JSTests:
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2
3         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
4         https://bugs.webkit.org/show_bug.cgi?id=185211
5
6         Reviewed by Saam Barati.
7
8         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
9
10         This involves tracking duplicate keys returned from the ownKeys trap in yet
11         another HashTable, and may incur a minor performance penalty in some cases. This
12         is not expected to significantly affect web performance.
13
14         * runtime/ProxyObject.cpp:
15         (JSC::ProxyObject::performGetOwnPropertyNames):
16
17 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
18
19         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
20         https://bugs.webkit.org/show_bug.cgi?id=196631
21
22         Reviewed by Saam Barati.
23
24         makeBoundFunction assumes that "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
25         DFG may store this value in Double format so that we should not rely on that this value is Int32. This patch fixes makeBoundFunction function to perform
26         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
27
28         * JavaScriptCore.xcodeproj/project.pbxproj:
29         * Sources.txt:
30         * interpreter/CallFrameInlines.h:
31         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
32         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
33         (JSC::DoublePredictionFuzzerAgent::getPrediction):
34         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
35         * runtime/JSGlobalObject.cpp:
36         (JSC::makeBoundFunction):
37         * runtime/Options.h:
38         * runtime/VM.cpp:
39         (JSC::VM::VM):
40
41 2019-04-04  Robin Morisset  <rmorisset@apple.com>
42
43         B3ReduceStrength should know that Mul distributes over Add and Sub
44         https://bugs.webkit.org/show_bug.cgi?id=196325
45         <rdar://problem/49441650>
46
47         Reviewed by Saam Barati.
48
49         Fix some obviously wrong code that was due to an accidental copy-paste.
50         It made the entire optimization dead code that never ran.
51
52         * b3/B3ReduceStrength.cpp:
53
54 2019-04-04  Saam Barati  <sbarati@apple.com>
55
56         Unreviewed, build fix for CLoop after r243886
57
58         * interpreter/Interpreter.cpp:
59         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
60         * interpreter/StackVisitor.cpp:
61         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
62         * interpreter/StackVisitor.h:
63
64 2019-04-04  Commit Queue  <commit-queue@webkit.org>
65
66         Unreviewed, rolling out r243898.
67         https://bugs.webkit.org/show_bug.cgi?id=196624
68
69         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
70         does not work well (Requested by yusukesuzuki on #webkit).
71
72         Reverted changeset:
73
74         "Unreviewed, build fix for CLoop and Windows after r243886"
75         https://bugs.webkit.org/show_bug.cgi?id=196387
76         https://trac.webkit.org/changeset/243898
77
78 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
79
80         Unreviewed, build fix for CLoop and Windows after r243886
81         https://bugs.webkit.org/show_bug.cgi?id=196387
82
83         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
84
85         * interpreter/StackVisitor.cpp:
86         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
87         * interpreter/StackVisitor.h:
88
89 2019-04-04  Saam barati  <sbarati@apple.com>
90
91         Teach Call ICs how to call Wasm
92         https://bugs.webkit.org/show_bug.cgi?id=196387
93
94         Reviewed by Filip Pizlo.
95
96         This patch teaches JS to call Wasm without going through the native thunk.
97         Currently, we emit a JIT "JS" callee stub which marshals arguments from
98         JS to Wasm. Like the native version of this, this thunk is responsible
99         for saving and restoring the VM's current Wasm context. Instead of emitting
100         an exception handler, we also teach the unwinder how to read the previous
101         wasm context to restore it as it unwindws past this frame.
102         
103         This patch is straight forward, and leaves some areas for perf improvement:
104         - We can teach the DFG/FTL to directly use the Wasm calling convention when
105           it knows it's calling a single Wasm function. This way we don't shuffle
106           registers to the stack and then back into registers.
107         - We bail out to the slow path for mismatched arity. I opened a bug to fix
108           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
109         - We bail out to the slow path Double JSValues flowing into i32 arguments.
110           We should teach this thunk how to do that conversion directly.
111         
112         This patch also refactors the code to explicitly have a single pinned size register.
113         We used pretend in some places that we could have more than one pinned size register.
114         However, there was other code that just asserted the size was one. This patch just rips
115         out this code since we never moved to having more than one pinned size register. Doing
116         this refactoring cleans up the various places where we set up the size register.
117         
118         This patch is a 50-60% progression on JetStream 2's richards-wasm.
119
120         * JavaScriptCore.xcodeproj/project.pbxproj:
121         * Sources.txt:
122         * assembler/MacroAssemblerCodeRef.h:
123         (JSC::MacroAssemblerCodeRef::operator=):
124         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
125         * interpreter/Interpreter.cpp:
126         (JSC::UnwindFunctor::operator() const):
127         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
128         * interpreter/StackVisitor.cpp:
129         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
130         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
131         * interpreter/StackVisitor.h:
132         * jit/JITOperations.cpp:
133         * jit/RegisterSet.cpp:
134         (JSC::RegisterSet::runtimeTagRegisters):
135         (JSC::RegisterSet::specialRegisters):
136         (JSC::RegisterSet::runtimeRegisters): Deleted.
137         * jit/RegisterSet.h:
138         * jit/Repatch.cpp:
139         (JSC::linkPolymorphicCall):
140         * runtime/JSFunction.cpp:
141         (JSC::getCalculatedDisplayName):
142         * runtime/JSGlobalObject.cpp:
143         (JSC::JSGlobalObject::init):
144         (JSC::JSGlobalObject::visitChildren):
145         * runtime/JSGlobalObject.h:
146         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
147         * runtime/VM.cpp:
148         (JSC::VM::VM):
149         * runtime/VM.h:
150         * wasm/WasmAirIRGenerator.cpp:
151         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
152         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
153         (JSC::Wasm::AirIRGenerator::addCallIndirect):
154         * wasm/WasmB3IRGenerator.cpp:
155         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
156         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
157         (JSC::Wasm::B3IRGenerator::addCallIndirect):
158         * wasm/WasmBinding.cpp:
159         (JSC::Wasm::wasmToWasm):
160         * wasm/WasmContext.h:
161         (JSC::Wasm::Context::pointerToInstance):
162         * wasm/WasmContextInlines.h:
163         (JSC::Wasm::Context::store):
164         * wasm/WasmMemoryInformation.cpp:
165         (JSC::Wasm::getPinnedRegisters):
166         (JSC::Wasm::PinnedRegisterInfo::get):
167         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
168         * wasm/WasmMemoryInformation.h:
169         (JSC::Wasm::PinnedRegisterInfo::toSave const):
170         * wasm/WasmOMGPlan.cpp:
171         (JSC::Wasm::OMGPlan::work):
172         * wasm/js/JSToWasm.cpp:
173         (JSC::Wasm::createJSToWasmWrapper):
174         * wasm/js/JSToWasmICCallee.cpp: Added.
