Web Inspector: Timelines: can't reliably stop/start a recording
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-04-11  Devin Rousso  <drousso@apple.com>
2
3         Web Inspector: Timelines: can't reliably stop/start a recording
4         https://bugs.webkit.org/show_bug.cgi?id=196778
5         <rdar://problem/47606798>
6
7         Reviewed by Timothy Hatcher.
8
9         * inspector/protocol/ScriptProfiler.json:
10         * inspector/protocol/Timeline.json:
11         It is possible to determine when programmatic capturing starts/stops in the frontend based
12         on the state when the backend causes the state to change, such as if the state is "inactive"
13         when the frontend is told that the backend has started capturing.
14
15         * inspector/protocol/CPUProfiler.json:
16         * inspector/protocol/Memory.json:
17         Send an end timestamp to match other instruments.
18
19         * inspector/JSGlobalObjectConsoleClient.cpp:
20         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
21         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
22
23         * inspector/agents/InspectorScriptProfilerAgent.h:
24         * inspector/agents/InspectorScriptProfilerAgent.cpp:
25         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
26         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
27         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
28
29 2019-04-11  Saam barati  <sbarati@apple.com>
30
31         Rename SetArgument to SetArgumentDefinitely
32         https://bugs.webkit.org/show_bug.cgi?id=196828
33
34         Reviewed by Yusuke Suzuki.
35
36         This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
37         where we will introduce a node named SetArgumentMaybe. Doing this refactoring
38         first will make reviewing that other patch easier.
39
40         * dfg/DFGAbstractInterpreterInlines.h:
41         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
42         * dfg/DFGByteCodeParser.cpp:
43         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
44         (JSC::DFG::ByteCodeParser::parseBlock):
45         * dfg/DFGCPSRethreadingPhase.cpp:
46         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
47         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
48         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
49         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
50         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
51         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
52         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
53         * dfg/DFGClobberize.h:
54         (JSC::DFG::clobberize):
55         * dfg/DFGCommon.h:
56         * dfg/DFGDoesGC.cpp:
57         (JSC::DFG::doesGC):
58         * dfg/DFGFixupPhase.cpp:
59         (JSC::DFG::FixupPhase::fixupNode):
60         * dfg/DFGGraph.cpp:
61         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
62         * dfg/DFGGraph.h:
63         * dfg/DFGInPlaceAbstractState.cpp:
64         (JSC::DFG::InPlaceAbstractState::initialize):
65         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
66         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
67         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
68         * dfg/DFGMaximalFlushInsertionPhase.cpp:
69         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
70         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
71         * dfg/DFGMayExit.cpp:
72         * dfg/DFGNode.cpp:
73         (JSC::DFG::Node::hasVariableAccessData):
74         * dfg/DFGNode.h:
75         (JSC::DFG::Node::convertPhantomToPhantomLocal):
76         * dfg/DFGNodeType.h:
77         * dfg/DFGOSREntrypointCreationPhase.cpp:
78         (JSC::DFG::OSREntrypointCreationPhase::run):
79         * dfg/DFGPhantomInsertionPhase.cpp:
80         * dfg/DFGPredictionPropagationPhase.cpp:
81         * dfg/DFGSSAConversionPhase.cpp:
82         (JSC::DFG::SSAConversionPhase::run):
83         * dfg/DFGSafeToExecute.h:
84         (JSC::DFG::safeToExecute):
85         * dfg/DFGSpeculativeJIT.cpp:
86         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
87         * dfg/DFGSpeculativeJIT32_64.cpp:
88         (JSC::DFG::SpeculativeJIT::compile):
89         * dfg/DFGSpeculativeJIT64.cpp:
90         (JSC::DFG::SpeculativeJIT::compile):
91         * dfg/DFGTypeCheckHoistingPhase.cpp:
92         (JSC::DFG::TypeCheckHoistingPhase::run):
93         * dfg/DFGValidate.cpp:
94         * ftl/FTLCapabilities.cpp:
95         (JSC::FTL::canCompile):
96
97 2019-04-11  Truitt Savell  <tsavell@apple.com>
98
99         Unreviewed, rolling out r244158.
100
101         Caused 8 inspector/timeline/ test failures.
102
103         Reverted changeset:
104
105         "Web Inspector: Timelines: can't reliably stop/start a
106         recording"
107         https://bugs.webkit.org/show_bug.cgi?id=196778
108         https://trac.webkit.org/changeset/244158
109
110 2019-04-10  Saam Barati  <sbarati@apple.com>
111
112         AbstractValue::validateOSREntryValue is wrong for Int52 constants
113         https://bugs.webkit.org/show_bug.cgi?id=196801
114         <rdar://problem/49771122>
115
116         Reviewed by Yusuke Suzuki.
117
118         validateOSREntryValue should not care about the format of the incoming
119         value for Int52s. This patch normalizes the format of m_value and
120         the incoming value when comparing them.
121
122         * dfg/DFGAbstractValue.h:
123         (JSC::DFG::AbstractValue::validateOSREntryValue const):
124
125 2019-04-10  Saam Barati  <sbarati@apple.com>
126
127         ArithSub over Int52 has shouldCheckOverflow as always true
128         https://bugs.webkit.org/show_bug.cgi?id=196796
129
130         Reviewed by Yusuke Suzuki.
131
132         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
133         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
134         false. We shouldn't check something we assert against.
135
136         * dfg/DFGAbstractInterpreterInlines.h:
137         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
138
139 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
140
141         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
142         https://bugs.webkit.org/show_bug.cgi?id=196790
143
144         Reviewed by Ross Kirsling.
145
146         The original implementation lacks a byte order specification. Network byte order is a
147         good candidate if there's no strong reason to choose another.
148         Currently no client exists for the PlayStation remote inspector protocol, so we can
149         change the byte order freely.
150
151         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
152         (Inspector::MessageParser::createMessage):
153         (Inspector::MessageParser::parse):
154
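As an added illustration of the point in the entry above (this is example code, not WebKit's MessageParser and not the PlayStation wire format): a length-prefixed message framing whose byte order is pinned to network order with struct's `!` modifier, next to the same length field read in the host's native order to show what an unspecified byte order costs on a little-endian host. A 4-byte length prefix, a UTF-8 payload and the 1 MiB limit are assumptions of the example.

```python
import struct
import sys

# Constructed framing for the example: a 4-byte length prefix in network
# (big-endian) byte order followed by a UTF-8 payload. Not the real protocol.
HEADER = struct.Struct("!I")      # '!' pins the byte order; never rely on the host's
MAX_MESSAGE_SIZE = 1 << 20        # assumed limit: reject absurd lengths before slicing


def create_message(payload: str) -> bytes:
    """Frame one payload; the peer can decode the length on any architecture."""
    data = payload.encode("utf-8")
    if len(data) > MAX_MESSAGE_SIZE:
        raise ValueError("payload too large")
    return HEADER.pack(len(data)) + data


def parse(buffer: bytes):
    """Split a byte stream into complete messages.

    Returns (messages, remaining_bytes). A trailing partial message stays in
    remaining_bytes until more data arrives. A declared length above the
    limit is treated as a malformed stream rather than something to buffer.
    """
    messages = []
    pos = 0
    while len(buffer) - pos >= HEADER.size:
        (length,) = HEADER.unpack_from(buffer, pos)
        if length > MAX_MESSAGE_SIZE:
            raise ValueError(f"declared length {length} exceeds limit")
        end = pos + HEADER.size + length
        if end > len(buffer):
            break  # incomplete; wait for the rest of the payload
        messages.append(buffer[pos + HEADER.size:end].decode("utf-8"))
        pos = end
    return messages, buffer[pos:]


def is_well_formed(buffer: bytes) -> bool:
    """True if every complete header in the buffer declares an acceptable length."""
    try:
        parse(buffer)
        return True
    except ValueError:
        return False


def length_as_native_order(message: bytes) -> int:
    """The same length field read with '=' (host order): the mistake the entry fixes."""
    (length,) = struct.unpack_from("=I", message, 0)
    return length


def host_is_little_endian() -> bool:
    return sys.byteorder == "little"


if __name__ == "__main__":
    stream = create_message("hello") + create_message("wor")
    print(parse(stream))
    print(length_as_native_order(create_message("hello")))
```

The length check before slicing is the part that matters once a peer disagrees about byte order: the five-byte message `hello` read in the wrong order declares 83,886,080 bytes, which a parser without a bound would happily wait for or allocate.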
155 2019-04-10  Devin Rousso  <drousso@apple.com>
156
157         Web Inspector: Inspector: lazily create the agent
158         https://bugs.webkit.org/show_bug.cgi?id=195971
159         <rdar://problem/49039645>
160
161         Reviewed by Joseph Pecoraro.
162
163         * inspector/JSGlobalObjectInspectorController.cpp:
164         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
165         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
166         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
167         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
168
169         * inspector/agents/InspectorAgent.h:
170         * inspector/agents/InspectorAgent.cpp:
171
172 2019-04-10  Saam Barati  <sbarati@apple.com>
173
174         Work around an arm64_32 LLVM miscompile bug
175         https://bugs.webkit.org/show_bug.cgi?id=196788
176
177         Reviewed by Yusuke Suzuki.
178
179         * runtime/CachedTypes.cpp:
180
181 2019-04-10  Devin Rousso  <drousso@apple.com>
182
183         Web Inspector: Timelines: can't reliably stop/start a recording
184         https://bugs.webkit.org/show_bug.cgi?id=196778
185         <rdar://problem/47606798>
186
187         Reviewed by Timothy Hatcher.
188
189         * inspector/protocol/ScriptProfiler.json:
190         * inspector/protocol/Timeline.json:
191         It is possible to determine when programmatic capturing starts/stops in the frontend based
192         on the state when the backend causes the state to change, such as if the state is "inactive"
193         when the frontend is told that the backend has started capturing.
194
195         * inspector/protocol/CPUProfiler.json:
196         * inspector/protocol/Memory.json:
197         Send an end timestamp to match other instruments.
198
199         * inspector/JSGlobalObjectConsoleClient.cpp:
200         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
201         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
202
203         * inspector/agents/InspectorScriptProfilerAgent.h:
204         * inspector/agents/InspectorScriptProfilerAgent.cpp:
205         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
206         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
207         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
208
209 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
210
211         Unreviewed, fix watch build after r244143
212         https://bugs.webkit.org/show_bug.cgi?id=195000
213
214         The result of `lseek` should be `off_t` rather than `int`.
215
216         * jsc.cpp:
217
218 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
219
220         Add support for incremental bytecode cache updates
221         https://bugs.webkit.org/show_bug.cgi?id=195000
222
223         Reviewed by Filip Pizlo.
224
225         Add support for incremental updates to the bytecode cache. The cache
226         is constructed as follows:
227         - When the cache is empty, the initial payload can be added to the BytecodeCache
228         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
229         top-level UnlinkedCodeBlock.
230         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
231         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
232         to the existing cache and updating the CachedFunctionExecutableMetadata
233         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
234
235         * API/JSScript.mm:
236         (-[JSScript readCache]):
237         (-[JSScript isUsingBytecodeCache]):
238         (-[JSScript init]):
239         (-[JSScript cachedBytecode]):
240         (-[JSScript writeCache:]):
241         * API/JSScriptInternal.h:
242         * API/JSScriptSourceProvider.h:
243         * API/JSScriptSourceProvider.mm:
244         (JSScriptSourceProvider::cachedBytecode const):
245         * CMakeLists.txt:
246         * JavaScriptCore.xcodeproj/project.pbxproj:
247         * Sources.txt:
248         * bytecode/UnlinkedFunctionExecutable.cpp:
249         (JSC::generateUnlinkedFunctionCodeBlock):
250         * jsc.cpp:
251         (ShellSourceProvider::~ShellSourceProvider):
252         (ShellSourceProvider::cachePath const):
253         (ShellSourceProvider::loadBytecode const):
254         (ShellSourceProvider::ShellSourceProvider):
255         (ShellSourceProvider::cacheEnabled):
256         * parser/SourceProvider.h:
257         (JSC::SourceProvider::cachedBytecode const):
258         (JSC::SourceProvider::updateCache const):
259         (JSC::SourceProvider::commitCachedBytecode const):
260         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
261         (JSC::CachePayload::makeMappedPayload):
262         (JSC::CachePayload::makeMallocPayload):
263         (JSC::CachePayload::makeEmptyPayload):
264         (JSC::CachePayload::CachePayload):
265         (JSC::CachePayload::~CachePayload):
266         (JSC::CachePayload::operator=):
267         (JSC::CachePayload::freeData):
268         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
269         (JSC::CachePayload::data const):
270         (JSC::CachePayload::size const):
271         (JSC::CachePayload::CachePayload):
272         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
273         (JSC::CacheUpdate::CacheUpdate):
274         (JSC::CacheUpdate::operator=):
275         (JSC::CacheUpdate::isGlobal const):
276         (JSC::CacheUpdate::asGlobal const):
277         (JSC::CacheUpdate::asFunction const):
278         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
279         * runtime/CachedBytecode.cpp: Added.
280         (JSC::CachedBytecode::addGlobalUpdate):
281         (JSC::CachedBytecode::addFunctionUpdate):
282         (JSC::CachedBytecode::copyLeafExecutables):
283         (JSC::CachedBytecode::commitUpdates const):
284         * runtime/CachedBytecode.h: Added.
285         (JSC::CachedBytecode::create):
286         (JSC::CachedBytecode::leafExecutables):
287         (JSC::CachedBytecode::data const):
288         (JSC::CachedBytecode::size const):
289         (JSC::CachedBytecode::hasUpdates const):
290         (JSC::CachedBytecode::sizeForUpdate const):
291         (JSC::CachedBytecode::CachedBytecode):
292         * runtime/CachedTypes.cpp:
293         (JSC::Encoder::addLeafExecutable):
294         (JSC::Encoder::release):
295         (JSC::Decoder::Decoder):
296         (JSC::Decoder::create):
297         (JSC::Decoder::size const):
298         (JSC::Decoder::offsetOf):
299         (JSC::Decoder::ptrForOffsetFromBase):
300         (JSC::Decoder::addLeafExecutable):
301         (JSC::VariableLengthObject::VariableLengthObject):
302         (JSC::VariableLengthObject::buffer const):
303         (JSC::CachedPtrOffsets::offsetOffset):
304         (JSC::CachedWriteBarrierOffsets::ptrOffset):
305         (JSC::CachedFunctionExecutable::features const):
306         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
307         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
308         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
309         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
310         (JSC::CachedFunctionExecutable::encode):
311         (JSC::CachedFunctionExecutable::decode const):
312         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
313         (JSC::encodeCodeBlock):
314         (JSC::encodeFunctionCodeBlock):
315         (JSC::decodeCodeBlockImpl):
316         (JSC::isCachedBytecodeStillValid):
317         * runtime/CachedTypes.h:
318         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
319         (JSC::decodeCodeBlock):
320         * runtime/CodeCache.cpp:
321         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
322         (JSC::CodeCache::updateCache):
323         (JSC::CodeCache::write):
324         (JSC::writeCodeBlock):
325         (JSC::serializeBytecode):
326         * runtime/CodeCache.h:
327         (JSC::SourceCodeValue::SourceCodeValue):
328         (JSC::CodeCacheMap::findCacheAndUpdateAge):
329         (JSC::CodeCacheMap::fetchFromDiskImpl):
330         * runtime/Completion.cpp:
331         (JSC::generateProgramBytecode):
332         (JSC::generateModuleBytecode):
333         * runtime/Completion.h:
334         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
335         (JSC::LeafExecutable::operator+ const):
336         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
337         (JSC::LeafExecutable::LeafExecutable):
338         (JSC::LeafExecutable::base const):
339
340 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
341
342         Unreviewed, rolling out r243989.
343
344         Broke i686 builds
345
346         Reverted changeset:
347
348         "[CMake] Detect SSE2 at compile time"
349         https://bugs.webkit.org/show_bug.cgi?id=196488
350         https://trac.webkit.org/changeset/243989
351
352 2019-04-10  Robin Morisset  <rmorisset@apple.com>
353
354         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
355         https://bugs.webkit.org/show_bug.cgi?id=196746
356
357         Reviewed by Yusuke Suzuki.
358
359         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
360
361         * runtime/ObjectConstructor.cpp:
362         (JSC::defineProperties):
363
364 2019-04-10  Antoine Quint  <graouts@apple.com>
365
366         Enable Pointer Events on watchOS
367         https://bugs.webkit.org/show_bug.cgi?id=196771
368         <rdar://problem/49040909>
369
370         Reviewed by Dean Jackson.
371
372         * Configurations/FeatureDefines.xcconfig:
373
374 2019-04-09  Keith Rollin  <krollin@apple.com>
375
376         Unreviewed build maintenance -- update .xcfilelists.
377
378         * DerivedSources-input.xcfilelist:
379
380 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
381
382         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
383         https://bugs.webkit.org/show_bug.cgi?id=193073
384
385         Reviewed by Keith Miller.
386
387         * bytecompiler/BytecodeGenerator.cpp:
388         (JSC::BytecodeGenerator::emitEqualityOpImpl):
389         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
390         * bytecompiler/BytecodeGenerator.h:
391         (JSC::BytecodeGenerator::emitEqualityOp):
392         Factor out the logic that uses the template parameter and keep it in the header.
393
394         * jit/JITPropertyAccess.cpp:
395         List off the template specializations needed by JITOperations.cpp.
396         This is unfortunate but at least there are only two (x2) by definition?
397         Trying to do away with this incurs a severe domino effect...
398
399         * API/JSValueRef.cpp:
400         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
401         * b3/air/AirHandleCalleeSaves.cpp:
402         * builtins/BuiltinNames.cpp:
403         * bytecode/AccessCase.cpp:
404         * bytecode/BytecodeIntrinsicRegistry.cpp:
405         * bytecode/BytecodeIntrinsicRegistry.h:
406         * bytecode/BytecodeRewriter.cpp:
407         * bytecode/BytecodeUseDef.h:
408         * bytecode/CodeBlock.cpp:
409         * bytecode/InstanceOfAccessCase.cpp:
410         * bytecode/MetadataTable.cpp:
411         * bytecode/PolyProtoAccessChain.cpp:
412         * bytecode/StructureSet.cpp:
413         * bytecompiler/NodesCodegen.cpp:
414         * dfg/DFGCFAPhase.cpp:
415         * dfg/DFGPureValue.cpp:
416         * heap/GCSegmentedArray.h:
417         * heap/HeapInlines.h:
418         * heap/IsoSubspace.cpp:
419         * heap/LocalAllocator.cpp:
420         * heap/LocalAllocator.h:
421         * heap/LocalAllocatorInlines.h:
422         * heap/MarkingConstraintSolver.cpp:
423         * inspector/ScriptArguments.cpp:
424         (Inspector::ScriptArguments::isEqual const):
425         * inspector/ScriptCallStackFactory.cpp:
426         * interpreter/CallFrame.h:
427         * interpreter/Interpreter.cpp:
428         * interpreter/StackVisitor.cpp:
429         * llint/LLIntEntrypoint.cpp:
430         * runtime/ArrayIteratorPrototype.cpp:
431         * runtime/BigIntPrototype.cpp:
432         * runtime/CachedTypes.cpp:
433         * runtime/ErrorType.cpp:
434         * runtime/IndexingType.cpp:
435         * runtime/JSCellInlines.h:
436         * runtime/JSImmutableButterfly.h:
437         * runtime/Operations.h:
438         * runtime/RegExpCachedResult.cpp:
439         * runtime/RegExpConstructor.cpp:
440         * runtime/RegExpGlobalData.cpp:
441         * runtime/StackFrame.h:
442         * wasm/WasmSignature.cpp:
443         * wasm/js/JSToWasm.cpp:
444         * wasm/js/JSToWasmICCallee.cpp:
445         * wasm/js/WebAssemblyFunction.h:
446         Fix includes / forward declarations (and a couple of nearby clang warnings).
447
448 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
449
450         [CMake] Apple builds should use ICU_INCLUDE_DIRS
451         https://bugs.webkit.org/show_bug.cgi?id=196720
452
453         Reviewed by Konstantin Tokarev.
454
455         * PlatformMac.cmake:
456
457 2019-04-09  Saam barati  <sbarati@apple.com>
458
459         Clean up Int52 code and some bugs in it
460         https://bugs.webkit.org/show_bug.cgi?id=196639
461         <rdar://problem/49515757>
462
463         Reviewed by Yusuke Suzuki.
464
465         This patch fixes bugs in our Int52 code. The primary change in this patch is
466         adopting a segregated type lattice for Int52. Previously, for Int52 values,
467         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
468         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
469         that the value is outside of the int32 range.
470         
471         However, this got confusing because we reused SpecInt32Only both for JSValue
472         representations and Int52 representations. This actually led to some bugs.
473         
474         1. It's possible that roundtripping through Int52 representation would say
475         it produces the wrong type. For example, consider this program and how we
476         used to annotate types in AI:
477         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
478         b: Int52Rep(@a) => m_type is SpecInt52Only
479         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
480         
481         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
482         However, the execution semantics are such that it'd actually produce a boxed
483         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
484         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
485         mean an int value in either int32 or int52 range.
486         
487         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
488         accepted Int52 values. It was wrong in two different ways:
489         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
490         was a boxed double, but represented a value in int32 range, the incoming
491         value would incorrectly validate as being acceptable. However, we should
492         have rejected this value.
493         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
494         was an Int32 boxed in a double, this would not validate, even though
495         it should have validated.
496         
497         Solving 2 was easiest if we segregated out the Int52 type into its own
498         lattice. This patch makes a new Int52 lattice, which is composed of
499         SpecInt32AsInt52 and SpecNonInt32AsInt52.
500         
501         The conversion rules are now really simple.
502         
503         Int52 rep => JSValue rep
504         SpecInt32AsInt52 => SpecInt32Only
505         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
506         
507         JSValue rep => Int52 rep
508         SpecInt32Only => SpecInt32AsInt52
509         SpecAnyIntAsDouble => SpecInt52Any
510         
511         With these rules, the program in (1) will now correctly report that @c
512         returns SpecInt32Only | SpecAnyIntAsDouble.
513
514         * bytecode/SpeculatedType.cpp:
515         (JSC::dumpSpeculation):
516         (JSC::speculationToAbbreviatedString):
517         (JSC::int52AwareSpeculationFromValue):
518         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
519         (JSC::speculationFromString):
520         * bytecode/SpeculatedType.h:
521         (JSC::isInt32SpeculationForArithmetic):
522         (JSC::isInt32OrBooleanSpeculationForArithmetic):
523         (JSC::isAnyInt52Speculation):
524         (JSC::isIntAnyFormat):
525         (JSC::isInt52Speculation): Deleted.
526         (JSC::isAnyIntSpeculation): Deleted.
527         * dfg/DFGAbstractInterpreterInlines.h:
528         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
529         * dfg/DFGAbstractValue.cpp:
530         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
531         (JSC::DFG::AbstractValue::checkConsistency const):
532         * dfg/DFGAbstractValue.h:
533         (JSC::DFG::AbstractValue::isInt52Any const):
534         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
535         * dfg/DFGFixupPhase.cpp:
536         (JSC::DFG::FixupPhase::fixupArithMul):
537         (JSC::DFG::FixupPhase::fixupNode):
538         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
539         (JSC::DFG::FixupPhase::fixupToThis):
540         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
541         (JSC::DFG::FixupPhase::observeUseKindOnNode):
542         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
543         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
544         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
545         (JSC::DFG::FixupPhase::fixupChecksInBlock):
546         * dfg/DFGGraph.h:
547         (JSC::DFG::Graph::addShouldSpeculateInt52):
548         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
549         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
550         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
551         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
552         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
553         * dfg/DFGNode.h:
554         (JSC::DFG::Node::shouldSpeculateInt52):
555         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
556         * dfg/DFGPredictionPropagationPhase.cpp:
557         * dfg/DFGSpeculativeJIT.cpp:
558         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
559         (JSC::DFG::SpeculativeJIT::compileArithAdd):
560         (JSC::DFG::SpeculativeJIT::compileArithSub):
561         (JSC::DFG::SpeculativeJIT::compileArithNegate):
562         * dfg/DFGSpeculativeJIT64.cpp:
563         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
564         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
565         * dfg/DFGUseKind.h:
566         (JSC::DFG::typeFilterFor):
567         * dfg/DFGVariableAccessData.cpp:
568         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
569         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
570         * ftl/FTLLowerDFGToB3.cpp:
571         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
572         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
573         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
574
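The roundtrip in (1) and the conversion rules at the end of the entry above, as an added model (example code, not JSC's SpeculatedType or AbstractValue code): each speculation is a set of atoms, the old and new Int52Rep/ValueRep rules are tables lifted to sets, and a soundness check compares AI's answer with what the conversion actually yields for a concrete constant. The atom names follow the entry; the set representation, the int32-range rule for the concrete result and the helper names are the example's own assumptions.

```python
from typing import Callable, Dict, FrozenSet

# Model of the lattices described above. A speculation is a set of atoms;
# joining two speculations is set union. This is not JSC's bit representation.
Spec = FrozenSet[str]
INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def spec(*atoms: str) -> Spec:
    return frozenset(atoms)


def lift(rule: Dict[str, Spec]) -> Callable[[Spec], Spec]:
    """Turn an atom -> Spec table into a monotone function on whole speculations."""
    def convert(t: Spec) -> Spec:
        out: Spec = frozenset()
        for atom in t:
            out |= rule[atom]
        return out
    return convert


# Old scheme: Int52 representations reused SpecInt32Only / SpecInt52Only.
OLD_INT52_REP = lift({
    "SpecInt32Only": spec("SpecInt32Only"),
    "SpecAnyIntAsDouble": spec("SpecInt52Only"),   # the bug: an int32-range double is dropped
})
OLD_VALUE_REP = lift({
    "SpecInt32Only": spec("SpecInt32Only"),
    "SpecInt52Only": spec("SpecAnyIntAsDouble"),
})

# New scheme: a segregated Int52 lattice.
# SpecInt52Any = SpecInt32AsInt52 | SpecNonInt32AsInt52.
NEW_INT52_REP = lift({
    "SpecInt32Only": spec("SpecInt32AsInt52"),
    "SpecAnyIntAsDouble": spec("SpecInt32AsInt52", "SpecNonInt32AsInt52"),
})
NEW_VALUE_REP = lift({
    "SpecInt32AsInt52": spec("SpecInt32Only"),
    "SpecNonInt32AsInt52": spec("SpecAnyIntAsDouble"),
})


def roundtrip(int52_rep: Callable[[Spec], Spec],
              value_rep: Callable[[Spec], Spec], a: Spec) -> Spec:
    """AI's type for c in  b: Int52Rep(@a); c: ValueRep(@b)."""
    b = int52_rep(a)
    return value_rep(b)


def concrete_roundtrip_type(x: float) -> str:
    """What ValueRep(Int52Rep(x)) yields at run time (assumed rule): an integral
    double in int32 range comes back boxed as Int32, anything else as a double."""
    if x != int(x):
        raise ValueError("Int52Rep needs an integral value (would exit)")
    return "SpecInt32Only" if INT32_MIN <= x <= INT32_MAX else "SpecAnyIntAsDouble"


def is_sound(abstract: Spec, x: float) -> bool:
    """AI is sound for x iff the abstract type admits the concrete result type."""
    return concrete_roundtrip_type(x) in abstract


A = spec("SpecAnyIntAsDouble")   # a: JSConstant(10.0) as annotated in the entry

if __name__ == "__main__":
    for name, rep, val in (("old", OLD_INT52_REP, OLD_VALUE_REP),
                           ("new", NEW_INT52_REP, NEW_VALUE_REP)):
        c = roundtrip(rep, val, A)
        print(name, sorted(c), "sound for 10.0:", is_sound(c, 10.0))
```

An abstract type that excludes the value the code actually produces is the kind of AI mistake a JIT turns into type confusion, since later phases may elide checks on the strength of it; the model makes that visible for 10.0 under the old rules while both rule sets stay sound for a value outside int32 range.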
575 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
576
577         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
578         https://bugs.webkit.org/show_bug.cgi?id=196708
579         <rdar://problem/49556803>
580
581         Reviewed by Yusuke Suzuki.
582
583         `operationPutToScope` needs to return early if an exception is thrown while
584         checking if `hasProperty`.
585
586         * jit/JITOperations.cpp:
587
588 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
589
590         [JSC] DFG should respect node's strict flag
591         https://bugs.webkit.org/show_bug.cgi?id=196617
592
593         Reviewed by Saam Barati.
594
595         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
596         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
597         in DFG and FTL to get the right isStrictMode flag for the DFG node.
598         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
599         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
600         This bug is discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
601
602         * dfg/DFGAbstractInterpreterInlines.h:
603         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
604         * dfg/DFGConstantFoldingPhase.cpp:
605         (JSC::DFG::ConstantFoldingPhase::foldConstants):
606         * dfg/DFGFixupPhase.cpp:
607         (JSC::DFG::FixupPhase::fixupToThis):
608         * dfg/DFGOperations.cpp:
609         * dfg/DFGOperations.h:
610         * dfg/DFGPredictionPropagationPhase.cpp:
611         * dfg/DFGSpeculativeJIT.cpp:
612         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
613         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
614         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
615         (JSC::DFG::SpeculativeJIT::compileToThis):
616         * dfg/DFGSpeculativeJIT32_64.cpp:
617         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
618         (JSC::DFG::SpeculativeJIT::compile):
619         * dfg/DFGSpeculativeJIT64.cpp:
620         (JSC::DFG::SpeculativeJIT::compile):
621         * ftl/FTLLowerDFGToB3.cpp:
622         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
623         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
624
625 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
626
627         [CMake][WinCairo] Separate copied headers into different directories
628         https://bugs.webkit.org/show_bug.cgi?id=196655
629
630         Reviewed by Michael Catanzaro.
631
632         * CMakeLists.txt:
633         * shell/PlatformWin.cmake:
634
635 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
636
637         [JSC] isRope jump in StringSlice should not jump over register allocations
638         https://bugs.webkit.org/show_bug.cgi?id=196716
639
640         Reviewed by Saam Barati.
641
642         Jumping over the register allocation code in DFG (like the following) is wrong.
643
644             auto jump = m_jit.branchXXX();
645             {
646                 GPRTemporary reg(this);
647                 GPRReg regGPR = reg.gpr();
648                 ...
649             }
650             jump.link(&m_jit);
651
652         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
653         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
654         DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
655         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
656
657         * dfg/DFGSpeculativeJIT.cpp:
658         (JSC::DFG::SpeculativeJIT::compileStringSlice):
659
660 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
661
662         [JSC] to_index_string should not assume incoming value is Uint32
663         https://bugs.webkit.org/show_bug.cgi?id=196713
664
665         Reviewed by Saam Barati.
666
667         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
668         this assumption since DFG may decide we should have it in double format. This patch removes this
669         assumption, and instead, we should assume that the incoming value is AnyInt and that its range
670         is within Uint32.
671
672         * runtime/CommonSlowPaths.cpp:
673         (JSC::SLOW_PATH_DECL):
674
675 2019-04-08  Justin Fan  <justin_fan@apple.com>
676
677         [Web GPU] Fix Web GPU experimental feature on iOS
678         https://bugs.webkit.org/show_bug.cgi?id=196632
679
680         Reviewed by Myles C. Maxfield.
681
682         Properly make Web GPU available on iOS 11+.
683
684         * Configurations/FeatureDefines.xcconfig:
685         * Configurations/WebKitTargetConditionals.xcconfig:
686
687 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
688
689         -f[no-]var-tracking-assignments is GCC-only
690         https://bugs.webkit.org/show_bug.cgi?id=196699
691
692         Reviewed by Don Olmstead.
693
694         * CMakeLists.txt:
695         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
696         and said problem evidently no longer occurs as of GCC 9.
697
698 2019-04-08  Saam Barati  <sbarati@apple.com>
699
700         WebAssembly.RuntimeError missing exception check
701         https://bugs.webkit.org/show_bug.cgi?id=196700
702         <rdar://problem/49693932>
703
704         Reviewed by Yusuke Suzuki.
705
706         * wasm/js/JSWebAssemblyRuntimeError.h:
707         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
708         (JSC::constructJSWebAssemblyRuntimeError):
709
710 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
711
712         Unreviewed, rolling in r243948 with test fix
713         https://bugs.webkit.org/show_bug.cgi?id=196486
714
715         * parser/ASTBuilder.h:
716         (JSC::ASTBuilder::createString):
717         * parser/Lexer.cpp:
718         (JSC::Lexer<T>::parseMultilineComment):
719         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
720         (JSC::Lexer<T>::lex): Deleted.
721         * parser/Lexer.h:
722         (JSC::Lexer::hasLineTerminatorBeforeToken const):
723         (JSC::Lexer::setHasLineTerminatorBeforeToken):
724         (JSC::Lexer<T>::lex):
725         (JSC::Lexer::prevTerminator const): Deleted.
726         (JSC::Lexer::setTerminator): Deleted.
727         * parser/Parser.cpp:
728         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
729         (JSC::Parser<LexerType>::parseSingleFunction):
730         (JSC::Parser<LexerType>::parseStatementListItem):
731         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
732         (JSC::Parser<LexerType>::parseFunctionInfo):
733         (JSC::Parser<LexerType>::parseClass):
734         (JSC::Parser<LexerType>::parseExportDeclaration):
735         (JSC::Parser<LexerType>::parseAssignmentExpression):
736         (JSC::Parser<LexerType>::parseYieldExpression):
737         (JSC::Parser<LexerType>::parseProperty):
738         (JSC::Parser<LexerType>::parsePrimaryExpression):
739         (JSC::Parser<LexerType>::parseMemberExpression):
740         * parser/Parser.h:
741         (JSC::Parser::nextWithoutClearingLineTerminator):
742         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
743         (JSC::Parser::internalSaveLexerState):
744         (JSC::Parser::restoreLexerState):
745
746 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
747
748         Unreviewed, rolling out r243948.
749
750         Caused inspector/runtime/parse.html to fail
751
752         Reverted changeset:
753
754         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
755         https://bugs.webkit.org/show_bug.cgi?id=196486
756         https://trac.webkit.org/changeset/243948
757
758 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
759
760         Unreviewed, rolling out r243943.
761
762         Caused test262 failures.
763
764         Reverted changeset:
765
766         "[JSC] Filter DontEnum properties in
767         ProxyObject::getOwnPropertyNames()"
768         https://bugs.webkit.org/show_bug.cgi?id=176810
769         https://trac.webkit.org/changeset/243943
770
771 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
772
773         [JSC] Partially fix the build with unified builds disabled
774         https://bugs.webkit.org/show_bug.cgi?id=196647
775
776         Reviewed by Konstantin Tokarev.
777
778         If you disable unified builds you find all kinds of build
779         errors. This partially tries to fix them but there's a lot
780         more.
781
782         * API/JSBaseInternal.h:
783         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
784         * b3/air/AirHandleCalleeSaves.h:
785         * bytecode/ExecutableToCodeBlockEdge.cpp:
786         * bytecode/ExitFlag.h:
787         * bytecode/ICStatusUtils.h:
788         * bytecode/UnlinkedMetadataTable.h:
789         * dfg/DFGPureValue.h:
790         * heap/IsoAlignedMemoryAllocator.cpp:
791         * heap/IsoAlignedMemoryAllocator.h:
792
793 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
794
795         Enable DFG on MIPS
796         https://bugs.webkit.org/show_bug.cgi?id=196689
797
798         Reviewed by Žan Doberšek.
799
800         Since the bytecode change, we enabled the baseline JIT on mips in
801         r240432, but DFG is still missing. With this change, all tests are
802         passing on a ci20 board.
803
804         * jit/RegisterSet.cpp:
805         (JSC::RegisterSet::calleeSaveRegisters):
806         Added s0, which is used in llint.
807
808 2019-04-08  Xan Lopez  <xan@igalia.com>
809
810         [CMake] Detect SSE2 at compile time
811         https://bugs.webkit.org/show_bug.cgi?id=196488
812
813         Reviewed by Carlos Garcia Campos.
814
815         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
816         incorrect) static_assert.
817
818 2019-04-07  Michael Saboff  <msaboff@apple.com>
819
820         REGRESSION (r243642): Crash in reddit.com page
821         https://bugs.webkit.org/show_bug.cgi?id=196684
822
823         Reviewed by Geoffrey Garen.
824
825         In r243642, the code that saves and restores the count for non-greedy character classes
826         was inadvertently put inside an if statement.  This code should be generated for all
827         non-greedy character classes.
828
829         * yarr/YarrJIT.cpp:
830         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
831         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
832
833 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
834
835         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
836         https://bugs.webkit.org/show_bug.cgi?id=196683
837
838         Reviewed by Saam Barati.
839
840         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
841         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
842         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of the CallLinkInfo
843         can still be live.
844
845         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
846         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
847
848         * bytecode/CallLinkInfo.cpp:
849         (JSC::CallLinkInfo::setCallee):
850         (JSC::CallLinkInfo::clearCallee):
851         * jit/Repatch.cpp:
852         (JSC::linkFor):
853         (JSC::revertCall):
854
855 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
856
857         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
858         https://bugs.webkit.org/show_bug.cgi?id=196582
859
860         Reviewed by Saam Barati.
861
862         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
863         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
864         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRRegs). Our recovery code
865         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
866
867         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflowed, and the operands were
868         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
869
870         We also found that FTL recovery code is dead. We remove them in this patch.
871
872         * dfg/DFGOSRExit.cpp:
873         (JSC::DFG::OSRExit::executeOSRExit):
874         (JSC::DFG::OSRExit::compileExit):
875         * dfg/DFGOSRExit.h:
876         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
877         * dfg/DFGSpeculativeJIT.cpp:
878         (JSC::DFG::SpeculativeJIT::compileArithAdd):
879         * ftl/FTLExitValue.cpp:
880         (JSC::FTL::ExitValue::dataFormat const):
881         (JSC::FTL::ExitValue::dumpInContext const):
882         * ftl/FTLExitValue.h:
883         (JSC::FTL::ExitValue::isArgument const):
884         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
885         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
886         (JSC::FTL::ExitValue::recovery): Deleted.
887         (JSC::FTL::ExitValue::isRecovery const): Deleted.
888         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
889         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
890         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
891         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
892         * ftl/FTLLowerDFGToB3.cpp:
893         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
894         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
895         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
896         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
897         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
898         * ftl/FTLOSRExitCompiler.cpp:
899         (JSC::FTL::compileRecovery):
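
The A + A = A recovery described in this entry, worked through as an added example (this is not JSC's code and not the patch itself): a constructed model of the speculative int32 add and of the two recovery shapes. `speculativeAdd`, `recoverDistinctOperand`, `buggyRecoverSameOperand`, `recoverSameOperand` and `sameOperandRecoveryHoldsOn` are this example's own names; the formula is the entry's `((int32_t)value >> 1) ^ 0x80000000`.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the DFG's speculative int32 ArithAdd (example code, not
// JSC's): the add wraps, and `overflowed` plays the role of the overflow flag
// that the speculation check branches on.
struct AddResult {
    int32_t value;    // destination register after the wrapped add
    bool overflowed;  // true when the exact sum left the int32 range
};

AddResult speculativeAdd(int32_t a, int32_t b)
{
    int64_t exact = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    int32_t wrapped = static_cast<int32_t>(static_cast<uint32_t>(exact));
    return { wrapped, exact != wrapped };
}

// Recovery for the A + B = A and A + B = B shapes: the untouched operand is
// subtracted back out of the destination with wrap-around arithmetic.
int32_t recoverDistinctOperand(int32_t dest, int32_t untouchedOperand)
{
    return static_cast<int32_t>(static_cast<uint32_t>(dest) - static_cast<uint32_t>(untouchedOperand));
}

// The defect described above: applying the distinct-operand recovery to the
// A + A = A shape computes dest - dest, so the "recovered" operand is always 0.
int32_t buggyRecoverSameOperand(int32_t dest)
{
    return recoverDistinctOperand(dest, dest);
}

// Recovery for A + A = A: dest holds 2A mod 2^32, i.e. A shifted left by one
// with bit 31 dropped. Because the add overflowed, bit 31 of A differed from
// bit 30. An arithmetic right shift restores bits 0..30 and copies bit 30 into
// bit 31, so flipping bit 31 gives back A: ((int32_t)value >> 1) ^ 0x80000000.
int32_t recoverSameOperand(int32_t dest)
{
    return static_cast<int32_t>(static_cast<uint32_t>(dest >> 1) ^ 0x80000000u);
}

// Checks the A + A = A recovery for every A in [from, to] whose doubling overflows.
bool sameOperandRecoveryHoldsOn(int32_t from, int32_t to)
{
    for (int64_t a = from; a <= to; ++a) {
        AddResult r = speculativeAdd(static_cast<int32_t>(a), static_cast<int32_t>(a));
        if (r.overflowed && recoverSameOperand(r.value) != a)
            return false;
    }
    return true;
}

int main()
{
    int32_t a = 0x40000000;
    AddResult r = speculativeAdd(a, a);
    std::printf("A=%#x  A+A wrapped=%#x overflowed=%d\n", (unsigned)a, (unsigned)r.value, r.overflowed);
    std::printf("distinct-operand recovery (wrong for A+A): %#x\n", (unsigned)buggyRecoverSameOperand(r.value));
    std::printf("same-operand recovery: %#x\n", (unsigned)recoverSameOperand(r.value));
    return 0;
}
```

The reason the shift-and-flip works only for the overflowing case is that a 32-bit add of A to itself overflows exactly when bit 31 and bit 30 of A differ; the arithmetic shift reproduces bit 30 in bit 31, so the xor corrects it. `sameOperandRecoveryHoldsOn` lets you confirm this over any range you pick without relying on the argument.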
900
901 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
902
903         Unreviewed, rolling out r243665.
904
905         Caused iOS JSC tests to exit with an exception.
906
907         Reverted changeset:
908
909         "Assertion failed in JSC::createError"
910         https://bugs.webkit.org/show_bug.cgi?id=196305
911         https://trac.webkit.org/changeset/243665
912
913 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
916         https://bugs.webkit.org/show_bug.cgi?id=196486
917
918         Reviewed by Saam Barati.
919
920         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
921         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
922         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
923
924         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
925
926                 arrow => expr
927                 "string!"
928
929         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
930         since SyntaxChecker may not have interest in string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
931         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
932
933         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
934         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
935         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
936
937         And we also fix a bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
938         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
939
940         * parser/ASTBuilder.h:
941         (JSC::ASTBuilder::createString):
942         * parser/Lexer.cpp:
943         (JSC::Lexer<T>::parseMultilineComment):
944         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
945         (JSC::Lexer<T>::lex): Deleted.
946         * parser/Lexer.h:
947         (JSC::Lexer::hasLineTerminatorBeforeToken const):
948         (JSC::Lexer::setHasLineTerminatorBeforeToken):
949         (JSC::Lexer<T>::lex):
950         (JSC::Lexer::prevTerminator const): Deleted.
951         (JSC::Lexer::setTerminator): Deleted.
952         * parser/Parser.cpp:
953         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
954         (JSC::Parser<LexerType>::parseSingleFunction):
955         (JSC::Parser<LexerType>::parseStatementListItem):
956         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
957         (JSC::Parser<LexerType>::parseFunctionInfo):
958         (JSC::Parser<LexerType>::parseClass):
959         (JSC::Parser<LexerType>::parseExportDeclaration):
960         (JSC::Parser<LexerType>::parseAssignmentExpression):
961         (JSC::Parser<LexerType>::parseYieldExpression):
962         (JSC::Parser<LexerType>::parseProperty):
963         (JSC::Parser<LexerType>::parsePrimaryExpression):
964         (JSC::Parser<LexerType>::parseMemberExpression):
965         * parser/Parser.h:
966         (JSC::Parser::nextWithoutClearingLineTerminator):
967         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
968         (JSC::Parser::internalSaveLexerState):
969         (JSC::Parser::restoreLexerState):
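
The `arrow => expr` / `"string!"` case above, worked through in a small constructed lexer and parser. This is an added example, not JSC's Lexer or Parser; `Context`, `Token`, `LexerState`, `Parser::parse` and the other names are this example's own. `parse(false)` reproduces the nullptr StringNode as an empty optional; `parse(true)` applies the re-lex-under-current-context fix and, because the re-lex goes through `lexWithoutClearingLineTerminator`, keeps the line-terminator status that automatic semicolon insertion consults.

```cpp
#include <optional>
#include <string>
#include <utility>

// Constructed model of the two parser contexts (example code, not JSC's Lexer or
// Parser). Under SyntaxChecker the lexer skips building string contents, which
// stands in for the nullptr identifier; under ASTBuilder it builds them.
enum class Context { SyntaxChecker, ASTBuilder };

struct Token {
    std::optional<std::string> stringValue; // set only for string tokens lexed under ASTBuilder
    size_t startOffset = 0;
};

// What a SavePoint has to capture: the old one omitted the line-terminator flag.
struct LexerState { size_t offset; bool hasLineTerminatorBeforeToken; };

class Lexer {
public:
    explicit Lexer(std::string source) : m_source(std::move(source)) { }

    Token lex(Context context)
    {
        m_hasLineTerminatorBeforeToken = false;
        return lexWithoutClearingLineTerminator(context);
    }

    // Lexes the next token while keeping any line-terminator status already recorded,
    // so re-lexing the same token does not lose it.
    Token lexWithoutClearingLineTerminator(Context context)
    {
        while (m_offset < m_source.size() && (m_source[m_offset] == ' ' || m_source[m_offset] == '\n')) {
            if (m_source[m_offset] == '\n')
                m_hasLineTerminatorBeforeToken = true;
            ++m_offset;
        }
        Token token;
        token.startOffset = m_offset; // the End token records its offset as well
        if (m_offset >= m_source.size())
            return token;
        if (m_source[m_offset] == '"') { // input is assumed well formed: a closing quote exists
            size_t closing = m_source.find('"', m_offset + 1);
            if (context == Context::ASTBuilder)
                token.stringValue = m_source.substr(m_offset + 1, closing - m_offset - 1);
            m_offset = closing + 1;
        } else { // identifiers and punctuators such as `=>`: run up to the next separator
            while (m_offset < m_source.size() && m_source[m_offset] != ' ' && m_source[m_offset] != '\n' && m_source[m_offset] != '"')
                ++m_offset;
        }
        return token;
    }

    LexerState saveState() const { return { m_offset, m_hasLineTerminatorBeforeToken }; }
    void restoreState(const LexerState& s) { m_offset = s.offset; m_hasLineTerminatorBeforeToken = s.hasLineTerminatorBeforeToken; }
    bool hasLineTerminatorBeforeToken() const { return m_hasLineTerminatorBeforeToken; }

private:
    std::string m_source;
    size_t m_offset = 0;
    bool m_hasLineTerminatorBeforeToken = false;
};

struct ParseOutcome {
    std::optional<std::string> stringConstant; // nullopt models the nullptr StringNode
    bool lineTerminatorBeforeString;           // what automatic semicolon insertion consults
};

// Parses `arrow => expr` followed by a string statement: the arrow body under
// SyntaxChecker, everything else under ASTBuilder, as the entry describes.
class Parser {
public:
    explicit Parser(std::string source) : m_lexer(std::move(source)) { }

    ParseOutcome parse(bool relexUnderCurrentContext)
    {
        m_token = m_lexer.lex(Context::ASTBuilder);    // identifier `arrow`
        m_token = m_lexer.lex(Context::ASTBuilder);    // `=>`
        m_token = m_lexer.lex(Context::SyntaxChecker); // body `expr`
        m_token = m_lexer.lex(Context::SyntaxChecker); // the token after the body: "string!", contents not built
        // Back in ASTBuilder context, m_token is still the SyntaxChecker's view of "string!".
        if (relexUnderCurrentContext)
            lexCurrentTokenAgainUnderCurrentContext(Context::ASTBuilder);
        return { m_token.stringValue, m_lexer.hasLineTerminatorBeforeToken() };
    }

private:
    // The fix: rewind to the current token's start and lex it again under the caller's
    // context, without clearing the line-terminator flag recorded for that token.
    void lexCurrentTokenAgainUnderCurrentContext(Context context)
    {
        LexerState state = m_lexer.saveState();
        state.offset = m_token.startOffset;
        m_lexer.restoreState(state);
        m_token = m_lexer.lexWithoutClearingLineTerminator(context);
    }

    Lexer m_lexer;
    Token m_token;
};
```

Usage: `Parser("arrow => expr\n\"string!\"").parse(true)` yields `stringConstant == "string!"` with `lineTerminatorBeforeString == true`; `parse(false)` yields an empty `stringConstant`. Had the re-lex used `lex` instead of `lexWithoutClearingLineTerminator`, the newline recorded before `"string!"` would have been cleared and the two statements would no longer be separable by automatic semicolon insertion, which is the second bug the entry fixes.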
970
971 2019-04-05  Caitlin Potter  <caitp@igalia.com>
972
973         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
974         https://bugs.webkit.org/show_bug.cgi?id=176810
975
976         Reviewed by Saam Barati.
977
978         This adds conditional logic following the invariant checks, to perform
979         filtering in common uses of getOwnPropertyNames.
980
981         While this would ideally only be done in JSPropertyNameEnumerator, adding
982         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
983         invariant that the EnumerationMode is properly followed.
984
985         * runtime/PropertyNameArray.h:
986         (JSC::PropertyNameArray::reset):
987         * runtime/ProxyObject.cpp:
988         (JSC::ProxyObject::performGetOwnPropertyNames):
989
990 2019-04-05  Commit Queue  <commit-queue@webkit.org>
991
992         Unreviewed, rolling out r243833.
993         https://bugs.webkit.org/show_bug.cgi?id=196645
994
995         This change breaks build of WPE and GTK ports (Requested by
996         annulen on #webkit).
997
998         Reverted changeset:
999
1000         "[CMake][WTF] Mirror XCode header directories"
1001         https://bugs.webkit.org/show_bug.cgi?id=191662
1002         https://trac.webkit.org/changeset/243833
1003
1004 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1005
1006         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
1007         https://bugs.webkit.org/show_bug.cgi?id=185211
1008
1009         Reviewed by Saam Barati.
1010
1011         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
1012
1013         This involves tracking duplicate keys returned from the ownKeys trap in yet
1014         another HashTable, and may incur a minor performance penalty in some cases. This
1015         is not expected to significantly affect web performance.
1016
1017         * runtime/ProxyObject.cpp:
1018         (JSC::ProxyObject::performGetOwnPropertyNames):
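
The two checks that this entry and the DontEnum-filtering entry above (bug 176810) add to ProxyObject::performGetOwnPropertyNames, as an added example rather than JSC's implementation: a constructed model in which the ownKeys trap result arrives as a list of (key, DontEnum) pairs. `PropertyEntry`, `EnumerationMode`, `ownKeysTrapResultHasDuplicates` and `performGetOwnPropertyNamesModel` are this example's names, and `std::runtime_error` stands in for the JS TypeError.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>
#include <unordered_set>
#include <vector>

// Constructed model (example code, not JSC's ProxyObject) of the two checks the
// entries describe: reject duplicate keys in the ownKeys trap result, then apply
// the EnumerationMode filter. All names here are this example's own.
struct PropertyEntry {
    std::string name;
    bool dontEnum; // attribute the target reports for this key (JSC asks getOwnPropertyDescriptor)
};

enum class EnumerationMode { Include, ExcludeDontEnum };

// The "yet another HashTable" the entry mentions: one set insert per returned key.
bool ownKeysTrapResultHasDuplicates(const std::vector<PropertyEntry>& trapResult)
{
    std::unordered_set<std::string> seen;
    for (const auto& entry : trapResult) {
        if (!seen.insert(entry.name).second)
            return true;
    }
    return false;
}

// Returns the keys a caller such as Object.keys or for-in should observe.
// std::runtime_error stands in for the TypeError the spec requires.
std::vector<std::string> performGetOwnPropertyNamesModel(const std::vector<PropertyEntry>& trapResult, EnumerationMode mode)
{
    // tc39/ecma262#833: the duplicate check applies to the raw trap result, so it
    // runs before any filtering and regardless of the mode.
    if (ownKeysTrapResultHasDuplicates(trapResult))
        throw std::runtime_error("TypeError: Proxy ownKeys trap result contains duplicate keys");

    std::vector<std::string> keys;
    for (const auto& entry : trapResult) {
        // Filtering here, rather than only in JSPropertyNameEnumerator, keeps the
        // EnumerationMode honoured for every caller of getOwnPropertyNames.
        if (mode == EnumerationMode::ExcludeDontEnum && entry.dontEnum)
            continue;
        keys.push_back(entry.name);
    }
    return keys;
}

int main()
{
    std::vector<PropertyEntry> good = { { "a", false }, { "hidden", true }, { "b", false } };
    for (const auto& key : performGetOwnPropertyNamesModel(good, EnumerationMode::ExcludeDontEnum))
        std::printf("enumerable key: %s\n", key.c_str());

    std::vector<PropertyEntry> duplicated = { { "a", false }, { "a", false } };
    try {
        performGetOwnPropertyNamesModel(duplicated, EnumerationMode::Include);
    } catch (const std::runtime_error& error) {
        std::printf("%s\n", error.what());
    }
    return 0;
}
```

The cost the entry warns about is visible in `ownKeysTrapResultHasDuplicates`: every trap invocation now pays for a set insert per key, which is why it is described as a minor penalty rather than a free check.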
1019
1020 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1021
1022         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1023         https://bugs.webkit.org/show_bug.cgi?id=196631
1024
1025         Reviewed by Saam Barati.
1026
1027         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
1028         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform a
1029         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
1030
1031         * JavaScriptCore.xcodeproj/project.pbxproj:
1032         * Sources.txt:
1033         * interpreter/CallFrameInlines.h:
1034         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1035         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
1036         (JSC::DoublePredictionFuzzerAgent::getPrediction):
1037         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1038         * runtime/JSGlobalObject.cpp:
1039         (JSC::makeBoundFunction):
1040         * runtime/Options.h:
1041         * runtime/VM.cpp:
1042         (JSC::VM::VM):
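
Both this entry and the to_index_string entry above (bug 196713) turn on the same point: an integer-valued JSValue may arrive Int32-encoded or, when the DFG chose double format, Double-encoded, so a slow path must accept AnyInt and check the range (or apply toInt32) instead of assuming Int32. The following is an added example with a constructed `Value` type, not JSC's JSValue; `toIndexStringAssumingUint32`, `toIndexStringAnyInt`, `toInt32` and `boundFunctionLength` are this example's names and model the before/after behaviour the two entries describe.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <variant>

// Constructed model of a JSValue that may carry an integer in Int32 or Double
// format (example code, not JSC's JSValue). isAnyInt/asAnyInt model the JSC
// concept of an integral value in either format.
struct Value {
    std::variant<int32_t, double> payload;

    static Value fromInt32(int32_t i) { return { i }; }
    static Value fromDouble(double d) { return { d }; }

    bool isInt32() const { return std::holds_alternative<int32_t>(payload); }
    int32_t asInt32() const { return std::get<int32_t>(payload); }
    double asNumber() const { return isInt32() ? static_cast<double>(asInt32()) : std::get<double>(payload); }

    // AnyInt: integral in either format; doubles limited to the exactly
    // representable range |d| < 2^53.
    bool isAnyInt() const
    {
        if (isInt32())
            return true;
        double d = std::get<double>(payload);
        return std::isfinite(d) && std::trunc(d) == d && std::fabs(d) < 9007199254740992.0;
    }
    int64_t asAnyInt() const { return isInt32() ? asInt32() : static_cast<int64_t>(std::get<double>(payload)); }
};

// The old to_index_string assumption, modelled: only a non-negative Int32
// encoding is accepted, so a DFG-produced Double is rejected (nullopt stands in
// for the bad read the entry describes).
std::optional<uint32_t> toIndexStringAssumingUint32(const Value& v)
{
    if (!v.isInt32() || v.asInt32() < 0)
        return std::nullopt;
    return static_cast<uint32_t>(v.asInt32());
}

// The fixed assumption: the value is AnyInt and its range is within Uint32.
std::optional<uint32_t> toIndexStringAnyInt(const Value& v)
{
    if (!v.isAnyInt())
        return std::nullopt;
    int64_t i = v.asAnyInt();
    if (i < 0 || i > static_cast<int64_t>(UINT32_MAX))
        return std::nullopt;
    return static_cast<uint32_t>(i);
}

// ECMAScript ToInt32: NaN/Infinity become 0, otherwise truncate and wrap modulo 2^32.
int32_t toInt32(double d)
{
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0);
    if (m < 0)
        m += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(m));
}

// makeBoundFunction's "length" is computed in builtin JS, so it may arrive in
// Double format; apply toInt32 instead of assuming Int32.
int32_t boundFunctionLength(const Value& length)
{
    return length.isInt32() ? length.asInt32() : toInt32(length.asNumber());
}

int main()
{
    Value doubleFive = Value::fromDouble(5.0);
    std::printf("Uint32-only slow path accepts double 5: %d\n", toIndexStringAssumingUint32(doubleFive).has_value());
    std::printf("AnyInt slow path accepts double 5: %d\n", toIndexStringAnyInt(doubleFive).has_value());
    std::printf("bound length from double 4294967298: %d\n", boundFunctionLength(Value::fromDouble(4294967298.0)));
    return 0;
}
```

The two fixes differ in what they do with out-of-range input: to_index_string keeps the Uint32 range as a precondition (here `nullopt`), while the bound-function length goes through ToInt32, which wraps rather than rejects.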
1043
1044 2019-04-04  Robin Morisset  <rmorisset@apple.com>
1045
1046         B3ReduceStrength should know that Mul distributes over Add and Sub
1047         https://bugs.webkit.org/show_bug.cgi?id=196325
1048         <rdar://problem/49441650>
1049
1050         Reviewed by Saam Barati.
1051
1052         Fix some obviously wrong code that was due to an accidental copy-paste.
1053         It made the entire optimization dead code that never ran.
1054
1055         * b3/B3ReduceStrength.cpp:
1056
1057 2019-04-04  Saam Barati  <sbarati@apple.com>
1058
1059         Unreviewed, build fix for CLoop after r243886
1060
1061         * interpreter/Interpreter.cpp:
1062         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1063         * interpreter/StackVisitor.cpp:
1064         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1065         * interpreter/StackVisitor.h:
1066
1067 2019-04-04  Commit Queue  <commit-queue@webkit.org>
1068
1069         Unreviewed, rolling out r243898.
1070         https://bugs.webkit.org/show_bug.cgi?id=196624
1071
1072         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
1073         does not work well (Requested by yusukesuzuki on #webkit).
1074
1075         Reverted changeset:
1076
1077         "Unreviewed, build fix for CLoop and Windows after r243886"
1078         https://bugs.webkit.org/show_bug.cgi?id=196387
1079         https://trac.webkit.org/changeset/243898
1080
1081 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1082
1083         Unreviewed, build fix for CLoop and Windows after r243886
1084         https://bugs.webkit.org/show_bug.cgi?id=196387
1085
1086         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
1087
1088         * interpreter/StackVisitor.cpp:
1089         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1090         * interpreter/StackVisitor.h:
1091
1092 2019-04-04  Saam barati  <sbarati@apple.com>
1093
1094         Teach Call ICs how to call Wasm
1095         https://bugs.webkit.org/show_bug.cgi?id=196387
1096
1097         Reviewed by Filip Pizlo.
1098
1099         This patch teaches JS to call Wasm without going through the native thunk.
1100         Currently, we emit a JIT "JS" callee stub which marshals arguments from
1101         JS to Wasm. Like the native version of this, this thunk is responsible
1102         for saving and restoring the VM's current Wasm context. Instead of emitting
1103         an exception handler, we also teach the unwinder how to read the previous
1104         wasm context to restore it as it unwinds past this frame.
1105
1106         This patch is straightforward, and leaves some areas for perf improvement:
1107         - We can teach the DFG/FTL to directly use the Wasm calling convention when
1108           it knows it's calling a single Wasm function. This way we don't shuffle
1109           registers to the stack and then back into registers.
1110         - We bail out to the slow path for mismatched arity. I opened a bug to
1111           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
1112         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
1113           We should teach this thunk how to do that conversion directly.
1114         
1115         This patch also refactors the code to explicitly have a single pinned size register.
1116         We used to pretend in some places that we could have more than one pinned size register.
1117         However, there was other code that just asserted the size was one. This patch just rips
1118         out this code since we never moved to having more than one pinned size register. Doing
1119         this refactoring cleans up the various places where we set up the size register.
1120         
1121         This patch is a 50-60% progression on JetStream 2's richards-wasm.
1122
1123         * JavaScriptCore.xcodeproj/project.pbxproj:
1124         * Sources.txt:
1125         * assembler/MacroAssemblerCodeRef.h:
1126         (JSC::MacroAssemblerCodeRef::operator=):
1127         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1128         * interpreter/Interpreter.cpp:
1129         (JSC::UnwindFunctor::operator() const):
1130         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1131         * interpreter/StackVisitor.cpp:
1132         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1133         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1134         * interpreter/StackVisitor.h:
1135         * jit/JITOperations.cpp:
1136         * jit/RegisterSet.cpp:
1137         (JSC::RegisterSet::runtimeTagRegisters):
1138         (JSC::RegisterSet::specialRegisters):
1139         (JSC::RegisterSet::runtimeRegisters): Deleted.
1140         * jit/RegisterSet.h:
1141         * jit/Repatch.cpp:
1142         (JSC::linkPolymorphicCall):
1143         * runtime/JSFunction.cpp:
1144         (JSC::getCalculatedDisplayName):
1145         * runtime/JSGlobalObject.cpp:
1146         (JSC::JSGlobalObject::init):
1147         (JSC::JSGlobalObject::visitChildren):
1148         * runtime/JSGlobalObject.h:
1149         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1150         * runtime/VM.cpp:
1151         (JSC::VM::VM):
1152         * runtime/VM.h:
1153         * wasm/WasmAirIRGenerator.cpp:
1154         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1155         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1156         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1157         * wasm/WasmB3IRGenerator.cpp:
1158         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1159         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1160         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1161         * wasm/WasmBinding.cpp:
1162         (JSC::Wasm::wasmToWasm):
1163         * wasm/WasmContext.h:
1164         (JSC::Wasm::Context::pointerToInstance):
1165         * wasm/WasmContextInlines.h:
1166         (JSC::Wasm::Context::store):
1167         * wasm/WasmMemoryInformation.cpp:
1168         (JSC::Wasm::getPinnedRegisters):
1169         (JSC::Wasm::PinnedRegisterInfo::get):
1170         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1171         * wasm/WasmMemoryInformation.h:
1172         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1173         * wasm/WasmOMGPlan.cpp:
1174         (JSC::Wasm::OMGPlan::work):
1175         * wasm/js/JSToWasm.cpp:
1176         (JSC::Wasm::createJSToWasmWrapper):
1177         * wasm/js/JSToWasmICCallee.cpp: Added.
1178         (JSC::JSToWasmICCallee::create):
1179         (JSC::JSToWasmICCallee::createStructure):
1180         (JSC::JSToWasmICCallee::visitChildren):
1181         * wasm/js/JSToWasmICCallee.h: Added.
1182         (JSC::JSToWasmICCallee::function):
1183         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1184         * wasm/js/WebAssemblyFunction.cpp:
1185         (JSC::WebAssemblyFunction::useTagRegisters const):
1186         (JSC::WebAssemblyFunction::calleeSaves const):
1187         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1188         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1189         (JSC::WebAssemblyFunction::previousInstance):
1190         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1191         (JSC::WebAssemblyFunction::visitChildren):
1192         (JSC::WebAssemblyFunction::destroy):
1193         * wasm/js/WebAssemblyFunction.h:
1194         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1195         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1196         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1197         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1198         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1199         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1200         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1201         * wasm/js/WebAssemblyPrototype.h:
1202
1203 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1204
1205         [JSC] Pass CodeOrigin to FuzzerAgent
1206         https://bugs.webkit.org/show_bug.cgi?id=196590
1207
1208         Reviewed by Saam Barati.
1209
1210         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1211         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1212         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1213
1214         * dfg/DFGByteCodeParser.cpp:
1215         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1216         * runtime/FuzzerAgent.cpp:
1217         (JSC::FuzzerAgent::getPrediction):
1218         * runtime/FuzzerAgent.h:
1219         * runtime/RandomizingFuzzerAgent.cpp:
1220         (JSC::RandomizingFuzzerAgent::getPrediction):
1221         * runtime/RandomizingFuzzerAgent.h:
1222
1223 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1224
1225         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1226         https://bugs.webkit.org/show_bug.cgi?id=194944
1227
1228         Reviewed by Keith Miller.
1229
1230         Based on profile data collected on JetStream2, Speedometer 2 and
1231         other benchmarks, it is very rare to have a non-empty
1232         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1233
1234         - Data collected from Speedometer2
1235             Total number of UnlinkedFunctionExecutable: 39463
1236             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1237
1238         - Data collected from JetStream2
1239             Total number of UnlinkedFunctionExecutable: 83715
1240             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1241
1242         We also collected numbers on 6 of the top 10 Alexa sites.
1243
1244         - Data collected from youtube.com
1245             Total number of UnlinkedFunctionExecutable: 29599
1246             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1247
1248         - Data collected from twitter.com
1249             Total number of UnlinkedFunctionExecutable: 23774
1250             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1251
1252         - Data collected from google.com
1253             Total number of UnlinkedFunctionExecutable: 33209
1254             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1255
1256         - Data collected from amazon.com:
1257             Total number of UnlinkedFunctionExecutable: 15182
1258             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1259
1260         - Data collected from facebook.com:
1261             Total number of UnlinkedFunctionExecutable: 54443
1262             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1263
1264         - Data collected from netflix.com:
1265             Total number of UnlinkedFunctionExecutable: 39266
1266             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1267
1268         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
1269         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1270         16 bytes. With this change, UnlinkedFunctionExecutable constructors now
1271         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
1272         it when `value != WTF::nullopt`. We also changed
1273         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
1274         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1275         or VariableEnvironmentMap::Handle is uninitialized. This is required
1276         because RareData is instantiated when any of its fields is stored and
1277         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
1278         is `WTF::nullopt`.
1279
1280         Results on memory usage on JetStream2 are neutral.
1281
1282             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1283             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1284
1285         * builtins/BuiltinExecutables.cpp:
1286         (JSC::BuiltinExecutables::createExecutable):
1287         * bytecode/UnlinkedFunctionExecutable.cpp:
1288         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1289         * bytecode/UnlinkedFunctionExecutable.h:
1290         * bytecompiler/BytecodeGenerator.cpp:
1291         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1292
1293         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1294         is empty, so we can properly return `WTF::nullopt` without the
1295         reconstruction of a VariableEnvironment to check if it is empty.
1296
1297         * bytecompiler/BytecodeGenerator.h:
1298         (JSC::BytecodeGenerator::makeFunction):
1299         * parser/VariableEnvironment.h:
1300         (JSC::VariableEnvironment::isEmpty const):
1301         * runtime/CachedTypes.cpp:
1302         (JSC::CachedCompactVariableMapHandle::decode const):
1303
1304         It returns an uninitialized Handle when there is no
1305         CompactVariableEnvironment. This can happen when RareData is ensured
1306         because of another field.
1307
1308         (JSC::CachedFunctionExecutableRareData::encode):
1309         (JSC::CachedFunctionExecutableRareData::decode const):
1310         (JSC::CachedFunctionExecutable::encode):
1311         (JSC::CachedFunctionExecutable::decode const):
1312         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1313         * runtime/CodeCache.cpp:
1314
1315         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1316         WTF::nullopt.
1317
1318         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
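
The RareData move described in this entry, as an added example (not JSC's UnlinkedFunctionExecutable): constructed stand-ins for VariableEnvironment, VariableEnvironmentMap::Handle and the executable before and after the change. `UnlinkedFunctionExecutableInline`, `setOtherRareField`, `hasRareData` and the scenario functions are this example's names; representing a Handle as a shared_ptr, with null meaning uninitialized, is an assumption made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-ins (example code, not JSC's definitions) for the types the entry
// names: VariableEnvironment, VariableEnvironmentMap::Handle and UnlinkedFunctionExecutable
// with its RareData. A null shared_ptr plays the part of an uninitialized Handle.
using VariableEnvironment = std::vector<std::string>; // variable names under TDZ

struct VariableEnvironmentMap {
    struct Handle {
        std::shared_ptr<const VariableEnvironment> environment;
        bool isInitialized() const { return environment != nullptr; }
    };
};

// Before: the handle sits inline in every executable, used or not.
struct UnlinkedFunctionExecutableInline {
    uint32_t sourceOffset = 0;
    uint32_t sourceLength = 0;
    std::optional<VariableEnvironmentMap::Handle> parentScopeTDZVariables;
};

// After: rarely used fields live behind one pointer that is allocated on first use.
class UnlinkedFunctionExecutable {
public:
    UnlinkedFunctionExecutable(uint32_t offset, uint32_t length, std::optional<VariableEnvironmentMap::Handle> tdzVariables)
        : m_sourceOffset(offset), m_sourceLength(length)
    {
        // Store only when a value is present (`value != WTF::nullopt` in the entry), so the
        // common case (about 99% of executables in the numbers above) allocates no RareData.
        if (tdzVariables)
            ensureRareData().m_parentScopeTDZVariables = *tdzVariables;
    }

    // Some other rarely used field (hypothetical). Storing it instantiates RareData even
    // when no TDZ handle was given, which leaves an uninitialized Handle behind.
    void setOtherRareField(std::string value) { ensureRareData().m_otherRareField = std::move(value); }

    // Empty environment when there is no RareData or the Handle is uninitialized:
    // the two cases the entry describes.
    VariableEnvironment parentScopeTDZVariables() const
    {
        if (!m_rareData || !m_rareData->m_parentScopeTDZVariables.isInitialized())
            return VariableEnvironment();
        return *m_rareData->m_parentScopeTDZVariables.environment;
    }

    bool hasRareData() const { return m_rareData != nullptr; }

private:
    struct RareData {
        VariableEnvironmentMap::Handle m_parentScopeTDZVariables;
        std::string m_otherRareField;
    };

    RareData& ensureRareData()
    {
        if (!m_rareData)
            m_rareData = std::make_unique<RareData>();
        return *m_rareData;
    }

    uint32_t m_sourceOffset;
    uint32_t m_sourceLength;
    std::unique_ptr<RareData> m_rareData;
};

// Scenarios from the entry, returned as values so they can be checked.
bool commonCaseAllocatesNoRareData()
{
    UnlinkedFunctionExecutable executable(0, 10, std::nullopt);
    return !executable.hasRareData() && executable.parentScopeTDZVariables().empty();
}

bool uninitializedHandleReadsAsEmpty()
{
    UnlinkedFunctionExecutable executable(0, 10, std::nullopt);
    executable.setOtherRareField("rare"); // RareData ensured by another field
    return executable.hasRareData() && executable.parentScopeTDZVariables().empty();
}

size_t storedTDZVariableCount()
{
    VariableEnvironmentMap::Handle handle { std::make_shared<VariableEnvironment>(VariableEnvironment { "x", "y" }) };
    UnlinkedFunctionExecutable executable(0, 10, handle);
    return executable.parentScopeTDZVariables().size();
}

int main()
{
    std::printf("sizeof inline: %zu, with RareData: %zu\n", sizeof(UnlinkedFunctionExecutableInline), sizeof(UnlinkedFunctionExecutable));
    std::printf("common case has RareData: %d, TDZ count: %zu\n", !commonCaseAllocatesNoRareData(), storedTDZVariableCount());
    return 0;
}
```

The exact number of bytes saved depends on the platform's pointer and optional layout, so the example only shows that the out-of-line form is smaller; the 16 bytes the entry reports is JSC's own measurement.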
1319
1320 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1321
1322         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1323         https://bugs.webkit.org/show_bug.cgi?id=196409
1324
1325         Reviewed by Saam Barati.
1326
1327         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
1328         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1329         and therefore does not write the bytecode cache to disk.
1330
1331         Changing that revealed a bug in bytecode cache. The Encoder keeps a mapping
1332         of pointers to offsets of already cached objects, in order to avoid caching
1333         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1334         to pointers, in order to avoid creating multiple objects in memory for the
1335         same cached object. The following was happening:
1336         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1337         an entry in the Encoder mapping that S has already been encoded at O.
1338         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1339         We find an entry in the Encoder mapping for S, and return the offset O. However,
1340         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1341
1342         3) When decoding, there are 2 possibilities:
1343         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1344         this case, everything works as expected since we add an entry in the decoder
1345         mapping from the offset O to the decoded StringImpl* S. The next time we find
1346         S through the uniqued version, we'll return the already decoded S.
1347         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1348         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1349         which has a different shape and we crash.
1350
1351         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1352         same implementation. Since it doesn't matter whether a string is uniqued for
1353         encoding, and we always decode strings as uniqued either way, they can be used
1354         interchangeably.
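
As an added example (not code from WebKit or this patch), a toy model of the Encoder/Decoder pointer-to-offset maps described above: StringImpl, Encoder, Decoder and Shape are simplified stand-ins, and the shared-layout fix is modelled by a `sharedLayout` flag.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for StringImpl: identity is the pointer, as in the real cache maps.
struct StringImpl { std::string chars; };

// Record shape written for a string. Before the fix CachedStringImpl wrote Plain
// and CachedUniquedStringImpl wrote Uniqued (with an extra hash field); after it
// both write one shape, modelled by `sharedLayout`.
enum class Shape : uint8_t { Plain = 1, Uniqued = 2 };

static Shape layoutFor(Shape requested, bool sharedLayout)
{
    return sharedLayout ? Shape::Plain : requested;
}

struct Encoder {
    std::vector<uint8_t> bytes;
    std::map<const StringImpl*, size_t> offsets; // pointer -> offset already cached

    void append32(uint32_t v)
    {
        uint8_t raw[4];
        std::memcpy(raw, &v, 4);
        bytes.insert(bytes.end(), raw, raw + 4);
    }

    // Steps 1 and 2 above: the lookup is keyed by pointer only, so the second
    // request gets offset O back whatever shape it asked for.
    size_t cache(const StringImpl* s, Shape shape)
    {
        auto it = offsets.find(s);
        if (it != offsets.end())
            return it->second;
        size_t offset = bytes.size();
        bytes.push_back(static_cast<uint8_t>(shape));
        if (shape == Shape::Uniqued)
            append32(static_cast<uint32_t>(std::hash<std::string>{}(s->chars)));
        append32(static_cast<uint32_t>(s->chars.size()));
        bytes.insert(bytes.end(), s->chars.begin(), s->chars.end());
        offsets[s] = offset;
        return offset;
    }
};

struct Decoder {
    const std::vector<uint8_t>& bytes;
    std::map<size_t, const StringImpl*> decoded; // offset -> object already created
    std::vector<std::unique_ptr<StringImpl>> owned;

    explicit Decoder(const std::vector<uint8_t>& b) : bytes(b) { }

    // Decode the record at `offset` as `shape`. Case 3.1 is served from `decoded`;
    // case 3.2 meets a record of the other shape (a crash in the real decoder,
    // reported here as nullptr).
    const StringImpl* decode(size_t offset, Shape shape)
    {
        auto it = decoded.find(offset);
        if (it != decoded.end())
            return it->second;
        if (bytes.at(offset) != static_cast<uint8_t>(shape))
            return nullptr;
        size_t pos = offset + 1;
        if (shape == Shape::Uniqued)
            pos += 4; // skip the hash field
        uint32_t length;
        std::memcpy(&length, &bytes.at(pos), 4);
        pos += 4;
        auto s = std::make_unique<StringImpl>();
        s->chars.assign(reinterpret_cast<const char*>(&bytes.at(pos)), length);
        decoded[offset] = s.get();
        owned.push_back(std::move(s));
        return decoded[offset];
    }
};

// Cache S once as plain and once as uniqued, then decode the uniqued reference
// first (case 3.2). True if the string round-trips to a single object, false if
// the decoder hit a misshaped record.
bool uniquedFirstRoundTrips(bool sharedLayout)
{
    StringImpl s { "constructed sample string" };
    Shape plain = layoutFor(Shape::Plain, sharedLayout);
    Shape uniqued = layoutFor(Shape::Uniqued, sharedLayout);
    Encoder encoder;
    size_t plainOffset = encoder.cache(&s, plain);
    size_t uniquedOffset = encoder.cache(&s, uniqued);
    if (plainOffset != uniquedOffset)
        return false; // the dedup map must hand back the same offset O
    Decoder decoder(encoder.bytes);
    const StringImpl* viaUniqued = decoder.decode(uniquedOffset, uniqued);
    if (!viaUniqued || viaUniqued->chars != s.chars)
        return false;
    return decoder.decode(plainOffset, plain) == viaUniqued;
}
```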
1355
1356         * jsc.cpp:
1357         (functionRunString):
1358         (functionLoadString):
1359         (functionDollarAgentStart):
1360         (functionCheckModuleSyntax):
1361         (runInteractive):
1362         * runtime/CachedTypes.cpp:
1363         (JSC::CachedUniquedStringImplBase::decode const):
1364         (JSC::CachedFunctionExecutable::rareData const):
1365         (JSC::CachedCodeBlock::rareData const):
1366         (JSC::CachedFunctionExecutable::encode):
1367         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1368         (JSC::CachedUniquedStringImpl::encode): Deleted.
1369         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1370         (JSC::CachedStringImpl::encode): Deleted.
1371         (JSC::CachedStringImpl::decode const): Deleted.
1372
1373 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1374
1375         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
1376         https://bugs.webkit.org/show_bug.cgi?id=196396
1377
1378         Reviewed by Saam Barati.
1379
1380         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
1381         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
1382
1383         * runtime/CachedTypes.cpp:
1384         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1385
1386 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1387
1388         Unreviewed, rolling in r243843 with the build fix
1389         https://bugs.webkit.org/show_bug.cgi?id=196586
1390
1391         * runtime/Options.cpp:
1392         (JSC::recomputeDependentOptions):
1393         * runtime/Options.h:
1394         * runtime/RandomizingFuzzerAgent.cpp:
1395         (JSC::RandomizingFuzzerAgent::getPrediction):
1396
1397 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
1398
1399         Unreviewed, rolling out r243843.
1400
1401         Broke CLoop and Windows builds.
1402
1403         Reverted changeset:
1404
1405         "[JSC] Add dump feature for RandomizingFuzzerAgent"
1406         https://bugs.webkit.org/show_bug.cgi?id=196586
1407         https://trac.webkit.org/changeset/243843
1408
1409 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1410
1411         B3 should use associativity to optimize expression trees
1412         https://bugs.webkit.org/show_bug.cgi?id=194081
1413
1414         Reviewed by Filip Pizlo.
1415
1416         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
1417         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
1418         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
1419         inherited from CSE.
1420         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
1421         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
1422
1423         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
1424         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
1425         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
1426         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
1427         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
1428
1429         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
1430         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
1431
1432         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
1433
1434         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
1435         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
1436
1437         * JavaScriptCore.xcodeproj/project.pbxproj:
1438         * Sources.txt:
1439         * b3/B3Common.cpp:
1440         (JSC::B3::shouldDumpIR):
1441         (JSC::B3::shouldDumpIRAtEachPhase):
1442         * b3/B3Common.h:
1443         * b3/B3EliminateDeadCode.cpp: Added.
1444         (JSC::B3::EliminateDeadCode::run):
1445         (JSC::B3::eliminateDeadCode):
1446         * b3/B3EliminateDeadCode.h: Added.
1447         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
1448         * b3/B3Generate.cpp:
1449         (JSC::B3::generateToAir):
1450         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
1451         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
1452         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
1453         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
1454         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
1455         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
1456         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
1457         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
1458         (JSC::B3::optimizeAssociativeExpressionTrees):
1459         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
1460         * b3/B3ReduceStrength.cpp:
1461         * b3/B3Value.cpp:
1462         (JSC::B3::Value::replaceWithIdentity):
1463         * b3/testb3.cpp:
1464         (JSC::B3::testBitXorTreeArgs):
1465         (JSC::B3::testBitXorTreeArgsEven):
1466         (JSC::B3::testBitXorTreeArgImm):
1467         (JSC::B3::testAddTreeArg32):
1468         (JSC::B3::testMulTreeArg32):
1469         (JSC::B3::testBitAndTreeArg32):
1470         (JSC::B3::testBitOrTreeArg32):
1471         (JSC::B3::run):
1472
1473 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1474
1475         [JSC] Add dump feature for RandomizingFuzzerAgent
1476         https://bugs.webkit.org/show_bug.cgi?id=196586
1477
1478         Reviewed by Saam Barati.
1479
1480         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
1481         The results are like this.
1482
1483             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
1484             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
1485
1486         * runtime/Options.cpp:
1487         (JSC::recomputeDependentOptions):
1488         * runtime/Options.h:
1489         * runtime/RandomizingFuzzerAgent.cpp:
1490         (JSC::RandomizingFuzzerAgent::getPrediction):
1491
1492 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1493
1494         -apple-trailing-word is needed for browser detection
1495         https://bugs.webkit.org/show_bug.cgi?id=196575
1496
1497         Unreviewed.
1498
1499         * Configurations/FeatureDefines.xcconfig:
1500
1501 2019-04-03  Michael Saboff  <msaboff@apple.com>
1502
1503         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
1504         https://bugs.webkit.org/show_bug.cgi?id=196477
1505
1506         Reviewed by Keith Miller.
1507
1508         The problem here is that when we advance the index by 2 for a character class that only
1509         has non-BMP characters, we might go past the end of the string.  This can happen for
1510         greedy counted character classes that are part of an alternative where there is one
1511         character to match after the greedy non-BMP character class.
1512
1513         The "do we have string left to match" check at the top of the JIT loop for the counted
1514         character class checks to see if index is not equal to the string length.  For non-BMP
1515         character classes, we need to check to see if there are at least 2 characters left.
1516         Therefore we now temporarily add 1 to the current index before comparing.  This checks
1517         to see if there are at least 2 characters left to match, instead of 1.
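
An added example, not from the patch: a model of the greedy loop's end-of-string check before and after the fix, run over a constructed UTF-16 input; `matchesNonBMPClass` is a stand-in for a character class that contains only non-BMP characters.

```cpp
#include <string>

// Constructed stand-in for a character class that only contains non-BMP
// characters: it matches any well-formed surrogate pair. Note that it reads
// two code units, s[index] and s[index + 1].
static bool matchesNonBMPClass(const std::u16string& s, size_t index)
{
    char16_t high = s[index];
    char16_t low = s[index + 1];
    return high >= 0xD800 && high <= 0xDBFF && low >= 0xDC00 && low <= 0xDFFF;
}

// Greedy counted loop as described before the fix: the only "string left to
// match" check is index != length. With one BMP code unit left, that check
// passes and the class would read s[index + 1] past the end. Returns the code
// units consumed, or -1 where the real loop would have read out of bounds.
long greedyNonBMPBeforeFix(const std::u16string& s, size_t index)
{
    size_t start = index;
    while (index != s.size()) {
        if (index + 1 >= s.size())
            return -1; // the out-of-bounds read the bug allowed
        if (!matchesNonBMPClass(s, index))
            break;
        index += 2;
    }
    return static_cast<long>(index - start);
}

// After the fix: add 1 to the index before comparing with the length, so a
// match is only attempted when at least two code units remain. This model uses
// "<" rather than "!=" so it also stays safe if index already equals length.
long greedyNonBMPAfterFix(const std::u16string& s, size_t index)
{
    size_t start = index;
    while (index + 1 < s.size()) {
        if (!matchesNonBMPClass(s, index))
            break;
        index += 2;
    }
    return static_cast<long>(index - start);
}

// Inputs constructed for this example (not taken from the bug report).
const std::u16string kPairsThenOneChar = u"\U0001F600\U0001F600a"; // two pairs, then 'a'
const std::u16string kPairsOnly = u"\U0001F600\U0001F600";
```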
1518
1519         * yarr/YarrJIT.cpp:
1520         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1521         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1522
1523 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1524
1525         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1526         https://bugs.webkit.org/show_bug.cgi?id=196574
1527
1528         Reviewed by Saam Barati.
1529
1530         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
1531
1532         * dfg/DFGOperations.cpp:
1533
1534 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
1535
1536         [CMake][WTF] Mirror XCode header directories
1537         https://bugs.webkit.org/show_bug.cgi?id=191662
1538
1539         Reviewed by Konstantin Tokarev.
1540
1541         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
1542         builds.
1543
1544         * CMakeLists.txt:
1545         * shell/CMakeLists.txt:
1546
1547 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1548
1549         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
1550         https://bugs.webkit.org/show_bug.cgi?id=196530
1551
1552         Reviewed by Saam Barati.
1553
1554         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
1555         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
1556         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
1557
1558         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it finds 3 failures in the current JSC tests,
1559         they should be fixed in subsequent patches.
1560
1561         * CMakeLists.txt:
1562         * JavaScriptCore.xcodeproj/project.pbxproj:
1563         * Sources.txt:
1564         * dfg/DFGByteCodeParser.cpp:
1565         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1566         * runtime/FuzzerAgent.cpp: Added.
1567         (JSC::FuzzerAgent::~FuzzerAgent):
1568         (JSC::FuzzerAgent::getPrediction):
1569         * runtime/FuzzerAgent.h: Added.
1570         * runtime/JSGlobalObjectFunctions.cpp:
1571         * runtime/Options.h:
1572         * runtime/RandomizingFuzzerAgent.cpp: Added.
1573         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
1574         (JSC::RandomizingFuzzerAgent::getPrediction):
1575         * runtime/RandomizingFuzzerAgent.h: Added.
1576         * runtime/RegExpCachedResult.h:
1577         * runtime/RegExpGlobalData.cpp:
1578         * runtime/VM.cpp:
1579         (JSC::VM::VM):
1580         * runtime/VM.h:
1581         (JSC::VM::fuzzerAgent const):
1582         (JSC::VM::setFuzzerAgent):
1583
1584 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1585
1586         Remove support for -apple-trailing-word
1587         https://bugs.webkit.org/show_bug.cgi?id=196525
1588
1589         Reviewed by Zalan Bujtas.
1590
1591         This CSS property is nonstandard and not used.
1592
1593         * Configurations/FeatureDefines.xcconfig:
1594
1595 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
1596
1597         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
1598         https://bugs.webkit.org/show_bug.cgi?id=196513
1599         <rdar://problem/49498284>
1600
1601         Reviewed by Devin Rousso.
1602
1603         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1604         (Inspector::RemoteInspector::receivedIndicateMessage):
1605         When we have a WebThread, don't just run on the WebThread,
1606         run on the MainThread with the WebThreadLock.
1607
1608 2019-04-02  Michael Saboff  <msaboff@apple.com>
1609
1610         Crash in Options::setOptions() using --configFile option and libgmalloc
1611         https://bugs.webkit.org/show_bug.cgi?id=196506
1612
1613         Reviewed by Keith Miller.
1614
1615         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
1616         the implicit CString temporary alive until after setOptions() returns.
1617
1618         * runtime/ConfigFile.cpp:
1619         (JSC::ConfigFile::parse):
1620
1621 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
1622
1623         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
1624         https://bugs.webkit.org/show_bug.cgi?id=182757
1625
1626         Reviewed by Don Olmstead.
1627
1628         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
1629         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
1630         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
1631
1632 2019-04-02  Saam barati  <sbarati@apple.com>
1633
1634         Add a ValueRepReduction phase
1635         https://bugs.webkit.org/show_bug.cgi?id=196234
1636
1637         Reviewed by Filip Pizlo.
1638
1639         This patch adds a ValueRepReduction phase. The main idea here is
1640         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
1641         to just be @x. This patch handles such above strength reduction rules
1642         as long as we prove that all users of the ValueRep can be converted
1643         to using the incoming double value. That way we prevent introducing
1644         a parallel live range for the double value.
1645         
1646         This patch tracks the uses of the ValueRep through Phi variables,
1647         so we can convert entire Phi variables to being Double instead
1648         of JSValue if the Phi also has only double uses.
1649         
1650         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
1651         and OSR exit hints are not counted as escapes. All other uses are counted
1652         as escapes. Connected Phi graphs are converted to being Double only if the
1653         entire graph is ok with the result being Double.
1654         
1655         Some ways we could extend this phase in the future:
1656         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
1657           that the result of the DoubleRep of @x is not impure NaN. We could
1658           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
1659           with PurifyNaN(@x). Alternatively, we could see if certain users of this
1660           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
1661           their output type is always treated as if the input is impure NaN.
1662         - We could do sinking of ValueRep where we think it's profitable. So instead
1663           of an escape making it so we never represent the variable as a Double, we
1664           could make the escape reconstruct the JSValueRep where profitable.
1665         - We can extend this phase to handle Int52Rep if it's profitable.
1666         - We can opt other nodes into accepting incoming Doubles so we no longer
1667           treat them as escapes.
1668         
1669         This patch is somewhere between neutral and a 1% progression on JetStream 2.
1670
1671         * JavaScriptCore.xcodeproj/project.pbxproj:
1672         * Sources.txt:
1673         * dfg/DFGPlan.cpp:
1674         (JSC::DFG::Plan::compileInThreadImpl):
1675         * dfg/DFGValueRepReductionPhase.cpp: Added.
1676         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
1677         (JSC::DFG::ValueRepReductionPhase::run):
1678         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
1679         (JSC::DFG::performValueRepReduction):
1680         * dfg/DFGValueRepReductionPhase.h: Added.
1681         * runtime/Options.h:
1682
1683 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
1684
1685         [JSC] JSRunLoopTimer::Manager should be small
1686         https://bugs.webkit.org/show_bug.cgi?id=196425
1687
1688         Reviewed by Darin Adler.
1689
1690         Using very large Key or Value in HashMap potentially bloats memory since HashMap pre-allocates large size of
1691         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. We use std::unique_ptr<> for JSRunLoopTimer's
1692         PerVMData to keep HashMap's backing store size small.
1693
1694         * runtime/JSRunLoopTimer.cpp:
1695         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1696         (JSC::JSRunLoopTimer::Manager::registerVM):
1697         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1698         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1699         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1700         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1701         * runtime/JSRunLoopTimer.h:
1702
1703 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
1704
1705         [PlayStation] Add initialization for JSC shell for PlayStation port
1706         https://bugs.webkit.org/show_bug.cgi?id=195411
1707
1708         Reviewed by Ross Kirsling.
1709
1710         Add ps options
1711
1712         * shell/PlatformPlayStation.cmake: Added.
1713         * shell/playstation/Initializer.cpp: Added.
1714         (initializer):
1715
1716 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
1717
1718         Stop trying to support building JSC with clang 3.8
1719         https://bugs.webkit.org/show_bug.cgi?id=195947
1720         <rdar://problem/49069219>
1721
1722         Reviewed by Darin Adler.
1723
1724         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
1725         don't know how much effort it would be to make JSC work again, and it's making the code
1726         worse. Remove my hacks to support clang 3.8 from JSC.
1727
1728         * bindings/ScriptValue.cpp:
1729         (Inspector::jsToInspectorValue):
1730         * bytecode/GetterSetterAccessCase.cpp:
1731         (JSC::GetterSetterAccessCase::create):
1732         (JSC::GetterSetterAccessCase::clone const):
1733         * bytecode/InstanceOfAccessCase.cpp:
1734         (JSC::InstanceOfAccessCase::clone const):
1735         * bytecode/IntrinsicGetterAccessCase.cpp:
1736         (JSC::IntrinsicGetterAccessCase::clone const):
1737         * bytecode/ModuleNamespaceAccessCase.cpp:
1738         (JSC::ModuleNamespaceAccessCase::clone const):
1739         * bytecode/ProxyableAccessCase.cpp:
1740         (JSC::ProxyableAccessCase::clone const):
1741
1742 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
1743
1744         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
1745         https://bugs.webkit.org/show_bug.cgi?id=196160
1746
1747         Reviewed by Saam Barati.
1748
1749         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
1750
1751         1. It does not allocate additional memory while expanding a vector
1752         2. It does not deallocate the old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
1753
1754         We found that we can "realloc" large butterflies if certain conditions are met because,
1755
1756         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
1757         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
1758
1759         This patch attempts to use "realloc" onto butterflies if,
1760
1761         1. Butterflies are allocated in LargeAllocation kind
1762         2. Concurrent collector is not active
1763         3. Butterflies do not have property storage
1764
1765         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
1766         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
1767
1768         We also change LargeAllocation mechanism to using "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
1769         safely in all the platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
1770         16B alignment by allocating 8B more memory in "malloc".
1771
1772         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
1773
1774         * heap/AlignedMemoryAllocator.h:
1775         * heap/CompleteSubspace.cpp:
1776         (JSC::CompleteSubspace::tryAllocateSlow):
1777         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1778         * heap/CompleteSubspace.h:
1779         * heap/FastMallocAlignedMemoryAllocator.cpp:
1780         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
1781         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
1782         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
1783         * heap/FastMallocAlignedMemoryAllocator.h:
1784         * heap/GigacageAlignedMemoryAllocator.cpp:
1785         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
1786         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
1787         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
1788         * heap/GigacageAlignedMemoryAllocator.h:
1789         * heap/IsoAlignedMemoryAllocator.cpp:
1790         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
1791         (JSC::IsoAlignedMemoryAllocator::freeMemory):
1792         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
1793         * heap/IsoAlignedMemoryAllocator.h:
1794         * heap/LargeAllocation.cpp:
1795         (JSC::isAlignedForLargeAllocation):
1796         (JSC::LargeAllocation::tryCreate):
1797         (JSC::LargeAllocation::tryReallocate):
1798         (JSC::LargeAllocation::LargeAllocation):
1799         (JSC::LargeAllocation::destroy):
1800         * heap/LargeAllocation.h:
1801         (JSC::LargeAllocation::indexInSpace):
1802         (JSC::LargeAllocation::setIndexInSpace):
1803         (JSC::LargeAllocation::basePointer const):
1804         * heap/MarkedSpace.cpp:
1805         (JSC::MarkedSpace::sweepLargeAllocations):
1806         (JSC::MarkedSpace::prepareForConservativeScan):
1807         * heap/WeakSet.h:
1808         (JSC::WeakSet::isTriviallyDestructible const):
1809         * runtime/Butterfly.h:
1810         * runtime/ButterflyInlines.h:
1811         (JSC::Butterfly::reallocArrayRightIfPossible):
1812         * runtime/JSObject.cpp:
1813         (JSC::JSObject::ensureLengthSlow):
1814
1815 2019-03-31  Sam Weinig  <weinig@apple.com>
1816
1817         Remove more i386 specific configurations
1818         https://bugs.webkit.org/show_bug.cgi?id=196430
1819
1820         Reviewed by Alexey Proskuryakov.
1821
1822         * Configurations/FeatureDefines.xcconfig:
1823         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
1824
1825         * Configurations/ToolExecutable.xcconfig:
1826         ARC can be enabled unconditionally now.
1827
1828 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1829
1830         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
1831         https://bugs.webkit.org/show_bug.cgi?id=196392
1832
1833         Reviewed by Saam Barati.
1834
1835         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very easy program shows 10KB memory consumption due to
1836         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. We can unregister itself
1837         from the map when it is deallocated without using Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
1838         and wrapper map is created per JSContext, JSValue wrapper and actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
1839         wrapper map holds itself.
1840
1841         1. We do not use Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And unregister
1842            JSValue from this map when JSValue is deallocated.
1843         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
1844            holds JSValueRef inside it.
1845
1846         * API/JSContext.mm:
1847         (-[JSContext removeWrapper:]):
1848         * API/JSContextInternal.h:
1849         * API/JSValue.mm:
1850         (-[JSValue dealloc]):
1851         (-[JSValue initWithValue:inContext:]):
1852         * API/JSWrapperMap.h:
1853         * API/JSWrapperMap.mm:
1854         (WrapperKey::hashTableDeletedValue):
1855         (WrapperKey::WrapperKey):
1856         (WrapperKey::isHashTableDeletedValue const):
1857         (WrapperKey::Hash::hash):
1858         (WrapperKey::Hash::equal):
1859         (WrapperKey::Traits::isEmptyValue):
1860         (WrapperKey::Translator::hash):
1861         (WrapperKey::Translator::equal):
1862         (WrapperKey::Translator::translate):
1863         (-[JSWrapperMap initWithGlobalContextRef:]):
1864         (-[JSWrapperMap dealloc]):
1865         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
1866         (-[JSWrapperMap removeWrapper:]):
1867         * API/tests/testapi.mm:
1868         (testObjectiveCAPIMain):
1869
1870 2019-03-29  Robin Morisset  <rmorisset@apple.com>
1871
1872         B3ReduceStrength should know that Mul distributes over Add and Sub
1873         https://bugs.webkit.org/show_bug.cgi?id=196325
1874
1875         Reviewed by Michael Saboff.
1876
1877         In this patch I add the following patterns to B3ReduceStrength:
1878         - Turn this: Integer Neg(Mul(value, c))
1879           Into this: Mul(value, -c), as long as -c does not overflow
1880         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
1881           Into this: Neg(Mul(value, otherValue))
1882         - For Op==Add or Sub, turn any of these:
1883              Op(Mul(x1, x2), Mul(x1, x3))
1884              Op(Mul(x2, x1), Mul(x1, x3))
1885              Op(Mul(x1, x2), Mul(x3, x1))
1886              Op(Mul(x2, x1), Mul(x3, x1))
1887           Into this: Mul(x1, Op(x2, x3))
1888
1889         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
1890         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
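
An added example (not B3's code) applying the patterns listed above to a minimal value graph; `Value`, `Op`, `reduceRoot` and `evaluate` are this model's own names, and it assumes the constant operand of a Mul sits on the right, as in B3's canonical form.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Minimal model of B3 integer values: Const32 and Arg leaves, plus Neg/Mul/Add/Sub.
enum class Op { Const32, Arg, Neg, Mul, Add, Sub };

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    Op op = Op::Const32;
    int32_t constant = 0; // Const32
    size_t argIndex = 0;  // Arg
    ValuePtr child[2];    // Neg uses child[0]; binary ops use both
};

static ValuePtr makeConst(int32_t c) { auto v = std::make_shared<Value>(); v->op = Op::Const32; v->constant = c; return v; }
static ValuePtr makeArg(size_t i) { auto v = std::make_shared<Value>(); v->op = Op::Arg; v->argIndex = i; return v; }
static ValuePtr makeNeg(ValuePtr a) { auto v = std::make_shared<Value>(); v->op = Op::Neg; v->child[0] = std::move(a); return v; }
static ValuePtr makeBinary(Op op, ValuePtr a, ValuePtr b)
{
    auto v = std::make_shared<Value>();
    v->op = op; v->child[0] = std::move(a); v->child[1] = std::move(b);
    return v;
}

// Apply the patterns once at the root; returns the input unchanged if none match.
ValuePtr reduceRoot(const ValuePtr& v)
{
    // Neg(Mul(value, c)) -> Mul(value, -c), only when -c does not overflow.
    if (v->op == Op::Neg && v->child[0]->op == Op::Mul && v->child[0]->child[1]->op == Op::Const32) {
        int32_t c = v->child[0]->child[1]->constant;
        if (c != INT32_MIN)
            return makeBinary(Op::Mul, v->child[0]->child[0], makeConst(-c));
    }
    // Mul(value, Neg(other)) and Mul(Neg(value), other) -> Neg(Mul(value, other)).
    if (v->op == Op::Mul) {
        if (v->child[1]->op == Op::Neg)
            return makeNeg(makeBinary(Op::Mul, v->child[0], v->child[1]->child[0]));
        if (v->child[0]->op == Op::Neg)
            return makeNeg(makeBinary(Op::Mul, v->child[0]->child[0], v->child[1]));
    }
    // Op(Mul(x1, x2), Mul(x1, x3)) in any of the four operand orders -> Mul(x1, Op(x2, x3)).
    // "Same x1" means the same node, which is how B3 identifies values; operand
    // order of Op is preserved, which matters for Sub.
    if ((v->op == Op::Add || v->op == Op::Sub) && v->child[0]->op == Op::Mul && v->child[1]->op == Op::Mul) {
        const ValuePtr& left = v->child[0];
        const ValuePtr& right = v->child[1];
        for (int i = 0; i < 2; ++i) {
            for (int j = 0; j < 2; ++j) {
                if (left->child[i].get() == right->child[j].get())
                    return makeBinary(Op::Mul, left->child[i], makeBinary(v->op, left->child[1 - i], right->child[1 - j]));
            }
        }
    }
    return v;
}

// Evaluate with wrapping 32-bit arithmetic, the semantics of B3's integer ops,
// so a test can confirm a rewrite preserved the value.
int32_t evaluate(const ValuePtr& v, const std::vector<int32_t>& args)
{
    auto u = [&](int i) { return static_cast<uint32_t>(evaluate(v->child[i], args)); };
    switch (v->op) {
    case Op::Const32: return v->constant;
    case Op::Arg: return args.at(v->argIndex);
    case Op::Neg: return static_cast<int32_t>(0u - u(0));
    case Op::Mul: return static_cast<int32_t>(u(0) * u(1));
    case Op::Add: return static_cast<int32_t>(u(0) + u(1));
    case Op::Sub: return static_cast<int32_t>(u(0) - u(1));
    }
    return 0;
}

// True if Neg(Mul(x, c)) was rewritten; false when the overflow guard left it alone.
bool negMulConstantReduces(int32_t c)
{
    auto before = makeNeg(makeBinary(Op::Mul, makeArg(0), makeConst(c)));
    return reduceRoot(before) != before;
}

// Sub(Mul(x2, x1), Mul(x3, x1)) with x1 shared: args {x1, x2, x3}.
ValuePtr sampleSubMulMul()
{
    auto x1 = makeArg(0), x2 = makeArg(1), x3 = makeArg(2);
    return makeBinary(Op::Sub, makeBinary(Op::Mul, x2, x1), makeBinary(Op::Mul, x3, x1));
}

// Mul(x0, Neg(x1)): args {x0, x1}.
ValuePtr sampleMulNegArg()
{
    return makeBinary(Op::Mul, makeArg(0), makeNeg(makeArg(1)));
}
```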
1891
1892         * b3/B3ReduceStrength.cpp:
1893         * b3/testb3.cpp:
1894         (JSC::B3::testAddMulMulArgs):
1895         (JSC::B3::testMulArgNegArg):
1896         (JSC::B3::testMulNegArgArg):
1897         (JSC::B3::testNegMulArgImm):
1898         (JSC::B3::testSubMulMulArgs):
1899         (JSC::B3::run):
1900
1901 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1902
1903         [JSC] Remove distancing for LargeAllocation
1904         https://bugs.webkit.org/show_bug.cgi?id=196335
1905
1906         Reviewed by Saam Barati.
1907
1908         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing thing in LargeAllocation.
1909
1910         * heap/HeapCell.h:
1911         * heap/LargeAllocation.cpp:
1912         (JSC::LargeAllocation::tryCreate):
1913         * heap/MarkedBlock.h:
1914
1915 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1916
1917         Delete WebMetal implementation in favor of WebGPU
1918         https://bugs.webkit.org/show_bug.cgi?id=195418
1919
1920         Reviewed by Dean Jackson.
1921
1922         * Configurations/FeatureDefines.xcconfig:
1923         * inspector/protocol/Canvas.json:
1924         * inspector/scripts/codegen/generator.py:
1925
1926 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
1927
1928         Assertion failed in JSC::createError
1929         https://bugs.webkit.org/show_bug.cgi?id=196305
1930         <rdar://problem/49387382>
1931
1932         Reviewed by Saam Barati.
1933
1934         JSC::createError assumes that `errorDescriptionForValue` will either
1935         throw an exception or return a valid description string. However, that
1936         is not true if the value is a rope string and we successfully resolve it,
1937         but later fail to wrap the string in quotes with `tryMakeString`.
1938
1939         * runtime/ExceptionHelpers.cpp:
1940         (JSC::createError):
1941
1942 2019-03-29  Devin Rousso  <drousso@apple.com>
1943
1944         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
1945         https://bugs.webkit.org/show_bug.cgi?id=196382
1946         <rdar://problem/49403417>
1947
1948         Reviewed by Joseph Pecoraro.
1949
1950         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
1951         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
1952         developer extras are enabled.
1953
1954         * inspector/agents/InspectorConsoleAgent.cpp:
1955         (Inspector::InspectorConsoleAgent::startTiming):
1956         (Inspector::InspectorConsoleAgent::stopTiming):
1957         (Inspector::InspectorConsoleAgent::count):
1958         (Inspector::InspectorConsoleAgent::addConsoleMessage):
1959
1960 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
1961
1962         Implement ResizeObserver.
1963         https://bugs.webkit.org/show_bug.cgi?id=157743
1964
1965         Reviewed by Simon Fraser.
1966
1967         Add ENABLE_RESIZE_OBSERVER.
1968
1969         * Configurations/FeatureDefines.xcconfig:
1970
1971 2019-03-28  Michael Saboff  <msaboff@apple.com>
1972
1973         [YARR] Precompute BMP / non-BMP status when constructing character classes
1974         https://bugs.webkit.org/show_bug.cgi?id=196296
1975
1976         Reviewed by Keith Miller.
1977
1978         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
1979         indicates if the class includes characters from either BMP, non-BMP or both ranges.
1980         This allows the recognizing code to eliminate checks for the width of a matched
1981         character when the class has only one width.  The character width is needed to
1982         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
1983         classes that contain either all BMP or all non-BMP characters allows the parser to
1984         use fixed widths for terms using those character classes.  Changed both the code gen
1985         scripts and Yarr compiler to compute this bit field during the construction of
1986         character classes.
1987
1988         For JIT'ed code of character classes that contain either all BMP or all non-BMP
1989         characters, we can eliminate the generic check we were doing to compute how much
1990         to advance after successfully matching a character in the class.
1991
1992                 Generic isBMP check      BMP only            non-BMP only
1993                 --------------           --------------      --------------
1994                 inc %r9d                 inc %r9d            add $0x2, %r9d
1995                 cmp $0x10000, %eax
1996                 jl isBMP
1997                 cmp %edx, %esi
1998                 jz atEndOfString
1999                 inc %r9d
2000                 inc %esi
2001          isBMP:
2002
2003         For character classes that contained non-BMP characters, we were always generating
2004         the code in the left column.  The middle column is the code we generate for character
2005         classes that contain only BMP characters.  The right column is the code we now
2006         generate if the character class has only non-BMP characters.  In the fixed width cases,
2007         we can eliminate both the isBMP check as well as the atEndOfString check.  The
2008         atEndOfString check is eliminated since we know how many characters this character
2009         class requires and that check can be factored out to the beginning of the current
2010         alternative.  For character classes that contain both BMP and non-BMP characters,
2011         we still generate the generic left column.
2012
2013         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
2014         as a whole.
2015
2016         * runtime/RegExp.cpp:
2017         (JSC::RegExp::matchCompareWithInterpreter):
2018         * runtime/RegExpInlines.h:
2019         (JSC::RegExp::matchInline):
2020         * yarr/YarrInterpreter.cpp:
2021         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2022         (JSC::Yarr::Interpreter::matchCharacterClass):
2023         * yarr/YarrJIT.cpp:
2024         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2025         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2026         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2027         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2028         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2029         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2030         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2031         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2032         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2033         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2034         (JSC::Yarr::YarrGenerator::generateEnter):
2035         (JSC::Yarr::YarrGenerator::YarrGenerator):
2036         (JSC::Yarr::YarrGenerator::compile):
2037         * yarr/YarrPattern.cpp:
2038         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2039         (JSC::Yarr::CharacterClassConstructor::reset):
2040         (JSC::Yarr::CharacterClassConstructor::charClass):
2041         (JSC::Yarr::CharacterClassConstructor::addSorted):
2042         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2043         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2044         (JSC::Yarr::CharacterClassConstructor::characterWidths):
2045         (JSC::Yarr::PatternTerm::dump):
2046         (JSC::Yarr::anycharCreate):
2047         * yarr/YarrPattern.h:
2048         (JSC::Yarr::operator|):
2049         (JSC::Yarr::operator&):
2050         (JSC::Yarr::operator|=):
2051         (JSC::Yarr::CharacterClass::CharacterClass):
2052         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
2053         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
2054         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
2055         (JSC::Yarr::PatternTerm::invert const):
2056         (JSC::Yarr::PatternTerm::invert): Deleted.
2057         * yarr/create_regex_tables:
2058         * yarr/generateYarrUnicodePropertyTables.py:
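
The optimization above rests on one property: a character class whose code points all lie on the same side of U+FFFF consumes a fixed number of UTF-16 code units (one for a BMP character, two for a surrogate pair), so the advance and the end-of-string check can be decided once per term instead of once per matched character. What follows is an added JavaScript model of that precomputation, not code from WebKit or Yarr; the names `characterWidths`, `fixedAdvance`, `matchGeneric` and `matchFixed`, the range-list representation of a class, and the sample string are all mine. The fixed-width walk is cross-checked against the engine's own `/u` RegExp on the same input.

```javascript
// Added example, not WebKit/Yarr code: a model of precomputing a character class's
// UTF-16 width so a matcher can skip the per-character isBMP and end-of-string checks.
const WIDTH_BMP = 1;      // U+0000..U+FFFF: one UTF-16 code unit
const WIDTH_NON_BMP = 2;  // U+10000..U+10FFFF: a surrogate pair, two code units

// A character class is a list of inclusive [lo, hi] code point ranges (hypothetical
// representation; Yarr's internal CharacterClass layout is not modelled here).
function characterWidths(ranges) {
  let widths = 0;
  for (const [lo, hi] of ranges) {
    if (lo <= 0xFFFF) widths |= WIDTH_BMP;
    if (hi > 0xFFFF) widths |= WIDTH_NON_BMP;
  }
  return widths;
}

// Code units consumed per match when the class has a single width, else null.
function fixedAdvance(ranges) {
  const widths = characterWidths(ranges);
  if (widths === WIDTH_BMP) return 1;
  if (widths === WIDTH_NON_BMP) return 2;
  return null; // mixed widths: the generic path must decide per character
}

function inClass(codePoint, ranges) {
  return ranges.some(([lo, hi]) => codePoint >= lo && codePoint <= hi);
}

// Generic path (the "left column"): decode the code point at `index`, pairing surrogates,
// then decide the advance from the value that was actually matched. Returns 0 on no match.
function matchGeneric(str, index, ranges) {
  if (index >= str.length) return 0;
  const codePoint = str.codePointAt(index);
  if (!inClass(codePoint, ranges)) return 0;
  return codePoint > 0xFFFF ? 2 : 1;
}

// Fixed-width path: the advance is known before matching, so one bounds check covers
// `count` repetitions and no per-character width test is needed. Returns the index after
// the last match, or -1.
function matchFixed(str, index, ranges, count) {
  const advance = fixedAdvance(ranges);
  if (advance === null) throw new Error('class has mixed widths; use matchGeneric');
  if (index + advance * count > str.length) return -1; // atEndOfString check, hoisted
  for (let i = 0; i < count; i++, index += advance) {
    if (!inClass(str.codePointAt(index), ranges)) return -1;
  }
  return index;
}

// Constructed sample: the Emoticons block (all non-BMP) and a string of three emoticons
// followed by an ASCII 'x', i.e. 7 UTF-16 code units in total.
const EMOTICONS = [[0x1F600, 0x1F64F]];
const SAMPLE = '\u{1F600}\u{1F601}\u{1F602}x';

function demo() {
  return {
    emoticonsAdvance: fixedAdvance(EMOTICONS),          // 2
    asciiAdvance: fixedAdvance([[0x41, 0x5A]]),         // 1
    mixedAdvance: fixedAdvance([[0x41, 0x1F600]]),      // null
    genericFirst: matchGeneric(SAMPLE, 0, EMOTICONS),   // 2
    fixedEnd: matchFixed(SAMPLE, 0, EMOTICONS, 3),      // 6
    tooShort: matchFixed(SAMPLE, 2, EMOTICONS, 3),      // -1: only 5 code units remain
    // The engine's own /u regexp agrees: three non-BMP class matches span 6 code units.
    regexpLength: /^[\u{1F600}-\u{1F64F}]{3}/u.exec(SAMPLE)[0].length, // 6
  };
}
```

The mixed-width class is the case the entry says still takes the generic column: `fixedAdvance` returns null for it, and `matchFixed` refuses it, because the number of code units a match consumes is only known after the character has been decoded.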
2059
2060 2019-03-28  Saam Barati  <sbarati@apple.com>
2061
2062         BackwardsGraph needs to consider back edges as the backward's root successor
2063         https://bugs.webkit.org/show_bug.cgi?id=195991
2064
2065         Reviewed by Filip Pizlo.
2066
2067         * b3/testb3.cpp:
2068         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
2069         (JSC::B3::run):
2070
2071 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
2072
2073         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
2074         https://bugs.webkit.org/show_bug.cgi?id=196343
2075
2076         Reviewed by Saam Barati.
2077
2078         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
2079         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
2080
2081         * bytecode/Opcode.cpp:
2082         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
2083         this function is used only in Opcode.cpp. Changed macros
2084         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
2085         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
2086         * bytecode/Opcode.h:
2087         (JSC::padOpcodeName): Moved.
2088
2089 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2090
2091         CodeBlock::jettison() should disallow repatching its own calls
2092         https://bugs.webkit.org/show_bug.cgi?id=196359
2093         <rdar://problem/48973663>
2094
2095         Reviewed by Saam Barati.
2096
2097         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
2098         instruction with the jump to OSR exit. However, if the `hlt` was immediately
2099         followed by a call to the CodeBlock being jettisoned, we would write over the
2100         OSR exit address while unlinking all the incoming CallLinkInfos later in
2101         CodeBlock::jettison().
2102
2103         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
2104         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
2105         repatching the call during unlinking. This is safe because this call will never
2106         be reachable again after the CodeBlock is jettisoned.
2107
2108         * bytecode/CallLinkInfo.cpp:
2109         (JSC::CallLinkInfo::CallLinkInfo):
2110         (JSC::CallLinkInfo::setCallee):
2111         (JSC::CallLinkInfo::clearCallee):
2112         (JSC::CallLinkInfo::setCodeBlock):
2113         (JSC::CallLinkInfo::clearCodeBlock):
2114         * bytecode/CallLinkInfo.h:
2115         (JSC::CallLinkInfo::clearedByJettison):
2116         (JSC::CallLinkInfo::setClearedByJettison):
2117         * bytecode/CodeBlock.cpp:
2118         (JSC::CodeBlock::jettison):
2119         * jit/Repatch.cpp:
2120         (JSC::revertCall):
2121
2122 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2123
2124         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2125         https://bugs.webkit.org/show_bug.cgi?id=196341
2126
2127         Reviewed by Saam Barati.
2128
2129         Previously, we created an Objective-C weak map to maintain the JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2130         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
2131         JSC intrusively for JavaScriptCore.framework (and we already do, e.g. holding JSWrapperMap in JSGlobalObject), we can just hold
2132         a pointer to a wrapper in VM and JSGlobalObject.
2133
2134         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2135         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2136
2137         * API/JSContext.mm:
2138         (-[JSContext initWithVirtualMachine:]):
2139         (-[JSContext dealloc]):
2140         (-[JSContext initWithGlobalContextRef:]):
2141         (-[JSContext wrapperMap]):
2142         (+[JSContext contextWithJSGlobalContextRef:]):
2143         * API/JSVirtualMachine.mm:
2144         (-[JSVirtualMachine initWithContextGroupRef:]):
2145         (-[JSVirtualMachine dealloc]):
2146         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2147         (scanExternalObjectGraph):
2148         (scanExternalRememberedSet):
2149         (initWrapperCache): Deleted.
2150         (wrapperCache): Deleted.
2151         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2152         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2153         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2154         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2155         * API/JSVirtualMachineInternal.h:
2156         * runtime/JSGlobalObject.h:
2157         (JSC::JSGlobalObject::setAPIWrapper):
2158         (JSC::JSGlobalObject::apiWrapper const):
2159         * runtime/VM.h:
2160
2161 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2162
2163         In-memory code cache should not share bytecode across domains
2164         https://bugs.webkit.org/show_bug.cgi?id=196321
2165
2166         Reviewed by Geoffrey Garen.
2167
2168         Use the SourceProvider's URL to make sure that the hosts match for the
2169         two SourceCodeKeys in operator==.
2170
2171         * parser/SourceCodeKey.h:
2172         (JSC::SourceCodeKey::host const):
2173         (JSC::SourceCodeKey::operator== const):
2174
2175 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2176
2177         Silence lot of warnings when compiling with clang
2178         https://bugs.webkit.org/show_bug.cgi?id=196310
2179
2180         Reviewed by Michael Catanzaro.
2181
2182         Initialize the variable with its default constructor.
2183
2184         * API/glib/JSCOptions.cpp:
2185         (jsc_options_foreach):
2186
2187 2019-03-27  Saam Barati  <sbarati@apple.com>
2188
2189         validateOSREntryValue with Int52 should box the value being checked into double format
2190         https://bugs.webkit.org/show_bug.cgi?id=196313
2191         <rdar://problem/49306703>
2192
2193         Reviewed by Yusuke Suzuki.
2194
2195         * dfg/DFGOSREntry.cpp:
2196         (JSC::DFG::prepareOSREntry):
2197         * ftl/FTLLowerDFGToB3.cpp:
2198         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2199
2200 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2201
2202         [JSC] Owner of watchpoints should validate at GC finalizing phase
2203         https://bugs.webkit.org/show_bug.cgi?id=195827
2204
2205         Reviewed by Filip Pizlo.
2206
2207         This patch fixes JSC's watchpoint liveness issue with the following two policies.
2208
2209         1. A watchpoint should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2210
2211         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
2212         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2213         be delayed due to the incremental sweeper. So the following condition can happen.
2214
2215         Suppose we have a watchpoint like the following.
2216
2217             class XXXWatchpoint {
2218                 ObjectPropertyCondition m_key;
2219                 JSCell* m_owner;
2220             };
2221
2222         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
2223         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2224         watchpoint's fire procedure can be called since m_owner's destructor has not been called yet. In this situation,
2225         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard the fire procedure with
2226         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2227         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2228
2229         2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
2230
2231         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
2232         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
2233         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2234         in the fire operation is not useful, because these dead cells can eventually be reused for other live cells, and the
2235         isLive / isStillLive checks would then wrongly see these cells as live once they are reused. The appropriate way is to delete watchpoints
2236         with dead cells when finalizing GC. In this patch, we do this in the unconditional finalizers of the owner cells of watchpoints.
2237         We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
2238
2239         * JavaScriptCore.xcodeproj/project.pbxproj:
2240         * Sources.txt:
2241         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2242         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2243         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2244         * bytecode/CodeBlockJettisoningWatchpoint.h:
2245         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2246         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2247         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2248         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2249         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2250         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2251         * bytecode/StructureStubClearingWatchpoint.cpp:
2252         (JSC::StructureStubClearingWatchpoint::fireInternal):
2253         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2254         * bytecode/StructureStubClearingWatchpoint.h:
2255         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2256         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2257         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2258         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2259         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2260         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2261         * dfg/DFGAdaptiveStructureWatchpoint.h:
2262         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2263         * dfg/DFGDesiredWatchpoints.cpp:
2264         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2265         * heap/Heap.cpp:
2266         (JSC::Heap::finalizeUnconditionalFinalizers):
2267         * llint/LLIntSlowPaths.cpp:
2268         (JSC::LLInt::setupGetByIdPrototypeCache):
2269         * runtime/ArrayBuffer.cpp:
2270         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2271         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2272         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2273         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2274         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2275         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2276         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2277         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2278         * runtime/FunctionRareData.h:
2279         * runtime/JSGlobalObject.cpp:
2280         (JSC::JSGlobalObject::init):
2281         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2282         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2283         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2284         * runtime/StructureRareData.cpp:
2285         (JSC::StructureRareData::finalizeUnconditionally):
2286         * runtime/StructureRareData.h:
2287         * runtime/VM.cpp:
2288         (JSC::VM::VM):
2289
2290 2019-03-26  Saam Barati  <sbarati@apple.com>
2291
2292         FTL: Emit code to validate AI's state when running the compiled code
2293         https://bugs.webkit.org/show_bug.cgi?id=195924
2294         <rdar://problem/49003422>
2295
2296         Reviewed by Filip Pizlo.
2297
2298         This patch adds code between the execution of each node that validates
2299         the types that AI proves. This option is too expensive to turn on for our
2300         regression testing, but we think it will be valuable in other types of running
2301         modes, such as when running with a fuzzer.
2302         
2303         This patch also adds options to only probabilistically run this validation
2304         after the execution of each node. As the probability is lowered, there is
2305         less of a perf hit.
2306         
2307         This patch just adds this validation in the FTL. A follow-up patch will land
2308         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2309
2310         * ftl/FTLLowerDFGToB3.cpp:
2311         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2312         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2313         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2314         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2315         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2316         * runtime/Options.h:
2317
2318 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2319
2320         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2321         https://bugs.webkit.org/show_bug.cgi?id=196217
2322
2323         Reviewed by Saam Barati.
2324
2325         Generalize the fix for f32.max in r243446, which properly handles NaN by doing an extra GreaterThan
2326         comparison, to all min and max float operations.
2327
2328         * wasm/WasmAirIRGenerator.cpp:
2329         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2330         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2331         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2332         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2333         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2334         * wasm/wasm.json:
2335
2336 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2337
2338         Intl.DateTimeFormat should obey 2-digit hour
2339         https://bugs.webkit.org/show_bug.cgi?id=195974
2340
2341         Reviewed by Keith Miller.
2342
2343         * runtime/IntlDateTimeFormat.cpp:
2344         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2345
2346 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2347
2348         Heap::isMarked and friends should be instance methods
2349         https://bugs.webkit.org/show_bug.cgi?id=179988
2350
2351         Reviewed by Saam Barati.
2352
2353         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2354         so that we do not need to look up the Heap from the cell.
2355
2356         * API/JSAPIWrapperObject.mm:
2357         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2358         * API/JSMarkingConstraintPrivate.cpp:
2359         (JSC::isMarked):
2360         * API/glib/JSAPIWrapperObjectGLib.cpp:
2361         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2362         * builtins/BuiltinExecutables.cpp:
2363         (JSC::BuiltinExecutables::finalizeUnconditionally):
2364         * bytecode/AccessCase.cpp:
2365         (JSC::AccessCase::visitWeak const):
2366         (JSC::AccessCase::propagateTransitions const):
2367         * bytecode/CallLinkInfo.cpp:
2368         (JSC::CallLinkInfo::visitWeak):
2369         * bytecode/CallLinkStatus.cpp:
2370         (JSC::CallLinkStatus::finalize):
2371         * bytecode/CallLinkStatus.h:
2372         * bytecode/CallVariant.cpp:
2373         (JSC::CallVariant::finalize):
2374         * bytecode/CallVariant.h:
2375         * bytecode/CodeBlock.cpp:
2376         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2377         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2378         (JSC::shouldMarkTransition):
2379         (JSC::CodeBlock::propagateTransitions):
2380         (JSC::CodeBlock::determineLiveness):
2381         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2382         (JSC::CodeBlock::finalizeUnconditionally):
2383         (JSC::CodeBlock::jettison):
2384         * bytecode/CodeBlock.h:
2385         * bytecode/ExecutableToCodeBlockEdge.cpp:
2386         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2387         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2388         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2389         * bytecode/GetByIdStatus.cpp:
2390         (JSC::GetByIdStatus::finalize):
2391         * bytecode/GetByIdStatus.h:
2392         * bytecode/GetByIdVariant.cpp:
2393         (JSC::GetByIdVariant::finalize):
2394         * bytecode/GetByIdVariant.h:
2395         * bytecode/InByIdStatus.cpp:
2396         (JSC::InByIdStatus::finalize):
2397         * bytecode/InByIdStatus.h:
2398         * bytecode/InByIdVariant.cpp:
2399         (JSC::InByIdVariant::finalize):
2400         * bytecode/InByIdVariant.h:
2401         * bytecode/ObjectPropertyCondition.cpp:
2402         (JSC::ObjectPropertyCondition::isStillLive const):
2403         * bytecode/ObjectPropertyCondition.h:
2404         * bytecode/ObjectPropertyConditionSet.cpp:
2405         (JSC::ObjectPropertyConditionSet::areStillLive const):
2406         * bytecode/ObjectPropertyConditionSet.h:
2407         * bytecode/PolymorphicAccess.cpp:
2408         (JSC::PolymorphicAccess::visitWeak const):
2409         * bytecode/PropertyCondition.cpp:
2410         (JSC::PropertyCondition::isStillLive const):
2411         * bytecode/PropertyCondition.h:
2412         * bytecode/PutByIdStatus.cpp:
2413         (JSC::PutByIdStatus::finalize):
2414         * bytecode/PutByIdStatus.h:
2415         * bytecode/PutByIdVariant.cpp:
2416         (JSC::PutByIdVariant::finalize):
2417         * bytecode/PutByIdVariant.h:
2418         * bytecode/RecordedStatuses.cpp:
2419         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2420         (JSC::RecordedStatuses::finalize):
2421         * bytecode/RecordedStatuses.h:
2422         * bytecode/StructureSet.cpp:
2423         (JSC::StructureSet::isStillAlive const):
2424         * bytecode/StructureSet.h:
2425         * bytecode/StructureStubInfo.cpp:
2426         (JSC::StructureStubInfo::visitWeakReferences):
2427         * dfg/DFGPlan.cpp:
2428         (JSC::DFG::Plan::finalizeInGC):
2429         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2430         * heap/GCIncomingRefCounted.h:
2431         * heap/GCIncomingRefCountedInlines.h:
2432         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2433         * heap/GCIncomingRefCountedSet.h:
2434         * heap/GCIncomingRefCountedSetInlines.h:
2435         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2436         (JSC::GCIncomingRefCountedSet<T>::sweep):
2437         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2438         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2439         * heap/Heap.cpp:
2440         (JSC::Heap::addToRememberedSet):
2441         (JSC::Heap::runEndPhase):
2442         (JSC::Heap::sweepArrayBuffers):
2443         (JSC::Heap::addCoreConstraints):
2444         * heap/Heap.h:
2445         * heap/HeapInlines.h:
2446         (JSC::Heap::isMarked):
2447         * heap/HeapSnapshotBuilder.cpp:
2448         (JSC::HeapSnapshotBuilder::appendNode):
2449         * heap/SlotVisitor.cpp:
2450         (JSC::SlotVisitor::appendToMarkStack):
2451         (JSC::SlotVisitor::visitChildren):
2452         * jit/PolymorphicCallStubRoutine.cpp:
2453         (JSC::PolymorphicCallStubRoutine::visitWeak):
2454         * runtime/ErrorInstance.cpp:
2455         (JSC::ErrorInstance::finalizeUnconditionally):
2456         * runtime/InferredValueInlines.h:
2457         (JSC::InferredValue::finalizeUnconditionally):
2458         * runtime/StackFrame.h:
2459         (JSC::StackFrame::isMarked const):
2460         * runtime/Structure.cpp:
2461         (JSC::Structure::isCheapDuringGC):
2462         (JSC::Structure::markIfCheap):
2463         * runtime/Structure.h:
2464         * runtime/TypeProfiler.cpp:
2465         (JSC::TypeProfiler::invalidateTypeSetCache):
2466         * runtime/TypeProfiler.h:
2467         * runtime/TypeSet.cpp:
2468         (JSC::TypeSet::invalidateCache):
2469         * runtime/TypeSet.h:
2470         * runtime/WeakMapImpl.cpp:
2471         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2472         * runtime/WeakMapImplInlines.h:
2473         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2474
2475 2019-03-25  Keith Miller  <keith_miller@apple.com>
2476
2477         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2478         https://bugs.webkit.org/show_bug.cgi?id=196176
2479
2480         Reviewed by Saam Barati.
2481
2482         convertToCompareEqPtr should allow for either CompareStrictEq or
2483         the SameValue DFG node. This fixes the old assertion that only
2484         allowed CompareStrictEq.
2485
2486         * dfg/DFGNode.h:
2487         (JSC::DFG::Node::convertToCompareEqPtr):
2488
2489 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2490
2491         WebAssembly: f32.max with NaN generates incorrect result
2492         https://bugs.webkit.org/show_bug.cgi?id=175691
2493         <rdar://problem/33952228>
2494
2495         Reviewed by Saam Barati.
2496
2497         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2498         case, we need an extra GreaterThan comparison on top of the existing
2499         Equal and LessThan ones.
2500
2501         * wasm/WasmAirIRGenerator.cpp:
2502         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2503         * wasm/wasm.json:
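
The selection logic behind this fix, and its generalization to f32.min, f64.min and f64.max in the 2019-03-26 entry for bug 196217 further up this log, as an added JavaScript reference model rather than JSC, B3 or Air code: with only Equal and LessThan, a NaN in the second operand falls through to the first operand, so f32.max(1, NaN) yields 1; the extra GreaterThan select leaves NaN as the only remaining result. The function names are mine, the edge cases are constructed, and the use of a bitwise AND (max) or OR (min) in the Equal case to resolve the sign of zero is my assumption, which neither entry spells out. The f64 variants are identical with Float64Array and BigUint64Array in place of the 32-bit views. JavaScript's Math.max and Math.min already have the NaN-propagating, signed-zero-aware semantics that the wasm operators require, so they serve as the oracle.

```javascript
// Added example, not JavaScriptCore code: a reference model of the Equal / LessThan /
// GreaterThan selection described for wasm f32.max and f32.min, in JavaScript.
const f32 = new Float32Array(1);
const u32 = new Uint32Array(f32.buffer);

// Raw IEEE-754 single-precision bits; only used to resolve the sign of zero.
function bitsOf(x) { f32[0] = x; return u32[0]; }
function fromBits(b) { u32[0] = b; return f32[0]; }

// Pre-fix shape: Equal, then LessThan, and everything else falls through to `a`.
// If `b` is NaN neither comparison holds, so the result is `a` instead of NaN.
function f32MaxBuggy(a, b) {
  a = Math.fround(a); b = Math.fround(b);
  if (a === b) return fromBits(bitsOf(a) & bitsOf(b)); // assumption: AND turns max(-0, +0) into +0
  return a < b ? b : a;
}

// Fixed shape: an extra GreaterThan select leaves NaN as the only remaining outcome.
function f32Max(a, b) {
  a = Math.fround(a); b = Math.fround(b);
  if (a === b) return fromBits(bitsOf(a) & bitsOf(b)); // assumption: AND turns max(-0, +0) into +0
  if (a < b) return b;
  if (a > b) return a;
  return NaN; // at least one operand is NaN
}

function f32Min(a, b) {
  a = Math.fround(a); b = Math.fround(b);
  if (a === b) return fromBits(bitsOf(a) | bitsOf(b)); // assumption: OR turns min(-0, +0) into -0
  if (a < b) return a;
  if (a > b) return b;
  return NaN; // at least one operand is NaN
}

// Constructed edge cases: signed zeros, NaN in either position, infinities, ordinary values.
const CASES = [[-0, 0], [0, -0], [-0, -0], [1, NaN], [NaN, 1], [NaN, NaN],
               [-1, 1], [3, 2], [Infinity, -Infinity], [-Infinity, 0.5]];

// Math.max / Math.min propagate NaN and order -0 below +0, the semantics the wasm fmax /
// fmin operators require, so they act as the oracle. Returns one line per disagreement.
function disagreements(fn, oracle) {
  return CASES
    .filter(([a, b]) => !Object.is(fn(a, b), oracle(a, b)))
    .map(([a, b]) => `${fn.name}(${a}, ${b}) = ${fn(a, b)}, expected ${oracle(a, b)}`);
}
```

Running `disagreements(f32MaxBuggy, Math.max)` reports exactly the `f32MaxBuggy(1, NaN) = 1` case; `f32MaxBuggy(NaN, 1)` happens to return NaN only because the NaN sits in the fall-through operand, which is why a test that puts NaN in the first position alone would not have caught the bug.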
2504
2505 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2506
2507         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2508         https://bugs.webkit.org/show_bug.cgi?id=195982
2509
2510         * jit/ExecutableAllocator.h:
2511         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2512
2513 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2514
2515         Remove NavigatorContentUtils in WebCore/Modules
2516         https://bugs.webkit.org/show_bug.cgi?id=196070
2517
2518         Reviewed by Alex Christensen.
2519
2520         NavigatorContentUtils was added to support the custom scheme spec [1].
2521         However, on the WebKit side, no port has supported the feature in the
2522         WebKit layer since the EFL port was removed. So only the IDL
2523         implementation of NavigatorContentUtils has remained in WebCore,
2524         and we don't need to keep the implementation in WebCore anymore.
2525
2526         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2527
2528         * Configurations/FeatureDefines.xcconfig:
2529
2530 2019-03-23  Mark Lam  <mark.lam@apple.com>
2531
2532         Rolling out r243032 and r243071 because the fix is incorrect.
2533         https://bugs.webkit.org/show_bug.cgi?id=195892
2534         <rdar://problem/48981239>
2535
2536         Not reviewed.
2537
2538         The fix is incorrect: it relies on being able to determine liveness of an object
2539         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2540         However, there's no guarantee that GC has run and that the MarkedBit is already
2541         set even if the object is live.  As a result, we may not re-install adaptive
2542         watchpoints based on presumed dead objects which are actually live.
2543
2544         I'm rolling this out, and will implement a more comprehensive fix to handle
2545         watchpoint liveness later.
2546
2547         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2548         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2549         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2550         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2551         * bytecode/ObjectPropertyCondition.cpp:
2552         (JSC::ObjectPropertyCondition::dumpInContext const):
2553         * bytecode/StructureStubClearingWatchpoint.cpp:
2554         (JSC::StructureStubClearingWatchpoint::fireInternal):
2555         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2556         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2557         * runtime/StructureRareData.cpp:
2558         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2559
2560 2019-03-23  Keith Miller  <keith_miller@apple.com>
2561
2562         Refactor clz/ctz and fix getLSBSet.
2563         https://bugs.webkit.org/show_bug.cgi?id=196162
2564
2565         Reviewed by Saam Barati.
2566
2567         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2568         respectively.
2569
2570         * dfg/DFGAbstractInterpreterInlines.h:
2571         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2572         * dfg/DFGOperations.cpp:
2573         * runtime/JSBigInt.cpp:
2574         (JSC::JSBigInt::digitDiv):
2575         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2576         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2577         (JSC::JSBigInt::toStringBasePowerOfTwo):
2578         (JSC::JSBigInt::compareToDouble):
2579         * runtime/MathObject.cpp:
2580         (JSC::mathProtoFuncClz32):
2581
2582 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2583
2584         [JSC] Shrink sizeof(RegExp)
2585         https://bugs.webkit.org/show_bug.cgi?id=196133
2586
2587         Reviewed by Mark Lam.
2588
2589         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2590         This patch reduces the size from 144B to 48B by:
2591
2592         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
2593         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when RegExp has named capture groups.
2594
2595         * runtime/RegExp.cpp:
2596         (JSC::RegExp::finishCreation):
2597         (JSC::RegExp::estimatedSize):
2598         (JSC::RegExp::compile):
2599         (JSC::RegExp::matchConcurrently):
2600         (JSC::RegExp::compileMatchOnly):
2601         (JSC::RegExp::deleteCode):
2602         (JSC::RegExp::printTraceData):
2603         * runtime/RegExp.h:
2604         * runtime/RegExpInlines.h:
2605         (JSC::RegExp::hasCodeFor):
2606         (JSC::RegExp::matchInline):
2607         (JSC::RegExp::hasMatchOnlyCodeFor):
2608
2609 2019-03-22  Keith Rollin  <krollin@apple.com>
2610
2611         Enable ThinLTO support in Production builds
2612         https://bugs.webkit.org/show_bug.cgi?id=190758
2613         <rdar://problem/45413233>
2614
2615         Reviewed by Daniel Bates.
2616
2617         Tweak JavaScriptCore's Base.xcconfig to be more in line with other
2618         .xcconfig files with regard to LTO settings. However, don't actually
2619         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2620         due to <rdar://problem/24543547>.
2621
2622         * Configurations/Base.xcconfig:
2623
2624 2019-03-22  Mark Lam  <mark.lam@apple.com>
2625
2626         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2627         https://bugs.webkit.org/show_bug.cgi?id=196154
2628         <rdar://problem/49145307>
2629
2630         Reviewed by Filip Pizlo.
2631
2632         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2633         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2634
2635 2019-03-22  Mark Lam  <mark.lam@apple.com>
2636
2637         Placate exception check validation in constructJSWebAssemblyLinkError().
2638         https://bugs.webkit.org/show_bug.cgi?id=196152
2639         <rdar://problem/49145257>
2640
2641         Reviewed by Michael Saboff.
2642
2643         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2644         (JSC::constructJSWebAssemblyLinkError):
2645
2646 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2647
2648         Change macosx() to macos() in WK_API... and JSC_API... macros.
2649         https://bugs.webkit.org/show_bug.cgi?id=196106
2650
2651         Reviewed by Brian Burg.
2652
2653         * API/JSBasePrivate.h:
2654         * API/JSContext.h:
2655         * API/JSContextPrivate.h:
2656         * API/JSContextRef.h:
2657         * API/JSContextRefInternal.h:
2658         * API/JSContextRefPrivate.h:
2659         * API/JSManagedValue.h:
2660         * API/JSObjectRef.h:
2661         * API/JSObjectRefPrivate.h:
2662         * API/JSRemoteInspector.h:
2663         * API/JSScript.h:
2664         * API/JSTypedArray.h:
2665         * API/JSValue.h:
2666         * API/JSValuePrivate.h:
2667         * API/JSValueRef.h:
2668         * API/JSVirtualMachinePrivate.h:
2669
2670 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2671
2672         Unreviewed, build fix for Windows
2673         https://bugs.webkit.org/show_bug.cgi?id=196122
2674
2675         * runtime/FunctionExecutable.cpp:
2676
2677 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2678
2679         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2680         https://bugs.webkit.org/show_bug.cgi?id=196122
2681
2682         Reviewed by Saam Barati.
2683
2684         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2685
2686         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2687         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold them.
2688            This patch adds GlobalExecutable, the class for non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2689         3. FunctionExecutable still needs to have the feature of overriding m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2690
2691         * CMakeLists.txt:
2692         * JavaScriptCore.xcodeproj/project.pbxproj:
2693         * Sources.txt:
2694         * bytecode/UnlinkedFunctionExecutable.cpp:
2695         (JSC::UnlinkedFunctionExecutable::link):
2696         * runtime/EvalExecutable.cpp:
2697         (JSC::EvalExecutable::EvalExecutable):
2698         * runtime/EvalExecutable.h:
2699         * runtime/FunctionExecutable.cpp:
2700         (JSC::FunctionExecutable::FunctionExecutable):
2701         (JSC::FunctionExecutable::ensureRareDataSlow):
2702         (JSC::FunctionExecutable::overrideInfo):
2703         * runtime/FunctionExecutable.h:
2704         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2705         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2706         (JSC::GlobalExecutable::lastLine const):
2707         (JSC::GlobalExecutable::endColumn const):
2708         (JSC::GlobalExecutable::recordParse):
2709         (JSC::GlobalExecutable::GlobalExecutable):
2710         * runtime/ModuleProgramExecutable.cpp:
2711         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2712         * runtime/ModuleProgramExecutable.h:
2713         * runtime/ProgramExecutable.cpp:
2714         (JSC::ProgramExecutable::ProgramExecutable):
2715         * runtime/ProgramExecutable.h:
2716         * runtime/ScriptExecutable.cpp:
2717         (JSC::ScriptExecutable::clearCode):
2718         (JSC::ScriptExecutable::installCode):
2719         (JSC::ScriptExecutable::hasClearableCode const):
2720         (JSC::ScriptExecutable::newCodeBlockFor):
2721         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2722         (JSC::ScriptExecutable::recordParse):
2723         (JSC::ScriptExecutable::lastLine const):
2724         (JSC::ScriptExecutable::endColumn const):
2725         * runtime/ScriptExecutable.h:
2726         (JSC::ScriptExecutable::hasJITCodeForCall const):
2727         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2728         (JSC::ScriptExecutable::recordParse):
2729         (JSC::ScriptExecutable::lastLine const): Deleted.
2730         (JSC::ScriptExecutable::endColumn const): Deleted.
2731         * tools/FunctionOverrides.h:
2732
2733 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2734
2735         [JSC] Shrink sizeof(RegExpObject)
2736         https://bugs.webkit.org/show_bug.cgi?id=196130
2737
2738         Reviewed by Saam Barati.
2739
2740         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the low bit of the RegExp* field so that we can make RegExpObject 32B.
2741         It saves 1.3% of memory footprint in RAMification's regexp.
2742
2743         * dfg/DFGSpeculativeJIT.cpp:
2744         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2745         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2746         * ftl/FTLAbstractHeapRepository.h:
2747         * ftl/FTLLowerDFGToB3.cpp:
2748         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2749         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2750         * runtime/RegExpObject.cpp:
2751         (JSC::RegExpObject::RegExpObject):
2752         (JSC::RegExpObject::visitChildren):
2753         (JSC::RegExpObject::getOwnPropertySlot):
2754         (JSC::RegExpObject::defineOwnProperty):
2755         * runtime/RegExpObject.h:
2756
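The low-bit packing described in the entry above, as an added illustration that is not JSC's code: a constructed RegExp stand-in, a tagged-word wrapper that stores the pointer and the bool flag together, and a size comparison against the layout with a separate bool. All names here are assumptions; the point to keep in view is that every consumer of the field (the GC's visitChildren, the DFG/FTL fast paths touched by the patch) must mask the tag off before treating the word as a pointer, and that the scheme is only safe because the pointee's alignment guarantees the bit is free.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Hypothetical stand-in for the RegExp cell; only its alignment matters here.
struct alignas(8) RegExp {
    const char* pattern;
};

// The low bit of an 8-byte-aligned pointer is always clear, so it can carry the flag.
constexpr uintptr_t kFlagMask = 1;

// Stores a RegExp* and one bool flag in a single machine word (constructed example).
class TaggedRegExpPtr {
public:
    TaggedRegExpPtr(RegExp* regExp, bool flag) { set(regExp, flag); }

    void set(RegExp* regExp, bool flag)
    {
        uintptr_t bits = reinterpret_cast<uintptr_t>(regExp);
        // Tagging an unaligned pointer would silently corrupt it, so refuse loudly.
        assert(!(bits & kFlagMask) && "RegExp* must be at least 2-byte aligned");
        m_bits = bits | (flag ? kFlagMask : 0);
    }

    // Every read of the pointer strips the tag first; a GC visitor or JIT fast path
    // that loads this field directly must apply the same mask.
    RegExp* regExp() const { return reinterpret_cast<RegExp*>(m_bits & ~kFlagMask); }
    bool flag() const { return (m_bits & kFlagMask) != 0; }
    void setFlag(bool flag) { m_bits = (m_bits & ~kFlagMask) | (flag ? kFlagMask : 0); }

private:
    uintptr_t m_bits;
};

// Two layouts of the same information: the separate bool costs a whole word of padding.
struct WithSeparateFlag { RegExp* regExp; bool flag; };
struct WithTaggedFlag { TaggedRegExpPtr tagged; };

size_t sizeWithSeparateFlag() { return sizeof(WithSeparateFlag); }
size_t sizeWithTaggedFlag() { return sizeof(WithTaggedFlag); }

// Round-trips a pointer and flag through the tagged word, then flips the flag and
// checks the pointer is untouched; true only if both survive intact.
bool roundTrip(RegExp* regExp, bool flag)
{
    TaggedRegExpPtr tagged(regExp, flag);
    bool ok = tagged.regExp() == regExp && tagged.flag() == flag;
    tagged.setFlag(!flag);
    return ok && tagged.regExp() == regExp && tagged.flag() != flag;
}
```

The alignment assert is the check worth carrying into real code: if a RegExp were ever allocated with weaker alignment, the tag would overwrite a real address bit and the masked read would return a pointer into the wrong object.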
2757 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2758
2759         [JSC] Fix build after r243232 on unsupported 64bit architectures
2760         https://bugs.webkit.org/show_bug.cgi?id=196072
2761
2762         Reviewed by Keith Miller.
2763
2764         As Keith suggested, we already expect 16 free bits at the top of any
2765         pointer for JSValue even for the unsupported 64-bit arches.
2766
2767         * bytecode/CodeOrigin.h:
2768
2769 2019-03-21  Mark Lam  <mark.lam@apple.com>
2770
2771         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2772         https://bugs.webkit.org/show_bug.cgi?id=196116
2773         <rdar://problem/48976951>
2774
2775         Reviewed by Filip Pizlo.
2776
2777         The DFG backend should not make assumptions about what optimizations the front end
2778         will or will not do.  The assertion asserts that the operand cannot be known to be
2779         a cell.  However, it is not guaranteed that the front end will fold away this case.
2780         Also, the DFG backend is perfectly capable of generating code to handle the case
2781         where the operand is a cell.
2782
2783         The attached test case demonstrates a case where the operand can be a known cell.
2784         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2785         trip up this assertion about once every 10 runs or so.
2786
2787         * dfg/DFGSpeculativeJIT64.cpp:
2788         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2789
2790 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2791
2792         JSC::createError should clear exception thrown by errorDescriptionForValue
2793         https://bugs.webkit.org/show_bug.cgi?id=196089
2794
2795         Reviewed by Mark Lam.
2796
2797         errorDescriptionForValue returns a nullString in case of failure, but it
2798         might also throw an OOM exception when resolving a rope string. We need
2799         to clear any potential exceptions thrown by errorDescriptionForValue
2800         before returning the OOM from JSC::createError.
2801
2802         * runtime/ExceptionHelpers.cpp:
2803         (JSC::createError):
2804
2805 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2806
2807         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2808         https://bugs.webkit.org/show_bug.cgi?id=196014
2809
2810         Reviewed by Keith Miller.
2811
2812         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2813         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2814         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2815
2816         * b3/B3Opcode.h:
2817
2818 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2819
2820         Unreviewed, more clang 3.8 build fixes
2821         https://bugs.webkit.org/show_bug.cgi?id=195947
2822         <rdar://problem/49069219>
2823
2824         In the spirit of making our code worse to please old compilers....
2825
2826         * bindings/ScriptValue.cpp:
2827         (Inspector::jsToInspectorValue):
2828         * bytecode/GetterSetterAccessCase.cpp:
2829         (JSC::GetterSetterAccessCase::create):
2830         (JSC::GetterSetterAccessCase::clone const):
2831         * bytecode/InstanceOfAccessCase.cpp:
2832         (JSC::InstanceOfAccessCase::clone const):
2833         * bytecode/IntrinsicGetterAccessCase.cpp:
2834         (JSC::IntrinsicGetterAccessCase::clone const):
2835         * bytecode/ModuleNamespaceAccessCase.cpp:
2836         (JSC::ModuleNamespaceAccessCase::clone const):
2837         * bytecode/ProxyableAccessCase.cpp:
2838         (JSC::ProxyableAccessCase::clone const):
2839
2840 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2841
2842         [JSC] Do not create JIT related data under non-JIT mode
2843         https://bugs.webkit.org/show_bug.cgi?id=195982
2844
2845         Reviewed by Mark Lam.
2846
2847         We avoid creating JIT-related data structures under non-JIT mode.
2848         This patch removes the following allocations.
2849
2850         1. JITThunks
2851         2. FTLThunks
2852         3. FixedVMPoolExecutableAllocator
2853         4. noJITValueProfileSingleton, since it is no longer used
2854         5. ARM disassembler should be initialized when it is used
2855         6. Wasm related data structures are accidentally allocated if VM::canUseJIT() == false &&
2856            Options::useWebAssembly() == true. Add a Wasm::isSupported() function to check both conditions.
2857
2858         * CMakeLists.txt:
2859         * JavaScriptCore.xcodeproj/project.pbxproj:
2860         * heap/Heap.cpp:
2861         (JSC::Heap::runEndPhase):
2862         * jit/ExecutableAllocator.cpp:
2863         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
2864         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2865         (JSC::ExecutableAllocator::isValid const):
2866         (JSC::ExecutableAllocator::underMemoryPressure):
2867         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2868         (JSC::ExecutableAllocator::allocate):
2869         (JSC::ExecutableAllocator::isValidExecutableMemory):
2870         (JSC::ExecutableAllocator::getLock const):
2871         (JSC::ExecutableAllocator::committedByteCount):
2872         (JSC::ExecutableAllocator::dumpProfile):
2873         (JSC::startOfFixedExecutableMemoryPoolImpl):
2874         (JSC::endOfFixedExecutableMemoryPoolImpl):
2875         (JSC::ExecutableAllocator::initialize):
2876         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2877         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2878         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2879         * jit/ExecutableAllocator.h:
2880         (JSC::ExecutableAllocatorBase::isValid const):
2881         (JSC::ExecutableAllocatorBase::underMemoryPressure):
2882         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
2883         (JSC::ExecutableAllocatorBase::dumpProfile):
2884         (JSC::ExecutableAllocatorBase::allocate):
2885         (JSC::ExecutableAllocatorBase::setJITEnabled):
2886         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
2887         (JSC::ExecutableAllocatorBase::committedByteCount):
2888         (JSC::ExecutableAllocatorBase::getLock const):
2889         (JSC::ExecutableAllocator::isValid const): Deleted.
2890         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2891         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2892         (JSC::ExecutableAllocator::allocate): Deleted.
2893         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
2894         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
2895         (JSC::ExecutableAllocator::committedByteCount): Deleted.
2896         (JSC::ExecutableAllocator::getLock const): Deleted.
2897         * jsc.cpp:
2898         (functionWebAssemblyMemoryMode):
2899         * runtime/InitializeThreading.cpp:
2900         (JSC::initializeThreading):
2901         * runtime/JSGlobalObject.cpp:
2902         (JSC::JSGlobalObject::init):
2903         * runtime/JSLock.cpp:
2904         (JSC::JSLock::didAcquireLock):
2905         * runtime/Options.cpp:
2906         (JSC::recomputeDependentOptions):
2907         * runtime/VM.cpp:
2908         (JSC::enableAssembler):
2909         (JSC::VM::canUseAssembler):
2910         (JSC::VM::VM):
2911         * runtime/VM.h:
2912         * wasm/WasmCapabilities.h: Added.
2913         (JSC::Wasm::isSupported):
2914         * wasm/WasmFaultSignalHandler.cpp:
2915         (JSC::Wasm::enableFastMemory):
2916
2917 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2918
2919         [JSC] Fix JSC build with newer ICU
2920         https://bugs.webkit.org/show_bug.cgi?id=196098
2921
2922         Reviewed by Keith Miller.
2923
2924         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
2925         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back to the
2926         "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement anyway after the
2927         switch statement. This patch just suppresses a compile error.
2928
2929         * runtime/IntlDateTimeFormat.cpp:
2930         (JSC::IntlDateTimeFormat::partTypeString):
2931         * runtime/IntlNumberFormat.cpp:
2932         (JSC::IntlNumberFormat::partTypeString):
2933
2934 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2935
2936         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
2937         https://bugs.webkit.org/show_bug.cgi?id=196078
2938         <rdar://problem/35925380>
2939
2940         Reviewed by Mark Lam.
2941
2942         Unlike the other variations of putByIndex, it only checked if the index
2943         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
2944         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
2945         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
2946         from JSON.
2947
2948         * runtime/JSObject.cpp:
2949         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2950
2951 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2952
2953         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
2954         https://bugs.webkit.org/show_bug.cgi?id=196079
2955
2956         Reviewed by Saam Barati.
2957
2958         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
2959
2960         * runtime/CachedTypes.cpp:
2961         (JSC::CachedUnlinkedSourceCodeShape::encode):
2962
2963 2019-03-21  Mark Lam  <mark.lam@apple.com>
2964
2965         Placate exception check validation in operationArrayIndexOfString().
2966         https://bugs.webkit.org/show_bug.cgi?id=196067
2967         <rdar://problem/49056572>
2968
2969         Reviewed by Michael Saboff.
2970
2971         * dfg/DFGOperations.cpp:
2972
2973 2019-03-21  Xan Lopez  <xan@igalia.com>
2974
2975         [JSC][x86] Drop support for x87 floating point
2976         https://bugs.webkit.org/show_bug.cgi?id=194853
2977
2978         Reviewed by Don Olmstead.
2979
2980         Require SSE2 throughout the codebase, and remove x87 support where
2981         it was optionally available. SSE2 detection happens at compile
2982         time through a static_assert.
2983
2984         * assembler/MacroAssemblerX86.h:
2985         (JSC::MacroAssemblerX86::storeDouble):
2986         (JSC::MacroAssemblerX86::moveDoubleToInts):
2987         (JSC::MacroAssemblerX86::supportsFloatingPoint):
2988         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
2989         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
2990         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
2991         * assembler/MacroAssemblerX86Common.cpp:
2992         * assembler/MacroAssemblerX86Common.h:
2993         (JSC::MacroAssemblerX86Common::moveDouble):
2994         (JSC::MacroAssemblerX86Common::loadDouble):
2995         (JSC::MacroAssemblerX86Common::loadFloat):
2996         (JSC::MacroAssemblerX86Common::storeDouble):
2997         (JSC::MacroAssemblerX86Common::storeFloat):
2998         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
2999         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
3000         (JSC::MacroAssemblerX86Common::addDouble):
3001         (JSC::MacroAssemblerX86Common::addFloat):
3002         (JSC::MacroAssemblerX86Common::divDouble):
3003         (JSC::MacroAssemblerX86Common::divFloat):
3004         (JSC::MacroAssemblerX86Common::subDouble):
3005         (JSC::MacroAssemblerX86Common::subFloat):
3006         (JSC::MacroAssemblerX86Common::mulDouble):
3007         (JSC::MacroAssemblerX86Common::mulFloat):
3008         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3009         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
3010         (JSC::MacroAssemblerX86Common::branchDouble):
3011         (JSC::MacroAssemblerX86Common::branchFloat):
3012         (JSC::MacroAssemblerX86Common::compareDouble):
3013         (JSC::MacroAssemblerX86Common::compareFloat):
3014         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
3015         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
3016         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
3017         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
3018         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
3019         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
3020         (JSC::MacroAssemblerX86Common::lshiftPacked):
3021         (JSC::MacroAssemblerX86Common::rshiftPacked):
3022         (JSC::MacroAssemblerX86Common::orPacked):
3023         (JSC::MacroAssemblerX86Common::move32ToFloat):
3024         (JSC::MacroAssemblerX86Common::moveFloatTo32):
3025         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
3026         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
3027         * offlineasm/x86.rb:
3028         * runtime/MathCommon.cpp:
3029         (JSC::operationMathPow):
3030
3031 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3032
3033         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
3034         https://bugs.webkit.org/show_bug.cgi?id=196073
3035
3036         Reviewed by Michael Catanzaro.
3037
3038         This is because GClosure always expects the first parameter to be the instance. In the case of functions or constructors with
3039         no parameters we insert a fake instance, which is just a null pointer that is ignored by the callback. But
3040         if the function/constructor has user data, the callback will expect one parameter for the user data. In that case
3041         we can simply swap instance/user data so that the fake instance will be the second argument and the user data the
3042         first one.
3043
3044         * API/glib/JSCClass.cpp:
3045         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
3046         * API/glib/JSCValue.cpp:
3047         (jscValueFunctionCreate): Ditto.
3048
3049 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
3050
3051         [JSC][32-bit] Build failure after r243232
3052         https://bugs.webkit.org/show_bug.cgi?id=196068
3053
3054         Reviewed by Mark Lam.
3055
3056         * dfg/DFGOSRExit.cpp:
3057         (JSC::DFG::reifyInlinedCallFrames):
3058         * dfg/DFGOSRExitCompilerCommon.cpp:
3059         (JSC::DFG::reifyInlinedCallFrames):
3060
3061 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3062
3063         [GLib] Returning G_TYPE_OBJECT from a method does not work
3064         https://bugs.webkit.org/show_bug.cgi?id=195574
3065
3066         Reviewed by Michael Catanzaro.
3067
3068         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
3069
3070         * API/glib/JSCCallbackFunction.cpp:
3071         (JSC::JSCCallbackFunction::construct): Also allow to return boxed types from a constructor.
3072         * API/glib/JSCClass.cpp:
3073         * API/glib/JSCValue.cpp:
3074
3075 2019-03-21  Mark Lam  <mark.lam@apple.com>
3076
3077         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3078         https://bugs.webkit.org/show_bug.cgi?id=196055
3079         <rdar://problem/49067448>
3080
3081         Reviewed by Yusuke Suzuki.
3082
3083         We are doing this because:
3084         1. We expect the array to be densely packed.
3085         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
3086            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
3087            if we don't want to use an ArrayStorage shape.
3088         3. There's no reason why an array with spread needs to be that large anyway.
3089            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
3090
3091         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
3092         emitAllocateButterfly() to check for overflows.
3093
3094         * assembler/AbortReason.h:
3095         * dfg/DFGOperations.cpp:
3096         * dfg/DFGSpeculativeJIT.cpp:
3097         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3098         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3099         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3100         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3101         * ftl/FTLLowerDFGToB3.cpp:
3102         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3103         * runtime/ArrayConventions.h:
3104         * runtime/CommonSlowPaths.cpp:
3105         (JSC::SLOW_PATH_DECL):
3106
3107 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3108
3109         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
3110         https://bugs.webkit.org/show_bug.cgi?id=195992
3111
3112         Reviewed by Keith Miller and Mark Lam.
3113
3114         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors while not inheriting from JSDestructibleObject.
3115         But it is too costly since (1) it requires a CompleteSubspace in VM, (2) both objects allocate MarkedBlocks while the number of them is really small.
3116
3117         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
3118         memory / performance problems (actually, previously we used a finalizer for ArrayPrototype for the same reason, and it did not show any problems).
3119
3120         And we also add the following two changes to JSSegmentedVariableObject.
3121
3122         1. Remove one boolean used for debugging in Release builds. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
3123         2. Use cellLock() instead.
3124
3125         * CMakeLists.txt:
3126         * JavaScriptCore.xcodeproj/project.pbxproj:
3127         * Sources.txt:
3128         * runtime/JSSegmentedVariableObject.cpp:
3129         (JSC::JSSegmentedVariableObject::findVariableIndex):
3130         (JSC::JSSegmentedVariableObject::addVariables):
3131         (JSC::JSSegmentedVariableObject::visitChildren):
3132         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3133         (JSC::JSSegmentedVariableObject::finishCreation):
3134         * runtime/JSSegmentedVariableObject.h:
3135         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3136         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3137         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3138         * runtime/StringIteratorPrototype.cpp:
3139         * runtime/VM.cpp:
3140         (JSC::VM::VM):
3141         * runtime/VM.h:
3142
3143 2019-03-20  Saam Barati  <sbarati@apple.com>
3144
3145         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3146         https://bugs.webkit.org/show_bug.cgi?id=195721
3147
3148         Reviewed by Filip Pizlo.
3149
3150         There was a check in AbstractValue::validateOSREntry where it checked
3151         if isHeapTop(), and if so, just returned true. However, this is wrong
3152         if the value we're checking against is the empty value, since HeapTop
3153         does not include the Empty value. Instead, this check should be
3154         isBytecodeTop(), which does account for the empty value.
3155         
3156         This patch also does a couple of other things:
3157         - For our OSR entry AbstractValues, we were using HeapTop to mark
3158          a dead value. That is now changed to BytecodeTop. (The idea here
3159          is just to have validateOSREntry return early.)
3160         - It wasn't obvious to me how I could make this fail in JS code.
3161          The symptom we'd end up seeing is something like a nullptr dereference
3162          from forgetting to do a TDZ check. Instead, I've added a unit test.
3163          This unit test lives in a new test file: testdfg. testdfg is similar
3164          to testb3/testair/testapi.
3165
3166         * JavaScriptCore.xcodeproj/project.pbxproj:
3167         * bytecode/SpeculatedType.h:
3168         * dfg/DFGAbstractValue.h:
3169         (JSC::DFG::AbstractValue::isBytecodeTop const):
3170         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3171         * dfg/testdfg.cpp: Added.
3172         (hiddenTruthBecauseNoReturnIsStupid):
3173         (usage):
3174         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3175         (JSC::DFG::run):
3176         (run):
3177         (main):
3178         * shell/CMakeLists.txt:
3179
3180 2019-03-20  Saam Barati  <sbarati@apple.com>
3181
3182         typeOfDoubleSum is wrong for when NaN can be produced
3183         https://bugs.webkit.org/show_bug.cgi?id=196030
3184
3185         Reviewed by Filip Pizlo.
3186
3187         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3188         It assumed that the only way the resulting type could be NaN is if one of
3189         the inputs were NaN. However, this is wrong. NaN can be produced in at least
3190         these cases:
3191           Infinity - Infinity
3192           Infinity + (-Infinity)
3193           Infinity * 0
3194
3195         * bytecode/SpeculatedType.cpp:
3196         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3197         (JSC::typeOfDoubleSum):
3198         (JSC::typeOfDoubleDifference):
3199         (JSC::typeOfDoubleProduct):
3200
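The three NaN-producing cases listed above, as an added example that is not JSC's code: a constructed two-bit miniature of the SpeculatedType lattice (SpecDoubleReal for any non-NaN double, infinities included, and SpecDoubleNaN), the flawed rule the entry describes beside the corrected one, and a soundness check that evaluates each operation on concrete doubles and verifies that the predicted type admits the real result. The name typeOfDoubleSumOrDifferenceOrProduct is borrowed from the entry's file list; every other name and the two-bit layout are assumptions made for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed miniature of a SpeculatedType bit set for doubles. The real lattice
// is much richer; two bits are enough to show the reasoning in the entry.
typedef uint32_t SpecType;
constexpr SpecType SpecDoubleReal = 1u << 0; // any non-NaN double, +/-Infinity included
constexpr SpecType SpecDoubleNaN = 1u << 1;

enum class Op { Add, Sub, Mul };

// The flawed rule the entry describes: the result can only be NaN if an input can be.
SpecType typeOfDoubleSumNaive(SpecType a, SpecType b)
{
    SpecType result = 0;
    if ((a | b) & SpecDoubleReal)
        result |= SpecDoubleReal;
    if ((a | b) & SpecDoubleNaN)
        result |= SpecDoubleNaN;
    return result;
}

// Corrected rule (constructed after the entry's description, not JSC's implementation):
// SpecDoubleReal admits +/-Infinity, and Infinity - Infinity, Infinity + (-Infinity)
// and Infinity * 0 are all NaN, so two "real" inputs can still produce NaN.
SpecType typeOfDoubleSumOrDifferenceOrProduct(SpecType a, SpecType b)
{
    SpecType result = typeOfDoubleSumNaive(a, b);
    if (result & SpecDoubleReal)
        result |= SpecDoubleNaN;
    return result;
}

// Maps a concrete double to the lattice bit it belongs to.
SpecType speculationFromValue(double v)
{
    return std::isnan(v) ? SpecDoubleNaN : SpecDoubleReal;
}

double apply(Op op, double a, double b)
{
    switch (op) {
    case Op::Add: return a + b;
    case Op::Sub: return a - b;
    case Op::Mul: return a * b;
    }
    return std::numeric_limits<double>::quiet_NaN(); // not reached
}

// Soundness check: the predicted type must admit the value the operation really
// produces. A false result is the mis-speculation the entry fixes: downstream code
// would trust "never NaN" and skip its NaN handling.
bool predictionIsSound(SpecType (*rule)(SpecType, SpecType), Op op, double a, double b)
{
    SpecType predicted = rule(speculationFromValue(a), speculationFromValue(b));
    SpecType actual = speculationFromValue(apply(op, a, b));
    return (predicted & actual) != 0;
}
```

Run over Infinity - Infinity, the naive rule predicts SpecDoubleReal only and the check returns false; the corrected rule includes SpecDoubleNaN and the check returns true. That pair of results is what a regression test for this fix would assert, and it shows why a prediction that is "too precise" is worse than an over-approximation: the extra NaN bit costs a check, the missing one costs correctness.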
3201 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3202
3203         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3204         https://bugs.webkit.org/show_bug.cgi?id=196049
3205
3206         Reviewed by Tim Horton.
3207
3208         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3209         overflow scrolling in general, so rename it.
3210
3211         * Configurations/FeatureDefines.xcconfig:
3212
3213 2019-03-20  Saam Barati  <sbarati@apple.com>
3214
3215         GetCallee does not report the correct type in AI
3216         https://bugs.webkit.org/show_bug.cgi?id=195981
3217
3218         Reviewed by Yusuke Suzuki.
3219
3220         I found this as part of my work in:
3221         https://bugs.webkit.org/show_bug.cgi?id=195924
3222         
3223         I'm not sure how to write a test for it.
3224         
3225         GetCallee was always reporting that the result is SpecFunction. However,
3226         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3227
3228         * dfg/DFGAbstractInterpreterInlines.h:
3229         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3230
3231 2019-03-20  Mark Lam  <mark.lam@apple.com>
3232
3233         Open source arm64e code.
3234         https://bugs.webkit.org/show_bug.cgi?id=196012
3235         <rdar://problem/49066237>
3236
3237         Reviewed by Keith Miller.
3238
3239         * JavaScriptCore.xcodeproj/project.pbxproj:
3240         * Sources.txt:
3241         * assembler/ARM64EAssembler.h: Added.
3242         (JSC::ARM64EAssembler::encodeGroup1):
3243         (JSC::ARM64EAssembler::encodeGroup2):
3244         (JSC::ARM64EAssembler::encodeGroup4):
3245         (JSC::ARM64EAssembler::pacia1716):
3246         (JSC::ARM64EAssembler::pacib1716):
3247         (JSC::ARM64EAssembler::autia1716):
3248         (JSC::ARM64EAssembler::autib1716):
3249         (JSC::ARM64EAssembler::paciaz):
3250         (JSC::ARM64EAssembler::paciasp):
3251         (JSC::ARM64EAssembler::pacibz):
3252         (JSC::ARM64EAssembler::pacibsp):
3253         (JSC::ARM64EAssembler::autiaz):
3254         (JSC::ARM64EAssembler::autiasp):
3255         (JSC::ARM64EAssembler::autibz):
3256         (JSC::ARM64EAssembler::autibsp):
3257         (JSC::ARM64EAssembler::xpaclri):
3258         (JSC::ARM64EAssembler::pacia):
3259         (JSC::ARM64EAssembler::pacib):
3260         (JSC::ARM64EAssembler::pacda):
3261         (JSC::ARM64EAssembler::pacdb):
3262         (JSC::ARM64EAssembler::autia):
3263         (JSC::ARM64EAssembler::autib):
3264         (JSC::ARM64EAssembler::autda):
3265         (JSC::ARM64EAssembler::autdb):
3266         (JSC::ARM64EAssembler::paciza):
3267         (JSC::ARM64EAssembler::pacizb):
3268         (JSC::ARM64EAssembler::pacdza):
3269         (JSC::ARM64EAssembler::pacdzb):
3270         (JSC::ARM64EAssembler::autiza):
3271         (JSC::ARM64EAssembler::autizb):
3272         (JSC::ARM64EAssembler::autdza):
3273         (JSC::ARM64EAssembler::autdzb):
3274         (JSC::ARM64EAssembler::xpaci):
3275         (JSC::ARM64EAssembler::xpacd):
3276         (JSC::ARM64EAssembler::pacga):
3277         (JSC::ARM64EAssembler::braa):
3278         (JSC::ARM64EAssembler::brab):
3279         (JSC::ARM64EAssembler::blraa):
3280         (JSC::ARM64EAssembler::blrab):
3281         (JSC::ARM64EAssembler::braaz):
3282         (JSC::ARM64EAssembler::brabz):
3283         (JSC::ARM64EAssembler::blraaz):
3284         (JSC::ARM64EAssembler::blrabz):
3285         (JSC::ARM64EAssembler::retaa):
3286         (JSC::ARM64EAssembler::retab):
3287         (JSC::ARM64EAssembler::eretaa):
3288         (JSC::ARM64EAssembler::eretab):
3289         (JSC::ARM64EAssembler::linkPointer):
3290         (JSC::ARM64EAssembler::repatchPointer):
3291         (JSC::ARM64EAssembler::setPointer):
3292         (JSC::ARM64EAssembler::readPointer):
3293         (JSC::ARM64EAssembler::readCallTarget):
3294         (JSC::ARM64EAssembler::ret):
3295         * assembler/MacroAssembler.cpp:
3296         * assembler/MacroAssembler.h:
3297         * assembler/MacroAssemblerARM64.cpp:
3298         * assembler/MacroAssemblerARM64E.h: Added.
3299         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3300         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3301         (JSC::MacroAssemblerARM64E::tagPtr):
3302         (JSC::MacroAssemblerARM64E::untagPtr):
3303         (JSC::MacroAssemblerARM64E::removePtrTag):
3304         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3305         (JSC::MacroAssemblerARM64E::call):
3306         (JSC::MacroAssemblerARM64E::callRegister):
3307         (JSC::MacroAssemblerARM64E::jump):
3308         * dfg/DFGOSRExit.cpp:
3309         (JSC::DFG::reifyInlinedCallFrames):
3310         * dfg/DFGOSRExitCompilerCommon.cpp:
3311         (JSC::DFG::reifyInlinedCallFrames):
3312         * ftl/FTLThunks.cpp:
3313         (JSC::FTL::genericGenerationThunkGenerator):
3314         * jit/CCallHelpers.h:
3315         (JSC::CCallHelpers::prepareForTailCallSlow):
3316         * jit/CallFrameShuffler.cpp:
3317         (JSC::CallFrameShuffler::prepareForTailCall):
3318         * jit/ExecutableAllocator.cpp:
3319         (JSC::ExecutableAllocator::allocate):
3320         * jit/ThunkGenerators.cpp:
3321         (JSC::arityFixupGenerator):
3322         * llint/LLIntOfflineAsmConfig.h:
3323         * llint/LowLevelInterpreter.asm:
3324         * llint/LowLevelInterpreter64.asm:
3325         * runtime/ClassInfo.h:
3326         * runtime/InitializeThreading.cpp:
3327         (JSC::initializeThreading):
3328         * runtime/JSCPtrTag.cpp: Added.
3329         (JSC::tagForPtr):
3330         (JSC::ptrTagName):
3331         (JSC::initializePtrTagLookup):
3332         * runtime/JSCPtrTag.h:
3333         (JSC::initializePtrTagLookup):
3334         * runtime/Options.cpp:
3335         (JSC::recomputeDependentOptions):
3336
3337 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3338
3339         JSC::createError needs to check for OOM in errorDescriptionForValue
3340         https://bugs.webkit.org/show_bug.cgi?id=196032
3341         <rdar://problem/46842740>
3342
3343         Reviewed by Mark Lam.
3344
3345         We were missing exceptions checks at two levels:
3346         - In errorDescriptionForValue, when the value is a string, we should