Unreviewed, follow-up change after r250198
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up change after r250198
        https://bugs.webkit.org/show_bug.cgi?id=201633

        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt16):

2019-09-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function
        https://bugs.webkit.org/show_bug.cgi?id=201633

        Reviewed by Mark Lam.

        Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code sees the uint32_t type.
        In JS, we handle Int32 well, but if the value exceeds the Int32 range (like, using 0xffffffff), we use Int52 instead so as not to fall back to Double.

        The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each
        of them emits an OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which
        can be seen if an OSR exit occurs.

        In this patch, we perform strength-reduction for CheckAdd, converting it to Add. We already have such a thing. But the existing one does not handle well the instructions
        emitted when Int52 is used.

        When Int52 is used, we typically have a sequence like:

            Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64
            Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52

        While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 even though it is very easy.
        This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis.
        This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit.
        We can see ~5% improvement in JetStream2/async-fs.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.h:
        (int16Operands):
        (int8Operands):
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt8):
        (testCheckAddRemoveCheckWithSExt16):
        (testCheckAddRemoveCheckWithSExt32):
        (testCheckAddRemoveCheckWithZExt32):

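An added example (not JSC's own code) of the integer-range reasoning the entry above relies on: a small interval analysis, modelled loosely on B3ReduceStrength's range tracking, that shows why CheckAdd over two Shl(SExt32(x), 12) operands (the Int52 pattern quoted above) can be reduced to a plain Add, while an operand of unknown origin keeps the check. The struct and function names here are hypothetical.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical, simplified inclusive interval [min, max] over int64.
// A result the analysis cannot bound is widened to top64(), which is an
// over-approximation and therefore always safe to act on.
typedef __int128 Wide;

struct IntRange {
    int64_t min;
    int64_t max;

    static IntRange top64()
    {
        return { std::numeric_limits<int64_t>::min(), std::numeric_limits<int64_t>::max() };
    }

    // Result of SExt8 / SExt16 / SExt32: bounded by the signed range of the source width.
    static IntRange sext(unsigned sourceBits)
    {
        int64_t half = int64_t(1) << (sourceBits - 1);
        return { -half, half - 1 };
    }

    // Result of ZExt32: non-negative and below 2^32.
    static IntRange zext32()
    {
        return { 0, int64_t(0xffffffffu) };
    }

    // Shl by a constant, computed as a multiply in 128 bits so negative bounds
    // are handled without relying on signed-shift behaviour. If either bound
    // would no longer fit in int64 the analysis gives up (top64).
    IntRange shl(unsigned shift) const
    {
        if (shift >= 63)
            return top64();
        Wide factor = Wide(1) << shift;
        Wide lo = Wide(min) * factor;
        Wide hi = Wide(max) * factor;
        if (!fits(lo) || !fits(hi))
            return top64();
        return { int64_t(lo), int64_t(hi) };
    }

    // Could min+min or max+max leave the int64 range? If not, CheckAdd -> Add.
    bool couldOverflowAdd(const IntRange& other) const
    {
        return !fits(Wide(min) + Wide(other.min)) || !fits(Wide(max) + Wide(other.max));
    }

private:
    static bool fits(Wide v)
    {
        return v >= Wide(std::numeric_limits<int64_t>::min())
            && v <= Wide(std::numeric_limits<int64_t>::max());
    }
};

// The pattern from the entry: Int64 @78 = SExt32(@73); Int64 @81 = Shl(@78, 12).
// Returns true if CheckAdd(@81, @81') must keep its overflow check, false if it
// can be strength-reduced to Add. With SExt32 understood, the answer is false.
bool int52AddNeedsCheck()
{
    IntRange left = IntRange::sext(32).shl(12);
    IntRange right = IntRange::sext(32).shl(12);
    return left.couldOverflowAdd(right);
}

// Without SExt32 handling the analysis only sees an unknown Int64 feeding the
// Shl, so it widens to top64 and the check has to stay.
bool unknownAddNeedsCheck()
{
    return IntRange::top64().shl(12).couldOverflowAdd(IntRange::top64());
}

// ZExt32 followed by Shl 12 is bounded the same way; two of them cannot overflow either.
bool zext32AddNeedsCheck()
{
    IntRange v = IntRange::zext32().shl(12);
    return v.couldOverflowAdd(v);
}
```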
2019-09-21  Mark Lam  <mark.lam@apple.com>

        Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage.
        https://bugs.webkit.org/show_bug.cgi?id=202082

        Reviewed by Tadeu Zagallo.

        They are not being caged anyway.

        * runtime/DirectArguments.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/ScopedArguments.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>

        AccessCase should strongly visit its dependencies while on stack
        https://bugs.webkit.org/show_bug.cgi?id=201986
        <rdar://problem/55521953>

        Reviewed by Saam Barati and Yusuke Suzuki.

        AccessCase::doesCalls is responsible for specifying the cells it depends on, so that
        MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However,
        it was missing most of its dependencies, which led to it being collected while on stack.
        This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js
        as the PolymorphicAccess being collected and removing its exception handler from the code
        block, which led to the exception propagating past the try/catch.

        In order to fix this, we abstract the dependency gathering logic from AccessCase into
        forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to
        guarantee that their implementation is consistent.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::forEachDependentCell const):
        (JSC::AccessCase::doesCalls const):
        (JSC::AccessCase::visitWeak const):
        * bytecode/AccessCase.h:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::lastSeenCallee const):
        (JSC::CallLinkInfo::haveLastSeenCallee const):
        (JSC::CallLinkInfo::lastSeenCallee): Deleted.
        (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::isDirect const):
        (JSC::CallLinkInfo::isLinked const):
        (JSC::CallLinkInfo::stub const):
        (JSC::CallLinkInfo::forEachDependentCell const):
        (JSC::CallLinkInfo::isLinked): Deleted.
        (JSC::CallLinkInfo::stub): Deleted.
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::isStillLive const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::forEachDependentCell const):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::areStillLive const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::forEachDependentCell const):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillLive const):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::forEachDependentCell const):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        * jit/PolymorphicCallStubRoutine.h:
        (JSC::PolymorphicCallStubRoutine::forEachDependentCell):

2019-09-21  David Kilzer  <ddkilzer@apple.com>

        clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore
        <https://webkit.org/b/202069>

        Reviewed by Mark Lam.

        Fix unwanted copying/ref churn of loop variables by making them
        const references.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingsNow):
        * parser/Parser.h:
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::merge):

2019-09-20  Keith Miller  <keith_miller@apple.com>

        eliding a move in Air O0 needs to mark the dest's old reg as available
        https://bugs.webkit.org/show_bug.cgi?id=202066

        Reviewed by Saam Barati.

        Also adds a new release method that handles all the invariants of
        returning a register to the available register pool.

        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
        (JSC::B3::Air::GenerateAndAllocateRegisters::release):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:

2019-09-20  Mark Lam  <mark.lam@apple.com>

        Harden assertion in StructureIDTable::get().
        https://bugs.webkit.org/show_bug.cgi?id=202067
        <rdar://problem/55577923>

        Reviewed by Keith Miller.

        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2019-09-20  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r250114.

        Broke ~16 webgpu/ tests on Mojave wk2

        Reverted changeset:

        "Web Inspector: Canvas: show WebGPU shader pipelines"
        https://bugs.webkit.org/show_bug.cgi?id=201675
        https://trac.webkit.org/changeset/250114

2019-09-20  Paulo Matos  <pmatos@igalia.com>

        Implement memory monitoring functions for Linux OS
        https://bugs.webkit.org/show_bug.cgi?id=200391

        Reviewed by Žan Doberšek.

        * jsc.cpp:

2019-09-20  Devin Rousso  <drousso@apple.com>

        ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html
        https://bugs.webkit.org/show_bug.cgi?id=201713
        <rdar://problem/55290349>

        Reviewed by Joseph Pecoraro.

        Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value
        instead of using a referenced `bool` (which wouldn't include any of the exception's info).

        * bindings/ScriptFunctionCall.h:
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::findObjectById const):
        (Inspector::InjectedScript::releaseObjectGroup):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const):
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeAsyncCall):

        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        (Inspector::InjectedScriptManager::injectedScriptFor):

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):

2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
        https://bugs.webkit.org/show_bug.cgi?id=202014

        Reviewed by Saam Barati.

        Let's look into the bytecode generated by the test.

            [   0] enter
            [   1] get_scope          loc4
            [   3] mov                loc5, loc4
            [   6] check_traps
            [   7] mov                loc6, callee
            [  10] create_direct_arguments loc7
            [  12] to_this            this
            [  15] mov                loc8, loc7
            [  18] mov                loc9, loc6
            [  21] mov                loc12, Undefined(const0)
            [  24] get_by_id          loc11, loc6, 0
            [  29] jneq_ptr           loc11, ApplyFunction, 18(->47)
            [  34] mov                loc11, loc6
            [  37] call_varargs       loc11, loc11, this, loc8, loc13, 0
            [  45] jmp                17(->62)
            [  47] mov                loc16, loc6
            [  50] mov                loc15, this
            [  53] mov                loc14, loc8
            [  56] call               loc11, loc11, 3, 22
            ...

        call_varargs uses loc13 as firstFreeReg (the first usable bottom register in the current stack-frame to spread variadic arguments after this).
        This is correct. And call_varargs uses |this| as the this argument for the call_varargs. This |this| argument is not in a region starting from loc13.
        And it is not in the place previous to loc13 (|this| is not loc12).

        On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the register previous to firstFreeReg is usable and part of the arguments.
        But this is wrong. loc12 in the above bytecode is used for `[  56] call               loc11, loc11, 3, 22`'s argument later, and this call assumes
        that loc12 is not clobbered by call_varargs. But DFG and FTL clobber it.

        The test is recursively calling the same function, and we inline the same function one level. And a stack-overflow error happens when the inlined
        CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, the outer function's loc12 is recovered as garbage since
        LoadVarargs clobbers it. And we eventually use it and crash.

            60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)

        This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.

        In all the tiers, op_call_varargs first allocates a large enough region to hold the varargs including |this|. And we store the |this| value to the correct place.
        DFG should not assume that the previous register to firstFreeReg is used for |this|.

        This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
        represent that `maxArgumentCountIncludingThis` includes the |this| count.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
        (JSC::CallLinkInfo::maxNumArguments): Deleted.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::dump const):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
        (JSC::CallLinkStatus::maxNumArguments const): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupFrame):
        * jit/JITOperations.cpp:

2019-09-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: show WebGPU shader pipelines
        https://bugs.webkit.org/show_bug.cgi?id=201675

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
        frontend of a new program.

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Rename VMInspector::m_list to m_vmList.
        https://bugs.webkit.org/show_bug.cgi?id=202015

        Reviewed by Yusuke Suzuki.

        m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
        it from other m_lists in the code base.

        * tools/VMInspector.cpp:
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        * tools/VMInspector.h:
        (JSC::VMInspector::iterate):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Reduce the number of required tag bits for the JSValue.
        https://bugs.webkit.org/show_bug.cgi?id=201990

        Reviewed by Yusuke Suzuki.

        We're reducing the number of tag bits to 15.  It should just work.

        How did we arrive at 15 bits?
        ============================
        Currently, the minimum number of top bits used by doubles is 13 bits.  The
        highest double bit encodings are:

            "negative" pureNaN: starts with 0xfff8
            negative infinity:  starts with 0xfff0
            highest number:     starts with 0xffe*
            lowest number:      starts with 0x0000

        Requirements:
        1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints
           (all 1s at the top).

        2. We want to be able to add an offset to double bits and ensure that they never
           end up in the ranges for pointers and ints.

        3. The int tag must be higher than whatever value is produced in the top bits
           when boxing a double.  We have code that relies on this relationship being
           true and checks if a JSValue is an int by checking if the tag bits are above
           or equal to the int tag.

        4. We don't want to burn more than 2 CPU registers for tag / mask registers.

        Based on the bit encoding of doubles, the full number range of the top 13 bits
        is used in valid double numbers.  This means the minimum tag bits must be greater
        than 13.

        Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
        0x0004.  With this encoding,
            "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc

        i.e. the top 14 bits are all set.  This conflicts with the int number range.

        Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
        with 0x0002.  With this encoding:
            "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
            negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2

        i.e. 0xfffe (top 5 bits set) is available to represent ints.  This is the encoding
        that we'll adopt in this patch.

        Alternate encoding schemes to consider in the future:
        =====================================================
        1. If we're willing and able to purifyNaN at all the places that can produce a
           "negative" pureNaN, e.g. after a division, then we can remove the "negative"
           pureNaN as a valid double bit encoding.  With this, we can now box doubles
           with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
           0x0004.

           With this encoding, the top double, negative infinity, is encoded as follows:

                negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4

           i.e. leaving 0xfffc as the tag for ints.

           We didn't adopt this scheme at this time because it adds complexity, and may
           have performance impact from the extra purifyNaN checks.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202002

        2. If we're willing to use 3 tag registers or always materialize one of them, we
           can also adopt a 14-bit tag as follows:

               Pointer {  0000:PPPP:PPPP:PPPP
                        / 0002:****:****:****
               Double  {         ...
                        \ FFFC:****:****:****
               Integer {  FFFF:0000:IIII:IIII

           where ...
               NumberMask is 0xfffc: any bits set in the top 14 bits is a number.
               IntMask is 0xffff: value is int if value & IntMask == IntMask.
               NotCellMask is NumberMask | OtherTag.

           Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
           a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
           still less than 0xffff.

           We didn't adopt this scheme at this time because it adds complexity and may
           have a performance impact from either burning another register, or materializing
           the 3rd mask.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202005

        * runtime/JSCJSValue.h:

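An added example (not JSC's code) that works the 15-bit tag arithmetic from the entry above through a minimal NaN-boxer: it checks that boxing "negative" pureNaN and negative infinity yields the 0xfffa / 0xfff2 top bits the entry computes, that every boxed double stays below the int tag, and that the rejected 14-bit layout (offset bit 50) collides. The constant names follow the entry (DoubleEncodeOffsetBit, DoubleEncodeOffset, NumberTag); the helper functions are hypothetical, and OtherTag/MiscTag are left out.

```cpp
#include <cstdint>
#include <cstring>

// Values from the entry: a 15-bit tag means the offset is 1 << 49 (0x0002 at the
// top) and the int tag is the top 15 bits set (0xfffe at the top). Everything is
// kept in uint64_t so the bit patterns are exact and free of signed wrap-around.
static constexpr unsigned DoubleEncodeOffsetBit = 49;
static constexpr uint64_t DoubleEncodeOffset = uint64_t(1) << DoubleEncodeOffsetBit;
static constexpr uint64_t NumberTag = ~uint64_t(0) << DoubleEncodeOffsetBit;

// The two highest raw double encodings the entry reasons about (constructed here).
static constexpr uint64_t NegativePureNaNBits = 0xfff8000000000000ull;
static constexpr uint64_t NegativeInfinityBits = 0xfff0000000000000ull;

static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double doubleFromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// The top 16 bits, written the way the entry writes them (0xfff8, 0xfffa, ...).
static uint16_t topBits(uint64_t bits) { return uint16_t(bits >> 48); }

// Boxing a double adds DoubleEncodeOffset so its top bits can never be all zero
// (the pointer range) and, for the 15-bit tag, never reach NumberTag (the int range).
static uint64_t boxDouble(double d) { return bitsOf(d) + DoubleEncodeOffset; }
static double unboxDouble(uint64_t v) { return doubleFromBits(v - DoubleEncodeOffset); }

// Ints: the tag in the top 15 bits with the int32 payload in the low 32 bits.
static uint64_t boxInt32(int32_t i) { return NumberTag | uint32_t(i); }
static bool isInt32(uint64_t v) { return (v & NumberTag) == NumberTag; }
static bool isNumber(uint64_t v) { return (v & NumberTag) != 0; }
static bool isCell(uint64_t v) { return (v & NumberTag) == 0; }

// Requirement 3 from the entry, phrased as the JIT checks it: a boxed double's
// top bits must compare below the int tag, an int's compare above or equal.
static bool boxedDoubleBelowIntTag(double d) { return boxDouble(d) < NumberTag; }

// Generalised to any offset bit so the rejected 14-bit layout can be tried too:
// with offsetBit 50 the int tag is the top 14 bits (0xfffc) and boxing
// "negative" pureNaN (0xfff8 + 0x0004) lands exactly on it.
static bool negativePureNaNCollidesWithIntTag(unsigned offsetBit)
{
    uint64_t offset = uint64_t(1) << offsetBit;
    uint64_t intTag = ~uint64_t(0) << offsetBit;
    uint64_t boxed = NegativePureNaNBits + offset;
    return (boxed & intTag) == intTag;
}
```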
2019-09-19  Mark Lam  <mark.lam@apple.com>

        Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
        https://bugs.webkit.org/show_bug.cgi?id=201989

        Reviewed by Saam Barati.

        This patch only unindents the code to get it back to compliant formatting.
        There is no actual code change.

        * runtime/JSNonDestructibleProxy.h:
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):

2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>

        Syntax checker should report duplicate __proto__ properties
        https://bugs.webkit.org/show_bug.cgi?id=201897
        <rdar://problem/53201788>

        Reviewed by Mark Lam.

        Currently we have two ways of parsing object literals:
        - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
          it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
          but it won't store them in the Property object that it creates for each parsed property. This
          method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters.
        - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters
          as stated above. This will always allocate string literals as well as identifiers and store them in
          the Property object, even during syntax checking.

        From looking at the history, it seems that there was a distinction between these two methods:
        parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
        getters/setters or properties defined as both getters/setters and constants. That distinction
        was removed and the only distinction that remained was whether we build strings and store the
        strings and properties as part of the Property object created by SyntaxChecker::createProperty.
        However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
        __proto__ properties in object literals even in sloppy mode, which means that we do need to build
        the strings and identifiers and store them as part of the Property objects.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
        * parser/Parser.h:

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Remove a now unnecessary hack to work around static const needing external linkage.
        https://bugs.webkit.org/show_bug.cgi?id=201988

        Reviewed by Saam Barati.

        MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
        inlinable.

        * b3/B3Common.cpp:
        (JSC::B3::pinnedExtendedOffsetAddrRegister):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Replace JSValue #defines with static constexpr values.
        https://bugs.webkit.org/show_bug.cgi?id=201966

        Reviewed by Yusuke Suzuki.

        static constexpr is the modern C++ way to define these constants.

        Some of the values are typed int64_t and some are int32_t.  The original #define
        values are int64_t.  Hence, we adopt int64_t as the default type to use here.

        However, some of these constants are being used as 32-bit values, and the code
        was static_cast'ing them into int32_t.  This set of constants is all the small
        values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
        so that we don't have to keep casting them.  In the few places where they are
        used as int64_t, they will automatically get up-casted anyway.

        In this patch, we also did the following:

        1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
           basically using it to filter out cells like this:

              if (value & NotCellMask) then goto handleNotCellCase;

        2. Renamed TagTypeNumber to NumberTag for a shorter name.

           Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
           They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.

        3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value
           as a literal constant.  We now define DoubleEncodeOffset based on
           DoubleEncodeOffsetBit, ensuring consistency.

        4. Introduced MiscTag so that clients don't have to put this set of tags together
           themselves.

        5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
           captures these values correctly with constexpr statements.  These static
           asserts were holdovers from the old days back when we had to define LLInt
           constant values manually, and we needed a mechanism to detect when the values
           have changed in the source.

        6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.

        7. In Wasm::wasmToJS(), we were constructing the value of the JSValue::DoubleEncodeOffset
           constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
           to do this for ARM64 because the constant can be loaded efficiently with a single
           MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
           the target register.

        * assembler/AbortReason.h:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileInt52Compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCell):
        (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
        (JSC::FTL::DFG::LowerDFGToB3::isOther):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (JSC::FTL::compileStub):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfCell):
        (JSC::AssemblyHelpers::branchIfOther):
        (JSC::AssemblyHelpers::branchIfNotOther):
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::boxDouble):
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::boxInt52):
        (JSC::AssemblyHelpers::boxBooleanPayload):
        (JSC::AssemblyHelpers::boxInt32):
        * jit/CallFrameShuffleData.h:
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::CallFrameShuffler):
667         (JSC::CallFrameShuffler::dump const):
668         (JSC::CallFrameShuffler::prepareAny):
669         * jit/CallFrameShuffler.h:
670         (JSC::CallFrameShuffler::getFreeRegister const):
671         * jit/CallFrameShuffler64.cpp:
672         (JSC::CallFrameShuffler::emitBox):
673         (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
674         (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
675         * jit/GPRInfo.h:
676         (JSC::GPRInfo::reservedRegisters):
677         * jit/JITArithmetic.cpp:
678         (JSC::JIT::emit_compareAndJumpSlow):
679         * jit/JITBitAndGenerator.cpp:
680         (JSC::JITBitAndGenerator::generateFastPath):
681         * jit/JITBitOrGenerator.cpp:
682         (JSC::JITBitOrGenerator::generateFastPath):
683         * jit/JITBitXorGenerator.cpp:
684         (JSC::JITBitXorGenerator::generateFastPath):
685         * jit/JITCall.cpp:
686         (JSC::JIT::compileTailCall):
687         * jit/JITDivGenerator.cpp:
688         (JSC::JITDivGenerator::generateFastPath):
689         * jit/JITInlines.h:
690         (JSC::JIT::emitPatchableJumpIfNotInt):
691         * jit/JITLeftShiftGenerator.cpp:
692         (JSC::JITLeftShiftGenerator::generateFastPath):
693         * jit/JITMulGenerator.cpp:
694         (JSC::JITMulGenerator::generateFastPath):
695         * jit/JITOpcodes.cpp:
696         (JSC::JIT::emit_op_overrides_has_instance):
697         (JSC::JIT::emit_op_is_undefined):
698         (JSC::JIT::emit_op_is_undefined_or_null):
699         (JSC::JIT::emit_op_is_boolean):
700         (JSC::JIT::emit_op_is_number):
701         (JSC::JIT::emit_op_is_cell_with_type):
702         (JSC::JIT::emit_op_is_object):
703         (JSC::JIT::emit_op_not):
704         (JSC::JIT::emit_op_jeq_null):
705         (JSC::JIT::emit_op_jneq_null):
706         (JSC::JIT::emit_op_jundefined_or_null):
707         (JSC::JIT::emit_op_jnundefined_or_null):
708         (JSC::JIT::emit_op_eq_null):
709         (JSC::JIT::emit_op_neq_null):
710         * jit/JITPropertyAccess.cpp:
711         (JSC::JIT::emitGenericContiguousPutByVal):
712         (JSC::JIT::emitFloatTypedArrayPutByVal):
713         * jit/JITRightShiftGenerator.cpp:
714         (JSC::JITRightShiftGenerator::generateFastPath):
715         * jit/RegisterSet.cpp:
716         (JSC::RegisterSet::runtimeTagRegisters):
717         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
718         (JSC::RegisterSet::dfgCalleeSaveRegisters):
719         (JSC::RegisterSet::ftlCalleeSaveRegisters):
720         * jit/SpecializedThunkJIT.h:
721         (JSC::SpecializedThunkJIT::returnDouble):
722         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
723         * jit/ThunkGenerators.cpp:
724         (JSC::virtualThunkFor):
725         (JSC::nativeForGenerator):
726         (JSC::arityFixupGenerator):
727         (JSC::absThunkGenerator):
728         * llint/LLIntData.cpp:
729         (JSC::LLInt::Data::performAssertions):
730         * llint/LowLevelInterpreter.asm:
731         * llint/LowLevelInterpreter.cpp:
732         (JSC::CLoop::execute):
733         * llint/LowLevelInterpreter64.asm:
734         * offlineasm/arm64.rb:
735         * offlineasm/cloop.rb:
736         * offlineasm/x86.rb:
737         * runtime/JSCJSValue.h:
738         * runtime/JSCJSValueInlines.h:
739         (JSC::JSValue::isUndefinedOrNull const):
740         (JSC::JSValue::isCell const):
741         (JSC::JSValue::isInt32 const):
742         (JSC::JSValue::JSValue):
743         (JSC::JSValue::asDouble const):
744         (JSC::JSValue::isNumber const):
745         * wasm/js/WasmToJS.cpp:
746         (JSC::Wasm::wasmToJS):
747         * wasm/js/WebAssemblyFunction.cpp:
748         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
749
750 2019-09-18  Devin Rousso  <drousso@apple.com>
751
752         Web Inspector: Better handling for large arrays and collections in Object Trees
753         https://bugs.webkit.org/show_bug.cgi?id=143589
754         <rdar://problem/16135388>
755
756         Reviewed by Joseph Pecoraro.
757
758         Adds two buttons before the "Prototype" item in expanded object/collection previews:
759          - Show %d More
760          - Show All (%d More)
761
762         The default `fetchCount` increment is `100`. The first button will only be shown if there
763         are more than `100` items remaining (haven't been shown).
764
765         * inspector/InjectedScriptSource.js:
766         (InjectedScript.prototype.getProperties):
767         (InjectedScript.prototype.getDisplayableProperties):
768         (InjectedScript.prototype.getCollectionEntries):
769         (InjectedScript.prototype._getProperties):
770         (InjectedScript.prototype._internalPropertyDescriptors):
771         (InjectedScript.prototype._propertyDescriptors):
772         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
773         (InjectedScript.prototype._propertyDescriptors.processProperties):
774         (InjectedScript.prototype._getSetEntries):
775         (InjectedScript.prototype._getMapEntries):
776         (InjectedScript.prototype._getWeakMapEntries):
777         (InjectedScript.prototype._getWeakSetEntries):
778         (InjectedScript.prototype._getIteratorEntries):
779         (InjectedScript.prototype._entries):
780         (RemoteObject.prototype._generatePreview):
781         (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
782         Don't include boolean property descriptor values if they are `false`.
783
784         * inspector/JSInjectedScriptHost.cpp:
785         (Inspector::JSInjectedScriptHost::weakMapEntries):
786         (Inspector::JSInjectedScriptHost::weakSetEntries):
787
788         * inspector/InjectedScript.h:
789         * inspector/InjectedScript.cpp:
790         (Inspector::InjectedScript::getProperties):
791         (Inspector::InjectedScript::getDisplayableProperties):
792         (Inspector::InjectedScript::getCollectionEntries):
793
794         * inspector/agents/InspectorRuntimeAgent.h:
795         * inspector/agents/InspectorRuntimeAgent.cpp:
796         (Inspector::asInt): Added.
797         (Inspector::InspectorRuntimeAgent::getProperties):
798         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
799         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
800
801         * inspector/protocol/Runtime.json:
802         Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
803         Mark boolean properties as optional so they can be omitted if `false`.
804
805 2019-09-18  Joonghun Park  <pjh0718@gmail.com>
806
807         Unreviewed. Remove build warning since r249976.
808
809         No new tests, no behavioral changes.
810
811         This patch removes the build warning below.
812         warning: control reaches end of non-void function [-Wreturn-type]
813
814         * dfg/DFGArrayMode.cpp:
815         (JSC::DFG::ArrayMode::alreadyChecked const):
816
817 2019-09-18  Saam Barati  <sbarati@apple.com>
818
819         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
820         https://bugs.webkit.org/show_bug.cgi?id=201953
821         <rdar://problem/53803524>
822
823         Reviewed by Yusuke Suzuki.
824
825         We had code in DFGSpeculativeJIT like:
826         
827         if (!globalObject->isHavingABadTime()) {
828             <-- here -->
829             Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
830             assert 's' has expected indexing type
831         }
832         
833         The problem is, we may have a bad time before we actually load the structure
834         inside the if. We may have a bad time while we're at the "<-- here -->" in the
835         above program. The fix is to first load the structure, then check if we're
836         having a bad time. If we're still not having a bad time, it's valid to assert
837         things about the structure.
838
839         * dfg/DFGSpeculativeJIT.cpp:
840         (JSC::DFG::SpeculativeJIT::compileNewArray):
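
        A toy model of the check-then-load race this entry describes, added here as an illustration (not WebKit code): GlobalObject, Structure, the IndexingType values and the injected race window are hypothetical stand-ins for the real JSC machinery, and the bad-time transition is triggered by hand inside the window rather than by another thread.

```cpp
// Added example (not WebKit code): a toy model of the check-then-load race
// described in the entry above. GlobalObject, Structure, IndexingType and the
// injected race window are hypothetical stand-ins for the real JSC machinery.
#include <functional>

// The structure handed out for array allocation changes once the global object
// starts "having a bad time".
enum class IndexingType { Int32Shape, SlowPutArrayStorageShape };

struct Structure {
    IndexingType indexingType;
};

struct GlobalObject {
    bool badTime = false;
    Structure fastInt32 { IndexingType::Int32Shape };
    Structure slowPut { IndexingType::SlowPutArrayStorageShape };

    bool isHavingABadTime() const { return badTime; }

    // Models arrayStructureForIndexingTypeDuringAllocation(): after a bad time,
    // every array allocation gets the slow-put structure instead of the fast one.
    const Structure* arrayStructureForIndexingTypeDuringAllocation(IndexingType) const
    {
        return badTime ? &slowPut : &fastInt32;
    }

    // The transition that, in the real engine, can happen underneath the JIT.
    void haveABadTime() { badTime = true; }
};

// Whether the assertion was evaluated at all, and whether it held.
struct AssertOutcome {
    bool checked;
    bool ok;
};

// Pre-fix ordering: check the flag, then load the structure. `raceWindow` runs
// at the "<-- here -->" point of the ChangeLog sketch.
AssertOutcome checkThenLoad(GlobalObject& global, IndexingType requested,
                            const std::function<void()>& raceWindow)
{
    if (!global.isHavingABadTime()) {
        raceWindow();
        const Structure* s = global.arrayStructureForIndexingTypeDuringAllocation(requested);
        return { true, s->indexingType == requested };
    }
    return { false, true };
}

// Fixed ordering: load first, then check. If we are still not having a bad time
// after the load, the loaded structure cannot be the slow-put one.
AssertOutcome loadThenCheck(GlobalObject& global, IndexingType requested,
                            const std::function<void()>& raceWindow)
{
    const Structure* s = global.arrayStructureForIndexingTypeDuringAllocation(requested);
    raceWindow();
    if (!global.isHavingABadTime())
        return { true, s->indexingType == requested };
    return { false, true };
}

// With the bad-time transition injected into the window, the old ordering
// evaluates the assertion against the slow-put structure and it fails.
bool raceBreaksCheckThenLoad()
{
    GlobalObject g;
    AssertOutcome r = checkThenLoad(g, IndexingType::Int32Shape, [&g] { g.haveABadTime(); });
    return r.checked && !r.ok;
}

// The fixed ordering sees the flag flip after the load and skips the assertion.
bool raceIsHarmlessForLoadThenCheck()
{
    GlobalObject g;
    AssertOutcome r = loadThenCheck(g, IndexingType::Int32Shape, [&g] { g.haveABadTime(); });
    return !r.checked;
}

// Without a transition, both orderings evaluate the assertion and it holds.
bool noRaceBothAssertOk()
{
    GlobalObject g;
    AssertOutcome a = checkThenLoad(g, IndexingType::Int32Shape, [] {});
    AssertOutcome b = loadThenCheck(g, IndexingType::Int32Shape, [] {});
    return a.checked && a.ok && b.checked && b.ok;
}
```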
841
842 2019-09-18  Chris Dumez  <cdumez@apple.com>
843
844         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
845         https://bugs.webkit.org/show_bug.cgi?id=201947
846         <rdar://problem/55453612>
847
848         Reviewed by Mark Lam.
849
850         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
851         but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
852         <https://trac.webkit.org/changeset/249064>.
853
854         * API/JSContextRef.cpp:
855         (JSContextGroupCreate):
856         (JSGlobalContextCreate):
857         (JSGlobalContextCreateInGroup):
858
859 2019-09-18  Saam Barati  <sbarati@apple.com>
860
861         Phantom insertion phase may disagree with arguments forwarding about live ranges
862         https://bugs.webkit.org/show_bug.cgi?id=200715
863         <rdar://problem/54301717>
864
865         Reviewed by Yusuke Suzuki.
866
867         The issue is that Phantom insertion phase was disagreeing about live ranges
868         from the arguments forwarding phase. The effect is that Phantom insertion
869         would insert a Phantom creating a longer live range than what arguments
870         forwarding was analyzing. Arguments forwarding will look for the last DFG
871         use or the last bytecode use of a variable it wants to eliminate. It then
872         does an interference analysis to ensure that nothing clobbers other variables
873         it needs to recover the sunken allocation during OSR exit.
874         
875         Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
876         in the current epoch, there is no need to insert a phantom for it. We
877         determine where we might need a Phantom by looking at bytecode kills. In this
878         analysis, we have a mapping from bytecode local to DFG node. However, we
879         sometimes forgot to remove the entry when a local is killed. So, if the first
880         kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
881         However, if the variable gets killed again, we might errantly insert a Phantom
882         for the prior variable which should've already been killed. The solution is to
883         clear the entry in our mapping when a variable is killed.
884         
885         The program in question was like this:
886         
887         1: DirectArguments
888         ...
889         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
890         ...
891         clobber things needed for recovery
892         ...
893         
894         Arguments elimination would transform the program since between @1 and
895         @2, nothing clobbers values needed for exit and nothing escapes @1. The
896         program becomes:
897         
898         1: PhantomDirectArguments
899         ...
900         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
901         ...
902         clobber things needed for recovery of @1
903         ...
904         
905         
906         Phantom insertion would then transform the program into:
907         
908         1: PhantomDirectArguments
909         ...
910         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
911         ...
912         clobber things needed for recovery of @1
913         ...
914         3: Phantom(@1)
915         ...
916         
917         This is wrong because Phantom insertion and arguments forwarding must agree on live
918         ranges, otherwise the interference analysis performed by arguments forwarding will
919         not correctly analyze up until where the value might be recovered.
920
921         * dfg/DFGPhantomInsertionPhase.cpp:
922
923 2019-09-18  Commit Queue  <commit-queue@webkit.org>
924
925         Unreviewed, rolling out r250002.
926         https://bugs.webkit.org/show_bug.cgi?id=201943
927
928         Patching of the callee and call is not atomic (Requested by
929         tadeuzagallo on #webkit).
930
931         Reverted changeset:
932
933         "Change WebAssembly calling conventions"
934         https://bugs.webkit.org/show_bug.cgi?id=201799
935         https://trac.webkit.org/changeset/250002
936
937 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
938
939         [JSC] Generator should have internal fields
940         https://bugs.webkit.org/show_bug.cgi?id=201159
941
942         Reviewed by Keith Miller.
943
944         This patch makes generator's internal states InternalField instead of private properties.
945         Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures.
946         As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.
947
948         If we make these structures adaptively poly-proto, some generators get poly-proto structures while others do not, resulting
949         in megamorphic lookup in Generator.prototype.next. If we make all generator structures poly-proto, it makes Generator.prototype.next
950         lookup suboptimal for now.
951
952         In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal
953         states. We extend promise-internal-field access bytecodes to access these fields from bytecode so that Generator.prototype.next can access
954         these fields without using megamorphic get_by_id_direct.
955
956         And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.
957
958         We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
959         JSGenerator can still offer a way to access the same Generator internal fields at the same offset, while poly-proto JSGenerator can use the offset = 0
960         inline-storage slot for the PolyProto implementation.
961
962         This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
963         In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.
964
965         This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.
966
967         This patch includes several design decisions.
968
969             1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
970             2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
971                support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
972             3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now,
973                we are not taking this approach just because I'm not sure this is necessary. If we found such a pattern, we can easily extend the current one but for now, I would like to keep
974                this patch simple.
975
976         * JavaScriptCore.xcodeproj/project.pbxproj:
977         * Sources.txt:
978         * builtins/AsyncFunctionPrototype.js:
979         (globalPrivate.asyncFunctionResume):
980         * builtins/GeneratorPrototype.js:
981         (globalPrivate.generatorResume):
982         (next):
983         (return):
984         (throw):
985         * bytecode/BytecodeGeneratorification.cpp:
986         (JSC::BytecodeGeneratorification::run):
987         * bytecode/BytecodeIntrinsicRegistry.cpp:
988         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
989         * bytecode/BytecodeIntrinsicRegistry.h:
990         * bytecode/BytecodeList.rb:
991         * bytecode/BytecodeUseDef.h:
992         (JSC::computeUsesForBytecodeOffset):
993         (JSC::computeDefsForBytecodeOffset):
994         * bytecode/CodeBlock.cpp:
995         (JSC::CodeBlock::finishCreation):
996         (JSC::CodeBlock::finalizeLLIntInlineCaches):
997         * bytecode/SpeculatedType.cpp:
998         (JSC::speculationFromJSType):
999         * bytecode/SpeculatedType.h:
1000         * bytecompiler/BytecodeGenerator.cpp:
1001         (JSC::BytecodeGenerator::BytecodeGenerator):
1002         (JSC::BytecodeGenerator::emitPutGeneratorFields):
1003         (JSC::BytecodeGenerator::emitCreateGenerator):
1004         (JSC::BytecodeGenerator::emitNewGenerator):
1005         (JSC::BytecodeGenerator::emitYield):
1006         (JSC::BytecodeGenerator::emitDelegateYield):
1007         (JSC::BytecodeGenerator::emitGeneratorStateChange):
1008         * bytecompiler/BytecodeGenerator.h:
1009         (JSC::BytecodeGenerator::emitIsGenerator):
1010         (JSC::BytecodeGenerator::generatorStateRegister):
1011         (JSC::BytecodeGenerator::generatorValueRegister):
1012         (JSC::BytecodeGenerator::generatorResumeModeRegister):
1013         (JSC::BytecodeGenerator::generatorFrameRegister):
1014         * bytecompiler/NodesCodegen.cpp:
1015         (JSC::generatorInternalFieldIndex):
1016         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
1017         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
1018         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
1019         (JSC::FunctionNode::emitBytecode):
1020         * dfg/DFGAbstractInterpreterInlines.h:
1021         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1022         * dfg/DFGByteCodeParser.cpp:
1023         (JSC::DFG::ByteCodeParser::parseBlock):
1024         * dfg/DFGCapabilities.cpp:
1025         (JSC::DFG::capabilityLevel):
1026         * dfg/DFGClobberize.h:
1027         (JSC::DFG::clobberize):
1028         * dfg/DFGClobbersExitState.cpp:
1029         (JSC::DFG::clobbersExitState):
1030         * dfg/DFGConstantFoldingPhase.cpp:
1031         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1032         * dfg/DFGDoesGC.cpp:
1033         (JSC::DFG::doesGC):
1034         * dfg/DFGFixupPhase.cpp:
1035         (JSC::DFG::FixupPhase::fixupNode):
1036         (JSC::DFG::FixupPhase::fixupIsCellWithType):
1037         * dfg/DFGGraph.cpp:
1038         (JSC::DFG::Graph::dump):
1039         * dfg/DFGNode.h:
1040         (JSC::DFG::Node::convertToNewGenerator):
1041         (JSC::DFG::Node::speculatedTypeForQuery):
1042         (JSC::DFG::Node::hasStructure):
1043         * dfg/DFGNodeType.h:
1044         * dfg/DFGOperations.cpp:
1045         * dfg/DFGOperations.h:
1046         * dfg/DFGPredictionPropagationPhase.cpp:
1047         * dfg/DFGSafeToExecute.h:
1048         (JSC::DFG::safeToExecute):
1049         * dfg/DFGSpeculativeJIT.cpp:
1050         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1051         (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
1052         (JSC::DFG::SpeculativeJIT::compileNewGenerator):
1053         * dfg/DFGSpeculativeJIT.h:
1054         * dfg/DFGSpeculativeJIT32_64.cpp:
1055         (JSC::DFG::SpeculativeJIT::compile):
1056         * dfg/DFGSpeculativeJIT64.cpp:
1057         (JSC::DFG::SpeculativeJIT::compile):
1058         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1059         * ftl/FTLCapabilities.cpp:
1060         (JSC::FTL::canCompile):
1061         * ftl/FTLLowerDFGToB3.cpp:
1062         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1063         (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
1064         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1065         (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
1066         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
1067         * jit/JIT.cpp:
1068         (JSC::JIT::privateCompileMainPass):
1069         (JSC::JIT::privateCompileSlowCases):
1070         * jit/JITOperations.cpp:
1071         * jit/JITOperations.h:
1072         * jit/JITPropertyAccess.cpp:
1073         (JSC::JIT::emit_op_get_internal_field):
1074         (JSC::JIT::emit_op_put_internal_field):
1075         * llint/LowLevelInterpreter.asm:
1076         * runtime/CommonSlowPaths.cpp:
1077         (JSC::SLOW_PATH_DECL):
1078         * runtime/CommonSlowPaths.h:
1079         * runtime/InternalFunction.cpp:
1080         (JSC::InternalFunction::createSubclassStructureSlow):
1081         * runtime/InternalFunction.h:
1082         (JSC::InternalFunction::createSubclassStructure):
1083         * runtime/JSGenerator.cpp: Added.
1084         (JSC::JSGenerator::create):
1085         (JSC::JSGenerator::createStructure):
1086         (JSC::JSGenerator::JSGenerator):
1087         (JSC::JSGenerator::finishCreation):
1088         (JSC::JSGenerator::visitChildren):
1089         * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
1090         * runtime/JSGeneratorFunction.h:
1091         * runtime/JSGlobalObject.cpp:
1092         (JSC::JSGlobalObject::init):
1093         (JSC::JSGlobalObject::visitChildren):
1094         * runtime/JSGlobalObject.h:
1095         (JSC::JSGlobalObject::generatorStructure const):
1096         * runtime/JSType.cpp:
1097         (WTF::printInternal):
1098         * runtime/JSType.h:
1099
1100 2019-09-17  Keith Miller  <keith_miller@apple.com>
1101
1102         Move comment explaining our Options to OptionsList.h
1103         https://bugs.webkit.org/show_bug.cgi?id=201891
1104
1105         Rubber-stamped by Mark Lam.
1106
1107         We moved the list so we should move the comment.
1108
1109         * runtime/Options.h:
1110         * runtime/OptionsList.h:
1111
1112 2019-09-17  Keith Miller  <keith_miller@apple.com>
1113
1114         Elide unnecessary moves in Air O0
1115         https://bugs.webkit.org/show_bug.cgi?id=201703
1116
1117         Reviewed by Saam Barati.
1118
1119         This patch also removes the code that would try to reuse temps in
1120         WasmAirIRGenerator. That code makes it hard to accurately
1121         determine where a temp dies as it could be reused again
1122         later. Thus every temp may appear to live for a long time in the
1123         global ordering.
1124
1125         This appears to be a minor progression on the overall score of
1126         wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.
1127
1128         This patch also fixes an issue where we didn't ask Patchpoints
1129         for early clobber registers when determining what callee saves
1130         were used by the program.
1131
1132         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
1133         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
1134         * b3/air/AirBasicBlock.h:
1135         * b3/air/AirCode.h:
1136         * b3/air/AirHandleCalleeSaves.cpp:
1137         (JSC::B3::Air::handleCalleeSaves):
1138         * b3/air/testair.cpp:
1139         * wasm/WasmAirIRGenerator.cpp:
1140         (JSC::Wasm::AirIRGenerator::didKill): Deleted.
1141         * wasm/WasmB3IRGenerator.cpp:
1142         (JSC::Wasm::B3IRGenerator::didKill): Deleted.
1143         * wasm/WasmFunctionParser.h:
1144         (JSC::Wasm::FunctionParser<Context>::parseBody):
1145         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1146         * wasm/WasmValidate.cpp:
1147         (JSC::Wasm::Validate::didKill): Deleted.
1148
1149 2019-09-17  Mark Lam  <mark.lam@apple.com>
1150
1151         Use constexpr instead of const in symbol definitions that are obviously constexpr.
1152         https://bugs.webkit.org/show_bug.cgi?id=201879
1153
1154         Rubber-stamped by Joseph Pecoraro.
1155
1156         const may require external storage (at the compiler's whim) though these
1157         currently do not.  constexpr makes it clear that the value is a literal constant
1158         that can be inlined.  In most cases in the code, when we say static const, we
1159         actually mean static constexpr.  I'm changing the code to reflect this.
1160
1161         * API/JSAPIValueWrapper.h:
1162         * API/JSCallbackConstructor.h:
1163         * API/JSCallbackObject.h:
1164         * API/JSContextRef.cpp:
1165         * API/JSWrapperMap.mm:
1166         * API/tests/CompareAndSwapTest.cpp:
1167         * API/tests/TypedArrayCTest.cpp:
1168         * API/tests/testapi.mm:
1169         (testObjectiveCAPIMain):
1170         * KeywordLookupGenerator.py:
1171         (Trie.printAsC):
1172         * assembler/ARMv7Assembler.h:
1173         * assembler/AssemblerBuffer.h:
1174         * assembler/AssemblerCommon.h:
1175         * assembler/MacroAssembler.h:
1176         * assembler/MacroAssemblerARM64.h:
1177         * assembler/MacroAssemblerARM64E.h:
1178         * assembler/MacroAssemblerARMv7.h:
1179         * assembler/MacroAssemblerCodeRef.h:
1180         * assembler/MacroAssemblerMIPS.h:
1181         * assembler/MacroAssemblerX86.h:
1182         * assembler/MacroAssemblerX86Common.h:
1183         (JSC::MacroAssemblerX86Common::absDouble):
1184         (JSC::MacroAssemblerX86Common::negateDouble):
1185         * assembler/MacroAssemblerX86_64.h:
1186         * assembler/X86Assembler.h:
1187         * b3/B3Bank.h:
1188         * b3/B3CheckSpecial.h:
1189         * b3/B3DuplicateTails.cpp:
1190         * b3/B3EliminateCommonSubexpressions.cpp:
1191         * b3/B3FixSSA.cpp:
1192         * b3/B3FoldPathConstants.cpp:
1193         * b3/B3InferSwitches.cpp:
1194         * b3/B3Kind.h:
1195         * b3/B3LowerToAir.cpp:
1196         * b3/B3NativeTraits.h:
1197         * b3/B3ReduceDoubleToFloat.cpp:
1198         * b3/B3ReduceLoopStrength.cpp:
1199         * b3/B3ReduceStrength.cpp:
1200         * b3/B3ValueKey.h:
1201         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1202         * b3/air/AirAllocateStackByGraphColoring.cpp:
1203         * b3/air/AirArg.h:
1204         * b3/air/AirCCallSpecial.h:
1205         * b3/air/AirEmitShuffle.cpp:
1206         * b3/air/AirFixObviousSpills.cpp:
1207         * b3/air/AirFormTable.h:
1208         * b3/air/AirLowerAfterRegAlloc.cpp:
1209         * b3/air/AirPrintSpecial.h:
1210         * b3/air/AirStackAllocation.cpp:
1211         * b3/air/AirTmp.h:
1212         * b3/testb3_6.cpp:
1213         (testInterpreter):
1214         * bytecode/AccessCase.cpp:
1215         * bytecode/CallLinkStatus.cpp:
1216         * bytecode/CallVariant.h:
1217         * bytecode/CodeBlock.h:
1218         * bytecode/CodeOrigin.h:
1219         * bytecode/DFGExitProfile.h:
1220         * bytecode/DirectEvalCodeCache.h:
1221         * bytecode/ExecutableToCodeBlockEdge.h:
1222         * bytecode/GetterSetterAccessCase.cpp:
1223         * bytecode/LazyOperandValueProfile.h:
1224         * bytecode/ObjectPropertyCondition.h:
1225         * bytecode/ObjectPropertyConditionSet.cpp:
1226         * bytecode/PolymorphicAccess.cpp:
1227         * bytecode/PropertyCondition.h:
1228         * bytecode/SpeculatedType.h:
1229         * bytecode/StructureStubInfo.cpp:
1230         * bytecode/UnlinkedCodeBlock.cpp:
1231         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
1232         * bytecode/UnlinkedCodeBlock.h:
1233         * bytecode/UnlinkedEvalCodeBlock.h:
1234         * bytecode/UnlinkedFunctionCodeBlock.h:
1235         * bytecode/UnlinkedFunctionExecutable.h:
1236         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1237         * bytecode/UnlinkedProgramCodeBlock.h:
1238         * bytecode/ValueProfile.h:
1239         * bytecode/VirtualRegister.h:
1240         * bytecode/Watchpoint.h:
1241         * bytecompiler/BytecodeGenerator.h:
1242         * bytecompiler/Label.h:
1243         * bytecompiler/NodesCodegen.cpp:
1244         (JSC::ThisNode::emitBytecode):
1245         * bytecompiler/RegisterID.h:
1246         * debugger/Breakpoint.h:
1247         * debugger/DebuggerParseData.cpp:
1248         * debugger/DebuggerPrimitives.h:
1249         * debugger/DebuggerScope.h:
1250         * dfg/DFGAbstractHeap.h:
1251         * dfg/DFGAbstractValue.h:
1252         * dfg/DFGArgumentsEliminationPhase.cpp:
1253         * dfg/DFGByteCodeParser.cpp:
1254         * dfg/DFGCSEPhase.cpp:
1255         * dfg/DFGCommon.h:
1256         * dfg/DFGCompilationKey.h:
1257         * dfg/DFGDesiredGlobalProperty.h:
1258         * dfg/DFGEdgeDominates.h:
1259         * dfg/DFGEpoch.h:
1260         * dfg/DFGForAllKills.h:
1261         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1262         * dfg/DFGGraph.cpp:
1263         (JSC::DFG::Graph::isLiveInBytecode):
1264         * dfg/DFGHeapLocation.h:
1265         * dfg/DFGInPlaceAbstractState.cpp:
1266         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1267         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1268         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1269         * dfg/DFGLICMPhase.cpp:
1270         * dfg/DFGLazyNode.h:
1271         * dfg/DFGMinifiedID.h:
1272         * dfg/DFGMovHintRemovalPhase.cpp:
1273         * dfg/DFGNodeFlowProjection.h:
1274         * dfg/DFGNodeType.h:
1275         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1276         * dfg/DFGPhantomInsertionPhase.cpp:
1277         * dfg/DFGPromotedHeapLocation.h:
1278         * dfg/DFGPropertyTypeKey.h:
1279         * dfg/DFGPureValue.h:
1280         * dfg/DFGPutStackSinkingPhase.cpp:
1281         * dfg/DFGRegisterBank.h:
1282         * dfg/DFGSSAConversionPhase.cpp:
1283         * dfg/DFGSSALoweringPhase.cpp:
1284         * dfg/DFGSpeculativeJIT.cpp:
1285         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1286         (JSC::DFG::compileClampDoubleToByte):
1287         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1288         (JSC::DFG::compileArithPowIntegerFastPath):
1289         (JSC::DFG::SpeculativeJIT::compileArithPow):
1290         (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
1291         * dfg/DFGStackLayoutPhase.cpp:
1292         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1293         * dfg/DFGStrengthReductionPhase.cpp:
1294         * dfg/DFGStructureAbstractValue.h:
1295         * dfg/DFGVarargsForwardingPhase.cpp:
1296         * dfg/DFGVariableEventStream.cpp:
1297         (JSC::DFG::VariableEventStream::reconstruct const):
1298         * dfg/DFGWatchpointCollectionPhase.cpp:
1299         * disassembler/ARM64/A64DOpcode.h:
1300         * ftl/FTLLocation.h:
1301         * ftl/FTLLowerDFGToB3.cpp:
1302         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
1303         * ftl/FTLSlowPathCall.cpp:
1304         * ftl/FTLSlowPathCallKey.h:
1305         * heap/CellContainer.h:
1306         * heap/CellState.h:
1307         * heap/ConservativeRoots.h:
1308         * heap/GCSegmentedArray.h:
1309         * heap/HandleBlock.h:
1310         * heap/Heap.cpp:
1311         (JSC::Heap::updateAllocationLimits):
1312         * heap/Heap.h:
1313         * heap/HeapSnapshot.h:
1314         * heap/HeapUtil.h:
1315         (JSC::HeapUtil::findGCObjectPointersForMarking):
1316         * heap/IncrementalSweeper.cpp:
1317         * heap/LargeAllocation.h:
1318         * heap/MarkedBlock.cpp:
1319         * heap/Strong.h:
1320         * heap/VisitRaceKey.h:
1321         * heap/Weak.h:
1322         * heap/WeakBlock.h:
1323         * inspector/JSInjectedScriptHost.h:
1324         * inspector/JSInjectedScriptHostPrototype.h:
1325         * inspector/JSJavaScriptCallFrame.h:
1326         * inspector/JSJavaScriptCallFramePrototype.h:
1327         * inspector/agents/InspectorConsoleAgent.cpp:
1328         * inspector/agents/InspectorRuntimeAgent.cpp:
1329         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1330         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1331         (CppProtocolTypesHeaderGenerator._generate_versions):
1332         * inspector/scripts/tests/generic/expected/version.json-result:
1333         * interpreter/Interpreter.h:
1334         * interpreter/ShadowChicken.cpp:
1335         * jit/BinarySwitch.cpp:
1336         * jit/CallFrameShuffler.h:
1337         * jit/ExecutableAllocator.h:
1338         * jit/FPRInfo.h:
1339         * jit/GPRInfo.h:
1340         * jit/ICStats.h:
1341         * jit/JITThunks.h:
1342         * jit/Reg.h:
1343         * jit/RegisterSet.h:
1344         * jit/TempRegisterSet.h:
1345         * jsc.cpp:
1346         * parser/ASTBuilder.h:
1347         * parser/Nodes.h:
1348         * parser/SourceCodeKey.h:
1349         * parser/SyntaxChecker.h:
1350         * parser/VariableEnvironment.h:
1351         * profiler/ProfilerOrigin.h:
1352         * profiler/ProfilerOriginStack.h:
1353         * profiler/ProfilerUID.h:
1354         * runtime/AbstractModuleRecord.cpp:
1355         * runtime/ArrayBufferNeuteringWatchpointSet.h:
1356         * runtime/ArrayConstructor.h:
1357         * runtime/ArrayConventions.h:
1358         * runtime/ArrayIteratorPrototype.h:
1359         * runtime/ArrayPrototype.cpp:
1360         (JSC::setLength):
1361         * runtime/AsyncFromSyncIteratorPrototype.h:
1362         * runtime/AsyncGeneratorFunctionPrototype.h:
1363         * runtime/AsyncGeneratorPrototype.h:
1364         * runtime/AsyncIteratorPrototype.h:
1365         * runtime/AtomicsObject.cpp:
1366         * runtime/BigIntConstructor.h:
1367         * runtime/BigIntPrototype.h:
1368         * runtime/BooleanPrototype.h:
1369         * runtime/ClonedArguments.h:
1370         * runtime/CodeCache.h:
1371         * runtime/ControlFlowProfiler.h:
1372         * runtime/CustomGetterSetter.h:
1373         * runtime/DateConstructor.h:
1374         * runtime/DatePrototype.h:
1375         * runtime/DefinePropertyAttributes.h:
1376         * runtime/ErrorPrototype.h:
1377         * runtime/EvalExecutable.h:
1378         * runtime/Exception.h:
1379         * runtime/ExceptionHelpers.cpp:
1380         (JSC::invalidParameterInSourceAppender):
1381         (JSC::invalidParameterInstanceofSourceAppender):
1382         * runtime/ExceptionHelpers.h:
1383         * runtime/ExecutableBase.h:
1384         * runtime/FunctionExecutable.h:
1385         * runtime/FunctionRareData.h:
1386         * runtime/GeneratorPrototype.h:
1387         * runtime/GenericArguments.h:
1388         * runtime/GenericOffset.h:
1389         * runtime/GetPutInfo.h:
1390         * runtime/GetterSetter.h:
1391         * runtime/GlobalExecutable.h:
1392         * runtime/Identifier.h:
1393         * runtime/InspectorInstrumentationObject.h:
1394         * runtime/InternalFunction.h:
1395         * runtime/IntlCollatorConstructor.h:
1396         * runtime/IntlCollatorPrototype.h:
1397         * runtime/IntlDateTimeFormatConstructor.h:
1398         * runtime/IntlDateTimeFormatPrototype.h:
1399         * runtime/IntlNumberFormatConstructor.h:
1400         * runtime/IntlNumberFormatPrototype.h:
1401         * runtime/IntlObject.h:
1402         * runtime/IntlPluralRulesConstructor.h:
1403         * runtime/IntlPluralRulesPrototype.h:
1404         * runtime/IteratorPrototype.h:
1405         * runtime/JSArray.cpp:
1406         (JSC::JSArray::tryCreateUninitializedRestricted):
1407         * runtime/JSArray.h:
1408         * runtime/JSArrayBuffer.h:
1409         * runtime/JSArrayBufferView.h:
1410         * runtime/JSBigInt.h:
1411         * runtime/JSCJSValue.h:
1412         * runtime/JSCell.h:
1413         * runtime/JSCustomGetterSetterFunction.h:
1414         * runtime/JSDataView.h:
1415         * runtime/JSDataViewPrototype.h:
1416         * runtime/JSDestructibleObject.h:
1417         * runtime/JSFixedArray.h:
1418         * runtime/JSGenericTypedArrayView.h:
1419         * runtime/JSGlobalLexicalEnvironment.h:
1420         * runtime/JSGlobalObject.h:
1421         * runtime/JSImmutableButterfly.h:
1422         * runtime/JSInternalPromiseConstructor.h:
1423         * runtime/JSInternalPromiseDeferred.h:
1424         * runtime/JSInternalPromisePrototype.h:
1425         * runtime/JSLexicalEnvironment.h:
1426         * runtime/JSModuleEnvironment.h:
1427         * runtime/JSModuleLoader.h:
1428         * runtime/JSModuleNamespaceObject.h:
1429         * runtime/JSNonDestructibleProxy.h:
1430         * runtime/JSONObject.cpp:
1431         * runtime/JSONObject.h:
1432         * runtime/JSObject.h:
1433         * runtime/JSPromiseConstructor.h:
1434         * runtime/JSPromiseDeferred.h:
1435         * runtime/JSPromisePrototype.h:
1436         * runtime/JSPropertyNameEnumerator.h:
1437         * runtime/JSProxy.h:
1438         * runtime/JSScope.h:
1439         * runtime/JSScriptFetchParameters.h:
1440         * runtime/JSScriptFetcher.h:
1441         * runtime/JSSegmentedVariableObject.h:
1442         * runtime/JSSourceCode.h:
1443         * runtime/JSString.cpp:
1444         * runtime/JSString.h:
1445         * runtime/JSSymbolTableObject.h:
1446         * runtime/JSTemplateObjectDescriptor.h:
1447         * runtime/JSTypeInfo.h:
1448         * runtime/MapPrototype.h:
1449         * runtime/MinimumReservedZoneSize.h:
1450         * runtime/ModuleProgramExecutable.h:
1451         * runtime/NativeExecutable.h:
1452         * runtime/NativeFunction.h:
1453         * runtime/NativeStdFunctionCell.h:
1454         * runtime/NumberConstructor.h:
1455         * runtime/NumberPrototype.h:
1456         * runtime/ObjectConstructor.h:
1457         * runtime/ObjectPrototype.h:
1458         * runtime/ProgramExecutable.h:
1459         * runtime/PromiseDeferredTimer.cpp:
1460         * runtime/PropertyMapHashTable.h:
1461         * runtime/PropertyNameArray.h:
1462         (JSC::PropertyNameArray::add):
1463         * runtime/PrototypeKey.h:
1464         * runtime/ProxyConstructor.h:
1465         * runtime/ProxyObject.cpp:
1466         (JSC::ProxyObject::performGetOwnPropertyNames):
1467         * runtime/ProxyRevoke.h:
1468         * runtime/ReflectObject.h:
1469         * runtime/RegExp.h:
1470         * runtime/RegExpCache.h:
1471         * runtime/RegExpConstructor.h:
1472         * runtime/RegExpKey.h:
1473         * runtime/RegExpObject.h:
1474         * runtime/RegExpPrototype.h:
1475         * runtime/RegExpStringIteratorPrototype.h:
1476         * runtime/SamplingProfiler.cpp:
1477         * runtime/ScopedArgumentsTable.h:
1478         * runtime/ScriptExecutable.h:
1479         * runtime/SetPrototype.h:
1480         * runtime/SmallStrings.h:
1481         * runtime/SparseArrayValueMap.h:
1482         * runtime/StringConstructor.h:
1483         * runtime/StringIteratorPrototype.h:
1484         * runtime/StringObject.h:
1485         * runtime/StringPrototype.h:
1486         * runtime/Structure.h:
1487         * runtime/StructureChain.h:
1488         * runtime/StructureRareData.h:
1489         * runtime/StructureTransitionTable.h:
1490         * runtime/Symbol.h:
1491         * runtime/SymbolConstructor.h:
1492         * runtime/SymbolPrototype.h:
1493         * runtime/SymbolTable.h:
1494         * runtime/TemplateObjectDescriptor.h:
1495         * runtime/TypeProfiler.cpp:
1496         * runtime/TypeProfiler.h:
1497         * runtime/TypeProfilerLog.cpp:
1498         * runtime/VarOffset.h:
1499         * testRegExp.cpp:
1500         * tools/HeapVerifier.cpp:
1501         (JSC::HeapVerifier::checkIfRecorded):
1502         * tools/JSDollarVM.cpp:
1503         * wasm/WasmB3IRGenerator.cpp:
1504         * wasm/WasmBBQPlan.cpp:
1505         * wasm/WasmFaultSignalHandler.cpp:
1506         * wasm/WasmFunctionParser.h:
1507         * wasm/WasmOMGForOSREntryPlan.cpp:
1508         * wasm/WasmOMGPlan.cpp:
1509         * wasm/WasmPlan.cpp:
1510         * wasm/WasmSignature.cpp:
1511         * wasm/WasmSignature.h:
1512         * wasm/WasmWorklist.cpp:
1513         * wasm/js/JSWebAssembly.h:
1514         * wasm/js/JSWebAssemblyCodeBlock.h:
1515         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1516         * wasm/js/WebAssemblyCompileErrorPrototype.h:
1517         * wasm/js/WebAssemblyFunction.h:
1518         * wasm/js/WebAssemblyInstanceConstructor.h:
1519         * wasm/js/WebAssemblyInstancePrototype.h:
1520         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1521         * wasm/js/WebAssemblyLinkErrorPrototype.h:
1522         * wasm/js/WebAssemblyMemoryConstructor.h:
1523         * wasm/js/WebAssemblyMemoryPrototype.h:
1524         * wasm/js/WebAssemblyModuleConstructor.h:
1525         * wasm/js/WebAssemblyModulePrototype.h:
1526         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1527         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
1528         * wasm/js/WebAssemblyTableConstructor.h:
1529         * wasm/js/WebAssemblyTablePrototype.h:
1530         * wasm/js/WebAssemblyToJSCallee.h:
1531         * yarr/Yarr.h:
1532         * yarr/YarrParser.h:
1533         * yarr/generateYarrCanonicalizeUnicode:
1534
1535 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1536
1537         Follow-up after String.codePointAt optimization
1538         https://bugs.webkit.org/show_bug.cgi?id=201889
1539
1540         Reviewed by Saam Barati.
1541
1542         Follow-up after string.codePointAt DFG / FTL optimizations:
1543
1544         1. Gracefully accept more arguments than expected for intrinsics.
1545         2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.
1546
1547         * dfg/DFGByteCodeParser.cpp:
1548         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1549
1550 2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>
1551
1552         Change WebAssembly calling conventions
1553         https://bugs.webkit.org/show_bug.cgi?id=201799
1554
1555         Reviewed by Saam Barati.
1556
1557         Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
1558         we have the Wasm interpreter, since we need the callee in order to know which function we are executing.
1559         This patch changes the calling conventions in preparation for the interpreter, so that the caller
1560         becomes responsible for writing the callee into the call frame.
1561         However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
1562         generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
1563         code when we know statically who the callee is:
1564         - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
1565         - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry
1566
1567         Additionally, this patch changes it so that the callee keeps track of its callers, instead of having a global mapping
1568         of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.
1569
1570         * CMakeLists.txt:
1571         * JavaScriptCore.xcodeproj/project.pbxproj:
1572         * wasm/WasmAirIRGenerator.cpp:
1573         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1574         (JSC::Wasm::AirIRGenerator::addCall):
1575         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1576         (JSC::Wasm::parseAndCompileAir):
1577         * wasm/WasmAirIRGenerator.h:
1578         * wasm/WasmB3IRGenerator.cpp:
1579         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1580         (JSC::Wasm::B3IRGenerator::addCall):
1581         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1582         (JSC::Wasm::parseAndCompile):
1583         * wasm/WasmB3IRGenerator.h:
1584         * wasm/WasmBBQPlan.cpp:
1585         (JSC::Wasm::BBQPlan::BBQPlan):
1586         (JSC::Wasm::BBQPlan::prepare):
1587         (JSC::Wasm::BBQPlan::compileFunctions):
1588         (JSC::Wasm::BBQPlan::complete):
1589         * wasm/WasmBBQPlan.h:
1590         * wasm/WasmBBQPlanInlines.h:
1591         (JSC::Wasm::BBQPlan::initializeCallees):
1592         * wasm/WasmBinding.cpp:
1593         (JSC::Wasm::wasmToWasm):
1594         * wasm/WasmCallee.cpp:
1595         (JSC::Wasm::Callee::Callee):
1596         (JSC::Wasm::repatchMove):
1597         (JSC::Wasm::repatchCall):
1598         (JSC::Wasm::BBQCallee::addCaller):
1599         (JSC::Wasm::BBQCallee::addAndLinkCaller):
1600         (JSC::Wasm::BBQCallee::repatchCallers):
1601         * wasm/WasmCallee.h:
1602         (JSC::Wasm::Callee::entrypoint):
1603         (JSC::Wasm::Callee::code const):
1604         (JSC::Wasm::Callee::calleeSaveRegisters):
1605         * wasm/WasmCallingConvention.h:
1606         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1607         * wasm/WasmCodeBlock.cpp:
1608         (JSC::Wasm::CodeBlock::CodeBlock):
1609         * wasm/WasmCodeBlock.h:
1610         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
1611         (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
1612         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1613         (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
1614         * wasm/WasmEmbedder.h:
1615         * wasm/WasmFormat.h:
1616         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
1617         * wasm/WasmInstance.h:
1618         (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
1619         * wasm/WasmOMGForOSREntryPlan.cpp:
1620         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
1621         (JSC::Wasm::OMGForOSREntryPlan::work):
1622         * wasm/WasmOMGForOSREntryPlan.h:
1623         * wasm/WasmOMGPlan.cpp:
1624         (JSC::Wasm::OMGPlan::OMGPlan):
1625         (JSC::Wasm::OMGPlan::work):
1626         * wasm/WasmOMGPlan.h:
1627         * wasm/WasmOperations.cpp:
1628         (JSC::Wasm::triggerOMGReplacementCompile):
1629         (JSC::Wasm::doOSREntry):
1630         (JSC::Wasm::triggerOSREntryNow):
1631         * wasm/js/JSToWasm.cpp:
1632         (JSC::Wasm::createJSToWasmWrapper):
1633         * wasm/js/JSToWasm.h:
1634         * wasm/js/WebAssemblyFunction.cpp:
1635         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1636         (JSC::WebAssemblyFunction::create):
1637         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1638         * wasm/js/WebAssemblyFunction.h:
1639         * wasm/js/WebAssemblyModuleRecord.cpp:
1640         (JSC::WebAssemblyModuleRecord::link):
1641         (JSC::WebAssemblyModuleRecord::evaluate):
1642         * wasm/js/WebAssemblyWrapperFunction.cpp:
1643         (JSC::WebAssemblyWrapperFunction::create):
1644
1645 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1646
1647         [JSC] CheckArray+NonArray is not filtering out Array in AI
1648         https://bugs.webkit.org/show_bug.cgi?id=201857
1649         <rdar://problem/54194820>
1650
1651         Reviewed by Keith Miller.
1652
1653         The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
1654         While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
1655         accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
1656         This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.
1657
1658         * dfg/DFGArrayMode.cpp:
1659         (JSC::DFG::ArrayMode::alreadyChecked const):
1660
1661 2019-09-17  Saam Barati  <sbarati@apple.com>
1662
1663         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
1664         https://bugs.webkit.org/show_bug.cgi?id=201853
1665         <rdar://problem/53805461>
1666
1667         Reviewed by Yusuke Suzuki.
1668
1669         We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
1670         out SlowPutArrayStorage. It does no such thing. We just check that the object
1671         is either ScopedArguments or DirectArguments.
1672
1673         * dfg/DFGArrayMode.h:
1674         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1675         (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
1676         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
1677
1678 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
1679
1680         Wasm StreamingParser should validate that number of functions matches number of declarations
1681         https://bugs.webkit.org/show_bug.cgi?id=201850
1682         <rdar://problem/55290186>
1683
1684         Reviewed by Yusuke Suzuki.
1685
1686         Currently, when parsing the code section, we check that the number of functions matches the number
1687         of declarations in the function section. However, that check is never performed if the module does
1688         not have a code section. To fix that, we perform the check again in StreamingParser::finalize.
1689
1690         * wasm/WasmStreamingParser.cpp:
1691         (JSC::Wasm::StreamingParser::finalize):
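
As an added example (not code from the WebKit patch above), the following hand-builds two tiny WebAssembly binaries and asks the host engine's WebAssembly.validate for a verdict: one declares a function in the function section but has no code section at all, which is the shape the entry says must be rejected; the other adds a matching one-function code section. The byte sequences are constructed here and are not taken from the page.

```javascript
// Added example (not part of the WebKit patch): builds two tiny WebAssembly
// modules by hand and asks the host engine to validate them. The first
// declares one function in the function section but omits the code section,
// the shape the fix above makes StreamingParser reject in finalize();
// the second supplies a matching one-function code section.

// Binary header: "\0asm" magic followed by version 1 (little-endian u32).
const MAGIC_AND_VERSION = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];

// Section id 1 (type), size 4: one function type (0x60) with no params and no results.
const TYPE_SECTION = [0x01, 0x04, 0x01, 0x60, 0x00, 0x00];

// Section id 3 (function), size 2: one function declared, using type index 0.
const FUNCTION_SECTION = [0x03, 0x02, 0x01, 0x00];

// Section id 10 (code), size 4: one body of size 2 (zero local groups, then `end`).
const CODE_SECTION = [0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b];

// Concatenate the header and the given sections into a module byte array.
function buildModule(sections) {
  return Uint8Array.from(MAGIC_AND_VERSION.concat(...sections));
}

// Validate both constructed modules; a conforming engine must reject the one
// whose declared function count (1) has no corresponding code section.
function validateFunctionCountConsistency() {
  const missingCode = buildModule([TYPE_SECTION, FUNCTION_SECTION]);
  const complete = buildModule([TYPE_SECTION, FUNCTION_SECTION, CODE_SECTION]);
  return {
    missingCodeSectionIsValid: WebAssembly.validate(missingCode),
    completeModuleIsValid: WebAssembly.validate(complete),
  };
}
```

The check matters for any consumer that streams module bytes: a decoder that only cross-checks counts while parsing the code section silently accepts a module whose function section promises bodies that never arrive.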
1692
1693 2019-09-16  Michael Saboff  <msaboff@apple.com>
1694
1695         [JSC] Perform check again when we found non-BMP characters
1696         https://bugs.webkit.org/show_bug.cgi?id=201647
1697
1698         Reviewed by Yusuke Suzuki.
1699
1700         We need to check for end of input for non-BMP characters when matching a character class that contains
1701         both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
1702         end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
1703         After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
1704         label to back out the index++ for the first surrogate of the non-BMP character.
1705
1706         Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
1707         first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
1708         we increment for the second surrogate.
1709
1710         While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the
1711         loop to check the count at loop top instead of loop bottom.
1712
1713         * yarr/YarrJIT.cpp:
1714         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
1715         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1716         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1717         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1718         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1719
1720 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
1721
1722         [JSC] Add missing syntax errors for await in function parameter default expressions
1723         https://bugs.webkit.org/show_bug.cgi?id=201615
1724
1725         Reviewed by Darin Adler.
1726
1727         This patch rectifies two oversights:
1728           1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
1729              (and likewise for async arrow functions).
1730           2. We were not prohibiting `(x = await => {}) => {}` in an async context
1731              (regardless of parentheses, but note that this one *only* applies to arrow functions).
1732
1733         * parser/Parser.cpp:
1734         (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
1735         (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
1736         (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
1737         (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).
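
As an added example (not code from the WebKit patch above), the following checks, on whatever JavaScript engine runs it, the parser rules the entry describes: `await` must not serve as an arrow-function parameter name in an async function's parameters (case 1) or inside an async function body (case 2), while ordinary sloppy-mode functions outside any async context still accept it as an identifier. The source strings are constructed for this check and are parsed, never executed.

```javascript
// Added example (not part of the WebKit patch): verifies that the engine
// rejects `await` as an arrow-function parameter name in async contexts,
// as described in the entry above, and still accepts it as a plain
// identifier in sloppy, non-async code.

// Constructed sources that must be SyntaxErrors (cases 1 and 2 above).
const REJECTED_SOURCES = [
  "async function f(x = (await) => {}) {}",           // case 1, parenthesized
  "async function f(x = await => {}) {}",             // case 1, bare
  "async function g() { (x = (await) => {}) => {}; }", // case 2, parenthesized
  "async function g() { (x = await => {}) => {}; }",   // case 2, bare
];

// Outside an async context (and outside modules), `await` is an ordinary
// identifier, so these constructed sources must parse.
const ACCEPTED_SOURCES = [
  "function f(x = (await) => {}) {}",
  "function f(x = await => {}) {}",
];

// Parse a source text without running it: the Function constructor throws
// a SyntaxError at construction time when the body does not parse.
function parsesOk(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a genuine failure of this check
  }
}

// Returns, for each list, whether every source parsed.
function checkAwaitParameterRules() {
  return {
    rejected: REJECTED_SOURCES.map(parsesOk),
    accepted: ACCEPTED_SOURCES.map(parsesOk),
  };
}
```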
1738
1739 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
1740
1741         SamplingProfiler should hold API lock before reporting results
1742         https://bugs.webkit.org/show_bug.cgi?id=201829
1743
1744         Reviewed by Yusuke Suzuki.
1745
1746         Right now, the SamplingProfiler crashes in debug builds when trying
1747         to report results if it finds a JSFunction on the stack that doesn't have
1748         RareData. It tries to allocate the function's rare data when we call
1749         getOwnPropertySlot in order to get the function's name, but that fails
1750         because we are not holding the VM's API lock. We fix it by just holding
1751         the lock before reporting the results.
1752
1753         * runtime/SamplingProfiler.cpp:
1754         (JSC::SamplingProfiler::reportDataToOptionFile):
1755
1756 2019-09-16  David Kilzer  <ddkilzer@apple.com>
1757
1758         [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
1759         <https://webkit.org/b/201804>
1760
1761         Reviewed by Saam Barati.
1762
1763         * b3/testb3_8.cpp:
1764         (testFastForwardCopy32): Allocate arrays using
1765         WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
1766         statements.
1767
1768 2019-09-16  Saam Barati  <sbarati@apple.com>
1769
1770         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
1771         https://bugs.webkit.org/show_bug.cgi?id=200386
1772         <rdar://problem/53854946>
1773
1774         Reviewed by Yusuke Suzuki.
1775
1776         We used to ignore '__proto__' in putInlineSlow when the object in question
1777         was Proxy. There is no reason for this, and it goes against the spec. So
1778         I've removed that condition. This also has the effect that it fixes an
1779         assertion firing inside our inline caching code which dictates that, for a
1780         property replace, the base value's structure must be equal to the
1781         structure when we grabbed the structure prior to the put operation.
1782         The old code caused a weird edge case where we broke this invariant.
1783
1784         * runtime/JSObject.cpp:
1785         (JSC::JSObject::putInlineSlow):
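
As an added example (not code from the WebKit patch above), the following observes what a spec-conforming engine does when "__proto__" is assigned on a Proxy: the assignment reaches Object.prototype's __proto__ setter with the Proxy as receiver, and that setter calls the Proxy's [[SetPrototypeOf]], so a setPrototypeOf trap runs. The trap, target and values are constructed for this demonstration.

```javascript
// Added example (not part of the WebKit patch): shows that assigning
// "__proto__" on a Proxy must go through the Proxy's [[SetPrototypeOf]]
// (its setPrototypeOf trap) rather than being ignored, as the entry above
// describes for the old JSC behaviour.

function protoAssignmentOnProxy() {
  const trapCalls = [];
  const target = {};
  const proxy = new Proxy(target, {
    setPrototypeOf(t, proto) {
      trapCalls.push(proto);
      return Reflect.setPrototypeOf(t, proto); // honour the request on the target
    },
  });

  // A primitive is dropped by the __proto__ setter itself, before
  // [[SetPrototypeOf]] is consulted, so the trap does not run here.
  proxy.__proto__ = 42;

  // Object and null prototypes reach the trap.
  proxy.__proto__ = Array.prototype;
  proxy.__proto__ = null;

  // A trap that refuses the change makes the setter throw a TypeError.
  const refusing = new Proxy({}, { setPrototypeOf() { return false; } });
  let refusedError = null;
  try {
    refusing.__proto__ = Array.prototype;
  } catch (e) {
    refusedError = e.constructor.name;
  }

  return {
    trapCalls,                                  // [Array.prototype, null]
    targetProto: Object.getPrototypeOf(target), // null (last accepted value)
    refusedError,                               // "TypeError"
  };
}
```

Note the ordering: once the target's prototype is null, an ordinary [[Set]] on the proxy no longer finds the inherited setter and would instead create an own "__proto__" data property, so the primitive case is exercised first.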
1786
1787 2019-09-15  David Kilzer  <ddkilzer@apple.com>
1788
1789         Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
1790         <https://webkit.org/b/201803>
1791
1792         Reviewed by Dan Bernstein.
1793
1794         * API/JSVirtualMachine.mm:
1795         (-[JSVirtualMachine addManagedReference:withOwner:]): Use
1796         RetainPtr<> to fix the leak.
1797
1798 2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
1799
1800         Retire x86 32bit JIT support
1801         https://bugs.webkit.org/show_bug.cgi?id=201790
1802
1803         Reviewed by Mark Lam.
1804
1805         Now, Xcode no longer has the ability to build 32bit binaries, so we cannot even test it on macOS.
1806         Fedora has stopped shipping the x86 32bit kernel. Our x86/x86_64 JIT requires SSE2, and so such relatively modern CPUs
1807         can use the JIT by switching from x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
1808         WebKit already disabled the x86 JIT by default while the implementation exists. So literally, it is not tested.
1809
1810         While x86 32bit becomes less useful, the x86 32bit JIT backend is very complicated and is a major maintenance burden.
1811         This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.
1812
1813         This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler, GPRInfo / FPRInfo, and
1814         MachineContext information since they are useful even though the JIT is not supported.
1815
1816         * dfg/DFGArrayMode.cpp:
1817         (JSC::DFG::ArrayMode::refine const):
1818         * dfg/DFGByteCodeParser.cpp:
1819         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1820         (JSC::DFG::ByteCodeParser::parseBlock):
1821         * dfg/DFGFixupPhase.cpp:
1822         (JSC::DFG::FixupPhase::fixupNode):
1823         * dfg/DFGJITCompiler.cpp:
1824         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1825         * dfg/DFGOSRExitCompilerCommon.cpp:
1826         (JSC::DFG::osrWriteBarrier):
1827         * dfg/DFGSpeculativeJIT.cpp:
1828         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1829         (JSC::DFG::SpeculativeJIT::compileArithMod):
1830         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1831         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1832         * dfg/DFGSpeculativeJIT.h:
1833         * dfg/DFGSpeculativeJIT32_64.cpp:
1834         (JSC::DFG::SpeculativeJIT::emitCall):
1835         (JSC::DFG::SpeculativeJIT::compile):
1836         * dfg/DFGThunks.cpp:
1837         (JSC::DFG::osrExitGenerationThunkGenerator):
1838         * ftl/FTLThunks.cpp:
1839         (JSC::FTL::slowPathCallThunkGenerator):
1840         * jit/AssemblyHelpers.cpp:
1841         (JSC::AssemblyHelpers::callExceptionFuzz):
1842         (JSC::AssemblyHelpers::debugCall):
1843         * jit/AssemblyHelpers.h:
1844         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
1845         * jit/CCallHelpers.h:
1846         (JSC::CCallHelpers::setupArgumentsImpl):
1847         (JSC::CCallHelpers::prepareForTailCallSlow):
1848         * jit/CallFrameShuffler.cpp:
1849         (JSC::CallFrameShuffler::prepareForTailCall):
1850         * jit/JIT.cpp:
1851         (JSC::JIT::privateCompileExceptionHandlers):
1852         * jit/JITArithmetic32_64.cpp:
1853         (JSC::JIT::emit_op_mod):
1854         (JSC::JIT::emitSlow_op_mod):
1855         * jit/SlowPathCall.h:
1856         (JSC::JITSlowPathCall::call):
1857         * jit/ThunkGenerators.cpp:
1858         (JSC::nativeForGenerator):
1859         (JSC::arityFixupGenerator):
1860         * wasm/WasmAirIRGenerator.cpp:
1861         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
1862         * yarr/YarrJIT.cpp:
1863         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1864         (JSC::Yarr::YarrGenerator::generateEnter):
1865         (JSC::Yarr::YarrGenerator::generateReturn):
1866         (JSC::Yarr::YarrGenerator::compile):
1867         * yarr/YarrJIT.h:
1868
1869 2019-09-13  Mark Lam  <mark.lam@apple.com>
1870
1871         jsc -d stopped working.
1872         https://bugs.webkit.org/show_bug.cgi?id=201787
1873
1874         Reviewed by Joseph Pecoraro.
1875
1876         The reason is that, in this case, the jsc shell is trying to set an option
1877         after the VM has been instantiated.  The fix is simply to move all options
1878         initialization before the VM is instantiated.
1879
1880         * jsc.cpp:
1881         (runWithOptions):
1882         (jscmain):
1883
1884 2019-09-13  Mark Lam  <mark.lam@apple.com>
1885
1886         watchOS requires PageSize alignment of 16K for JSC::Config.
1887         https://bugs.webkit.org/show_bug.cgi?id=201786
1888         <rdar://problem/55357890>
1889
1890         Reviewed by Yusuke Suzuki.
1891
1892         * runtime/JSCConfig.h:
1893
1894 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1895
1896         Unreviewed, follow-up fix after r249842
1897         https://bugs.webkit.org/show_bug.cgi?id=201750
1898
1899         Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.
1900
1901         * assembler/MacroAssemblerARM64.h:
1902         (JSC::MacroAssemblerARM64::nearCall):
1903         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
1904
1905 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
1906
1907         Date.prototype.toJSON does not execute steps 1-2
1908         https://bugs.webkit.org/show_bug.cgi?id=105282
1909
1910         Reviewed by Ross Kirsling.
1911
1912         According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
1913         strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
1914         using sloppy mode semantics, resulting in `toISOString` being called on the global object if `this`
1915         value equals `null` or `undefined`.
1916
1917         * runtime/DatePrototype.cpp:
1918         (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
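
As an added example (not code from the WebKit patch above), the following exercises the observable behaviour that the strict-mode resolution fixes: per ECMA-262 Date.prototype.toJSON, step 1 is ToObject(this value), so a null or undefined receiver must throw a TypeError instead of reaching a `toISOString` on the global object; a non-finite time value yields null; otherwise `toISOString` is invoked on the receiver. The decoy global function and the receivers are constructed for this check.

```javascript
// Added example (not part of the WebKit patch): probes Date.prototype.toJSON
// with several receivers to show the strict-mode `this` handling the entry
// above requires, plus the non-finite and custom-receiver steps of the spec.

// Call toJSON with an explicit receiver and record either the value or the
// name of the thrown error.
function classify(thisValue) {
  try {
    return { ok: true, value: Date.prototype.toJSON.call(thisValue) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function toJSONBehaviour() {
  // Constructed decoy: a sloppy-mode receiver resolution would call this for
  // null/undefined receivers instead of throwing. Installed only for the
  // duration of the check.
  const hadDecoy = Object.prototype.hasOwnProperty.call(globalThis, "toISOString");
  const previous = globalThis.toISOString;
  globalThis.toISOString = () => "wrongly-resolved-on-global";
  try {
    return {
      nullReceiver: classify(null),           // TypeError, never the decoy
      undefinedReceiver: classify(undefined), // TypeError, never the decoy
      invalidDate: classify(new Date(NaN)),   // time value NaN -> null
      nonFinitePrimitive: classify({ valueOf: () => Infinity, toISOString: () => "never" }), // null
      customObject: classify({ toISOString: () => "custom" }), // "custom"
      numberReceiver: classify(42),           // Number wrapper has no toISOString -> TypeError
    };
  } finally {
    if (hadDecoy) globalThis.toISOString = previous;
    else delete globalThis.toISOString;
  }
}
```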
1919
1920 2019-09-13  Mark Lam  <mark.lam@apple.com>
1921
1922         performJITMemcpy() should do its !Gigacage assertion on exit.
1923         https://bugs.webkit.org/show_bug.cgi?id=201780
1924         <rdar://problem/55354867>
1925
1926         Reviewed by Robin Morisset.
1927
1928         Re-doing previous fix.
1929
1930         * jit/ExecutableAllocator.h:
1931         (JSC::performJITMemcpy):
1932         (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
1933         (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.
1934
1935 2019-09-13  Mark Lam  <mark.lam@apple.com>
1936
1937         performJITMemcpy() should do its !Gigacage assertion on exit.
1938         https://bugs.webkit.org/show_bug.cgi?id=201780
1939         <rdar://problem/55354867>
1940
1941         Reviewed by Robin Morisset.
1942
1943         * jit/ExecutableAllocator.h:
1944         (JSC::GigacageAssertScope::GigacageAssertScope):
1945         (JSC::GigacageAssertScope::~GigacageAssertScope):
1946         (JSC::performJITMemcpy):
1947
1948 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1949
1950         [JSC] Micro-optimize YarrJIT's surrogate pair handling
1951         https://bugs.webkit.org/show_bug.cgi?id=201750
1952
1953         Reviewed by Michael Saboff.
1954
1955         Optimize the sequence of machine code used to get a code point with the unicode flag.
1956
1957         * yarr/YarrJIT.cpp:
1958         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1959
1960 2019-09-13  Mark Lam  <mark.lam@apple.com>
1961
1962         We should assert $vm is enabled on entry and exit in its functions.
1963         https://bugs.webkit.org/show_bug.cgi?id=201762
1964         <rdar://problem/55338742>
1965
1966         Rubber-stamped by Michael Saboff.
1967
1968         1. Also do the same for FunctionOverrides.
1969         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
1970         3. Also added assertions to lambda functions in $vm.
1971
1972         * tools/FunctionOverrides.cpp:
1973         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
1974         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
1975         (JSC::FunctionOverrides::overrides):
1976         (JSC::FunctionOverrides::FunctionOverrides):
1977         (JSC::FunctionOverrides::reinstallOverrides):
1978         (JSC::initializeOverrideInfo):
1979         (JSC::FunctionOverrides::initializeOverrideFor):
1980         (JSC::parseClause):
1981         (JSC::FunctionOverrides::parseOverridesInFile):
1982         * tools/JSDollarVM.cpp:
1983         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
1984         (JSC::JSDollarVMCallFrame::createStructure):
1985         (JSC::JSDollarVMCallFrame::create):
1986         (JSC::JSDollarVMCallFrame::finishCreation):
1987         (JSC::JSDollarVMCallFrame::addProperty):
1988         (JSC::Element::Element):
1989         (JSC::Element::create):
1990         (JSC::Element::visitChildren):
1991         (JSC::Element::createStructure):
1992         (JSC::Root::Root):
1993         (JSC::Root::setElement):
1994         (JSC::Root::create):
1995         (JSC::Root::createStructure):
1996         (JSC::Root::visitChildren):
1997         (JSC::SimpleObject::SimpleObject):
1998         (JSC::SimpleObject::create):
1999         (JSC::SimpleObject::visitChildren):
2000         (JSC::SimpleObject::createStructure):
2001         (JSC::ImpureGetter::ImpureGetter):
2002         (JSC::ImpureGetter::createStructure):
2003         (JSC::ImpureGetter::create):
2004         (JSC::ImpureGetter::finishCreation):
2005         (JSC::ImpureGetter::getOwnPropertySlot):
2006         (JSC::ImpureGetter::visitChildren):
2007         (JSC::CustomGetter::CustomGetter):
2008         (JSC::CustomGetter::createStructure):
2009         (JSC::CustomGetter::create):
2010         (JSC::CustomGetter::getOwnPropertySlot):
2011         (JSC::CustomGetter::customGetter):
2012         (JSC::CustomGetter::customGetterAcessor):
2013         (JSC::RuntimeArray::create):
2014         (JSC::RuntimeArray::destroy):
2015         (JSC::RuntimeArray::getOwnPropertySlot):
2016         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
2017         (JSC::RuntimeArray::createPrototype):
2018         (JSC::RuntimeArray::createStructure):
2019         (JSC::RuntimeArray::finishCreation):
2020         (JSC::RuntimeArray::RuntimeArray):
2021         (JSC::RuntimeArray::lengthGetter):
2022         (JSC::DOMJITNode::DOMJITNode):
2023         (JSC::DOMJITNode::createStructure):
2024         (JSC::DOMJITNode::checkSubClassSnippet):
2025         (JSC::DOMJITNode::create):
2026         (JSC::DOMJITGetter::DOMJITGetter):
2027         (JSC::DOMJITGetter::createStructure):
2028         (JSC::DOMJITGetter::create):
2029         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2030         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2031         (JSC::DOMJITGetter::customGetter):
2032         (JSC::DOMJITGetter::finishCreation):
2033         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
2034         (JSC::DOMJITGetterComplex::createStructure):
2035         (JSC::DOMJITGetterComplex::create):
2036         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2037         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2038         (JSC::DOMJITGetterComplex::functionEnableException):
2039         (JSC::DOMJITGetterComplex::customGetter):
2040         (JSC::DOMJITGetterComplex::finishCreation):
2041         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
2042         (JSC::DOMJITFunctionObject::createStructure):
2043         (JSC::DOMJITFunctionObject::create):
2044         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
2045         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2046         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
2047         (JSC::DOMJITFunctionObject::finishCreation):
2048         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2049         (JSC::DOMJITCheckSubClassObject::createStructure):
2050         (JSC::DOMJITCheckSubClassObject::create):
2051         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
2052         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2053         (JSC::DOMJITCheckSubClassObject::finishCreation):
2054         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2055         (JSC::DOMJITGetterBaseJSObject::createStructure):
2056         (JSC::DOMJITGetterBaseJSObject::create):
2057         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2058         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2059         (JSC::DOMJITGetterBaseJSObject::customGetter):
2060         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2061         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2062         (JSC::JSTestCustomGetterSetter::create):
2063         (JSC::JSTestCustomGetterSetter::createStructure):
2064         (JSC::customSetAccessor):
2065         (JSC::customSetValue):
2066         (JSC::JSTestCustomGetterSetter::finishCreation):
2067         (JSC::Element::handleOwner):
2068         (JSC::Element::finishCreation):
2069         (JSC::WasmStreamingParser::WasmStreamingParser):
2070         (JSC::WasmStreamingParser::create):
2071         (JSC::WasmStreamingParser::createStructure):
2072         (JSC::WasmStreamingParser::finishCreation):
2073         (JSC::functionWasmStreamingParserAddBytes):
2074         (JSC::functionWasmStreamingParserFinalize):
2075         (JSC::functionCrash):
2076         (JSC::functionBreakpoint):
2077         (JSC::functionDFGTrue):
2078         (JSC::functionFTLTrue):
2079         (JSC::functionCpuMfence):
2080         (JSC::functionCpuRdtsc):
2081         (JSC::functionCpuCpuid):
2082         (JSC::functionCpuPause):
2083         (JSC::functionCpuClflush):
2084         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2085         (JSC::getExecutableForFunction):
2086         (JSC::functionLLintTrue):
2087         (JSC::functionJITTrue):
2088         (JSC::functionNoInline):
2089         (JSC::functionGC):
2090         (JSC::functionEdenGC):
2091         (JSC::functionDumpSubspaceHashes):
2092         (JSC::functionCallFrame):
2093         (JSC::functionCodeBlockForFrame):
2094         (JSC::codeBlockFromArg):
2095         (JSC::functionCodeBlockFor):
2096         (JSC::functionDumpSourceFor):
2097         (JSC::functionDumpBytecodeFor):
2098         (JSC::doPrint):
2099         (JSC::functionDataLog):
2100         (JSC::functionPrint):
2101         (JSC::functionDumpCallFrame):
2102         (JSC::functionDumpStack):
2103         (JSC::functionDumpRegisters):
2104         (JSC::functionDumpCell):
2105         (JSC::functionIndexingMode):
2106         (JSC::functionInlineCapacity):
2107         (JSC::functionValue):
2108         (JSC::functionGetPID):
2109         (JSC::functionHaveABadTime):
2110         (JSC::functionIsHavingABadTime):
2111         (JSC::functionCreateGlobalObject):
2112         (JSC::functionCreateProxy):
2113         (JSC::functionCreateRuntimeArray):
2114         (JSC::functionCreateNullRopeString):
2115         (JSC::functionCreateImpureGetter):
2116         (JSC::functionCreateCustomGetterObject):
2117         (JSC::functionCreateDOMJITNodeObject):
2118         (JSC::functionCreateDOMJITGetterObject):
2119         (JSC::functionCreateDOMJITGetterComplexObject):
2120         (JSC::functionCreateDOMJITFunctionObject):
2121         (JSC::functionCreateDOMJITCheckSubClassObject):
2122         (JSC::functionCreateDOMJITGetterBaseJSObject):
2123         (JSC::functionCreateWasmStreamingParser):
2124         (JSC::functionSetImpureGetterDelegate):
2125         (JSC::functionCreateBuiltin):
2126         (JSC::functionGetPrivateProperty):
2127         (JSC::functionCreateRoot):
2128         (JSC::functionCreateElement):
2129         (JSC::functionGetElement):
2130         (JSC::functionCreateSimpleObject):
2131         (JSC::functionGetHiddenValue):
2132         (JSC::functionSetHiddenValue):
2133         (JSC::functionShadowChickenFunctionsOnStack):
2134         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2135         (JSC::functionFindTypeForExpression):
2136         (JSC::functionReturnTypeFor):
2137         (JSC::functionFlattenDictionaryObject):
2138         (JSC::functionDumpBasicBlockExecutionRanges):
2139         (JSC::functionHasBasicBlockExecuted):
2140         (JSC::functionBasicBlockExecutionCount):
2141         (JSC::functionEnableExceptionFuzz):
2142         (JSC::changeDebuggerModeWhenIdle):
2143         (JSC::functionEnableDebuggerModeWhenIdle):
2144         (JSC::functionDisableDebuggerModeWhenIdle):
2145         (JSC::functionDeleteAllCodeWhenIdle):
2146         (JSC::functionGlobalObjectCount):
2147         (JSC::functionGlobalObjectForObject):
2148         (JSC::functionGetGetterSetter):
2149         (JSC::functionLoadGetterFromGetterSetter):
2150         (JSC::functionCreateCustomTestGetterSetter):
2151         (JSC::functionDeltaBetweenButterflies):
2152         (JSC::functionTotalGCTime):
2153         (JSC::functionParseCount):
2154         (JSC::functionIsWasmSupported):
2155         (JSC::JSDollarVM::finishCreation):
2156         (JSC::JSDollarVM::addFunction):
2157         (JSC::JSDollarVM::addConstructibleFunction):
2158         * tools/JSDollarVM.h:
2159         (JSC::DollarVMAssertScope::DollarVMAssertScope):
2160         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
2161
2162 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
2163
2164         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
2165         https://bugs.webkit.org/show_bug.cgi?id=201535
2166         <rdar://problem/29119232>
2167
2168         Reviewed by Devin Rousso.
2169
2170         * debugger/Debugger.cpp:
2171         (JSC::Debugger::resolveBreakpoint):
2172         When resolving a breakpoint inside of an inline <script> we need to adjust
2173         based on the starting position of the <script> in the HTML resource.
2174
2175 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
2176
2177         [JSC] X86Registers.h callee-save register definition is wrong
2178         https://bugs.webkit.org/show_bug.cgi?id=201756
2179
2180         Reviewed by Mark Lam.
2181
2182         I think nobody is using the X86 JIT backend, but it is simply wrong.
2183         edi and esi should be callee-save.
2184
2185         * assembler/X86Registers.h:
2186
2187 2019-09-12  Mark Lam  <mark.lam@apple.com>
2188
2189         Harden JSC against the abuse of runtime options.
2190         https://bugs.webkit.org/show_bug.cgi?id=201597
2191         <rdar://problem/55167068>
2192
2193         Reviewed by Filip Pizlo.
2194
2195         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
2196
2197         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
2198            first VM instance is constructed.  The end of the VM constructor calls
2199            Config::permanentlyFreeze() which will make the Config ReadOnly.
2200
2201            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
2202            OS(WINDOWS) will need to implement some missing pieces before it can enable
2203            this hardening (see FIXME in JSCConfig.cpp).
2204
2205            The hardening strategy here is to put immutable global values into the Config.
2206            Any modifications that need to be made to these values must be done before the
2207            first VM instance is done instantiating.  This ensures that no script will
2208            ever run while the Config is still writable.
2209
2210            Also, the policy for this hardening is that a process is opted in by default.
2211            If there's a valid need to disable this hardening (e.g. for some test
2212            environments), the relevant process will need to opt itself out by calling
2213            Config::configureForTesting().
2214
2215            The jsc shell, WK2 UI and WebContent processes are opted in by default.
2216            Only test processes may opt out.
2217
2218         2. Put all JSC::Options in the Config.  This enforces the invariant that options
2219            can only be changed before we instantiate a VM.  Once a VM is instantiated,
2220            the options are immutable.
2221
2222         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
2223            Options::forceGCSlowPaths this way is no longer allowed.
2224
2225         4. Re-factored the Options code (Options.h) into:
2226            - OptionEntry.h: the data structure that stores the option values.
2227            - OptionsList.h: the list of options.
2228            - Options.h: the Options singleton object which is the interface for accessing options.
2229
2230            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
2231            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
2232            "JSC_OPTIONS(FOR_EACH_OPTION)".
2233
2234         5. Change testapi to call Config::configureForTesting().  Parts of testapi make
2235            use of setting options in its tests.  Hence, this hardening is disabled for
2236            testapi.
2237
2238            Note: the jsc shell does enable this hardening.
2239
2240         6. Put ExecutableAllocator's immutable globals in the Config.
2241
2242         7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
2243            FunctionOverrides test utility.
2244
2245         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
2246
2247            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
2248            that are non-trivial at a glance.  This includes (but is not limited to):
2249                constructors
2250                create() factory
2251                createStructure() factory
2252                finishCreation()
2253                HOST_CALL or operation functions
2254                Constructors and methods of utility and test classes
2255
2256            The only exceptions are some constexpr constructors used for instantiating
2257            globals (since these must have trivial constructors) e.g. DOMJITAttribute.
2258            Instead, these constructors should always be ALWAYS_INLINE.
2259
2260         * API/glib/JSCOptions.cpp:
2261         (jscOptionsSetValue):
2262         (jscOptionsGetValue):
2263         (jsc_options_foreach):
2264         (jsc_options_get_option_group):
2265         * API/tests/testapi.c:
2266         (main):
2267         * API/tests/testapi.cpp:
2268         (configureJSCForTesting):
2269         * CMakeLists.txt:
2270         * JavaScriptCore.xcodeproj/project.pbxproj:
2271         * Sources.txt:
2272         * jit/ExecutableAllocator.cpp:
2273         (JSC::isJITEnabled):
2274         (JSC::ExecutableAllocator::setJITEnabled):
2275         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2276         (JSC::ExecutableAllocator::isValid const):
2277         (JSC::ExecutableAllocator::underMemoryPressure):
2278         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2279         (JSC::ExecutableAllocator::allocate):
2280         (JSC::ExecutableAllocator::isValidExecutableMemory):
2281         (JSC::ExecutableAllocator::getLock const):
2282         (JSC::ExecutableAllocator::committedByteCount):
2283         (JSC::ExecutableAllocator::dumpProfile):
2284         (JSC::startOfFixedExecutableMemoryPoolImpl):
2285         (JSC::endOfFixedExecutableMemoryPoolImpl):
2286         (JSC::isJITPC):
2287         (JSC::dumpJITMemory):
2288         (JSC::ExecutableAllocator::initialize):
2289         (JSC::ExecutableAllocator::singleton):
2290         * jit/ExecutableAllocator.h:
2291         (JSC::performJITMemcpy):
2292         * jsc.cpp:
2293         (GlobalObject::finishCreation):
2294         (functionJSCOptions):
2295         (jscmain):
2296         (functionForceGCSlowPaths): Deleted.
2297         * runtime/ConfigFile.cpp:
2298         (JSC::ConfigFile::parse):
2299         * runtime/InitializeThreading.cpp:
2300         (JSC::initializeThreading):
2301         * runtime/JSCConfig.cpp: Added.
2302         (JSC::Config::disableFreezingForTesting):
2303         (JSC::Config::enableRestrictedOptions):
2304         (JSC::Config::permanentlyFreeze):
2305         * runtime/JSCConfig.h: Added.
2306         (JSC::Config::configureForTesting):
2307         * runtime/JSGlobalObject.cpp:
2308         (JSC::JSGlobalObject::exposeDollarVM):
2309         * runtime/OptionEntry.h: Added.
2310         (JSC::OptionRange::operator= ):
2311         (JSC::OptionRange::rangeString const):
2312         * runtime/Options.cpp:
2313         (JSC::Options::isAvailable):
2314         (JSC::scaleJITPolicy):
2315         (JSC::Options::initialize):
2316         (JSC::Options::setOptions):
2317         (JSC::Options::setOptionWithoutAlias):
2318         (JSC::Options::setAliasedOption):
2319         (JSC::Option::dump const):
2320         (JSC::Option::operator== const):
2321         (): Deleted.
2322         (JSC::Options::enableRestrictedOptions): Deleted.
2323         * runtime/Options.h:
2324         (JSC::Option::Option):
2325         (JSC::Option::defaultOption const):
2326         (JSC::Option::boolVal):
2327         (JSC::Option::unsignedVal):
2328         (JSC::Option::doubleVal):
2329         (JSC::Option::int32Val):
2330         (JSC::Option::optionRangeVal):
2331         (JSC::Option::optionStringVal):
2332         (JSC::Option::gcLogLevelVal):
2333         (JSC::OptionRange::operator= ): Deleted.
2334         (JSC::OptionRange::rangeString const): Deleted.
2335         * runtime/OptionsList.h: Added.
2336         (JSC::countNumberOfJSCOptions):
2337         * runtime/VM.cpp:
2338         (JSC::VM::VM):
2339         * tools/FunctionOverrides.cpp:
2340         (JSC::FunctionOverrides::FunctionOverrides):
2341         (JSC::FunctionOverrides::reinstallOverrides):
2342         (JSC::FunctionOverrides::initializeOverrideFor):
2343         (JSC::FunctionOverrides::parseOverridesInFile):
2344         * tools/JSDollarVM.cpp:
2345         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
2346         (JSC::JSDollarVMCallFrame::createStructure):
2347         (JSC::JSDollarVMCallFrame::create):
2348         (JSC::JSDollarVMCallFrame::finishCreation):
2349         (JSC::JSDollarVMCallFrame::addProperty):
2350         (JSC::Element::Element):
2351         (JSC::Element::create):
2352         (JSC::Element::createStructure):
2353         (JSC::Root::Root):
2354         (JSC::Root::create):
2355         (JSC::Root::createStructure):
2356         (JSC::SimpleObject::SimpleObject):
2357         (JSC::SimpleObject::create):
2358         (JSC::SimpleObject::createStructure):
2359         (JSC::ImpureGetter::ImpureGetter):
2360         (JSC::ImpureGetter::createStructure):
2361         (JSC::ImpureGetter::create):
2362         (JSC::ImpureGetter::finishCreation):
2363         (JSC::ImpureGetter::getOwnPropertySlot):
2364         (JSC::CustomGetter::CustomGetter):
2365         (JSC::CustomGetter::createStructure):
2366         (JSC::CustomGetter::create):
2367         (JSC::CustomGetter::getOwnPropertySlot):
2368         (JSC::CustomGetter::customGetter):
2369         (JSC::CustomGetter::customGetterAcessor):
2370         (JSC::RuntimeArray::create):
2371         (JSC::RuntimeArray::destroy):
2372         (JSC::RuntimeArray::getOwnPropertySlot):
2373         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
2374         (JSC::RuntimeArray::createPrototype):
2375         (JSC::RuntimeArray::createStructure):
2376         (JSC::RuntimeArray::finishCreation):
2377         (JSC::RuntimeArray::RuntimeArray):
2378         (JSC::RuntimeArray::lengthGetter):
2379         (JSC::DOMJITNode::DOMJITNode):
2380         (JSC::DOMJITNode::createStructure):
2381         (JSC::DOMJITNode::checkSubClassSnippet):
2382         (JSC::DOMJITNode::create):
2383         (JSC::DOMJITGetter::DOMJITGetter):
2384         (JSC::DOMJITGetter::createStructure):
2385         (JSC::DOMJITGetter::create):
2386         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2387         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2388         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2389         (JSC::DOMJITGetter::customGetter):
2390         (JSC::DOMJITGetter::finishCreation):
2391         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
2392         (JSC::DOMJITGetterComplex::createStructure):
2393         (JSC::DOMJITGetterComplex::create):
2394         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2395         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2396         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2397         (JSC::DOMJITGetterComplex::functionEnableException):
2398         (JSC::DOMJITGetterComplex::customGetter):
2399         (JSC::DOMJITGetterComplex::finishCreation):
2400         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
2401         (JSC::DOMJITFunctionObject::createStructure):
2402         (JSC::DOMJITFunctionObject::create):
2403         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
2404         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2405         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
2406         (JSC::DOMJITFunctionObject::finishCreation):
2407         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2408         (JSC::DOMJITCheckSubClassObject::createStructure):
2409         (JSC::DOMJITCheckSubClassObject::create):
2410         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
2411         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2412         (JSC::DOMJITCheckSubClassObject::finishCreation):
2413         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2414         (JSC::DOMJITGetterBaseJSObject::createStructure):
2415         (JSC::DOMJITGetterBaseJSObject::create):
2416         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2417         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2418         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2419         (JSC::DOMJITGetterBaseJSObject::customGetter):
2420         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2421         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2422         (JSC::JSTestCustomGetterSetter::create):
2423         (JSC::JSTestCustomGetterSetter::createStructure):
2424         (JSC::customSetAccessor):
2425         (JSC::customSetValue):
2426         (JSC::JSTestCustomGetterSetter::finishCreation):
2427         (JSC::Element::handleOwner):
2428         (JSC::Element::finishCreation):
2429         (JSC::WasmStreamingParser::WasmStreamingParser):
2430         (JSC::WasmStreamingParser::create):
2431         (JSC::WasmStreamingParser::createStructure):
2432         (JSC::WasmStreamingParser::finishCreation):
2433         (JSC::functionWasmStreamingParserAddBytes):
2434         (JSC::functionWasmStreamingParserFinalize):
2435         (JSC::functionCrash):
2436         (JSC::functionBreakpoint):
2437         (JSC::functionDFGTrue):
2438         (JSC::functionFTLTrue):
2439         (JSC::functionCpuMfence):
2440         (JSC::functionCpuRdtsc):
2441         (JSC::functionCpuCpuid):
2442         (JSC::functionCpuPause):
2443         (JSC::functionCpuClflush):
2444         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2445         (JSC::getExecutableForFunction):
2446         (JSC::functionLLintTrue):
2447         (JSC::functionJITTrue):
2448         (JSC::functionNoInline):
2449         (JSC::functionGC):
2450         (JSC::functionEdenGC):
2451         (JSC::functionDumpSubspaceHashes):
2452         (JSC::functionCallFrame):
2453         (JSC::functionCodeBlockForFrame):
2454         (JSC::codeBlockFromArg):
2455         (JSC::functionCodeBlockFor):
2456         (JSC::functionDumpSourceFor):
2457         (JSC::functionDumpBytecodeFor):
2458         (JSC::doPrint):
2459         (JSC::functionDataLog):
2460         (JSC::functionPrint):
2461         (JSC::functionDumpCallFrame):
2462         (JSC::functionDumpStack):
2463         (JSC::functionDumpRegisters):
2464         (JSC::functionDumpCell):
2465         (JSC::functionIndexingMode):
2466         (JSC::functionInlineCapacity):
2467         (JSC::functionValue):
2468         (JSC::functionGetPID):
2469         (JSC::functionHaveABadTime):
2470         (JSC::functionIsHavingABadTime):
2471         (JSC::functionCreateGlobalObject):
2472         (JSC::functionCreateProxy):
2473         (JSC::functionCreateRuntimeArray):
2474         (JSC::functionCreateNullRopeString):
2475         (JSC::functionCreateImpureGetter):
2476         (JSC::functionCreateCustomGetterObject):
2477         (JSC::functionCreateDOMJITNodeObject):
2478         (JSC::functionCreateDOMJITGetterObject):
2479         (JSC::functionCreateDOMJITGetterComplexObject):
2480         (JSC::functionCreateDOMJITFunctionObject):
2481         (JSC::functionCreateDOMJITCheckSubClassObject):
2482         (JSC::functionCreateDOMJITGetterBaseJSObject):
2483         (JSC::functionCreateWasmStreamingParser):
2484         (JSC::functionSetImpureGetterDelegate):
2485         (JSC::functionCreateBuiltin):
2486         (JSC::functionGetPrivateProperty):
2487         (JSC::functionCreateRoot):
2488         (JSC::functionCreateElement):
2489         (JSC::functionGetElement):
2490         (JSC::functionCreateSimpleObject):
2491         (JSC::functionGetHiddenValue):
2492         (JSC::functionSetHiddenValue):
2493         (JSC::functionShadowChickenFunctionsOnStack):
2494         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2495         (JSC::functionFindTypeForExpression):
2496         (JSC::functionReturnTypeFor):
2497         (JSC::functionFlattenDictionaryObject):
2498         (JSC::functionDumpBasicBlockExecutionRanges):
2499         (JSC::functionHasBasicBlockExecuted):
2500         (JSC::functionBasicBlockExecutionCount):
2501         (JSC::functionEnableExceptionFuzz):
2502         (JSC::changeDebuggerModeWhenIdle):
2503         (JSC::functionEnableDebuggerModeWhenIdle):
2504         (JSC::functionDisableDebuggerModeWhenIdle):
2505         (JSC::functionDeleteAllCodeWhenIdle):
2506         (JSC::functionGlobalObjectCount):
2507         (JSC::functionGlobalObjectForObject):
2508         (JSC::functionGetGetterSetter):
2509         (JSC::functionLoadGetterFromGetterSetter):
2510         (JSC::functionCreateCustomTestGetterSetter):
2511         (JSC::functionDeltaBetweenButterflies):
2512         (JSC::functionTotalGCTime):
2513         (JSC::functionParseCount):
2514         (JSC::functionIsWasmSupported):
2515         (JSC::JSDollarVM::finishCreation):
2516         (JSC::JSDollarVM::addFunction):
2517         (JSC::JSDollarVM::addConstructibleFunction):
2518         * tools/JSDollarVM.h:
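
The freeze described in points 1 and 2 of the entry above, as an added example rather than JSC's code: option setters refuse writes once the Config is frozen, and the page holding the Config is made read-only at the end of VM construction, so a write that bypasses the setters (the way a stray or corrupted write would) faults instead of landing. The Config fields, the function names and the posix_memalign/mprotect mechanism are assumptions modelled on the description, not JSC's real layout or API.

```cpp
#include <csetjmp>
#include <csignal>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>
#include <sys/mman.h>
#include <unistd.h>

// Hypothetical model of a JSC::Config-style block (not JSC's real layout or API).
// Every global that must never change at runtime lives in one page-aligned block
// that is made read-only once the first VM has been constructed.
struct Config {
    bool frozen = false;                     // set by configPermanentlyFreeze()
    bool disabledFreezingForTesting = false; // the configConfigureForTesting() opt-out
    bool useJIT = true;
    bool useDollarVM = false;                // gates the $vm test helper
    bool restrictedOptionsEnabled = false;
    uint32_t maximumInliningDepth = 5;
};

static Config* g_config = nullptr;   // lives alone in its own page(s); never freed
static size_t g_configBytes = 0;

// Allocate the Config in whole pages so that mprotect() touches nothing else.
bool configInitialize()
{
    long pageSize = sysconf(_SC_PAGESIZE);
    if (pageSize <= 0)
        return false;
    g_configBytes = static_cast<size_t>(pageSize);
    void* memory = nullptr;
    if (posix_memalign(&memory, g_configBytes, g_configBytes) != 0)
        return false;
    std::memset(memory, 0, g_configBytes);
    g_config = new (memory) Config();
    return true;
}

// Policy layer: option setters refuse to run once frozen, so a late caller gets a
// clean error instead of a fault.
bool configSetUseDollarVM(bool value)
{
    if (g_config->frozen)
        return false;
    g_config->useDollarVM = value;
    return true;
}

// Test processes opt out explicitly; everything else is hardened by default.
void configConfigureForTesting() { g_config->disabledFreezingForTesting = true; }

// Called at the end of VM construction: from here on no script can observe a
// writable Config. mprotect() enforces what the setters' check alone cannot.
bool configPermanentlyFreeze()
{
    if (g_config->disabledFreezingForTesting)
        return true;
    g_config->frozen = true; // last write before the page goes read-only
    return mprotect(g_config, g_configBytes, PROT_READ) == 0;
}

bool configIsFrozen() { return g_config->frozen; }
bool configUseDollarVM() { return g_config->useDollarVM; }

// Enforcement check: write through a raw pointer, bypassing the setter, and catch
// the resulting fault. Returns true if the write faulted (the hardened outcome).
static sigjmp_buf g_faultJump;
static void onFault(int) { siglongjmp(g_faultJump, 1); }

bool configRawWriteIsRejected()
{
    void (*previousSegv)(int) = std::signal(SIGSEGV, onFault);
    void (*previousBus)(int) = std::signal(SIGBUS, onFault); // some platforms report protection faults as SIGBUS
    volatile bool faulted = false;
    if (sigsetjmp(g_faultJump, 1) == 0) {
        volatile bool* slot = &g_config->useDollarVM;
        *slot = true; // faults once the page is PROT_READ
    } else
        faulted = true;
    std::signal(SIGSEGV, previousSegv);
    std::signal(SIGBUS, previousBus);
    return faulted;
}

int main()
{
    if (!configInitialize())
        return 1;
    configSetUseDollarVM(false);
    if (!configPermanentlyFreeze())
        return 1;
    std::printf("frozen=%d setterAfterFreeze=%d rawWriteFaulted=%d useDollarVM=%d\n",
        configIsFrozen(), configSetUseDollarVM(true), configRawWriteIsRejected(), configUseDollarVM());
    return 0;
}
```

Run it and the setter called after the freeze reports failure, the raw write faults, and the value stays unchanged. A process that calls configConfigureForTesting() before the freeze keeps the page writable, which is the opt-out the entry reserves for test processes; note that the frozen flag itself is the last thing written before mprotect(), since nothing can be written afterwards.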
2519
2520 2019-09-11  Devin Rousso  <drousso@apple.com>
2521
2522         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
2523         https://bugs.webkit.org/show_bug.cgi?id=201650
2524
2525         Reviewed by Joseph Pecoraro.
2526
2527         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
2528
2529         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
2530         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
2531         `-webkit-canvas` client of a `WebGPUDevice`.
2532
2533         * inspector/protocol/Canvas.json:
2534          - Add `powerPreference` key to `ContextAttributes` type.
2535          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
2536          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
2537          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
2538            really a "canvas".
2539
2540 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
2541
2542         [JSC] Add StringCodePointAt intrinsic
2543         https://bugs.webkit.org/show_bug.cgi?id=201673
2544
2545         Reviewed by Michael Saboff.
2546
2547         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL as we already do for String#charCodeAt.
2548         This patch adds this support for String#codePointAt to get a ~10% score improvement in JetStream2/UniPoker.
2549
2550         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as a StringCodePointAt node, and emit
2551         inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as those of StringCharAt. It has String array-mode, so it emits a
2552         preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
2553         check. This is just the same as the existing StringCharCodeAt mechanism.
2554
2555         * dfg/DFGAbstractInterpreterInlines.h:
2556         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2557         * dfg/DFGBackwardsPropagationPhase.cpp:
2558         (JSC::DFG::BackwardsPropagationPhase::propagate):
2559         * dfg/DFGByteCodeParser.cpp:
2560         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2561         * dfg/DFGClobberize.h:
2562         (JSC::DFG::clobberize):
2563         * dfg/DFGDoesGC.cpp:
2564         (JSC::DFG::doesGC):
2565         * dfg/DFGFixupPhase.cpp:
2566         (JSC::DFG::FixupPhase::fixupNode):
2567         * dfg/DFGNode.h:
2568         (JSC::DFG::Node::hasArrayMode):
2569         * dfg/DFGNodeType.h:
2570         * dfg/DFGPredictionPropagationPhase.cpp:
2571         * dfg/DFGSafeToExecute.h:
2572         (JSC::DFG::safeToExecute):
2573         * dfg/DFGSpeculativeJIT.h:
2574         * dfg/DFGSpeculativeJIT32_64.cpp:
2575         (JSC::DFG::SpeculativeJIT::compile):
2576         * dfg/DFGSpeculativeJIT64.cpp:
2577         (JSC::DFG::SpeculativeJIT::compile):
2578         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
2579         * ftl/FTLCapabilities.cpp:
2580         (JSC::FTL::canCompile):
2581         * ftl/FTLLowerDFGToB3.cpp:
2582         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2583         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
2584         * jit/JITInlines.h:
2585         (JSC::JIT::emitLoadCharacterString):
2586         * jit/ThunkGenerators.cpp:
2587         (JSC::stringGetByValGenerator):
2588         (JSC::stringCharLoad):
2589         (JSC::stringPrototypeCodePointAtThunkGenerator):
2590         * jit/ThunkGenerators.h:
2591         * runtime/Intrinsic.cpp:
2592         (JSC::intrinsicName):
2593         * runtime/Intrinsic.h:
2594         * runtime/StringPrototype.cpp:
2595         (JSC::StringPrototype::finishCreation):
2596         * runtime/VM.cpp:
2597         (JSC::thunkGeneratorForIntrinsic):
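
The code-point read that both the YarrJIT surrogate-pair entry (2019-09-13, "Micro-optimize YarrJIT's surrogate pair handling") and the StringCodePointAt entry above speed up, as an added example rather than JSC's code: ECMA-262's CodePointAt over UTF-16, including the lone-surrogate cases, with the surrogate combination folded into a single constant the way a JIT emits it. CodePointResult, ScanSummary and the function names are assumptions, and the sample string is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// One decoded character of a UTF-16 string (hypothetical type, not JSC's).
struct CodePointResult {
    bool inRange;              // false when position >= length (JS returns undefined)
    char32_t codePoint;        // decoded code point, or a lone surrogate passed through as-is
    unsigned codeUnitCount;    // 1 or 2 UTF-16 code units consumed
    bool isUnpairedSurrogate;  // true when the unit(s) did not form a valid pair
};

inline bool isLeadingSurrogate(char16_t unit) { return (unit & 0xFC00) == 0xD800; }
inline bool isTrailingSurrogate(char16_t unit) { return (unit & 0xFC00) == 0xDC00; }

// ECMA-262 CodePointAt(string, position): the semantics shared by
// String.prototype.codePointAt and by reading one character under the RegExp "u" flag.
CodePointResult codePointAt(const std::u16string& string, size_t position)
{
    if (position >= string.size())
        return CodePointResult { false, 0, 0, false };
    char16_t first = string[position];
    if (!isLeadingSurrogate(first) || position + 1 == string.size()) {
        bool lone = isLeadingSurrogate(first) || isTrailingSurrogate(first);
        return CodePointResult { true, first, 1, lone };
    }
    char16_t second = string[position + 1];
    if (!isTrailingSurrogate(second))
        return CodePointResult { true, first, 1, true };
    // ((first - 0xD800) << 10) + (second - 0xDC00) + 0x10000, with the three
    // adjustments folded into one constant: the shape a JIT emits to save instructions.
    char32_t combined = (static_cast<char32_t>(first) << 10) + second - 0x35FDC00u;
    return CodePointResult { true, combined, 2, false };
}

// String.prototype.charCodeAt never combines surrogates; -1 stands in for undefined.
int charCodeAt(const std::u16string& string, size_t position)
{
    return position < string.size() ? static_cast<int>(string[position]) : -1;
}

// Walk a string by code point (as a unicode-mode regexp does), counting characters
// and lone surrogates, which UTF-16 length checks and sanitisers frequently miss.
struct ScanSummary {
    size_t codePoints;
    size_t unpairedSurrogates;
};

ScanSummary scanCodePoints(const std::u16string& string)
{
    ScanSummary summary = { 0, 0 };
    size_t position = 0;
    for (;;) {
        CodePointResult result = codePointAt(string, position);
        if (!result.inRange)
            break;
        ++summary.codePoints;
        if (result.isUnpairedSurrogate)
            ++summary.unpairedSurrogates;
        position += result.codeUnitCount;
    }
    return summary;
}

int main()
{
    // Constructed sample: 'a', U+1F600 (a surrogate pair), then a lone lead surrogate.
    std::u16string sample = u"a\U0001F600\xD83D";
    for (size_t i = 0; i < sample.size(); ++i) {
        CodePointResult cp = codePointAt(sample, i);
        std::printf("codePointAt(%zu) = U+%04X (%u unit%s)%s\n", i, static_cast<unsigned>(cp.codePoint),
            cp.codeUnitCount, cp.codeUnitCount == 1 ? "" : "s", cp.isUnpairedSurrogate ? " unpaired" : "");
    }
    ScanSummary summary = scanCodePoints(sample);
    std::printf("%zu code points, %zu unpaired surrogates\n", summary.codePoints, summary.unpairedSurrogates);
    return 0;
}
```

The single-constant form and the three-step form are equal for every valid pair (0xD800 << 10 is 0x3600000; adding 0xDC00 and subtracting 0x35FDC00 leaves exactly 0x10000), which is why a JIT can drop two of the adjustments. The unpaired cases matter because codePointAt returns a lone surrogate unchanged rather than failing, so code that validates input by code point still has to decide what to do with them.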
2598
2599 2019-09-11  Michael Saboff  <msaboff@apple.com>
2600
2601         JSC crashes due to stack overflow while building RegExp
2602         https://bugs.webkit.org/show_bug.cgi?id=201649
2603
2604         Reviewed by Yusuke Suzuki.
2605
2606         Check for running out of stack when we are optimizing RegExp containing BOL terms or
2607         other deep copying of disjunctions.
2608
2609         * yarr/YarrPattern.cpp:
2610         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
2611         (JSC::Yarr::YarrPatternConstructor::copyTerm):
2612         (JSC::Yarr::YarrPatternConstructor::error):
2613         (JSC::Yarr::YarrPattern::compile):
2614
2615 2019-09-11  Truitt Savell  <tsavell@apple.com>
2616
2617         Unreviewed, rolling out r249753.
2618
2619         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
2620         crash on all Mac platforms.
2621
2622         Reverted changeset:
2623
2624         "Web Inspector: Canvas: instrument WebGPUDevice instead of
2625         GPUCanvasContext"
2626         https://bugs.webkit.org/show_bug.cgi?id=201650
2627         https://trac.webkit.org/changeset/249753
2628
2629 2019-09-10  Devin Rousso  <drousso@apple.com>
2630
2631         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
2632         https://bugs.webkit.org/show_bug.cgi?id=201650
2633
2634         Reviewed by Joseph Pecoraro.
2635
2636         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
2637
2638         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
2639         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
2640         `-webkit-canvas` client of a `WebGPUDevice`.
2641
2642         * inspector/protocol/Canvas.json:
2643          - Add `powerPreference` key to `ContextAttributes` type.
2644          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
2645          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
2646          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
2647            really a "canvas".
2648
2649 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2650
2651         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
2652         https://bugs.webkit.org/show_bug.cgi?id=201634
2653
2654         Reviewed by Mark Lam and Robin Morisset.
2655
2656         This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction.
2657
2658         1. 32bit bitwise operation with allOne constants
2659
            When the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` accidentally returns `false`!
2661             For example, in BitAnd strength reduction,
2662
2663                 1034             // Turn this: BitAnd(value, all-ones)
2664                 1035             // Into this: value.
2665                 1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
2666                 1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
2667                 1038                 replaceWithIdentity(m_value->child(0));
2668                 1039                 break;
2669                 1040             }
2670
2671             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
2672
                inline bool Value::isInt(int64_t value) const
                {
                    return hasInt() && asInt() == value;
                }
2677
            So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
2679
                inline int64_t Value::asInt() const
                {
                    return hasInt32() ? asInt32() : asInt64();
                }
2684
2685             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
2686             We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
2687
2688         2. BitAnd and BitOr strength reduction bug
2689
2690             We also fix the following optimization.
2691
2692                 // Turn this: BitAnd(Op(value, constant1), constant2)
2693                 //     where !(constant1 & constant2)
2694                 //       and Op is BitOr or BitXor
2695                 // into this: BitAnd(value, constant2)
2696
2697             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
2698
2699                 // Turn this: BitAnd(BitXor(x, allOnes), c)
2700                 // Into this: BitXor(BitOr(x, ~c), allOnes)
2701
2702             And we also found that this not-used optimization has a bug not inserting a newly produced constant B3::Value. This patch also fixes it.
2703
        For both, this patch adds tests. And the fix for (2) can be ensured by checking that testb3 does not crash with the validate-graph option.
2705
2706         * b3/B3LowerToAir.cpp:
2707         * b3/B3ReduceStrength.cpp:
2708         * b3/testb3.h:
2709         * b3/testb3_2.cpp:
2710         (testBitAndNotNot32):
2711         (testBitAndNotImm):
2712         (testBitAndNotImm32):
2713         (testBitOrAndAndArgs32):
2714         (testBitOrAndSameArgs32):
2715         (testBitOrNotNot32):
2716         (testBitOrNotImm32):
2717         (addBitTests):
2718         * b3/testb3_3.cpp:
2719         (testBitXorAndAndArgs32):
2720         (testBitXorAndSameArgs32):
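
        The following example is added here and is not WebKit code: a minimal stand-in for B3::Value's integer-constant accessors
        (constructed for this example, with hypothetical names) that reproduces the isInt() mismatch described above, plus the two
        bitwise identities the fixed reductions rely on. It also serves the same-titled entry below (the landing that was rolled out as r249721).

```cpp
#include <cassert>
#include <cstdint>
#include <limits>

// Hypothetical stand-in for a B3::Value holding one integer constant. The
// accessor names mirror the ones quoted in the entry; the struct itself is
// constructed for this example and is not WebKit code.
struct ConstValue {
    bool isInt32Typed;
    int64_t bits;

    static ConstValue constInt32(int32_t v) { return { true, static_cast<int64_t>(v) }; }
    static ConstValue constInt64(int64_t v) { return { false, v }; }

    bool hasInt32() const { return isInt32Typed; }
    bool hasInt64() const { return !isInt32Typed; }
    bool hasInt() const { return true; }
    int32_t asInt32() const { return static_cast<int32_t>(bits); }
    int64_t asInt64() const { return bits; }

    // Same shape as Value::asInt(): an Int32 constant is sign-extended.
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }

    // Same shape as Value::isInt(int64_t): compares sign-extended values.
    bool isInt(int64_t value) const { return hasInt() && asInt() == value; }

    // Type-specific checks: these compare the bit pattern the caller means.
    bool isInt32(int32_t value) const { return hasInt32() && asInt32() == value; }
    bool isInt64(int64_t value) const { return hasInt64() && asInt64() == value; }
};

// The predicate of the quoted "BitAnd(value, all-ones) -> value" reduction.
// For an Int32 all-ones constant it ends up comparing -1 with 4294967295.
bool isAllOnesBuggy(const ConstValue& c, bool isInt64Type)
{
    if (isInt64Type)
        return c.isInt(static_cast<int64_t>(std::numeric_limits<uint64_t>::max()));
    return c.isInt(static_cast<int64_t>(std::numeric_limits<uint32_t>::max()));
}

// The fixed predicate: ask for the bit pattern with the type-specific check.
bool isAllOnesFixed(const ConstValue& c, bool isInt64Type)
{
    return isInt64Type ? c.isInt64(-1) : c.isInt32(-1);
}

// Identity behind "BitAnd(BitXor(x, allOnes), c) -> BitXor(BitOr(x, ~c), allOnes)":
// both sides compute ~x & c, so a 32-bit evaluation of each side must agree.
uint32_t bitAndOfXorAllOnes(uint32_t x, uint32_t c) { return (x ^ 0xffffffffu) & c; }
uint32_t bitXorAllOnesOfOrNot(uint32_t x, uint32_t c) { return (x | ~c) ^ 0xffffffffu; }

// Identity behind "BitAnd(Op(value, c1), c2) where !(c1 & c2) -> BitAnd(value, c2)"
// for Op = BitOr and Op = BitXor. Returns false when the precondition is not met.
bool disjointConstantReductionHolds(uint32_t value, uint32_t c1, uint32_t c2)
{
    if (c1 & c2)
        return false; // the reduction must not fire; nothing to check
    bool orCase = ((value | c1) & c2) == (value & c2);
    bool xorCase = ((value ^ c1) & c2) == (value & c2);
    return orCase && xorCase;
}

int main()
{
    // ConstInt32(-1): isInt(UINT32_MAX) is false although the operand is all-ones.
    assert(!isAllOnesBuggy(ConstValue::constInt32(-1), false));
    assert(isAllOnesFixed(ConstValue::constInt32(-1), false));
    // ConstInt64(-1): narrowing UINT64_MAX to int64_t happens to give -1, so it worked.
    assert(isAllOnesBuggy(ConstValue::constInt64(-1), true));
    assert(bitAndOfXorAllOnes(0x12345678u, 0xff00ff00u) == bitXorAllOnesOfOrNot(0x12345678u, 0xff00ff00u));
    assert(disjointConstantReductionHolds(0xdeadbeefu, 0x0000ffffu, 0xffff0000u));
    return 0;
}
```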
2721
2722 2019-09-10  Commit Queue  <commit-queue@webkit.org>
2723
2724         Unreviewed, rolling out r249721.
2725         https://bugs.webkit.org/show_bug.cgi?id=201667
2726
2727         Discovering existing bug (Requested by yusukesuzuki on
2728         #webkit).
2729
2730         Reverted changeset:
2731
2732         "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
2733         B3"
2734         https://bugs.webkit.org/show_bug.cgi?id=201634
2735         https://trac.webkit.org/changeset/249721
2736
2737 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2738
2739         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
2740         https://bugs.webkit.org/show_bug.cgi?id=201664
2741         <rdar://problem/52126927>
2742
2743         Reviewed by Tadeu Zagallo.
2744
        We are hitting a crash accessing an invalid pointer returned as the CodeBlock::calleeSaveRegisters result.
        This is because the concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
        Since m_jitData can be initialized in the main thread while CodeBlock::calleeSaveRegisters is called from the concurrent Baseline JIT compiler thread,
        we can see a half-baked JITData structure which holds garbage pointers.
2749
        But we do not want to make CodeBlock::calleeSaveRegisters() take CodeBlock::m_lock, for several reasons.
2751
        1. This function is a very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
           called while holding this exact same lock, so a deadlock can happen.
        2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlocks. And DFG and FTL code accesses this field after initializing it properly. For the Baseline JIT
           compiler case, the only thing we should do is make JITData say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.
2756
        Instead of guarding the CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts a WTF::storeStoreFence when filling m_jitData. This ensures that
        JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to the concurrent Baseline JIT compiler thread.
2759
2760         * bytecode/CodeBlock.cpp:
2761         (JSC::CodeBlock::ensureJITDataSlow):
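
        The following example is added here and is not WebKit code: a hypothetical CodeBlock stand-in that publishes a lazily
        created JITData the way this entry describes (construct fully, store-store fence, then expose the pointer) and a lock-free
        reader in the role of the concurrent Baseline JIT. The marker field, the stress loop and the reader-side acquire fence
        (which standard C++ needs; the entry only describes the writer-side fence) are assumptions of this example.

```cpp
#include <atomic>
#include <cassert>
#include <cstdint>
#include <mutex>
#include <thread>

// Stand-in for the real RegisterAtOffsetList; only its address matters here.
struct RegisterAtOffsetList { };

// Hypothetical JITData: the field the concurrent Baseline JIT reads, plus a
// constructed marker that lets the reader detect a half-baked struct.
struct JITData {
    const RegisterAtOffsetList* m_calleeSaveRegisters { nullptr };
    uint64_t m_marker { 0 };
    static constexpr uint64_t initializedMarker = 0x4a495444415441ull; // "JITDATA"
};

class CodeBlock {
public:
    ~CodeBlock() { delete m_jitData.load(std::memory_order_relaxed); }

    // Mirrors the fixed ensureJITDataSlow(): construct fully, fence, then publish.
    JITData& ensureJITData()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        if (JITData* data = m_jitData.load(std::memory_order_relaxed))
            return *data;
        JITData* data = new JITData;
        data->m_marker = JITData::initializedMarker;
        // Stand-in for WTF::storeStoreFence(): the stores above are ordered
        // before the pointer store below, so a reader that sees the pointer
        // also sees m_calleeSaveRegisters == nullptr, never garbage.
        std::atomic_thread_fence(std::memory_order_release);
        m_jitData.store(data, std::memory_order_relaxed);
        return *data;
    }

    // Mirrors calleeSaveRegisters(): lock-free read from any thread, no m_lock.
    const RegisterAtOffsetList* calleeSaveRegisters() const
    {
        JITData* data = m_jitData.load(std::memory_order_relaxed);
        if (!data)
            return nullptr;
        std::atomic_thread_fence(std::memory_order_acquire); // reader half of the fence pair
        return data->m_calleeSaveRegisters;
    }

    // Reader-side probe for the stress loop: true if a published JITData is
    // observed before the stores made by its construction became visible.
    bool observesHalfBakedJITData() const
    {
        JITData* data = m_jitData.load(std::memory_order_relaxed);
        if (!data)
            return false;
        std::atomic_thread_fence(std::memory_order_acquire);
        return data->m_marker != JITData::initializedMarker || data->m_calleeSaveRegisters != nullptr;
    }

private:
    std::mutex m_lock;
    std::atomic<JITData*> m_jitData { nullptr };
};

// Sequential check: a Baseline-only CodeBlock reports no callee-save list both
// before and after its JITData exists.
bool calleeSaveRegistersStayNull()
{
    CodeBlock block;
    bool before = block.calleeSaveRegisters() == nullptr;
    block.ensureJITData();
    return before && block.calleeSaveRegisters() == nullptr;
}

// Runs `iterations` publish/observe races: one thread spins on the lock-free
// reader while the other lazily creates the JITData. With the fence in place
// the number of half-baked observations is 0 (on x86 the hardware already
// orders stores; the fence also stops compiler reordering and is required on ARM).
int countHalfBakedObservations(int iterations)
{
    int total = 0;
    for (int i = 0; i < iterations; ++i) {
        CodeBlock block;
        std::atomic<bool> published { false };
        int seen = 0;
        std::thread reader([&] {
            while (!published.load(std::memory_order_relaxed)) {
                if (block.observesHalfBakedJITData())
                    ++seen;
            }
        });
        block.ensureJITData();
        published.store(true, std::memory_order_relaxed);
        reader.join(); // join() makes `seen` visible to this thread
        total += seen;
    }
    return total;
}

int main()
{
    assert(calleeSaveRegistersStayNull());
    assert(countHalfBakedObservations(100) == 0);
    return 0;
}
```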
2762
2763 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2764
2765         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
2766         https://bugs.webkit.org/show_bug.cgi?id=198253
2767
2768         Reviewed by Mark Lam.
2769
        The ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32.
        When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs in the slow path. And eventually the DFG first mis-compiles
        it with an Int32 ArithDiv while that div always produces a double. And unnecessary OSR exits happen.
2773
2774         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
2775
2776         * parser/ResultType.h:
2777         (JSC::ResultType::bigIntOrInt32Type):
2778
2779 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2780
2781         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
2782         https://bugs.webkit.org/show_bug.cgi?id=201634
2783
2784         Reviewed by Mark Lam.
2785
        When the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` accidentally returns `false`!
2787         For example, in BitAnd strength reduction,
2788
2789             1034             // Turn this: BitAnd(value, all-ones)
2790             1035             // Into this: value.
2791             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
2792             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
2793             1038                 replaceWithIdentity(m_value->child(0));
2794             1039                 break;
2795             1040             }
2796
2797         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
2798
            inline bool Value::isInt(int64_t value) const
            {
                return hasInt() && asInt() == value;
            }
2803
        So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
2805
            inline int64_t Value::asInt() const
            {
                return hasInt32() ? asInt32() : asInt64();
            }
2810
2811         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
2812         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
2813
2814         We also fix the following optimization.
2815
2816             // Turn this: BitAnd(Op(value, constant1), constant2)
2817             //     where !(constant1 & constant2)
2818             //       and Op is BitOr or BitXor
2819             // into this: BitAnd(value, constant2)
2820
2821         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
2822
2823             // Turn this: BitAnd(BitXor(x, allOnes), c)
2824             // Into this: BitXor(BitOr(x, ~c), allOnes)
2825
2826         We add 32bit version of B3 tests for these optimizations.
2827
2828         * b3/B3LowerToAir.cpp:
2829         * b3/B3ReduceStrength.cpp:
2830         * b3/testb3.h:
2831         * b3/testb3_2.cpp:
2832         (testBitAndNotNot32):
2833         (testBitAndNotImm):
2834         (testBitAndNotImm32):
2835         (testBitOrAndAndArgs32):
2836         (testBitOrAndSameArgs32):
2837         (testBitOrNotNot32):
2838         (testBitOrNotImm32):
2839         (addBitTests):
2840         * b3/testb3_3.cpp:
2841         (testBitXorAndAndArgs32):
2842         (testBitXorAndSameArgs32):
2843
2844 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2845
2846         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
2847         https://bugs.webkit.org/show_bug.cgi?id=189043
2848
2849         Reviewed by Keith Miller.
2850
        This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan,
        and removes Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
        using Wasm::StreamingParser.
2854
        Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will
        create a mechanism to pipe chunks of data to the streaming parser to enable WebAssembly.compileStreaming
        and instantiateStreaming.
2858
2859         * JavaScriptCore.xcodeproj/project.pbxproj:
2860         * Sources.txt:
2861         * tools/JSDollarVM.cpp:
2862         (JSC::WasmStreamingParser::WasmStreamingParser):
2863         * wasm/WasmAirIRGenerator.cpp:
2864         (JSC::Wasm::parseAndCompileAir):
2865         * wasm/WasmAirIRGenerator.h:
2866         * wasm/WasmB3IRGenerator.cpp:
2867         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
2868         * wasm/WasmB3IRGenerator.h:
2869         * wasm/WasmBBQPlan.cpp:
2870         (JSC::Wasm::BBQPlan::BBQPlan):
2871         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
2872         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
2873         (JSC::Wasm::BBQPlan::compileFunctions):
2874         (JSC::Wasm::BBQPlan::complete):
2875         * wasm/WasmBBQPlan.h:
2876         * wasm/WasmModuleParser.cpp: Removed.
2877         * wasm/WasmModuleParser.h: Removed.
2878         * wasm/WasmOMGForOSREntryPlan.cpp:
2879         (JSC::Wasm::OMGForOSREntryPlan::work):
2880         * wasm/WasmOMGPlan.cpp:
2881         (JSC::Wasm::OMGPlan::work):
2882         * wasm/WasmPlan.cpp:
2883         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
2884         * wasm/WasmSectionParser.cpp:
2885         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
2886         * wasm/WasmStreamingParser.cpp:
2887         (JSC::Wasm::StreamingParser::StreamingParser):
2888         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
2889         (JSC::Wasm::StreamingParser::parseFunctionPayload):
2890         (JSC::Wasm::StreamingParser::parseSectionPayload):
2891         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
2892         * wasm/WasmStreamingParser.h:
2893         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
2894         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
2895         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
2896         which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
2897         at appropriate timings.
2898         * wasm/WasmValidate.cpp:
2899         (JSC::Wasm::validateFunction):
2900         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
2901
2902 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2903
2904         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
2905         https://bugs.webkit.org/show_bug.cgi?id=201622
2906
2907         Reviewed by Mark Lam.
2908
        CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, but some places reallocate
        this Vector without taking the lock. If the Vector's memory is reallocated while the concurrent collector is iterating it,
        the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
2912
2913         * bytecode/CodeBlock.cpp:
2914         (JSC::CodeBlock::finishCreation):
2915         (JSC::CodeBlock::setConstantRegisters):
2916         * bytecode/CodeBlock.h:
2917         (JSC::CodeBlock::addConstant):
2918         (JSC::CodeBlock::addConstantLazily):
2919         * dfg/DFGDesiredWatchpoints.cpp:
2920         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2921         (JSC::DFG::SymbolTableAdaptor::add):
2922         (JSC::DFG::FunctionExecutableAdaptor::add):
2923         * dfg/DFGGraph.cpp:
2924         (JSC::DFG::Graph::registerFrozenValues):
2925         * dfg/DFGJITFinalizer.cpp:
2926         (JSC::DFG::JITFinalizer::finalizeCommon):
2927         * dfg/DFGLazyJSValue.cpp:
2928         (JSC::DFG::LazyJSValue::emit const):
2929
2930 2019-09-09  Robin Morisset  <rmorisset@apple.com>
2931
2932         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
2933         https://bugs.webkit.org/show_bug.cgi?id=197305
2934
2935         Reviewed by Keith Miller.
2936
        Currently it is a HashSet, but it only ever holds at most registerCount() items, and linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
        Further benefits include avoiding the allocation of the HashSet and not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
2939
2940         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
2941         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
2942
2943         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
2944         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
2945
2946         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
2947
2948         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2949
2950 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2951
2952         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
2953         https://bugs.webkit.org/show_bug.cgi?id=201613
2954
2955         Reviewed by Mark Lam.
2956
        We do not need to maintain the propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
        since we have the MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
        issue that `op_create_promise` missed propertyAccessInstructions registration (the name "propertyAccessInstructions" is
        misleading; it is more like "instructions-requiring-llint-finalize").
2961
2962         * bytecode/CodeBlock.cpp:
2963         (JSC::CodeBlock::propagateTransitions):
2964         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2965         * bytecode/UnlinkedCodeBlock.cpp:
2966         (JSC::UnlinkedCodeBlock::applyModification):
2967         (JSC::UnlinkedCodeBlock::shrinkToFit):
2968         * bytecode/UnlinkedCodeBlock.h:
2969         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2970         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
2971         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
2972         * bytecompiler/BytecodeGenerator.cpp:
2973         (JSC::BytecodeGenerator::emitResolveScope):
2974         (JSC::BytecodeGenerator::emitGetFromScope):
2975         (JSC::BytecodeGenerator::emitPutToScope):
2976         (JSC::BytecodeGenerator::emitGetById):
2977         (JSC::BytecodeGenerator::emitDirectGetById):
2978         (JSC::BytecodeGenerator::emitPutById):
2979         (JSC::BytecodeGenerator::emitDirectPutById):
2980         (JSC::BytecodeGenerator::emitCreateThis):
2981         (JSC::BytecodeGenerator::emitToThis):
2982         * runtime/CachedTypes.cpp:
2983         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2984         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2985
2986 2019-09-07  Keith Miller  <keith_miller@apple.com>
2987
2988         OSR entry into wasm misses some contexts
2989         https://bugs.webkit.org/show_bug.cgi?id=201569
2990
2991         Reviewed by Yusuke Suzuki.
2992
2993         This patch fixes an issue where we could fail to capture some of
2994         our contexts when OSR entering into wasm code. Before we would
2995         only capture the state of the block immediately surrounding the
2996         entrance loop block header. We actually need to capture all
2997         enclosed stacks.
2998
2999         Additionally, we don't need to use variables for all the captured
3000         values. We can use a Phi and insert an upsilon just below the
3001         captured value.
3002
3003         * interpreter/CallFrame.h:
3004         * jsc.cpp:
3005         (GlobalObject::finishCreation):
3006         (functionCallerIsOMGCompiled):
3007         * wasm/WasmAirIRGenerator.cpp:
3008         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3009         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
3010         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3011         (JSC::Wasm::AirIRGenerator::addLoop):
3012         * wasm/WasmB3IRGenerator.cpp:
3013         (JSC::Wasm::B3IRGenerator::createStack):
3014         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3015         (JSC::Wasm::B3IRGenerator::addConstant):
3016         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
3017         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
3018         (JSC::Wasm::B3IRGenerator::addLoop):
3019         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
3020         (JSC::Wasm::dumpExpressionStack):
3021         (JSC::Wasm::B3IRGenerator::dump):
3022         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
3023         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
3024         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
3025         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
3026         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
3027         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
3028         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
3029         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
3030         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
3031         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
3032         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
3033         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
3034         * wasm/WasmFunctionParser.h:
3035         (JSC::Wasm::FunctionParser::controlStack):
3036
3037 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
3038
3039         [JSC] Promise resolve/reject functions should be created more efficiently
3040         https://bugs.webkit.org/show_bug.cgi?id=201488
3041
3042         Reviewed by Mark Lam.
3043
        While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
        Unfortunately, anonymous builtin functions can be created frequently since this type of function is used
        for the `resolve` and `reject` arguments of a Promise's executor (e.g. the resolve and reject of `new Promise((resolve, reject) => ...)`).
        Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
3048
3049         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
3050         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
3051         anonymous-builtin-function creation faster.
3052
3053         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
3054         The simple microbenchmark shows 1.7x improvement.
3055
3056                                               ToT                     Patched
3057
3058             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
3059
3060         * dfg/DFGSpeculativeJIT.cpp:
3061         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3062         * ftl/FTLLowerDFGToB3.cpp:
3063         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3064         * runtime/FunctionRareData.cpp:
3065         (JSC::FunctionRareData::create):
3066         (JSC::FunctionRareData::FunctionRareData):
3067         * runtime/FunctionRareData.h:
3068         * runtime/JSFunction.cpp:
3069         (JSC::JSFunction::finishCreation):
3070         (JSC::JSFunction::allocateRareData):
3071         (JSC::JSFunction::allocateAndInitializeRareData):
3072         * runtime/JSFunctionInlines.h:
3073         (JSC::JSFunction::hasReifiedName const):
3074
3075 2019-09-07  Mark Lam  <mark.lam@apple.com>
3076
3077         performJITMemcpy() source buffer should not be in the Gigacage.
3078         https://bugs.webkit.org/show_bug.cgi?id=201577
3079         <rdar://problem/55142606>
3080
3081         Reviewed by Michael Saboff.
3082
3083         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
3084         buffer is not in the Gigacage.
3085
3086         * jit/ExecutableAllocator.h:
3087         (JSC::performJITMemcpy):
3088
3089 2019-09-07  Mark Lam  <mark.lam@apple.com>
3090
3091         The jsc shell should allow disabling of the Gigacage for testing purposes.
3092         https://bugs.webkit.org/show_bug.cgi?id=201579
3093
3094         Reviewed by Michael Saboff.
3095
3096         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
3097         this env var is present and it has a falsy value, then do not
3098         forbidDisablingPrimitiveGigacage() in the jsc shell.
3099
3100         * jsc.cpp:
3101         (jscmain):
3102
3103 2019-09-06  Mark Lam  <mark.lam@apple.com>
3104
3105         Harden protection of the Gigacage Config parameters.
3106         https://bugs.webkit.org/show_bug.cgi?id=201570
3107         <rdar://problem/55134229>
3108
3109         Reviewed by Saam Barati.
3110
3111         Just renaming some function names here.
3112
3113         * assembler/testmasm.cpp:
3114         (JSC::testCagePreservesPACFailureBit):
3115         * jit/AssemblyHelpers.h:
3116         (JSC::AssemblyHelpers::cageConditionally):
3117         * jsc.cpp:
3118         (jscmain):
3119
3120 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
3121
3122         Math.round() produces wrong result for value prior to 0.5
3123         https://bugs.webkit.org/show_bug.cgi?id=185115
3124
3125         Reviewed by Saam Barati.
3126
3127         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
3128         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
3129
3130         Specifically:
          - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
            so taking the difference between `ceil(value)` and `value` is problematic.
3133           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
3134             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
3135
3136         * dfg/DFGSpeculativeJIT.cpp:
3137         (JSC::DFG::SpeculativeJIT::compileArithRounding):
3138         * ftl/FTLLowerDFGToB3.cpp:
3139         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3140         * jit/ThunkGenerators.cpp:
3141         (JSC::roundThunkGenerator):
3142         * runtime/MathCommon.cpp:
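
        The following example is added here and is not WebKit code: the two rounding shapes this entry calls out
        (`floor(x + 0.5)` and the ceil-minus-value difference), evaluated on 0.49999999999999994, beside a floor-based
        round-half-up that handles that value, ties, large integers and negative zero as Math.round requires. The function
        names are this example's own, not those in MathCommon.cpp.

```cpp
#include <cassert>
#include <cmath>

// The naive shape the entry describes for the old baseline thunk: floor(x + 0.5).
// The addition itself rounds, so 0.49999999999999994 + 0.5 becomes exactly 1.0.
double roundNaive(double x)
{
    return std::floor(x + 0.5);
}

// The ceil-and-difference shape the entry calls problematic:
// 1 - 0.49999999999999994 is not representable and rounds to exactly 0.5,
// so the "> 0.5" test fails to step back down to 0.
double roundViaCeilDifference(double x)
{
    double integer = std::ceil(x);
    return integer - (integer - x > 0.5);
}

// Round-half-up with the difference taken against floor(x) instead.
// x - floor(x) is exact for 0 <= x < 1 (floor is 0) and for |x| >= 1 (the
// operands are within a factor of two, so the subtraction is exact). For
// -1 < x < 0 the subtraction can round, but the only value that lands on
// exactly 0.5 is the double just above -0.5, where rounding to 0 is correct.
// Zero results keep the sign of x, since Math.round(-0.3) is -0.
double roundFixed(double x)
{
    double integer = std::floor(x);
    double result = (x - integer >= 0.5) ? integer + 1 : integer;
    if (result == 0)
        return std::copysign(0.0, x);
    return result; // NaN and +/-Infinity fall through unchanged
}

int main()
{
    const double justBelowHalf = 0.49999999999999994;
    assert(roundNaive(justBelowHalf) == 1.0);             // wrong
    assert(roundViaCeilDifference(justBelowHalf) == 1.0); // wrong
    assert(roundFixed(justBelowHalf) == 0.0);             // right
    assert(std::signbit(roundFixed(-0.5)));               // -0, as Math.round requires
    assert(roundFixed(-2.5) == -2.0 && roundFixed(2.5) == 3.0);
    // 2^52 + 1: x + 0.5 ties and rounds to even, so the naive form drifts by one.
    assert(roundNaive(4503599627370497.0) == 4503599627370498.0);
    assert(roundFixed(4503599627370497.0) == 4503599627370497.0);
    return 0;
}
```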
3143
3144 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3145
3146         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
3147         https://bugs.webkit.org/show_bug.cgi?id=201366
3148
3149         Reviewed by Saam Barati.
3150
3151         It is possible for the log buffer to be full right as someone is trying to
3152         log a function prologue. In such a case the machine stack has already been
3153         updated to include the new JavaScript call frame, but the prologue packet
3154         cannot be included in the update because the log is full. This would mean
3155         that the update fails to rationalize the machine stack with the shadow
3156         log / stack. Namely, the current JavaScript call frame is unable to
3157         find a matching prologue (the one we are holding to include after the update)
3158         and inserts a questionable value into the stack; and in the process
3159         missing and removing real potential tail calls.
3160
3161         For example:
3162         
3163             "use strict";
3164             function third() { return 1; }
3165             function second() { return third(); }
3166             function first() { return second(); }
3167             function start() { return first(); }
3168
        If the log fills up just as we are entering `b` then we may have a
        full log of packets looking like:
3171
3172           Shadow Log:
3173             ...
3174             { prologue-packet: entering `start` ... }
3175             { prologue-packet: entering `first` ... }
3176             { tail-packet: leaving `first` with a tail call }
3177
3178           Incoming Packet:
3179             { prologue-packet: entering `second` ... }
3180
3181           Current JS Stack:
3182             second
3183             start
3184
3185         Since the Current JavaScript stack already has `second`, if we process the
3186         log without the prologue for `second` then we push a confused entry on the
3187         shadow stack and clear the log such that we eventually lose the tail-call
3188         information for `first` to `second`.
3189
3190         This patch solves this issue by providing enough extra space in the log
3191         to always process the incoming packet when that forces an update. This way
3192         clients can continue to behave exactly as they are.
3193
3194         --
3195
3196         We also document a corner case in some circumstances where the shadow
3197         log may currently be insufficient to know how to reconcile:
3198         
3199         For example:
3200
3201             "use strict";
3202             function third() { return 1; }
3203             function second() { return third(); }
3204             function first() { return second(); }
3205             function doNothingTail() { return Math.random() }
3206             function start() {
                for (let i = 0; i < 1000; ++i) doNothingTail(); // `let` is needed under "use strict"
3208                 return first();
3209             }
3210
3211         In this case the ShadowChicken log may be processed multiple times due
3212         to the many calls to `doNothingTail` / `Math.random()`. When calling the
3213         Native function no prologue packet is emitted, so it is unclear that we
        temporarily go deeper and come back out on the stack, so the log appears
3215         to have lots of doNothingTail calls reusing the same frame:
3216
3217           Shadow Log:
3218             ...
3219             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
3220             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3221             , [125] tail-packet:{frame = 0x7ffeef8971f0}
3222             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3223             , [127] tail-packet:{frame = 0x7ffeef8971f0}
3224             ...
3225             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3226             , [141] tail-packet:{frame = 0x7ffeef8971f0}
3227             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3228             , [143] tail-packet:{frame = 0x7ffeef8971f0}
3229             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
3230             , [145] tail-packet:{frame = 0x7ffeef8971f0}
3231             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
3232             ...
3233
3234         This log would seem to be indistinguishable from real tail recursion, such as:
3235
3236             "use strict";
3237             function third() { return 1; }
3238             function second() { return third(); }
3239             function first() { return second(); }
3240             function doNothingTail(n) {
3241                 return n ? doNothingTail(n-1) : first();
3242             }
3243             function start() {
3244                 return doNothingTail(1000);
3245             }
3246
3247         Likewise there are more cases where the shadow log appears to be ambiguous with determining
3248         the appropriate parent call frame with intermediate function calls. In practice this may
3249         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
3250         It seems likely we would only show additional frames that did in fact happen serially
3251         between JavaScript call frames, but may not actually be the proper parent frame
3252         hierarchy in the stack.
3253
3254         * interpreter/ShadowChicken.cpp:
3255         (JSC::ShadowChicken::Packet::dump const):
3256         (JSC::ShadowChicken::Frame::dump const):
3257         (JSC::ShadowChicken::dump const):
3258         Improved debugging output. Especially for functions.
3259
3260         (JSC::ShadowChicken::ShadowChicken):
3261         Make space in the log for 1 additional packet to process when we slow log.
3262
3263         (JSC::ShadowChicken::log):
3264         Include this packet in our update.
3265
3266         (JSC::ShadowChicken::update):
3267         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
3268
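        The log-capacity problem described in the entry above, modelled as an added Python
        example (illustrative code, not JSC's ShadowChicken implementation): a toy shadow stack
        replays prologue and tail packets and is then reconciled against the machine stack.
        The packet shapes, the replay and reconcile rules, and the frame addresses are constructed
        assumptions; the model only reproduces the behaviour the entry describes, where processing
        the log without the incoming prologue packet for `second` loses the tail-deleted `first`
        frame, while reserving room for that one extra packet preserves it.

```python
# Toy model of shadow-stack reconciliation (added example, not JSC code).
# Packet kinds, frame addresses and the replay/reconcile rules are constructed
# assumptions chosen to reproduce the scenario in the ChangeLog entry.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    kind: str            # "prologue" (entering a function) or "tail" (leaving via tail call)
    frame: int           # machine frame address the packet refers to
    callee: str = ""     # prologue only: name of the function being entered
    caller_frame: int = 0


@dataclass
class ShadowFrame:
    callee: str
    frame: int
    tail_deleted: bool = False   # replaced by a tail call; no machine frame backs it any more
    tail_pending: bool = False   # tail-packet seen, replacing callee's prologue not yet seen


def replay(shadow: List[ShadowFrame], log: List[Packet]) -> None:
    """Apply logged packets, in order, to the shadow stack."""
    for p in log:
        if p.kind == "tail":
            # The topmost frame is about to be reused by a tail call.
            if shadow and shadow[-1].frame == p.frame:
                shadow[-1].tail_pending = True
            continue
        top = shadow[-1] if shadow else None
        if top is not None and top.tail_pending and top.frame == p.frame:
            # Same frame address, entered right after a tail-packet: the old callee
            # was tail-deleted, so keep it on the shadow stack as such.
            top.tail_pending = False
            top.tail_deleted = True
        shadow.append(ShadowFrame(p.callee, p.frame))


def reconcile(shadow: List[ShadowFrame], machine: List[Tuple[str, int]]) -> None:
    """Drop shadow frames that no longer match the real stack (outermost first) and
    adopt machine frames the shadow stack has no record of."""
    i = 0      # next machine frame to match
    keep = 0   # number of leading shadow frames that are still valid
    for sf in shadow:
        if sf.tail_deleted:
            keep += 1            # tail-deleted frames occupy no machine frame
            continue
        if i < len(machine) and machine[i] == (sf.callee, sf.frame):
            keep += 1
            i += 1
        else:
            break                # mismatch: everything from here up is stale
    del shadow[keep:]
    for callee, frame in machine[i:]:
        shadow.append(ShadowFrame(callee, frame))  # frames we never saw a prologue for


def simulate(extra_slot: bool) -> List[Tuple[str, bool]]:
    """Return the shadow stack as (callee, tail_deleted) after `second` is entered.

    extra_slot=False: the log is full after three packets, so update() runs before
    the prologue for `second` is logged (the buggy behaviour).
    extra_slot=True: one extra slot lets the incoming packet be processed together
    with the rest (the fix)."""
    S, X = 0x7FFEEF8972E0, 0x7FFEEF897270   # constructed frame addresses
    packets = [
        Packet("prologue", S, "start"),
        Packet("prologue", X, "first", S),
        Packet("tail", X),                    # `first` tail-calls `second`, reusing frame X
        Packet("prologue", X, "second", S),   # the incoming packet that forces the update
    ]
    machine = [("start", S), ("second", X)]   # real stack at the moment `second` is entered
    shadow: List[ShadowFrame] = []
    if extra_slot:
        replay(shadow, packets)
        reconcile(shadow, machine)
    else:
        replay(shadow, packets[:3])
        reconcile(shadow, machine)            # `first` at frame X mismatches `second` at X
        replay(shadow, packets[3:])           # late prologue pushes a confused duplicate
        reconcile(shadow, machine)
    return [(f.callee, f.tail_deleted) for f in shadow]


if __name__ == "__main__":
    print("without extra slot:", simulate(False))   # `first` is lost
    print("with extra slot:   ", simulate(True))    # `first` kept as tail-deleted
```

        In the buggy path the reconcile step sees `first` where the machine stack has `second`
        at the same frame address and discards it; by the time the prologue for `second` is
        replayed there is no pending tail-packet to attach it to. With the extra slot the tail-packet
        and the prologue are replayed together, which is the only point at which the tail-deleted
        relationship between `first` and `second` can be recovered.
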
3269 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
3270
3271         Unreviewed, rolling out r249566.
3272
3273         Causes inspector layout test crashes under GuardMalloc
3274
3275         Reverted changeset:
3276
3277         "Tail Deleted Frames shown in Web Inspector are sometimes
3278         incorrect (Shadow Chicken)"
3279         https://bugs.webkit.org/show_bug.cgi?id=201366
3280         https://trac.webkit.org/changeset/249566
3281
3282 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
3283
3284         testmasm: save r6 in JIT'ed code on ARM_THUMB2
3285         https://bugs.webkit.org/show_bug.cgi?id=201138
3286
3287         Reviewed by Mark Lam.
3288
3289         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
3290         callee-saved register. The JITs use
3291         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
3292         callee-saved registers, but there is no such mechanism in testmasm,
3293         which seems to make the assumption that the macroassembler does not
3294         use callee-saved registers (which I guess is true for all other
3295         architectures, but not for Armv7).
3296
3297         This issue means that testmasm crashes on Armv7 since code generated
3298         by gcc uses r6, and it gets modified by JIT'ed code.
3299
3300         This change makes sure that we save and restore r6 for all code
3301         compiled by testmasm on Armv7.