175         (JSC::JSToWasmICCallee::create):
176         (JSC::JSToWasmICCallee::createStructure):
177         (JSC::JSToWasmICCallee::visitChildren):
178         * wasm/js/JSToWasmICCallee.h: Added.
179         (JSC::JSToWasmICCallee::function):
180         (JSC::JSToWasmICCallee::JSToWasmICCallee):
181         * wasm/js/WebAssemblyFunction.cpp:
182         (JSC::WebAssemblyFunction::useTagRegisters const):
183         (JSC::WebAssemblyFunction::calleeSaves const):
184         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
185         (JSC::WebAssemblyFunction::previousInstanceOffset const):
186         (JSC::WebAssemblyFunction::previousInstance):
187         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
188         (JSC::WebAssemblyFunction::visitChildren):
189         (JSC::WebAssemblyFunction::destroy):
190         * wasm/js/WebAssemblyFunction.h:
191         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
192         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
193         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
194         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
195         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
196         (JSC::WebAssemblyFunctionHeapCellType::destroy):
197         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
198         * wasm/js/WebAssemblyPrototype.h:
199
200 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
201
202         [JSC] Pass CodeOrigin to FuzzerAgent
203         https://bugs.webkit.org/show_bug.cgi?id=196590
204
205         Reviewed by Saam Barati.
206
207         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
208         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
209         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
210
211         * dfg/DFGByteCodeParser.cpp:
212         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
213         * runtime/FuzzerAgent.cpp:
214         (JSC::FuzzerAgent::getPrediction):
215         * runtime/FuzzerAgent.h:
216         * runtime/RandomizingFuzzerAgent.cpp:
217         (JSC::RandomizingFuzzerAgent::getPrediction):
218         * runtime/RandomizingFuzzerAgent.h:
219
220 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
221
222         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
223         https://bugs.webkit.org/show_bug.cgi?id=194944
224
225         Reviewed by Keith Miller.
226
227         Based on profile data collected on JetStream2, Speedometer 2 and
228         other benchmarks, it is very rare having non-empty
229         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
230
231         - Data collected from Speedometer2
232             Total number of UnlinkedFunctionExecutable: 39463
233             Total number of non-empty parentScopeTDZVars: 428 (~1%)
234
235         - Data collected from JetStream2
236             Total number of UnlinkedFunctionExecutable: 83715
237             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
238
239         We also collected numbers on 6 of top 10 Alexia sites.
240
241         - Data collected from youtube.com
242             Total number of UnlinkedFunctionExecutable: 29599
243             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
244
245         - Data collected from twitter.com
246             Total number of UnlinkedFunctionExecutable: 23774
247             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
248
249         - Data collected from google.com
250             Total number of UnlinkedFunctionExecutable: 33209
251             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
252
253         - Data collected from amazon.com:
254             Total number of UnlinkedFunctionExecutable: 15182
255             Total number of non-empty parentScopeTDZVars: 166 (~1%)
256
257         - Data collected from facebook.com:
258             Total number of UnlinkedFunctionExecutable: 54443
259             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
260
261         - Data collected from netflix.com:
262             Total number of UnlinkedFunctionExecutable: 39266
263             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
264
265         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
266         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
267         16 bytes. With this change, now UnlinkedFunctionExecutable constructors
268         receives an `Optional<VariableEnvironmentMap::Handle>` and only stores
269         it when `value != WTF::nullopt`. We also changed
270         UnlinkedFunctionExecutable::parentScopeTDZVariables() and it returns
271         `VariableEnvironment()` whenever the Executable doesn't have RareData,
272         or VariableEnvironmentMap::Handle is unitialized. This is required
273         because RareData is instantiated when any of its field is stored and
274         we can have an unitialized `Handle` even on cases when parentScopeTDZVariables
275         is `WTF::nullopt`.
276
277         Results on memory usage on JetStrem2 is neutral.
278
279             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
280             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
281
282         * builtins/BuiltinExecutables.cpp:
283         (JSC::BuiltinExecutables::createExecutable):
284         * bytecode/UnlinkedFunctionExecutable.cpp:
285         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
286         * bytecode/UnlinkedFunctionExecutable.h:
287         * bytecompiler/BytecodeGenerator.cpp:
288         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
289
290         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
291         is empty, so we can properly return `WTF::nullopt` without the
292         reconstruction of a VariableEnvironment to check if it is empty.
293
294         * bytecompiler/BytecodeGenerator.h:
295         (JSC::BytecodeGenerator::makeFunction):
296         * parser/VariableEnvironment.h:
297         (JSC::VariableEnvironment::isEmpty const):
298         * runtime/CachedTypes.cpp:
299         (JSC::CachedCompactVariableMapHandle::decode const):
300
301         It returns an unitialized Handle when there is no
302         CompactVariableEnvironment. This can happen when RareData is ensured
303         because of another field.
304
305         (JSC::CachedFunctionExecutableRareData::encode):
306         (JSC::CachedFunctionExecutableRareData::decode const):
307         (JSC::CachedFunctionExecutable::encode):
308         (JSC::CachedFunctionExecutable::decode const):
309         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
310         * runtime/CodeCache.cpp:
311
312         Instead of creating a dummyVariablesUnderTDZ, we simply pass
313         WTF::nullopt.
314
315         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
316
317 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
318
319         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
320         https://bugs.webkit.org/show_bug.cgi?id=196409
321
322         Reviewed by Saam Barati.
323
324         Some of the helpers in jsc.cpp, such as `functionRunString`, were stll using
325         using `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
326         and therefore does not write the bytecode cache to disk.
