[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-12-10  Mark Lam  <mark.lam@apple.com>

        LinkBuffer::copyCompactAndLinkCode() needs to be aware of ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=192569
        <rdar://problem/45615617>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-12-10  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMul into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186175

        Reviewed by Yusuke Suzuki.

        This patch is adding a new DFG node called ValueMul. This node is
        responsible for handling multiplication operations that can result in
        non-number values. We emit such a node during DFGByteCodeParser when the
        operands are not numbers. During FixupPhase, we change this
        operation to ArithMul if we can speculate Number/Boolean operands.

        The BigInt specialization shows a small progression:

                                noSpec                changes

        big-int-simple-mul  18.8090+-1.0435  ^  17.4305+-0.2673  ^ definitely 1.0791x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupMultiplication):
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueMul):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):

2018-12-08  Mark Lam  <mark.lam@apple.com>

        Reduce size of PropertySlot and PutPropertySlot.
        https://bugs.webkit.org/show_bug.cgi?id=192526

        Reviewed by Keith Miller.

        With some minor adjustments, we can reduce the size of PropertySlot from 80 bytes
        (19 padding bytes) to 64 bytes (3 padding bytes), and PutPropertySlot from 40
        bytes (4 padding bytes) to 32 bytes (0 padding bytes but with 6 unused bits).
        These measurements are for a 64-bit build.

        * runtime/PropertySlot.h:
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2018-12-08  Dominik Infuehr  <dinfuehr@igalia.com>

        Record right offset with aligned wide instructions
        https://bugs.webkit.org/show_bug.cgi?id=192006

        Reviewed by Yusuke Suzuki.

        Aligning bytecode instructions inserts nops into the instruction stream.
        Emitting an instruction did not record the actual start of the instruction with
        aligned instructions, but the nop just before the actual instruction. This was
        problematic with the StaticPropertyAnalyzer that used the wrong instruction offset.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStream::MutableRef::clone):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::alignWideOpcode):
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitNewObject):
        * generator/Opcode.rb:

2018-12-07  Tadeu Zagallo  <tzagallo@apple.com>

        Align the metadata table on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=192050
        <rdar://problem/46312674>

        Reviewed by Mark Lam.

        Although certain platforms don't require the metadata to be aligned,
        values were being concurrently read and written to ValueProfiles,
        which caused crashes since these operations are not atomic on unaligned
        addresses.

        * bytecode/Opcode.cpp:
        (JSC::metadataAlignment):
        * bytecode/Opcode.h:
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::finalize):

2018-12-05  Mark Lam  <mark.lam@apple.com>

        speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
        https://bugs.webkit.org/show_bug.cgi?id=192441
        <rdar://problem/46480355>

        Reviewed by Saam Barati.

        This is because a regular String (non-Identifier) can be converted into an
        Identifier.  During DFG/FTL compilation, AbstractValue::checkConsistency() may
        expect a value to be of type SpecStringVar, but the mutator thread may have
        converted the string into an Identifier.  This creates a race where
        AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when
        it expects a SpecStringVar.

        The fix is to speculate non-Identifier strings as type SpecString which allows it
        to be SpecStringVar or SpecStringIdent.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):

2018-12-04  Mark Lam  <mark.lam@apple.com>

        DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
        https://bugs.webkit.org/show_bug.cgi?id=192386
        <rdar://problem/46445516>

        Reviewed by Saam Barati.

        This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-12-04  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        operand of logical operations. During JIT generation into DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: Audit: tests should support async operations
        https://bugs.webkit.org/show_bug.cgi?id=192171
        <rdar://problem/46423562>

        Reviewed by Joseph Pecoraro.

        Add `awaitPromise` command for executing a callback when a Promise gets settled.

        Drive-by: allow `wasThrown` to be optional, instead of expecting it to always have a value.

        * inspector/protocol/Runtime.json:

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.awaitPromise): Added.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::awaitPromise): Added.
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        (Inspector::InjectedScriptBase::makeAsyncCall): Added.
        (Inspector::InjectedScriptBase::checkCallResult): Added.
        (Inspector::InjectedScriptBase::checkAsyncCallResult): Added.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::awaitPromise):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        operand of logical operations. During JIT generation into DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-03  Keith Rollin  <krollin@apple.com>

        Add .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=192082
        <rdar://problem/46312533>

        Reviewed by Brent Fulgham.

        Add .xcfilelist files for Generate Derived Sources and Generate
        Unified Sources build phases in Xcode. These are just being staged for
        now; they'll be added to the Xcode projects later.

        * DerivedSources-input.xcfilelist: Added.
        * DerivedSources-output.xcfilelist: Added.
        * UnifiedSources-input.xcfilelist: Added.
        * UnifiedSources-output.xcfilelist: Added.

2018-12-03  Mark Lam  <mark.lam@apple.com>

        Fix the bytecode code generator scripts to pretty print BytecodeStructs.h and BytecodeIndices.h.
        https://bugs.webkit.org/show_bug.cgi?id=192271

        Reviewed by Keith Miller.

        This makes the generated code style compliant and human readable.

        * generator/Argument.rb:
        * generator/DSL.rb:
        * generator/Fits.rb:
        * generator/Metadata.rb:
        * generator/Opcode.rb:

2018-12-02  Zalan Bujtas  <zalan@apple.com>

        Add a runtime feature flag for LayoutFormattingContext.
        https://bugs.webkit.org/show_bug.cgi?id=192280

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2018-12-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<<" and ">>"
        https://bugs.webkit.org/show_bug.cgi?id=186233

        Reviewed by Yusuke Suzuki.

        This patch is introducing support for BigInt into lshift and
        rshift in the LLInt and Baseline layers.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::leftShift):
        (JSC::JSBigInt::signedRightShift):
        (JSC::JSBigInt::leftShiftByAbsolute):
        (JSC::JSBigInt::rightShiftByAbsolute):
        (JSC::JSBigInt::rightShiftByMaximum):
        (JSC::JSBigInt::toShiftAmount):
        * runtime/JSBigInt.h:

2018-12-01  Simon Fraser  <simon.fraser@apple.com>

        Heap.h refers to the non-existent HeapStatistics
        https://bugs.webkit.org/show_bug.cgi?id=187882

        Reviewed by Keith Miller.

        Just remove the "friend class HeapStatistics".

        * heap/Heap.h:

2018-11-29  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Keep TypeMaybeBigInt small
        https://bugs.webkit.org/show_bug.cgi?id=192203

        Reviewed by Saam Barati.

        As BigInt is being implemented, more and more bytecodes start returning BigInt.
        It means that the ResultType of these bytecodes includes TypeMaybeBigInt. However,
        TypeMaybeBigInt was the large number 0x20, leading to wide instructions since ResultType
        easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33).

        This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in
        the code.

        * parser/ResultType.h:

2018-11-30  Dean Jackson  <dino@apple.com>

        Try to fix Windows build by using strcmp instead of strcasecmp.

        * jsc.cpp:
        (isMJSFile):

2018-11-30  Mark Lam  <mark.lam@apple.com>

        Fix the bytecode code generator scripts to pretty print Bytecodes.h.
        https://bugs.webkit.org/show_bug.cgi?id=192258

        Reviewed by Keith Miller.

        This makes Bytecodes.h more human readable.

        * generator/DSL.rb:
        * generator/Section.rb:

2018-11-30  Mark Lam  <mark.lam@apple.com>

        Add the generator directory to the Xcode project.
        https://bugs.webkit.org/show_bug.cgi?id=192252

        Reviewed by Michael Saboff.

        This is so that we can work with these bytecode class generator files easily in Xcode.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-30  Don Olmstead  <don.olmstead@sony.com>

        Rename ENABLE_SUBTLE_CRYPTO to ENABLE_WEB_CRYPTO
        https://bugs.webkit.org/show_bug.cgi?id=192197

        Reviewed by Jiewen Tan.

        * Configurations/FeatureDefines.xcconfig:

2018-11-30  Dean Jackson  <dino@apple.com>

        Add first-class support for .mjs files in jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=192190
        <rdar://problem/46375715>

        Reviewed by Keith Miller.

        Treat files with a .mjs extension as a module, regardless
        of whether or not the --module-file argument was given.

        * jsc.cpp:
        (printUsageStatement): Update usage.
        (isMJSFile): Helper to look for .mjs extensions.
        (CommandLine::parseArguments): Pick the appropriate script type.

2018-11-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Implement ValueBitXor into DFG
        https://bugs.webkit.org/show_bug.cgi?id=190264

        Reviewed by Yusuke Suzuki.

        This patch is splitting the BitXor node into ArithBitXor and
        ValueBitXor. This is necessary due to the introduction of
        BigInt, since BitXor operations now can result in Int32 or BigInt.
        In such a case, we use ArithBitXor when operands are Int and fall back to
        ValueBitXor when operands are anything else. In the case of
        ValueBitXor, we speculate BigInt when op1 and op2 are predicted as
        BigInt as well. The BigInt specialization consists of calling the
        `operationBigIntBitXor` function, which calls JSBigInt::bitXor.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::arithProfileForPC):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitXor): Deleted.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitxor):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-11-29  Justin Michaud  <justin_michaud@apple.com>

        CSS Painting API should pass 'this' correctly to paint callback, and repaint when properties change.
        https://bugs.webkit.org/show_bug.cgi?id=191443

        Reviewed by Dean Jackson.

        Export the simpler construct() method for use in WebCore.

        * runtime/ConstructData.h:

2018-11-28  Mark Lam  <mark.lam@apple.com>

        ENABLE_SEPARATED_WX_HEAP needs to be defined in Platform.h.
        https://bugs.webkit.org/show_bug.cgi?id=192110
        <rdar://problem/46317746>

        Reviewed by Saam Barati.

        * config.h:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Update generate-{derived,unified}-sources scripts to support generating .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=192031
        <rdar://problem/46286816>

        Reviewed by Alex Christensen.

        The Generate Derived Sources and Generate Unified Sources build phases
        in Xcode need to have their inputs and outputs specified. This
        specification will come in the form of .xcfilelist files that will be
        attached to these build phases. There is one .xcfilelist file that
        lists the input files and one that lists the output files. As part of
        this work, the various generate-{derived,unified}-sources scripts that
        are executed in these Generate build phases are modified to help in
        the creation of these .xcfilelist files. In particular, they can now
        be invoked with command-line parameters. These parameters are then
        used to alter the normal execution of these scripts, causing them to
        produce the .xcfilelist files as opposed to actually generating the
        files that are listed in those files.

        * Scripts/generate-derived-sources.sh:
        * Scripts/generate-unified-sources.sh:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Revert print_all_generated_files work in r238008; tighten up target specifications
        https://bugs.webkit.org/show_bug.cgi?id=192025
        <rdar://problem/46284301>

        Reviewed by Alex Christensen.

        In r238008, I added a facility for DerivedSources.make makefiles to
        print out the list of files that they generate. This output was used
        in the generation of .xcfilelist files used to specify the output of
        the associated Generate Derived Sources build phases in Xcode. This
        approach worked, but it meant that people would need to follow a
        specific convention to keep this mechanism working.

        Instead of continuing this approach, I'm going to implement a new
        facility based on the output of `make` when passed the -d flag (which
        prints dependency information). This new mechanism is completely
        automatic and doesn't need maintainers to follow a convention. To that
        end, remove most of the work performed in r238008 that supports the
        print_all_generated_files target.

        At the same time, it's important for the sets of targets and their
        dependencies to be complete and correct. Therefore, also include
        changes to bring those up-to-date. As part of that, you'll see
        prevalent use of a particular technique. Here's an example:

            BYTECODE_FILES = \
                Bytecodes.h \
                BytecodeIndices.h \
                BytecodeStructs.h \
                InitBytecodes.asm \
            #
            BYTECODE_FILES_PATTERNS = $(subst .,%,$(BYTECODE_FILES))

            all : $(BYTECODE_FILES)

            $(BYTECODE_FILES_PATTERNS): $(wildcard $(JavaScriptCore)/generator/*.rb) $(JavaScriptCore)/bytecode/BytecodeList.rb
                ...

        These lines indicate a set of generated files (those specified in
        BYTECODE_FILES). These files are generated by the BytecodeList.rb
        tool. But, as opposed to the normal rule where a single foo.output is
        generated by foo.input plus some additional dependencies, this rule
        produces multiple output files from a tool whose connection to the
        output files is not immediately clear. A special approach is needed
        where a single rule produces multiple output files. The normal way to
        implement this is to use an .INTERMEDIATE target. However, we used
        this approach in the past and ran into a problem with it, addressing
        it with an alternate approach in r210507. The above example shows this
        approach. The .'s in the list of target files are replaced with %'s,
        and the result is used as the left side of the dependency rule.

        * DerivedSources.make:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Remove Postprocess Headers dependencies
        https://bugs.webkit.org/show_bug.cgi?id=192023
        <rdar://problem/46283377>

        Reviewed by Mark Lam.

        JavaScriptCore's Xcode Postprocess Headers build phase used to have a
        dependency on a specific handful of files. In r234227, the script used
        in this phase (postprocess-headers.sh) was completely rewritten to
        operate on *all* files in JSC's Public and Private headers directories
        instead of just this handful. This rewrite makes the previous
        dependency specification insufficient, leading to incorrect
        incremental builds if the right files weren't touched. Address this by
        removing the dependencies completely. This will cause
        postprocess-headers.sh to always be executed, even when none of its
        files are touched. Running this script all the time is OK, since it has
        built-in protections against unnecessarily touching files that haven't
        changed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-27  Mark Lam  <mark.lam@apple.com>

        ENABLE_FAST_JIT_PERMISSIONS should be false for iosmac.
        https://bugs.webkit.org/show_bug.cgi?id=192055
        <rdar://problem/46288783>

        Reviewed by Saam Barati.

        * Configurations/FeatureDefines.xcconfig:

2018-11-27  Saam barati  <sbarati@apple.com>

        r238510 broke scopes of size zero
        https://bugs.webkit.org/show_bug.cgi?id=192033
        <rdar://problem/46281734>

        Reviewed by Keith Miller.

        In r238510, I wrote the loop like this:
        `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`

        This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.

        This patch fixes this by writing the loop as:
        `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
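
The entry above shows the two loop shapes but not the failure itself. The following is an added example, not code from the ChangeLog or from JavaScriptCore: FakeSymbolTable is a hypothetical stand-in for SymbolTable (assumption) with scopeSize() entries and a maxScopeOffset() computed as scopeSize() - 1 in unsigned arithmetic, which wraps to UINT_MAX for an empty scope. The first function reproduces the r238510 loop shape with an iteration cap so the non-termination can be observed; the second reproduces the fixed shape.

```cpp
#include <climits>

// Hypothetical stand-in for SymbolTable (assumption for this example):
// scopeSize() entries live at offsets 0..scopeSize()-1, and maxScopeOffset()
// is computed in unsigned arithmetic, so it wraps to UINT_MAX when size == 0.
struct FakeSymbolTable {
    unsigned size;
    unsigned scopeSize() const { return size; }
    unsigned maxScopeOffset() const { return size - 1; }
};

// The r238510 loop shape: `offset <= maxScopeOffset()`. For an empty scope the
// bound is UINT_MAX, so the condition is never false, and `offset += 1` wraps
// from UINT_MAX back to 0; the loop never terminates on its own (in the real
// code every iteration would also index past the end of the scope). `budget`
// caps the iterations so the behaviour can be observed; returns -1 if it was hit.
long visitWithMaxOffsetBound(const FakeSymbolTable& table, unsigned budget) {
    long visited = 0;
    for (unsigned offset = 0; offset <= table.maxScopeOffset(); offset += 1) {
        if (static_cast<unsigned long>(visited) >= budget)
            return -1; // did not terminate within budget
        ++visited;
    }
    return visited;
}

// The fixed loop shape: `offset < scopeSize()`. Visits exactly scopeSize()
// offsets and handles the empty scope without any sentinel arithmetic.
long visitWithSizeBound(const FakeSymbolTable& table) {
    long visited = 0;
    for (unsigned offset = 0; offset < table.scopeSize(); ++offset)
        ++visited;
    return visited;
}
```

The general lesson is the one the entry states: an inclusive upper bound derived as `size - 1` on an unsigned type is not a safe loop sentinel, because the empty case turns it into the maximum value rather than into "no iterations".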

2018-11-27  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
        https://bugs.webkit.org/show_bug.cgi?id=192018

        Reviewed by Saam Barati.

        This assertion failed because the regress-191579.js test was specifying
        --maxPerThreadStackUsage=400000 i.e. it was running with a stack size that is not
        page aligned.  Given that the user can specify any arbitrary stack size, and the
        CLoop stack expects to be page aligned, we'll just round up the requested capacity
        to the next page alignment.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):

2018-11-27  Mark Lam  <mark.lam@apple.com>

        [Re-landing] NaNs read from Wasm code need to be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
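
The entry above does not say why a NaN coming out of Wasm must be purified. JavaScriptCore NaN-boxes its 64-bit JSValues, so only one canonical NaN bit pattern may be stored as a double; a Wasm module can materialise any 64-bit pattern as an f64 (for instance via f64.reinterpret_i64), including NaNs with arbitrary payloads. The following is an added example, not code from the ChangeLog or from JavaScriptCore. Its encoding is a simplified model of a JSC-style NaN-boxing scheme and is an assumption for this example (doubles stored as their IEEE bits plus 2^49, an Int32 tag in the top bits, cell pointers with the top 16 bits zero); the "hostile" NaN payload is constructed. It shows a NaN that, unpurified, would be decoded as an Int32, and the same value decoding as a double after purification.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Simplified model of a JSC-style NaN-boxing scheme (assumption for this
// example, not JSC's code):
//   - a double is boxed as its IEEE bits plus kDoubleEncodeOffset (2^49);
//   - a boxed value whose top 15 bits are all set (0xFFFE tag) is an Int32;
//   - a boxed value whose top 16 bits are zero is a cell pointer.
enum class Tag { Int32, Double, Cell, Other };

static const uint64_t kDoubleEncodeOffset = 1ULL << 49;
static const uint64_t kNumberTag = 0xfffe000000000000ULL;
static const uint64_t kPureNaNBits = 0x7ff8000000000000ULL; // canonical quiet NaN

uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Collapse every NaN, whatever its sign or payload, to the canonical NaN.
// Non-NaN values pass through unchanged. (Requires IEEE semantics: do not
// build with -ffast-math, which may let the compiler assume isnan is false.)
double purifyNaN(double d) { return std::isnan(d) ? doubleOf(kPureNaNBits) : d; }

uint64_t encodeDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

Tag classify(uint64_t boxed) {
    if ((boxed & kNumberTag) == kNumberTag) return Tag::Int32;
    if (boxed & kNumberTag) return Tag::Double;
    if ((boxed >> 48) == 0) return Tag::Cell;
    return Tag::Other;
}

// Constructed payload: sign bit set, exponent all ones, non-zero mantissa, so
// it is a NaN, and adding the double-encode offset lands exactly on the Int32
// tag. Any 64-bit pattern like this can come out of a Wasm f64 global or memory.
static const uint64_t kHostileNaNBits = 0xfffc000000000000ULL;

// Boxing the raw Wasm NaN without purification: decoded as an Int32 (type confusion).
Tag tagOfUnpurifiedWasmNaN() { return classify(encodeDouble(doubleOf(kHostileNaNBits))); }

// Boxing after purifyNaN(): decoded as an ordinary double.
Tag tagOfPurifiedWasmNaN() { return classify(encodeDouble(purifyNaN(doubleOf(kHostileNaNBits)))); }
```

The check a reviewer would want at every boundary where a raw double enters the engine (Wasm globals, Wasm memory reads, typed-array reads of foreign data) is the one in purifyNaN: the payload of a NaN is attacker-controlled bits, and in a scheme that overlays type tags on the NaN space those bits must be discarded before the value is boxed.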

2018-11-27  Timothy Hatcher  <timothy@apple.com>

        Web Inspector: Add support for forcing color scheme appearance in DOM tree.
        https://bugs.webkit.org/show_bug.cgi?id=191820
        rdar://problem/46153172

        Reviewed by Devin Rousso.

        * inspector/protocol/Page.json: Added setForcedAppearance.
        Also added the defaultAppearanceDidChange event and Appearance enum.

2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238509.

        Causes JSC tests to fail on iOS.

        Reverted changeset:

        "NaNs read from Wasm code need to be purified."
        https://bugs.webkit.org/show_bug.cgi?id=191056
        https://trac.webkit.org/changeset/238509

2018-11-27  Mark Lam  <mark.lam@apple.com>

        Introducing an ENABLE_SEPARATED_WX_HEAP macro.
        https://bugs.webkit.org/show_bug.cgi?id=192013
        <rdar://problem/45494310>

        Reviewed by Keith Miller.

        This makes the code a little more readable.

        I put the definition of ENABLE_SEPARATED_WX_HEAP in JSC's config.h instead of
        Platform.h because ENABLE_SEPARATED_WX_HEAP is only needed inside JSC.  Also,
        ENABLE_SEPARATED_WX_HEAP depends on ENABLE(FAST_JIT_PERMISSIONS), which is only
        defined for JSC.

        * config.h:
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-11-26  Caio Lima  <ticaiolima@gmail.com>

        Re-introduce op_bitnot
        https://bugs.webkit.org/show_bug.cgi?id=190923

        Reviewed by Yusuke Suzuki.

        With the introduction of BigInt as a new type, we can't emit bitwise
        not as `x ^ -1` anymore, because this is incompatible with the new type.
        Based on that, this patch is adding `op_bitnot` as a new operation
        into LLInt, as well as introducing the ArithBitNot node into DFG to support
        JIT compilation of such opcode. We will use the ValueProfile of this
        instruction in the future to generate better code when its operand
        is not Int32.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::not32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::not32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::not32):
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitUnaryOp):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::UnaryPlusNode::emitBytecode):
        (JSC::BitwiseNotNode::emitBytecode): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileBitwiseNot):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitnot):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * parser/NodeConstructors.h:
790         (JSC::BitwiseNotNode::BitwiseNotNode):
791         * parser/Nodes.h:
792         * parser/ResultType.h:
793         (JSC::ResultType::bigIntOrInt32Type):
794         (JSC::ResultType::forBitOp):
795         * runtime/CommonSlowPaths.cpp:
796         (JSC::SLOW_PATH_DECL):
797         * runtime/CommonSlowPaths.h:
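
        The following is an added illustration, not code from this patch or from JSC:
        it shows at the JavaScript level why the old `x ^ -1` lowering of bitwise NOT
        cannot survive the BigInt type. The helper names (bitNotViaXor, bitNot,
        bitNotTypeDispatch, tryBitNot) are assumptions made for the example.

```javascript
// Added example (not JSC code): why bitwise NOT can no longer be lowered to
// `x ^ -1` once BigInt exists. `-1` is a Number, and a binary bitwise operator
// that mixes a BigInt with a Number throws a TypeError, while the dedicated `~`
// operator is defined for both types.

// The old lowering: bitwise NOT as XOR with the Number -1.
function bitNotViaXor(x) {
  return x ^ -1;
}

// The dedicated operator that op_bitnot / ArithBitNot implement.
function bitNot(x) {
  return ~x;
}

// Keeping the XOR lowering would require picking a -1 of the right type, which
// is only possible when the operand type is known (the ValueProfile the entry
// mentions is what would feed that decision).
function bitNotTypeDispatch(x) {
  return typeof x === "bigint" ? x ^ -1n : x ^ -1;
}

// Run fn(x) and report either the value or the thrown error's constructor name.
function tryBitNot(fn, x) {
  try {
    return { ok: true, value: fn(x) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Int32 operand: both lowerings agree.
tryBitNot(bitNotViaXor, 5);        // { ok: true, value: -6 }
tryBitNot(bitNot, 5);              // { ok: true, value: -6 }
// BigInt operand: only the dedicated operator (or the type-dispatched XOR) works.
tryBitNot(bitNotViaXor, 5n);       // { ok: false, error: "TypeError" }
tryBitNot(bitNot, 5n);             // { ok: true, value: -6n }
tryBitNot(bitNotTypeDispatch, 5n); // { ok: true, value: -6n }
```

        The type-dispatched variant is exactly the decision the engine must make at
        code-generation time, which is why a dedicated opcode with its own ValueProfile
        is the cleaner design.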
798
799 2018-11-26  Saam barati  <sbarati@apple.com>
800
801         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
802         https://bugs.webkit.org/show_bug.cgi?id=191956
803         <rdar://problem/45665806>
804
805         Reviewed by Yusuke Suzuki.
806
807         This is a similar bug to what Keith fixed in r232134. The issue is if we have
808         a program like this:
809         
810         a: JSConstant(jsNumber(0))
811         b: SetLocal(Int32:@a, loc1, FlushedInt32)
812         c: ArrayifyToStructure(Cell:@a)
813         d: Jump(...)
814         
815         At the point in the program right after the Jump, a GetLocal for loc1
816         would return whatever the ArrayifyToStructure resulting type is. This breaks
817         the invariant that a GetLocal must return a value that is a subtype of its
818         FlushFormat. InPlaceAbstractState::endBasicBlock will know if a SetLocal is
819         the final node touching a local slot. If so, it'll see if any nodes later
820         in the block may have refined the type of the value stored in that slot. If
821         so, endBasicBlock() further refines the type to ensure that any GetLocals
822         loading from the same slot will result in having this more refined type.
823         However, we must ensure that this logic only considers types within the
824         hierarchy of the variable access data's FlushFormat, otherwise, we may
825         break the invariant that a GetLocal's type is a subtype of its FlushFormat.
826
827         * dfg/DFGInPlaceAbstractState.cpp:
828         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
829
830 2018-11-26  Saam barati  <sbarati@apple.com>
831
832         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
833         https://bugs.webkit.org/show_bug.cgi?id=191958
834         <rdar://problem/46221877>
835
836         Reviewed by Yusuke Suzuki.
837
838         There may be more entries in an activation than unique variables
839         in a symbol table's hashmap. For example, if you have two parameters
840         to a function, and they both are the same name, and the function
841         uses eval, we'll end up with two scope slots, but only a single
842         entry in the hashmap in the symbol table. Object allocation sinking
843         phase was previously iterating over the hashmap, assuming these
844         values were equivalent. This is wrong in the above case. Instead,
845         we need to iterate over each scope offset.
846
847         * dfg/DFGObjectAllocationSinkingPhase.cpp:
848         * runtime/GenericOffset.h:
849         (JSC::GenericOffset::operator+=):
850         (JSC::GenericOffset::operator-=):
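
        The following is an added illustration, not code from this patch or from JSC:
        it builds the exact function shape the entry describes (two parameters with the
        same name, plus a direct eval) and shows the language-level behaviour the engine
        has to preserve: both argument slots exist, but the single name `a` resolves to
        the last one. The names duplicateParams and observeDuplicateParams are
        assumptions made for the example.

```javascript
// Added example (not JSC code): a sloppy-mode function with two parameters of the
// same name plus a direct eval. The activation needs one scope slot per parameter,
// but the symbol table keys bindings by name, so it has a single entry for `a`.
// `new Function` is used so the function is sloppy-mode regardless of how this file
// is evaluated; duplicate parameter names are a SyntaxError in strict mode.
const duplicateParams = new Function(
  "a", "a",
  'eval(""); return { a: a, viaEval: eval("a"), first: arguments[0], second: arguments[1] };'
);

// Call the function and return what each way of reaching the parameters sees:
// `a` itself, `a` as seen by the direct eval, and the two raw argument slots.
function observeDuplicateParams(x, y) {
  return duplicateParams(x, y);
}

observeDuplicateParams(1, 2); // { a: 2, viaEval: 2, first: 1, second: 2 }
```

        Any transformation that walks only the name-keyed symbol table would see one
        binding here and silently drop the first slot, which is the mismatch the entry
        fixes by iterating scope offsets instead.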
851
852 2018-11-26  Mark Lam  <mark.lam@apple.com>
853
854         NaNs read from Wasm code need to be purified.
855         https://bugs.webkit.org/show_bug.cgi?id=191056
856         <rdar://problem/45660341>
857
858         Reviewed by Filip Pizlo.
859
860         * wasm/js/WebAssemblyModuleRecord.cpp:
861         (JSC::WebAssemblyModuleRecord::link):
862
863 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
864
865         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
866         https://bugs.webkit.org/show_bug.cgi?id=191716
867         <rdar://problem/45723878>
868
869         Reviewed by Saam Barati.
870
871         After https://bugs.webkit.org/show_bug.cgi?id=187373, when updating
872         jump targets during generatorification, we only stored the new jump
873         target when it changed. However, the out-of-line jump targets are
874         cleared at the beginning of the pass, so we need to store it
875         unconditionally.
876
877         * bytecode/PreciseJumpTargetsInlines.h:
878         (JSC::extractStoredJumpTargetsForInstruction):
879         (JSC::updateStoredJumpTargetsForInstruction):
880
881 2018-11-23  Wenson Hsieh  <wenson_hsieh@apple.com>
882
883         Enable drag and drop support for iOSMac
884         https://bugs.webkit.org/show_bug.cgi?id=191818
885         <rdar://problem/43907454>
886
887         Reviewed by Dean Jackson.
888
889         * Configurations/FeatureDefines.xcconfig:
890
891 2018-11-22  Mark Lam  <mark.lam@apple.com>
892
893         Make the jsc shell's dumpException() more robust against long exception strings.
894         https://bugs.webkit.org/show_bug.cgi?id=191910
895         <rdar://problem/46212980>
896
897         Reviewed by Michael Saboff.
898
899         This only affects the dumping of the exception string in the jsc shell due to
900         unhandled exceptions or exceptions at shell boot time before any JS code is
901         running.
902
903         * jsc.cpp:
904         (dumpException):
905
906 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
907
908         [JSC] Drop ARM_TRADITIONAL support in LLInt, baseline JIT, and DFG
909         https://bugs.webkit.org/show_bug.cgi?id=191675
910
911         Reviewed by Mark Lam.
912
913         We no longer maintain ARM_TRADITIONAL LLInt and JIT in JSC. This architecture will use
914         CLoop instead. This patch removes ARM_TRADITIONAL support in LLInt and JIT.
915
916         Discussed in https://lists.webkit.org/pipermail/webkit-dev/2018-October/030220.html.
917
918         * CMakeLists.txt:
919         * JavaScriptCore.xcodeproj/project.pbxproj:
920         * Sources.txt:
921         * assembler/ARMAssembler.cpp: Removed.
922         * assembler/ARMAssembler.h: Removed.
923         * assembler/LinkBuffer.cpp:
924         (JSC::LinkBuffer::linkCode):
925         (JSC::LinkBuffer::dumpCode):
926         * assembler/MacroAssembler.h:
927         (JSC::MacroAssembler::patchableBranch32):
928         * assembler/MacroAssemblerARM.cpp: Removed.
929         * assembler/MacroAssemblerARM.h: Removed.
930         * assembler/PerfLog.cpp:
931         * assembler/PerfLog.h:
932         * assembler/ProbeContext.h:
933         (JSC::Probe::CPUState::pc):
934         (JSC::Probe::CPUState::fp):
935         (JSC::Probe::CPUState::sp):
936         * assembler/testmasm.cpp:
937         (JSC::isPC):
938         (JSC::testProbeModifiesStackPointer):
939         (JSC::testProbeModifiesStackValues):
940         * bytecode/InlineAccess.h:
941         (JSC::InlineAccess::sizeForPropertyAccess):
942         (JSC::InlineAccess::sizeForPropertyReplace):
943         (JSC::InlineAccess::sizeForLengthAccess):
944         * dfg/DFGSpeculativeJIT.h:
945         * disassembler/CapstoneDisassembler.cpp:
946         (JSC::tryToDisassemble):
947         * jit/AssemblyHelpers.cpp:
948         (JSC::AssemblyHelpers::debugCall):
949         * jit/AssemblyHelpers.h:
950         * jit/CCallHelpers.h:
951         (JSC::CCallHelpers::setupArgumentsImpl):
952         (JSC::CCallHelpers::prepareForTailCallSlow):
953         * jit/CallFrameShuffler.cpp:
954         (JSC::CallFrameShuffler::prepareForTailCall):
955         * jit/HostCallReturnValue.cpp:
956         * jit/JITMathIC.h:
957         (JSC::isProfileEmpty):
958         * jit/RegisterSet.cpp:
959         (JSC::RegisterSet::reservedHardwareRegisters):
960         (JSC::RegisterSet::calleeSaveRegisters):
961         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
962         (JSC::RegisterSet::dfgCalleeSaveRegisters):
963         * jit/Repatch.cpp:
964         (JSC::forceICFailure):
965         * jit/ThunkGenerators.cpp:
966         (JSC::nativeForGenerator):
967         * llint/LLIntOfflineAsmConfig.h:
968         * llint/LowLevelInterpreter.asm:
969         * llint/LowLevelInterpreter32_64.asm:
970         * offlineasm/arm.rb:
971         * offlineasm/backends.rb:
972         * yarr/YarrJIT.cpp:
973         (JSC::Yarr::YarrGenerator::generateEnter):
974         (JSC::Yarr::YarrGenerator::generateReturn):
975
976 2018-11-21  Saam barati  <sbarati@apple.com>
977
978         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
979         https://bugs.webkit.org/show_bug.cgi?id=191897
980         <rdar://problem/45871998>
981
982         Reviewed by Mark Lam.
983
984         exitOK is a statement about it being legal to exit. mayExit() is about being
985         conservative and returning false only if an OSR exit *could never* happen.
986         mayExit() tries to be as smart as possible to see if it can return false.
987         It can't return false if a runtime exit *could* happen. However, there is
988         code in the compiler where mayExit() returns false (because it uses data
989         generated from AI about type checks being proved), but the code we emit in the
990         compiler backend unconditionally generates an OSR exit, even if that exit may
991         never execute. For example, let's say we have this IR:
992         
993         SomeNode(Boolean:@input)
994         
995         And we always emit code like this as a way of emitting a boolean type check:
996         
997         jump L1 if input == true
998         jump L1 if input == false
999         emit an OSR exit
1000         
1001         In such a program, when we generate the above OSR exit, in a validationEnabled()
1002         build, and if @input is proved to be a boolean, we'll end up crashing because we
1003         have the bogus assertion saying !exitOK. This is one reason why things are cleaner
1004         if we don't conflate mayExit() with exitOK.
1005
1006         * dfg/DFGSpeculativeJIT.cpp:
1007         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1008
1009 2018-11-21  Saam barati  <sbarati@apple.com>
1010
1011         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1012         https://bugs.webkit.org/show_bug.cgi?id=191895
1013         <rdar://problem/46167406>
1014
1015         Reviewed by Mark Lam.
1016
1017         We were asserting that the input edge should have type SpecCell but it should
1018         really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
1019         
1020         This patch cleans up that assertion code by joining a bunch of cases into a
1021         single function call which grabs the type filter for the edge UseKind and
1022         asserts that the incoming edge meets the type filter criteria.
1023
1024         * dfg/DFGSpeculativeJIT.cpp:
1025         (JSC::DFG::SpeculativeJIT::speculate):
1026         * ftl/FTLLowerDFGToB3.cpp:
1027         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1028
1029 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1030
1031         [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4`
1032         https://bugs.webkit.org/show_bug.cgi?id=191877
1033
1034         Reviewed by Sam Weinig.
1035
1036         Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters.
1037
1038         * interpreter/ProtoCallFrame.h:
1039         * llint/LowLevelInterpreter32_64.asm:
1040         * llint/LowLevelInterpreter64.asm:
1041
1042 2018-11-21  Mark Lam  <mark.lam@apple.com>
1043
1044         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1045         https://bugs.webkit.org/show_bug.cgi?id=191776
1046         <rdar://problem/46152851>
1047
1048         Reviewed by Saam Barati.
1049
1050         * wasm/WasmMemory.cpp:
1051         (JSC::Wasm::Memory::tryCreate):
1052         - return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE.
1053           The clients will already do a null check and throw an OutOfMemoryError if needed.
1054         (JSC::Wasm::Memory::grow):
1055         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
1056         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1057         (JSC::constructJSWebAssemblyMemory):
1058         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
1059
1060 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1061
1062         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1063         https://bugs.webkit.org/show_bug.cgi?id=190836
1064
1065         Reviewed by Saam Barati and Yusuke Suzuki.
1066
1067         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
1068         where we allocate a BigInt trusting the length received as argument.
1069         With this additional method, we now check that the length passed to
1070         `JSBigInt::tryCreateWithLength` is not greater than JSBigInt::maxLength.
1071         When the length is greater than JSBigInt::maxLength, we then throw an OOM
1072         exception.
1073         This required us to change the interface of some JSBigInt operations to
1074         receive `ExecState*` instead of `VM&`. We changed only operations that
1075         can throw because of OOM.
1076         We believe that this approach of throwing instead of finishing the
1077         execution abruptly is better because JS programs can catch such an
1078         exception and handle this issue properly.
1079
1080         * dfg/DFGOperations.cpp:
1081         * jit/JITOperations.cpp:
1082         * runtime/CommonSlowPaths.cpp:
1083         (JSC::SLOW_PATH_DECL):
1084         * runtime/JSBigInt.cpp:
1085         (JSC::JSBigInt::createZero):
1086         (JSC::JSBigInt::tryCreateWithLength):
1087         (JSC::JSBigInt::createWithLengthUnchecked):
1088         (JSC::JSBigInt::createFrom):
1089         (JSC::JSBigInt::multiply):
1090         (JSC::JSBigInt::divide):
1091         (JSC::JSBigInt::copy):
1092         (JSC::JSBigInt::unaryMinus):
1093         (JSC::JSBigInt::remainder):
1094         (JSC::JSBigInt::add):
1095         (JSC::JSBigInt::sub):
1096         (JSC::JSBigInt::bitwiseAnd):
1097         (JSC::JSBigInt::bitwiseOr):
1098         (JSC::JSBigInt::bitwiseXor):
1099         (JSC::JSBigInt::absoluteAdd):
1100         (JSC::JSBigInt::absoluteSub):
1101         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
1102         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
1103         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
1104         (JSC::JSBigInt::absoluteBitwiseOp):
1105         (JSC::JSBigInt::absoluteAddOne):
1106         (JSC::JSBigInt::absoluteSubOne):
1107         (JSC::JSBigInt::toStringGeneric):
1108         (JSC::JSBigInt::rightTrim):
1109         (JSC::JSBigInt::allocateFor):
1110         (JSC::JSBigInt::createWithLength): Deleted.
1111         * runtime/JSBigInt.h:
1112         * runtime/Operations.cpp:
1113         (JSC::jsAddSlowCase):
1114         * runtime/Operations.h:
1115         (JSC::jsSub):
1116         (JSC::jsMul):
1117
1118 2018-11-20  Mark Lam  <mark.lam@apple.com>
1119
1120         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1121         https://bugs.webkit.org/show_bug.cgi?id=191856
1122         <rdar://problem/46089992>
1123
1124         Reviewed by Yusuke Suzuki.
1125
1126         The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
1127         function is invalid because we can't be sure that the trap has been handled yet
1128         by the time the trap fires.  This is because the main thread may also check traps
1129         (in LLInt, baseline JIT and VM runtime code).  There's a race to handle the trap.
1130         Hence, the SigAction cannot assume that the trap still needs handling by the time
1131         it is executed.  This patch removed the invalid assertion.
1132
1133         Also renamed m_trapSet to m_condition because it is an AutomaticThreadCondition,
1134         and all the ways it is used are as a condvar.  The m_trapSet name doesn't seem
1135         appropriate nor meaningful.
1136
1137         * runtime/VMTraps.cpp:
1138         (JSC::VMTraps::tryInstallTrapBreakpoints):
1139         - Added a !needTrapHandling() check as an optimization: there's no need to install
1140           VMTrap breakpoints if someone already beat us to handling the trap (remember,
1141           the main thread is racing against the VMTraps signalling thread to handle the
1142           trap too).  We only need to install the VMTraps breakpoints if we need DFG/FTL
1143           compiled code to deopt so that they can check and handle pending traps.  If the
1144           trap has already been handled, it's better to not deopt any DFG/FTL functions.
1145
1146         (JSC::VMTraps::willDestroyVM):
1147         (JSC::VMTraps::fireTrap):
1148         (JSC::VMTraps::VMTraps):
1149         * runtime/VMTraps.h:
1150
1151 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1152
1153         Enable JIT on ARM/Linux
1154         https://bugs.webkit.org/show_bug.cgi?id=191548
1155
1156         Reviewed by Yusuke Suzuki.
1157
1158         Enable JIT by default on ARMv7/Linux after it was disabled with
1159         recent bytecode format change.
1160
1161         * bytecode/CodeBlock.cpp:
1162         (JSC::CodeBlock::getICStatusMap):
1163         * bytecode/CodeBlock.h:
1164         (JSC::CodeBlock::metadata):
1165         * bytecode/InByIdStatus.cpp:
1166         (JSC::InByIdStatus::computeFor):
1167         * bytecode/Instruction.h:
1168         (JSC::Instruction::cast):
1169         * bytecode/MetadataTable.h:
1170         (JSC::MetadataTable::forEach):
1171         * bytecode/PutByIdStatus.cpp:
1172         (JSC::PutByIdStatus::computeFor):
1173         (JSC::PutByIdStatus::hasExitSite): Deleted.
1174         * bytecode/PutByIdStatus.h:
1175         * dfg/DFGOSRExit.cpp:
1176         (JSC::DFG::reifyInlinedCallFrames):
1177         * dfg/DFGOSRExitCompilerCommon.cpp:
1178         (JSC::DFG::reifyInlinedCallFrames):
1179         * generator/Argument.rb:
1180         * generator/Opcode.rb:
1181         * jit/GPRInfo.h:
1182         * jit/JIT.h:
1183         * jit/JITArithmetic32_64.cpp:
1184         (JSC::JIT::emit_compareAndJump):
1185         (JSC::JIT::emit_compareUnsignedAndJump):
1186         (JSC::JIT::emit_compareUnsigned):
1187         (JSC::JIT::emit_compareAndJumpSlow):
1188         (JSC::JIT::emit_op_unsigned):
1189         (JSC::JIT::emit_op_inc):
1190         (JSC::JIT::emit_op_dec):
1191         (JSC::JIT::emitBinaryDoubleOp):
1192         (JSC::JIT::emit_op_mod):
1193         (JSC::JIT::emitSlow_op_mod):
1194         * jit/JITCall32_64.cpp:
1195         (JSC::JIT::emitPutCallResult):
1196         (JSC::JIT::emit_op_ret):
1197         (JSC::JIT::emitSlow_op_call):
1198         (JSC::JIT::emitSlow_op_tail_call):
1199         (JSC::JIT::emitSlow_op_call_eval):
1200         (JSC::JIT::emitSlow_op_call_varargs):
1201         (JSC::JIT::emitSlow_op_tail_call_varargs):
1202         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
1203         (JSC::JIT::emitSlow_op_construct_varargs):
1204         (JSC::JIT::emitSlow_op_construct):
1205         (JSC::JIT::emit_op_call):
1206         (JSC::JIT::emit_op_tail_call):
1207         (JSC::JIT::emit_op_call_eval):
1208         (JSC::JIT::emit_op_call_varargs):
1209         (JSC::JIT::emit_op_tail_call_varargs):
1210         (JSC::JIT::emit_op_tail_call_forward_arguments):
1211         (JSC::JIT::emit_op_construct_varargs):
1212         (JSC::JIT::emit_op_construct):
1213         (JSC::JIT::compileSetupFrame):
1214         (JSC::JIT::compileCallEval):
1215         (JSC::JIT::compileCallEvalSlowCase):
1216         (JSC::JIT::compileOpCall):
1217         (JSC::JIT::compileOpCallSlowCase):
1218         (JSC::JIT::compileSetupVarargsFrame): Deleted.
1219         * jit/JITInlines.h:
1220         (JSC::JIT::updateTopCallFrame):
1221         * jit/JITOpcodes.cpp:
1222         (JSC::JIT::emit_op_catch):
1223         (JSC::JIT::emitSlow_op_loop_hint):
1224         * jit/JITOpcodes32_64.cpp:
1225         (JSC::JIT::emit_op_mov):
1226         (JSC::JIT::emit_op_end):
1227         (JSC::JIT::emit_op_jmp):
1228         (JSC::JIT::emit_op_new_object):
1229         (JSC::JIT::emitSlow_op_new_object):
1230         (JSC::JIT::emit_op_overrides_has_instance):
1231         (JSC::JIT::emit_op_instanceof):
1232         (JSC::JIT::emit_op_instanceof_custom):
1233         (JSC::JIT::emitSlow_op_instanceof):
1234         (JSC::JIT::emitSlow_op_instanceof_custom):
1235         (JSC::JIT::emit_op_is_empty):
1236         (JSC::JIT::emit_op_is_undefined):
1237         (JSC::JIT::emit_op_is_boolean):
1238         (JSC::JIT::emit_op_is_number):
1239         (JSC::JIT::emit_op_is_cell_with_type):
1240         (JSC::JIT::emit_op_is_object):
1241         (JSC::JIT::emit_op_to_primitive):
1242         (JSC::JIT::emit_op_set_function_name):
1243         (JSC::JIT::emit_op_not):
1244         (JSC::JIT::emit_op_jfalse):
1245         (JSC::JIT::emit_op_jtrue):
1246         (JSC::JIT::emit_op_jeq_null):
1247         (JSC::JIT::emit_op_jneq_null):
1248         (JSC::JIT::emit_op_jneq_ptr):
1249         (JSC::JIT::emit_op_eq):
1250         (JSC::JIT::emitSlow_op_eq):
1251         (JSC::JIT::emit_op_jeq):
1252         (JSC::JIT::emitSlow_op_jeq):
1253         (JSC::JIT::emit_op_neq):
1254         (JSC::JIT::emitSlow_op_neq):
1255         (JSC::JIT::emit_op_jneq):
1256         (JSC::JIT::emitSlow_op_jneq):
1257         (JSC::JIT::compileOpStrictEq):
1258         (JSC::JIT::emit_op_stricteq):
1259         (JSC::JIT::emit_op_nstricteq):
1260         (JSC::JIT::compileOpStrictEqJump):
1261         (JSC::JIT::emit_op_jstricteq):
1262         (JSC::JIT::emit_op_jnstricteq):
1263         (JSC::JIT::emitSlow_op_jstricteq):
1264         (JSC::JIT::emitSlow_op_jnstricteq):
1265         (JSC::JIT::emit_op_eq_null):
1266         (JSC::JIT::emit_op_neq_null):
1267         (JSC::JIT::emit_op_throw):
1268         (JSC::JIT::emit_op_to_number):
1269         (JSC::JIT::emit_op_to_string):
1270         (JSC::JIT::emit_op_to_object):
1271         (JSC::JIT::emit_op_catch):
1272         (JSC::JIT::emit_op_identity_with_profile):
1273         (JSC::JIT::emit_op_get_parent_scope):
1274         (JSC::JIT::emit_op_switch_imm):
1275         (JSC::JIT::emit_op_switch_char):
1276         (JSC::JIT::emit_op_switch_string):
1277         (JSC::JIT::emit_op_debug):
1278         (JSC::JIT::emit_op_enter):
1279         (JSC::JIT::emit_op_get_scope):
1280         (JSC::JIT::emit_op_create_this):
1281         (JSC::JIT::emit_op_to_this):
1282         (JSC::JIT::emit_op_check_tdz):
1283         (JSC::JIT::emit_op_has_structure_property):
1284         (JSC::JIT::privateCompileHasIndexedProperty):
1285         (JSC::JIT::emit_op_has_indexed_property):
1286         (JSC::JIT::emitSlow_op_has_indexed_property):
1287         (JSC::JIT::emit_op_get_direct_pname):
1288         (JSC::JIT::emit_op_enumerator_structure_pname):
1289         (JSC::JIT::emit_op_enumerator_generic_pname):
1290         (JSC::JIT::emit_op_profile_type):
1291         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1292         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1293         * jit/JITPropertyAccess32_64.cpp:
1294         (JSC::JIT::emit_op_put_getter_by_id):
1295         (JSC::JIT::emit_op_put_setter_by_id):
1296         (JSC::JIT::emit_op_put_getter_setter_by_id):
1297         (JSC::JIT::emit_op_put_getter_by_val):
1298         (JSC::JIT::emit_op_put_setter_by_val):
1299         (JSC::JIT::emit_op_del_by_id):
1300         (JSC::JIT::emit_op_del_by_val):
1301         (JSC::JIT::emit_op_get_by_val):
1302         (JSC::JIT::emitGetByValWithCachedId):
1303         (JSC::JIT::emitSlow_op_get_by_val):
1304         (JSC::JIT::emit_op_put_by_val_direct):
1305         (JSC::JIT::emit_op_put_by_val):
1306         (JSC::JIT::emitGenericContiguousPutByVal):
1307         (JSC::JIT::emitArrayStoragePutByVal):
1308         (JSC::JIT::emitPutByValWithCachedId):
1309         (JSC::JIT::emitSlow_op_put_by_val):
1310         (JSC::JIT::emit_op_try_get_by_id):
1311         (JSC::JIT::emitSlow_op_try_get_by_id):
1312         (JSC::JIT::emit_op_get_by_id_direct):
1313         (JSC::JIT::emitSlow_op_get_by_id_direct):
1314         (JSC::JIT::emit_op_get_by_id):
1315         (JSC::JIT::emitSlow_op_get_by_id):
1316         (JSC::JIT::emit_op_get_by_id_with_this):
1317         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1318         (JSC::JIT::emit_op_put_by_id):
1319         (JSC::JIT::emitSlow_op_put_by_id):
1320         (JSC::JIT::emit_op_in_by_id):
1321         (JSC::JIT::emitSlow_op_in_by_id):
1322         (JSC::JIT::emit_op_resolve_scope):
1323         (JSC::JIT::emit_op_get_from_scope):
1324         (JSC::JIT::emitSlow_op_get_from_scope):
1325         (JSC::JIT::emit_op_put_to_scope):
1326         (JSC::JIT::emitSlow_op_put_to_scope):
1327         (JSC::JIT::emit_op_get_from_arguments):
1328         (JSC::JIT::emit_op_put_to_arguments):
1329         * jit/RegisterSet.cpp:
1330         (JSC::RegisterSet::vmCalleeSaveRegisters):
1331         * llint/LLIntData.cpp:
1332         (JSC::LLInt::Data::performAssertions):
1333         * llint/LowLevelInterpreter.asm:
1334         * runtime/SamplingProfiler.cpp:
1335         (JSC::tryGetBytecodeIndex):
1336
1337 2018-11-20  Saam barati  <sbarati@apple.com>
1338
1339         Merging an IC variant may lead to the IC status containing overlapping structure sets
1340         https://bugs.webkit.org/show_bug.cgi?id=191869
1341         <rdar://problem/45403453>
1342
1343         Reviewed by Mark Lam.
1344
1345         When merging two IC variant lists, we may end up in a world where we have
1346         overlapping structure sets. We defend against this when we append a new
1347         variant, but we should also defend against it once we merge in a new variant.
1348         
1349         Consider this case with MultiPutByOffset, where we merge two PutByIdStatuses
1350         together, P1 and P2.
1351         
1352         Let's consider these structures:
1353         s1 = {}
1354         s2 = {p: 0}
1355         s3 = {p: 0, p2: 1}
1356         
1357         P1 contains these variants:
1358         Transition: [s1 => s2]
1359         Replace: [s2, s3]
1360         
1361         P2 contains:
1362         Replace: [s2]
1363         
1364         Because of the ordering of the variants, we may end up combining
1365         P2's replace into P1's transition, forming this new list:
1366         Transition: [(s1, s2) => s2]
1367         Replace: [s2, s3]
1368         
1369         Obviously the ideal thing here is to have some ordering when we merge
1370         in variants to choose the most ideal option. It'd be ideal for P2's
1371         Replace to be merged into P1's replace.
1372         
1373         If we notice that this is super important, we can implement some kind
1374         of ordering. None of our tests (until this patch) stress this. This patch
1375         just makes it so we defend against this crazy scenario by falling back
1376         to the slow path gracefully. This prevents us from emitting invalid
1377         IR in FTL->B3 lowering by creating a switch with two case labels being
1378         identical values.
1379
1380         * bytecode/ICStatusUtils.h:
1381         (JSC::appendICStatusVariant):
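
        The following is an added, simplified model, not code from this patch or from
        JSC: it reproduces the P1/P2 scenario above and shows the invariant check the
        entry describes (no structure may be claimed by two variants), with a fall back
        signalled to the caller when the check fails. Structures are modelled as
        strings; the merge policy in attemptToMerge (a variant is absorbed by the first
        variant willing to take it, and a Transition absorbs a Replace on its target
        structure) is a hypothetical stand-in chosen only to reproduce the scenario, not
        JSC's real merge logic. All function names are assumptions made for the example.

```javascript
// Added example (not JSC code): merging IC variant lists and then checking that
// no two variants overlap. A structure is a string; a variant is a kind plus a Set
// of structures it applies to and, for transitions, the structure it produces.

function transition(oldStructures, newStructure) {
  return { kind: "Transition", structures: new Set(oldStructures), newStructure };
}
function replace(structures) {
  return { kind: "Replace", structures: new Set(structures) };
}

// Hypothetical merge rule (not JSC's attemptToMerge). Returns true if `target`
// absorbed `variant`, mutating target's structure set.
function attemptToMerge(target, variant) {
  if (target.kind === "Replace" && variant.kind === "Replace") {
    for (const s of variant.structures) target.structures.add(s);
    return true;
  }
  if (target.kind === "Transition" && variant.kind === "Replace"
      && variant.structures.size === 1 && variant.structures.has(target.newStructure)) {
    // A Replace on the transition's target structure is folded into the transition,
    // which is exactly how [s1 => s2] turns into [(s1, s2) => s2] in the entry.
    target.structures.add(target.newStructure);
    return true;
  }
  return false;
}

// True if some structure is claimed by more than one variant in the list.
function hasOverlappingStructureSets(variants) {
  const seen = new Set();
  for (const v of variants) {
    for (const s of v.structures) {
      if (seen.has(s)) return true;
      seen.add(s);
    }
  }
  return false;
}

function cloneVariant(v) {
  return { ...v, structures: new Set(v.structures) };
}

// Merge every variant of `incoming` into a copy of `list`. Returns the merged list,
// or null to tell the caller to give up on the IC and use the generic slow path.
function mergeVariants(list, incoming) {
  const merged = list.map(cloneVariant);
  for (const variant of incoming) {
    if (!merged.some(target => attemptToMerge(target, variant)))
      merged.push(cloneVariant(variant));
    // The overlap check must run after a merge as well as after an append.
    if (hasOverlappingStructureSets(merged)) return null;
  }
  return merged;
}

// The scenario from the entry: s1 = {}, s2 = {p: 0}, s3 = {p: 0, p2: 1}.
const P1 = [transition(["s1"], "s2"), replace(["s2", "s3"])];
const P2 = [replace(["s2"])];
mergeVariants(P1, P2); // null: (s1, s2) => s2 overlaps Replace [s2, s3], fall back
```

        A merged list that passes the check can be lowered to a switch over structures
        with distinct case labels; a null result is the graceful fallback that avoids
        the duplicate-label IR the entry mentions.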
1382
1383 2018-11-20  Fujii Hironori  <Hironori.Fujii@sony.com>
1384
1385         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1386         https://bugs.webkit.org/show_bug.cgi?id=191626
1387         <rdar://problem/46161064>
1388
1389         Unreviewed adding comment for my change r238366.
1390
1391         * runtime/Structure.h: Added a comment for Structure::create.
1392
1393 2018-11-19  Mark Lam  <mark.lam@apple.com>
1394
1395         globalFuncImportModule() should return a promise when it clears exceptions.
1396         https://bugs.webkit.org/show_bug.cgi?id=191792
1397         <rdar://problem/46090763>
1398
1399         Reviewed by Michael Saboff.
1400
1401         If we're clearing the exceptions in a CatchScope, then it means that we've handled
1402         the exception, and are able to proceed in a normal manner.  Hence, we should not
1403         return the empty JSValue in this case: instead, we should return a Promise as
1404         expected by import's API.
1405
1406         The only time when we can't return a promise is when we fail to create a Promise.
1407         In that case, we should be propagating the exception.
1408
1409         Hence, globalFuncImportModule() contains a ThrowScope (for propagating the
1410         exception that arises from failure to create the Promise) wrapping a CatchScope
1411         (for catching any exception that arises from failure to execute the import).
1412
1413         Also fixed similar issues, and some exception check issues in JSModuleLoader and
1414         the jsc shell.
1415
1416         * jsc.cpp:
1417         (GlobalObject::moduleLoaderImportModule):
1418         (GlobalObject::moduleLoaderFetch):
1419         * runtime/JSGlobalObjectFunctions.cpp:
1420         (JSC::globalFuncImportModule):
1421         * runtime/JSModuleLoader.cpp:
1422         (JSC::JSModuleLoader::loadAndEvaluateModule):
1423         (JSC::JSModuleLoader::loadModule):
1424         (JSC::JSModuleLoader::requestImportModule):
1425         (JSC::JSModuleLoader::importModule):
1426         (JSC::JSModuleLoader::resolve):
1427         (JSC::JSModuleLoader::fetch):
1428         (JSC::moduleLoaderParseModule):
1429         (JSC::moduleLoaderResolveSync):
1430
1431 2018-11-19  Alex Christensen  <achristensen@webkit.org>
1432
1433         Add SPI to disable JIT in a WKWebView
1434         https://bugs.webkit.org/show_bug.cgi?id=191822
1435         <rdar://problem/28119360>
1436
1437         Reviewed by Geoffrey Garen.
1438
1439         * jit/ExecutableAllocator.cpp:
1440         (JSC::jitDisabled):
1441         (JSC::allowJIT):
1442         (JSC::ExecutableAllocator::setJITEnabled):
1443         * jit/ExecutableAllocator.h:
1444         (JSC::ExecutableAllocator::setJITEnabled):
1445
1446 2018-11-19  Fujii Hironori  <Hironori.Fujii@sony.com>
1447
1448         [MSVC] X86Assembler.h(108): error C2666: 'WebCore::operator -': 7 overloads have similar conversions
1449         https://bugs.webkit.org/show_bug.cgi?id=189467
1450         <rdar://problem/44290945>
1451
1452         Reviewed by Mark Lam.
1453
1454         This issue has happened several times. And, it seems that it will
1455         take more time for Microsoft to fix the MSVC bug. We need an
1456         effective workaround not to repeat this issue until they fix MSVC.
1457
1458         Remove ": int8_t" of RegisterID only for COMPILER(MSVC).
1459
1460         * assembler/X86Assembler.h: Added JSC_X86_ASM_REGISTER_ID_ENUM_BASE_TYPE macro.
1461
1462 2018-11-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1463
1464         [WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper
1465         https://bugs.webkit.org/show_bug.cgi?id=190512
1466
1467         Reviewed by Keith Miller.
1468
1469         This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this
1470         check can be done when compiling the function, we should encode the result into the generated wrapper instead of
1471         checking every time we call callWebAssemblyFunction. This change is also one of the steps removing callWebAssemblyFunction
1472         entirely.
1473
1474         * wasm/WasmExceptionType.h:
1475         * wasm/js/JSToWasm.cpp:
1476         (JSC::Wasm::createJSToWasmWrapper):
1477         * wasm/js/WebAssemblyFunction.cpp:
1478         (JSC::callWebAssemblyFunction):
1479         * wasm/js/WebAssemblyWrapperFunction.cpp:
1480         (JSC::callWebAssemblyWrapperFunction):
1481
1482 2018-11-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1483
1484         Consider removing double load for accessing the instructions from LLInt
1485         https://bugs.webkit.org/show_bug.cgi?id=190932
1486
1487         Reviewed by Mark Lam.
1488
1489         Changing InstructionStream to a RefCountedArray-like structure involves so many changes,
1490         including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply holds a raw
1491         pointer to the InstructionStream's data. Since InstructionStream is not changed
1492         anymore, this pointer is valid while CodeBlock is live.
1493
1494         * bytecode/CodeBlock.cpp:
1495         (JSC::CodeBlock::CodeBlock):
1496         * bytecode/CodeBlock.h:
1497         * bytecode/InstructionStream.h:
1498         (JSC::InstructionStream::rawPointer const):
1499         * llint/LowLevelInterpreter.asm:
1500         * llint/LowLevelInterpreter32_64.asm:
1501         * llint/LowLevelInterpreter64.asm:
1502
1503 2018-11-18  Fujii Hironori  <Hironori.Fujii@sony.com>
1504
1505         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1506         https://bugs.webkit.org/show_bug.cgi?id=191626
1507
1508         Reviewed by Yusuke Suzuki.
1509
1510         JSC::Structure::create is used everywhere. It should be defined in
1511         Structure.h, not in StructureInlines.h.
1512
1513         * runtime/Structure.h:
1514         (JSC::Structure::create): Moved.
1515         * runtime/StructureInlines.h: Moved JSC::Structure::create.
1516
1517 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1518
1519         Unreviewed, rolling in the rest of r237254
1520         https://bugs.webkit.org/show_bug.cgi?id=190340
1521
1522         * parser/ParserModes.h:
1523         * parser/ParserTokens.h:
1524         (JSC::JSTextPosition::JSTextPosition):
1525         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
1526         * runtime/CodeCache.cpp:
1527         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1528         * runtime/FunctionConstructor.cpp:
1529         (JSC::constructFunctionSkippingEvalEnabledCheck):
1530
1531 2018-11-17  Devin Rousso  <drousso@apple.com>
1532
1533         Web Inspector: Network: add button to show system certificate dialog
1534         https://bugs.webkit.org/show_bug.cgi?id=191458
1535         <rdar://problem/45977019>
1536
1537         Reviewed by Joseph Pecoraro.
1538
1539         * inspector/protocol/Network.json:
1540         Add `getSerializedCertificate` command.
1541
1542 2018-11-17  Dominik Infuehr  <dinfuehr@igalia.com>
1543
1544         Fix build with disabled DFG/FTL
1545         https://bugs.webkit.org/show_bug.cgi?id=191256
1546
1547         Reviewed by Yusuke Suzuki.
1548
1549         Fix compilation errors and warnings with both DFG and FTL
1550         disabled at compile-time.
1551
1552         * bytecode/CodeBlock.cpp:
1553         (JSC::CodeBlock::getICStatusMap):
1554         * bytecode/InByIdStatus.cpp:
1555         (JSC::InByIdStatus::computeFor):
1556         * bytecode/PutByIdStatus.cpp:
1557         (JSC::PutByIdStatus::computeFor):
1558         (JSC::PutByIdStatus::hasExitSite): Deleted.
1559         * bytecode/PutByIdStatus.h:
1560         * jit/JITOpcodes.cpp:
1561         (JSC::JIT::emit_op_catch):
1562
1563 2018-11-16  Joseph Pecoraro  <pecoraro@apple.com>
1564
1565         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Local Inspector)
1566         https://bugs.webkit.org/show_bug.cgi?id=191740
1567         <rdar://problem/45470897>
1568
1569         Reviewed by Timothy Hatcher.
1570
1571         * inspector/InspectorFrontendChannel.h:
1572         Expose EnumTraits for ConnectionType for WebKit IPC messages.
1573
1574 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1575
1576         All users of ArrayBuffer should agree on the same max size
1577         https://bugs.webkit.org/show_bug.cgi?id=191771
1578
1579         Reviewed by Mark Lam.
1580
1581         Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
1582         a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
1583         instead.
1584
1585         * runtime/ArrayBuffer.cpp:
1586         (JSC::ArrayBufferContents::ArrayBufferContents):
1587         (JSC::ArrayBufferContents::tryAllocate):
1588         (JSC::ArrayBufferContents::transferTo):
1589         (JSC::ArrayBufferContents::copyTo):
1590         (JSC::ArrayBufferContents::shareWith):
1591         * runtime/ArrayBuffer.h:
1592         * wasm/WasmMemory.cpp:
1593         (JSC::Wasm::Memory::tryCreate):
1594         (JSC::Wasm::Memory::grow):
1595         * wasm/WasmPageCount.h:
1596
1597 2018-11-16  Saam Barati  <sbarati@apple.com>
1598
1599         KnownCellUse should also have SpecCellCheck as its type filter
1600         https://bugs.webkit.org/show_bug.cgi?id=191729
1601         <rdar://problem/45872852>
1602
1603         Reviewed by Filip Pizlo.
1604
1605         We write transformations in the compiler like this where we emit edges with
1606         KnownCellUse if we know we're inserting code at a point where we're dominated
1607         by a Cell check:
1608         
1609         a: SomeValue
1610         b: Something(Cell:@a)
1611         c: SomethingElse(@b)
1612         d: CheckNotEmpty(@a)
1613         
1614         =>
1615         
1616         a: SomeValue
1617         b: Something(Cell:@a)
1618         e: RandomOtherThing(KnownCellUse:@a)
1619         c: SomethingElse(@b)
1620         d: CheckNotEmpty(@a)
1621         
1622         However, doing this used to lead to subtly incorrect programs since KnownCellUse
1623         did not allow the empty value to flow through it. We used to end up incorrectly
1624         deleting @d in the above program. We fix this by making KnownCellUse allow the empty
1625         value to flow through.
1626
1627         * dfg/DFGUseKind.h:
1628         (JSC::DFG::typeFilterFor):
1629
1630 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1631
1632         Fix assertion failure on BytecodeGenerator::recordOpcode
1633         https://bugs.webkit.org/show_bug.cgi?id=191724
1634         <rdar://problem/45724395>
1635
1636         Reviewed by Saam Barati.
1637
1638         Since https://bugs.webkit.org/show_bug.cgi?id=187373, we were not
1639         restoring m_lastInstruction after patching the bytecode when
1640         finalizing StructureForInContexts, only m_lastOpcodeID, which led to
1641         the assertion failure.
1642
1643         * bytecompiler/BytecodeGenerator.cpp:
1644         (JSC::StructureForInContext::finalize):
1645
1646 2018-11-15  Mark Lam  <mark.lam@apple.com>
1647
1648         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1649         https://bugs.webkit.org/show_bug.cgi?id=191730
1650         <rdar://problem/46048517>
1651
1652         Reviewed by Saam Barati.
1653
1654         According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
1655         the RegExp match results are filled in using the spec's CreateDataProperty()
1656         function which does not consult the prototype for setters.  JSArray::push()
1657         consults the prototype for setters.  We should be using putDirectIndex() instead.
1658
1659         * runtime/RegExpObjectInlines.h:
1660         (JSC::collectMatches):
1661
1662 2018-11-15  Mark Lam  <mark.lam@apple.com>
1663
1664         RegExp operations should not take fast path if lastIndex is not numeric.
1665         https://bugs.webkit.org/show_bug.cgi?id=191731
1666         <rdar://problem/46017305>
1667
1668         Reviewed by Saam Barati.
1669
1670         This is because if lastIndex is an object with a valueOf() method, it can execute
1671         arbitrary code which may have side effects, and side effects are not permitted by
1672         the RegExp fast paths.
1673
1674         * builtins/RegExpPrototype.js:
1675         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
1676         (overriddenName.string_appeared_here.search):
1677         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
1678         (intrinsic.RegExpTestIntrinsic.test):
1679         * builtins/StringPrototype.js:
1680         (globalPrivate.hasObservableSideEffectsForStringReplace):
1681
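The two RegExp entries above describe spec behaviour that can be checked from plain JavaScript: @@match results are filled with CreateDataProperty (own data properties, no prototype setters consulted), and an object-valued lastIndex runs user code through valueOf() when it is read. The following is an added example, not JavaScriptCore code; it runs under Node.js or any spec-conforming engine, and the two function names are chosen for this example.

```javascript
// Added example (not JavaScriptCore code): two spec-behaviour checks for the
// RegExp entries above. Both function names are assumptions made for this example.

// 1. RegExp.prototype[@@match] must fill its result array with
//    CreateDataProperty, i.e. define own indexed properties without consulting
//    Array.prototype. An engine that filled the array with [[Set]] semantics
//    (the JSArray::push behaviour the entry above warns about) would invoke the
//    setter installed below.
function matchResultBypassesPrototypeSetter() {
  let setterCalls = 0;
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, "0");
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    get() { return undefined; },
    set() { setterCalls++; },
  });
  try {
    const result = "banana".match(/a/g); // per spec: ["a", "a", "a"]
    return {
      setterCalls,                          // must stay 0
      matches: result.length,               // 3
      // index 0 is an own data property, not the accessor inherited above
      ownFirst: Object.prototype.hasOwnProperty.call(result, "0"),
      first: result[0],                     // "a"
    };
  } finally {
    // Undo the change to Array.prototype so the rest of the program is unaffected.
    if (saved) Object.defineProperty(Array.prototype, "0", saved);
    else delete Array.prototype[0];
    Array.prototype.length = 0;
  }
}

// 2. RegExpBuiltinExec reads lastIndex with ToLength, which calls valueOf() on
//    an object-valued lastIndex. That call can run arbitrary user code with
//    side effects, so a side-effect-free fast path may only be taken when
//    lastIndex is already a number. Here valueOf() is observed exactly once.
function lastIndexValueOfIsObserved() {
  const re = /a/g;
  const events = [];
  re.lastIndex = {
    valueOf() {
      events.push("valueOf");
      return 0; // start scanning from the beginning of the subject string
    },
  };
  // First "a" in "banana" is at index 1, so the engine stores lastIndex = 2.
  const matched = re.test("banana");
  return { matched, valueOfCalls: events.length, lastIndexAfter: re.lastIndex };
}

// Run stand-alone: node this_file.js
console.log(matchResultBypassesPrototypeSetter());
console.log(lastIndexValueOfIsObserved());
```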
1682 2018-11-15  Keith Rollin  <krollin@apple.com>
1683
1684         Delete old .xcfilelist files
1685         https://bugs.webkit.org/show_bug.cgi?id=191669
1686         <rdar://problem/46081994>
1687
1688         Reviewed by Chris Dumez.
1689
1690         .xcfilelist files were created and added to the Xcode project files in
1691         https://trac.webkit.org/changeset/238008/webkit. However, they caused
1692         build issues and they were removed from the Xcode projects in
1693         https://trac.webkit.org/changeset/238055/webkit. This check-in removes
1694         the files from the repository altogether. They'll ultimately be
1695         replaced with new files with names that indicate whether the
1696         associated files are inputs to the Run Script phase or are files
1697         created by the Run Script phase.
1698
1699         * DerivedSources.xcfilelist: Removed.
1700         * UnifiedSources.xcfilelist: Removed.
1701
1702 2018-11-14  Keith Rollin  <krollin@apple.com>
1703
1704         Move scripts for Derived and Unified Sources to external files
1705         https://bugs.webkit.org/show_bug.cgi?id=191670
1706         <rdar://problem/46082278>
1707
1708         Reviewed by Keith Miller.
1709
1710         Move the scripts in the Generate Derived Sources and Generate Unified
1711         Sources Run Script phases from the Xcode projects to external shell
1712         script files. Then invoke those scripts from the Run Script phases.
1713         This refactoring is being performed to support later work that will
1714         invoke these scripts in other contexts.
1715
1716         The scripts were maintained as-is when making the move. I did a little
1717         reformatting and added 'set -e' to the top of each file, but that's
1718         it.
1719
1720         * JavaScriptCore.xcodeproj/project.pbxproj:
1721         * Scripts/generate-derived-sources.sh: Added.
1722         * Scripts/generate-unified-sources.sh: Added.
1723
1724 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1725
1726         Web Inspector: Pass Inspector::FrontendChannel as a reference connect/disconnect methods
1727         https://bugs.webkit.org/show_bug.cgi?id=191612
1728
1729         Reviewed by Matt Baker.
1730
1731         * inspector/InspectorFrontendRouter.cpp:
1732         (Inspector::FrontendRouter::connectFrontend):
1733         (Inspector::FrontendRouter::disconnectFrontend):
1734         * inspector/InspectorFrontendRouter.h:
1735         * inspector/JSGlobalObjectInspectorController.cpp:
1736         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1737         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1738         * inspector/JSGlobalObjectInspectorController.h:
1739         * inspector/remote/RemoteControllableTarget.h:
1740         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
1741         (Inspector::RemoteConnectionToTarget::setup):
1742         (Inspector::RemoteConnectionToTarget::close):
1743         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
1744         (Inspector::RemoteConnectionToTarget::setup):
1745         (Inspector::RemoteConnectionToTarget::close):
1746         * runtime/JSGlobalObjectDebuggable.cpp:
1747         (JSC::JSGlobalObjectDebuggable::connect):
1748         (JSC::JSGlobalObjectDebuggable::disconnect):
1749         * runtime/JSGlobalObjectDebuggable.h:
1750
1751 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1752
1753         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Remote Inspector)
1754         https://bugs.webkit.org/show_bug.cgi?id=191494
1755         <rdar://problem/45469854>
1756
1757         Reviewed by Devin Rousso.
1758
1759         * CMakeLists.txt:
1760         * DerivedSources.make:
1761         * JavaScriptCore.xcodeproj/project.pbxproj:
1762         * Sources.txt:
1763         New domain and resources.
1764
1765         * inspector/protocol/Target.json: Added.
1766         New protocol domain, modeled after Worker.json, to allow for
1767         multiplexing between different targets.
1768
1769         * inspector/InspectorTarget.h:
1770         Each target will instantiate an InspectorTarget and must
1771         provide an identifier, type, and means of connecting/disconnecting
1772         to a frontend channel.
1773
1774         * inspector/agents/InspectorTargetAgent.cpp: Added.
1775         (Inspector::InspectorTargetAgent::InspectorTargetAgent):
1776         (Inspector::InspectorTargetAgent::didCreateFrontendAndBackend):
1777         (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend):
1778         (Inspector::InspectorTargetAgent::exists):
1779         (Inspector::InspectorTargetAgent::initialized):
1780         (Inspector::InspectorTargetAgent::sendMessageToTarget):
1781         (Inspector::InspectorTargetAgent::sendMessageFromTargetToFrontend):
1782         (Inspector::targetTypeToProtocolType):
1783         (Inspector::buildTargetInfoObject):
1784         (Inspector::InspectorTargetAgent::targetCreated):
1785         (Inspector::InspectorTargetAgent::targetTerminated):
1786         (Inspector::InspectorTargetAgent::connectToTargets):
1787         (Inspector::InspectorTargetAgent::disconnectFromTargets):
1788         * inspector/agents/InspectorTargetAgent.h: Added.
1789         TargetAgent holds a list of targets, and connects/disconnects to each
1790         of the targets when a frontend connects/disconnects.
1791
1792         * inspector/scripts/codegen/generator.py:
1793         Better enum casing of ServiceWorker.
1794
1795 2018-11-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1796
1797         Unreviewed, rolling in CodeCache in r237254
1798         https://bugs.webkit.org/show_bug.cgi?id=190340
1799
1800         Land the CodeCache part without adding an additional hash value.
1801
1802         * bytecode/UnlinkedFunctionExecutable.cpp:
1803         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1804         * bytecode/UnlinkedFunctionExecutable.h:
1805         * parser/SourceCodeKey.h:
1806         (JSC::SourceCodeKey::SourceCodeKey):
1807         (JSC::SourceCodeKey::operator== const):
1808         * runtime/CodeCache.cpp:
1809         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1810         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1811         * runtime/CodeCache.h:
1812         * runtime/FunctionConstructor.cpp:
1813         (JSC::constructFunctionSkippingEvalEnabledCheck):
1814         * runtime/FunctionExecutable.cpp:
1815         (JSC::FunctionExecutable::fromGlobalCode):
1816         * runtime/FunctionExecutable.h:
1817
1818 2018-11-13  Saam Barati  <sbarati@apple.com>
1819
1820         ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception
1821         https://bugs.webkit.org/show_bug.cgi?id=191601
1822
1823         Reviewed by Mark Lam.
1824
1825         This doesn't fix any bugs today, but it may reduce future bugs. It was
1826         always weird that ProxyObject::getOwnPropertySlot with VMInquiry might
1827         throw a stack overflow error instead of just returning false like it
1828         normally does when VMInquiry is passed in.
1829
1830         * runtime/ProxyObject.cpp:
1831         (JSC::ProxyObject::getOwnPropertySlotCommon):
1832
1833 2018-11-13  Saam Barati  <sbarati@apple.com>
1834
1835         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1836         https://bugs.webkit.org/show_bug.cgi?id=191600
1837
1838         Reviewed by Mark Lam.
1839
1840         processLogEntries will call into calculatedClassName, which will clear
1841         any exceptions it encounters (it assumes that they're stack overflow exceptions).
1842         However, this code may be called when an exception is already pending on the
1843         VM (e.g., when we throw an exception in the DFG, we compile an OSR exit
1844         offramp, which may compile a baseline codeblock, which will process
1845         the type profiler log). To get around this, processLogEntries should stash
1846         away and re-apply any pending exceptions.
1847
1848         * dfg/DFGDriver.cpp:
1849         (JSC::DFG::compileImpl):
1850         * dfg/DFGOperations.cpp:
1851         * inspector/agents/InspectorRuntimeAgent.cpp:
1852         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1853         * jit/JIT.cpp:
1854         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1855         * jit/JITOperations.cpp:
1856         * runtime/CommonSlowPaths.cpp:
1857         (JSC::SLOW_PATH_DECL):
1858         * runtime/TypeProfilerLog.cpp:
1859         (JSC::TypeProfilerLog::processLogEntries):
1860         * runtime/TypeProfilerLog.h:
1861         * runtime/VM.cpp:
1862         (JSC::VM::dumpTypeProfilerData):
1863         * runtime/VM.h:
1864         (JSC::VM::DeferExceptionScope::DeferExceptionScope):
1865         * tools/JSDollarVM.cpp:
1866         (JSC::functionFindTypeForExpression):
1867         (JSC::functionReturnTypeFor):
1868
1869 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1870
1871         Unreviewed, rolling out r238132.
1872
1873         The test added with this change is timing out on Debug JSC
1874         bots.
1875
1876         Reverted changeset:
1877
1878         "[BigInt] JSBigInt::createWithLength should throw when length
1879         is greater than JSBigInt::maxLength"
1880         https://bugs.webkit.org/show_bug.cgi?id=190836
1881         https://trac.webkit.org/changeset/238132
1882
1883 2018-11-12  Mark Lam  <mark.lam@apple.com>
1884
1885         Add OOM detection to StringPrototype's substituteBackreferences().
1886         https://bugs.webkit.org/show_bug.cgi?id=191563
1887         <rdar://problem/45720428>
1888
1889         Reviewed by Saam Barati.
1890
1891         * dfg/DFGStrengthReductionPhase.cpp:
1892         (JSC::DFG::StrengthReductionPhase::handleNode):
1893         * runtime/StringPrototype.cpp:
1894         (JSC::substituteBackreferencesSlow):
1895         (JSC::substituteBackreferencesInline):
1896         (JSC::substituteBackreferences):
1897         (JSC::replaceUsingRegExpSearch):
1898         (JSC::replaceUsingStringSearch):
1899         * runtime/StringPrototype.h:
1900
1901 2018-11-13  Mark Lam  <mark.lam@apple.com>
1902
1903         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1904         https://bugs.webkit.org/show_bug.cgi?id=191579
1905         <rdar://problem/45942472>
1906
1907         Reviewed by Saam Barati.
1908
1909         Both of these functions do a lot of work.  It would be good for the topCallFrame
1910         to be correct should we need to throw an exception.
1911
1912         For example, we've observed the following crash trace:
1913
1914           * frame #0: WTFCrash() at Assertions.cpp:253
1915             frame #1: ...
1916             frame #2: JSC::StructureIDTable::get(this=0x00006040000162f0, structureID=1874583248) at StructureIDTable.h:129
1917             frame #3: JSC::VM::getStructure(this=0x0000604000016210, id=4022066896) at VM.h:705
1918             frame #4: JSC::JSCell::structure(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:125
1919             frame #5: JSC::JSCell::classInfo(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:335
1920             frame #6: JSC::JSCell::inherits(this=0x00007ffeefbbde30, vm=0x0000604000016210, info=0x0000000105eaf020) const at JSCellInlines.h:302
1921             frame #7: JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(from=0x00007ffeefbbde30) at JSCast.h:36
1922             frame #8: JSC::asObject(cell=0x00007ffeefbbde30) at JSObject.h:1299
1923             frame #9: JSC::asObject(value=JSValue @ 0x00007ffeefbba380) at JSObject.h:1304
1924             frame #10: JSC::Register::object(this=0x00007ffeefbbdd58) const at JSObject.h:1514
1925             frame #11: JSC::ExecState::jsCallee(this=0x00007ffeefbbdd40) const at CallFrame.h:107
1926             frame #12: JSC::ExecState::isStackOverflowFrame(this=0x00007ffeefbbdd40) const at CallFrameInlines.h:36
1927             frame #13: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:52
1928             frame #14: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:41
1929             frame #15: void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long, unsigned long)::$_3>(startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800, functor=0x00007ffeefbbaa60)::$_3 const&) at StackVisitor.h:147
1930             frame #16: JSC::Interpreter::getStackTrace(this=0x0000602000005db0, owner=0x000062d00020cbe0, results=0x00006020000249d0, framesToSkip=0, maxStackSize=1) at Interpreter.cpp:437
1931             frame #17: JSC::getStackTrace(exec=0x000062d00002c048, vm=0x0000631000000800, obj=0x000062d00020cbe0, useCurrentFrame=true) at Error.cpp:170
1932             frame #18: JSC::ErrorInstance::finishCreation(this=0x000062d00020cbe0, exec=0x000062d00002c048, vm=0x0000631000000800, message=0x00007ffeefbbb800, useCurrentFrame=true) at ErrorInstance.cpp:119
1933             frame #19: JSC::ErrorInstance::create(exec=0x000062d00002c048, vm=0x0000631000000800, structure=0x000062d0000f5730, message=0x00007ffeefbbb800, appender=0x0000000000000000, type=TypeNothing, useCurrentFrame=true)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) at ErrorInstance.h:49
1934             frame #20: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800, appender=0x0000000000000000)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) at Error.cpp:68
1935             frame #21: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800) at Error.cpp:316
1936             frame #22: JSC::createStackOverflowError(exec=0x000062d00002c048, globalObject=0x000062d00002c000) at ExceptionHelpers.cpp:77
1937             frame #23: JSC::createStackOverflowError(exec=0x000062d00002c048) at ExceptionHelpers.cpp:72
1938             frame #24: JSC::throwStackOverflowError(exec=0x000062d00002c048, scope=0x00007ffeefbbbaa0) at ExceptionHelpers.cpp:335
1939             frame #25: JSC::ProxyObject::getOwnPropertySlotCommon(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbba80, slot=0x00007ffeefbbc720) at ProxyObject.cpp:372
1940             frame #26: JSC::ProxyObject::getOwnPropertySlot(object=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbd40, slot=0x00007ffeefbbc720) at ProxyObject.cpp:395
1941             frame #27: JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbea0, slot=0x00007ffeefbbc720) at JSObjectInlines.h:150
1942             frame #28: bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbc320, slot=0x00007ffeefbbc720) at JSObject.h:1424
1943             frame #29: JSC::JSObject::calculatedClassName(object=0x000062d000200e40) at JSObject.cpp:535
1944             frame #30: JSC::Structure::toStructureShape(this=0x000062d000007410, value=JSValue @ 0x00007ffeefbbcae0, sawPolyProtoStructure=0x00007ffeefbbcf60) at Structure.cpp:1142
1945             frame #31: JSC::TypeProfilerLog::processLogEntries(this=0x000060400000a950, reason=0x00007ffeefbbd5c0) at TypeProfilerLog.cpp:89
1946             frame #32: JSC::JIT::doMainThreadPreparationBeforeCompile(this=0x0000619000034da0) at JIT.cpp:951
1947             frame #33: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:43
1948             frame #34: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:42
1949             frame #35: JSC::JITWorklist::compileLater(this=0x0000616000001b80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:256
1950             frame #36: JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000062d0001d88c0, exec=0x00007ffeefbbde30, loopOSREntryBytecodeOffset=0) at LLIntSlowPaths.cpp:391
1951             frame #37: llint_replace(exec=0x00007ffeefbbde30, pc=0x00006040000161ba) at LLIntSlowPaths.cpp:516
1952             frame #38: llint_entry at LowLevelInterpreter64.asm:98
1953             frame #39: vmEntryToJavaScript at LowLevelInterpreter64.asm:296
1954             ...
1955
1956         This crash occurred because StackVisitor was seeing an invalid topCallFrame while
1957         trying to capture the Error stack while throwing a StackOverflowError below
1958         llint_replace.  While in this specific example, it is questionable whether we
1959         should be executing JS code below TypeProfilerLog::processLogEntries(), it is
1960         correct to have set the topCallFrame in llint_replace.  We do this by calling
1961         LLINT_BEGIN_NO_SET_PC() at the top of llint_replace.
1962
1963         We also do the same for llint_osr.
1964         
1965         Note: both of these LLInt slow path functions are called with a fully initialized
1966         CallFrame.  Hence, there's no issue with setting topCallFrame to their CallFrames
1967         for these functions.
1968
1969         * llint/LLIntSlowPaths.cpp:
1970         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1971
1972 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1973
1974         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1975         https://bugs.webkit.org/show_bug.cgi?id=190836
1976
1977         Reviewed by Saam Barati.
1978
1979         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
1980         where we allocate a BigInt trusting the length received as argument.
1981         With this additional method, we now check if the length passed to
1982         `JSBigInt::createWithLength` is not greater than JSBigInt::maxLength.
1983         When the length is greater than maxLength, we then throw an OOM
1984         exception.
1985         This required changing the interface of some JSBigInt operations to
1986         receive `ExecState*` instead of `VM&`. We changed only operations that
1987         can throw because of OOM.
1988         We believe that this approach of throwing instead of finishing the
1989         execution abruptly is better because JS programs can catch such
1990         exceptions and handle this issue properly.
1991
1992         * dfg/DFGOperations.cpp:
1993         * jit/JITOperations.cpp:
1994         * runtime/CommonSlowPaths.cpp:
1995         (JSC::SLOW_PATH_DECL):
1996         * runtime/JSBigInt.cpp:
1997         (JSC::JSBigInt::createZero):
1998         (JSC::JSBigInt::tryCreateWithLength):
1999         (JSC::JSBigInt::createWithLengthUnchecked):
2000         (JSC::JSBigInt::createFrom):
2001         (JSC::JSBigInt::multiply):
2002         (JSC::JSBigInt::divide):
2003         (JSC::JSBigInt::copy):
2004         (JSC::JSBigInt::unaryMinus):
2005         (JSC::JSBigInt::remainder):
2006         (JSC::JSBigInt::add):
2007         (JSC::JSBigInt::sub):
2008         (JSC::JSBigInt::bitwiseAnd):
2009         (JSC::JSBigInt::bitwiseOr):
2010         (JSC::JSBigInt::bitwiseXor):
2011         (JSC::JSBigInt::absoluteAdd):
2012         (JSC::JSBigInt::absoluteSub):
2013         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
2014         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2015         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
2016         (JSC::JSBigInt::absoluteBitwiseOp):
2017         (JSC::JSBigInt::absoluteAddOne):
2018         (JSC::JSBigInt::absoluteSubOne):
2019         (JSC::JSBigInt::toStringGeneric):
2020         (JSC::JSBigInt::rightTrim):
2021         (JSC::JSBigInt::allocateFor):
2022         (JSC::JSBigInt::createWithLength): Deleted.
2023         * runtime/JSBigInt.h:
2024         * runtime/Operations.cpp:
2025         (JSC::jsAddSlowCase):
2026         * runtime/Operations.h:
2027         (JSC::jsSub):
2028         (JSC::jsMul):
2029
2030 2018-11-12  Devin Rousso  <drousso@apple.com>
2031
2032         Web Inspector: Network: show secure certificate details per-request
2033         https://bugs.webkit.org/show_bug.cgi?id=191447
2034         <rdar://problem/30019476>
2035
2036         Reviewed by Joseph Pecoraro.
2037
2038         Add Security domain to hold security related protocol types.
2039
2040         * CMakeLists.txt:
2041         * DerivedSources.make:
2042         * inspector/protocol/Network.json:
2043         * inspector/protocol/Security.json: Added.
2044         * inspector/scripts/codegen/objc_generator.py:
2045         (ObjCGenerator):
2046
2047 2018-11-12  Saam Barati  <sbarati@apple.com>
2048
2049         Unreviewed. Rollout 238026: It caused ~8% JetStream 2 regressions on some iOS devices
2050         https://bugs.webkit.org/show_bug.cgi?id=191555
2051
2052         * bytecode/UnlinkedFunctionExecutable.cpp:
2053         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2054         * bytecode/UnlinkedFunctionExecutable.h:
2055         * parser/SourceCodeKey.h:
2056         (JSC::SourceCodeKey::SourceCodeKey):
2057         (JSC::SourceCodeKey::operator== const):
2058         * runtime/CodeCache.cpp:
2059         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2060         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2061         * runtime/CodeCache.h:
2062         * runtime/FunctionConstructor.cpp:
2063         (JSC::constructFunctionSkippingEvalEnabledCheck):
2064         * runtime/FunctionExecutable.cpp:
2065         (JSC::FunctionExecutable::fromGlobalCode):
2066         * runtime/FunctionExecutable.h:
2067
2068 2018-11-11  Benjamin Poulain  <benjamin@webkit.org>
2069
2070         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
2071         https://bugs.webkit.org/show_bug.cgi?id=191492
2072
2073         Reviewed by Alex Christensen.
2074
2075         Rename file.
2076
2077         * API/JSValue.mm:
2078
2079 2018-11-10  Benjamin Poulain  <benjamin@webkit.org>
2080
2081         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
2082         https://bugs.webkit.org/show_bug.cgi?id=191492
2083
2084         Reviewed by Alex Christensen.
2085
2086         * API/JSValue.mm:
2087
2088 2018-11-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2089
2090         Unreviewed, silence -Wunused-variable warning
2091
2092         * bytecode/Opcode.h:
2093         (JSC::padOpcodeName):
2094
2095 2018-11-09  Keith Rollin  <krollin@apple.com>
2096
2097         Unreviewed build fix after https://bugs.webkit.org/show_bug.cgi?id=191324
2098
2099         Remove the use of .xcfilelists until their side-effects are better
2100         understood.
2101
2102         * JavaScriptCore.xcodeproj/project.pbxproj:
2103
2104 2018-11-09  Keith Miller  <keith_miller@apple.com>
2105
2106         LLInt VectorSizeOffset should be based on offset extraction
2107         https://bugs.webkit.org/show_bug.cgi?id=191468
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         This patch also adds some usings to LLIntOffsetsExtractor that
2112         make it possible to use the bare names of Vector/RefCountedArray
2113         in offsets extraction.
2114
2115         * llint/LLIntOffsetsExtractor.cpp:
2116         * llint/LowLevelInterpreter.asm:
2117
2118 2018-11-09  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2119
2120         Unreviewed, rolling in CodeCache in r237254
2121         https://bugs.webkit.org/show_bug.cgi?id=190340
2122
2123         Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash.
2124
2125         * bytecode/UnlinkedFunctionExecutable.cpp:
2126         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2127         * bytecode/UnlinkedFunctionExecutable.h:
2128         * parser/SourceCodeKey.h:
2129         (JSC::SourceCodeKey::SourceCodeKey):
2130         (JSC::SourceCodeKey::operator== const):
2131         * runtime/CodeCache.cpp:
2132         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2133         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2134         * runtime/CodeCache.h:
2135         * runtime/FunctionConstructor.cpp:
2136         (JSC::constructFunctionSkippingEvalEnabledCheck):
2137         * runtime/FunctionExecutable.cpp:
2138         (JSC::FunctionExecutable::fromGlobalCode):
2139         * runtime/FunctionExecutable.h:
2140
2141 2018-11-08  Keith Miller  <keith_miller@apple.com>
2142
2143         put_by_val opcodes need to add the number tag as a 64-bit register
2144         https://bugs.webkit.org/show_bug.cgi?id=191456
2145
2146         Reviewed by Saam Barati.
2147
2148         Previously the LLInt would add it as a pointer sized value. That is
2149         wrong if the pointer size is less than 64 bits.
2150
2151         * llint/LowLevelInterpreter64.asm:
2152
2153 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2154
2155         [JSC] isStrWhiteSpace seems redundant with Lexer<UChar>::isWhiteSpace
2156         https://bugs.webkit.org/show_bug.cgi?id=191439
2157
2158         Reviewed by Saam Barati.
2159
2160         * CMakeLists.txt:
2161         * runtime/ParseInt.h:
2162         (JSC::isStrWhiteSpace):
2163         Define isStrWhiteSpace in terms of isWhiteSpace and isLineTerminator.
2164
2165 2018-11-08  Michael Saboff  <msaboff@apple.com>
2166
2167         Options::useRegExpJIT() should use jitEnabledByDefault() just like useJIT()
2168         https://bugs.webkit.org/show_bug.cgi?id=191444
2169
2170         Reviewed by Saam Barati.
2171
2172         * runtime/Options.h:
2173
2174 2018-11-08  Fujii Hironori  <Hironori.Fujii@sony.com>
2175
2176         [Win] UDis86Disassembler.cpp: warning: format specifies type 'unsigned long' but the argument has type 'uintptr_t' (aka 'unsigned long long')
2177         https://bugs.webkit.org/show_bug.cgi?id=191416
2178
2179         Reviewed by Saam Barati.
2180
2181         * disassembler/UDis86Disassembler.cpp:
2182         (JSC::tryToDisassembleWithUDis86): Use PRIxPTR for uintptr_t.
2183
2184 2018-11-08  Keith Rollin  <krollin@apple.com>
2185
2186         Create .xcfilelist files
2187         https://bugs.webkit.org/show_bug.cgi?id=191324
2188         <rdar://problem/45852819>
2189
2190         Reviewed by Alex Christensen.
2191
2192         As part of preparing for enabling XCBuild, create and use .xcfilelist
2193         files. These files are used during Run Script build phases in an
2194         Xcode project. If a Run Script build phase produces new files that are
2195         used later as inputs to subsequent build phases, XCBuild needs to know
2196         about these files. These files can be either specified in an "output
2197         files" section of the Run Script phase editor, or in .xcfilelist files
2198         that are associated with the Run Script build phase.
2199
2200         This patch takes the second approach. It consists of three sets of changes:
2201
2202         - Modify the DerivedSources.make files to have a
2203           'print_all_generated_files' target that produces a list of the files
2204           they create.
2205
2206         - Create a shell script that produces .xcfilelist files from the
2207           output of the previous step, as well as for the files created in the
2208           Generate Unified Sources build steps.
2209
2210         - Add the new .xcfilelist files to the associated projects.
2211
2212         Note that, with these changes, the Xcode workspace and projects can no
2213         longer be fully loaded into Xcode 9. Xcode will attempt to load the
2214         projects that have .xcfilelist files associated with them, but will
2215         fail and display a placeholder for those projects instead. It's
2216         expected that all developers are using Xcode 10 by now and that not
2217         being able to load into Xcode 9 is not a practical issue. Keep in mind
2218         that this is strictly an IDE issue, and that the projects can still be
2219         built with `xcodebuild`.
2220
2221         Also note that the shell script that creates the .xcfilelist files can
2222         also be used to verify that the set of files that's currently checked
2223         in is up-to-date. This checking can be used as part of a check-in hook
2224         or part of check-webkit-style to sooner catch cases where the
2225         .xcfilelist files need to be regenerated.
2226
2227         * DerivedSources.make:
2228         * DerivedSources.xcfilelist: Added.
2229         * JavaScriptCore.xcodeproj/project.pbxproj:
2230         * UnifiedSources.xcfilelist: Added.
2231
2232 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2233
2234         U+180E is no longer a whitespace character
2235         https://bugs.webkit.org/show_bug.cgi?id=191415
2236
2237         Reviewed by Saam Barati.
2238
2239         Mongolian Vowel Separator stopped being a valid whitespace character as of ES2016.
2240         (https://github.com/tc39/ecma262/pull/300)
2241
2242         * parser/Lexer.h:
2243         (JSC::Lexer<UChar>::isWhiteSpace):
2244         * runtime/ParseInt.h:
2245         (JSC::isStrWhiteSpace):
2246         * yarr/create_regex_tables:
2247
2248 2018-11-08  Keith Miller  <keith_miller@apple.com>
2249
2250         jitEnabledByDefault() should be on useJIT not useBaselineJIT
2251         https://bugs.webkit.org/show_bug.cgi?id=191434
2252
2253         Reviewed by Saam Barati.
2254
2255         * runtime/Options.h:
2256
2257 2018-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2258
2259         Web Inspector: Restrict domains at the target level instead of only at the window level
2260         https://bugs.webkit.org/show_bug.cgi?id=191344
2261
2262         Reviewed by Devin Rousso.
2263
2264         * inspector/protocol/Console.json:
2265         * inspector/protocol/Debugger.json:
2266         * inspector/protocol/Heap.json:
2267         * inspector/protocol/Runtime.json:
2268         Remove workerSupported as it is now no longer necessary. It is implied
2269         by availability being empty (meaning it is supported everywhere).
2270
2271         * inspector/protocol/Inspector.json:
2272         * inspector/protocol/ScriptProfiler.json:
2273         Restrict to "javascript" and "web" debuggables, not available in workers.
2274
2275         * inspector/protocol/Worker.json:
2276         Cleanup, remove empty types list.
2277         
2278         * inspector/protocol/Recording.json:
2279         Cleanup, only expose this in the "web" domain for now.
2280
2281         * inspector/scripts/codegen/generate_js_backend_commands.py:
2282         (JSBackendCommandsGenerator.generate_domain):
2283         * inspector/scripts/codegen/models.py:
2284         (Protocol.parse_domain):
2285         Allow a list of debuggable types. Add "worker" even though it is unused
2286         since that is a type we would want to allow or consider.
2287
2288         (Domain.__init__):
2289         (Domains):
2290         Remove now unnecessary workerSupported code.
2291         Allow availability on a domain with only types.
2292
2293         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: Removed.
2294         * inspector/scripts/tests/generic/worker-supported-domains.json: Removed.
2295
2296 2018-11-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2297
2298         Consider removing double load for accessing the MetadataTable from LLInt
2299         https://bugs.webkit.org/show_bug.cgi?id=190933
2300
2301         Reviewed by Keith Miller.
2302
2303         This patch removes the double load for accesses to MetadataTable from LLInt.
2304         MetadataTable is now a specially RefCounted class, which has an interesting memory layout.
2305         When the refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy itself.
2306
2307         * bytecode/CodeBlock.cpp:
2308         (JSC::CodeBlock::finishCreation):
2309         (JSC::CodeBlock::estimatedSize):
2310         (JSC::CodeBlock::visitChildren):
2311         * bytecode/CodeBlock.h:
2312         (JSC::CodeBlock::metadata):
2313         * bytecode/CodeBlockInlines.h:
2314         (JSC::CodeBlock::forEachValueProfile):
2315         (JSC::CodeBlock::forEachArrayProfile):
2316         (JSC::CodeBlock::forEachArrayAllocationProfile):
2317         (JSC::CodeBlock::forEachObjectAllocationProfile):
2318         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2319         * bytecode/MetadataTable.cpp:
2320         (JSC::MetadataTable::MetadataTable):
2321         (JSC::MetadataTable::~MetadataTable):
2322         (JSC::MetadataTable::sizeInBytes):
2323         * bytecode/MetadataTable.h:
2324         (JSC::MetadataTable::get):
2325         (JSC::MetadataTable::forEach):
2326         (JSC::MetadataTable::ref const):
2327         (JSC::MetadataTable::deref const):
2328         (JSC::MetadataTable::refCount const):
2329         (JSC::MetadataTable::hasOneRef const):
2330         (JSC::MetadataTable::buffer):
2331         (JSC::MetadataTable::linkingData const):
2332         (JSC::MetadataTable::getImpl):
2333         * bytecode/UnlinkedMetadataTable.h:
2334         (JSC::UnlinkedMetadataTable::buffer const):
2335         * bytecode/UnlinkedMetadataTableInlines.h:
2336         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2337         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
2338         (JSC::UnlinkedMetadataTable::addEntry):
2339         (JSC::UnlinkedMetadataTable::sizeInBytes):
2340         (JSC::UnlinkedMetadataTable::finalize):
2341         (JSC::UnlinkedMetadataTable::link):
2342         (JSC::UnlinkedMetadataTable::unlink):
2343         * llint/LowLevelInterpreter.asm:
2344         * llint/LowLevelInterpreter32_64.asm:
2345
2346 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2347
2348         [BigInt] Add support to BigInt into ValueAdd
2349         https://bugs.webkit.org/show_bug.cgi?id=186177
2350
2351         Reviewed by Keith Miller.
2352
2353         We are adding a very primitive specialization case of BigInts into ValueAdd.
2354         When compiling a speculated version of this node to BigInt, we are currently
2355         calling 'operationAddBigInt', a function that expects only BigInts as
2356         parameters and effectively adds numbers using JSBigInt::add. To properly
2357         speculate BigInt operands, we changed ArithProfile to observe when
2358         its result is a BigInt. With this new observation, we are able to identify
2359         when ValueAdd results in a String or BigInt.
2360
2361         Here are some numbers for this specialization running
2362         microbenchmarks:
2363
2364         big-int-simple-add                   21.5411+-1.1096  ^  15.3502+-0.7027  ^ definitely 1.4033x faster
2365         big-int-add-prediction-propagation   13.7762+-0.5578  ^  10.8117+-0.5330  ^ definitely 1.2742x faster
2366
2367         * bytecode/ArithProfile.cpp:
2368         (JSC::ArithProfile::emitObserveResult):
2369         (JSC::ArithProfile::shouldEmitSetNonNumeric const):
2370         (JSC::ArithProfile::shouldEmitSetBigInt const):
2371         (JSC::ArithProfile::emitSetNonNumeric const):
2372         (JSC::ArithProfile::emitSetBigInt const):
2373         (WTF::printInternal):
2374         (JSC::ArithProfile::shouldEmitSetNonNumber const): Deleted.
2375         (JSC::ArithProfile::emitSetNonNumber const): Deleted.
2376         * bytecode/ArithProfile.h:
2377         (JSC::ArithProfile::observedUnaryInt):
2378         (JSC::ArithProfile::observedUnaryNumber):
2379         (JSC::ArithProfile::observedBinaryIntInt):
2380         (JSC::ArithProfile::observedBinaryNumberInt):
2381         (JSC::ArithProfile::observedBinaryIntNumber):
2382         (JSC::ArithProfile::observedBinaryNumberNumber):
2383         (JSC::ArithProfile::didObserveNonInt32 const):
2384         (JSC::ArithProfile::didObserveNonNumeric const):
2385         (JSC::ArithProfile::didObserveBigInt const):
2386         (JSC::ArithProfile::setObservedNonNumeric):
2387         (JSC::ArithProfile::setObservedBigInt):
2388         (JSC::ArithProfile::observeResult):
2389         (JSC::ArithProfile::didObserveNonNumber const): Deleted.
2390         (JSC::ArithProfile::setObservedNonNumber): Deleted.
2391         * dfg/DFGByteCodeParser.cpp:
2392         (JSC::DFG::ByteCodeParser::makeSafe):
2393         * dfg/DFGFixupPhase.cpp:
2394         (JSC::DFG::FixupPhase::fixupNode):
2395         * dfg/DFGNode.h:
2396         (JSC::DFG::Node::mayHaveNonNumericResult):
2397         (JSC::DFG::Node::mayHaveBigIntResult):
2398         (JSC::DFG::Node::mayHaveNonNumberResult): Deleted.
2399         * dfg/DFGNodeFlags.cpp:
2400         (JSC::DFG::dumpNodeFlags):
2401         * dfg/DFGNodeFlags.h:
2402         * dfg/DFGOperations.cpp:
2403         * dfg/DFGOperations.h:
2404         * dfg/DFGPredictionPropagationPhase.cpp:
2405         * dfg/DFGSpeculativeJIT.cpp:
2406         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2407         * ftl/FTLLowerDFGToB3.cpp:
2408         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2409         * runtime/CommonSlowPaths.cpp:
2410         (JSC::updateArithProfileForUnaryArithOp):
2411         (JSC::updateArithProfileForBinaryArithOp):
2412
2413 2018-11-07  Joseph Pecoraro  <pecoraro@apple.com>
2414
2415         Web Inspector: Fix "Javascript" => "JavaScript" enum in protocol generated objects
2416         https://bugs.webkit.org/show_bug.cgi?id=191340
2417
2418         Reviewed by Devin Rousso.
2419
2420         * inspector/ConsoleMessage.cpp:
2421         (Inspector::messageSourceValue):
2422         Use new enum name.
2423
2424         * inspector/scripts/codegen/generator.py:
2425         Correct the casing of "JavaScript".
2426
2427 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2428
2429         Align wide opcodes in the instruction stream
2430         https://bugs.webkit.org/show_bug.cgi?id=191254
2431
2432         Reviewed by Keith Miller.
2433
2434         Pad the bytecode with nops to ensure that wide opcodes are 4-byte
2435         aligned on platforms that don't like unaligned memory access.
2436
2437         For that, add a new type to represent jump targets, BoundLabel, which
2438         delays computing the offset in case we need to emit nops for padding.
2439         Extra padding is also emitted before op_yield and at the end of each
2440         BytecodeWriter fragment, to ensure that the bytecode remains aligned
2441         after the rewriting.
2442
2443         As a side effect, we can no longer guarantee that the point immediately
2444         before emitting an opcode is the start of that opcode, since nops
2445         might be emitted in between if the opcode needs to be wide. To fix
2446         that, we only take the offset of opcodes after they have been emitted,
2447         using `m_lastInstruction.offset()`.
2448
2449         * bytecode/BytecodeDumper.h:
2450         (JSC::BytecodeDumper::dumpValue):
2451         * bytecode/BytecodeGeneratorification.cpp:
2452         (JSC::BytecodeGeneratorification::run):
2453         * bytecode/BytecodeList.rb:
2454         * bytecode/BytecodeRewriter.h:
2455         (JSC::BytecodeRewriter::Fragment::align):
2456         (JSC::BytecodeRewriter::insertFragmentBefore):
2457         (JSC::BytecodeRewriter::insertFragmentAfter):
2458         * bytecode/Fits.h:
2459         * bytecode/InstructionStream.h:
2460         (JSC::InstructionStreamWriter::ref):
2461         * bytecode/PreciseJumpTargetsInlines.h:
2462         (JSC::updateStoredJumpTargetsForInstruction):
2463         * bytecompiler/BytecodeGenerator.cpp:
2464         (JSC::Label::setLocation):
2465         (JSC::BoundLabel::target):
2466         (JSC::BoundLabel::saveTarget):
2467         (JSC::BoundLabel::commitTarget):
2468         (JSC::BytecodeGenerator::generate):
2469         (JSC::BytecodeGenerator::recordOpcode):
2470         (JSC::BytecodeGenerator::alignWideOpcode):
2471         (JSC::BytecodeGenerator::emitProfileControlFlow):
2472         (JSC::BytecodeGenerator::emitResolveScope):
2473         (JSC::BytecodeGenerator::emitGetFromScope):
2474         (JSC::BytecodeGenerator::emitPutToScope):
2475         (JSC::BytecodeGenerator::emitGetById):
2476         (JSC::BytecodeGenerator::emitDirectGetById):
2477         (JSC::BytecodeGenerator::emitPutById):
2478         (JSC::BytecodeGenerator::emitDirectPutById):
2479         (JSC::BytecodeGenerator::emitGetByVal):
2480         (JSC::BytecodeGenerator::emitCreateThis):
2481         (JSC::BytecodeGenerator::beginSwitch):
2482         (JSC::BytecodeGenerator::endSwitch):
2483         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
2484         (JSC::BytecodeGenerator::emitYieldPoint):
2485         (JSC::BytecodeGenerator::emitToThis):
2486         (JSC::Label::bind): Deleted.
2487         * bytecompiler/BytecodeGenerator.h:
2488         (JSC::BytecodeGenerator::recordOpcode): Deleted.
2489         * bytecompiler/Label.h:
2490         (JSC::BoundLabel::BoundLabel):
2491         (JSC::BoundLabel::operator int):
2492         (JSC::Label::bind):
2493         * generator/Opcode.rb:
2494
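The padding and delayed-label scheme the entry above describes, as an added C++ illustration (not JavaScriptCore's BytecodeGenerator; ToyWriter, Label, Op and the byte encoding are assumptions): wide opcodes are nop-padded to a 4-byte boundary, a label binds to "the next instruction emitted" so its offset is resolved after the padding, and the instruction start is recorded only after emission.

```cpp
// Added example, not JavaScriptCore's own code. Hypothetical encoding:
// narrow = opcode + 1-byte operands; wide = kWide prefix + opcode + 4-byte
// operands. Wide instructions must start on a 4-byte boundary.
#include <cstdint>
#include <cstring>
#include <vector>

enum Op : uint8_t { kNop = 0, kJump = 1, kAdd = 2, kWide = 0xff };

struct Label {
    size_t offset = SIZE_MAX;        // resolved instruction start, once known
    std::vector<size_t> patchSites;  // byte offsets of jump operands to fill
};

class ToyWriter {
public:
    const std::vector<uint8_t>& bytes() const { return m_bytes; }
    size_t lastInstructionOffset() const { return m_lastInstruction; }

    // Bind a label to the *next* instruction. Nothing is resolved yet: a wide
    // opcode emitted next may first need nop padding, and the label must
    // point past that padding (the role BoundLabel plays in the entry).
    void bind(Label& label) { m_pending.push_back(&label); }

    // Emit an opcode. Operands that do not fit in one byte force the wide
    // encoding; wide instructions are 4-byte aligned before being written.
    void emit(Op op, const std::vector<int32_t>& operands, bool forceWide = false) {
        bool wide = forceWide;
        for (int32_t v : operands)
            if (v < 0 || v > 0xff) wide = true;
        if (wide)
            alignWideOpcode();
        // Only now is the instruction start known (cf. m_lastInstruction.offset()).
        m_lastInstruction = m_bytes.size();
        resolvePendingLabels();
        if (wide) {
            m_bytes.push_back(kWide);
            m_bytes.push_back(op);
            for (int32_t v : operands) appendInt32(v);
        } else {
            m_bytes.push_back(op);
            for (int32_t v : operands) m_bytes.push_back(static_cast<uint8_t>(v));
        }
    }

    // Jumps are always emitted wide so the 4-byte relative target can be
    // patched once the label resolves (backward jumps patch immediately).
    void emitJump(Label& label) {
        emit(kJump, {0}, /* forceWide */ true);
        size_t site = m_lastInstruction + 2;   // kWide, kJump, then the operand
        label.patchSites.push_back(site);
        if (label.offset != SIZE_MAX)
            patch(label, site);
    }

private:
    void alignWideOpcode() {
        while (m_bytes.size() % 4)
            m_bytes.push_back(kNop);
    }
    void resolvePendingLabels() {
        for (Label* label : m_pending) {
            label->offset = m_lastInstruction;
            for (size_t site : label->patchSites) patch(*label, site);
        }
        m_pending.clear();
    }
    // Relative offset from the jump instruction start (site - 2) to the target.
    void patch(const Label& label, size_t site) {
        int32_t rel = static_cast<int32_t>(label.offset) - static_cast<int32_t>(site - 2);
        std::memcpy(&m_bytes[site], &rel, sizeof rel);
    }
    void appendInt32(int32_t v) {
        uint8_t buf[4];
        std::memcpy(buf, &v, 4);
        m_bytes.insert(m_bytes.end(), buf, buf + 4);
    }

    std::vector<uint8_t> m_bytes;
    std::vector<Label*> m_pending;
    size_t m_lastInstruction = 0;
};

// Reads the relative jump operand stored at byte offset `site`.
inline int32_t readInt32(const std::vector<uint8_t>& bytes, size_t site) {
    int32_t v;
    std::memcpy(&v, &bytes[site], sizeof v);
    return v;
}

// Builds the scenario from the entry: a narrow op, a label bound just before
// a wide op (so padding sits between them), and a backward jump to the label.
inline ToyWriter buildSample(Label& loop) {
    ToyWriter w;
    w.emit(kAdd, {1, 2});            // narrow: 3 bytes at offset 0
    w.bind(loop);                    // intends to target the next op
    w.emit(kAdd, {1, 100000});       // wide: one nop, then 10 bytes at offset 4
    w.emitJump(loop);                // wide: two nops, then 6 bytes at offset 16
    return w;
}
```

Without the delayed binding, `loop` would resolve to offset 3, the nop, rather than to the wide instruction at offset 4.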
2495 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2496
2497         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2498         https://bugs.webkit.org/show_bug.cgi?id=191184
2499
2500         Reviewed by Saam Barati.
2501
2502         Fix API test on CLoop: we can only disable the LLInt when the JIT is enabled.
2503
2504         * API/tests/PingPongStackOverflowTest.cpp:
2505         (testPingPongStackOverflow):
2506
2507 2018-11-06  Justin Fan  <justin_fan@apple.com>
2508
2509         [WebGPU] Experimental prototype for WebGPURenderPipeline and WebGPUSwapChain
2510         https://bugs.webkit.org/show_bug.cgi?id=191291
2511
2512         Reviewed by Myles Maxfield.
2513
2514         Properly disable WEBGPU on all non-Metal platforms for now.
2515
2516         * Configurations/FeatureDefines.xcconfig:
2517
2518 2018-11-06  Keith Rollin  <krollin@apple.com>
2519
2520         Adjust handling of Include paths that need quoting
2521         https://bugs.webkit.org/show_bug.cgi?id=191314
2522         <rdar://problem/45849143>
2523
2524         Reviewed by Dan Bernstein.
2525
2526         There are several places in the JavaScriptCore Xcode project where the
2527         paths defined in HEADER_SEARCH_PATHS are quoted. That is, the
2528         definitions look like:
2529
2530             HEADER_SEARCH_PATHS = (
2531                 "\"${BUILT_PRODUCTS_DIR}/DerivedSources/JavaScriptCore\"",
2532                 "\"${BUILT_PRODUCTS_DIR}/LLIntOffsets/${ARCHS}\"",
2533                 "\"$(JAVASCRIPTCORE_FRAMEWORKS_DIR)/JavaScriptCore.framework/PrivateHeaders\"",
2534                 "$(inherited)",
2535             );
2536
2537         The idea here is presumably to have the resulting $(CPP) command have
2538         -I options where the associated paths are themselves quoted,
2539         protecting against space characters in the paths.
2540
2541         This approach to quote management can break under Xcode 9. If
2542         .xcfilelist files are added to the project, the 'objectVersion' value
2543         in the Xcode project file is changed from 46 to 51. If a project with
2544         objectVersion=51 is presented to Xcode 9 (as can happen when we build
2545         for older OS's), it produces build lines where the quotes are escaped,
2546         thereby becoming part of the path. The build then fails because a
2547         search for a file normally found in a directory called "Foo" will be
2548         looked for in "\"Foo\"", which doesn't exist.
2549
2550         Simply removing the escaped quotes from the HEADER_SEARCH_PATHS
2551         definition doesn't work, leading to paths that need quoting due to
2552         space characters but that don't get this quoting (the part of the path
2553         after the space appears to simply go missing).
2554
2555         Removing the escaped quotes from the HEADER_SEARCH_PATHS and moving
2556         the definitions to the .xcconfig fixes this problem.
2557
2558         * Configurations/ToolExecutable.xcconfig:
2559         * JavaScriptCore.xcodeproj/project.pbxproj:
2560
2561 2018-11-06  Michael Saboff  <msaboff@apple.com>
2562
2563         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2564         https://bugs.webkit.org/show_bug.cgi?id=191271
2565
2566         Reviewed by Saam Barati.
2567
2568         Fixed use of ThrowScope by adding release() calls.  Found a few places where we needed
2569         RETURN_IF_EXCEPTION().  After some code inspection, I determined that we need to cover the
2570         exception bubbling for String.match() with a global RegExp as well as String.replace()
2571         and String.search().
2572
2573         * runtime/RegExpObjectInlines.h:
2574         (JSC::RegExpObject::matchInline):
2575         (JSC::collectMatches):
2576         * runtime/RegExpPrototype.cpp:
2577         (JSC::regExpProtoFuncSearchFast):
2578         * runtime/StringPrototype.cpp:
2579         (JSC::removeUsingRegExpSearch):
2580         (JSC::replaceUsingRegExpSearch):
2581
2582 2018-11-05  Don Olmstead  <don.olmstead@sony.com>
2583
2584         Fix typos in closing ENABLE guards
2585         https://bugs.webkit.org/show_bug.cgi?id=191273
2586
2587         Reviewed by Keith Miller.
2588
2589         * ftl/FTLForOSREntryJITCode.h:
2590         * ftl/FTLJITCode.h:
2591         * jsc.cpp:
2592         * wasm/WasmMemoryInformation.h:
2593         * wasm/WasmPageCount.h:
2594
2595 2018-11-05  Keith Miller  <keith_miller@apple.com>
2596
2597         Make static_asserts in APICast into bitwise_cast
2598         https://bugs.webkit.org/show_bug.cgi?id=191272
2599
2600         Reviewed by Filip Pizlo.
2601
2602         * API/APICast.h:
2603         (toJS):
2604         (toJSForGC):
2605         (toRef):
2606
2607 2018-11-05  Dominik Infuehr  <dinfuehr@igalia.com>
2608
2609         Enable LLInt on ARMv7/Linux
2610         https://bugs.webkit.org/show_bug.cgi?id=191190
2611
2612         Reviewed by Yusuke Suzuki.
2613
2614         After enabling the new bytecode format in r237547, C_LOOP was
2615         forced on all 32-bit platforms. Now enable LLInt again on
2616         ARMv7-Thumb2/Linux.
2617
2618         This adds a callee-saved register in ARMv7/Linux for the metadataTable and
2619         stores/restores it on LLInt function calls. It also introduces the globaladdr
2620         instruction for the ARM offlineasm to access the opcode table.
2621
2622         * jit/GPRInfo.h:
2623         * jit/RegisterSet.cpp:
2624         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
2625         * llint/LowLevelInterpreter.asm:
2626         * llint/LowLevelInterpreter32_64.asm:
2627         * offlineasm/arm.rb:
2628         * offlineasm/asm.rb:
2629         * offlineasm/instructions.rb:
2630
2631 2018-11-05  Fujii Hironori  <Hironori.Fujii@sony.com>
2632
2633         [Win][Clang][JSC] JIT::is64BitType reports "warning: explicit specialization cannot have a storage class"
2634         https://bugs.webkit.org/show_bug.cgi?id=191146
2635
2636         Reviewed by Yusuke Suzuki.
2637
2638         * jit/JIT.h: Changed is64BitType from a template class method to a
2639         template inner class.
2640
2641 2018-11-02  Keith Miller  <keith_miller@apple.com>
2642
2643         Assert JSValues can fit into a pointer when API casting
2644         https://bugs.webkit.org/show_bug.cgi?id=191220
2645
2646         Reviewed by Michael Saboff.
2647
2648         * API/APICast.h:
2649         (toJS):
2650         (toJSForGC):
2651         (toRef):
2652
2653 2018-11-02  Michael Saboff  <msaboff@apple.com>
2654
2655         Rolling in r237753 with unreviewed build fix.
2656
2657         Fixed issues with DECLARE_THROW_SCOPE placement.
2658
2659 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2660
2661         Unreviewed, rolling out r237753.
2662
2663         Introduced JSC test failures
2664
2665         Reverted changeset:
2666
2667         "Running out of stack space not properly handled in
2668         RegExp::compile() and its callers"
2669         https://bugs.webkit.org/show_bug.cgi?id=191206
2670         https://trac.webkit.org/changeset/237753
2671
2672 2018-11-02  Michael Saboff  <msaboff@apple.com>
2673
2674         Running out of stack space not properly handled in RegExp::compile() and its callers
2675         https://bugs.webkit.org/show_bug.cgi?id=191206
2676
2677         Reviewed by Filip Pizlo.
2678
2679         Eliminated two RELEASE_ASSERT_NOT_REACHED() for errors returned by Yarr parsing code.  Bubbled those errors
2680         up to where they are turned into the appropriate exceptions in matchInline().  If the errors are not due
2681         to syntax, we reset the RegExp state in case the parsing is tried with a smaller stack.
2682
2683         * runtime/RegExp.cpp:
2684         (JSC::RegExp::compile):
2685         (JSC::RegExp::compileMatchOnly):
2686         * runtime/RegExp.h:
2687         * runtime/RegExpInlines.h:
2688         (JSC::RegExp::compileIfNecessary):
2689         (JSC::RegExp::matchInline):
2690         (JSC::RegExp::compileIfNecessaryMatchOnly):
2691         * runtime/RegExpObjectInlines.h:
2692         (JSC::RegExpObject::execInline):
2693         * yarr/YarrErrorCode.h:
2694         (JSC::Yarr::hasHardError):
2695
2696 2018-11-02  Keith Miller  <keith_miller@apple.com>
2697
2698         API should use wrapper object if address is 32-bit
2699         https://bugs.webkit.org/show_bug.cgi?id=191203
2700
2701         Reviewed by Filip Pizlo.
2702
2703         * API/APICast.h:
2704         (toJS):
2705         (toJSForGC):
2706         (toRef):
2707
2708 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
2709
2710         Metadata should not be copyable
2711         https://bugs.webkit.org/show_bug.cgi?id=191193
2712
2713         Reviewed by Keith Miller.
2714
2715         We should only ever hold references to the entry in the metadata table.
2716
2717         * bytecode/CodeBlock.cpp:
2718         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2719         * dfg/DFGByteCodeParser.cpp:
2720         (JSC::DFG::ByteCodeParser::parseBlock):
2721         * generator/Metadata.rb:
2722
2723 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
2724
2725         REGRESSION(r237547): Exception handlers should be aware of wide opcodes when JIT is disabled
2726         https://bugs.webkit.org/show_bug.cgi?id=191175
2727
2728         Reviewed by Keith Miller.
2729
2730         https://bugs.webkit.org/show_bug.cgi?id=191108 did not handle the case where the JIT is not enabled.
2731
2732         * jit/JITExceptions.cpp:
2733         (JSC::genericUnwind):
2734         * llint/LLIntData.h:
2735         (JSC::LLInt::getWideCodePtr):
2736
2737 2018-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2738
2739         Rename <wtf/unicode/UTF8.h> to <wtf/unicode/UTF8Conversion.h> in order to avoid conflicting with ICU's unicode/utf8.h
2740         https://bugs.webkit.org/show_bug.cgi?id=189693
2741
2742         Reviewed by Yusuke Suzuki.
2743
2744         * API/JSClassRef.cpp: Replaced <wtf/unicode/UTF8.h> with <wtf/unicode/UTF8Conversion.h>.
2745         * API/JSStringRef.cpp: Ditto.
2746         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2747         * wasm/WasmParser.h: Ditto.
2748
2749 2018-11-01  Keith Miller  <keith_miller@apple.com>
2750
2751         Unreviewed, JavaScriptCore should only guarantee to produce a
2752         modulemap if we are building for iOSMac.
2753
2754         * Configurations/JavaScriptCore.xcconfig:
2755
2756 2018-10-31  Devin Rousso  <drousso@apple.com>
2757
2758         Web Inspector: Canvas: create a setting for auto-recording newly created contexts
2759         https://bugs.webkit.org/show_bug.cgi?id=190856
2760
2761         Reviewed by Brian Burg.
2762
2763         * inspector/protocol/Canvas.json:
2764         Add `setRecordingAutoCaptureFrameCount` command for setting the number of frames to record
2765         immediately after a context is created.
2766
2767         * inspector/protocol/Recording.json:
2768         Add `creation` value for `Initiator` enum.
2769
2770 2018-10-31  Devin Rousso  <drousso@apple.com>
2771
2772         Web Inspector: display low-power enter/exit events in Timelines and Network node waterfalls
2773         https://bugs.webkit.org/show_bug.cgi?id=190641
2774         <rdar://problem/45319049>
2775
2776         Reviewed by Joseph Pecoraro.
2777
2778         * inspector/protocol/DOM.json:
2779         Add `videoLowPowerChanged` event that is fired when `InspectorDOMAgent` is able to determine
2780         whether a video element's low power state has changed.
2781
2782 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2783
2784         Adjust inlining threshold for new bytecode format
2785         https://bugs.webkit.org/show_bug.cgi?id=191115
2786
2787         Reviewed by Saam Barati.
2788
2789         The new format reduced the number of operands for many opcodes, which
2790         changed inlining decisions and impacted performance negatively.
2791
2792         * runtime/Options.h:
2793
2794 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2795
2796         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2797         https://bugs.webkit.org/show_bug.cgi?id=191108
2798         <rdar://problem/45690700>
2799
2800         Reviewed by Saam Barati.
2801
2802         When linking the handler, we need to check whether the target op_catch is
2803         wide or narrow in order to choose the right code pointer for the handler.
2804
2805         * bytecode/CodeBlock.cpp:
2806         (JSC::CodeBlock::finishCreation):
2807
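The narrow/wide distinction this fix (and the "New bytecode format for JSC" entry further down this log) depends on, as an added illustration written for this page rather than taken from the patch: a toy instruction stream with a wide prefix, 1-byte or 4-byte operands, whole-instruction decoding, and a handler lookup that inspects the encoding of the target op_catch before picking an entry point. This is not JavaScriptCore's encoding or its Instruction/InstructionStream classes; the opcode numbers, the 0xFF prefix, the operand counts and the Entry enum are all assumptions.

```cpp
// Added example: a toy narrow/wide instruction encoding modelled on the idea
// described in the ChangeLog (1-byte or 4-byte operands, a wide prefix,
// whole-instruction decoding). Not JavaScriptCore's real encoding.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

namespace toybc {

// Hypothetical opcodes and prefix value (assumed for this example).
enum Opcode : uint8_t { OpEnter = 1, OpAdd = 2, OpJmp = 3, OpCatch = 4, OpRet = 5 };
constexpr uint8_t kWidePrefix = 0xFF; // marks the next instruction as wide

// Operand count per opcode; the decoder must know it because operands are not
// self-describing in the stream.
inline size_t operandCount(uint8_t op) {
    switch (op) {
    case OpEnter: case OpRet: return 0;
    case OpJmp: return 1;
    case OpCatch: return 2;  // e.g. exception register, thrown-value register
    case OpAdd: return 3;
    default: throw std::invalid_argument("unknown opcode");
    }
}

inline bool fitsNarrow(int32_t v) {
    return v >= std::numeric_limits<int8_t>::min() && v <= std::numeric_limits<int8_t>::max();
}

// Encode one instruction, choosing the narrow form when every operand fits in a byte.
inline void emit(std::vector<uint8_t>& out, uint8_t op, const std::vector<int32_t>& operands) {
    if (operands.size() != operandCount(op))
        throw std::invalid_argument("operand count mismatch");
    bool wide = false;
    for (int32_t v : operands) wide = wide || !fitsNarrow(v);
    if (wide) out.push_back(kWidePrefix);
    out.push_back(op);
    for (int32_t v : operands) {
        if (wide) {
            uint32_t u = static_cast<uint32_t>(v);
            for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(u >> (8 * i)));
        } else {
            out.push_back(static_cast<uint8_t>(static_cast<int8_t>(v)));
        }
    }
}

struct Decoded {
    uint8_t opcode;
    bool wide;
    std::vector<int32_t> operands;
    size_t size; // total bytes consumed, including any prefix
};

// Decode the whole instruction at `offset`; operands are only reachable this way,
// and every read is bounds-checked so a truncated stream cannot be misread.
inline Decoded decodeAt(const std::vector<uint8_t>& code, size_t offset) {
    if (offset >= code.size()) throw std::out_of_range("offset past end of stream");
    Decoded d{};
    size_t pos = offset;
    d.wide = code[pos] == kWidePrefix;
    if (d.wide) ++pos;
    if (pos >= code.size()) throw std::out_of_range("truncated instruction");
    d.opcode = code[pos++];
    size_t n = operandCount(d.opcode);
    size_t width = d.wide ? 4 : 1;
    if (pos + n * width > code.size()) throw std::out_of_range("truncated operands");
    for (size_t i = 0; i < n; ++i) {
        if (d.wide) {
            uint32_t u = 0;
            for (int b = 0; b < 4; ++b) u |= static_cast<uint32_t>(code[pos + b]) << (8 * b);
            d.operands.push_back(static_cast<int32_t>(u));
        } else {
            d.operands.push_back(static_cast<int8_t>(code[pos]));
        }
        pos += width;
    }
    d.size = pos - offset;
    return d;
}

// Each opcode has two interpreter entry points, one per encoding, because the
// operand layout differs. Stand-in for the code pointers the ChangeLog mentions.
enum class Entry { Narrow, Wide };

// The check the exception-handler fix describes: look at the op_catch the
// handler targets and pick the entry point matching its encoding.
inline Entry handlerEntryFor(const std::vector<uint8_t>& code, size_t catchOffset) {
    Decoded d = decodeAt(code, catchOffset);
    if (d.opcode != OpCatch) throw std::logic_error("handler target is not op_catch");
    return d.wide ? Entry::Wide : Entry::Narrow;
}

} // namespace toybc
```

The point of routing every operand read through decodeAt is the one the entry makes: an instruction's operands are only meaningful once its width is known, so any consumer that keeps a code pointer for a narrow instruction and lands on a wide one (or the reverse) reads the wrong bytes as operands. Selecting the handler's entry point from the decoded width of the target op_catch closes exactly that mismatch.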
2808 2018-10-31  Dominik Infuehr  <dinfuehr@igalia.com>
2809
2810         Align entries in metadata table
2811         https://bugs.webkit.org/show_bug.cgi?id=191062
2812
2813         Reviewed by Filip Pizlo.
2814
2815         Entries in the metadata table need to be aligned on some 32-bit
2816         architectures.
2817
2818         * bytecode/MetadataTable.h:
2819         (JSC::MetadataTable::forEach):
2820         * bytecode/Opcode.cpp:
2821         (JSC::metadataAlignment):
2822         * bytecode/Opcode.h:
2823         * bytecode/UnlinkedMetadataTableInlines.h:
2824         (JSC::UnlinkedMetadataTable::finalize):
2825         * generator/Section.rb:
2826
2827 2018-10-31  Jim Mason  <jmason@ibinx.com>
2828
2829         Static global 'fastHandlerInstalled' conditionally declared in WasmFaultSignalHandler.cpp
2830         https://bugs.webkit.org/show_bug.cgi?id=191063
2831
2832         Reviewed by Yusuke Suzuki.
2833
2834         * wasm/WasmFaultSignalHandler.cpp:
2835
2836 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2837
2838         [JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions
2839         https://bugs.webkit.org/show_bug.cgi?id=191092
2840
2841         Reviewed by Saam Barati.
2842
2843         Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the
2844         following things to tighten LLInt ASM code.
2845
2846         1. Remove unnecessary load instructions. Use jmp with BaseIndex directly.
2847         2. Introduce strength reduction for mul instructions in offlineasm layer. This is now critical
2848         since the mul instruction is executed in the `metadata` operation in LLInt. If the given immediate is
2849         a power of two, we convert it to lshift instruction.
2850
2851         * llint/LowLevelInterpreter32_64.asm:
2852         * llint/LowLevelInterpreter64.asm:
2853         * offlineasm/arm64.rb:
2854         * offlineasm/instructions.rb:
2855         * offlineasm/x86.rb:
2856
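The strength reduction in item 2, as an added example: offlineasm itself is Ruby, but this stand-alone C++ sketch (written for this page, not offlineasm's code) shows the rewrite over a toy instruction list together with the edge cases a peephole pass has to leave alone, and a reference evaluator that confirms the rewritten form computes the same value. Op, Instr, strengthReduce and apply are assumptions for the example.

```cpp
// Added example: strength reduction of multiply-by-immediate into a left shift,
// the optimisation the ChangeLog describes for the offlineasm layer. Illustrative
// C++ stand-in, not WebKit's offlineasm.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace peephole {

enum class Op { Mul, LShift, Other };

struct Instr {
    Op op;
    int64_t imm;   // immediate operand; meaningful for Mul and LShift
};

// A strictly positive power of two has exactly one bit set.
inline bool isPowerOfTwo(int64_t v) {
    return v > 0 && (v & (v - 1)) == 0;
}

// Index of the single set bit, i.e. log2 for a power of two.
inline int log2Exact(int64_t v) {
    int n = 0;
    while ((v >> n) != 1) ++n;
    return n;
}

// Rewrite `mul imm` into `lshift log2(imm)` when imm is a power of two.
// Returns the number of instructions rewritten. Zero, negative and
// non-power-of-two immediates are deliberately left as multiplies: none of
// them is a single shift, and leaving them alone keeps their semantics intact.
inline size_t strengthReduce(std::vector<Instr>& code) {
    size_t rewritten = 0;
    for (Instr& i : code) {
        if (i.op != Op::Mul || !isPowerOfTwo(i.imm)) continue;
        i.op = Op::LShift;
        i.imm = log2Exact(i.imm);
        ++rewritten;
    }
    return rewritten;
}

// Reference evaluator for one operand, used to show the rewrite preserves
// results (wrapping 64-bit multiply, as a machine mul would).
inline uint64_t apply(const Instr& i, uint64_t x) {
    switch (i.op) {
    case Op::Mul:    return x * static_cast<uint64_t>(i.imm);
    case Op::LShift: return x << i.imm;
    default:         return x;
    }
}

} // namespace peephole
```

The evaluator is the part worth keeping around when adding a peephole rule: a rewrite that fires on an immediate of 0 or a negative value would silently change the computed result, which is why the guard is the strict power-of-two test rather than a cheaper "is the low bit clear" check.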
2857 2018-10-30  Don Olmstead  <don.olmstead@sony.com>
2858
2859         [PlayStation] Enable JavaScriptCore
2860         https://bugs.webkit.org/show_bug.cgi?id=191072
2861
2862         Reviewed by Brent Fulgham.
2863
2864         Add platform files for the PlayStation port.
2865
2866         * PlatformPlayStation.cmake: Added.
2867
2868 2018-10-30  Alexey Proskuryakov  <ap@apple.com>
2869
2870         Clean up some obsolete MAX_ALLOWED macros
2871         https://bugs.webkit.org/show_bug.cgi?id=190916
2872
2873         Reviewed by Tim Horton.
2874
2875         * API/JSManagedValue.mm:
2876         * API/JSVirtualMachine.mm:
2877         * API/JSWrapperMap.mm:
2878
2879 2018-10-30  Ross Kirsling  <ross.kirsling@sony.com>
2880
2881         useProbeOSRExit causes failures for Win64 DFG JIT
2882         https://bugs.webkit.org/show_bug.cgi?id=190656
2883
2884         Reviewed by Keith Miller.
2885
2886         * assembler/ProbeContext.cpp:
2887         (JSC::Probe::executeProbe):
2888         If lowWatermark is expected to equal lowWatermarkFromVisitingDirtyPages *regardless* of the input param,
2889         then let's just call lowWatermarkFromVisitingDirtyPages instead.
2890
2891         * dfg/DFGOSRExit.cpp:
2892         (JSC::DFG::OSRExit::executeOSRExit):
2893         The result of VariableEventStream::reconstruct appears to be inappropriate for direct use as a stack pointer offset;
2894         mimic the non-probe case and use requiredRegisterCountForExit from DFGCommonData instead.
2895         (Also, stop redundantly setting the stack pointer twice in a row.)
2896
2897 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2898
2899         "Unreviewed, partial rolling in r237254"
2900         https://bugs.webkit.org/show_bug.cgi?id=190340
2901
2902         This only adds Parser.{cpp,h}, and it is not used in this patch.
2903         It examines whether the regression is related to the exact Parser changes.
2904
2905         * parser/Parser.cpp:
2906         (JSC::Parser<LexerType>::parseInner):
2907         (JSC::Parser<LexerType>::parseSingleFunction):
2908         (JSC::Parser<LexerType>::parseFunctionInfo):
2909         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2910         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2911         * parser/Parser.h:
2912         (JSC::Parser<LexerType>::parse):
2913         (JSC::parse):
2914         (JSC::parseFunctionForFunctionConstructor):
2915
2916 2018-10-29  Mark Lam  <mark.lam@apple.com>
2917
2918         Correctly detect string overflow when using the 'Function' constructor.
2919         https://bugs.webkit.org/show_bug.cgi?id=184883
2920         <rdar://problem/36320331>
2921
2922         Reviewed by Saam Barati.
2923
2924         Added StringBuilder::hasOverflowed() checks, and throwing OutOfMemoryErrors if
2925         we detect an overflow.
2926
2927         * runtime/FunctionConstructor.cpp:
2928         (JSC::constructFunctionSkippingEvalEnabledCheck):
2929         * runtime/JSGlobalObjectFunctions.cpp:
2930         (JSC::encode):
2931         (JSC::decode):
2932         * runtime/JSONObject.cpp:
2933         (JSC::Stringifier::stringify):
2934         (JSC::Stringifier::appendStringifiedValue):
2935
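The pattern this entry adds to the Function constructor, as an added example that is not WTF::StringBuilder or JavaScriptCore's code: a builder whose length accounting is checked before each addition so it can never wrap, which records overflow in a sticky flag, refuses to hand out a result once overflowed, and lets the caller turn that into an out-of-memory failure instead of a wrongly sized string. The 64-byte cap, the Builder and BuildResult types and the exact source-text layout are assumptions for the example (the cap is tiny so the overflow path can be exercised without allocating gigabytes).

```cpp
// Added example: a string builder that detects length overflow instead of
// silently wrapping, mirroring the hasOverflowed() check described in the
// ChangeLog. Not WTF::StringBuilder.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

namespace checked {

// Hypothetical cap standing in for a 32-bit string length limit.
constexpr uint32_t kMaxLength = 64;

class Builder {
public:
    // Appending never throws; it only records that the would-be length is too
    // large. Once overflowed the builder stays overflowed (sticky flag).
    void append(const std::string& s) {
        if (m_overflowed) return;
        // Compare against the remaining headroom so the addition cannot wrap.
        if (s.size() > kMaxLength - m_length) {
            m_overflowed = true;
            m_buffer.clear();           // no partial result leaks out
            return;
        }
        m_length += static_cast<uint32_t>(s.size());
        m_buffer += s;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t length() const { return m_length; }
    // The only way to obtain the text; refuses once overflowed.
    std::string toString() const {
        if (m_overflowed) throw std::length_error("builder overflowed");
        return m_buffer;
    }
private:
    std::string m_buffer;
    uint32_t m_length = 0;
    bool m_overflowed = false;
};

// Outcome of assembling source text: either the text, or an out-of-memory
// style failure the caller turns into an error for script.
struct BuildResult {
    bool ok;
    std::string source;
};

// Assemble "function anonymous(<params>) {\n<body>\n}" with overflow checks.
// The layout is an assumption for the example, chosen to resemble the source
// text a Function constructor has to build from caller-controlled strings.
inline BuildResult buildFunctionSource(const std::vector<std::string>& params,
                                       const std::string& body) {
    Builder b;
    b.append("function anonymous(");
    for (size_t i = 0; i < params.size(); ++i) {
        if (i) b.append(",");
        b.append(params[i]);
    }
    b.append(") {\n");
    b.append(body);
    b.append("\n}");
    if (b.hasOverflowed())
        return {false, std::string()};  // caller throws OutOfMemoryError here
    return {true, b.toString()};
}

} // namespace checked
```

Two details carry the security value. The headroom comparison happens before the length is updated, so the check itself cannot be defeated by the arithmetic it guards, and the flag is sticky, so a consumer that checks hasOverflowed() once at the end (as the entry adds to constructFunctionSkippingEvalEnabledCheck and the JSON stringifier) catches an overflow that happened in any earlier append.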
2936 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2937
2938         Unreviewed, fix JSC on arm64e after r237547
2939         https://bugs.webkit.org/show_bug.cgi?id=187373
2940
2941         Unreviewed.
2942
2943         Remove unused move guarded by POINTER_PROFILING that was trashing the
2944         metadata on arm64e.
2945
2946         * llint/LowLevelInterpreter64.asm:
2947
2948 2018-10-29  Keith Miller  <keith_miller@apple.com>
2949
2950         JSC should explicitly list its modulemap file
2951         https://bugs.webkit.org/show_bug.cgi?id=191032
2952
2953         Reviewed by Saam Barati.
2954
2955         The automagically generated module map file for JSC will
2956         include headers where they may not work out of the box.
2957         This patch makes it so we now export the same modulemap
2958         that used to be provided via the legacy system.
2959
2960         * Configurations/JavaScriptCore.xcconfig:
2961         * JavaScriptCore.modulemap: Added.
2962         * JavaScriptCore.xcodeproj/project.pbxproj:
2963
2964 2018-10-29  Tim Horton  <timothy_horton@apple.com>
2965
2966         Modernize WebKit nibs and lprojs for localization's sake
2967         https://bugs.webkit.org/show_bug.cgi?id=190911
2968         <rdar://problem/45349466>
2969
2970         Reviewed by Dan Bernstein.
2971
2972         * JavaScriptCore.xcodeproj/project.pbxproj:
2973         English->en
2974
2975 2018-10-29  Commit Queue  <commit-queue@webkit.org>
2976
2977         Unreviewed, rolling out r237492.
2978         https://bugs.webkit.org/show_bug.cgi?id=191035
2979
2980         "It regresses JetStream 2 by 5% on some iOS devices"
2981         (Requested by saamyjoon on #webkit).
2982
2983         Reverted changeset:
2984
2985         "Unreviewed, partial rolling in r237254"
2986         https://bugs.webkit.org/show_bug.cgi?id=190340
2987         https://trac.webkit.org/changeset/237492
2988
2989 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2990
2991         Add support for GetStack FlushedDouble
2992         https://bugs.webkit.org/show_bug.cgi?id=191012
2993         <rdar://problem/45265141>
2994
2995         Reviewed by Saam Barati.
2996
2997         LowerDFGToB3::compileGetStack assumed that we would not emit GetStack
2998         for doubles, but it turns out it may arise from the PutStack sinking
2999         phase: if we sink a PutStack into a successor block, other predecessors
3000         will emit a GetStack followed by an Upsilon.
3001
3002         * ftl/FTLLowerDFGToB3.cpp:
3003         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3004
3005 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3006
3007         New bytecode format for JSC
3008         https://bugs.webkit.org/show_bug.cgi?id=187373
3009         <rdar://problem/44186758>
3010
3011         Reviewed by Filip Pizlo.
3012
3013         Replace unlinked and linked bytecode with a new immutable bytecode that does not embed
3014         any addresses. Instructions can be encoded as narrow (1-byte operands) or wide (4-byte
3015         operands) and might contain an extra operand, the metadataID. The metadataID is used to
3016         access the instruction's mutable data in a side table in the CodeBlock (the MetadataTable).
3017
3018         Bytecodes now must be structs declared in the new BytecodeList.rb. All bytecodes give names
3019         and types to all their operands. Additionally, reading a bytecode from the instruction stream
3020         requires decoding the whole bytecode, i.e. it's no longer possible to access arbitrary
3021         operands directly from the stream.
3022
3023
3024         * CMakeLists.txt:
3025         * DerivedSources.make:
3026         * JavaScriptCore.xcodeproj/project.pbxproj:
3027         * Sources.txt:
3028         * assembler/MacroAssemblerCodeRef.h:
3029         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3030         (JSC::ReturnAddressPtr::value const):
3031         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3032         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3033         * bytecode/ArithProfile.h:
3034         (JSC::ArithProfile::ArithProfile):
3035         * bytecode/ArrayAllocationProfile.h:
3036         (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
3037         * bytecode/ArrayProfile.h:
3038         * bytecode/BytecodeBasicBlock.cpp:
3039         (JSC::isJumpTarget):
3040         (JSC::BytecodeBasicBlock::computeImpl):
3041         (JSC::BytecodeBasicBlock::compute):
3042         * bytecode/BytecodeBasicBlock.h:
3043         (JSC::BytecodeBasicBlock::leaderOffset const):
3044         (JSC::BytecodeBasicBlock::totalLength const):
3045         (JSC::BytecodeBasicBlock::offsets const):
3046         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3047         (JSC::BytecodeBasicBlock::addLength):
3048         * bytecode/BytecodeDumper.cpp:
3049         (JSC::BytecodeDumper<Block>::printLocationAndOp):
3050         (JSC::BytecodeDumper<Block>::dumpBytecode):
3051         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
3052         (JSC::BytecodeDumper<Block>::dumpConstants):
3053         (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
3054         (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
3055         (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
3056         (JSC::BytecodeDumper<Block>::dumpBlock):
3057         * bytecode/BytecodeDumper.h:
3058         (JSC::BytecodeDumper::dumpOperand):
3059         (JSC::BytecodeDumper::dumpValue):
3060         (JSC::BytecodeDumper::BytecodeDumper):
3061         (JSC::BytecodeDumper::block const):
3062         * bytecode/BytecodeGeneratorification.cpp:
3063         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3064         (JSC::BytecodeGeneratorification::enterPoint const):
3065         (JSC::BytecodeGeneratorification::instructions const):
3066         (JSC::GeneratorLivenessAnalysis::run):
3067         (JSC::BytecodeGeneratorification::run):
3068         (JSC::performGeneratorification):
3069         * bytecode/BytecodeGeneratorification.h:
3070         * bytecode/BytecodeGraph.h:
3071         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3072         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3073         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3074         (JSC::BytecodeGraph::BytecodeGraph):
3075         * bytecode/BytecodeKills.h:
3076         * bytecode/BytecodeList.json: Removed.
3077         * bytecode/BytecodeList.rb: Added.
3078         * bytecode/BytecodeLivenessAnalysis.cpp:
3079         (JSC::BytecodeLivenessAnalysis::dumpResults):
3080         * bytecode/BytecodeLivenessAnalysis.h:
3081         * bytecode/BytecodeLivenessAnalysisInlines.h:
3082         (JSC::isValidRegisterForLiveness):
3083         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3084         * bytecode/BytecodeRewriter.cpp:
3085         (JSC::BytecodeRewriter::applyModification):
3086         (JSC::BytecodeRewriter::execute):
3087         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3088         (JSC::BytecodeRewriter::insertImpl):
3089         (JSC::BytecodeRewriter::adjustJumpTarget):
3090         (JSC::BytecodeRewriter::adjustJumpTargets):
3091         * bytecode/BytecodeRewriter.h:
3092         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
3093         (JSC::BytecodeRewriter::Fragment::Fragment):
3094         (JSC::BytecodeRewriter::Fragment::appendInstruction):
3095         (JSC::BytecodeRewriter::BytecodeRewriter):
3096         (JSC::BytecodeRewriter::insertFragmentBefore):
3097         (JSC::BytecodeRewriter::insertFragmentAfter):
3098         (JSC::BytecodeRewriter::removeBytecode):
3099         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
3100         (JSC::BytecodeRewriter::adjustJumpTarget):
3101         * bytecode/BytecodeUseDef.h:
3102         (JSC::computeUsesForBytecodeOffset):
3103         (JSC::computeDefsForBytecodeOffset):
3104         * bytecode/CallLinkStatus.cpp:
3105         (JSC::CallLinkStatus::computeFromLLInt):
3106         * bytecode/CodeBlock.cpp:
3107         (JSC::CodeBlock::dumpBytecode):
3108         (JSC::CodeBlock::CodeBlock):
3109         (JSC::CodeBlock::finishCreation):
3110         (JSC::CodeBlock::estimatedSize):
3111         (JSC::CodeBlock::visitChildren):
3112         (JSC::CodeBlock::propagateTransitions):
3113         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3114         (JSC::CodeBlock::addJITAddIC):
3115         (JSC::CodeBlock::addJITMulIC):
3116         (JSC::CodeBlock::addJITSubIC):
3117         (JSC::CodeBlock::addJITNegIC):
3118         (JSC::CodeBlock::stronglyVisitStrongReferences):
3119         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
3120         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3121         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3122         (JSC::CodeBlock::getArrayProfile):
3123         (JSC::CodeBlock::updateAllArrayPredictions):
3124         (JSC::CodeBlock::predictedMachineCodeSize):
3125         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
3126         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
3127         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3128         (JSC::CodeBlock::validate):
3129         (JSC::CodeBlock::outOfLineJumpOffset):
3130         (JSC::CodeBlock::outOfLineJumpTarget):
3131         (JSC::CodeBlock::arithProfileForBytecodeOffset):
3132         (JSC::CodeBlock::arithProfileForPC):
3133         (JSC::CodeBlock::couldTakeSpecialFastCase):
3134         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3135         * bytecode/CodeBlock.h:
3136         (JSC::CodeBlock::addMathIC):
3137         (JSC::CodeBlock::outOfLineJumpOffset):
3138         (JSC::CodeBlock::bytecodeOffset):
3139         (JSC::CodeBlock::instructions const):
3140         (JSC::CodeBlock::instructionCount const):
3141         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
3142         (JSC::CodeBlock::metadata):
3143         (JSC::CodeBlock::metadataSizeInBytes):
3144         (JSC::CodeBlock::numberOfNonArgumentValueProfiles):
3145         (JSC::CodeBlock::totalNumberOfValueProfiles):
3146         * bytecode/CodeBlockInlines.h: Added.
3147         (JSC::CodeBlock::forEachValueProfile):
3148         (JSC::CodeBlock::forEachArrayProfile):
3149         (JSC::CodeBlock::forEachArrayAllocationProfile):
3150         (JSC::CodeBlock::forEachObjectAllocationProfile):
3151         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
3152         * bytecode/Fits.h: Added.
3153         * bytecode/GetByIdMetadata.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3154         * bytecode/GetByIdStatus.cpp:
3155         (JSC::GetByIdStatus::computeFromLLInt):
3156         * bytecode/Instruction.h:
3157         (JSC::Instruction::Instruction):
3158         (JSC::Instruction::Impl::opcodeID const):
3159         (JSC::Instruction::opcodeID const):
3160         (JSC::Instruction::name const):
3161         (JSC::Instruction::isWide const):
3162         (JSC::Instruction::size const):
3163         (JSC::Instruction::is const):
3164         (JSC::Instruction::as const):
3165         (JSC::Instruction::cast):
3166         (JSC::Instruction::cast const):
3167         (JSC::Instruction::narrow const):
3168         (JSC::Instruction::wide const):
3169         * bytecode/InstructionStream.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3170         (JSC::InstructionStream::InstructionStream):
3171         (JSC::InstructionStream::sizeInBytes const):
3172         * bytecode/InstructionStream.h: Added.
3173         (JSC::InstructionStream::BaseRef::BaseRef):
3174         (JSC::InstructionStream::BaseRef::operator=):
3175         (JSC::InstructionStream::BaseRef::operator-> const):
3176         (JSC::InstructionStream::BaseRef::ptr const):
3177         (JSC::InstructionStream::BaseRef::operator!= const):
3178         (JSC::InstructionStream::BaseRef::next const):
3179         (JSC::InstructionStream::BaseRef::offset const):
3180         (JSC::InstructionStream::BaseRef::isValid const):
3181         (JSC::InstructionStream::BaseRef::unwrap const):
3182         (JSC::InstructionStream::MutableRef::freeze const):
3183         (JSC::InstructionStream::MutableRef::operator->):
3184         (JSC::InstructionStream::MutableRef::ptr):
3185         (JSC::InstructionStream::MutableRef::operator Ref):
3186         (JSC::InstructionStream::MutableRef::unwrap):
3187         (JSC::InstructionStream::iterator::operator*):
3188         (JSC::InstructionStream::iterator::operator++):
3189         (JSC::InstructionStream::begin const):
3190         (JSC::InstructionStream::end const):
3191         (JSC::InstructionStream::at const):
3192         (JSC::InstructionStream::size const):
3193         (JSC::InstructionStreamWriter::InstructionStreamWriter):
3194         (JSC::InstructionStreamWriter::ref):
3195         (JSC::InstructionStreamWriter::seek):
3196         (JSC::InstructionStreamWriter::position):
3197         (JSC::InstructionStreamWriter::write):
3198         (JSC::InstructionStreamWriter::rewind):
3199         (JSC::InstructionStreamWriter::finalize):
3200         (JSC::InstructionStreamWriter::swap):
3201         (JSC::InstructionStreamWriter::iterator::operator*):
3202         (JSC::InstructionStreamWriter::iterator::operator++):
3203         (JSC::InstructionStreamWriter::begin):
3204         (JSC::InstructionStreamWriter::end):
3205         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3206         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
3207         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3208         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
3209         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3210         * bytecode/MetadataTable.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3211         (JSC::MetadataTable::MetadataTable):
3212         (JSC::DeallocTable::withOpcodeType):
3213         (JSC::MetadataTable::~MetadataTable):
3214         (JSC::MetadataTable::sizeInBytes):
3215         * bytecode/MetadataTable.h: Copied from Source/JavaScriptCore/runtime/Watchdog.h.
3216         (JSC::MetadataTable::get):
3217         (JSC::MetadataTable::forEach):
3218         (JSC::MetadataTable::getImpl):
3219         * bytecode/Opcode.cpp:
3220         (JSC::metadataSize):
3221         * bytecode/Opcode.h:
3222         (JSC::padOpcodeName):
3223         * bytecode/OpcodeInlines.h:
3224         (JSC::isOpcodeShape):
3225         (JSC::getOpcodeType):
3226         * bytecode/OpcodeSize.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3227         * bytecode/PreciseJumpTargets.cpp:
3228         (JSC::getJumpTargetsForInstruction):
3229         (JSC::computePreciseJumpTargetsInternal):
3230         (JSC::computePreciseJumpTargets):
3231         (JSC::recomputePreciseJumpTargets):
3232         (JSC::findJumpTargetsForInstruction):
3233         * bytecode/PreciseJumpTargets.h:
3234         * bytecode/PreciseJumpTargetsInlines.h:
3235         (JSC::jumpTargetForInstruction):
3236         (JSC::extractStoredJumpTargetsForInstruction):
3237         (JSC::updateStoredJumpTargetsForInstruction):
3238         * bytecode/PutByIdStatus.cpp:
3239         (JSC::PutByIdStatus::computeFromLLInt):
3240         * bytecode/SpecialPointer.cpp:
3241         (WTF::printInternal):
3242         * bytecode/SpecialPointer.h:
3243         * bytecode/UnlinkedCodeBlock.cpp:
3244         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3245         (JSC::UnlinkedCodeBlock::visitChildren):
3246         (JSC::UnlinkedCodeBlock::estimatedSize):
3247         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
3248         (JSC::dumpLineColumnEntry):
3249         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const):
3250         (JSC::UnlinkedCodeBlock::setInstructions):
3251         (JSC::UnlinkedCodeBlock::instructions const):
3252         (JSC::UnlinkedCodeBlock::applyModification):
3253         (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget):
3254         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3255         * bytecode/UnlinkedCodeBlock.h:
3256         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction):
3257         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const):
3258         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
3259         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
3260         (JSC::UnlinkedCodeBlock::metadata):
3261         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
3262         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3263         (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets):
3264         * bytecode/UnlinkedInstructionStream.cpp: Removed.
3265         * bytecode/UnlinkedInstructionStream.h: Removed.
3266         * bytecode/UnlinkedMetadataTable.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3267         * bytecode/UnlinkedMetadataTableInlines.h: Added.
3268         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
3269         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
3270         (JSC::UnlinkedMetadataTable::addEntry):
3271         (JSC::UnlinkedMetadataTable::sizeInBytes):
3272         (JSC::UnlinkedMetadataTable::finalize):
3273         (JSC::UnlinkedMetadataTable::link):
3274         (JSC::UnlinkedMetadataTable::unlink):
3275         * bytecode/VirtualRegister.cpp:
3276         (JSC::VirtualRegister::VirtualRegister):
3277         * bytecode/VirtualRegister.h:
3278         * bytecompiler/BytecodeGenerator.cpp:
3279         (JSC::Label::setLocation):
3280         (JSC::Label::bind):
3281         (JSC::BytecodeGenerator::generate):
3282         (JSC::BytecodeGenerator::BytecodeGenerator):
3283         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
3284         (JSC::BytecodeGenerator::emitEnter):
3285         (JSC::BytecodeGenerator::emitLoopHint):
3286         (JSC::BytecodeGenerator::emitJump):
3287         (JSC::BytecodeGenerator::emitCheckTraps):
3288         (JSC::BytecodeGenerator::rewind):
3289         (JSC::BytecodeGenerator::fuseCompareAndJump):
3290         (JSC::BytecodeGenerator::fuseTestAndJmp):
3291         (JSC::BytecodeGenerator::emitJumpIfTrue):
3292         (JSC::BytecodeGenerator::emitJumpIfFalse):
3293         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3294         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3295         (JSC::BytecodeGenerator::moveLinkTimeConstant):
3296         (JSC::BytecodeGenerator::moveEmptyValue):
3297         (JSC::BytecodeGenerator::emitMove):
3298         (JSC::BytecodeGenerator::emitUnaryOp):
3299         (JSC::BytecodeGenerator::emitBinaryOp):
3300         (JSC::BytecodeGenerator::emitToObject):
3301         (JSC::BytecodeGenerator::emitToNumber):
3302         (JSC::BytecodeGenerator::emitToString):
3303         (JSC::BytecodeGenerator::emitTypeOf):
3304         (JSC::BytecodeGenerator::emitInc):
3305         (JSC::BytecodeGenerator::emitDec):
3306         (JSC::BytecodeGenerator::emitEqualityOp):
3307         (JSC::BytecodeGenerator::emitProfileType):
3308         (JSC::BytecodeGenerator::emitProfileControlFlow):
3309         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3310         (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
3311         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3312         (JSC::BytecodeGenerator::emitOverridesHasInstance):
3313         (JSC::BytecodeGenerator::emitResolveScope):
3314         (JSC::BytecodeGenerator::emitGetFromScope):
3315         (JSC::BytecodeGenerator::emitPutToScope):
3316         (JSC::BytecodeGenerator::emitInstanceOf):
3317         (JSC::BytecodeGenerator::emitInstanceOfCustom):
3318         (JSC::BytecodeGenerator::emitInByVal):
3319         (JSC::BytecodeGenerator::emitInById):
3320         (JSC::BytecodeGenerator::emitTryGetById):
3321         (JSC::BytecodeGenerator::emitGetById):
3322         (JSC::BytecodeGenerator::emitDirectGetById):
3323         (JSC::BytecodeGenerator::emitPutById):
3324         (JSC::BytecodeGenerator::emitDirectPutById):
3325         (JSC::BytecodeGenerator::emitPutGetterById):
3326         (JSC::BytecodeGenerator::emitPutSetterById):
3327         (JSC::BytecodeGenerator::emitPutGetterSetter):
3328         (JSC::BytecodeGenerator::emitPutGetterByVal):
3329         (JSC::BytecodeGenerator::emitPutSetterByVal):
3330         (JSC::BytecodeGenerator::emitDeleteById):
3331         (JSC::BytecodeGenerator::emitGetByVal):
3332         (JSC::BytecodeGenerator::emitPutByVal):
3333         (JSC::BytecodeGenerator::emitDirectPutByVal):
3334         (JSC::BytecodeGenerator::emitDeleteByVal):
3335         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
3336         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
3337         (JSC::BytecodeGenerator::emitIdWithProfile):
3338         (JSC::BytecodeGenerator::emitUnreachable):
3339         (JSC::BytecodeGenerator::emitGetArgument):
3340         (JSC::BytecodeGenerator::emitCreateThis):
3341         (JSC::BytecodeGenerator::emitTDZCheck):
3342         (JSC::BytecodeGenerator::emitNewObject):
3343         (JSC::BytecodeGenerator::emitNewArrayBuffer):
3344         (JSC::BytecodeGenerator::emitNewArray):
3345         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
3346         (JSC::BytecodeGenerator::emitNewArrayWithSize):
3347         (JSC::BytecodeGenerator::emitNewRegExp):
3348         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
3349         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3350         (JSC::BytecodeGenerator::emitNewFunction):
3351         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
3352         (JSC::BytecodeGenerator::emitCall):
3353         (JSC::BytecodeGenerator::emitCallInTailPosition):
3354         (JSC::BytecodeGenerator::emitCallEval):
3355         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3356         (JSC::BytecodeGenerator::emitCallVarargs):
3357         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3358         (JSC::BytecodeGenerator::emitConstructVarargs):
3359         (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
3360         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3361         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3362         (JSC::BytecodeGenerator::emitCallDefineProperty):
3363         (JSC::BytecodeGenerator::emitReturn):
3364         (JSC::BytecodeGenerator::emitEnd):
3365         (JSC::BytecodeGenerator::emitConstruct):
3366         (JSC::BytecodeGenerator::emitStrcat):
3367         (JSC::BytecodeGenerator::emitToPrimitive):
3368         (JSC::BytecodeGenerator::emitGetScope):
3369         (JSC::BytecodeGenerator::emitPushWithScope):
3370         (JSC::BytecodeGenerator::emitGetParentScope):
3371         (JSC::BytecodeGenerator::emitDebugHook):
3372         (JSC::BytecodeGenerator::emitCatch):
3373         (JSC::BytecodeGenerator::emitThrow):
3374         (JSC::BytecodeGenerator::emitArgumentCount):
3375         (JSC::BytecodeGenerator::emitThrowStaticError):
3376         (JSC::BytecodeGenerator::beginSwitch):
3377         (JSC::prepareJumpTableForSwitch):
3378         (JSC::prepareJumpTableForStringSwitch):
3379         (JSC::BytecodeGenerator::endSwitch):
3380         (JSC::BytecodeGenerator::emitGetEnumerableLength):
3381         (JSC::BytecodeGenerator::emitHasGenericProperty):
3382         (JSC::BytecodeGenerator::emitHasIndexedProperty):
3383         (JSC::BytecodeGenerator::emitHasStructureProperty):
3384         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
3385         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
3386         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
3387         (JSC::BytecodeGenerator::emitToIndexString):
3388         (JSC::BytecodeGenerator::emitIsCellWithType):
3389         (JSC::BytecodeGenerator::emitIsObject):
3390         (JSC::BytecodeGenerator::emitIsNumber):
3391         (JSC::BytecodeGenerator::emitIsUndefined):
3392         (JSC::BytecodeGenerator::emitIsEmpty):