Fix failing ARM64E wasm tests
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-04-30  Keith Miller  <keith_miller@apple.com>

        Fix failing ARM64E wasm tests
        https://bugs.webkit.org/show_bug.cgi?id=197420

        Reviewed by Saam Barati.

        This patch fixes a bug in the slow path of our JS->Wasm IC bridge
        where we wouldn't untag the link register before tail calling.

        Additionally, this patch fixes a broken assert when setting
        Options::useTailCalls=false.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-04-29  Saam Barati  <sbarati@apple.com>

        Make JITType an enum class
        https://bugs.webkit.org/show_bug.cgi?id=197394

        Reviewed by Yusuke Suzuki.

        This makes the code more easily searchable.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType const):
        (JSC::CodeBlock::specialOSREntryBlockOrNull):
        (JSC::timeToLive):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::noticeIncomingCall):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::frameRegisterCount):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType const):
        (JSC::CodeBlock::hasBaselineJITProfiling const):
        * bytecode/CodeBlockWithJITType.h:
        (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        * bytecode/DeferredSourceDump.h:
        * bytecode/ExitingJITType.h:
        (JSC::exitingJITTypeFor):
        * bytecode/InlineCallFrame.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeAfterWarmUp):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGOperations.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::JITCode):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callSiteBitsAreBytecodeOffset const):
        (JSC::CallFrame::callSiteBitsAreCodeOriginIndex const):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCode.cpp:
        (JSC::JITCode::typeName):
        (WTF::printInternal):
        * jit/JITCode.h:
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        (JSC::JITCode::isExecutableScript):
        (JSC::JITCode::couldBeInterpreted):
        (JSC::JITCode::isJIT):
        (JSC::JITCode::isOptimizingJIT):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::jitTypeFor):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * jit/JITOperations.cpp:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SamplingProfiler.h:
        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):
        * tools/JSDollarVM.cpp:
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix FTL implementation of r244760
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        Looked with Saam. ValueFromBlock from double case block was overridden by NaN thing now.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        Our Map/Set's hash algorithm relies on the bit pattern of JSValue. So our Map/Set has
        normalization of the key, which normalizes Int32 / Double etc. But we did not normalize
        pure NaNs into one canonicalized pure NaN. So we end up having multiple different pure NaNs
        in one Map/Set. This patch normalizes NaN into one jsNaN(), which uses PNaN for the representation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        * runtime/HashMapImpl.h:
        (JSC::normalizeMapKey):
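
The normalizeMapKey entry above describes a hash table keyed by the raw bit pattern of a double, where every distinct NaN payload becomes a distinct key. The following is an added example, not JSC code: it reproduces that failure with a bit-keyed std::unordered_map and then shows the fix, a normalization step that collapses every NaN to one canonical pattern and folds -0.0 into +0.0 (JavaScript's SameValueZero key semantics). The canonical NaN constant kCanonicalNaNBits and the NaN variants in kNaNVariants are constructed for the example; JSC's own PNaN and jsNaN() are not reproduced here.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_map>

// Added example, not JSC code. It models a hash table keyed by the raw
// 64-bit pattern of a double, which is why every NaN payload must be
// collapsed to one canonical pattern before hashing.

static uint64_t bitsOf(double d)
{
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

static double doubleFromBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// Assumed canonical quiet-NaN pattern for this example (sign clear, quiet bit set,
// zero payload). JSC's PNaN lives in WTF and is not reproduced here.
static const uint64_t kCanonicalNaNBits = 0x7ff8000000000000ull;

// Key normalization with SameValueZero semantics: every NaN maps to the canonical
// pattern, -0.0 folds into +0.0, and all other doubles keep their own bits.
uint64_t normalizeKeyBits(double d)
{
    if (std::isnan(d))
        return kCanonicalNaNBits;
    if (d == 0.0)
        return bitsOf(0.0); // also catches -0.0, which compares equal to 0.0
    return bitsOf(d);
}

// Constructed NaN variants: different payloads and sign bits, all quiet NaNs,
// all of which JavaScript treats as the single value NaN.
static const uint64_t kNaNVariants[] = {
    0x7ff8000000000000ull, // canonical quiet NaN
    0x7ff8000000000001ull, // quiet NaN with a non-zero payload
    0x7ffc000000000000ull, // quiet NaN with a different payload
    0xfff8000000000000ull, // quiet NaN with the sign bit set
};

// Inserts each NaN variant without normalization: the table ends up with one
// entry per bit pattern even though every key is "NaN".
std::size_t distinctKeysWithoutNormalization()
{
    std::unordered_map<uint64_t, int> table;
    for (uint64_t bits : kNaNVariants)
        table[bitsOf(doubleFromBits(bits))] += 1;
    return table.size();
}

// Same insertions through normalizeKeyBits: all variants collapse to one entry.
std::size_t distinctKeysWithNormalization()
{
    std::unordered_map<uint64_t, int> table;
    for (uint64_t bits : kNaNVariants)
        table[normalizeKeyBits(doubleFromBits(bits))] += 1;
    return table.size();
}

// Lookup check: a value stored under one NaN payload is found via another one.
bool lookupFindsNaNUnderOtherPayload()
{
    std::unordered_map<uint64_t, int> table;
    table[normalizeKeyBits(doubleFromBits(kNaNVariants[1]))] = 42;
    auto it = table.find(normalizeKeyBits(doubleFromBits(kNaNVariants[3])));
    return it != table.end() && it->second == 42;
}
```

The point of normalizing before hashing rather than teaching the hash function about NaN is that equality and hashing then stay a plain bit comparison on the fast path; only the normalization step needs to know which bit patterns are the same JavaScript value.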

2019-04-29  Alex Christensen  <achristensen@webkit.org>

        <rdar://problem/50299396> Fix internal High Sierra build
        https://bugs.webkit.org/show_bug.cgi?id=197388

        * Configurations/Base.xcconfig:

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        JITStubRoutineSet wastes 180KB of HashTable capacity on can.com
        https://bugs.webkit.org/show_bug.cgi?id=186732

        Reviewed by Saam Barati.

        Our current mechanism of JITStubRoutineSet consumes more memory than needed. Basically we have HashMap<uintptr_t, StubRoutine*> and register
        each executable address in 16-byte steps in this table. So if your StubRoutine has 128 bytes, it just adds 8 entries to this hash table.
        In Gmail, we see a ~2MB table size.

        Instead, this patch uses Vector<pair<uintptr_t, StubRoutine*>> and performs a binary search on this sorted vector. Before the conservative
        scan, we sort this vector, and then do a binary search on the sorted vector to find executing stub routines from the conservative roots.
        This vector includes uintptr_t startAddress to make binary searching fast.

        A large amount of the conservative scan should be filtered by the range check, so I think binary search here is OK, but we can decide based on what the
        performance bots say.

        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/JITStubRoutineSet.cpp:
        (JSC::JITStubRoutineSet::~JITStubRoutineSet):
        (JSC::JITStubRoutineSet::add):
        (JSC::JITStubRoutineSet::prepareForConservativeScan):
        (JSC::JITStubRoutineSet::clearMarks):
        (JSC::JITStubRoutineSet::markSlow):
        (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
        (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::mark):
        (JSC::JITStubRoutineSet::prepareForConservativeScan):
        (JSC::JITStubRoutineSet::size const): Deleted.
        (JSC::JITStubRoutineSet::at const): Deleted.
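
The JITStubRoutineSet entry above replaces a per-16-byte hash table with a vector of (startAddress, routine) pairs that is sorted once before the conservative scan and then binary-searched per candidate root. The following is an added example, not JSC's JITStubRoutineSet: StubRoutine, StubRoutineSet and the addresses in markedAfterScan are hypothetical and constructed for the example. It shows the sort-then-search structure, the cheap range filter that rejects most roots before any search, and the exclusive-end check that keeps a pointer one past a routine from marking it live.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Added example, not JSC's JITStubRoutineSet. A hypothetical stub routine is
// just an executable address range plus a mark bit.
struct StubRoutine {
    uintptr_t start;
    std::size_t size;
    bool marked = false;
    uintptr_t end() const { return start + size; }
};

class StubRoutineSet {
public:
    void add(StubRoutine* routine)
    {
        m_routines.emplace_back(routine->start, routine);
        m_sorted = false;
    }

    // Sort once, right before the conservative scan, so every lookup during the
    // scan is a binary search instead of one hash entry per 16-byte slot.
    void prepareForConservativeScan()
    {
        std::sort(m_routines.begin(), m_routines.end(),
            [](const Entry& a, const Entry& b) { return a.first < b.first; });
        m_lowest = m_routines.empty() ? 0 : m_routines.front().first;
        m_highest = 0;
        for (const Entry& entry : m_routines)
            m_highest = std::max(m_highest, entry.second->end());
        m_sorted = true;
    }

    // Returns the routine whose [start, end) contains candidate, or nullptr.
    StubRoutine* find(uintptr_t candidate) const
    {
        // Cheap range filter: most conservative roots fall outside the JIT region.
        if (!m_sorted || candidate < m_lowest || candidate >= m_highest)
            return nullptr;
        // First entry whose start is strictly greater than candidate; the entry
        // before it is the only one that could contain the address.
        auto it = std::upper_bound(m_routines.begin(), m_routines.end(), candidate,
            [](uintptr_t value, const Entry& entry) { return value < entry.first; });
        if (it == m_routines.begin())
            return nullptr;
        --it;
        StubRoutine* routine = it->second;
        // End is exclusive: a pointer one past the routine must not keep it alive.
        return candidate < routine->end() ? routine : nullptr;
    }

    void mark(uintptr_t candidate)
    {
        if (StubRoutine* routine = find(candidate))
            routine->marked = true;
    }

private:
    using Entry = std::pair<uintptr_t, StubRoutine*>;
    std::vector<Entry> m_routines;
    bool m_sorted = false;
    uintptr_t m_lowest = 0;
    uintptr_t m_highest = 0;
};

// Scans constructed roots against three constructed routines and returns how
// many routines ended up marked.
std::size_t markedAfterScan()
{
    StubRoutine routines[] = { { 0x1000, 128 }, { 0x2000, 64 }, { 0x3000, 256 } };
    StubRoutineSet set;
    for (StubRoutine& routine : routines)
        set.add(&routine);
    set.prepareForConservativeScan();

    // Constructed conservative roots: inside the first routine, exactly one past
    // the second (must not mark), in the gap before the third, inside the third,
    // and far outside the JIT region.
    const uintptr_t roots[] = { 0x1070, 0x2040, 0x2fff, 0x30ff, 0x5000 };
    for (uintptr_t root : roots)
        set.mark(root);

    std::size_t marked = 0;
    for (const StubRoutine& routine : routines)
        marked += routine.marked ? 1 : 0;
    return marked;
}

// Boundary lookups on a single 16-byte routine at a constructed address.
bool boundaryLookupsCorrect()
{
    StubRoutine routine { 0x4000, 16 };
    StubRoutineSet set;
    set.add(&routine);
    if (set.find(0x4000) != nullptr) // not sorted yet: lookups must refuse
        return false;
    set.prepareForConservativeScan();
    return set.find(0x4000) == &routine && set.find(0x400f) == &routine
        && set.find(0x4010) == nullptr && set.find(0x3fff) == nullptr;
}
```

The range filter is what makes the binary search affordable: only candidates that land inside [lowest, highest) pay for the search, and the exclusive-end comparison is the correctness check that decides whether a stray value that happens to sit at a routine boundary keeps that routine alive.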

2019-04-29  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [Win] Add flag to enable version information stamping and disable by default.
        https://bugs.webkit.org/show_bug.cgi?id=197249
        <rdar://problem/50224412>

        Reviewed by Ross Kirsling.

        This feature is only used in the AppleWin port. Add a flag for this task and make it OFF by default.
        Then enable it by default on AppleWin.

        * CMakeLists.txt:

2019-04-26  Keith Rollin  <krollin@apple.com>

        Enable new build rule for post-processing headers when using XCBuild
        https://bugs.webkit.org/show_bug.cgi?id=197340
        <rdar://problem/50226685>

        Reviewed by Brent Fulgham.

        In Bug 197116, we conditionally disabled the old method for
        post-processing header files when we are using the new XCBuild build
        system. This check-in conditionally enables the new post-processing
        facility. Note that the old system is disabled and the new system
        enabled only when the USE_NEW_BUILD_SYSTEM environment variable is set
        to YES.

        * Configurations/JavaScriptCore.xcconfig:

2019-04-26  Jessie Berlin  <jberlin@webkit.org>

        Add new mac target numbers
        https://bugs.webkit.org/show_bug.cgi?id=197313

        Reviewed by Alex Christensen.

        * Configurations/Version.xcconfig:
        * Configurations/WebKitTargetConditionals.xcconfig:

2019-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244708.
        https://bugs.webkit.org/show_bug.cgi?id=197334

        "Broke the debug build" (Requested by rmorisset on #webkit).

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/244708

2019-04-26  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Add WEBKIT_EXECUTABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=197206

        Reviewed by Konstantin Tokarev.

        Migrate to WEBKIT_EXECUTABLE for the jsc and test targets.

        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * dfg/testdfg.cpp:
        * shell/CMakeLists.txt:
        * shell/PlatformGTK.cmake:
        * shell/PlatformJSCOnly.cmake: Removed.
        * shell/PlatformMac.cmake:
        * shell/PlatformPlayStation.cmake:
        * shell/PlatformWPE.cmake:
        * shell/PlatformWin.cmake:

2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] linkPolymorphicCall now does GC
        https://bugs.webkit.org/show_bug.cgi?id=197306

        Reviewed by Saam Barati.

        Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
        But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
        does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
        We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
        caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.

        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2019-04-26  Robin Morisset  <rmorisset@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        Otherwise we won't remember to run haveABadTime() when someone adds an indexed accessor to them.

        I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
        create structures with invalid prototypes.
        It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
        Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.

        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::isValidPrototype):
        (JSC::Structure::changePrototypeTransition):
        * runtime/Structure.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::WebAssemblyModulePrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::WebAssemblyTablePrototype::finishCreation):

2019-04-26  Don Olmstead  <don.olmstead@sony.com>

        Add WTF::findIgnoringASCIICaseWithoutLength to replace strcasestr
        https://bugs.webkit.org/show_bug.cgi?id=197291

        Reviewed by Konstantin Tokarev.

        Replace uses of strcasestr with WTF::findIgnoringASCIICaseWithoutLength.

        * API/tests/testapi.cpp:
        * assembler/testmasm.cpp:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * dfg/testdfg.cpp:
        * dynbench.cpp:

2019-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r244669.

        Windows ports can't clean build.

        Reverted changeset:

        "[Win] Add flag to enable version information stamping and
        disable by default."
        https://bugs.webkit.org/show_bug.cgi?id=197249
        https://trac.webkit.org/changeset/244669

2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [Win] Add flag to enable version information stamping and disable by default.
        https://bugs.webkit.org/show_bug.cgi?id=197249

        Reviewed by Ross Kirsling.

        This feature is only used in the AppleWin port. Add a flag for this task and make it OFF by default.
        Then enable it by default on AppleWin.

        * CMakeLists.txt:

2019-04-25  Timothy Hatcher  <timothy@apple.com>

        Disable date and time inputs on iOSMac.
        https://bugs.webkit.org/show_bug.cgi?id=197287
        rdar://problem/46794376

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2019-04-25  Alex Christensen  <achristensen@webkit.org>

        Fix more builds after r244653
        https://bugs.webkit.org/show_bug.cgi?id=197131

        * b3/B3Value.h:
        There is an older system with libc++ headers that don't have std::conjunction.  Just use constexpr and && instead for the one use of it in WebKit.

2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [RemoteInspector] Fix connection and target identifier types.
        https://bugs.webkit.org/show_bug.cgi?id=197243

        Reviewed by Ross Kirsling.

        Give a dedicated type to RemoteControllableTarget's identifier as Inspector::TargetID.

        Also rename the ClientID type used in the Socket backend to ConnectionID because this is the identifier
        the socket endpoint assigns to the newly created connection. The size was changed to uint32_t,
        which is enough for managing connections.

        * inspector/remote/RemoteConnectionToTarget.cpp:
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        (Inspector::RemoteConnectionToTarget::targetIdentifier const):
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
        (Inspector::RemoteInspector::registerTarget):
        (Inspector::RemoteInspector::unregisterTarget):
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupCompleted):
        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        (Inspector::RemoteInspector::updateTargetListing):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier const):
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedCloseMessage):
        (Inspector::RemoteInspector::setup):
        (Inspector::RemoteInspector::sendMessageToTarget):
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
        (Inspector::RemoteInspectorConnectionClient::didReceiveWebInspectorEvent):
        * inspector/remote/socket/RemoteInspectorConnectionClient.h:
        (Inspector::RemoteInspectorConnectionClient::didAccept):
        * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
        (Inspector::MessageParser::MessageParser):
        (Inspector::MessageParser::parse):
        * inspector/remote/socket/RemoteInspectorMessageParser.h:
        (Inspector::MessageParser::setDidParseMessageListener):
        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::didAccept):
        (Inspector::RemoteInspectorServer::didClose):
        (Inspector::RemoteInspectorServer::dispatchMap):
        (Inspector::RemoteInspectorServer::sendWebInspectorEvent):
        (Inspector::RemoteInspectorServer::sendCloseEvent):
        (Inspector::RemoteInspectorServer::connectionClosed):
        * inspector/remote/socket/RemoteInspectorServer.h:
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::didClose):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::setup):
        (Inspector::RemoteInspector::sendMessageToTarget):
        * inspector/remote/socket/RemoteInspectorSocket.h:
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::connectInet):
        (Inspector::RemoteInspectorSocketEndpoint::isListening):
        (Inspector::RemoteInspectorSocketEndpoint::workerThread):
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::send):
        (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:

2019-04-25  Alex Christensen  <achristensen@webkit.org>

        Start using C++17
        https://bugs.webkit.org/show_bug.cgi?id=197131

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2019-04-25  Alex Christensen  <achristensen@webkit.org>

        Remove DeprecatedOptional
        https://bugs.webkit.org/show_bug.cgi?id=197161

        Reviewed by Darin Adler.

        We need to keep a symbol exported from JavaScriptCore for binary compatibility with iOS12.
        We need this symbol to be in a file that doesn't include anything because libcxx's implementation of
        std::optional is actually std::__1::optional, which has a different mangled name.  This change will
        prevent protocol errors from being reported if you are running the iOS12 simulator with a custom build of WebKit
        and using the web inspector with it, but it's necessary to allow us to start using C++17 in WebKit.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorBackendDispatcherCompatibility.cpp: Added.
        (Inspector::BackendDispatcher::reportProtocolError):
        * inspector/InspectorBackendDispatcherCompatibility.h: Added.

2019-04-24  Saam Barati  <sbarati@apple.com>

        Add SPI callbacks for before and after module execution
        https://bugs.webkit.org/show_bug.cgi?id=197244
        <rdar://problem/50180511>

        Reviewed by Yusuke Suzuki.

        This is helpful for clients that want to profile execution of modules
        in some way. E.g., if they want to time module execution time.

        * API/JSAPIGlobalObject.h:
        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderEvaluate):
        * API/JSContextPrivate.h:
        * API/tests/testapi.mm:
        (+[JSContextFetchDelegate contextWithBlockForFetch:]):
        (-[JSContextFetchDelegate willEvaluateModule:]):
        (-[JSContextFetchDelegate didEvaluateModule:]):
        (testFetch):
        (testFetchWithTwoCycle):
        (testFetchWithThreeCycle):
        (testLoaderResolvesAbsoluteScriptURL):
        (testLoaderRejectsNilScriptURL):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        (JSC::JSModuleLoader::evaluateNonVirtual):
        * runtime/JSModuleLoader.h:

2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink DFG::MinifiedNode
        https://bugs.webkit.org/show_bug.cgi?id=197224

        Reviewed by Filip Pizlo.

        Since it is kept alive with compiled DFG code, we should shrink it to save memory.
        If it is effective, we should consider minimizing these OSR exit data more aggressively.

        * dfg/DFGMinifiedNode.h:

2019-04-23  Saam Barati  <sbarati@apple.com>

        LICM incorrectly assumes it'll never insert a node which provably OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=196721
        <rdar://problem/49556479>

        Reviewed by Filip Pizlo.

        Previously, we assumed LICM could never hoist code that caused us
        to provably OSR exit. This is a bad assumption, as we may very well
        hoist such code. Obviously hoisting such code is not ideal. We shouldn't
        hoist something we provably know will OSR exit. However, this is super rare,
        and the phase is written in such a way where it's easier to gracefully
        handle this case than to prevent us from hoisting such code.

        If we wanted to ensure we never hoisted code that would provably exit, we'd
        have to teach the phase to know when it inserted code that provably exits. I
        saw two ways to do that:
        1: Save and restore the AI state before actually hoisting.
        2: Write an analysis that can determine if such a node would exit.

        (1) is bad because it costs in memory and compile time. (2) will inevitably
        have bugs as running into this condition is rare.

        So instead of (1) or (2), I opted to have LICM gracefully handle when
        it causes a provable exit. When we encounter this, we mark all blocks
        in the loop as !cfaHasVisited and !cfaDidFinish.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use node index as DFG::MinifiedID
        https://bugs.webkit.org/show_bug.cgi?id=197186

        Reviewed by Saam Barati.

        DFG Nodes can be identified with index if the graph is given. We should use unsigned index as a DFG::MinifiedID's underlying
        source instead of Node* to reduce the size of VariableEvent from 16 to 12. Vector<VariableEvent> is the main data in DFG's OSR
        tracking. It is kept after DFG compilation is done to make OSR work. We saw that this is allocated with large size in GMail.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/DataFormat.h:
        * bytecode/ValueRecovery.h:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGMinifiedID.h:
        (JSC::DFG::MinifiedID::MinifiedID):
        (JSC::DFG::MinifiedID::operator! const):
        (JSC::DFG::MinifiedID::operator== const):
        (JSC::DFG::MinifiedID::operator!= const):
        (JSC::DFG::MinifiedID::operator< const):
        (JSC::DFG::MinifiedID::operator> const):
        (JSC::DFG::MinifiedID::operator<= const):
        (JSC::DFG::MinifiedID::operator>= const):
        (JSC::DFG::MinifiedID::hash const):
        (JSC::DFG::MinifiedID::dump const):
        (JSC::DFG::MinifiedID::isHashTableDeletedValue const):
        (JSC::DFG::MinifiedID::fromBits):
        (JSC::DFG::MinifiedID::bits const):
        (JSC::DFG::MinifiedID::invalidIndex):
        (JSC::DFG::MinifiedID::otherInvalidIndex):
        (JSC::DFG::MinifiedID::node const): Deleted.
        (JSC::DFG::MinifiedID::invalidID): Deleted.
        (JSC::DFG::MinifiedID::otherInvalidID): Deleted.
        * dfg/DFGMinifiedIDInlines.h: Copied from Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp.
        (JSC::DFG::MinifiedID::MinifiedID):
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::dataFormat const):

2019-04-23  Keith Rollin  <krollin@apple.com>

        Add Xcode version check for Header post-processing scripts
        https://bugs.webkit.org/show_bug.cgi?id=197116
        <rdar://problem/50058968>

        Reviewed by Brent Fulgham.

        There are several places in our Xcode projects that post-process
        header files after they've been exported. Because of XCBuild, we're
        moving to a model where the post-processing is performed at the same
        time the header files are exported, rather than as a distinct
        post-processing step. This patch disables the distinct step when the
        inline processing is available.

        In practice, this means prefixing appropriate post-processing Custom
        Build phases with:

        if [ "${XCODE_VERSION_MAJOR}" -ge "1100" -a "${USE_NEW_BUILD_SYSTEM}" = "YES" ]; then
            # In this configuration, post-processing is performed at the same time as copying in the postprocess-header-rule script, so there's no need for this separate step.
            exit 0
        fi

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-04-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244558.
        https://bugs.webkit.org/show_bug.cgi?id=197219

        Causing crashes on iOS Sim Release and Debug (Requested by
719         ShawnRoberts on #webkit).
720
721         Reverted changeset:
722
723         "Remove DeprecatedOptional"
724         https://bugs.webkit.org/show_bug.cgi?id=197161
725         https://trac.webkit.org/changeset/244558
726
727 2019-04-23  Devin Rousso  <drousso@apple.com>
728
729         Web Inspector: Uncaught Exception: null is not an object (evaluating 'this.ownerDocument.frameIdentifier')
730         https://bugs.webkit.org/show_bug.cgi?id=196420
731         <rdar://problem/49444205>
732
733         Reviewed by Timothy Hatcher.
734
735         * inspector/protocol/DOM.json:
736         Modify the existing `frameId` to represent the owner frame of the node, rather than the
737         frame it holds (in the case of an `<iframe>`).
738
739 2019-04-23  Alex Christensen  <achristensen@webkit.org>
740
741         Remove DeprecatedOptional
742         https://bugs.webkit.org/show_bug.cgi?id=197161
743
744         Reviewed by Darin Adler.
745
746         * inspector/InspectorBackendDispatcher.cpp:
747         * inspector/InspectorBackendDispatcher.h:
748
749 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
750
751         [JSC] Use volatile load to populate backing page in MarkedBlock::Footer instead of using holdLock
752         https://bugs.webkit.org/show_bug.cgi?id=197152
753
754         Reviewed by Saam Barati.
755
756         Emit volatile load instead of using holdLock to populate backing page in MarkedBlock::Footer.
757
758         * heap/BlockDirectory.cpp:
759         (JSC::BlockDirectory::isPagedOut):
760         * heap/MarkedBlock.h:
761         (JSC::MarkedBlock::populatePage const):
762
763 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
764
765         [JSC] useJIT should subsume useRegExpJIT
766         https://bugs.webkit.org/show_bug.cgi?id=197153
767
768         Reviewed by Alex Christensen.
769
770         useJIT should subsume useRegExpJIT. We should immediately disable JIT feature if useJIT = false,
771         even if useRegExpJIT is true.
772
773         * dfg/DFGCapabilities.cpp:
774         (JSC::DFG::isSupported):
775         * runtime/Options.cpp:
776         (JSC::recomputeDependentOptions):
777         * runtime/RegExp.cpp:
778         (JSC::RegExp::compile):
779         (JSC::RegExp::compileMatchOnly):
780         * runtime/VM.cpp:
781         (JSC::enableAssembler):
782         (JSC::VM::canUseRegExpJIT): Deleted.
783         * runtime/VM.h:
784
785 2019-04-22  Basuke Suzuki  <basuke.suzuki@sony.com>
786
787         [PlayStation] Restructuring Remote Inspector classes to support multiple platforms.
788         https://bugs.webkit.org/show_bug.cgi?id=197030
789
790         Reviewed by Don Olmstead.
791
792         Restructuring the PlayStation's RemoteInspector backend, which uses native sockets for communication, to be ready for WinCairo.
793
794         What we did is basically:
795         - Renamed `remote/playstation/` to `remote/socket/`. This directory is now the platform-independent implementation of the socket backend.
796         - Renamed the `RemoteInspectorSocket` class to `RemoteInspectorSocketEndpoint`. This class is platform independent and the core of the backend.
797         - Merged the `RemoteInspectorSocket{Client|Server}` classes into the `RemoteInspectorSocketEndpoint` class because the differences are small.
798         - Defined new interface functions in the `Inspector::Socket` (new) namespace.
799         - Moved the POSIX socket implementation into `posix\RemoteInspectorSocketPOSIX.{h|cpp}`.
800
801         * PlatformPlayStation.cmake:
802         * inspector/remote/RemoteInspector.h:
803         * inspector/remote/playstation/RemoteInspectorSocketClient.h: Merged into RemoteInspectorSocketEndpoint.
804         * inspector/remote/playstation/RemoteInspectorSocketClientPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
805         * inspector/remote/playstation/RemoteInspectorSocketPlayStation.cpp: Removed.
806         * inspector/remote/playstation/RemoteInspectorSocketServer.h: Merged into RemoteInspectorSocketEndpoint.
807         * inspector/remote/playstation/RemoteInspectorSocketServerPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
808         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClientPlayStation.cpp.
809         * inspector/remote/socket/RemoteInspectorConnectionClient.h: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClient.h.
810         (Inspector::RemoteInspectorConnectionClient::didAccept):
811         * inspector/remote/socket/RemoteInspectorMessageParser.cpp: Renamed from inspector\remote\playstation\RemoteInspectorMessageParserPlayStation.cpp.
812         * inspector/remote/socket/RemoteInspectorMessageParser.h: Renamed from inspector\remote\playstation\RemoteInspectorMessageParser.h.
813         * inspector/remote/socket/RemoteInspectorServer.cpp: Renamed from inspector\remote\playstation\RemoteInspectorServerPlayStation.cpp.
814         (Inspector::RemoteInspectorServer::didAccept):
815         (Inspector::RemoteInspectorServer::start):
816         * inspector/remote/socket/RemoteInspectorServer.h: Renamed from inspector\remote\playstation\RemoteInspectorServer.h.
817         * inspector/remote/socket/RemoteInspectorSocket.cpp: Renamed from inspector\remote\playstation\RemoteInspectorPlayStation.cpp.
818         (Inspector::RemoteInspector::start):
819         * inspector/remote/socket/RemoteInspectorSocket.h: Copied from inspector\remote\playstation\RemoteInspectorSocket.h.
820         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Added.
821         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
822         (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
823         (Inspector::RemoteInspectorSocketEndpoint::wakeupWorkerThread):
824         (Inspector::RemoteInspectorSocketEndpoint::connectInet):
825         (Inspector::RemoteInspectorSocketEndpoint::listenInet):
826         (Inspector::RemoteInspectorSocketEndpoint::isListening):
827         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
828         (Inspector::RemoteInspectorSocketEndpoint::createClient):
829         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
830         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
831         (Inspector::RemoteInspectorSocketEndpoint::send):
832         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
833         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: Renamed from inspector\remote\playstation\RemoteInspectorSocket.h.
834         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Added.
835         (Inspector::Socket::connect):
836         (Inspector::Socket::listen):
837         (Inspector::Socket::accept):
838         (Inspector::Socket::createPair):
839         (Inspector::Socket::setup):
840         (Inspector::Socket::isValid):
841         (Inspector::Socket::isListening):
842         (Inspector::Socket::read):
843         (Inspector::Socket::write):
844         (Inspector::Socket::close):
845         (Inspector::Socket::preparePolling):
846         (Inspector::Socket::poll):
847         (Inspector::Socket::isReadable):
848         (Inspector::Socket::isWritable):
849         (Inspector::Socket::markWaitingWritable):
850         (Inspector::Socket::clearWaitingWritable):
851
852 2019-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
853
854         Unreviewed, suppress warnings in non Darwin environments
855
856         * jit/ExecutableAllocator.cpp:
857         (JSC::dumpJITMemory):
858
859 2019-04-19  Saam Barati  <sbarati@apple.com>
860
861         AbstractValue can represent more than int52
862         https://bugs.webkit.org/show_bug.cgi?id=197118
863         <rdar://problem/49969960>
864
865         Reviewed by Michael Saboff.
866
867         Let's analyze this control flow diamond:
868         
869         #0
870         branch #1, #2
871         
872         #1:
873         PutStack(JSValue, loc42)
874         Jump #3
875         
876         #2:
877         PutStack(Int52, loc42)
878         Jump #3
879         
880         #3:
881         ...
882         
883         Our abstract value for loc42 at the head of #3 will contain an abstract
884         value that is the union of Int52 with other things. Obviously in the
885         above program, a GetStack for loc42 would be invalid, since it might
886         be loading either JSValue or Int52. However, the abstract interpreter
887         just tracks what the value could be, and it could be Int52 or JSValue.
888         
889         When I did the Int52 refactoring, I expected such things to never happen,
890         but it turns out it does. We should just allow for this instead of asserting
891         against it since it's valid IR to do the above.
892
893         * bytecode/SpeculatedType.cpp:
894         (JSC::dumpSpeculation):
895         * dfg/DFGAbstractValue.cpp:
896         (JSC::DFG::AbstractValue::checkConsistency const):
897         * dfg/DFGAbstractValue.h:
898         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
899
900 2019-04-19  Tadeu Zagallo  <tzagallo@apple.com>
901
902         Add option to dump JIT memory
903         https://bugs.webkit.org/show_bug.cgi?id=197062
904         <rdar://problem/49744332>
905
906         Reviewed by Saam Barati.
907
908         Dump all writes into JIT memory to the specified file. The format is:
909         - 64-bit destination address for the write
910         - 64-bit size of the content written
911         - Copy of the data that was written to JIT memory
912
913         * assembler/LinkBuffer.cpp:
914         (JSC::LinkBuffer::copyCompactAndLinkCode):
915         * jit/ExecutableAllocator.cpp:
916         (JSC::dumpJITMemory):
917         * jit/ExecutableAllocator.h:
918         (JSC::performJITMemcpy):
919         * runtime/Options.h:
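
A reader for the three-field record format described in this entry, added here as an example and not code from JSC or from this patch. It assumes the two 64-bit fields are written in little-endian host order (the entry does not state the byte order) and parses a constructed sample buffer instead of a real dump file; `lastWriteCovering` is a helper invented for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// One write into JIT memory, following the record layout the entry describes:
// destination address, size, then a copy of the bytes that were written.
struct JITWriteRecord {
    uint64_t destination = 0;
    std::vector<uint8_t> data;
};

// Little-endian decoding is an assumption made for this example; the entry
// does not say which byte order the dumper uses.
static uint64_t readU64LE(const uint8_t* p)
{
    uint64_t value = 0;
    for (int i = 7; i >= 0; --i)
        value = (value << 8) | p[i];
    return value;
}

static void appendU64LE(std::vector<uint8_t>& out, uint64_t value)
{
    for (int i = 0; i < 8; ++i)
        out.push_back(static_cast<uint8_t>(value >> (8 * i)));
}

// Parse every complete record in `buffer`. A record whose header or payload
// runs past the end of the buffer sets `truncated` and ends parsing, so a dump
// cut off mid-write still yields everything before the cut. The size field is
// checked against the remaining bytes before any allocation is made.
std::vector<JITWriteRecord> parseJITMemoryDump(const std::vector<uint8_t>& buffer, bool& truncated)
{
    std::vector<JITWriteRecord> records;
    size_t offset = 0;
    truncated = false;
    while (offset < buffer.size()) {
        if (buffer.size() - offset < 16) {
            truncated = true;
            break;
        }
        uint64_t destination = readU64LE(&buffer[offset]);
        uint64_t size = readU64LE(&buffer[offset + 8]);
        offset += 16;
        if (size > buffer.size() - offset) {
            truncated = true;
            break;
        }
        JITWriteRecord record;
        record.destination = destination;
        record.data.assign(buffer.begin() + offset, buffer.begin() + offset + static_cast<size_t>(size));
        offset += static_cast<size_t>(size);
        records.push_back(std::move(record));
    }
    return records;
}

// The record that last wrote the byte at `address`, or nullptr. JIT code is
// patched in place, so later records override earlier ones and the search
// runs from the end of the dump backwards.
const JITWriteRecord* lastWriteCovering(const std::vector<JITWriteRecord>& records, uint64_t address)
{
    for (size_t i = records.size(); i-- > 0;) {
        const JITWriteRecord& record = records[i];
        if (address >= record.destination && address - record.destination < record.data.size())
            return &record;
    }
    return nullptr;
}

// Constructed sample (not real JSC output): two complete records, then one
// whose eight-byte payload was cut short after two bytes.
std::vector<uint8_t> makeSampleDump()
{
    std::vector<uint8_t> dump;
    appendU64LE(dump, 0x1000); appendU64LE(dump, 4);
    dump.insert(dump.end(), { 0x11, 0x22, 0x33, 0x44 });
    appendU64LE(dump, 0x1002); appendU64LE(dump, 2);
    dump.insert(dump.end(), { 0xAA, 0xBB });
    appendU64LE(dump, 0x3000); appendU64LE(dump, 8);
    dump.insert(dump.end(), { 0x01, 0x02 });
    return dump;
}

int main()
{
    bool truncated = false;
    std::vector<JITWriteRecord> records = parseJITMemoryDump(makeSampleDump(), truncated);
    for (const JITWriteRecord& record : records)
        std::printf("write of %zu bytes to 0x%llx\n", record.data.size(), static_cast<unsigned long long>(record.destination));
    if (truncated)
        std::printf("dump ends with an incomplete record\n");
    return 0;
}
```

Two checks matter when reading such a dump: the size field is validated before allocating (a corrupted or truncated trailer must not turn into a huge allocation), and overlapping writes are resolved by recency, since the dumper records every write in order and in-place patching overwrites earlier bytes.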
920
921 2019-04-19  Keith Rollin  <krollin@apple.com>
922
923         Add postprocess-header-rule scripts
924         https://bugs.webkit.org/show_bug.cgi?id=197072
925         <rdar://problem/50027299>
926
927         Reviewed by Brent Fulgham.
928
929         Several projects have post-processing build phases where exported
930         headers are tweaked after they've been copied. This post-processing is
931         performed via scripts called postprocess-headers.sh. For reasons
932         related to XCBuild, we are now transitioning to a build process where
933         the post-processing is performed at the same time as the
934         exporting/copying. To support this process, add similar scripts named
935         postprocess-header-rule, which are geared towards processing a single
936         file at a time rather than all exported files at once. Also add a
937         build rule that makes use of these scripts. These scripts and build
938         rules are not used at the moment; they will come into use in an
939         imminent patch.
940
941         Note that I've named these postprocess-header-rule rather than
942         postprocess-header-rule.sh. Scripts in Tools/Scripts do not have
943         suffixes indicating how the tool is implemented. Scripts in
944         per-project Scripts folders appear to be mixed regarding the use of
945         suffixes. I'm opting here to follow the Tools/Scripts convention, with
946         the expectation that over time we completely standardize on that.
947
948         * JavaScriptCore.xcodeproj/project.pbxproj:
949         * Scripts/postprocess-header-rule: Added.
950
951 2019-04-18  Saam barati  <sbarati@apple.com>
952
953         Remove useConcurrentBarriers option
954         https://bugs.webkit.org/show_bug.cgi?id=197066
955
956         Reviewed by Michael Saboff.
957
958         This isn't a helpful option as it will lead us to crash when using the
959         concurrent GC.
960
961         * dfg/DFGStoreBarrierClusteringPhase.cpp:
962         * dfg/DFGStoreBarrierInsertionPhase.cpp:
963         * jit/AssemblyHelpers.h:
964         (JSC::AssemblyHelpers::barrierStoreLoadFence):
965         * runtime/Options.h:
966
967 2019-04-17  Saam Barati  <sbarati@apple.com>
968
969         Remove deprecated JSScript SPI
970         https://bugs.webkit.org/show_bug.cgi?id=194909
971         <rdar://problem/48283499>
972
973         Reviewed by Keith Miller.
974
975         * API/JSAPIGlobalObject.mm:
976         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
977         * API/JSScript.h:
978         * API/JSScript.mm:
979         (+[JSScript scriptWithSource:inVirtualMachine:]): Deleted.
980         (fillBufferWithContentsOfFile): Deleted.
981         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
982         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
983         (-[JSScript setSourceURL:]): Deleted.
984         * API/JSScriptInternal.h:
985         * API/tests/testapi.mm:
986         (testFetch):
987         (testFetchWithTwoCycle):
988         (testFetchWithThreeCycle):
989         (testLoaderResolvesAbsoluteScriptURL):
990         (testImportModuleTwice):
991         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
992
993 2019-04-17  Keith Rollin  <krollin@apple.com>
994
995         Remove JSCBuiltins.cpp from Copy Headers phase
996         https://bugs.webkit.org/show_bug.cgi?id=196981
997         <rdar://problem/49952133>
998
999         Reviewed by Alex Christensen.
1000
1001         JSCBuiltins.cpp is not a header and so doesn't need to be in the Copy
1002         Headers phase. Checking its history, it seems to have been added
1003         accidentally at the same time that JSCBuiltins.h was added.
1004
1005         * JavaScriptCore.xcodeproj/project.pbxproj:
1006
1007 2019-04-16  Stephan Szabo  <stephan.szabo@sony.com>
1008
1009         [PlayStation] Update port for system library changes
1010         https://bugs.webkit.org/show_bug.cgi?id=196978
1011
1012         Reviewed by Ross Kirsling.
1013
1014         * shell/playstation/Initializer.cpp:
1015         Add reference to new posix compatibility library.
1016
1017 2019-04-16  Robin Morisset  <rmorisset@apple.com>
1018
1019         [WTF] holdLock should be marked WARN_UNUSED_RETURN
1020         https://bugs.webkit.org/show_bug.cgi?id=196922
1021
1022         Reviewed by Keith Miller.
1023
1024         There was one case where holdLock was used and the result ignored.
1025         From a comment that was deleted in https://bugs.webkit.org/attachment.cgi?id=328438&action=prettypatch, I believe that it is on purpose.
1026         So I brought back a variant of the comment, and made the ignoring of the return explicit.
1027
1028         * heap/BlockDirectory.cpp:
1029         (JSC::BlockDirectory::isPagedOut):
1030
1031 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1032
1033         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1034         https://bugs.webkit.org/show_bug.cgi?id=176810
1035
1036         Reviewed by Saam Barati.
1037
1038         This adds conditional logic following the invariant checks, to perform
1039         filtering in common uses of getOwnPropertyNames.
1040
1041         While this would ideally only be done in JSPropertyNameEnumerator, adding
1042         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1043         invariant that the EnumerationMode is properly followed.
1044
1045         This was originally rolled out in r244020, as DontEnum filtering code
1046         in ObjectConstructor.cpp's ownPropertyKeys() had not been removed. It's
1047         now redundant due to being handled in ProxyObject::getOwnPropertyNames().
1048
1049         * runtime/PropertyNameArray.h:
1050         (JSC::PropertyNameArray::reset):
1051         * runtime/ProxyObject.cpp:
1052         (JSC::ProxyObject::performGetOwnPropertyNames):
1053
1054 2019-04-15  Saam barati  <sbarati@apple.com>
1055
1056         Modify how we do SetArgument when we inline varargs calls
1057         https://bugs.webkit.org/show_bug.cgi?id=196712
1058         <rdar://problem/49605012>
1059
1060         Reviewed by Michael Saboff.
1061
1062         When we inline varargs calls, we guarantee that the number of arguments that
1063         go on the stack is somewhere between the "mandatoryMinimum" and the "limit - 1".
1064         However, we can't statically guarantee that the arguments between these two
1065         ranges were filled out by Load/ForwardVarargs. This is because in the general
1066         case we don't know the argument count statically.
1067         
1068         However, we used to always emit SetArgumentDefinitely up to "limit - 1" for
1069         all arguments, even when some arguments aren't guaranteed to be in a valid
1070         state. Emitting these SetArgumentDefinitely nodes was helpful because they let us
1071         handle variable liveness and OSR exit metadata. However, when we converted
1072         to SSA, we ended up emitting a GetStack for each such SetArgumentDefinitely.
1073         
1074         This is wrong, as we can't guarantee such SetArgumentDefinitely nodes are
1075         actually looking at a range of the stack that is guaranteed to be initialized.
1076         This patch introduces a new form of SetArgument node: SetArgumentMaybe. In terms
1077         of OSR exit metadata and variable liveness tracking, it behaves like SetArgumentDefinitely.
1078         
1079         However, it differs in a couple key ways:
1080         1. In ThreadedCPS, GetLocal(@SetArgumentMaybe) is invalid IR, as this implies
1081         you might be loading uninitialized stack. (This same rule applies when you do
1082         the full data flow reachability analysis over CPS Phis.) If someone logically
1083         wanted to emit code like this, the correct node to emit would be GetArgument,
1084         not GetLocal. For similar reasons, PhantomLocal(@SetArgumentMaybe) is also
1085         invalid IR.
1086         2. To track liveness, Flush(@SetArgumentMaybe) is valid, and is the main user
1087         of SetArgumentMaybe.
1088         3. In SSA conversion, we don't lower SetArgumentMaybe to GetStack, as there
1089         should be no data flow user of SetArgumentMaybe.
1090         
1091         SetArgumentDefinitely guarantees that the stack slot is initialized.
1092         SetArgumentMaybe makes no such guarantee.
1093
1094         * dfg/DFGAbstractInterpreterInlines.h:
1095         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1096         * dfg/DFGByteCodeParser.cpp:
1097         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1098         * dfg/DFGCPSRethreadingPhase.cpp:
1099         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1100         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1101         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1102         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1103         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1104         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1105         * dfg/DFGClobberize.h:
1106         (JSC::DFG::clobberize):
1107         * dfg/DFGCommon.h:
1108         * dfg/DFGDoesGC.cpp:
1109         (JSC::DFG::doesGC):
1110         * dfg/DFGFixupPhase.cpp:
1111         (JSC::DFG::FixupPhase::fixupNode):
1112         * dfg/DFGInPlaceAbstractState.cpp:
1113         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1114         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1115         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1116         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1117         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1118         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1119         * dfg/DFGMayExit.cpp:
1120         * dfg/DFGNode.cpp:
1121         (JSC::DFG::Node::hasVariableAccessData):
1122         * dfg/DFGNodeType.h:
1123         * dfg/DFGPhantomInsertionPhase.cpp:
1124         * dfg/DFGPredictionPropagationPhase.cpp:
1125         * dfg/DFGSSAConversionPhase.cpp:
1126         (JSC::DFG::SSAConversionPhase::run):
1127         * dfg/DFGSafeToExecute.h:
1128         (JSC::DFG::safeToExecute):
1129         * dfg/DFGSpeculativeJIT32_64.cpp:
1130         (JSC::DFG::SpeculativeJIT::compile):
1131         * dfg/DFGSpeculativeJIT64.cpp:
1132         (JSC::DFG::SpeculativeJIT::compile):
1133         * dfg/DFGValidate.cpp:
1134         * ftl/FTLCapabilities.cpp:
1135         (JSC::FTL::canCompile):
1136
1137 2019-04-15  Commit Queue  <commit-queue@webkit.org>
1138
1139         Unreviewed, rolling out r243672.
1140         https://bugs.webkit.org/show_bug.cgi?id=196952
1141
1142         [JSValue release] should be thread-safe (Requested by
1143         yusukesuzuki on #webkit).
1144
1145         Reverted changeset:
1146
1147         "[JSC] JSWrapperMap should not use Objective-C Weak map
1148         (NSMapTable with NSPointerFunctionsWeakMemory) for
1149         m_cachedObjCWrappers"
1150         https://bugs.webkit.org/show_bug.cgi?id=196392
1151         https://trac.webkit.org/changeset/243672
1152
1153 2019-04-15  Saam barati  <sbarati@apple.com>
1154
1155         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1156         https://bugs.webkit.org/show_bug.cgi?id=196945
1157         <rdar://problem/49802750>
1158
1159         Reviewed by Filip Pizlo.
1160
1161         * dfg/DFGSafeToExecute.h:
1162         (JSC::DFG::safeToExecute):
1163
1164 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1165
1166         DFG should be able to constant fold Object.create() with a constant prototype operand
1167         https://bugs.webkit.org/show_bug.cgi?id=196886
1168
1169         Reviewed by Yusuke Suzuki.
1170
1171
1172         It is a fairly simple and limited patch, as it only works when the DFG can prove the exact object used as prototype.
1173         But when it applies it can be a significant win:
1174                                                         Baseline                   Optim                                       
1175         object-create-constant-prototype              3.6082+-0.0979     ^      1.6947+-0.0756        ^ definitely 2.1292x faster
1176         object-create-null                           11.4492+-0.2510     ?     11.5030+-0.2402        ?
1177         object-create-unknown-object-prototype       15.6067+-0.1851     ?     15.7500+-0.2322        ?
1178         object-create-untyped-prototype               8.8873+-0.1240     ?      8.9806+-0.1202        ? might be 1.0105x slower
1179         <geometric>                                   8.6967+-0.1208     ^      7.2408+-0.1367        ^ definitely 1.2011x faster
1180
1181         The only subtlety is that we need to access the StructureCache concurrently from the compiler thread (see https://bugs.webkit.org/show_bug.cgi?id=186199)
1182         I solved this with a simple lock, taken when the compiler thread tries to read it, and when the main thread tries to modify it.
1183         I expect it to be extremely low contention, but will watch the bots just in case.
1184         The lock is taken neither when the main thread is only reading the cache (it has no-one to race with), nor when the GC purges it of dead entries (it does not free anything while a compiler thread is in the middle of a phase).
1185
1186         * dfg/DFGAbstractInterpreterInlines.h:
1187         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1188         * dfg/DFGConstantFoldingPhase.cpp:
1189         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1190         * runtime/StructureCache.cpp:
1191         (JSC::StructureCache::createEmptyStructure):
1192         (JSC::StructureCache::tryEmptyObjectStructureForPrototypeFromCompilerThread):
1193         * runtime/StructureCache.h:
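
The lock discipline this entry describes, as an added example that is not JSC's StructureCache: `PrototypeStructureCache` is a constructed stand-in with integer keys in place of prototype objects. The compiler-thread lookup always takes the lock and only observes; the main thread, being the sole writer, reads unlocked and locks only around the insertion; and `purge` runs unlocked on the entry's stated assumption that no compiler thread is in the middle of a phase:

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <unordered_map>
#include <utility>

// Stand-in for the empty Structure created for a given prototype.
struct Structure {
    uint64_t prototypeKey;
};

class PrototypeStructureCache {
public:
    // Main thread only. It is the only writer, so its own lookup needs no lock;
    // the lock covers just the insertion a compiler thread could be racing.
    Structure* emptyStructureForPrototype(uint64_t prototypeKey)
    {
        auto it = m_map.find(prototypeKey);
        if (it != m_map.end())
            return it->second.get();
        std::unique_ptr<Structure> created(new Structure { prototypeKey });
        Structure* result = created.get();
        std::lock_guard<std::mutex> locker(m_lock);
        m_map.emplace(prototypeKey, std::move(created));
        return result;
    }

    // Compiler thread. Holds the lock for the whole lookup and never creates
    // an entry: a miss is reported as nullptr and the fold simply does not apply.
    Structure* tryEmptyStructureForPrototypeFromCompilerThread(uint64_t prototypeKey)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        auto it = m_map.find(prototypeKey);
        return it == m_map.end() ? nullptr : it->second.get();
    }

    // GC sweep of dead entries. Runs unlocked because, as the entry states, the
    // collector does not free anything while a compiler thread is mid-phase.
    // `isDead` is a caller-supplied predicate over the prototype key.
    template<typename Predicate>
    size_t purge(Predicate isDead)
    {
        size_t removed = 0;
        for (auto it = m_map.begin(); it != m_map.end();) {
            if (isDead(it->first)) {
                it = m_map.erase(it);
                ++removed;
            } else
                ++it;
        }
        return removed;
    }

    size_t size() const { return m_map.size(); }

private:
    std::mutex m_lock;
    std::unordered_map<uint64_t, std::unique_ptr<Structure>> m_map;
};
```

The point of the asymmetry is that a reader needs a lock only against a concurrent writer: the main thread never races itself, so only the one path that mutates the map while a compiler thread might be reading has to pay for the lock.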
1194
1195 2019-04-15  Devin Rousso  <drousso@apple.com>
1196
1197         Web Inspector: fake value descriptors for promises add a catch handler, preventing "rejectionhandled" events from being fired
1198         https://bugs.webkit.org/show_bug.cgi?id=196484
1199         <rdar://problem/49114725>
1200
1201         Reviewed by Joseph Pecoraro.
1202
1203         Only add a catch handler when the promise is reachable via a native getter and is known to
1204         have rejected. A non-rejected promise doesn't need a catch handler, and any promise that
1205         isn't reachable via a getter won't actually be reached, as `InjectedScript` doesn't call any
1206         functions, instead only getting the function object itself.
1207
1208         * inspector/InjectedScriptSource.js:
1209         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
1210
1211         * inspector/JSInjectedScriptHost.h:
1212         * inspector/JSInjectedScriptHost.cpp:
1213         (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): Added.
1214         * inspector/JSInjectedScriptHostPrototype.cpp:
1215         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1216         (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): Added.
1217
1218         * runtime/ErrorInstance.h:
1219         (JSC::ErrorInstance::setNativeGetterTypeError): Added.
1220         (JSC::ErrorInstance::isNativeGetterTypeError const): Added.
1221
1222         * runtime/Error.h:
1223         (JSC::throwVMGetterTypeError): Added.
1224         * runtime/Error.cpp:
1225         (JSC::createGetterTypeError): Added.
1226         (JSC::throwGetterTypeError): Added.
1227         (JSC::throwDOMAttributeGetterTypeError):
1228
1229 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1230
1231         B3::Value should have different kinds of adjacency lists
1232         https://bugs.webkit.org/show_bug.cgi?id=196091
1233
1234         Reviewed by Filip Pizlo.
1235
1236         The key idea of this optimization is to replace the Vector<Value*, 3> m_children in B3::Value (40 bytes on 64-bits platform) by one of the following:
1237         - Nothing (0 bytes)
1238         - 1 Value* (8 bytes)
1239         - 2 Value* (16 bytes)
1240         - 3 Value* (24 bytes)
1241         - A Vector<Value*, 3>
1242         after the end of the Value object, depending on the kind of the Value.
1243         So for example, when allocating an Add, we would allocate an extra 16 bytes into which to store 2 Values.
1244         This would halve the memory consumption of Const64/Const32/Nop/Identity and a bunch more kinds of values, and reduce by a more moderate amount the memory consumption of the rest of non-varargs values (e.g. Add would go from 72 to 48 bytes).
1245
1246         A few implementation points:
1247         - Even if there are no children, we must remember to allocate at least enough space for replaceWithIdentity to work later. It needs sizeof(Value) (for the object itself) + sizeof(Value*) (for the pointer to its child)
1248         - We must make sure to destroy the vector whenever we destroy a Value which is VarArgs
1249         - We must remember how many elements there are in the case where we did not allocate a Vector. We cannot do it purely by relying on the kind, both for speed reasons and because Return can have either 0 or 1 argument in B3
1250           Thankfully, we have an extra byte of padding to use in the middle of B3::Value
1251         - In order to support clone(), we must have a separate version of allocate, which extracts the opcode from the to-be-cloned object instead of from the call to the constructor
1252         - Speaking of which, we need a special templated function opcodeFromConstructor, because some of the constructors of subclasses of Value don't take an explicit Opcode as argument, typically because they match a single one.
1253         - To maximize performance, we provide specialized versions of child/lastChild/numChildren/children in the subclasses of Value, skipping checks when the actual type of the Value is already known.
1254           This is done through the B3_SPECIALIZE_VALUE_FOR_... defined at the bottom of B3Value.h
1255         - In the constructors of Value, we convert all extra children arguments to Value* eagerly. It is not required for correctness (they will be converted when put into a Vector<Value*> or a Value* in the end), but it helps limit an explosion in the number of template instantiations.
1256         - I moved DeepValueDump::dump from the .h to the .cpp, as there is no good reason to inline it, and recompiling JSC is already slow enough
1257
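The trailing-children layout the points above describe, as an added example that is not JSC's B3::Value: `Node` is a constructed stand-in whose child pointers live in the same allocation right after the object, with the count kept in a byte a fuller header would have as padding, a std::vector placed in the same trailing space for the variadic kind (which must be destroyed explicitly), and at least one slot reserved so that replaceWithIdentity() always fits:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <new>
#include <vector>

class alignas(void*) Node {
public:
    enum Kind : uint8_t { Const, Identity, Add, Call }; // Call is the variadic kind
    using ChildVector = std::vector<Node*>;

    static bool isVarArgs(Kind kind) { return kind == Call; }

    // Bytes to allocate: the object plus either a vector (variadic) or N inline
    // slots, never fewer than one slot, so replaceWithIdentity() always has room.
    static size_t allocationSize(Kind kind, size_t numChildren)
    {
        size_t trailing = isVarArgs(kind)
            ? sizeof(ChildVector)
            : std::max<size_t>(1, numChildren) * sizeof(Node*);
        return sizeof(Node) + trailing;
    }

    // One allocation holds the header and its children; the children are
    // filled in right after placement-constructing the header.
    static Node* create(Kind kind, std::initializer_list<Node*> children)
    {
        void* memory = ::operator new(allocationSize(kind, children.size()));
        uint8_t inlineCount = isVarArgs(kind) ? 0 : static_cast<uint8_t>(children.size());
        Node* node = new (memory) Node(kind, inlineCount);
        if (isVarArgs(kind)) {
            new (node->vectorStorage()) ChildVector(children);
        } else {
            size_t i = 0;
            for (Node* child : children)
                node->inlineSlots()[i++] = child;
        }
        return node;
    }

    // The trailing vector owns heap memory and must be destroyed explicitly
    // before the block is released; inline slots need no cleanup.
    static void destroy(Node* node)
    {
        if (isVarArgs(node->m_kind))
            node->vectorStorage()->~ChildVector();
        node->~Node();
        ::operator delete(node);
    }

    Kind kind() const { return m_kind; }
    size_t numChildren() const { return isVarArgs(m_kind) ? vectorStorage()->size() : m_numChildren; }
    Node* child(size_t i) const { return isVarArgs(m_kind) ? (*vectorStorage())[i] : inlineSlots()[i]; }

    // Rewrite this node in place as Identity(@replacement). Valid for every kind:
    // allocationSize() reserved at least one slot, and a vector is larger than one.
    void replaceWithIdentity(Node* replacement)
    {
        if (isVarArgs(m_kind))
            vectorStorage()->~ChildVector();
        m_kind = Identity;
        m_numChildren = 1;
        inlineSlots()[0] = replacement;
    }

private:
    Node(Kind kind, uint8_t numChildren) : m_kind(kind), m_numChildren(numChildren) { }

    // The trailing storage starts immediately after the header.
    Node** inlineSlots() { return reinterpret_cast<Node**>(this + 1); }
    Node* const* inlineSlots() const { return reinterpret_cast<Node* const*>(this + 1); }
    ChildVector* vectorStorage() { return reinterpret_cast<ChildVector*>(this + 1); }
    const ChildVector* vectorStorage() const { return reinterpret_cast<const ChildVector*>(this + 1); }

    Kind m_kind;
    uint8_t m_numChildren; // meaningful only for the inline layouts
};

// The trailing pointers are only correctly aligned if the header's size is a
// multiple of the pointer alignment; alignas(void*) on the class guarantees it.
static_assert(sizeof(Node) % alignof(Node*) == 0, "trailing children must be pointer-aligned");
```

The two invariants worth checking in a layout like this are exactly the ones the entry lists: the header size must keep the trailing slots aligned (the static_assert), and every path that changes a node's kind away from the variadic one (destroy, replaceWithIdentity) must run the vector's destructor first.
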
1258         * JavaScriptCore.xcodeproj/project.pbxproj:
1259         * b3/B3ArgumentRegValue.cpp:
1260         (JSC::B3::ArgumentRegValue::cloneImpl const): Deleted.
1261         * b3/B3ArgumentRegValue.h:
1262         * b3/B3AtomicValue.cpp:
1263         (JSC::B3::AtomicValue::AtomicValue):
1264         (JSC::B3::AtomicValue::cloneImpl const): Deleted.
1265         * b3/B3AtomicValue.h:
1266         * b3/B3BasicBlock.h:
1267         * b3/B3BasicBlockInlines.h:
1268         (JSC::B3::BasicBlock::appendNewNonTerminal): Deleted.
1269         * b3/B3CCallValue.cpp:
1270         (JSC::B3::CCallValue::appendArgs):
1271         (JSC::B3::CCallValue::cloneImpl const): Deleted.
1272         * b3/B3CCallValue.h:
1273         * b3/B3CheckValue.cpp:
1274         (JSC::B3::CheckValue::cloneImpl const): Deleted.
1275         * b3/B3CheckValue.h:
1276         * b3/B3Const32Value.cpp:
1277         (JSC::B3::Const32Value::cloneImpl const): Deleted.
1278         * b3/B3Const32Value.h:
1279         * b3/B3Const64Value.cpp:
1280         (JSC::B3::Const64Value::cloneImpl const): Deleted.
1281         * b3/B3Const64Value.h:
1282         * b3/B3ConstDoubleValue.cpp:
1283         (JSC::B3::ConstDoubleValue::cloneImpl const): Deleted.
1284         * b3/B3ConstDoubleValue.h:
1285         * b3/B3ConstFloatValue.cpp:
1286         (JSC::B3::ConstFloatValue::cloneImpl const): Deleted.
1287         * b3/B3ConstFloatValue.h:
1288         * b3/B3ConstPtrValue.h:
1289         (JSC::B3::ConstPtrValue::opcodeFromConstructor):
1290         * b3/B3FenceValue.cpp:
1291         (JSC::B3::FenceValue::FenceValue):
1292         (JSC::B3::FenceValue::cloneImpl const): Deleted.
1293         * b3/B3FenceValue.h:
1294         * b3/B3MemoryValue.cpp:
1295         (JSC::B3::MemoryValue::MemoryValue):
1296         (JSC::B3::MemoryValue::cloneImpl const): Deleted.
1297         * b3/B3MemoryValue.h:
1298         * b3/B3MoveConstants.cpp:
1299         * b3/B3PatchpointValue.cpp:
1300         (JSC::B3::PatchpointValue::cloneImpl const): Deleted.
1301         * b3/B3PatchpointValue.h:
1302         (JSC::B3::PatchpointValue::opcodeFromConstructor):
1303         * b3/B3Procedure.cpp:
1304         * b3/B3Procedure.h:
1305         * b3/B3ProcedureInlines.h:
1306         (JSC::B3::Procedure::add):
1307         * b3/B3SlotBaseValue.cpp:
1308         (JSC::B3::SlotBaseValue::cloneImpl const): Deleted.
1309         * b3/B3SlotBaseValue.h:
1310         * b3/B3StackmapSpecial.cpp:
1311         (JSC::B3::StackmapSpecial::forEachArgImpl):
1312         (JSC::B3::StackmapSpecial::isValidImpl):
1313         * b3/B3StackmapValue.cpp:
1314         (JSC::B3::StackmapValue::append):
1315         (JSC::B3::StackmapValue::StackmapValue):
1316         * b3/B3StackmapValue.h:
1317         * b3/B3SwitchValue.cpp:
1318         (JSC::B3::SwitchValue::SwitchValue):
1319         (JSC::B3::SwitchValue::cloneImpl const): Deleted.
1320         * b3/B3SwitchValue.h:
1321         (JSC::B3::SwitchValue::opcodeFromConstructor):
1322         * b3/B3UpsilonValue.cpp:
1323         (JSC::B3::UpsilonValue::cloneImpl const): Deleted.
1324         * b3/B3UpsilonValue.h:
1325         * b3/B3Value.cpp:
1326         (JSC::B3::DeepValueDump::dump const):
1327         (JSC::B3::Value::~Value):
1328         (JSC::B3::Value::replaceWithIdentity):
1329         (JSC::B3::Value::replaceWithNopIgnoringType):
1330         (JSC::B3::Value::replaceWithPhi):
1331         (JSC::B3::Value::replaceWithJump):
1332         (JSC::B3::Value::replaceWithOops):
1333         (JSC::B3::Value::replaceWith):
1334         (JSC::B3::Value::invertedCompare const):
1335         (JSC::B3::Value::returnsBool const):
1336         (JSC::B3::Value::cloneImpl const): Deleted.
1337         * b3/B3Value.h:
1338         (JSC::B3::DeepValueDump::dump const): Deleted.
1339         * b3/B3ValueInlines.h:
1340         (JSC::B3::Value::adjacencyListOffset const):
1341         (JSC::B3::Value::cloneImpl const):
1342         * b3/B3VariableValue.cpp:
1343         (JSC::B3::VariableValue::VariableValue):
1344         (JSC::B3::VariableValue::cloneImpl const): Deleted.
1345         * b3/B3VariableValue.h:
1346         * b3/B3WasmAddressValue.cpp:
1347         (JSC::B3::WasmAddressValue::WasmAddressValue):
1348         (JSC::B3::WasmAddressValue::cloneImpl const): Deleted.
1349         * b3/B3WasmAddressValue.h:
1350         * b3/B3WasmBoundsCheckValue.cpp:
1351         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1352         (JSC::B3::WasmBoundsCheckValue::cloneImpl const): Deleted.
1353         * b3/B3WasmBoundsCheckValue.h:
1354         (JSC::B3::WasmBoundsCheckValue::accepts):
1355         (JSC::B3::WasmBoundsCheckValue::opcodeFromConstructor):
1356         * b3/testb3.cpp:
1357         (JSC::B3::testCallFunctionWithHellaArguments):
1358         (JSC::B3::testCallFunctionWithHellaArguments2):
1359         (JSC::B3::testCallFunctionWithHellaArguments3):
1360         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
1361         (JSC::B3::testCallFunctionWithHellaFloatArguments):
1362         * ftl/FTLOutput.h:
1363         (JSC::FTL::Output::call):
1364
1365 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1366
1367         Bytecode cache should not encode the SourceProvider for UnlinkedFunctionExecutable's classSource
1368         https://bugs.webkit.org/show_bug.cgi?id=196878
1369
1370         Reviewed by Saam Barati.
1371
1372         Every time we encode an (Unlinked)SourceCode, we encode its SourceProvider,
1373         including the full source if it's a StringSourceProvider. This wasn't an issue,
1374         since the SourceCode contains a RefPtr to the SourceProvider, and the Encoder
1375         would avoid encoding the provider multiple times. With the addition of the
1376         incremental cache, each UnlinkedFunctionCodeBlock is encoded in isolation, which
1377         means we can no longer deduplicate it and the full program text was being encoded
1378         multiple times in the cache.
1379         As a workaround, this patch adds a custom cached type for encoding the SourceCode
1380         without its provider, and later injects the SourceProvider through the Decoder.
1381
1382         * parser/SourceCode.h:
1383         * parser/UnlinkedSourceCode.h:
1384         (JSC::UnlinkedSourceCode::provider const):
1385         * runtime/CachedTypes.cpp:
1386         (JSC::Decoder::Decoder):
1387         (JSC::Decoder::create):
1388         (JSC::Decoder::provider const):
1389         (JSC::CachedSourceCodeWithoutProvider::encode):
1390         (JSC::CachedSourceCodeWithoutProvider::decode const):
1391         (JSC::decodeCodeBlockImpl):
1392         * runtime/CachedTypes.h:
1393
1394 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1395
1396         MarkedSpace.cpp is not in the Xcode workspace
1397         https://bugs.webkit.org/show_bug.cgi?id=196928
1398
1399         Reviewed by Saam Barati.
1400
1401         * JavaScriptCore.xcodeproj/project.pbxproj:
1402
1403 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1404
1405         Incremental bytecode cache should not append function updates when loaded from memory
1406         https://bugs.webkit.org/show_bug.cgi?id=196865
1407
1408         Reviewed by Filip Pizlo.
1409
1410         Function updates hold the assumption that a function can only be executed/cached
1411         after its containing code block has already been cached. This assumption does
1412         not hold if the UnlinkedCodeBlock is loaded from memory by the CodeCache, since
1413         we might have two independent SourceProviders executing different paths of the
1414         code and causing the same UnlinkedCodeBlock to be modified in memory.
1415         Use a RefPtr instead of Ref for m_cachedBytecode in ShellSourceProvider to distinguish
1416         between a new, empty cache and a cache that was not loaded and therefore cannot be updated.
1417
1418         * jsc.cpp:
1419         (ShellSourceProvider::ShellSourceProvider):
1420
1421 2019-04-15  Saam barati  <sbarati@apple.com>
1422
1423         mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
1424         https://bugs.webkit.org/show_bug.cgi?id=196918
1425
1426         Reviewed by Yusuke Suzuki.
1427
1428         r244238 led to some debug failures because we were calling checkConsistency()
1429         before doing fixTypeForRepresentation when merging in must handle values in
1430         CFA. This patch fixes that.
1431         
1432         However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
1433         was possible it could merge in a value/type outside of the variable's flushed type.
1434         Once the flush format types are locked in, we can't introduce a type out of
1435         that range. This probably never led to any crashes as our profiling injection
1436         and speculation decision code is solid. However, what we were doing is clearly
1437         wrong, and something a fuzzer could have found if we fuzzed the must handle
1438         values inside prediction injection. We should do that fuzzing:
1439         https://bugs.webkit.org/show_bug.cgi?id=196924
1440
1441         * dfg/DFGAbstractValue.cpp:
1442         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1443         * dfg/DFGAbstractValue.h:
1444         * dfg/DFGCFAPhase.cpp:
1445         (JSC::DFG::CFAPhase::injectOSR):
1446
1447 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1448
1449         Several structures and enums in the Yarr interpreter can be shrunk
1450         https://bugs.webkit.org/show_bug.cgi?id=196923
1451
1452         Reviewed by Saam Barati.
1453
1454         YarrOp: 88 -> 80
1455         RegularExpression: 40 -> 32
1456         ByteTerm: 56 -> 48
1457         PatternTerm: 56 -> 48
1458
1459         * yarr/RegularExpression.cpp:
1460         * yarr/YarrInterpreter.h:
1461         * yarr/YarrJIT.cpp:
1462         (JSC::Yarr::YarrGenerator::YarrOp::YarrOp):
1463         * yarr/YarrParser.h:
1464         * yarr/YarrPattern.h:
1465
1466 2019-04-15  Devin Rousso  <drousso@apple.com>
1467
1468         Web Inspector: REGRESSION(r244172): crash when trying to add extra domain while inspecting JSContext
1469         https://bugs.webkit.org/show_bug.cgi?id=196925
1470         <rdar://problem/49873994>
1471
1472         Reviewed by Joseph Pecoraro.
1473
1474         Move the logic for creating the `InspectorAgent` and `InspectorDebuggerAgent` into separate
1475         functions so that callers can be guaranteed to have a valid instance of the agent.
1476
1477         * inspector/JSGlobalObjectInspectorController.h:
1478         * inspector/JSGlobalObjectInspectorController.cpp:
1479         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1480         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1481         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1482         (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): Added.
1483         (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): Added.
1484         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
1485
1486 2019-04-14  Don Olmstead  <don.olmstead@sony.com>
1487
1488         [CMake] JavaScriptCore derived sources should only be referenced inside JavaScriptCore
1489         https://bugs.webkit.org/show_bug.cgi?id=196742
1490
1491         Reviewed by Konstantin Tokarev.
1492
1493         Migrate to using JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_JAVASCRIPTCORE_DIR
1494         to support moving the JavaScriptCore derived sources outside of a shared directory.
1495
1496         Also use JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_DIR.
1497
1498         * CMakeLists.txt:
1499
1500 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
1501
1502         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
1503         https://bugs.webkit.org/show_bug.cgi?id=196880
1504
1505         Reviewed by Yusuke Suzuki.
1506
1507         CodeCache should not tell the SourceProvider to cache the bytecode if it failed
1508         to create the UnlinkedCodeBlock.
1509
1510         * runtime/CodeCache.cpp:
1511         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1512
1513 2019-04-12  Saam barati  <sbarati@apple.com>
1514
1515         r244079 logically broke shouldSpeculateInt52
1516         https://bugs.webkit.org/show_bug.cgi?id=196884
1517
1518         Reviewed by Yusuke Suzuki.
1519
1520         In r244079, I changed shouldSpeculateInt52 to only return true
1521         when the prediction is isAnyInt52Speculation(). However, it was
1522         wrong not to include SpecInt32 in this for two reasons:
1523
1524         1. We diligently write code that first checks if we should speculate Int32.
1525         For example:
1526         if (shouldSpeculateInt32()) ... 
1527         else if (shouldSpeculateInt52()) ...
1528
1529         It would be wrong not to fall back to Int52 if we're dealing with the union of
1530         Int32 and Int52.
1531
1532         It would be a performance mistake to not include Int32 here because
1533         data flow can easily tell us that we have variables that are the union
1534         of Int32 and Int52 values. It's better to speculate Int52 than Double
1535         in that situation.
1536
1537         2. We also write code where we ask if the inputs can be Int52, e.g, if
1538         we know via profiling that an Add overflows, we may not emit an Int32 add.
1539         However, we only emit such an add if both inputs can be Int52, and Int32
1540         can trivially become Int52.
1541
1542         This patch recovers the 0.5-1% regression r244079 caused on JetStream 2.
1543
1544         * bytecode/SpeculatedType.h:
1545         (JSC::isInt32SpeculationForArithmetic):
1546         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1547         (JSC::isInt32OrInt52Speculation):
1548         * dfg/DFGFixupPhase.cpp:
1549         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1550         * dfg/DFGNode.h:
1551         (JSC::DFG::Node::shouldSpeculateInt52):
1552         * dfg/DFGPredictionPropagationPhase.cpp:
1553         * dfg/DFGVariableAccessData.cpp:
1554         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
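
        Added example (not JavaScriptCore code and not part of this ChangeLog): a toy
        speculation lattice that reproduces the reasoning above. With a predicate that
        only accepts "already Int52" predictions, a variable whose profile is the union
        of boxed Int32 and Int52 values falls through to the Double path; with the
        isInt32OrInt52Speculation form it is speculated as Int52, and an Add whose two
        inputs are Int32 and Int52 is accepted because Int32 widens to Int52 trivially.
        The bit assignments, the SpecDoubleReal/SpecString placeholders and the
        chooseArithUse/bothInputsCanBeInt52 helpers are assumptions for illustration,
        not JSC's real SpeculatedType definitions.

```cpp
// Added example, not JavaScriptCore code. The bit layout below is an assumed
// simplification of JSC's SpeculatedType for illustration only.
#include <cstdint>

namespace Example {

using SpeculatedType = uint32_t;

constexpr SpeculatedType SpecInt32Only       = 1u << 0; // boxed int32 JSValues
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 1; // int32-range values held as Int52
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 2; // int52 values outside int32 range
constexpr SpeculatedType SpecDoubleReal      = 1u << 3; // assumed: other real doubles
constexpr SpeculatedType SpecString          = 1u << 4; // assumed: a non-numeric type

constexpr SpeculatedType SpecInt52Any   = SpecInt32AsInt52 | SpecNonInt32AsInt52;
constexpr SpeculatedType SpecFullNumber = SpecInt32Only | SpecInt52Any | SpecDoubleReal;

// A prediction "is X" when it is non-empty and every observed type lies within X.
inline bool isSubset(SpeculatedType prediction, SpeculatedType allowed)
{
    return prediction && !(prediction & ~allowed);
}

inline bool isInt32Speculation(SpeculatedType p) { return isSubset(p, SpecInt32Only); }

// The r244079 form: only predictions made purely of Int52-format values qualify,
// so a union with boxed Int32 is rejected.
inline bool isAnyInt52Speculation(SpeculatedType p) { return isSubset(p, SpecInt52Any); }

// The form the fix introduces: boxed Int32, Int52, or the union of both.
inline bool isInt32OrInt52Speculation(SpeculatedType p)
{
    return isSubset(p, SpecInt32Only | SpecInt52Any);
}

inline bool isFullNumberSpeculation(SpeculatedType p) { return isSubset(p, SpecFullNumber); }

enum class Use { Int32, Int52, Double, Generic };

// The "first Int32, then Int52, then Double" decision chain from the entry above,
// parameterised on which Int52 predicate is used so both behaviours can be compared.
inline Use chooseArithUse(SpeculatedType p, bool strictInt52)
{
    if (isInt32Speculation(p))
        return Use::Int32;
    if (strictInt52 ? isAnyInt52Speculation(p) : isInt32OrInt52Speculation(p))
        return Use::Int52;
    if (isFullNumberSpeculation(p))
        return Use::Double;
    return Use::Generic;
}

// Can both inputs of an overflowing Add be treated as Int52? Int32 widens trivially.
inline bool bothInputsCanBeInt52(SpeculatedType left, SpeculatedType right)
{
    return isInt32OrInt52Speculation(left) && isInt32OrInt52Speculation(right);
}

} // namespace Example
```

        The union case (SpecInt32Only | SpecNonInt32AsInt52) is the one that matters:
        the strict predicate sends it to Double, the widened one keeps it on Int52.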
1555
1556 2019-04-12  Saam barati  <sbarati@apple.com>
1557
1558         Unreviewed. Build fix after r244233.
1559
1560         * assembler/CPU.cpp:
1561
1562 2019-04-12  Saam barati  <sbarati@apple.com>
1563
1564         Sometimes we need to use fewer CPUs in our threading calculations
1565         https://bugs.webkit.org/show_bug.cgi?id=196794
1566         <rdar://problem/49389497>
1567
1568         Reviewed by Yusuke Suzuki.
1569
1570         * JavaScriptCore.xcodeproj/project.pbxproj:
1571         * Sources.txt:
1572         * assembler/CPU.cpp: Added.
1573         (JSC::isKernTCSMAvailable):
1574         (JSC::enableKernTCSM):
1575         (JSC::kernTCSMAwareNumberOfProcessorCores):
1576         * assembler/CPU.h:
1577         (JSC::isKernTCSMAvailable):
1578         (JSC::enableKernTCSM):
1579         (JSC::kernTCSMAwareNumberOfProcessorCores):
1580         * heap/MachineStackMarker.h:
1581         (JSC::MachineThreads::addCurrentThread):
1582         * runtime/JSLock.cpp:
1583         (JSC::JSLock::didAcquireLock):
1584         * runtime/Options.cpp:
1585         (JSC::computeNumberOfWorkerThreads):
1586         (JSC::computePriorityDeltaOfWorkerThreads):
1587         * wasm/WasmWorklist.cpp:
1588         (JSC::Wasm::Worklist::Worklist):
1589
1590 2019-04-12  Robin Morisset  <rmorisset@apple.com>
1591
1592         Use padding at end of ArrayBuffer
1593         https://bugs.webkit.org/show_bug.cgi?id=196823
1594
1595         Reviewed by Filip Pizlo.
1596
1597         * runtime/ArrayBuffer.h:
1598
1599 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
1600
1601         [JSC] op_has_indexed_property should not assume subscript part is Uint32
1602         https://bugs.webkit.org/show_bug.cgi?id=196850
1603
1604         Reviewed by Saam Barati.
1605
1606         op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
1607         the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
1608         In this patch, instead, we check it with isAnyInt and get a uint32_t from the AnyInt.
1609
1610         * jit/JITOpcodes.cpp:
1611         (JSC::JIT::emit_op_has_indexed_property):
1612         * jit/JITOpcodes32_64.cpp:
1613         (JSC::JIT::emit_op_has_indexed_property):
1614         * jit/JITOperations.cpp:
1615         * runtime/CommonSlowPaths.cpp:
1616         (JSC::SLOW_PATH_DECL):
1617
1618 2019-04-11  Saam barati  <sbarati@apple.com>
1619
1620         Remove invalid assertion in operationInstanceOfCustom
1621         https://bugs.webkit.org/show_bug.cgi?id=196842
1622         <rdar://problem/49725493>
1623
1624         Reviewed by Michael Saboff.
1625
1626         In the generated JIT code, we go to the slow path when the incoming function
1627         isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
1628         in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
1629         functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
1630         inlining across global objects as exec->lexicalGlobalObject() uses the machine
1631         frame for procuring the global object. There is no harm when this assertion fails
1632         as we just execute the slow path. This patch removes the assertion. (However, this
1633         does shed light on the deficiency in our exec->lexicalGlobalObject() function with
1634         respect to inlining. However, this isn't new -- we've known about this for a while.)
1635
1636         * jit/JITOperations.cpp:
1637
1638 2019-04-11  Michael Saboff  <msaboff@apple.com>
1639
1640         Improve the Inline Cache Stats code
1641         https://bugs.webkit.org/show_bug.cgi?id=196836
1642
1643         Reviewed by Saam Barati.
1644
1645         Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
1646         and InstanceOfReplaceWithJump.
1647
1648         Added the ability to log the location of a GetBy and PutBy property as either on self or up the
1649         prototype chain.
1650
1651         * jit/ICStats.cpp:
1652         (JSC::ICEvent::operator< const):
1653         (JSC::ICEvent::dump const):
1654         * jit/ICStats.h:
1655         (JSC::ICEvent::ICEvent):
1656         (JSC::ICEvent::hash const):
1657         * jit/JITOperations.cpp:
1658         * jit/Repatch.cpp:
1659         (JSC::tryCacheGetByID):
1660         (JSC::tryCachePutByID):
1661         (JSC::tryCacheInByID):
1662
1663 2019-04-11  Devin Rousso  <drousso@apple.com>
1664
1665         Web Inspector: Timelines: can't reliably stop/start a recording
1666         https://bugs.webkit.org/show_bug.cgi?id=196778
1667         <rdar://problem/47606798>
1668
1669         Reviewed by Timothy Hatcher.
1670
1671         * inspector/protocol/ScriptProfiler.json:
1672         * inspector/protocol/Timeline.json:
1673         It is possible to determine when programmatic capturing starts/stops in the frontend based
1674         on the state when the backend causes the state to change, such as if the state is "inactive"
1675         when the frontend is told that the backend has started capturing.
1676
1677         * inspector/protocol/CPUProfiler.json:
1678         * inspector/protocol/Memory.json:
1679         Send an end timestamp to match other instruments.
1680
1681         * inspector/JSGlobalObjectConsoleClient.cpp:
1682         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
1683         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
1684
1685         * inspector/agents/InspectorScriptProfilerAgent.h:
1686         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1687         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1688         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
1689         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
1690
1691 2019-04-11  Saam barati  <sbarati@apple.com>
1692
1693         Rename SetArgument to SetArgumentDefinitely
1694         https://bugs.webkit.org/show_bug.cgi?id=196828
1695
1696         Reviewed by Yusuke Suzuki.
1697
1698         This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
1699         where we will introduce a node named SetArgumentMaybe. Doing this refactoring
1700         first will make reviewing that other patch easier.
1701
1702         * dfg/DFGAbstractInterpreterInlines.h:
1703         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1704         * dfg/DFGByteCodeParser.cpp:
1705         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1706         (JSC::DFG::ByteCodeParser::parseBlock):
1707         * dfg/DFGCPSRethreadingPhase.cpp:
1708         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1709         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1710         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1711         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1712         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1713         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1714         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1715         * dfg/DFGClobberize.h:
1716         (JSC::DFG::clobberize):
1717         * dfg/DFGCommon.h:
1718         * dfg/DFGDoesGC.cpp:
1719         (JSC::DFG::doesGC):
1720         * dfg/DFGFixupPhase.cpp:
1721         (JSC::DFG::FixupPhase::fixupNode):
1722         * dfg/DFGGraph.cpp:
1723         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1724         * dfg/DFGGraph.h:
1725         * dfg/DFGInPlaceAbstractState.cpp:
1726         (JSC::DFG::InPlaceAbstractState::initialize):
1727         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1728         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1729         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1730         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1731         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1732         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1733         * dfg/DFGMayExit.cpp:
1734         * dfg/DFGNode.cpp:
1735         (JSC::DFG::Node::hasVariableAccessData):
1736         * dfg/DFGNode.h:
1737         (JSC::DFG::Node::convertPhantomToPhantomLocal):
1738         * dfg/DFGNodeType.h:
1739         * dfg/DFGOSREntrypointCreationPhase.cpp:
1740         (JSC::DFG::OSREntrypointCreationPhase::run):
1741         * dfg/DFGPhantomInsertionPhase.cpp:
1742         * dfg/DFGPredictionPropagationPhase.cpp:
1743         * dfg/DFGSSAConversionPhase.cpp:
1744         (JSC::DFG::SSAConversionPhase::run):
1745         * dfg/DFGSafeToExecute.h:
1746         (JSC::DFG::safeToExecute):
1747         * dfg/DFGSpeculativeJIT.cpp:
1748         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1749         * dfg/DFGSpeculativeJIT32_64.cpp:
1750         (JSC::DFG::SpeculativeJIT::compile):
1751         * dfg/DFGSpeculativeJIT64.cpp:
1752         (JSC::DFG::SpeculativeJIT::compile):
1753         * dfg/DFGTypeCheckHoistingPhase.cpp:
1754         (JSC::DFG::TypeCheckHoistingPhase::run):
1755         * dfg/DFGValidate.cpp:
1756         * ftl/FTLCapabilities.cpp:
1757         (JSC::FTL::canCompile):
1758
1759 2019-04-11  Truitt Savell  <tsavell@apple.com>
1760
1761         Unreviewed, rolling out r244158.
1762
1763         Caused 8 inspector/timeline/ test failures.
1764
1765         Reverted changeset:
1766
1767         "Web Inspector: Timelines: can't reliably stop/start a
1768         recording"
1769         https://bugs.webkit.org/show_bug.cgi?id=196778
1770         https://trac.webkit.org/changeset/244158
1771
1772 2019-04-10  Saam Barati  <sbarati@apple.com>
1773
1774         AbstractValue::validateOSREntryValue is wrong for Int52 constants
1775         https://bugs.webkit.org/show_bug.cgi?id=196801
1776         <rdar://problem/49771122>
1777
1778         Reviewed by Yusuke Suzuki.
1779
1780         validateOSREntryValue should not care about the format of the incoming
1781         value for Int52s. This patch normalizes the format of m_value and
1782         the incoming value when comparing them.
1783
1784         * dfg/DFGAbstractValue.h:
1785         (JSC::DFG::AbstractValue::validateOSREntryValue const):
1786
1787 2019-04-10  Saam Barati  <sbarati@apple.com>
1788
1789         ArithSub over Int52 has shouldCheckOverflow as always true
1790         https://bugs.webkit.org/show_bug.cgi?id=196796
1791
1792         Reviewed by Yusuke Suzuki.
1793
1794         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
1795         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
1796         false. We shouldn't check something we assert against.
1797
1798         * dfg/DFGAbstractInterpreterInlines.h:
1799         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1800
1801 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
1802
1803         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
1804         https://bugs.webkit.org/show_bug.cgi?id=196790
1805
1806         Reviewed by Ross Kirsling.
1807
1808         The original implementation lacks a byte order specification. Network byte order is a
1809         good candidate if there's no strong reason to choose another.
1810         Currently no client exists for the PlayStation remote inspector protocol, so we can
1811         change the byte order freely.
1812
1813         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
1814         (Inspector::MessageParser::createMessage):
1815         (Inspector::MessageParser::parse):
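
        Added example (not WebKit code and not part of this ChangeLog): a createMessage/parse
        pair for a length-prefixed frame that commits to network byte order (big-endian) on the
        wire regardless of host endianness, together with the check a parser needs before it
        trusts a length field received from the peer. The [u32 length][payload] framing, the
        kMaxPayloadSize cap and the Example namespace are assumptions for illustration; the
        real PlayStation remote inspector wire format is not described on this page.

```cpp
// Added example, not WebKit code. Framing and size cap are assumptions.
#include <cstdint>
#include <string>
#include <vector>

namespace Example {

// Assumed upper bound on a single payload; rejecting larger lengths keeps an
// attacker-controlled 32-bit length from driving a huge allocation.
static constexpr uint32_t kMaxPayloadSize = 16 * 1024 * 1024;

// Serialize a 32-bit value as big-endian (network byte order) byte by byte,
// so the result is the same on little- and big-endian hosts.
inline void appendUInt32BE(std::vector<uint8_t>& out, uint32_t value)
{
    out.push_back(static_cast<uint8_t>(value >> 24));
    out.push_back(static_cast<uint8_t>(value >> 16));
    out.push_back(static_cast<uint8_t>(value >> 8));
    out.push_back(static_cast<uint8_t>(value));
}

inline uint32_t readUInt32BE(const uint8_t* p)
{
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Build one frame: [length: u32 big-endian][payload bytes].
std::vector<uint8_t> createMessage(const std::string& payload)
{
    std::vector<uint8_t> frame;
    frame.reserve(4 + payload.size());
    appendUInt32BE(frame, static_cast<uint32_t>(payload.size()));
    frame.insert(frame.end(), payload.begin(), payload.end());
    return frame;
}

struct ParseResult {
    std::vector<std::string> messages; // complete frames extracted from the buffer
    bool malformed = false;            // peer sent a length above kMaxPayloadSize
};

// Extract every complete frame from `buffer`, leaving a partial trailing frame
// in place for the next read. The length is validated before it is used to
// size anything; a malformed stream is dropped rather than partially trusted.
ParseResult parse(std::vector<uint8_t>& buffer)
{
    ParseResult result;
    size_t offset = 0;
    while (buffer.size() - offset >= 4) {
        uint32_t length = readUInt32BE(buffer.data() + offset);
        if (length > kMaxPayloadSize) {
            result.malformed = true;
            buffer.clear();
            return result;
        }
        if (buffer.size() - offset - 4 < length)
            break; // wait for the rest of this frame
        result.messages.emplace_back(reinterpret_cast<const char*>(buffer.data() + offset + 4), length);
        offset += 4 + length;
    }
    buffer.erase(buffer.begin(), buffer.begin() + offset);
    return result;
}

} // namespace Example
```

        Writing the length one byte at a time, rather than memcpy'ing a uint32_t and
        hoping both ends agree, is what actually pins the byte order; the size check is
        the part that makes the parser safe against a hostile peer.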
1816
1817 2019-04-10  Devin Rousso  <drousso@apple.com>
1818
1819         Web Inspector: Inspector: lazily create the agent
1820         https://bugs.webkit.org/show_bug.cgi?id=195971
1821         <rdar://problem/49039645>
1822
1823         Reviewed by Joseph Pecoraro.
1824
1825         * inspector/JSGlobalObjectInspectorController.cpp:
1826         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1827         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1828         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1829         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
1830
1831         * inspector/agents/InspectorAgent.h:
1832        * inspector/agents/InspectorAgent.cpp:
1833
1834 2019-04-10  Saam Barati  <sbarati@apple.com>
1835
1836         Work around an arm64_32 LLVM miscompile bug
1837         https://bugs.webkit.org/show_bug.cgi?id=196788
1838
1839         Reviewed by Yusuke Suzuki.
1840
1841         * runtime/CachedTypes.cpp:
1842
1843 2019-04-10  Devin Rousso  <drousso@apple.com>
1844
1845         Web Inspector: Timelines: can't reliably stop/start a recording
1846         https://bugs.webkit.org/show_bug.cgi?id=196778
1847         <rdar://problem/47606798>
1848
1849         Reviewed by Timothy Hatcher.
1850
1851         * inspector/protocol/ScriptProfiler.json:
1852         * inspector/protocol/Timeline.json:
1853         It is possible to determine when programmatic capturing starts/stops in the frontend based
1854         on the state when the backend causes the state to change, such as if the state is "inactive"
1855         when the frontend is told that the backend has started capturing.
1856
1857         * inspector/protocol/CPUProfiler.json:
1858         * inspector/protocol/Memory.json:
1859         Send an end timestamp to match other instruments.
1860
1861         * inspector/JSGlobalObjectConsoleClient.cpp:
1862         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
1863         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
1864
1865         * inspector/agents/InspectorScriptProfilerAgent.h:
1866         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1867         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1868         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
1869         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
1870
1871 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
1872
1873         Unreviewed, fix watch build after r244143
1874         https://bugs.webkit.org/show_bug.cgi?id=195000
1875
1876         The result of `lseek` should be `off_t` rather than `int`.
1877
1878         * jsc.cpp:
1879
1880 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
1881
1882         Add support for incremental bytecode cache updates
1883         https://bugs.webkit.org/show_bug.cgi?id=195000
1884
1885         Reviewed by Filip Pizlo.
1886
1887         Add support for incremental updates to the bytecode cache. The cache
1888         is constructed as follows:
1889         - When the cache is empty, the initial payload can be added to the BytecodeCache
1890         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
1891         top-level UnlinkedCodeBlock.
1892         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
1893         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
1894         to the existing cache and updating the CachedFunctionExecutableMetadata
1895         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
1896
1897         * API/JSScript.mm:
1898         (-[JSScript readCache]):
1899         (-[JSScript isUsingBytecodeCache]):
1900         (-[JSScript init]):
1901         (-[JSScript cachedBytecode]):
1902         (-[JSScript writeCache:]):
1903         * API/JSScriptInternal.h:
1904         * API/JSScriptSourceProvider.h:
1905         * API/JSScriptSourceProvider.mm:
1906         (JSScriptSourceProvider::cachedBytecode const):
1907         * CMakeLists.txt:
1908         * JavaScriptCore.xcodeproj/project.pbxproj:
1909         * Sources.txt:
1910         * bytecode/UnlinkedFunctionExecutable.cpp:
1911         (JSC::generateUnlinkedFunctionCodeBlock):
1912         * jsc.cpp:
1913         (ShellSourceProvider::~ShellSourceProvider):
1914         (ShellSourceProvider::cachePath const):
1915         (ShellSourceProvider::loadBytecode const):
1916         (ShellSourceProvider::ShellSourceProvider):
1917         (ShellSourceProvider::cacheEnabled):
1918         * parser/SourceProvider.h:
1919         (JSC::SourceProvider::cachedBytecode const):
1920         (JSC::SourceProvider::updateCache const):
1921         (JSC::SourceProvider::commitCachedBytecode const):
1922         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1923         (JSC::CachePayload::makeMappedPayload):
1924         (JSC::CachePayload::makeMallocPayload):
1925         (JSC::CachePayload::makeEmptyPayload):
1926         (JSC::CachePayload::CachePayload):
1927         (JSC::CachePayload::~CachePayload):
1928         (JSC::CachePayload::operator=):
1929         (JSC::CachePayload::freeData):
1930         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1931         (JSC::CachePayload::data const):
1932         (JSC::CachePayload::size const):
1933         (JSC::CachePayload::CachePayload):
1934         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1935         (JSC::CacheUpdate::CacheUpdate):
1936         (JSC::CacheUpdate::operator=):
1937         (JSC::CacheUpdate::isGlobal const):
1938         (JSC::CacheUpdate::asGlobal const):
1939         (JSC::CacheUpdate::asFunction const):
1940         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
1941         * runtime/CachedBytecode.cpp: Added.
1942         (JSC::CachedBytecode::addGlobalUpdate):
1943         (JSC::CachedBytecode::addFunctionUpdate):
1944         (JSC::CachedBytecode::copyLeafExecutables):
1945         (JSC::CachedBytecode::commitUpdates const):
1946         * runtime/CachedBytecode.h: Added.
1947         (JSC::CachedBytecode::create):
1948         (JSC::CachedBytecode::leafExecutables):
1949         (JSC::CachedBytecode::data const):
1950         (JSC::CachedBytecode::size const):
1951         (JSC::CachedBytecode::hasUpdates const):
1952         (JSC::CachedBytecode::sizeForUpdate const):
1953         (JSC::CachedBytecode::CachedBytecode):
1954         * runtime/CachedTypes.cpp:
1955         (JSC::Encoder::addLeafExecutable):
1956         (JSC::Encoder::release):
1957         (JSC::Decoder::Decoder):
1958         (JSC::Decoder::create):
1959         (JSC::Decoder::size const):
1960         (JSC::Decoder::offsetOf):
1961         (JSC::Decoder::ptrForOffsetFromBase):
1962         (JSC::Decoder::addLeafExecutable):
1963         (JSC::VariableLengthObject::VariableLengthObject):
1964         (JSC::VariableLengthObject::buffer const):
1965         (JSC::CachedPtrOffsets::offsetOffset):
1966         (JSC::CachedWriteBarrierOffsets::ptrOffset):
1967         (JSC::CachedFunctionExecutable::features const):
1968         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
1969         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
1970         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
1971         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
1972         (JSC::CachedFunctionExecutable::encode):
1973         (JSC::CachedFunctionExecutable::decode const):
1974         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1975         (JSC::encodeCodeBlock):
1976         (JSC::encodeFunctionCodeBlock):
1977         (JSC::decodeCodeBlockImpl):
1978         (JSC::isCachedBytecodeStillValid):
1979         * runtime/CachedTypes.h:
1980         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
1981         (JSC::decodeCodeBlock):
1982         * runtime/CodeCache.cpp:
1983         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1984         (JSC::CodeCache::updateCache):
1985         (JSC::CodeCache::write):
1986         (JSC::writeCodeBlock):
1987         (JSC::serializeBytecode):
1988         * runtime/CodeCache.h:
1989         (JSC::SourceCodeValue::SourceCodeValue):
1990         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1991         (JSC::CodeCacheMap::fetchFromDiskImpl):
1992         * runtime/Completion.cpp:
1993         (JSC::generateProgramBytecode):
1994         (JSC::generateModuleBytecode):
1995         * runtime/Completion.h:
1996         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
1997         (JSC::LeafExecutable::operator+ const):
1998         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
1999         (JSC::LeafExecutable::LeafExecutable):
2000         (JSC::LeafExecutable::base const):
2001
2002 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2003
2004         Unreviewed, rolling out r243989.
2005
2006         Broke i686 builds
2007
2008         Reverted changeset:
2009
2010         "[CMake] Detect SSE2 at compile time"
2011         https://bugs.webkit.org/show_bug.cgi?id=196488
2012         https://trac.webkit.org/changeset/243989
2013
2014 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2015
2016         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2017         https://bugs.webkit.org/show_bug.cgi?id=196746
2018
2019         Reviewed by Yusuke Suzuki.
2020
2021         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
2022
2023         * runtime/ObjectConstructor.cpp:
2024         (JSC::defineProperties):
2025
2026 2019-04-10  Antoine Quint  <graouts@apple.com>
2027
2028         Enable Pointer Events on watchOS
2029         https://bugs.webkit.org/show_bug.cgi?id=196771
2030         <rdar://problem/49040909>
2031
2032         Reviewed by Dean Jackson.
2033
2034         * Configurations/FeatureDefines.xcconfig:
2035
2036 2019-04-09  Keith Rollin  <krollin@apple.com>
2037
2038         Unreviewed build maintenance -- update .xcfilelists.
2039
2040         * DerivedSources-input.xcfilelist:
2041
2042 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
2043
2044         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
2045         https://bugs.webkit.org/show_bug.cgi?id=193073
2046
2047         Reviewed by Keith Miller.
2048
2049         * bytecompiler/BytecodeGenerator.cpp:
2050         (JSC::BytecodeGenerator::emitEqualityOpImpl):
2051         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
2052         * bytecompiler/BytecodeGenerator.h:
2053         (JSC::BytecodeGenerator::emitEqualityOp):
2054         Factor out the logic that uses the template parameter and keep it in the header.
2055
2056         * jit/JITPropertyAccess.cpp:
2057         List off the template specializations needed by JITOperations.cpp.
2058         This is unfortunate but at least there are only two (x2) by definition?
2059         Trying to do away with this incurs a severe domino effect...
2060
2061         * API/JSValueRef.cpp:
2062         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
2063         * b3/air/AirHandleCalleeSaves.cpp:
2064         * builtins/BuiltinNames.cpp:
2065         * bytecode/AccessCase.cpp:
2066         * bytecode/BytecodeIntrinsicRegistry.cpp:
2067         * bytecode/BytecodeIntrinsicRegistry.h:
2068         * bytecode/BytecodeRewriter.cpp:
2069         * bytecode/BytecodeUseDef.h:
2070         * bytecode/CodeBlock.cpp:
2071         * bytecode/InstanceOfAccessCase.cpp:
2072         * bytecode/MetadataTable.cpp:
2073         * bytecode/PolyProtoAccessChain.cpp:
2074         * bytecode/StructureSet.cpp:
2075         * bytecompiler/NodesCodegen.cpp:
2076         * dfg/DFGCFAPhase.cpp:
2077         * dfg/DFGPureValue.cpp:
2078         * heap/GCSegmentedArray.h:
2079         * heap/HeapInlines.h:
2080         * heap/IsoSubspace.cpp:
2081         * heap/LocalAllocator.cpp:
2082         * heap/LocalAllocator.h:
2083         * heap/LocalAllocatorInlines.h:
2084         * heap/MarkingConstraintSolver.cpp:
2085         * inspector/ScriptArguments.cpp:
2086         (Inspector::ScriptArguments::isEqual const):
2087         * inspector/ScriptCallStackFactory.cpp:
2088         * interpreter/CallFrame.h:
2089         * interpreter/Interpreter.cpp:
2090         * interpreter/StackVisitor.cpp:
2091         * llint/LLIntEntrypoint.cpp:
2092         * runtime/ArrayIteratorPrototype.cpp:
2093         * runtime/BigIntPrototype.cpp:
2094         * runtime/CachedTypes.cpp:
2095         * runtime/ErrorType.cpp:
2096         * runtime/IndexingType.cpp:
2097         * runtime/JSCellInlines.h:
2098         * runtime/JSImmutableButterfly.h:
2099         * runtime/Operations.h:
2100         * runtime/RegExpCachedResult.cpp:
2101         * runtime/RegExpConstructor.cpp:
2102         * runtime/RegExpGlobalData.cpp:
2103         * runtime/StackFrame.h:
2104         * wasm/WasmSignature.cpp:
2105         * wasm/js/JSToWasm.cpp:
2106         * wasm/js/JSToWasmICCallee.cpp:
2107         * wasm/js/WebAssemblyFunction.h:
2108         Fix includes / forward declarations (and a couple of nearby clang warnings).
2109
2110 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
2111
2112         [CMake] Apple builds should use ICU_INCLUDE_DIRS
2113         https://bugs.webkit.org/show_bug.cgi?id=196720
2114
2115         Reviewed by Konstantin Tokarev.
2116
2117         * PlatformMac.cmake:
2118
2119 2019-04-09  Saam barati  <sbarati@apple.com>
2120
2121         Clean up Int52 code and some bugs in it
2122         https://bugs.webkit.org/show_bug.cgi?id=196639
2123         <rdar://problem/49515757>
2124
2125         Reviewed by Yusuke Suzuki.
2126
2127         This patch fixes bugs in our Int52 code. The primary change in this patch is
2128         adopting a segregated type lattice for Int52. Previously, for Int52 values,
2129         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
2130         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
2131         that the value is outside of the int32 range.
2132         
2133         However, this got confusing because we reused SpecInt32Only both for JSValue
2134         representations and Int52 representations. This actually lead to some bugs.
2135         
2136         1. It's possible that roundtripping through Int52 representation would say
2137         it produces the wrong type. For example, consider this program and how we
2138         used to annotate types in AI:
2139         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
2140         b: Int52Rep(@a) => m_type is SpecInt52Only
2141         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
2142         
2143         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
2144         However, the execution semantics are such that it'd actually produce a boxed
2145         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
2146         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
2147         mean an int value in either int32 or int52 range.
2148         
2149         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
2150         accepted Int52 values. It was wrong in two different ways:
2151         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
2152         was a boxed double, but represented a value in int32 range, the incoming
2153         value would incorrectly validate as being acceptable. However, we should
2154         have rejected this value.
2155         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
2156         was an Int32 boxed in a double, this would not validate, even though
2157         it should have validated.
2158         
2159         Solving 2 was easiest if we segregated out the Int52 type into its own
2160         lattice. This patch makes a new Int52 lattice, which is composed of
2161         SpecInt32AsInt52 and SpecNonInt32AsInt52.
2162         
2163         The conversion rules are now really simple.
2164         
2165         Int52 rep => JSValue rep
2166         SpecInt32AsInt52 => SpecInt32Only
2167         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
2168         
2169         JSValue rep => Int52 rep
2170         SpecInt32Only => SpecInt32AsInt52
2171         SpecAnyIntAsDouble => SpecInt52Any
2172         
2173         With these rules, the program in (1) will now correctly report that @c
2174         returns SpecInt32Only | SpecAnyIntAsDouble.
2175
2176         * bytecode/SpeculatedType.cpp:
2177         (JSC::dumpSpeculation):
2178         (JSC::speculationToAbbreviatedString):
2179         (JSC::int52AwareSpeculationFromValue):
2180         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2181         (JSC::speculationFromString):
2182         * bytecode/SpeculatedType.h:
2183         (JSC::isInt32SpeculationForArithmetic):
2184         (JSC::isInt32OrBooleanSpeculationForArithmetic):
2185         (JSC::isAnyInt52Speculation):
2186         (JSC::isIntAnyFormat):
2187         (JSC::isInt52Speculation): Deleted.
2188         (JSC::isAnyIntSpeculation): Deleted.
2189         * dfg/DFGAbstractInterpreterInlines.h:
2190         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2191         * dfg/DFGAbstractValue.cpp:
2192         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2193         (JSC::DFG::AbstractValue::checkConsistency const):
2194         * dfg/DFGAbstractValue.h:
2195         (JSC::DFG::AbstractValue::isInt52Any const):
2196         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
2197         * dfg/DFGFixupPhase.cpp:
2198         (JSC::DFG::FixupPhase::fixupArithMul):
2199         (JSC::DFG::FixupPhase::fixupNode):
2200         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
2201         (JSC::DFG::FixupPhase::fixupToThis):
2202         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2203         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2204         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
2205         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2206         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2207         (JSC::DFG::FixupPhase::fixupChecksInBlock):
2208         * dfg/DFGGraph.h:
2209         (JSC::DFG::Graph::addShouldSpeculateInt52):
2210         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
2211         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
2212         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
2213         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
2214         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
2215         * dfg/DFGNode.h:
2216         (JSC::DFG::Node::shouldSpeculateInt52):
2217         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
2218         * dfg/DFGPredictionPropagationPhase.cpp:
2219         * dfg/DFGSpeculativeJIT.cpp:
2220         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
2221         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2222         (JSC::DFG::SpeculativeJIT::compileArithSub):
2223         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2224         * dfg/DFGSpeculativeJIT64.cpp:
2225         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2226         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2227         * dfg/DFGUseKind.h:
2228         (JSC::DFG::typeFilterFor):
2229         * dfg/DFGVariableAccessData.cpp:
2230         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2231         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
2232         * ftl/FTLLowerDFGToB3.cpp:
2233         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2234         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2235         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
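
        The conversion rules above, modelled as an added example (this is not JSC
        code): the SpeculatedType bit values are stand-in flags chosen for this
        illustration, the old and new Int52Rep/ValueRep transfer functions follow
        the rules quoted in the entry, and predictionIsSound asks whether the
        abstract type covers what the runtime actually produces for the program
        in (1). A prediction narrower than the runtime value is the kind of AI
        unsoundness a JIT must not have, since later phases trust it.

```cpp
#include <cstdint>

// Added example: a model of the Int52 type lattice change, not JSC's code.
// Bit values are assumptions for this illustration; names follow the ChangeLog.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecNone            = 0;
constexpr SpeculatedType SpecInt32Only       = 1u << 0; // JSValue rep, int32 range
constexpr SpeculatedType SpecAnyIntAsDouble  = 1u << 1; // JSValue rep, integer held in a double
constexpr SpeculatedType SpecInt52Only       = 1u << 2; // OLD Int52 rep: outside int32 range
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 3; // NEW Int52 rep: int32 range
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 4; // NEW Int52 rep: outside int32 range
constexpr SpeculatedType SpecInt52Any        = SpecInt32AsInt52 | SpecNonInt32AsInt52;

// Old rules: SpecInt32Only was shared by both representations, and Int52Rep
// over SpecAnyIntAsDouble was assumed to leave the int32 range (the bug).
SpeculatedType oldInt52Rep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only)      r |= SpecInt32Only;
    if (t & SpecAnyIntAsDouble) r |= SpecInt52Only;
    return r;
}
SpeculatedType oldValueRep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only) r |= SpecInt32Only;
    if (t & SpecInt52Only) r |= SpecAnyIntAsDouble;
    return r;
}

// New rules, exactly as listed in the entry.
SpeculatedType newInt52Rep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only)      r |= SpecInt32AsInt52;
    if (t & SpecAnyIntAsDouble) r |= SpecInt52Any;
    return r;
}
SpeculatedType newValueRep(SpeculatedType t) {
    SpeculatedType r = SpecNone;
    if (t & SpecInt32AsInt52)    r |= SpecInt32Only;
    if (t & SpecNonInt32AsInt52) r |= SpecAnyIntAsDouble;
    return r;
}

// Runtime side: an integer that survives an Int52 round trip is boxed as an
// Int32 when it fits, otherwise as a double.
bool fitsInt32(int64_t v) { return v >= INT32_MIN && v <= INT32_MAX; }
SpeculatedType runtimeBoxedTypeAfterInt52RoundTrip(int64_t v) {
    return fitsInt32(v) ? SpecInt32Only : SpecAnyIntAsDouble;
}

// Abstract interpretation must over-approximate: every runtime bit is predicted.
bool predictionIsSound(SpeculatedType predicted, SpeculatedType actual) {
    return (actual & ~predicted) == 0;
}

// The program from (1): a = JSConstant(10.0); b = Int52Rep(@a); c = ValueRep(@b)
SpeculatedType oldTypeOfC() { return oldValueRep(oldInt52Rep(SpecAnyIntAsDouble)); }
SpeculatedType newTypeOfC() { return newValueRep(newInt52Rep(SpecAnyIntAsDouble)); }
```

        Under the old rules @c is predicted as SpecAnyIntAsDouble while the
        runtime boxes 10.0 as an Int32 after the round trip, so the prediction
        does not cover the value; under the new rules @c is
        SpecInt32Only | SpecAnyIntAsDouble and it does.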
2236
2237 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2238
2239         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
2240         https://bugs.webkit.org/show_bug.cgi?id=196708
2241         <rdar://problem/49556803>
2242
2243         Reviewed by Yusuke Suzuki.
2244
2245         `operationPutToScope` needs to return early if an exception is thrown while
2246         checking if `hasProperty`.
2247
2248         * jit/JITOperations.cpp:
2249
2250 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2251
2252         [JSC] DFG should respect node's strict flag
2253         https://bugs.webkit.org/show_bug.cgi?id=196617
2254
2255         Reviewed by Saam Barati.
2256
2257         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
2258         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
2259         in DFG and FTL to get the right isStrictMode flag for the DFG node.
2260         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
2261         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
2262         This bug is discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
2263
2264         * dfg/DFGAbstractInterpreterInlines.h:
2265         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2266         * dfg/DFGConstantFoldingPhase.cpp:
2267         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2268         * dfg/DFGFixupPhase.cpp:
2269         (JSC::DFG::FixupPhase::fixupToThis):
2270         * dfg/DFGOperations.cpp:
2271         * dfg/DFGOperations.h:
2272         * dfg/DFGPredictionPropagationPhase.cpp:
2273         * dfg/DFGSpeculativeJIT.cpp:
2274         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2275         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2276         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2277         (JSC::DFG::SpeculativeJIT::compileToThis):
2278         * dfg/DFGSpeculativeJIT32_64.cpp:
2279         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2280         (JSC::DFG::SpeculativeJIT::compile):
2281         * dfg/DFGSpeculativeJIT64.cpp:
2282         (JSC::DFG::SpeculativeJIT::compile):
2283         * ftl/FTLLowerDFGToB3.cpp:
2284         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2285         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
2286
2287 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
2288
2289         [CMake][WinCairo] Separate copied headers into different directories
2290         https://bugs.webkit.org/show_bug.cgi?id=196655
2291
2292         Reviewed by Michael Catanzaro.
2293
2294         * CMakeLists.txt:
2295         * shell/PlatformWin.cmake:
2296
2297 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2298
2299         [JSC] isRope jump in StringSlice should not jump over register allocations
2300         https://bugs.webkit.org/show_bug.cgi?id=196716
2301
2302         Reviewed by Saam Barati.
2303
2304         Jumping over the register allocation code in DFG (like the following) is wrong.
2305
2306             auto jump = m_jit.branchXXX();
2307             {
2308                 GPRTemporary reg(this);
2309                 GPRReg regGPR = reg.gpr();
2310                 ...
2311             }
2312             jump.link(&m_jit);
2313
2314         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
2315         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
2316         DFG thinks that the content is flushed and stored in particular stack slot even while this flushing code is skipped.
2317         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
2318
2319         * dfg/DFGSpeculativeJIT.cpp:
2320         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2321
2322 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2323
2324         [JSC] to_index_string should not assume incoming value is Uint32
2325         https://bugs.webkit.org/show_bug.cgi?id=196713
2326
2327         Reviewed by Saam Barati.
2328
2329         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
2330         this assumption since DFG may decide we should have it double format. This patch removes this
2331         assumption, and instead, we should assume that incoming value is AnyInt and the range of this
2332         is within Uint32.
2333
2334         * runtime/CommonSlowPaths.cpp:
2335         (JSC::SLOW_PATH_DECL):
2336
2337 2019-04-08  Justin Fan  <justin_fan@apple.com>
2338
2339         [Web GPU] Fix Web GPU experimental feature on iOS
2340         https://bugs.webkit.org/show_bug.cgi?id=196632
2341
2342         Reviewed by Myles C. Maxfield.
2343
2344         Properly make Web GPU available on iOS 11+.
2345
2346         * Configurations/FeatureDefines.xcconfig:
2347         * Configurations/WebKitTargetConditionals.xcconfig:
2348
2349 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
2350
2351         -f[no-]var-tracking-assignments is GCC-only
2352         https://bugs.webkit.org/show_bug.cgi?id=196699
2353
2354         Reviewed by Don Olmstead.
2355
2356         * CMakeLists.txt:
2357         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
2358         and said problem evidently no longer occurs as of GCC 9.
2359
2360 2019-04-08  Saam Barati  <sbarati@apple.com>
2361
2362         WebAssembly.RuntimeError missing exception check
2363         https://bugs.webkit.org/show_bug.cgi?id=196700
2364         <rdar://problem/49693932>
2365
2366         Reviewed by Yusuke Suzuki.
2367
2368         * wasm/js/JSWebAssemblyRuntimeError.h:
2369         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2370         (JSC::constructJSWebAssemblyRuntimeError):
2371
2372 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2373
2374         Unreviewed, rolling in r243948 with test fix
2375         https://bugs.webkit.org/show_bug.cgi?id=196486
2376
2377         * parser/ASTBuilder.h:
2378         (JSC::ASTBuilder::createString):
2379         * parser/Lexer.cpp:
2380         (JSC::Lexer<T>::parseMultilineComment):
2381         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
2382         (JSC::Lexer<T>::lex): Deleted.
2383         * parser/Lexer.h:
2384         (JSC::Lexer::hasLineTerminatorBeforeToken const):
2385         (JSC::Lexer::setHasLineTerminatorBeforeToken):
2386         (JSC::Lexer<T>::lex):
2387         (JSC::Lexer::prevTerminator const): Deleted.
2388         (JSC::Lexer::setTerminator): Deleted.
2389         * parser/Parser.cpp:
2390         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2391         (JSC::Parser<LexerType>::parseSingleFunction):
2392         (JSC::Parser<LexerType>::parseStatementListItem):
2393         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2394         (JSC::Parser<LexerType>::parseFunctionInfo):
2395         (JSC::Parser<LexerType>::parseClass):
2396         (JSC::Parser<LexerType>::parseExportDeclaration):
2397         (JSC::Parser<LexerType>::parseAssignmentExpression):
2398         (JSC::Parser<LexerType>::parseYieldExpression):
2399         (JSC::Parser<LexerType>::parseProperty):
2400         (JSC::Parser<LexerType>::parsePrimaryExpression):
2401         (JSC::Parser<LexerType>::parseMemberExpression):
2402         * parser/Parser.h:
2403         (JSC::Parser::nextWithoutClearingLineTerminator):
2404         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
2405         (JSC::Parser::internalSaveLexerState):
2406         (JSC::Parser::restoreLexerState):
2407
2408 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2409
2410         Unreviewed, rolling out r243948.
2411
2412         Caused inspector/runtime/parse.html to fail
2413
2414         Reverted changeset:
2415
2416         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
2417         https://bugs.webkit.org/show_bug.cgi?id=196486
2418         https://trac.webkit.org/changeset/243948
2419
2420 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2421
2422         Unreviewed, rolling out r243943.
2423
2424         Caused test262 failures.
2425
2426         Reverted changeset:
2427
2428         "[JSC] Filter DontEnum properties in
2429         ProxyObject::getOwnPropertyNames()"
2430         https://bugs.webkit.org/show_bug.cgi?id=176810
2431         https://trac.webkit.org/changeset/243943
2432
2433 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
2434
2435         [JSC] Partially fix the build with unified builds disabled
2436         https://bugs.webkit.org/show_bug.cgi?id=196647
2437
2438         Reviewed by Konstantin Tokarev.
2439
2440         If you disable unified builds you find all kind of build
2441         errors. This partially tries to fix them but there's a lot
2442         more.
2443
2444         * API/JSBaseInternal.h:
2445         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
2446         * b3/air/AirHandleCalleeSaves.h:
2447         * bytecode/ExecutableToCodeBlockEdge.cpp:
2448         * bytecode/ExitFlag.h:
2449         * bytecode/ICStatusUtils.h:
2450         * bytecode/UnlinkedMetadataTable.h:
2451         * dfg/DFGPureValue.h:
2452         * heap/IsoAlignedMemoryAllocator.cpp:
2453         * heap/IsoAlignedMemoryAllocator.h:
2454
2455 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
2456
2457         Enable DFG on MIPS
2458         https://bugs.webkit.org/show_bug.cgi?id=196689
2459
2460         Reviewed by Žan Doberšek.
2461
2462         Since the bytecode change, we enabled the baseline JIT on mips in
2463         r240432, but DFG is still missing. With this change, all tests are
2464         passing on a ci20 board.
2465
2466         * jit/RegisterSet.cpp:
2467         (JSC::RegisterSet::calleeSaveRegisters):
2468         Added s0, which is used in llint.
2469
2470 2019-04-08  Xan Lopez  <xan@igalia.com>
2471
2472         [CMake] Detect SSE2 at compile time
2473         https://bugs.webkit.org/show_bug.cgi?id=196488
2474
2475         Reviewed by Carlos Garcia Campos.
2476
2477         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
2478         incorrect) static_assert.
2479
2480 2019-04-07  Michael Saboff  <msaboff@apple.com>
2481
2482         REGRESSION (r243642): Crash in reddit.com page
2483         https://bugs.webkit.org/show_bug.cgi?id=196684
2484
2485         Reviewed by Geoffrey Garen.
2486
2487         In r243642, the code that saves and restores the count for non-greedy character classes
2488         was inadvertently put inside an if statement.  This code should be generated for all
2489         non-greedy character classes.
2490
2491         * yarr/YarrJIT.cpp:
2492         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2493         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2494
2495 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2496
2497         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
2498         https://bugs.webkit.org/show_bug.cgi?id=196683
2499
2500         Reviewed by Saam Barati.
2501
2502         In r243626, we stop repatching CallLinkInfo when the CallLinkInfo is held by jettisoned CodeBlock.
2503         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
2504         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
2505         can be still live.
2506
2507         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
2508         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
2509
2510         * bytecode/CallLinkInfo.cpp:
2511         (JSC::CallLinkInfo::setCallee):
2512         (JSC::CallLinkInfo::clearCallee):
2513         * jit/Repatch.cpp:
2514         (JSC::linkFor):
2515         (JSC::revertCall):
2516
2517 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2518
2519         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
2520         https://bugs.webkit.org/show_bug.cgi?id=196582
2521
2522         Reviewed by Saam Barati.
2523
2524         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when overflow flag is set.
2525         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
2526         handles A + B = A, A + B = B cases. But it misses A + A = A case (here, A and B are GPRReg). Our recovery code
2527         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
2528
2529         This patch adds the recovery code for A + A = A case. Because we know that this ArithAdd overflows, and operands were
2530         same values, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
2531
2532         We also found that FTL recovery code is dead. We remove them in this patch.
2533
2534         * dfg/DFGOSRExit.cpp:
2535         (JSC::DFG::OSRExit::executeOSRExit):
2536         (JSC::DFG::OSRExit::compileExit):
2537         * dfg/DFGOSRExit.h:
2538         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
2539         * dfg/DFGSpeculativeJIT.cpp:
2540         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2541         * ftl/FTLExitValue.cpp:
2542         (JSC::FTL::ExitValue::dataFormat const):
2543         (JSC::FTL::ExitValue::dumpInContext const):
2544         * ftl/FTLExitValue.h:
2545         (JSC::FTL::ExitValue::isArgument const):
2546         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
2547         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
2548         (JSC::FTL::ExitValue::recovery): Deleted.
2549         (JSC::FTL::ExitValue::isRecovery const): Deleted.
2550         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
2551         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
2552         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
2553         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
2554         * ftl/FTLLowerDFGToB3.cpp:
2555         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2556         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
2557         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2558         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
2559         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
2560         * ftl/FTLOSRExitCompiler.cpp:
2561         (JSC::FTL::compileRecovery):
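
        The recovery formula above, worked through as an added example (this is
        not JSC code): speculativeAdd stands in for the DFG's flag-setting int32
        add, recoverAliasedOperand and recoverDoubledOperand are this example's
        names for the A + B = A subtraction and the new A + A = A recovery, and
        buggyRecoverDoubledOperand shows why the old path always produced zero.
        Right-shifting a negative int32 is assumed to be arithmetic (what GCC and
        Clang emit), matching the `((int32_t)value >> 1) ^ 0x80000000` formula.

```cpp
#include <cstdint>

// Added example modelling the speculative add and its OSR-exit recovery.
// Names are this example's own, not the DFG's.
struct SpecAddResult {
    int32_t value;    // the destination register after the machine add
    bool overflowed;  // the overflow flag the DFG branches on
};

// Wrapping int32 add that also reports overflow, like the DFG's ArithAdd.
SpecAddResult speculativeAdd(int32_t a, int32_t b) {
    int64_t wide = static_cast<int64_t>(a) + b;
    int32_t wrapped = static_cast<int32_t>(static_cast<uint32_t>(wide));
    return { wrapped, wide != wrapped };
}

// A + B = A or A + B = B: the clobbered operand is the destination minus
// the surviving operand, with wrapping arithmetic.
int32_t recoverAliasedOperand(int32_t destination, int32_t surviving) {
    return static_cast<int32_t>(static_cast<uint32_t>(destination)
                                - static_cast<uint32_t>(surviving));
}

// The old path applied to A + A = A: the "surviving" operand is the
// destination itself, so A - A is computed and the answer is always zero.
int32_t buggyRecoverDoubledOperand(int32_t destination) {
    return recoverAliasedOperand(destination, destination);
}

// A + A = A after an overflow: destination holds 2a wrapped, i.e. 2a -/+ 2^32.
// An arithmetic shift halves that to a -/+ 2^31, and flipping the sign bit
// removes the 2^31 (mod 2^32), giving back a. Only valid when the add overflowed,
// which is the only case in which the exit is taken.
int32_t recoverDoubledOperand(int32_t destination) {
    int32_t halved = destination >> 1; // arithmetic shift assumed
    return static_cast<int32_t>(static_cast<uint32_t>(halved) ^ 0x80000000u);
}

// Full exit path for a + a: true when the recovered operand equals a.
bool doubledAddRecovers(int32_t a) {
    SpecAddResult r = speculativeAdd(a, a);
    if (!r.overflowed)
        return true; // no exit; the fast-path result stands
    return recoverDoubledOperand(r.value) == a;
}
```

        For a = 0x40000000 the add wraps to INT32_MIN; the old subtraction
        returns 0, while the shift-and-flip returns 0x40000000 again. The
        boundary values INT32_MAX and INT32_MIN, and a negative operand, all
        round-trip the same way.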
2562
2563 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2564
2565         Unreviewed, rolling out r243665.
2566
2567         Caused iOS JSC tests to exit with an exception.
2568
2569         Reverted changeset:
2570
2571         "Assertion failed in JSC::createError"
2572         https://bugs.webkit.org/show_bug.cgi?id=196305
2573         https://trac.webkit.org/changeset/243665
2574
2575 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2576
2577         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2578         https://bugs.webkit.org/show_bug.cgi?id=196486
2579
2580         Reviewed by Saam Barati.
2581
2582         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest on the nodes of the body at that time.
2583         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This works well previously because all the function ends with "}" previously.
2584         SyntaxChecker lexes this "}" token, and parser restores the context back to ASTBuilder and continues parsing.
2585
2586         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
2587
2588                 arrow => expr
2589                 "string!"
2590
2591         We parse arrow function's body with SyntaxChecker. At that time, we lex "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
2592         since SyntaxChecker may not have interest on string content itself in certain case. After the parser is back to ASTBuilder, we parse "string!" as ExpressionStatement with string constant,
2593         generate StringNode with non-built identifier (nullptr), and we accidentally create StringNode with nullptr.
2594
2595         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
2596         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
2597         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
2598
2599         And we also fix the bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save line terminator status. This patch also introduces
2600         lexWithoutClearingLineTerminator, which lex the token without clearing line terminator status.
2601
2602         * parser/ASTBuilder.h:
2603         (JSC::ASTBuilder::createString):
2604         * parser/Lexer.cpp:
2605         (JSC::Lexer<T>::parseMultilineComment):
2606         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
2607         (JSC::Lexer<T>::lex): Deleted.
2608         * parser/Lexer.h:
2609         (JSC::Lexer::hasLineTerminatorBeforeToken const):
2610         (JSC::Lexer::setHasLineTerminatorBeforeToken):
2611         (JSC::Lexer<T>::lex):
2612         (JSC::Lexer::prevTerminator const): Deleted.
2613         (JSC::Lexer::setTerminator): Deleted.
2614         * parser/Parser.cpp:
2615         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2616         (JSC::Parser<LexerType>::parseSingleFunction):
2617         (JSC::Parser<LexerType>::parseStatementListItem):
2618         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2619         (JSC::Parser<LexerType>::parseFunctionInfo):
2620         (JSC::Parser<LexerType>::parseClass):
2621         (JSC::Parser<LexerType>::parseExportDeclaration):
2622         (JSC::Parser<LexerType>::parseAssignmentExpression):
2623         (JSC::Parser<LexerType>::parseYieldExpression):
2624         (JSC::Parser<LexerType>::parseProperty):
2625         (JSC::Parser<LexerType>::parsePrimaryExpression):
2626         (JSC::Parser<LexerType>::parseMemberExpression):
2627         * parser/Parser.h:
2628         (JSC::Parser::nextWithoutClearingLineTerminator):
2629         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
2630         (JSC::Parser::internalSaveLexerState):
2631         (JSC::Parser::restoreLexerState):
2632
2633 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2634
2635         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2636         https://bugs.webkit.org/show_bug.cgi?id=176810
2637
2638         Reviewed by Saam Barati.
2639
2640         This adds conditional logic following the invariant checks, to perform
2641         filtering in common uses of getOwnPropertyNames.
2642
2643         While this would ideally only be done in JSPropertyNameEnumerator, adding
2644         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
2645         invariant that the EnumerationMode is properly followed.
2646
2647         * runtime/PropertyNameArray.h:
2648         (JSC::PropertyNameArray::reset):
2649         * runtime/ProxyObject.cpp:
2650         (JSC::ProxyObject::performGetOwnPropertyNames):
2651
2652 2019-04-05  Commit Queue  <commit-queue@webkit.org>
2653
2654         Unreviewed, rolling out r243833.
2655         https://bugs.webkit.org/show_bug.cgi?id=196645
2656
2657         This change breaks build of WPE and GTK ports (Requested by
2658         annulen on #webkit).
2659
2660         Reverted changeset:
2661
2662         "[CMake][WTF] Mirror XCode header directories"
2663         https://bugs.webkit.org/show_bug.cgi?id=191662
2664         https://trac.webkit.org/changeset/243833
2665
2666 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2667
2668         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
2669         https://bugs.webkit.org/show_bug.cgi?id=185211
2670
2671         Reviewed by Saam Barati.
2672
2673         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
2674
2675         This involves tracking duplicate keys returned from the ownKeys trap in yet
2676         another HashTable, and may incur a minor performance penalty in some cases. This
2677         is not expected to significantly affect web performance.
2678
2679         * runtime/ProxyObject.cpp:
2680         (JSC::ProxyObject::performGetOwnPropertyNames):
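
        The observable behaviour of the two ProxyObject changes above (DontEnum filtering in the 2019-04-05 "Filter DontEnum properties" entry, and the duplicate-key TypeError from this entry), as an added plain-JavaScript example that is not JSC code. The target object, the logging proxy and the duplicate-returning trap are constructed for this example; it runs in any engine that implements the tc39/ecma262#833 change.

```javascript
// Added example (plain JavaScript, not JSC code): the behaviour the two
// ProxyObject changes above make observable. A target with one enumerable
// and one non-enumerable (DontEnum) own property is constructed here.
function makeTarget() {
  return Object.defineProperties({}, {
    visible: { value: 1, enumerable: true, configurable: true, writable: true },
    hidden: { value: 2, enumerable: false, configurable: true, writable: true },
  });
}

// A proxy whose traps append to `log`, so the order of trap calls is visible:
// ownKeys reports every key, and the enumerability filter is applied
// afterwards through getOwnPropertyDescriptor.
function makeLoggingProxy(target, log) {
  return new Proxy(target, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
}

// Enumerates the same proxy three ways. Reflect.ownKeys performs no
// filtering; Object.keys and for-in drop keys whose descriptor says
// enumerable: false, consulting the descriptor trap for each key.
function enumerateThroughProxy() {
  const log = [];
  const proxy = makeLoggingProxy(makeTarget(), log);
  const allOwnKeys = Reflect.ownKeys(proxy);
  const enumerableKeys = Object.keys(proxy);
  const forInKeys = [];
  for (const key in proxy) forInKeys.push(key);
  return { allOwnKeys, enumerableKeys, forInKeys, log };
}

// An ownKeys trap that reports the same key twice violates the invariant
// from tc39/ecma262#833; a conforming engine throws a TypeError instead of
// handing the duplicated list to callers such as Object.keys.
function duplicateKeysResult() {
  const proxy = new Proxy({}, { ownKeys() { return ["a", "a"]; } });
  try {
    return { keys: Reflect.ownKeys(proxy), error: null };
  } catch (e) {
    return { keys: null, error: e.constructor.name };
  }
}
```

        Note that the filter is applied after the ownKeys invariant checks: the non-enumerable key still has to be reported by the trap (and its descriptor has to be consistent with the target), it is only dropped from the result when the enumeration mode asks for enumerable keys.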
2681
2682 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2683
2684         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
2685         https://bugs.webkit.org/show_bug.cgi?id=196631
2686
2687         Reviewed by Saam Barati.
2688
2689         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
2690         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform
2691         a toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
2692
2693         * JavaScriptCore.xcodeproj/project.pbxproj:
2694         * Sources.txt:
2695         * interpreter/CallFrameInlines.h:
2696         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
2697         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
2698         (JSC::DoublePredictionFuzzerAgent::getPrediction):
2699         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
2700         * runtime/JSGlobalObject.cpp:
2701         (JSC::makeBoundFunction):
2702         * runtime/Options.h:
2703         * runtime/VM.cpp:
2704         (JSC::VM::VM):
2705
2706 2019-04-04  Robin Morisset  <rmorisset@apple.com>
2707
2708         B3ReduceStrength should know that Mul distributes over Add and Sub
2709         https://bugs.webkit.org/show_bug.cgi?id=196325
2710         <rdar://problem/49441650>
2711
2712         Reviewed by Saam Barati.
2713
2714         Fix some obviously wrong code that was due to an accidental copy-paste.
2715         It made the entire optimization dead code that never ran.
2716
2717         * b3/B3ReduceStrength.cpp:
2718
2719 2019-04-04  Saam Barati  <sbarati@apple.com>
2720
2721         Unreviewed, build fix for CLoop after r243886
2722
2723         * interpreter/Interpreter.cpp:
2724         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2725         * interpreter/StackVisitor.cpp:
2726         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2727         * interpreter/StackVisitor.h:
2728
2729 2019-04-04  Commit Queue  <commit-queue@webkit.org>
2730
2731         Unreviewed, rolling out r243898.
2732         https://bugs.webkit.org/show_bug.cgi?id=196624
2733
2734         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
2735         does not work well (Requested by yusukesuzuki on #webkit).
2736
2737         Reverted changeset:
2738
2739         "Unreviewed, build fix for CLoop and Windows after r243886"
2740         https://bugs.webkit.org/show_bug.cgi?id=196387
2741         https://trac.webkit.org/changeset/243898
2742
2743 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2744
2745         Unreviewed, build fix for CLoop and Windows after r243886
2746         https://bugs.webkit.org/show_bug.cgi?id=196387
2747
2748         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
2749
2750         * interpreter/StackVisitor.cpp:
2751         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2752         * interpreter/StackVisitor.h:
2753
2754 2019-04-04  Saam barati  <sbarati@apple.com>
2755
2756         Teach Call ICs how to call Wasm
2757         https://bugs.webkit.org/show_bug.cgi?id=196387
2758
2759         Reviewed by Filip Pizlo.
2760
2761         This patch teaches JS to call Wasm without going through the native thunk.
2762         Currently, we emit a JIT "JS" callee stub which marshals arguments from
2763         JS to Wasm. Like the native version of this, this thunk is responsible
2764         for saving and restoring the VM's current Wasm context. Instead of emitting
2765         an exception handler, we also teach the unwinder how to read the previous
2766         wasm context to restore it as it unwinds past this frame.
2767         
2768         This patch is straightforward, and leaves some areas for perf improvement:
2769         - We can teach the DFG/FTL to directly use the Wasm calling convention when
2770           it knows it's calling a single Wasm function. This way we don't shuffle
2771           registers to the stack and then back into registers.
2772         - We bail out to the slow path for mismatched arity. I opened a bug to
2773           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
2774         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
2775           We should teach this thunk how to do that conversion directly.
2776
2777         This patch also refactors the code to explicitly have a single pinned size register.
2778         We used to pretend in some places that we could have more than one pinned size register.
2779         However, there was other code that just asserted the size was one. This patch just rips
2780         out this code since we never moved to having more than one pinned size register. Doing
2781         this refactoring cleans up the various places where we set up the size register.
2782         
2783         This patch is a 50-60% progression on JetStream 2's richards-wasm.
2784
2785         * JavaScriptCore.xcodeproj/project.pbxproj:
2786         * Sources.txt:
2787         * assembler/MacroAssemblerCodeRef.h:
2788         (JSC::MacroAssemblerCodeRef::operator=):
2789         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2790         * interpreter/Interpreter.cpp:
2791         (JSC::UnwindFunctor::operator() const):
2792         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2793         * interpreter/StackVisitor.cpp:
2794         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2795         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
2796         * interpreter/StackVisitor.h:
2797         * jit/JITOperations.cpp:
2798         * jit/RegisterSet.cpp:
2799         (JSC::RegisterSet::runtimeTagRegisters):
2800         (JSC::RegisterSet::specialRegisters):
2801         (JSC::RegisterSet::runtimeRegisters): Deleted.
2802         * jit/RegisterSet.h:
2803         * jit/Repatch.cpp:
2804         (JSC::linkPolymorphicCall):
2805         * runtime/JSFunction.cpp:
2806         (JSC::getCalculatedDisplayName):
2807         * runtime/JSGlobalObject.cpp:
2808         (JSC::JSGlobalObject::init):
2809         (JSC::JSGlobalObject::visitChildren):
2810         * runtime/JSGlobalObject.h:
2811         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
2812         * runtime/VM.cpp:
2813         (JSC::VM::VM):
2814         * runtime/VM.h:
2815         * wasm/WasmAirIRGenerator.cpp:
2816         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2817         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2818         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2819         * wasm/WasmB3IRGenerator.cpp:
2820         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2821         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2822         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2823         * wasm/WasmBinding.cpp:
2824         (JSC::Wasm::wasmToWasm):
2825         * wasm/WasmContext.h:
2826         (JSC::Wasm::Context::pointerToInstance):
2827         * wasm/WasmContextInlines.h:
2828         (JSC::Wasm::Context::store):
2829         * wasm/WasmMemoryInformation.cpp:
2830         (JSC::Wasm::getPinnedRegisters):
2831         (JSC::Wasm::PinnedRegisterInfo::get):
2832         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2833         * wasm/WasmMemoryInformation.h:
2834         (JSC::Wasm::PinnedRegisterInfo::toSave const):
2835         * wasm/WasmOMGPlan.cpp:
2836         (JSC::Wasm::OMGPlan::work):
2837         * wasm/js/JSToWasm.cpp:
2838         (JSC::Wasm::createJSToWasmWrapper):
2839         * wasm/js/JSToWasmICCallee.cpp: Added.
2840         (JSC::JSToWasmICCallee::create):
2841         (JSC::JSToWasmICCallee::createStructure):
2842         (JSC::JSToWasmICCallee::visitChildren):
2843         * wasm/js/JSToWasmICCallee.h: Added.
2844         (JSC::JSToWasmICCallee::function):
2845         (JSC::JSToWasmICCallee::JSToWasmICCallee):
2846         * wasm/js/WebAssemblyFunction.cpp:
2847         (JSC::WebAssemblyFunction::useTagRegisters const):
2848         (JSC::WebAssemblyFunction::calleeSaves const):
2849         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
2850         (JSC::WebAssemblyFunction::previousInstanceOffset const):
2851         (JSC::WebAssemblyFunction::previousInstance):
2852         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2853         (JSC::WebAssemblyFunction::visitChildren):
2854         (JSC::WebAssemblyFunction::destroy):
2855         * wasm/js/WebAssemblyFunction.h:
2856         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
2857         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
2858         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
2859         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
2860         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
2861         (JSC::WebAssemblyFunctionHeapCellType::destroy):
2862         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
2863         * wasm/js/WebAssemblyPrototype.h:
2864
2865 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2866
2867         [JSC] Pass CodeOrigin to FuzzerAgent
2868         https://bugs.webkit.org/show_bug.cgi?id=196590
2869
2870         Reviewed by Saam Barati.
2871
2872         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
2873         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
2874         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
2875
2876         * dfg/DFGByteCodeParser.cpp:
2877         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2878         * runtime/FuzzerAgent.cpp:
2879         (JSC::FuzzerAgent::getPrediction):
2880         * runtime/FuzzerAgent.h:
2881         * runtime/RandomizingFuzzerAgent.cpp:
2882         (JSC::RandomizingFuzzerAgent::getPrediction):
2883         * runtime/RandomizingFuzzerAgent.h:
2884
2885 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2886
2887         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
2888         https://bugs.webkit.org/show_bug.cgi?id=194944
2889
2890         Reviewed by Keith Miller.
2891
2892         Based on profile data collected on JetStream2, Speedometer 2 and
2893         other benchmarks, it is very rare to have a non-empty
2894         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
2895
2896         - Data collected from Speedometer2
2897             Total number of UnlinkedFunctionExecutable: 39463
2898             Total number of non-empty parentScopeTDZVars: 428 (~1%)
2899
2900         - Data collected from JetStream2
2901             Total number of UnlinkedFunctionExecutable: 83715
2902             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
2903
2904         We also collected numbers on 6 of the top 10 Alexa sites.
2905
2906         - Data collected from youtube.com
2907             Total number of UnlinkedFunctionExecutable: 29599
2908             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
2909
2910         - Data collected from twitter.com
2911             Total number of UnlinkedFunctionExecutable: 23774
2912             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
2913
2914         - Data collected from google.com
2915             Total number of UnlinkedFunctionExecutable: 33209
2916             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
2917
2918         - Data collected from amazon.com:
2919             Total number of UnlinkedFunctionExecutable: 15182
2920             Total number of non-empty parentScopeTDZVars: 166 (~1%)
2921
2922         - Data collected from facebook.com:
2923             Total number of UnlinkedFunctionExecutable: 54443
2924             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
2925
2926         - Data collected from netflix.com:
2927             Total number of UnlinkedFunctionExecutable: 39266
2928             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
2929
2930         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
2931         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
2932         16 bytes. With this change, UnlinkedFunctionExecutable constructors now
2933         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
2934         it when `value != WTF::nullopt`. We also changed
2935         UnlinkedFunctionExecutable::parentScopeTDZVariables() and it returns
2936         `VariableEnvironment()` whenever the Executable doesn't have RareData,
2937         or VariableEnvironmentMap::Handle is uninitialized. This is required
2938         because RareData is instantiated when any of its fields is stored and
2939         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
2940         is `WTF::nullopt`.
2941
2942         Results on memory usage on JetStream2 are neutral.
2943
2944             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
2945             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
2946
2947         * builtins/BuiltinExecutables.cpp:
2948         (JSC::BuiltinExecutables::createExecutable):
2949         * bytecode/UnlinkedFunctionExecutable.cpp:
2950         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2951         * bytecode/UnlinkedFunctionExecutable.h:
2952         * bytecompiler/BytecodeGenerator.cpp:
2953         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2954
2955         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
2956         is empty, so we can properly return `WTF::nullopt` without the
2957         reconstruction of a VariableEnvironment to check if it is empty.
2958
2959         * bytecompiler/BytecodeGenerator.h:
2960         (JSC::BytecodeGenerator::makeFunction):
2961         * parser/VariableEnvironment.h:
2962         (JSC::VariableEnvironment::isEmpty const):
2963         * runtime/CachedTypes.cpp:
2964         (JSC::CachedCompactVariableMapHandle::decode const):
2965
2966         It returns an uninitialized Handle when there is no
2967         CompactVariableEnvironment. This can happen when RareData is ensured
2968         because of another field.
2969
2970         (JSC::CachedFunctionExecutableRareData::encode):
2971         (JSC::CachedFunctionExecutableRareData::decode const):
2972         (JSC::CachedFunctionExecutable::encode):
2973         (JSC::CachedFunctionExecutable::decode const):
2974         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2975         * runtime/CodeCache.cpp:
2976
2977         Instead of creating a dummyVariablesUnderTDZ, we simply pass
2978         WTF::nullopt.
2979
2980         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2981
2982 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2983
2984         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
2985         https://bugs.webkit.org/show_bug.cgi?id=196409
2986
2987         Reviewed by Saam Barati.
2988
2989         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
2990         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
2991         and therefore does not write the bytecode cache to disk.
2992
2993         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
2994         of pointers to offsets of already cached objects, in order to avoid caching
2995         the same object twice. Similarly, the Decoder keeps a mapping from offsets
2996         to pointers, in order to avoid creating multiple objects in memory for the
2997         same cached object. The following was happening:
2998         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
2999         an entry in the Encoder mapping that S has already been encoded at O.
3000         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
3001         We find an entry in the Encoder mapping for S, and return the offset O. However,
3002         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
3003
3004         3) When decoding, there are 2 possibilities:
3005         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
3006         this case, everything works as expected since we add an entry in the decoder
3007         mapping from the offset O to the decoded StringImpl* S. The next time we find
3008         S through the uniqued version, we'll return the already decoded S.
3009         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
3010         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
3011         which has a different shape and we crash.
3012
3013         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
3014         same implementation. Since it doesn't matter whether a string is uniqued for
3015         encoding, and we always decode strings as uniqued either way, they can be used
3016         interchangeably.
3017
3018         * jsc.cpp:
3019         (functionRunString):
3020         (functionLoadString):
3021         (functionDollarAgentStart):
3022         (functionCheckModuleSyntax):
3023         (runInteractive):
3024         * runtime/CachedTypes.cpp:
3025         (JSC::CachedUniquedStringImplBase::decode const):
3026         (JSC::CachedFunctionExecutable::rareData const):
3027         (JSC::CachedCodeBlock::rareData const):
3028         (JSC::CachedFunctionExecutable::encode):
3029         (JSC::CachedCodeBlock<CodeBlockType>::encode):
3030         (JSC::CachedUniquedStringImpl::encode): Deleted.
3031         (JSC::CachedUniquedStringImpl::decode const): Deleted.
3032         (JSC::CachedStringImpl::encode): Deleted.
3033         (JSC::CachedStringImpl::decode const): Deleted.
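
        A model of the encoder/decoder identity caches from steps 1 to 3.2 above, as an added example that is not JSC's CachedTypes code. The two record layouts, the tag word, the Encoder and Decoder classes and the sample string are all constructed for this example; the real cache writes binary bytecode, not an array of integers.

```javascript
// Added example, not JSC code: a model of the Encoder/Decoder identity caches
// described in steps 1 to 3.2 above. Strings are written into a flat array of
// integers. The encoder remembers the offset at which an object was written so
// it is written once; the decoder remembers which offset already produced which
// object. Both layouts and the tag check are constructed for this example.

// Code units of an ASCII-only sample string (constructed input).
function units(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) out.push(s.charCodeAt(i));
  return out;
}
function hashOf(s) {
  let h = 0;
  for (const u of units(s)) h = (h * 31 + u) | 0;
  return h;
}

// Two cached layouts for the same runtime string, distinguished by a tag word.
// PLAIN:   [tag=1, length, chars...]
// UNIQUED: [tag=2, hash, length, chars...]   (one extra word, so a different shape)
const PLAIN = {
  tag: 1,
  encode: (s) => [1, s.length, ...units(s)],
  decode: (buf, off) => String.fromCharCode(...buf.slice(off + 2, off + 2 + buf[off + 1])),
};
const UNIQUED = {
  tag: 2,
  encode: (s) => [2, hashOf(s), s.length, ...units(s)],
  decode: (buf, off) => String.fromCharCode(...buf.slice(off + 3, off + 3 + buf[off + 2])),
};

class Encoder {
  constructor() {
    this.buf = [];
    this.offsets = new Map(); // object identity -> offset; the layout is not part of the key
  }
  encode(str, layout) {
    if (this.offsets.has(str)) return this.offsets.get(str); // cache hit, whatever layout was written
    const off = this.buf.length;
    this.offsets.set(str, off);
    this.buf.push(...layout.encode(str));
    return off;
  }
}

class Decoder {
  constructor(buf) {
    this.buf = buf;
    this.decoded = new Map(); // offset -> object
  }
  decode(off, layout) {
    if (this.decoded.has(off)) return this.decoded.get(off);
    // Defensive shape check standing in for the crash: reading a PLAIN record
    // through the UNIQUED layout would misread the length and the characters.
    if (this.buf[off] !== layout.tag) {
      throw new TypeError(`offset ${off}: expected layout tag ${layout.tag}, found ${this.buf[off]}`);
    }
    const value = layout.decode(this.buf, off);
    this.decoded.set(off, value);
    return value;
  }
}

// Encodes the same string S first as plain, then as uniqued (which hits the
// encoder cache and returns the plain offset), then decodes in one of the
// two orders from step 3.
function roundTrip(layouts, decodeUniquedFirst) {
  const enc = new Encoder();
  const offPlain = enc.encode("S", layouts.plain);
  const offUniqued = enc.encode("S", layouts.uniqued);
  const dec = new Decoder(enc.buf);
  const sameOffset = offPlain === offUniqued;
  try {
    let value;
    if (decodeUniquedFirst) {
      value = dec.decode(offUniqued, layouts.uniqued); // step 3.2
    } else {
      dec.decode(offPlain, layouts.plain);             // step 3.1 fills the decoder cache
      value = dec.decode(offUniqued, layouts.uniqued); // served from that cache
    }
    return { sameOffset, value, error: null };
  } catch (e) {
    return { sameOffset, value: null, error: e.message };
  }
}

// Before the fix: two layouts behind one identity-keyed cache.
const BUGGY_LAYOUTS = { plain: PLAIN, uniqued: UNIQUED };
// After the fix: both names share one implementation, so the cached offset
// always points at a record of the layout the reader expects.
const FIXED_LAYOUTS = { plain: UNIQUED, uniqued: UNIQUED };
```

        The general lesson is the one the entry states: an identity-keyed dedup cache is only sound if every reader of a cached record agrees on its layout. Sharing one implementation (as the patch does) removes the second layout; the alternative would be to key the encoder cache on (object, layout), at the cost of writing the string twice.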
3034
3035 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3036
3037         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
3038         https://bugs.webkit.org/show_bug.cgi?id=196396
3039
3040         Reviewed by Saam Barati.
3041
3042         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
3043         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
3044
3045         * runtime/CachedTypes.cpp:
3046         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3047
3048 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3049
3050         Unreviewed, rolling in r243843 with the build fix
3051         https://bugs.webkit.org/show_bug.cgi?id=196586
3052
3053         * runtime/Options.cpp:
3054         (JSC::recomputeDependentOptions):
3055         * runtime/Options.h:
3056         * runtime/RandomizingFuzzerAgent.cpp:
3057         (JSC::RandomizingFuzzerAgent::getPrediction):
3058
3059 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
3060
3061         Unreviewed, rolling out r243843.
3062
3063         Broke CLoop and Windows builds.
3064
3065         Reverted changeset:
3066
3067         "[JSC] Add dump feature for RandomizingFuzzerAgent"
3068         https://bugs.webkit.org/show_bug.cgi?id=196586
3069         https://trac.webkit.org/changeset/243843
3070
3071 2019-04-03  Robin Morisset  <rmorisset@apple.com>
3072
3073         B3 should use associativity to optimize expression trees
3074         https://bugs.webkit.org/show_bug.cgi?id=194081
3075
3076         Reviewed by Filip Pizlo.
3077
3078         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
3079         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
3080         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
3081         inherited from CSE.
3082         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
3083         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
3084
3085         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
3086         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
3087         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
3088         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
3089         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
3090
3091         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
3092         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
3093
3094         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
3095
3096         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
3097         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
3098
3099         * JavaScriptCore.xcodeproj/project.pbxproj:
3100         * Sources.txt:
3101         * b3/B3Common.cpp:
3102         (JSC::B3::shouldDumpIR):
3103         (JSC::B3::shouldDumpIRAtEachPhase):
3104         * b3/B3Common.h:
3105         * b3/B3EliminateDeadCode.cpp: Added.
3106         (JSC::B3::EliminateDeadCode::run):
3107         (JSC::B3::eliminateDeadCode):
3108         * b3/B3EliminateDeadCode.h: Added.
3109         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
3110         * b3/B3Generate.cpp:
3111         (JSC::B3::generateToAir):
3112         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
3113         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
3114         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
3115         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
3116         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
3117         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
3118         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
3119         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
3120         (JSC::B3::optimizeAssociativeExpressionTrees):
3121         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
3122         * b3/B3ReduceStrength.cpp:
3123         * b3/B3Value.cpp:
3124         (JSC::B3::Value::replaceWithIdentity):
3125         * b3/testb3.cpp:
3126         (JSC::B3::testBitXorTreeArgs):
3127         (JSC::B3::testBitXorTreeArgsEven):
3128         (JSC::B3::testBitXorTreeArgImm):
3129         (JSC::B3::testAddTreeArg32):
3130         (JSC::B3::testMulTreeArg32):
3131         (JSC::B3::testBitAndTreeArg32):
3132         (JSC::B3::testBitOrTreeArg32):
3133         (JSC::B3::run):
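
        The pass described in this entry, modelled on plain-object nodes as an added example (this is not the B3 code). Use counts, flattening a tree into leaves, combining constants, neutral and absorbing elements, and re-emitting a balanced binary tree follow the description above; the rules for merging identical non-constant leaves (per opcode) and the node representation are choices made for this model.

```javascript
// Added example, not the B3 code: a small model of the pass described above,
// operating on plain-object nodes. Use counts, flattening to leaves, constant
// combining, neutral/absorbing elements and balanced re-emission follow the
// description; the rules for merging identical leaves are this model's own
// choice (B3's exact rules may differ).
const OPS = {
  Add:    { neutral: 0,  absorbing: null, fold: (a, b) => (a + b) | 0 },
  Mul:    { neutral: 1,  absorbing: 0,    fold: (a, b) => Math.imul(a, b) },
  BitAnd: { neutral: -1, absorbing: 0,    fold: (a, b) => a & b },
  BitOr:  { neutral: 0,  absorbing: -1,   fold: (a, b) => a | b },
  BitXor: { neutral: 0,  absorbing: null, fold: (a, b) => a ^ b },
};

const Const = (value) => ({ kind: "Const", value: value | 0 });
const Arg = (name) => ({ kind: "Arg", name });
const Op = (kind, left, right) => ({ kind, left, right });

// Use counts: how many places reference each node. A node used more than once
// must stay a single node, otherwise rewriting its parent would duplicate it.
function countUses(roots) {
  const uses = new Map();
  const visit = (n) => {
    uses.set(n, (uses.get(n) || 0) + 1);
    if (uses.get(n) === 1 && n.left) { visit(n.left); visit(n.right); }
  };
  roots.forEach(visit);
  return uses;
}

// Flatten the tree rooted at `root`: descend only through single-use nodes with
// the same opcode; anything else (other opcode, shared node, Const, Arg) is a leaf.
function collectLeaves(root, uses, leaves = []) {
  for (const child of [root.left, root.right]) {
    if (child.kind === root.kind && uses.get(child) === 1) collectLeaves(child, uses, leaves);
    else leaves.push(child);
  }
  return leaves;
}

// Lay the operands out as a balanced binary tree to shorten the dependency chain.
function buildBalanced(kind, operands) {
  if (operands.length === 1) return operands[0];
  const mid = operands.length >> 1;
  return Op(kind, buildBalanced(kind, operands.slice(0, mid)), buildBalanced(kind, operands.slice(mid)));
}

function optimizeRootedTree(root, uses) {
  const info = OPS[root.kind];
  let constant = info.neutral;
  const multiplicity = new Map(); // identical (same object) non-constant leaves
  for (const leaf of collectLeaves(root, uses)) {
    if (leaf.kind === "Const") constant = info.fold(constant, leaf.value);
    else multiplicity.set(leaf, (multiplicity.get(leaf) || 0) + 1);
  }
  if (constant === info.absorbing) return Const(constant); // e.g. Mul(..., 0)
  const operands = [];
  for (const [leaf, n] of multiplicity) {
    switch (root.kind) {
      case "Add": operands.push(n === 1 ? leaf : Op("Mul", leaf, Const(n))); break;
      case "BitAnd": case "BitOr": operands.push(leaf); break;      // idempotent
      case "BitXor": if (n % 2 === 1) operands.push(leaf); break;   // pairs cancel
      default: for (let i = 0; i < n; i++) operands.push(leaf);     // Mul: keep each copy
    }
  }
  if (constant !== info.neutral || operands.length === 0) operands.push(Const(constant));
  return buildBalanced(root.kind, operands);
}

// Helpers for checking the result: tree height and an interpreter.
function height(n) { return n.left ? 1 + Math.max(height(n.left), height(n.right)) : 0; }
function evaluate(n, env) {
  if (n.kind === "Const") return n.value;
  if (n.kind === "Arg") return env[n.name] | 0;
  return OPS[n.kind].fold(evaluate(n.left, env), evaluate(n.right, env));
}
```

        A left-linear chain a + b + c + d + 1 + 2 flattens to the leaves a, b, c, d and the combined constant 3, and is re-emitted with height 3 instead of 5; a subtree referenced from two places keeps a use count of 2 and is treated as a leaf, which is the "no code duplication" rule from the entry.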
3134
3135 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3136
3137         [JSC] Add dump feature for RandomizingFuzzerAgent
3138         https://bugs.webkit.org/show_bug.cgi?id=196586
3139
3140         Reviewed by Saam Barati.
3141
3142         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
3143         The results look like this.
3144
3145             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
3146             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
3147
3148         * runtime/Options.cpp:
3149         (JSC::recomputeDependentOptions):
3150         * runtime/Options.h:
3151         * runtime/RandomizingFuzzerAgent.cpp:
3152         (JSC::RandomizingFuzzerAgent::getPrediction):
3153
3154 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
3155
3156         -apple-trailing-word is needed for browser detection
3157         https://bugs.webkit.org/show_bug.cgi?id=196575
3158
3159         Unreviewed.
3160
3161         * Configurations/FeatureDefines.xcconfig:
3162
3163 2019-04-03  Michael Saboff  <msaboff@apple.com>
3164
3165         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
3166         https://bugs.webkit.org/show_bug.cgi?id=196477
3167
3168         Reviewed by Keith Miller.
3169
3170         The problem here is that when we advance the index by 2 for a character class that only
3171         has non-BMP characters, we might go past the end of the string.  This can happen for
3172         greedy counted character classes that are part of an alternative where there is one
3173         character to match after the greedy non-BMP character class.
3174
3175         The "do we have string left to match" check at the top of the JIT loop for the counted
3176         character class checks to see if index is not equal to the string length.  For non-BMP
3177         character classes, we need to check to see if there are at least 2 characters left.
3178         Therefore we now temporarily add 1 to the current index before comparing.  This checks
3179         to see if there are at least 2 characters left to match, instead of 1.
3180
3181         * yarr/YarrJIT.cpp:
3182         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3183         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
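
        The bounds check from this entry, modelled over UTF-16 code units as an added example (not Yarr or JSC code). The bounds-checked `readUnit` helper, the surrogate helpers, the `fixed` switch between the two loop conditions and the sample inputs are all constructed for this example; the character class range used stands in for any class that contains only non-BMP code points.

```javascript
// Added example (not Yarr/JSC code): a model of the greedy loop for a character
// class that contains only non-BMP code points, matching over UTF-16 code units
// the way a regex JIT does. Every iteration consumes a surrogate pair, so the
// "is there input left?" check at the top of the loop must guarantee two code
// units, which is what temporarily adding 1 to the index before comparing does.

// One code-unit read with an explicit bounds check. This stands in for the raw
// memory read the JIT performs; in native code the overrun is an out-of-bounds
// read or a crash rather than a RangeError.
function readUnit(units, i) {
  if (i < 0 || i >= units.length) throw new RangeError(`read past end of input at index ${i}`);
  return units[i];
}

function isSurrogatePair(hi, lo) {
  return hi >= 0xd800 && hi <= 0xdbff && lo >= 0xdc00 && lo <= 0xdfff;
}

function decodePair(hi, lo) {
  return 0x10000 + ((hi - 0xd800) << 10) + (lo - 0xdc00);
}

// Greedily matches code points in [lo, hi] (a non-BMP-only class) from `index`.
// `fixed` selects the loop condition: the original "index != length" test, or
// the corrected "index + 1 < length" test (at least 2 code units left).
function matchNonBmpClassGreedy(units, index, lo, hi, fixed) {
  let count = 0;
  for (;;) {
    const hasInput = fixed ? index + 1 < units.length : index !== units.length;
    if (!hasInput) break;
    const first = readUnit(units, index);
    const second = readUnit(units, index + 1); // overruns when exactly one unit remains
    if (!isSurrogatePair(first, second)) break;
    const cp = decodePair(first, second);
    if (cp < lo || cp > hi) break;
    index += 2;
    count++;
  }
  return { count, index };
}

function toUnits(str) {
  const units = new Uint16Array(str.length);
  for (let i = 0; i < str.length; i++) units[i] = str.charCodeAt(i);
  return units;
}

// Runs the equivalent of /[\u{1F600}-\u{1F64F}]+a/u at offset 0 of `str`
// (constructed input) and reports the outcome instead of throwing.
function tryMatch(str, fixed) {
  const units = toUnits(str);
  try {
    const m = matchNonBmpClassGreedy(units, 0, 0x1f600, 0x1f64f, fixed);
    const tailMatches = m.index < units.length && readUnit(units, m.index) === 0x61; // 'a'
    return { count: m.count, matched: m.count > 0 && tailMatches, overrun: false };
  } catch (e) {
    if (e instanceof RangeError) return { count: -1, matched: false, overrun: true };
    throw e;
  }
}
```

        With the input "😀😀a" (five code units) the greedy loop reaches index 4 with one unit left; the original condition still passes and the second read goes one past the end, while the corrected condition stops the loop and lets the following 'a' match.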
3184
3185 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3186
3187         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
3188         https://bugs.webkit.org/show_bug.cgi?id=196574
3189
3190         Reviewed by Saam Barati.
3191
3192         This patch adds a missing exception check in operationArrayIndexOfValueInt32OrContiguous.
3193
3194         * dfg/DFGOperations.cpp:
3195
3196 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
3197
3198         [CMake][WTF] Mirror XCode header directories
3199         https://bugs.webkit.org/show_bug.cgi?id=191662
3200
3201         Reviewed by Konstantin Tokarev.
3202
3203         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
3204         builds.
3205
3206         * CMakeLists.txt:
3207         * shell/CMakeLists.txt:
3208
3209 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3210
3211         [JSC] Add FuzzerAgent, which has a hooks to get feedback & inject fuzz data into JSC
3212         https://bugs.webkit.org/show_bug.cgi?id=196530
3213
3214         Reviewed by Saam Barati.
3215
3216         This patch adds a FuzzerAgent interface and a simple RandomizingFuzzerAgent to JSC.
3217         This RandomizingFuzzerAgent returns a random SpeculatedType for value profiling to find
3218         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
3219
3220         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
3221         they should be fixed in subsequent patches.
3222
3223         * CMakeLists.txt:
3224         * JavaScriptCore.xcodeproj/project.pbxproj:
3225         * Sources.txt:
3226         * dfg/DFGByteCodeParser.cpp:
3227         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3228         * runtime/FuzzerAgent.cpp: Added.
3229         (JSC::FuzzerAgent::~FuzzerAgent):
3230         (JSC::FuzzerAgent::getPrediction):
3231         * runtime/FuzzerAgent.h: Added.
3232         * runtime/JSGlobalObjectFunctions.cpp:
3233         * runtime/Options.h:
3234         * runtime/RandomizingFuzzerAgent.cpp: Added.
3235         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
3236         (JSC::RandomizingFuzzerAgent::getPrediction):
3237         * runtime/RandomizingFuzzerAgent.h: Added.
3238         * runtime/RegExpCachedResult.h:
3239         * runtime/RegExpGlobalData.cpp:
3240         * runtime/VM.cpp:
3241         (JSC::VM::VM):
3242         * runtime/VM.h:
3243         (JSC::VM::fuzzerAgent const):
3244         (JSC::VM::setFuzzerAgent):
3245
3246 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
3247
3248         Remove support for -apple-trailing-word
3249         https://bugs.webkit.org/show_bug.cgi?id=196525
3250
3251         Reviewed by Zalan Bujtas.
3252
3253         This CSS property is nonstandard and not used.
3254
3255         * Configurations/FeatureDefines.xcconfig:
3256
3257 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
3258
3259         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
3260         https://bugs.webkit.org/show_bug.cgi?id=196513
3261         <rdar://problem/49498284>
3262
3263         Reviewed by Devin Rousso.
3264
3265         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3266         (Inspector::RemoteInspector::receivedIndicateMessage):
3267         When we have a WebThread, don't just run on the WebThread,
3268         run on the MainThread with the WebThreadLock.
3269
3270 2019-04-02  Michael Saboff  <msaboff@apple.com>
3271
3272         Crash in Options::setOptions() using --configFile option and libgmalloc
3273         https://bugs.webkit.org/show_bug.cgi?id=196506
3274
3275         Reviewed by Keith Miller.
3276
3277         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
3278         the implicit CString temporary alive until after setOptions() returns.
3279
3280         * runtime/ConfigFile.cpp:
3281         (JSC::ConfigFile::parse):
3282
3283 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
3284
3285         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
3286         https://bugs.webkit.org/show_bug.cgi?id=182757
3287
3288         Reviewed by Don Olmstead.
3289
3290         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
3291         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
3292         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
3293
3294 2019-04-02  Saam barati  <sbarati@apple.com>
3295
3296         Add a ValueRepReduction phase
3297         https://bugs.webkit.org/show_bug.cgi?id=196234
3298
3299         Reviewed by Filip Pizlo.
3300
3301         This patch adds a ValueRepReduction phase. The main idea here is
3302         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
3303         to just be @x. This patch handles the above strength reduction rules
3304         as long as we prove that all users of the ValueRep can be converted
3305         to using the incoming double value. That way we prevent introducing
3306         a parallel live range for the double value.
3307         
3308         This patch tracks the uses of the ValueRep through Phi variables,
3309         so we can convert entire Phi variables to being Double instead
3310         of JSValue if the Phi also has only double uses.
3311         
3312         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
3313         and OSR exit hints are not counted as escapes. All other uses are counted
3314         as escapes. Connected Phi graphs are converted to being Double only if the
3315         entire graph is ok with the result being Double.
3316         
3317         Some ways we could extend this phase in the future:
3318         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
3319           that the result of the DoubleRep of @x is not impure NaN. We could
3320           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
3321           with PurifyNaN(@x). Alternatively, we could see if certain users of this
3322           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
3323           their output type is always treated as if the input is impure NaN.
3324         - We could do sinking of ValueRep where we think it's profitable. So instead
3325           of an escape making it so we never represent the variable as a Double, we
3326           could make the escape reconstruct the JSValueRep where profitable.
3327         - We can extend this phase to handle Int52Rep if it's profitable.
3328         - We can opt other nodes into accepting incoming Doubles so we no longer
3329           treat them as escapes.
3330         
3331         This patch is somewhere between neutral and a 1% progression on JetStream 2.
3332
3333         * JavaScriptCore.xcodeproj/project.pbxproj:
3334         * Sources.txt:
3335         * dfg/DFGPlan.cpp:
3336         (JSC::DFG::Plan::compileInThreadImpl):