327
328         Changing that revealed a bug in bytecode cache. The Encoder keeps a mapping
329         of pointers to offsets of already cached objects, in order to avoid caching
330         the same object twice. Similarly, the Decoder keeps a mapping from offsets
331         to pointers, in order to avoid creating multiple objects in memory for the
332         same cached object. The following was happening:
333         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
334         an entry in the Encoder mapping that S has already been encoded at O.
335         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
336         We find an entry in the Encoder mapping for S, and return the offset O. However,
337         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
338
339         3) When decoding, there are 2 possibilities:
340         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
341         this case, everything works as expected since we add an entry in the decoder
342         mapping from the offset O to the decoded StringImpl* S. The next time we find
343         S through the uniqued version, we'll return the already decoded S.
344         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
345         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
346         which has a different shape and we crash.
347
348         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
349         same implementation. Since it doesn't matter whether a string is uniqued for
350         encoding, and we always decode strings as uniqued either way, they can be used
351         interchangeably.
352
353         * jsc.cpp:
354         (functionRunString):
355         (functionLoadString):
356         (functionDollarAgentStart):
357         (functionCheckModuleSyntax):
358         (runInteractive):
359         * runtime/CachedTypes.cpp:
360         (JSC::CachedUniquedStringImplBase::decode const):
361         (JSC::CachedFunctionExecutable::rareData const):
362         (JSC::CachedCodeBlock::rareData const):
363         (JSC::CachedFunctionExecutable::encode):
364         (JSC::CachedCodeBlock<CodeBlockType>::encode):
365         (JSC::CachedUniquedStringImpl::encode): Deleted.
366         (JSC::CachedUniquedStringImpl::decode const): Deleted.
367         (JSC::CachedStringImpl::encode): Deleted.
368         (JSC::CachedStringImpl::decode const): Deleted.
369
370 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
371
372         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
373         https://bugs.webkit.org/show_bug.cgi?id=196396
374
375         Reviewed by Saam Barati.
376
377         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
378         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
379
380         * runtime/CachedTypes.cpp:
381         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
382
383 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
384
385         Unreviewed, rolling in r243843 with the build fix
386         https://bugs.webkit.org/show_bug.cgi?id=196586
387
388         * runtime/Options.cpp:
389         (JSC::recomputeDependentOptions):
390         * runtime/Options.h:
391         * runtime/RandomizingFuzzerAgent.cpp:
392         (JSC::RandomizingFuzzerAgent::getPrediction):
393
394 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
395
396         Unreviewed, rolling out r243843.
397
398         Broke CLoop and Windows builds.
399
400         Reverted changeset:
401
402         "[JSC] Add dump feature for RandomizingFuzzerAgent"
403         https://bugs.webkit.org/show_bug.cgi?id=196586
404         https://trac.webkit.org/changeset/243843
405
406 2019-04-03  Robin Morisset  <rmorisset@apple.com>
407
408         B3 should use associativity to optimize expression trees
409         https://bugs.webkit.org/show_bug.cgi?id=194081
410
411         Reviewed by Filip Pizlo.
412
413         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
414         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
415         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
416         inherited from CSE.
417         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
418         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
419
420         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
421         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregate them into expression trees.
422         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
423         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
424         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
425
426         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
427         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
428
429         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
430
431         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4))
432         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
433
434         * JavaScriptCore.xcodeproj/project.pbxproj:
435         * Sources.txt:
436         * b3/B3Common.cpp:
437         (JSC::B3::shouldDumpIR):
438         (JSC::B3::shouldDumpIRAtEachPhase):
439         * b3/B3Common.h:
440         * b3/B3EliminateDeadCode.cpp: Added.
441         (JSC::B3::EliminateDeadCode::run):
442         (JSC::B3::eliminateDeadCode):
443         * b3/B3EliminateDeadCode.h: Added.
444         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
445         * b3/B3Generate.cpp:
446         (JSC::B3::generateToAir):
447         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
448         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
449         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
450         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
451         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
452         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
453         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
454         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
455         (JSC::B3::optimizeAssociativeExpressionTrees):
456         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
457         * b3/B3ReduceStrength.cpp:
458         * b3/B3Value.cpp:
459         (JSC::B3::Value::replaceWithIdentity):
460         * b3/testb3.cpp:
461         (JSC::B3::testBitXorTreeArgs):
462         (JSC::B3::testBitXorTreeArgsEven):
463         (JSC::B3::testBitXorTreeArgImm):
464         (JSC::B3::testAddTreeArg32):
465         (JSC::B3::testMulTreeArg32):
466         (JSC::B3::testBitAndTreeArg32):
467         (JSC::B3::testBitOrTreeArg32):
468         (JSC::B3::run):
469
470 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
471
472         [JSC] Add dump feature for RandomizingFuzzerAgent
473         https://bugs.webkit.org/show_bug.cgi?id=196586
474
475         Reviewed by Saam Barati.
476
477         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
478         The results is like this.
479
480             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
481             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
482
483         * runtime/Options.cpp:
484         (JSC::recomputeDependentOptions):
485         * runtime/Options.h:
486         * runtime/RandomizingFuzzerAgent.cpp:
487         (JSC::RandomizingFuzzerAgent::getPrediction):
488
489 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
490
491         -apple-trailing-word is needed for browser detection
492         https://bugs.webkit.org/show_bug.cgi?id=196575
493
494         Unreviewed.
495
496         * Configurations/FeatureDefines.xcconfig:
497
498 2019-04-03  Michael Saboff  <msaboff@apple.com>
499
500         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
501         https://bugs.webkit.org/show_bug.cgi?id=196477
502
503         Reviewed by Keith Miller.
504
505         The problem here is that when we advance the index by 2 for a character class that only
506         has non-BMP characters, we might go past the end of the string.  This can happen for
507         greedy counted character classes that are part of a alternative where there is one
508         character to match after the greedy non-BMP character class.
