         This is now in line with all other UseKinds. It also lets us simplify a bunch
2277         of other code that had weird checks for the StringObjectUse UseKind.
2278         
2279         This patch also makes it so that anywhere where we used to rely on
2280         StringObjectUse implying a structure check we actually emit an explicit
2281         CheckStructure node.
2282
2283         * JavaScriptCore.xcodeproj/project.pbxproj:
2284         * bytecode/ExitKind.cpp:
2285         (JSC::exitKindToString):
2286         * bytecode/ExitKind.h:
2287         * dfg/DFGAbstractInterpreterInlines.h:
2288         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2289         * dfg/DFGCSEPhase.cpp:
2290         * dfg/DFGClobberize.h:
2291         (JSC::DFG::clobberize):
2292         * dfg/DFGEdgeUsesStructure.h: Removed.
2293         * dfg/DFGFixupPhase.cpp:
2294         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2295         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
2296         (JSC::DFG::FixupPhase::fixupToPrimitive):
2297         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2298         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2299         (JSC::DFG::FixupPhase::isStringObjectUse): Deleted.
2300         * dfg/DFGGraph.cpp:
2301         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2302         * dfg/DFGMayExit.cpp:
2303         * dfg/DFGSpeculativeJIT.cpp:
2304         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
2305         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2306         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2307         * dfg/DFGSpeculativeJIT.h:
2308         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): Deleted.
2309         * dfg/DFGUseKind.h:
2310         (JSC::DFG::alreadyChecked):
2311         (JSC::DFG::usesStructure): Deleted.
2312         * ftl/FTLLowerDFGToB3.cpp:
2313         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
2314         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObject):
2315         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
2316         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForCell):
2317         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForStructureID): Deleted.
2318         * runtime/JSType.cpp:
2319         (WTF::printInternal):
2320         * runtime/JSType.h:
2321         * runtime/StringObject.h:
2322         (JSC::StringObject::createStructure):
2323         * runtime/StringPrototype.h:
2324
2325 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2326
2327         [JSC] Add generateHeapSnapshotForGCDebugging function to dump GCDebugging data
2328         https://bugs.webkit.org/show_bug.cgi?id=193526
2329
2330         Reviewed by Michael Saboff.
2331
2332         This patch adds generateHeapSnapshotForGCDebugging to the JSC shell to dump a heap snapshot JSON string with the GCDebugging option.
2333         GCDebuggingSnapshot mode is slightly different from InspectorSnapshot in terms of both the output data and the behavior.
2334         It always takes a full snapshot, and it reports internal data too. This is useful to view the live heap objects after running
2335         the code. Also, generateHeapSnapshotForGCDebugging returns a String instead of parsing it to a JSObject internally by calling
2336         JSON.parse. If we convert the String to a bunch of objects by using JSON.parse, it is difficult to call generateHeapSnapshotForGCDebugging
2337         multiple times for debugging. Currently, it only generates a large string, which is easily distinguishable in the heap inspector tool.
2338
2339         * jsc.cpp:
2340         (GlobalObject::finishCreation):
2341         (functionGenerateHeapSnapshotForGCDebugging):
2342
2343 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2344
2345         [JSC] ToThis omission in DFGByteCodeParser is wrong
2346         https://bugs.webkit.org/show_bug.cgi?id=193513
2347         <rdar://problem/45842236>
2348
2349         Reviewed by Saam Barati.
2350
2351         DFGByteCodeParser omitted the ToThis node when we have `ToThis(ToThis(value))`. This is wrong if ToThis has different semantics
2352         in sloppy mode and strict mode. If we convert `ToThisInSloppyMode(ToThisInStrictMode(boolean))` to `ToThisInStrictMode(boolean)`,
2353         we get boolean instead of BooleanObject.
2354
2355         This optimization was introduced more than 7 years ago, and since then, we have added several optimizations that can remove such ToThis nodes
2356         in BytecodeParser, AI, and Fixup. Furthermore, this optimization is simply wrong since the `toThis()` function of JSCell can be defined
2357         as they want. Before ensuring all the toThis functions are safe, we should not fold `ToThis(ToThis(value))` => `ToThis(value)`.
2358         This patch just removes the problematic optimization. The performance numbers look neutral.
2359
2360         * dfg/DFGAbstractInterpreterInlines.h:
2361         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2362         * dfg/DFGByteCodeParser.cpp:
2363         (JSC::DFG::ByteCodeParser::parseBlock):
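
The strictness-dependent difference that makes the fold above unsound is visible from plain JavaScript, without the DFG. The block below is an added example written for this page, not JavaScriptCore code: it builds a strict-mode and a sloppy-mode function with the Function constructor (so their strictness does not depend on the surrounding file), computes ToThisInSloppyMode(ToThisInStrictMode(value)) and the folded ToThisInStrictMode(value), and reports for which inputs the two disagree. The function names and sample values are constructed for the demo.

```javascript
// Added example, not JavaScriptCore code: demonstrates why
// ToThis(ToThis(value)) must not be folded to the inner ToThis when the two
// conversions run under different strictness. The functions are created with
// the Function constructor so their strictness is fixed by their own body,
// not by whether this file is strict. Names and sample values are constructed.

// A strict-mode function receives `this` exactly as passed (ToThisInStrictMode).
const thisInStrictMode = new Function('"use strict"; return this;');

// A sloppy-mode function boxes primitive `this` values into wrapper objects and
// maps undefined/null to the global object (ToThisInSloppyMode).
const thisInSloppyMode = new Function("return this;");

// ToThisInSloppyMode(ToThisInStrictMode(value)), as the bytecode computes it.
function nestedToThis(value) {
  return thisInSloppyMode.call(thisInStrictMode.call(value));
}

// What the removed DFG fold produced: only the inner, strict conversion survives.
function foldedToThis(value) {
  return thisInStrictMode.call(value);
}

// Compare both results for one input; `same` is true only when the fold is harmless.
function checkFold(value) {
  const nested = nestedToThis(value);
  const folded = foldedToThis(value);
  return {
    nestedType: typeof nested, // "object" once the sloppy conversion boxed it
    foldedType: typeof folded, // the primitive's own type
    same: Object.is(nested, folded),
  };
}

// Survey of inputs: the fold only holds where the sloppy conversion is the identity,
// i.e. for objects; primitives get boxed and undefined becomes the global object.
function surveyFold() {
  return {
    boolean: checkFold(true),
    number: checkFold(42),
    undefined: checkFold(undefined),
    object: checkFold({}),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [input, result] of Object.entries(surveyFold()))
    console.log(input, result);
}
```

For a boolean input, nestedToThis(true) yields a Boolean object while foldedToThis(true) yields the primitive true, which is exactly the boolean-versus-BooleanObject mismatch described above; only for object inputs do the two agree, which is why the fold looked safe in the common case.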
2364
2365 2019-01-16  Mark Lam  <mark.lam@apple.com>
2366
2367         Refactor new bytecode structs so that the fields are prefixed with "m_".
2368         https://bugs.webkit.org/show_bug.cgi?id=193467
2369
2370         Reviewed by Saam Barati and Tadeu Zagallo.
2371
2372         This makes it easier to do a manual audit of type correctness of the LLInt
2373         instructions used to access these fields.  Without this change, it would be
2374         difficult (and error prone) to distinguish the difference between field names and
2375         macro variables.  This audit will be done after this patch lands.
2376
2377         * bytecode/BytecodeGeneratorification.cpp:
2378         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2379         * bytecode/BytecodeUseDef.h:
2380         (JSC::computeUsesForBytecodeOffset):
2381         * bytecode/CallLinkStatus.cpp:
2382         (JSC::CallLinkStatus::computeFromLLInt):
2383         * bytecode/CodeBlock.cpp:
2384         (JSC::CodeBlock::finishCreation):
2385         (JSC::CodeBlock::propagateTransitions):
2386         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2387         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
2388         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2389         (JSC::CodeBlock::getArrayProfile):
2390         (JSC::CodeBlock::notifyLexicalBindingShadowing):
2391         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2392         (JSC::CodeBlock::arithProfileForPC):
2393         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2394         * bytecode/CodeBlockInlines.h:
2395         (JSC::CodeBlock::forEachValueProfile):
2396         (JSC::CodeBlock::forEachArrayProfile):
2397         (JSC::CodeBlock::forEachArrayAllocationProfile):
2398         (JSC::CodeBlock::forEachObjectAllocationProfile):
2399         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2400         * bytecode/GetByIdStatus.cpp:
2401         (JSC::GetByIdStatus::computeFromLLInt):
2402         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2403         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2404         * bytecode/PreciseJumpTargetsInlines.h:
2405         (JSC::jumpTargetForInstruction):
2406         (JSC::extractStoredJumpTargetsForInstruction):
2407         (JSC::updateStoredJumpTargetsForInstruction):
2408         * bytecode/PutByIdStatus.cpp:
2409         (JSC::PutByIdStatus::computeFromLLInt):
2410         * bytecode/UnlinkedCodeBlock.cpp:
2411         (JSC::dumpLineColumnEntry):
2412         * bytecompiler/BytecodeGenerator.cpp:
2413         (JSC::BytecodeGenerator::fuseCompareAndJump):
2414         (JSC::BytecodeGenerator::fuseTestAndJmp):
2415         (JSC::BytecodeGenerator::emitEqualityOp):
2416         (JSC::BytecodeGenerator::endSwitch):
2417         (JSC::StructureForInContext::finalize):
2418         * dfg/DFGByteCodeParser.cpp:
2419         (JSC::DFG::ByteCodeParser::handleCall):
2420         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2421         (JSC::DFG::ByteCodeParser::parseGetById):
2422         (JSC::DFG::ByteCodeParser::parseBlock):
2423         (JSC::DFG::ByteCodeParser::handlePutByVal):
2424         (JSC::DFG::ByteCodeParser::handlePutAccessorById):
2425         (JSC::DFG::ByteCodeParser::handlePutAccessorByVal):
2426         (JSC::DFG::ByteCodeParser::handleNewFunc):
2427         (JSC::DFG::ByteCodeParser::handleNewFuncExp):
2428         * dfg/DFGOSREntry.cpp:
2429         (JSC::DFG::prepareCatchOSREntry):
2430         * ftl/FTLOperations.cpp:
2431         (JSC::FTL::operationMaterializeObjectInOSR):
2432         * generator/Argument.rb:
2433         * generator/Metadata.rb:
2434         * generator/Opcode.rb:
2435         * jit/JIT.h:
2436         * jit/JITArithmetic.cpp:
2437         (JSC::JIT::emit_op_unsigned):
2438         (JSC::JIT::emit_compareAndJump):
2439         (JSC::JIT::emit_compareUnsignedAndJump):
2440         (JSC::JIT::emit_compareUnsigned):
2441         (JSC::JIT::emit_compareAndJumpSlow):
2442         (JSC::JIT::emit_op_inc):
2443         (JSC::JIT::emit_op_dec):
2444         (JSC::JIT::emit_op_mod):
2445         (JSC::JIT::emit_op_negate):
2446         (JSC::JIT::emitBitBinaryOpFastPath):
2447         (JSC::JIT::emit_op_bitnot):
2448         (JSC::JIT::emitRightShiftFastPath):
2449         (JSC::JIT::emit_op_add):
2450         (JSC::JIT::emitMathICFast):
2451         (JSC::JIT::emitMathICSlow):
2452         (JSC::JIT::emit_op_div):
2453         (JSC::JIT::emit_op_mul):
2454         (JSC::JIT::emit_op_sub):
2455         * jit/JITArithmetic32_64.cpp:
2456         (JSC::JIT::emit_compareAndJump):
2457         (JSC::JIT::emit_compareUnsignedAndJump):
2458         (JSC::JIT::emit_compareUnsigned):
2459         (JSC::JIT::emit_compareAndJumpSlow):
2460         (JSC::JIT::emit_op_unsigned):
2461         (JSC::JIT::emit_op_inc):
2462         (JSC::JIT::emit_op_dec):
2463         (JSC::JIT::emitBinaryDoubleOp):
2464         (JSC::JIT::emit_op_mod):
2465         * jit/JITCall.cpp:
2466         (JSC::JIT::emitPutCallResult):
2467         (JSC::JIT::compileSetupFrame):
2468         (JSC::JIT::compileCallEvalSlowCase):
2469         (JSC::JIT::compileTailCall):
2470         (JSC::JIT::compileOpCall):
2471         * jit/JITCall32_64.cpp:
2472         (JSC::JIT::emitPutCallResult):
2473         (JSC::JIT::emit_op_ret):
2474         (JSC::JIT::compileSetupFrame):
2475         (JSC::JIT::compileCallEvalSlowCase):
2476         (JSC::JIT::compileOpCall):
2477         * jit/JITInlines.h:
2478         (JSC::JIT::emitValueProfilingSiteIfProfiledOpcode):
2479         (JSC::JIT::emitValueProfilingSite):
2480         (JSC::JIT::copiedGetPutInfo):
2481         (JSC::JIT::copiedArithProfile):
2482         * jit/JITOpcodes.cpp:
2483         (JSC::JIT::emit_op_mov):
2484         (JSC::JIT::emit_op_end):
2485         (JSC::JIT::emit_op_jmp):
2486         (JSC::JIT::emit_op_new_object):
2487         (JSC::JIT::emitSlow_op_new_object):
2488         (JSC::JIT::emit_op_overrides_has_instance):
2489         (JSC::JIT::emit_op_instanceof):
2490         (JSC::JIT::emitSlow_op_instanceof):
2491         (JSC::JIT::emit_op_is_empty):
2492         (JSC::JIT::emit_op_is_undefined):
2493         (JSC::JIT::emit_op_is_undefined_or_null):
2494         (JSC::JIT::emit_op_is_boolean):
2495         (JSC::JIT::emit_op_is_number):
2496         (JSC::JIT::emit_op_is_cell_with_type):
2497         (JSC::JIT::emit_op_is_object):
2498         (JSC::JIT::emit_op_ret):
2499         (JSC::JIT::emit_op_to_primitive):
2500         (JSC::JIT::emit_op_set_function_name):
2501         (JSC::JIT::emit_op_not):
2502         (JSC::JIT::emit_op_jfalse):
2503         (JSC::JIT::emit_op_jeq_null):
2504         (JSC::JIT::emit_op_jneq_null):
2505         (JSC::JIT::emit_op_jneq_ptr):
2506         (JSC::JIT::emit_op_eq):
2507         (JSC::JIT::emit_op_jeq):
2508         (JSC::JIT::emit_op_jtrue):
2509         (JSC::JIT::emit_op_neq):
2510         (JSC::JIT::emit_op_jneq):
2511         (JSC::JIT::emit_op_throw):
2512         (JSC::JIT::compileOpStrictEq):
2513         (JSC::JIT::compileOpStrictEqJump):
2514         (JSC::JIT::emitSlow_op_jstricteq):
2515         (JSC::JIT::emitSlow_op_jnstricteq):
2516         (JSC::JIT::emit_op_to_number):
2517         (JSC::JIT::emit_op_to_string):
2518         (JSC::JIT::emit_op_to_object):
2519         (JSC::JIT::emit_op_catch):
2520         (JSC::JIT::emit_op_get_parent_scope):
2521         (JSC::JIT::emit_op_switch_imm):
2522         (JSC::JIT::emit_op_switch_char):
2523         (JSC::JIT::emit_op_switch_string):
2524         (JSC::JIT::emit_op_debug):
2525         (JSC::JIT::emit_op_eq_null):
2526         (JSC::JIT::emit_op_neq_null):
2527         (JSC::JIT::emit_op_get_scope):
2528         (JSC::JIT::emit_op_to_this):
2529         (JSC::JIT::emit_op_create_this):
2530         (JSC::JIT::emit_op_check_tdz):
2531         (JSC::JIT::emitSlow_op_eq):
2532         (JSC::JIT::emitSlow_op_neq):
2533         (JSC::JIT::emitSlow_op_jeq):
2534         (JSC::JIT::emitSlow_op_jneq):
2535         (JSC::JIT::emitSlow_op_instanceof_custom):
2536         (JSC::JIT::emit_op_new_regexp):
2537         (JSC::JIT::emitNewFuncCommon):
2538         (JSC::JIT::emitNewFuncExprCommon):
2539         (JSC::JIT::emit_op_new_array):
2540         (JSC::JIT::emit_op_new_array_with_size):
2541         (JSC::JIT::emit_op_has_structure_property):
2542         (JSC::JIT::emit_op_has_indexed_property):
2543         (JSC::JIT::emitSlow_op_has_indexed_property):
2544         (JSC::JIT::emit_op_get_direct_pname):
2545         (JSC::JIT::emit_op_enumerator_structure_pname):
2546         (JSC::JIT::emit_op_enumerator_generic_pname):
2547         (JSC::JIT::emit_op_profile_type):
2548         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2549         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2550         (JSC::JIT::emit_op_profile_control_flow):
2551         (JSC::JIT::emit_op_argument_count):
2552         (JSC::JIT::emit_op_get_rest_length):
2553         (JSC::JIT::emit_op_get_argument):
2554         * jit/JITOpcodes32_64.cpp:
2555         (JSC::JIT::emit_op_mov):
2556         (JSC::JIT::emit_op_end):
2557         (JSC::JIT::emit_op_jmp):
2558         (JSC::JIT::emit_op_new_object):
2559         (JSC::JIT::emitSlow_op_new_object):
2560         (JSC::JIT::emit_op_overrides_has_instance):
2561         (JSC::JIT::emit_op_instanceof):
2562         (JSC::JIT::emitSlow_op_instanceof):
2563         (JSC::JIT::emitSlow_op_instanceof_custom):
2564         (JSC::JIT::emit_op_is_empty):
2565         (JSC::JIT::emit_op_is_undefined):
2566         (JSC::JIT::emit_op_is_undefined_or_null):
2567         (JSC::JIT::emit_op_is_boolean):
2568         (JSC::JIT::emit_op_is_number):
2569         (JSC::JIT::emit_op_is_cell_with_type):
2570         (JSC::JIT::emit_op_is_object):
2571         (JSC::JIT::emit_op_to_primitive):
2572         (JSC::JIT::emit_op_set_function_name):
2573         (JSC::JIT::emit_op_not):
2574         (JSC::JIT::emit_op_jfalse):
2575         (JSC::JIT::emit_op_jtrue):
2576         (JSC::JIT::emit_op_jeq_null):
2577         (JSC::JIT::emit_op_jneq_null):
2578         (JSC::JIT::emit_op_jneq_ptr):
2579         (JSC::JIT::emit_op_eq):
2580         (JSC::JIT::emitSlow_op_eq):
2581         (JSC::JIT::emit_op_jeq):
2582         (JSC::JIT::emitSlow_op_jeq):
2583         (JSC::JIT::emit_op_neq):
2584         (JSC::JIT::emitSlow_op_neq):
2585         (JSC::JIT::emit_op_jneq):
2586         (JSC::JIT::emitSlow_op_jneq):
2587         (JSC::JIT::compileOpStrictEq):
2588         (JSC::JIT::compileOpStrictEqJump):
2589         (JSC::JIT::emitSlow_op_jstricteq):
2590         (JSC::JIT::emitSlow_op_jnstricteq):
2591         (JSC::JIT::emit_op_eq_null):
2592         (JSC::JIT::emit_op_neq_null):
2593         (JSC::JIT::emit_op_throw):
2594         (JSC::JIT::emit_op_to_number):
2595         (JSC::JIT::emit_op_to_string):
2596         (JSC::JIT::emit_op_to_object):
2597         (JSC::JIT::emit_op_catch):
2598         (JSC::JIT::emit_op_get_parent_scope):
2599         (JSC::JIT::emit_op_switch_imm):
2600         (JSC::JIT::emit_op_switch_char):
2601         (JSC::JIT::emit_op_switch_string):
2602         (JSC::JIT::emit_op_debug):
2603         (JSC::JIT::emit_op_get_scope):
2604         (JSC::JIT::emit_op_create_this):
2605         (JSC::JIT::emit_op_to_this):
2606         (JSC::JIT::emit_op_check_tdz):
2607         (JSC::JIT::emit_op_has_structure_property):
2608         (JSC::JIT::emit_op_has_indexed_property):
2609         (JSC::JIT::emitSlow_op_has_indexed_property):
2610         (JSC::JIT::emit_op_get_direct_pname):
2611         (JSC::JIT::emit_op_enumerator_structure_pname):
2612         (JSC::JIT::emit_op_enumerator_generic_pname):
2613         (JSC::JIT::emit_op_profile_type):
2614         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2615         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2616         * jit/JITOperations.cpp:
2617         * jit/JITPropertyAccess.cpp:
2618         (JSC::JIT::emit_op_get_by_val):
2619         (JSC::JIT::emitGetByValWithCachedId):
2620         (JSC::JIT::emitSlow_op_get_by_val):
2621         (JSC::JIT::emit_op_put_by_val):
2622         (JSC::JIT::emitGenericContiguousPutByVal):
2623         (JSC::JIT::emitArrayStoragePutByVal):
2624         (JSC::JIT::emitPutByValWithCachedId):
2625         (JSC::JIT::emitSlow_op_put_by_val):
2626         (JSC::JIT::emit_op_put_getter_by_id):
2627         (JSC::JIT::emit_op_put_setter_by_id):
2628         (JSC::JIT::emit_op_put_getter_setter_by_id):
2629         (JSC::JIT::emit_op_put_getter_by_val):
2630         (JSC::JIT::emit_op_put_setter_by_val):
2631         (JSC::JIT::emit_op_del_by_id):
2632         (JSC::JIT::emit_op_del_by_val):
2633         (JSC::JIT::emit_op_try_get_by_id):
2634         (JSC::JIT::emitSlow_op_try_get_by_id):
2635         (JSC::JIT::emit_op_get_by_id_direct):
2636         (JSC::JIT::emitSlow_op_get_by_id_direct):
2637         (JSC::JIT::emit_op_get_by_id):
2638         (JSC::JIT::emit_op_get_by_id_with_this):
2639         (JSC::JIT::emitSlow_op_get_by_id):
2640         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2641         (JSC::JIT::emit_op_put_by_id):
2642         (JSC::JIT::emitSlow_op_put_by_id):
2643         (JSC::JIT::emit_op_in_by_id):
2644         (JSC::JIT::emitSlow_op_in_by_id):
2645         (JSC::JIT::emit_op_resolve_scope):
2646         (JSC::JIT::emit_op_get_from_scope):
2647         (JSC::JIT::emitSlow_op_get_from_scope):
2648         (JSC::JIT::emit_op_put_to_scope):
2649         (JSC::JIT::emit_op_get_from_arguments):
2650         (JSC::JIT::emit_op_put_to_arguments):
2651         (JSC::JIT::emitIntTypedArrayPutByVal):
2652         (JSC::JIT::emitFloatTypedArrayPutByVal):
2653         * jit/JITPropertyAccess32_64.cpp:
2654         (JSC::JIT::emit_op_put_getter_by_id):
2655         (JSC::JIT::emit_op_put_setter_by_id):
2656         (JSC::JIT::emit_op_put_getter_setter_by_id):
2657         (JSC::JIT::emit_op_put_getter_by_val):
2658         (JSC::JIT::emit_op_put_setter_by_val):
2659         (JSC::JIT::emit_op_del_by_id):
2660         (JSC::JIT::emit_op_del_by_val):
2661         (JSC::JIT::emit_op_get_by_val):
2662         (JSC::JIT::emitGetByValWithCachedId):
2663         (JSC::JIT::emitSlow_op_get_by_val):
2664         (JSC::JIT::emit_op_put_by_val):
2665         (JSC::JIT::emitGenericContiguousPutByVal):
2666         (JSC::JIT::emitArrayStoragePutByVal):
2667         (JSC::JIT::emitPutByValWithCachedId):
2668         (JSC::JIT::emitSlow_op_put_by_val):
2669         (JSC::JIT::emit_op_try_get_by_id):
2670         (JSC::JIT::emitSlow_op_try_get_by_id):
2671         (JSC::JIT::emit_op_get_by_id_direct):
2672         (JSC::JIT::emitSlow_op_get_by_id_direct):
2673         (JSC::JIT::emit_op_get_by_id):
2674         (JSC::JIT::emitSlow_op_get_by_id):
2675         (JSC::JIT::emit_op_get_by_id_with_this):
2676         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2677         (JSC::JIT::emit_op_put_by_id):
2678         (JSC::JIT::emitSlow_op_put_by_id):
2679         (JSC::JIT::emit_op_in_by_id):
2680         (JSC::JIT::emitSlow_op_in_by_id):
2681         (JSC::JIT::emit_op_resolve_scope):
2682         (JSC::JIT::emit_op_get_from_scope):
2683         (JSC::JIT::emitSlow_op_get_from_scope):
2684         (JSC::JIT::emit_op_put_to_scope):
2685         (JSC::JIT::emit_op_get_from_arguments):
2686         (JSC::JIT::emit_op_put_to_arguments):
2687         * llint/LLIntSlowPaths.cpp:
2688         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2689         (JSC::LLInt::setupGetByIdPrototypeCache):
2690         (JSC::LLInt::getByVal):
2691         (JSC::LLInt::genericCall):
2692         (JSC::LLInt::varargsSetup):
2693         (JSC::LLInt::commonCallEval):
2694         * llint/LowLevelInterpreter.asm:
2695         * llint/LowLevelInterpreter32_64.asm:
2696         * llint/LowLevelInterpreter64.asm:
2697         * runtime/CommonSlowPaths.cpp:
2698         (JSC::SLOW_PATH_DECL):
2699         (JSC::updateArithProfileForUnaryArithOp):
2700         * runtime/CommonSlowPaths.h:
2701         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2702         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2703
2704 2019-01-15  Mark Lam  <mark.lam@apple.com>
2705
2706         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2707         https://bugs.webkit.org/show_bug.cgi?id=193423
2708         <rdar://problem/46209355>
2709
2710         Reviewed by Saam Barati.
2711
2712         JSFunction::canUseAllocationProfile() should return false for most builtins
2713         because the majority of them have no prototype property.  The only exception to
2714         this is the few builtin functions that are explicitly used as constructors.
2715
2716         For these builtin constructors, JSFunction::canUseAllocationProfile() should also
2717         return false if the prototype property is a getter or custom getter because
2718         getting the prototype would then be effectful.
2719
2720         * dfg/DFGOperations.cpp:
2721         * runtime/CommonSlowPaths.cpp:
2722         (JSC::SLOW_PATH_DECL):
2723         * runtime/JSFunctionInlines.h:
2724         (JSC::JSFunction::canUseAllocationProfile):
2725         * runtime/PropertySlot.h:
2726
2727 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2728
2729         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2730         https://bugs.webkit.org/show_bug.cgi?id=193438
2731         <rdar://problem/45581249>
2732
2733         Reviewed by Saam Barati and Keith Miller.
2734
2735         GetByVal(Array::String) emits Check(String) before that. But AI can broaden the type constraint in the second run.
2736         After the first run removes Check(String), it can happen that AI starts saying the type of the 1st child is not String.
2737         To claim that it *is* a String type, we should use KnownStringUse here.
2738
2739         * dfg/DFGFixupPhase.cpp:
2740         (JSC::DFG::FixupPhase::fixupNode): StringCharAt and GetByVal(Array::String) share the underlying compiler code. We should
2741         change StringUse => KnownStringUse for StringCharAt too. And StringCharAt and StringCharCodeAt potentially have the same
2742         problem. This patch fixes it too.
2743         * dfg/DFGSSALoweringPhase.cpp:
2744         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2745         * ftl/FTLLowerDFGToB3.cpp:
2746         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2747         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2748
2749 2019-01-15  Saam Barati  <sbarati@apple.com>
2750
2751         Try ripping out inferred types because it might be a performance improvement
2752         https://bugs.webkit.org/show_bug.cgi?id=190906
2753
2754         Reviewed by Yusuke Suzuki.
2755
2756         This patch removes inferred types from JSC. Initial evidence shows that
2757         this might be around a ~1% speedup on Speedometer2 and JetStream2.
2758
2759         * JavaScriptCore.xcodeproj/project.pbxproj:
2760         * Sources.txt:
2761         * bytecode/AccessCase.cpp:
2762         (JSC::AccessCase::generateImpl):
2763         * bytecode/Fits.h:
2764         * bytecode/PutByIdFlags.cpp:
2765         (WTF::printInternal):
2766         * bytecode/PutByIdFlags.h:
2767         * bytecode/PutByIdStatus.cpp:
2768         (JSC::PutByIdStatus::computeFromLLInt):
2769         (JSC::PutByIdStatus::computeForStubInfo):
2770         (JSC::PutByIdStatus::computeFor):
2771         * bytecode/PutByIdVariant.cpp:
2772         (JSC::PutByIdVariant::operator=):
2773         (JSC::PutByIdVariant::replace):
2774         (JSC::PutByIdVariant::transition):
2775         (JSC::PutByIdVariant::setter):
2776         (JSC::PutByIdVariant::attemptToMerge):
2777         (JSC::PutByIdVariant::dumpInContext const):
2778         * bytecode/PutByIdVariant.h:
2779         (JSC::PutByIdVariant::requiredType const): Deleted.
2780         * dfg/DFGAbstractInterpreterInlines.h:
2781         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2782         * dfg/DFGAbstractValue.cpp:
2783         (JSC::DFG::AbstractValue::isType const): Deleted.
2784         * dfg/DFGAbstractValue.h:
2785         * dfg/DFGByteCodeParser.cpp:
2786         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2787         (JSC::DFG::ByteCodeParser::handlePutByOffset):
2788         (JSC::DFG::ByteCodeParser::load):
2789         (JSC::DFG::ByteCodeParser::store):
2790         (JSC::DFG::ByteCodeParser::handlePutById):
2791         (JSC::DFG::ByteCodeParser::parseBlock):
2792         * dfg/DFGConstantFoldingPhase.cpp:
2793         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2794         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2795         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2796         * dfg/DFGDesiredInferredType.h: Removed.
2797         * dfg/DFGDesiredWatchpoints.cpp:
2798         (JSC::DFG::DesiredWatchpoints::reallyAdd):
2799         (JSC::DFG::DesiredWatchpoints::areStillValid const):
2800         (JSC::DFG::DesiredWatchpoints::dumpInContext const):
2801         (JSC::DFG::InferredTypeAdaptor::add): Deleted.
2802         * dfg/DFGDesiredWatchpoints.h:
2803         (JSC::DFG::DesiredWatchpoints::isWatched):
2804         (JSC::DFG::InferredTypeAdaptor::hasBeenInvalidated): Deleted.
2805         (JSC::DFG::InferredTypeAdaptor::dumpInContext): Deleted.
2806         * dfg/DFGFixupPhase.cpp:
2807         (JSC::DFG::FixupPhase::fixupNode):
2808         * dfg/DFGGraph.cpp:
2809         (JSC::DFG::Graph::dump):
2810         (JSC::DFG::Graph::inferredValueForProperty):
2811         (JSC::DFG::Graph::inferredTypeFor): Deleted.
2812         * dfg/DFGGraph.h:
2813         (JSC::DFG::Graph::registerInferredType): Deleted.
2814         (JSC::DFG::Graph::inferredTypeForProperty): Deleted.
2815         * dfg/DFGInferredTypeCheck.cpp: Removed.
2816         * dfg/DFGInferredTypeCheck.h: Removed.
2817         * dfg/DFGNode.h:
2818         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2819         * dfg/DFGSafeToExecute.h:
2820         (JSC::DFG::safeToExecute):
2821         * ftl/FTLLowerDFGToB3.cpp:
2822         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2823         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType): Deleted.
2824         * generator/DSL.rb:
2825         * heap/Heap.cpp:
2826         (JSC::Heap::finalizeUnconditionalFinalizers):
2827         * jit/AssemblyHelpers.cpp:
2828         (JSC::AssemblyHelpers::branchIfNotType): Deleted.
2829         * jit/AssemblyHelpers.h:
2830         * jit/Repatch.cpp:
2831         (JSC::tryCachePutByID):
2832         * llint/LLIntOffsetsExtractor.cpp:
2833         * llint/LLIntSlowPaths.cpp:
2834         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2835         * llint/LowLevelInterpreter.asm:
2836         * llint/LowLevelInterpreter32_64.asm:
2837         * llint/LowLevelInterpreter64.asm:
2838         * runtime/InferredStructure.cpp:
2839         (JSC::InferredStructure::InferredStructure): Deleted.
2840         * runtime/InferredStructure.h:
2841         (): Deleted.
2842         * runtime/InferredStructureWatchpoint.cpp:
2843         (JSC::InferredStructureWatchpoint::fireInternal): Deleted.
2844         * runtime/InferredType.cpp: Removed.
2845         * runtime/InferredType.h: Removed.
2846         * runtime/InferredTypeInlines.h: Removed.
2847         * runtime/InferredTypeTable.cpp: Removed.
2848         * runtime/InferredTypeTable.h: Removed.
2849         * runtime/JSObjectInlines.h:
2850         (JSC::JSObject::putDirectInternal):
2851         * runtime/Structure.cpp:
2852         (JSC::Structure::materializePropertyTable):
2853         (JSC::Structure::addNewPropertyTransition):
2854         (JSC::Structure::removePropertyTransition):
2855         (JSC::Structure::willStoreValueSlow):
2856         (JSC::Structure::visitChildren):
2857         * runtime/Structure.h:
2858         (JSC::PropertyMapEntry::PropertyMapEntry):
2859         * runtime/StructureInlines.h:
2860         (JSC::Structure::get):
2861         * runtime/VM.cpp:
2862         (JSC::VM::VM):
2863         * runtime/VM.h:
2864
2865 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2866
2867         Unreviewed: Fix the -Wformat compiler warnings
2868
2869         * jsc.cpp:
2870         (jscmain):
2871
2872 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2873
2874         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2875         https://bugs.webkit.org/show_bug.cgi?id=192966
2876
2877         Reviewed by Yusuke Suzuki.
2878
2879         This patch changes the logic of how we lower bitwise operations, to
2880         consider only the type of the input nodes and fix them during FixupPhase,
2881         if necessary. We are also changing the prediction propagation rules
2882         for ValueBitOp to use `getHeapPrediction()`.
2883
2884         * dfg/DFGBackwardsPropagationPhase.cpp:
2885         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2886         (JSC::DFG::BackwardsPropagationPhase::propagate):
2887         * dfg/DFGByteCodeParser.cpp:
2888         (JSC::DFG::ByteCodeParser::parseBlock):
2889         * dfg/DFGFixupPhase.cpp:
2890         (JSC::DFG::FixupPhase::fixupNode):
2891         * dfg/DFGNode.h:
2892         (JSC::DFG::Node::hasInt32Result):
2893         (JSC::DFG::Node::hasNumberOrAnyIntResult):
2894         (JSC::DFG::Node::hasHeapPrediction):
2895         * dfg/DFGPredictionPropagationPhase.cpp:
2896
2897 2019-01-15  Joseph Pecoraro  <pecoraro@apple.com>
2898
2899         Web Inspector: Generate the DOMDebugger domain for Augmenting Agents (ObjC protocol)
2900         https://bugs.webkit.org/show_bug.cgi?id=193409
2901         <rdar://problem/44349411>
2902
2903         Reviewed by Devin Rousso.
2904
2905         * inspector/scripts/codegen/objc_generator.py:
2906         (ObjCGenerator):
2907         Generate DOMDebugger domain ObjC interfaces.
2908
2909 2019-01-15  Devin Rousso  <drousso@apple.com>
2910
2911         Web Inspector: Audit: create new IDL type for exposing special functionality in test context
2912         https://bugs.webkit.org/show_bug.cgi?id=193149
2913         <rdar://problem/46801218>
2914
2915         Reviewed by Joseph Pecoraro.
2916
2917         Create a new `AuditAgent` (and various subclasses for different inspection targets)
2918
2919         * inspector/protocol/Audit.json: Added.
2920         Add a `run` command that is a simpler version of `Runtime.evaluate`, except that it expects
2921         a function string instead of an arbitrary JavaScript expression.
2922         Add `setup` and `teardown` commands that create a JavaScript object that will be passed in
2923         to the test as an argument. Keep this object alive so that tests can add to the object and
2924         have later tests use what was added.
2925
2926         * inspector/agents/InspectorAuditAgent.h: Added.
2927         * inspector/agents/InspectorAuditAgent.cpp: Added.
2928         (Inspector::InspectorAuditAgent::InspectorAuditAgent):
2929         (Inspector::InspectorAuditAgent::didCreateFrontendAndBackend):
2930         (Inspector::InspectorAuditAgent::willDestroyFrontendAndBackend):
2931         (Inspector::InspectorAuditAgent::setup):
2932         (Inspector::InspectorAuditAgent::run):
2933         (Inspector::InspectorAuditAgent::teardown):
2934         (Inspector::InspectorAuditAgent::hasActiveAudit):
2935         (Inspector::InspectorAuditAgent::populateAuditObject):
2936
2937         * inspector/agents/JSGlobalObjectAuditAgent.h: Added.
2938         * inspector/agents/JSGlobalObjectAuditAgent.cpp: Added.
2939         (Inspector::JSGlobalObjectAuditAgent::JSGlobalObjectAuditAgent):
2940         (Inspector::JSGlobalObjectAuditAgent::injectedScriptForEval):
2941
2942         * inspector/JSGlobalObjectInspectorController.h:
2943         * inspector/JSGlobalObjectInspectorController.cpp:
2944         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2945         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2946         (Inspector::JSGlobalObjectInspectorController::jsAgentContext): Added.
2947         (Inspector::JSGlobalObjectInspectorController::createLazyAgents): Added.
2948
2949         * inspector/InjectedScript.h:
2950         * inspector/InjectedScript.cpp:
2951         (Inspector::InjectedScript::execute): Added.
2952         (Inspector::InjectedScript::arrayFromVector): Added.
2953         Create a version of `evaluate` that accepts a list of values to be passed in as arguments
2954         to the function that was created by the `eval` of the given `functionString`.
2955
2956         * inspector/InjectedScriptSource.js:
2957         (InjectedScript.prototype.execute): Added.
2958         (InjectedScript.prototype.evaluate):
2959         (InjectedScript.prototype.evaluateOnCallFrame):
2960         (InjectedScript.prototype._evaluateAndWrap):
2961         (InjectedScript.prototype._wrapAndSaveCall): Added.
2962         (InjectedScript.prototype._wrapCall): Added.
2963         (InjectedScript.prototype._evaluateOn):
2964         Refactor the `eval` and `saveResult` logic to allow for more flexibility for other callers.
2965
2966         * CMakeLists.txt:
2967         * DerivedSources-input.xcfilelist:
2968         * DerivedSources.make:
2969         * JavaScriptCore.xcodeproj/project.pbxproj:
2970         * Sources.txt:
2971         * UnifiedSources-input.xcfilelist:
2972
2973 2019-01-14  Michael Saboff  <msaboff@apple.com>
2974
2975         Add option to JSC to dump memory footprint on script completion
2976         https://bugs.webkit.org/show_bug.cgi?id=193422
2977
2978         Reviewed by Mark Lam.
2979
2980         Added the --footprint option to dump peak and current memory usage.  This uses the same
2981         OS calls added in r2362362.
2982
2983         * jsc.cpp:
2984         (printUsageStatement):
2985         (CommandLine::parseArguments):
2986         (jscmain):
2987
2988 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2989
2990         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2991         https://bugs.webkit.org/show_bug.cgi?id=193413
2992         <rdar://problem/46092389>
2993
2994         Reviewed by Keith Miller.
2995
2996         If GetByVal's DFG::ArrayMode's type is Array::Double, we expect that the result of GetByVal is Double, since we already performed CheckStructure or CheckArray
2997         to ensure this array type. But this assumption on the given value becomes wrong in AI, since CheckStructure may not perform filtering. And the proven AbstractValue
2998         in GetByVal would not be the expected one.
2999
3000         We have the graph before performing constant folding.
3001
3002         53:<!0:->     GetLocal(Check:Untyped:@77, JS|MustGen|UseAsOther, Array, arg2(C<Array>/FlushedCell), R:Stack(7), bc#37, ExitValid)  predicting Array
3003         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
3004         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
3005         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
3006         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
3007
3008         And 53 is converted to JSConstant in the constant folding. It leads to a constant folding attempt in GetByVal.
3009
3010         53:< 1:->     JSConstant(JS|UseAsOther, Array, Weak:Object: 0x117fb4370 with butterfly 0x8000e4050 (Structure %BV:Array), StructureID: 104, bc#37, ExitValid)
3011         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
3012         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
3013         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
3014         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
3015
3016         GetByVal gets the constant Array from @53, and attempts to perform constant folding by leveraging the CoW state: if the given array's butterfly is CoW and we performed a CoW array check for this GetByVal, the array would not be changed as long as the check works.
3017         However, CheckStructure for @53 does not filter anything at AI. So, if @53 is a CopyOnWrite | Contiguous array (not a CopyOnWrite | Double array!), GetByVal will get a JSValue. But it does not meet the requirement of GetByVal since it has Double array mode, and says it returns Double.
3018         Here, CheckStructure is valid because the structure of the constant object would be changed. What we should do is an additional CoW & ArrayShape check in GetByVal when folding, since this node leverages CoW's interesting feature,
3019         "If a CoW array check (CheckStructure etc.) is emitted by GetByVal's DFG::ArrayMode, the content is not changed from the creation!".
3020
3021         This patch adds ArrayShape check in addition to CoW status check in GetByVal.
3022
3023         Unfortunately, this crash is very flaky. In the above case, if @53 stays GetLocal after the constant folding phase, this issue does not occur. We can see this crash in r238109, but it is really hard to reproduce it in the current ToT.
3024         I verified this fix works in r238109 with the attached test.
3025
3026         * dfg/DFGAbstractInterpreterInlines.h:
3027         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3028         * dfg/DFGAbstractValue.cpp:
3029         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3030
3031 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
3032
3033         [BigInt] Literal parsing is crashing when used inside a Object Literal
3034         https://bugs.webkit.org/show_bug.cgi?id=193404
3035
3036         Reviewed by Yusuke Suzuki.
3037
3038         The former implementation was relying on token.m_data.radix after the
3039         call to `next()` in Parser.cpp. This is not safe because next
3040         clobbers token.m_data.radix in some cases (e.g. CLOSEBRACE).
3041         Now we get the radix value before calling `next()` in the parser and store
3042         it in a local variable.
3043
3044         * parser/Parser.cpp:
3045         (JSC::Parser<LexerType>::parsePrimaryExpression):
3046
3047 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3048
3049         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
3050         https://bugs.webkit.org/show_bug.cgi?id=193372
3051
3052         Reviewed by Saam Barati.
3053
3054         When a RegisteredStructureSet is filtered with an AbstractValue, we use structure, SpeculationType, and ArrayModes.
3055         However, we use the asArrayModes() function with IndexingMode to compute the ArrayModes in AbstractValue. This is
3056         wrong since this discards TypedArray ArrayModes. As a result, if a RegisteredStructureSet with TypedArrays is
3057         filtered with the ArrayModes of an AbstractValue populated from TypedArrays, we filter all the structures out since
3058         the AbstractValue's ArrayModes become NonArray, which is wrong for the TypedArrays' ArrayModes. This leads to
3059         incorrect FTL code generation with MultiGetByOffset etc. nodes because:
3060
3061         1. AI thinks that this MultiGetByOffset never succeeds since all the values of the RegisteredStructureSet are filtered out by the AbstractValue.
3062         2. AI says the state of MultiGetByOffset is invalid since AI thinks it never succeeds.
3063         3. So subsequent code becomes FTL crash code since AI thinks the execution should do OSR exit.
3064         4. Then, FTL emits the code for MultiGetByOffset, and emits a crash after that.
3065         5. But in reality, the incoming value can match one of the RegisteredStructureSet values since (1)'s structures are incorrectly filtered by the incorrect ArrayModes.
3066         6. Then, the execution goes on, and falls into the FTL crash.
3067
3068         This patch fixes the incorrect ArrayModes calculation by the following changes:
3069
3070         1. Rename asArrayModes to asArrayModesIgnoringTypedArrays.
3071         2. Fix incorrect asArrayModesIgnoringTypedArrays use in our code. Use arrayModesFromStructure instead.
3072         3. Fix OSR exit code which stores incorrect ArrayModes to the profiles.
3073
3074         * bytecode/ArrayProfile.cpp:
3075         (JSC::dumpArrayModes):
3076         (JSC::ArrayProfile::computeUpdatedPrediction):
3077         * bytecode/ArrayProfile.h:
3078         (JSC::asArrayModesIgnoringTypedArrays):
3079         (JSC::arrayModesFromStructure):
3080         (JSC::arrayModesIncludeIgnoringTypedArrays):
3081         (JSC::shouldUseSlowPutArrayStorage):
3082         (JSC::shouldUseFastArrayStorage):
3083         (JSC::shouldUseContiguous):
3084         (JSC::shouldUseDouble):
3085         (JSC::shouldUseInt32):
3086         (JSC::asArrayModes): Deleted.
3087         (JSC::arrayModeFromStructure): Deleted.
3088         (JSC::arrayModesInclude): Deleted.
3089         * dfg/DFGAbstractValue.cpp:
3090         (JSC::DFG::AbstractValue::observeTransitions):
3091         (JSC::DFG::AbstractValue::set):
3092         (JSC::DFG::AbstractValue::mergeOSREntryValue):
3093         (JSC::DFG::AbstractValue::contains const):
3094         * dfg/DFGAbstractValue.h:
3095         (JSC::DFG::AbstractValue::observeTransition):
3096         (JSC::DFG::AbstractValue::validate const):
3097         (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
3098         * dfg/DFGArrayMode.cpp:
3099         (JSC::DFG::ArrayMode::fromObserved):
3100         (JSC::DFG::ArrayMode::alreadyChecked const):
3101         * dfg/DFGArrayMode.h:
3102         (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
3103         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
3104         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
3105         * dfg/DFGOSRExit.cpp:
3106         (JSC::DFG::OSRExit::executeOSRExit):
3107         (JSC::DFG::OSRExit::compileExit):
3108         * dfg/DFGRegisteredStructureSet.cpp:
3109         (JSC::DFG::RegisteredStructureSet::filterArrayModes):
3110         (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
3111         * ftl/FTLOSRExitCompiler.cpp:
3112         (JSC::FTL::compileStub):
3113         * jit/JITInlines.h:
3114         (JSC::JIT::chooseArrayMode):
3115         (JSC::arrayProfileSaw): Deleted.
3116         * runtime/JSType.h:
3117         (JSC::isTypedArrayType):
3118
3119 2019-01-14  Mark Lam  <mark.lam@apple.com>
3120
3121         Re-enable ability to build --cloop builds.
3122         https://bugs.webkit.org/show_bug.cgi?id=192955
3123         <rdar://problem/46882363>
3124
3125         Reviewed by Saam Barati and Keith Miller.
3126
3127         * Configurations/FeatureDefines.xcconfig:
3128
3129 2019-01-14  Mark Lam  <mark.lam@apple.com>
3130
3131         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
3132         https://bugs.webkit.org/show_bug.cgi?id=193402
3133         <rdar://problem/46012309>
3134
3135         Reviewed by Keith Miller.
3136
3137         The CLoop builds via build-jsc were previously completely disabled after our
3138         change to enable ASM LLInt build without the JIT.  As a result, JSC tests have
3139         regressed on CLoop builds.  The CLoop builds and tests will be re-enabled when
3140         the fix for https://bugs.webkit.org/show_bug.cgi?id=192955 lands.  This patch
3141         fixes all the regressions (and some old bugs) so that the CLoop test bots won't
3142         be red when CLoop build gets re-enabled.
3143
3144         In this patch, we do the following:
3145
3146         1. Change CLoopStack::grow() to set the new CLoop stack top at the maximum
3147            allocated capacity (after discounting the reserved zone) as opposed to setting
3148            it only at the level that the client requested.
3149
3150            This fixes a small performance bug that I happened to notice when I was
3151            debugging a stack issue.  It does not affect correctness.
3152
3153         2. In LowLevelInterpreter32_64.asm:
3154
3155            1. Fix loadConstantOrVariableTag() to use subi for computing the constant
3156               index because the VirtualRegister offset and FirstConstantRegisterIndex
3157               values it is operating on are both signed ints.  This is just to be
3158               pedantic.  The previous use of subu will still produce a correct value.
3159
3160            2. Fix llintOpWithReturn() to use getu (instead of get) for reading
3161               OpIsCellWithType::type because it is of type JSType, which is a uint8_t.
3162
3163            3. Fix llintOpWithMetadata() to use loadis for loading
3164               OpGetById::Metadata::modeMetadata.protoLoadMode.cachedOffset[t5] because it
3165               is of type PropertyOffset, which is a signed int.
3166
3167            4. Fix commonCallOp() to use getu for loading fields argv and argc because they
3168               are of type unsigned for OpCall, OpConstruct, and OpTailCall, which are the
3169               clients of commonCallOp.
3170
3171            5. Fix llintOpWithMetadata() and getClosureVar() to use loadp for loading
3172               OpGetFromScope::Metadata::operand because it is of type uintptr_t.
3173
3174         3. In LowLevelInterpreter64.asm:
3175
3176            1. Fix llintOpWithReturn() to use getu for reading OpIsCellWithType::type
3177               because it is of type JSType, which is a uint8_t.
3178
3179            2. Fix llintOpWithMetadata() to use loadi for loading
3180               OpGetById::Metadata::modeMetadata.protoLoadMode.structure[t2] because it is
3181               of type StructureID, which is a uint32_t.
3182
3183               Fix llintOpWithMetadata() to use loadis for loading
3184               OpGetById::Metadata::modeMetadata.protoLoadMode.cachedOffset[t2] because it
3185               is of type PropertyOffset, which is a signed int.
3186
3187            3. commonOp() should reload the metadataTable for op_catch because unlike
3188               for the ASM LLInt, the exception unwinding code is not able to restore
3189               "callee saved registers" for the CLoop interpreter because the CLoop uses
3190               pseudo-registers (see the CLoopRegister class).
3191
3192               This was the source of many exotic CLoop failures after the bytecode format
3193               change (which introduced the metadataTable callee saved register).  Hence,
3194               we fix it by reloading metadataTable's value on re-entry via op_catch for
3195               exception handling.  We already take care of restoring it in op_ret.
3196
3197            4. Fix llintOpWithMetadata() and getClosureVar() to use loadp for loading
3198               OpGetFromScope::Metadata::operand because it is of type uintptr_t.
3199
3200         4. In LowLevelInterpreter.asm:
3201
3202            Fix metadata() to use loadi for loading metadataTable offsets because they are
3203            of type unsigned.  This was also a source of many exotic CLoop test failures.
3204
3205         5. Change CLoopRegister into a class with a uintptr_t as its storage element.
3206            Previously, we were using a union to convert between various value types that
3207            we would store in this pseudo-register.  This method of type conversion is
3208            undefined behavior according to the C++ spec.  As a result, the C++ compiler
3209            may choose to elide some CLoop statements, thereby resulting in some exotic
3210            bugs.
3211
3212            We fix this by now always using accessor methods and assignment operators to
3213            ensure that we use bitwise_cast to do the type conversions.  Since bitwise_cast
3214            uses a memcpy, this ensures that there's no undefined behavior, and that CLoop
3215            statements won't get elided willy-nilly by the compiler.
3216
3217            Ditto for the CLoopDoubleRegisters.
3218
3219            Similarly, use bitwise_cast for ints2Double() and double2Ints() utility
3220            functions.
3221
3222            Also use bitwise_cast (instead of reinterpret_cast) for the CLoop CAST macro.
3223
3224         6. Fix cloop.rb to use the new CLoopRegister and CLoopDoubleRegister classes.
3225
3226            Add a clLValue accessor for offlineasm operand types to distinguish
3227            LValue use of the operands from RValue uses.
3228
3229            Replace the use of clearHighWord() with simply casting to uint32_t.  This is
3230            more efficient for the C++ compiler (and helps speed up debug build runs).
3231
3232            Also fix 32-bit arithmetic operations to only set the lower 32-bit value of
3233            the pseudo registers.  This fixes some CLoop JSC test failures.
3234
3235         This patch has been manually tested with the JSC tests on the following builds:
3236         64bit X86 ASM LLInt (without JIT), 64bit and 32bit X86 CLoop, and ARMv7 CLoop.
3237
3238         * interpreter/CLoopStack.cpp:
3239         (JSC::CLoopStack::grow):
3240         * llint/LowLevelInterpreter.asm:
3241         * llint/LowLevelInterpreter.cpp:
3242         (JSC::CLoopRegister::i const):
3243         (JSC::CLoopRegister::u const):
3244         (JSC::CLoopRegister::i32 const):
3245         (JSC::CLoopRegister::u32 const):
3246         (JSC::CLoopRegister::i8 const):
3247         (JSC::CLoopRegister::u8 const):
3248         (JSC::CLoopRegister::ip const):
3249         (JSC::CLoopRegister::i8p const):
3250         (JSC::CLoopRegister::vp const):
3251         (JSC::CLoopRegister::cvp const):
3252         (JSC::CLoopRegister::callFrame const):
3253         (JSC::CLoopRegister::execState const):
3254         (JSC::CLoopRegister::instruction const):
3255         (JSC::CLoopRegister::vm const):
3256         (JSC::CLoopRegister::cell const):
3257         (JSC::CLoopRegister::protoCallFrame const):
3258         (JSC::CLoopRegister::nativeFunc const):
3259         (JSC::CLoopRegister::i64 const):
3260         (JSC::CLoopRegister::u64 const):
3261         (JSC::CLoopRegister::encodedJSValue const):
3262         (JSC::CLoopRegister::opcode const):
3263         (JSC::CLoopRegister::operator ExecState*):
3264         (JSC::CLoopRegister::operator const Instruction*):
3265         (JSC::CLoopRegister::operator JSCell*):
3266         (JSC::CLoopRegister::operator ProtoCallFrame*):
3267         (JSC::CLoopRegister::operator Register*):
3268         (JSC::CLoopRegister::operator VM*):
3269         (JSC::CLoopRegister::operator=):
3270         (JSC::CLoopRegister::bitsAsDouble const):
3271         (JSC::CLoopRegister::bitsAsInt64 const):
3272         (JSC::CLoopDoubleRegister::operator T const):
3273         (JSC::CLoopDoubleRegister::d const):
3274         (JSC::CLoopDoubleRegister::bitsAsInt64 const):
3275         (JSC::CLoopDoubleRegister::operator=):
3276         (JSC::LLInt::ints2Double):
3277         (JSC::LLInt::double2Ints):
3278         (JSC::LLInt::decodeResult):
3279         (JSC::CLoop::execute):
3280         (JSC::LLInt::Ints2Double): Deleted.
3281         (JSC::LLInt::Double2Ints): Deleted.
3282         (JSC::CLoopRegister::CLoopRegister): Deleted.
3283         (JSC::CLoopRegister::clearHighWord): Deleted.
3284         * llint/LowLevelInterpreter32_64.asm:
3285         * llint/LowLevelInterpreter64.asm:
3286         * offlineasm/cloop.rb:
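
        Added illustration (not WebKit code): a pseudo-register backed by a single
        64-bit word whose typed views go through a memcpy-based bitwise cast instead
        of union punning, plus models of the loadi/loadis/getu distinction the entry
        above describes. bitwiseCast, PseudoRegister, the load helpers and the sample
        slot values are all assumptions constructed for this example.

```cpp
#include <cstdint>
#include <cstring>

// memcpy-based reinterpretation in the spirit of WTF::bitwise_cast (shape assumed here).
template<typename To, typename From>
To bitwiseCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "sizes must match");
    To to;
    std::memcpy(&to, &from, sizeof(to));
    return to;
}

// A pseudo-register backed by one 64-bit word; every typed view goes through bitwiseCast,
// so no union punning is involved and the compiler cannot treat the reads as undefined.
class PseudoRegister {
public:
    uint64_t u64() const { return m_bits; }
    uint32_t u32() const { return static_cast<uint32_t>(m_bits); }
    int32_t i32() const { return bitwiseCast<int32_t>(u32()); }
    uint8_t u8() const { return static_cast<uint8_t>(m_bits); }
    int64_t i64() const { return bitwiseCast<int64_t>(m_bits); }
    double bitsAsDouble() const { return bitwiseCast<double>(m_bits); }
    PseudoRegister& operator=(uint64_t bits) { m_bits = bits; return *this; }
    PseudoRegister& operator=(double d) { m_bits = bitwiseCast<uint64_t>(d); return *this; }
private:
    uint64_t m_bits { 0 };
};

// Models of the offlineasm loads the entry distinguishes: loadi zero-extends a 32-bit slot,
// loadis sign-extends it, and a byte read with getu is zero-extended.
uint64_t loadi(const void* slot) { uint32_t v; std::memcpy(&v, slot, sizeof v); return v; }
uint64_t loadis(const void* slot) { int32_t v; std::memcpy(&v, slot, sizeof v); return static_cast<uint64_t>(static_cast<int64_t>(v)); }
uint64_t getu8(const void* slot) { uint8_t v; std::memcpy(&v, slot, sizeof v); return v; }

// Constructed sample: a negative PropertyOffset (-7) held in a 32-bit metadata slot.
static const int32_t kOffsetSlot = -7;

// Correct: sign-extending load, then the signed 32-bit view gives the offset back.
int32_t offsetViaLoadis() { PseudoRegister r; r = loadis(&kOffsetSlot); return r.i32(); } // -7

// Wrong for a signed field: zero-extending load turns -7 into 4294967289 in the full word.
int64_t offsetViaLoadiAsInt64() { PseudoRegister r; r = loadi(&kOffsetSlot); return r.i64(); }

// Constructed sample: a one-byte type tag with its high bit set, read as unsigned.
static const uint8_t kTypeSlot = 0xC3;
uint32_t typeViaGetu() { PseudoRegister r; r = getu8(&kTypeSlot); return r.u32(); } // 195

// Double in, same double out: the bits survive the uint64_t storage via memcpy both ways.
double doubleRoundTrip(double d) { PseudoRegister r; r = d; return r.bitsAsDouble(); }
```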
3287
3288 2019-01-14  Keith Miller  <keith_miller@apple.com>
3289
3290         JSC should have a module loader API
3291         https://bugs.webkit.org/show_bug.cgi?id=191121
3292
3293         Reviewed by Michael Saboff.
3294
3295         This patch adds a new delegate to JSContext that is called to fetch
3296         any resolved module. The resolution of a module identifier is computed
3297         as if it were a URL on the web with the caveat that it must be a file URL.
3298