509
510         The "do we have string left to match" check at the top of the JIT loop for the counted
511         character class checks to see if index is not equal to the string length.  For non-BMP
512         character classes, we need to check to see if there are at least 2 characters left.
513         Therefore we now temporarily add 1 to the current index before comparing.  This checks
514         to see if there are iat least 2 characters left to match, instead of 1.
515
516         * yarr/YarrJIT.cpp:
517         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
518         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
519
520 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
521
522         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
523         https://bugs.webkit.org/show_bug.cgi?id=196574
524
525         Reviewed by Saam Barati.
526
527         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
528
529         * dfg/DFGOperations.cpp:
530
531 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
532
533         [CMake][WTF] Mirror XCode header directories
534         https://bugs.webkit.org/show_bug.cgi?id=191662
535
536         Reviewed by Konstantin Tokarev.
537
538         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
539         builds.
540
541         * CMakeLists.txt:
542         * shell/CMakeLists.txt:
543
544 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
545
546         [JSC] Add FuzzerAgent, which has a hooks to get feedback & inject fuzz data into JSC
547         https://bugs.webkit.org/show_bug.cgi?id=196530
548
549         Reviewed by Saam Barati.
550
551         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
552         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
553         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
554
555         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it finds 3 failures in the current JSC tests,
556         they should be fixed in subsequent patches.
557
558         * CMakeLists.txt:
559         * JavaScriptCore.xcodeproj/project.pbxproj:
560         * Sources.txt:
561         * dfg/DFGByteCodeParser.cpp:
562         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
563         * runtime/FuzzerAgent.cpp: Added.
564         (JSC::FuzzerAgent::~FuzzerAgent):
565         (JSC::FuzzerAgent::getPrediction):
566         * runtime/FuzzerAgent.h: Added.
567         * runtime/JSGlobalObjectFunctions.cpp:
568         * runtime/Options.h:
569         * runtime/RandomizingFuzzerAgent.cpp: Added.
570         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
571         (JSC::RandomizingFuzzerAgent::getPrediction):
572         * runtime/RandomizingFuzzerAgent.h: Added.
573         * runtime/RegExpCachedResult.h:
574         * runtime/RegExpGlobalData.cpp:
575         * runtime/VM.cpp:
576         (JSC::VM::VM):
577         * runtime/VM.h:
578         (JSC::VM::fuzzerAgent const):
579         (JSC::VM::setFuzzerAgent):
580
581 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
582
583         Remove support for -apple-trailing-word
584         https://bugs.webkit.org/show_bug.cgi?id=196525
585
586         Reviewed by Zalan Bujtas.
587
588         This CSS property is nonstandard and not used.
589
590         * Configurations/FeatureDefines.xcconfig:
591
592 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
593
594         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
595         https://bugs.webkit.org/show_bug.cgi?id=196513
596         <rdar://problem/49498284>
597
598         Reviewed by Devin Rousso.
599
600         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
601         (Inspector::RemoteInspector::receivedIndicateMessage):
602         When we have a WebThread, don't just run on the WebThread,
603         run on the MainThread with the WebThreadLock.
604
605 2019-04-02  Michael Saboff  <msaboff@apple.com>
606
607         Crash in Options::setOptions() using --configFile option and libgmalloc
608         https://bugs.webkit.org/show_bug.cgi?id=196506
609
610         Reviewed by Keith Miller.
611
612         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
613         the implicit CString temporary alive until after setOptions() returns.
614
615         * runtime/ConfigFile.cpp:
616         (JSC::ConfigFile::parse):
617
618 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
619
620         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
621         https://bugs.webkit.org/show_bug.cgi?id=182757
622
623         Reviewed by Don Olmstead.
624
625         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
626         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
627         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
628
629 2019-04-02  Saam barati  <sbarati@apple.com>
630
631         Add a ValueRepReduction phase
632         https://bugs.webkit.org/show_bug.cgi?id=196234
633
634         Reviewed by Filip Pizlo.
635
636         This patch adds a ValueRepReduction phase. The main idea here is
637         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
638         to just be @x. This patch handles such above strengh reduction rules
639         as long as we prove that all users of the ValueRep can be converted
640         to using the incoming double value. That way we prevent introducing
641         a parallel live range for the double value.
642         
643         This patch tracks the uses of the ValueRep through Phi variables,
644         so we can convert entire Phi variables to being Double instead
645         of JSValue if the Phi also has only double uses.
646         
647         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
648         and OSR exit hints are not counted as escapes. All other uses are counted
649         as escapes. Connected Phi graphs are converted to being Double only if the
650         entire graph is ok with the result being Double.
651         
652         Some ways we could extend this phase in the future:
653         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
654           that the result of the DoubleRep of @x is not impure NaN. We could
655           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
656           with PurifyNaN(@x). Alternatively, we could see if certain users of this
657           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
658           their output type is always treated as if the input is impure NaN.
659         - We could do sinking of ValueRep where we think it's profitable. So instead
660           of an escape making it so we never represent the variable as a Double, we
661           could make the escape reconstruct the JSValueRep where profitable.
662         - We can extend this phase to handle Int52Rep if it's profitable.
663         - We can opt other nodes into accepting incoming Doubles so we no longer
664           treat them as escapes.
665         
666         This patch is somewhere between neutral and a 1% progression on JetStream 2.
667
668         * JavaScriptCore.xcodeproj/project.pbxproj:
669         * Sources.txt:
670         * dfg/DFGPlan.cpp:
671         (JSC::DFG::Plan::compileInThreadImpl):
672         * dfg/DFGValueRepReductionPhase.cpp: Added.
673         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
674         (JSC::DFG::ValueRepReductionPhase::run):
675         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
676         (JSC::DFG::performValueRepReduction):
677         * dfg/DFGValueRepReductionPhase.h: Added.
678         * runtime/Options.h:
679
680 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
681
682         [JSC] JSRunLoopTimer::Manager should be small
683         https://bugs.webkit.org/show_bug.cgi?id=196425
684
685         Reviewed by Darin Adler.
686
687         Using very large Key or Value in HashMap potentially bloats memory since HashMap pre-allocates large size of
688         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. Using std::unique_ptr<> for JSRunLoopTimer's
689         PerVMData to keep HashMap's backing store size small.
690
691         * runtime/JSRunLoopTimer.cpp:
692         (JSC::JSRunLoopTimer::Manager::timerDidFire):
693         (JSC::JSRunLoopTimer::Manager::registerVM):
694         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
695         (JSC::JSRunLoopTimer::Manager::cancelTimer):
696         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
697         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
698         * runtime/JSRunLoopTimer.h:
699
700 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
701
702         [PlayStation] Add initialization for JSC shell for PlayStation port
703         https://bugs.webkit.org/show_bug.cgi?id=195411
704
705         Reviewed by Ross Kirsling.
706
707         Add ps options
708
709         * shell/PlatformPlayStation.cmake: Added.
710         * shell/playstation/Initializer.cpp: Added.
711         (initializer):
712
713 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
714
715         Stop trying to support building JSC with clang 3.8
716         https://bugs.webkit.org/show_bug.cgi?id=195947
717         <rdar://problem/49069219>
718
719         Reviewed by Darin Adler.
720
721         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
722         don't know how much effort it would be to make JSC work again, and it's making the code
723         worse. Remove my hacks to support clang 3.8 from JSC.
724
725         * bindings/ScriptValue.cpp:
726         (Inspector::jsToInspectorValue):
727         * bytecode/GetterSetterAccessCase.cpp:
728         (JSC::GetterSetterAccessCase::create):
729         (JSC::GetterSetterAccessCase::clone const):
730         * bytecode/InstanceOfAccessCase.cpp:
731         (JSC::InstanceOfAccessCase::clone const):
732         * bytecode/IntrinsicGetterAccessCase.cpp:
733         (JSC::IntrinsicGetterAccessCase::clone const):
734         * bytecode/ModuleNamespaceAccessCase.cpp:
735         (JSC::ModuleNamespaceAccessCase::clone const):
736         * bytecode/ProxyableAccessCase.cpp:
737         (JSC::ProxyableAccessCase::clone const):
738
739 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
740
741         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
742         https://bugs.webkit.org/show_bug.cgi?id=196160
743
744         Reviewed by Saam Barati.
745
746         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
747
748         1. It does not allocate additional memory while expanding a vector
749         2. It does not deallocate an old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
750
751         We found that we can "realloc" large butterflies in certain conditions are met because,
752
753         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
754         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
755
756         This patch attempts to use "realloc" onto butterflies if,
757
758         1. Butterflies are allocated in LargeAllocation kind
759         2. Concurrent collector is not active
760         3. Butterflies do not have property storage
761
762         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
763         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
764
765         We also change LargeAllocation mechanism to using "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
766         safely in all the platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
767         16B alignment by allocating 8B more memory in "malloc".
768
769         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
770
771         * heap/AlignedMemoryAllocator.h:
772         * heap/CompleteSubspace.cpp:
773         (JSC::CompleteSubspace::tryAllocateSlow):
774         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
775         * heap/CompleteSubspace.h:
776         * heap/FastMallocAlignedMemoryAllocator.cpp:
777         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
778         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
779         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
780         * heap/FastMallocAlignedMemoryAllocator.h:
781         * heap/GigacageAlignedMemoryAllocator.cpp:
782         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
783         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
784         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
785         * heap/GigacageAlignedMemoryAllocator.h:
786         * heap/IsoAlignedMemoryAllocator.cpp:
787         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
788         (JSC::IsoAlignedMemoryAllocator::freeMemory):
789         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
790         * heap/IsoAlignedMemoryAllocator.h:
791         * heap/LargeAllocation.cpp:
792         (JSC::isAlignedForLargeAllocation):
793         (JSC::LargeAllocation::tryCreate):
794         (JSC::LargeAllocation::tryReallocate):
795         (JSC::LargeAllocation::LargeAllocation):
796         (JSC::LargeAllocation::destroy):
797         * heap/LargeAllocation.h:
798         (JSC::LargeAllocation::indexInSpace):
799         (JSC::LargeAllocation::setIndexInSpace):
800         (JSC::LargeAllocation::basePointer const):
801         * heap/MarkedSpace.cpp:
802         (JSC::MarkedSpace::sweepLargeAllocations):
803         (JSC::MarkedSpace::prepareForConservativeScan):
804         * heap/WeakSet.h:
805         (JSC::WeakSet::isTriviallyDestructible const):
806         * runtime/Butterfly.h:
807         * runtime/ButterflyInlines.h:
808         (JSC::Butterfly::reallocArrayRightIfPossible):
809         * runtime/JSObject.cpp:
810         (JSC::JSObject::ensureLengthSlow):
811
812 2019-03-31  Sam Weinig  <weinig@apple.com>
813
814         Remove more i386 specific configurations
815         https://bugs.webkit.org/show_bug.cgi?id=196430
816
817         Reviewed by Alexey Proskuryakov.
818
819         * Configurations/FeatureDefines.xcconfig:
820         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
821
822         * Configurations/ToolExecutable.xcconfig:
823         ARC can be enabled unconditionally now.
824
825 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
826
827         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
828         https://bugs.webkit.org/show_bug.cgi?id=196392
829
830         Reviewed by Saam Barati.
831
832         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that very easy program shows 10KB memory consumption due to
833         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. We can unregister itself
834         from the map when it is deallocated without using Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
835         and wrapper map is created per JSContext, JSValue wrapper and actual JavaScriptCore value is one-on-one, and [JSValue dealloc] knows which JSContext's
836         wrapper map holds itself.
837
838         1. We do not use Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And unregister
839            JSValue from this map when JSValue is deallocated.
840         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
841            holds JSValueRef inside it.
842
843         * API/JSContext.mm:
844         (-[JSContext removeWrapper:]):
845         * API/JSContextInternal.h:
846         * API/JSValue.mm:
847         (-[JSValue dealloc]):
848         (-[JSValue initWithValue:inContext:]):
849         * API/JSWrapperMap.h:
850         * API/JSWrapperMap.mm:
851         (WrapperKey::hashTableDeletedValue):
852         (WrapperKey::WrapperKey):
853         (WrapperKey::isHashTableDeletedValue const):
854         (WrapperKey::Hash::hash):
855         (WrapperKey::Hash::equal):
856         (WrapperKey::Traits::isEmptyValue):
857         (WrapperKey::Translator::hash):
858         (WrapperKey::Translator::equal):
859         (WrapperKey::Translator::translate):
860         (-[JSWrapperMap initWithGlobalContextRef:]):
861         (-[JSWrapperMap dealloc]):
862         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
863         (-[JSWrapperMap removeWrapper:]):
864         * API/tests/testapi.mm:
865         (testObjectiveCAPIMain):
866
867 2019-03-29  Robin Morisset  <rmorisset@apple.com>
868
869         B3ReduceStrength should know that Mul distributes over Add and Sub
870         https://bugs.webkit.org/show_bug.cgi?id=196325
871
872         Reviewed by Michael Saboff.
873
874         In this patch I add the following patterns to B3ReduceStrength:
875         - Turn this: Integer Neg(Mul(value, c))
876           Into this: Mul(value, -c), as long as -c does not overflow
877         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
878           Into this: Neg(Mul(value, otherValue))
879         - For Op==Add or Sub, turn any of these:
880              Op(Mul(x1, x2), Mul(x1, x3))
881              Op(Mul(x2, x1), Mul(x1, x3))
882              Op(Mul(x1, x2), Mul(x3, x1))
883              Op(Mul(x2, x1), Mul(x3, x1))
884           Into this: Mul(x1, Op(x2, x3))
885
886         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
887         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
888
889         * b3/B3ReduceStrength.cpp:
890         * b3/testb3.cpp:
891         (JSC::B3::testAddMulMulArgs):
892         (JSC::B3::testMulArgNegArg):
893         (JSC::B3::testMulNegArgArg):
894         (JSC::B3::testNegMulArgImm):
895         (JSC::B3::testSubMulMulArgs):
896         (JSC::B3::run):
897
898 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
899
900         [JSC] Remove distancing for LargeAllocation
901         https://bugs.webkit.org/show_bug.cgi?id=196335
902
903         Reviewed by Saam Barati.
904
905         In r230226, we removed distancing feature from our GC. This patch removes remaining distancing thing in LargeAllocation.
906
907         * heap/HeapCell.h:
908         * heap/LargeAllocation.cpp:
909         (JSC::LargeAllocation::tryCreate):
910         * heap/MarkedBlock.h:
911
912 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
913
914         Delete WebMetal implementation in favor of WebGPU
915         https://bugs.webkit.org/show_bug.cgi?id=195418
916
917         Reviewed by Dean Jackson.
918
919         * Configurations/FeatureDefines.xcconfig:
920         * inspector/protocol/Canvas.json:
921         * inspector/scripts/codegen/generator.py:
922
923 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
924
925         Assertion failed in JSC::createError
926         https://bugs.webkit.org/show_bug.cgi?id=196305
927         <rdar://problem/49387382>
928
929         Reviewed by Saam Barati.
930
931         JSC::createError assumes that `errorDescriptionForValue` will either
932         throw an exception or return a valid description string. However, that
933         is not true if the value is a rope string and we successfully resolve it,
934         but later fail to wrap the string in quotes with `tryMakeString`.
935
936         * runtime/ExceptionHelpers.cpp:
937         (JSC::createError):
938
939 2019-03-29  Devin Rousso  <drousso@apple.com>
940
941         Web Inspector: add fast returns for instrumentation hooks that have no affect before a frontend is connected
942         https://bugs.webkit.org/show_bug.cgi?id=196382
943         <rdar://problem/49403417>
944
945         Reviewed by Joseph Pecoraro.
946
947         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
948         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
949         developer extras are enabled.
950
951         * inspector/agents/InspectorConsoleAgent.cpp:
952         (Inspector::InspectorConsoleAgent::startTiming):
953         (Inspector::InspectorConsoleAgent::stopTiming):
954         (Inspector::InspectorConsoleAgent::count):
955         (Inspector::InspectorConsoleAgent::addConsoleMessage):
956
957 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
958
959         Implement ResizeObserver.
960         https://bugs.webkit.org/show_bug.cgi?id=157743
961
962         Reviewed by Simon Fraser.
963
964         Add ENABLE_RESIZE_OBSERVER.
965
966         * Configurations/FeatureDefines.xcconfig:
967
968 2019-03-28  Michael Saboff  <msaboff@apple.com>
969
970         [YARR] Precompute BMP / non-BMP status when constructing character classes
971         https://bugs.webkit.org/show_bug.cgi?id=196296
972
973         Reviewed by Keith Miller.
974
975         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
976         indicateis if the class includes characters from either BMP, non-BMP or both ranges.
977         This allows the recognizing code to eliminate checks for the width of a matched
978         characters when the class has only one width.  The character width is needed to
979         determine if we advance 1 or 2 character.  Also, the pre-computed width of character
980         classes that contains either all BMP or all non-BMP characters allows the parser to
981         use fixed widths for terms using those character classes.  Changed both the code gen
982         scripts and Yarr compiler to compute this bit field during the construction of
983         character classes.
984
985         For JIT'ed code of character classes that contain either all BMP or all non-BMP
986         characters, we can eliminate the generic check we were doing do compute how much
987         to advance after sucessfully matching a character in the class.
988
989                 Generic isBMP check      BMP only            non-BMP only
990                 --------------           --------------      --------------
991                 inc %r9d                 inc %r9d            add $0x2, %r9d
992                 cmp $0x10000, %eax
993                 jl isBMP
994                 cmp %edx, %esi
995                 jz atEndOfString
996                 inc %r9d
997                 inc %esi
998          isBMP:
999
1000         For character classes that contained non-BMP characters, we were always generating
1001         the code in the left column.  The middle column is the code we generate for character
1002         classes that contain only BMP characters.  The right column is the code we now
1003         generate if the character class has only non-BMP characters.  In the fix width cases,
1004         we can eliminate both the isBMP check as well as the atEndOfString check.  The
1005         atEndOfstring check is eliminated since we know how many characters this character
1006         class requires and that check can be factored out to the beginning of the current
1007         alternative.  For character classes that contain both BMP and non-BMP characters,
1008         we still generate the generic left column.
1009
1010         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
1011         as a whole.
1012
1013         * runtime/RegExp.cpp:
1014         (JSC::RegExp::matchCompareWithInterpreter):
1015         * runtime/RegExpInlines.h:
1016         (JSC::RegExp::matchInline):
1017         * yarr/YarrInterpreter.cpp:
1018         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
1019         (JSC::Yarr::Interpreter::matchCharacterClass):
1020         * yarr/YarrJIT.cpp:
1021         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1022         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1023         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
1024         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1025         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1026         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1027         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1028         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1029         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1030         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1031         (JSC::Yarr::YarrGenerator::generateEnter):
1032         (JSC::Yarr::YarrGenerator::YarrGenerator):
1033         (JSC::Yarr::YarrGenerator::compile):
1034         * yarr/YarrPattern.cpp:
1035         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1036         (JSC::Yarr::CharacterClassConstructor::reset):
1037         (JSC::Yarr::CharacterClassConstructor::charClass):
1038         (JSC::Yarr::CharacterClassConstructor::addSorted):
1039         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1040         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1041         (JSC::Yarr::CharacterClassConstructor::characterWidths):
1042         (JSC::Yarr::PatternTerm::dump):
1043         (JSC::Yarr::anycharCreate):
1044         * yarr/YarrPattern.h:
1045         (JSC::Yarr::operator|):
1046         (JSC::Yarr::operator&):
1047         (JSC::Yarr::operator|=):
1048         (JSC::Yarr::CharacterClass::CharacterClass):
1049         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
1050         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
1051         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
1052         (JSC::Yarr::PatternTerm::invert const):
1053         (JSC::Yarr::PatternTerm::invert): Deleted.
1054         * yarr/create_regex_tables:
1055         * yarr/generateYarrUnicodePropertyTables.py:
1056
1057 2019-03-28  Saam Barati  <sbarati@apple.com>
1058
1059         BackwardsGraph needs to consider back edges as the backward's root successor
1060         https://bugs.webkit.org/show_bug.cgi?id=195991
1061
1062         Reviewed by Filip Pizlo.
1063
1064         * b3/testb3.cpp:
1065         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
1066         (JSC::B3::run):
1067
1068 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
1069
1070         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
1071         https://bugs.webkit.org/show_bug.cgi?id=196343
1072
1073         Reviewed by Saam Barati.
1074
1075         Clang reports a compilation warning and recommend '&PADDING_STRING[PADDING_STRING_LENGTH]'
1076         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
1077
1078         * bytecode/Opcode.cpp:
1079         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
1080         this function is used only in Opcode.cpp. Changed macros
1081         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
1082         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
1083         * bytecode/Opcode.h:
1084         (JSC::padOpcodeName): Moved.
1085
1086 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1087
1088         CodeBlock::jettison() should disallow repatching its own calls
1089         https://bugs.webkit.org/show_bug.cgi?id=196359
1090         <rdar://problem/48973663>
1091
1092         Reviewed by Saam Barati.
1093
1094         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
1095         instruction with the jump to OSR exit. However, if the `hlt` was immediately
1096         followed by a call to the CodeBlock being jettisoned, we would write over the
1097         OSR exit address while unlinking all the incoming CallLinkInfos later in
1098         CodeBlock::jettison().
1099
1100         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
1101         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
1102         repatching the call during unlinking. This is safe because this call will never
1103         be reachable again after the CodeBlock is jettisoned.
1104
1105         * bytecode/CallLinkInfo.cpp:
1106         (JSC::CallLinkInfo::CallLinkInfo):
1107         (JSC::CallLinkInfo::setCallee):
1108         (JSC::CallLinkInfo::clearCallee):
1109         (JSC::CallLinkInfo::setCodeBlock):
1110         (JSC::CallLinkInfo::clearCodeBlock):
1111         * bytecode/CallLinkInfo.h:
1112         (JSC::CallLinkInfo::clearedByJettison):
1113         (JSC::CallLinkInfo::setClearedByJettison):
1114         * bytecode/CodeBlock.cpp:
1115         (JSC::CodeBlock::jettison):
1116         * jit/Repatch.cpp:
1117         (JSC::revertCall):
1118
1119 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
1120
1121         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
1122         https://bugs.webkit.org/show_bug.cgi?id=196341
1123
1124         Reviewed by Saam Barati.
1125
1126         Previously, we created Objective-C weak map to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
1127         But Objective-C weak map is really memory costly. Even if the entry is only one, it consumes 2.5KB per weak map. Since we can modify
1128         JSC intrusively for JavaScriptCore.framework (and we already did it, like, holding JSWrapperMap in JSGlobalObject), we can just hold
1129         a pointer to a wrapper in VM and JSGlobalObject.
1130
1131         This patch adds void* members to VM and JSGlobalObject, which holds a non-strong reference to a wrapper. When a wrapper is gone, we
1132         clear this pointer too. This removes unnecessary two Objective-C weak maps, and save 5KB.
1133
1134         * API/JSContext.mm:
1135         (-[JSContext initWithVirtualMachine:]):
1136         (-[JSContext dealloc]):
1137         (-[JSContext initWithGlobalContextRef:]):
1138         (-[JSContext wrapperMap]):
1139         (+[JSContext contextWithJSGlobalContextRef:]):
1140         * API/JSVirtualMachine.mm:
1141         (-[JSVirtualMachine initWithContextGroupRef:]):
1142         (-[JSVirtualMachine dealloc]):
1143         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
1144         (scanExternalObjectGraph):
1145         (scanExternalRememberedSet):
1146         (initWrapperCache): Deleted.
1147         (wrapperCache): Deleted.
1148         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
1149         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
1150         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
1151         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
1152         * API/JSVirtualMachineInternal.h:
1153         * runtime/JSGlobalObject.h:
1154         (JSC::JSGlobalObject::setAPIWrapper):
1155         (JSC::JSGlobalObject::apiWrapper const):
1156         * runtime/VM.h:
1157
1158 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
1159
1160         In-memory code cache should not share bytecode across domains
1161         https://bugs.webkit.org/show_bug.cgi?id=196321
1162
1163         Reviewed by Geoffrey Garen.
1164
1165         Use the SourceProvider's URL to make sure that the hosts match for the
1166         two SourceCodeKeys in operator==.
1167
1168         * parser/SourceCodeKey.h:
1169         (JSC::SourceCodeKey::host const):
1170         (JSC::SourceCodeKey::operator== const):
1171
1172 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
1173
1174         Silence lot of warnings when compiling with clang
1175         https://bugs.webkit.org/show_bug.cgi?id=196310
1176
1177         Reviewed by Michael Catanzaro.
1178
1179         Initialize variable with default constructor.
1180
1181         * API/glib/JSCOptions.cpp:
1182         (jsc_options_foreach):
1183
1184 2019-03-27  Saam Barati  <sbarati@apple.com>
1185
1186         validateOSREntryValue with Int52 should box the value being checked into double format
1187         https://bugs.webkit.org/show_bug.cgi?id=196313
1188         <rdar://problem/49306703>
1189
1190         Reviewed by Yusuke Suzuki.
1191
1192         * dfg/DFGOSREntry.cpp:
1193         (JSC::DFG::prepareOSREntry):
1194         * ftl/FTLLowerDFGToB3.cpp:
1195         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
1196
1197 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
1198
1199         [JSC] Owner of watchpoints should validate at GC finalizing phase
1200         https://bugs.webkit.org/show_bug.cgi?id=195827
1201
1202         Reviewed by Filip Pizlo.
1203
1204         This patch fixes JSC's watchpoint liveness issue by the following two policies.
1205
1206         1. Watchpoint should have owner cell, and "fire" operation should be gaurded with owner cell's isLive check.
1207
1208         Watchpoints should hold its owner cell, and fire procedure should be guarded by `owner->isLive()`.
1209         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
1210         be delayed due to incremental sweeper. So the following condition can happen.
1211
1212         When we have a watchpoint like the following.
1213
1214             class XXXWatchpoint {
1215                 ObjectPropertyCondition m_key;
1216                 JSCell* m_owner;
1217             };
1218
1219         Both m_key's cell and m_owner is now unreachable from the root. So eventually, m_owner cell's destructor
1220         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
1221         watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
1222         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard fire procedure with
1223         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
1224         once the destructor of m_owner is called, this watchpoint will be destroyed too.
1225
1226         2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
1227
1228         Watchpoints often hold weak references to the other cell (like, m_key in the above example). If we do not
1229         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
1230         and watchpoint's fire operation can use these dead cells accidentally. isLive / isStillLive check for these weak cells
1231         in fire operation is not useful. Because these dead cells can be reused to the other live cells eventually, and this
1232         isLive / isStillLive checks fail to see these cells are live if they are reused. Appropriate way is deleting watchpoints
1233         with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in owner cells of watchpoints.
1234         We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
1235
1236         * JavaScriptCore.xcodeproj/project.pbxproj:
1237         * Sources.txt:
1238         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
1239         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
1240         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
1241         * bytecode/CodeBlockJettisoningWatchpoint.h:
1242         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
1243         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1244         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
1245         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1246         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1247         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
1248         * bytecode/StructureStubClearingWatchpoint.cpp:
1249         (JSC::StructureStubClearingWatchpoint::fireInternal):
1250         (JSC::WatchpointsOnStructureStubInfo::isValid const):
1251         * bytecode/StructureStubClearingWatchpoint.h:
1252         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
1253         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1254         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
1255         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
1256         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1257         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1258         * dfg/DFGAdaptiveStructureWatchpoint.h:
1259         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
1260         * dfg/DFGDesiredWatchpoints.cpp:
1261         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1262         * heap/Heap.cpp:
1263         (JSC::Heap::finalizeUnconditionalFinalizers):
1264         * llint/LLIntSlowPaths.cpp:
1265         (JSC::LLInt::setupGetByIdPrototypeCache):
1266         * runtime/ArrayBuffer.cpp:
1267         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
1268         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
1269         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
1270         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
1271         (JSC::ArrayBufferNeuteringWatchpointSet::create):
1272         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
1273         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
1274         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
1275         * runtime/FunctionRareData.h:
1276         * runtime/JSGlobalObject.cpp:
1277         (JSC::JSGlobalObject::init):
1278         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
1279         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
1280         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
1281         * runtime/StructureRareData.cpp:
1282         (JSC::StructureRareData::finalizeUnconditionally):
1283         * runtime/StructureRareData.h:
1284         * runtime/VM.cpp:
1285         (JSC::VM::VM):
1286
1287 2019-03-26  Saam Barati  <sbarati@apple.com>
1288
1289         FTL: Emit code to validate AI's state when running the compiled code
1290         https://bugs.webkit.org/show_bug.cgi?id=195924
1291         <rdar://problem/49003422>
1292
1293         Reviewed by Filip Pizlo.
1294
1295         This patch adds code that between the execution of each node that validates
1296         the types that AI proves. This option is too expensive to turn on for our
1297         regression testing, but we think it will be valuable in other types of running
1298         modes, such as when running with a fuzzer.
1299         
1300         This patch also adds options to only probabilistically run this validation
1301         after the execution of each node. As the probability is lowered, there is
1302         less of a perf hit.
1303         
1304         This patch just adds this validation in the FTL. A follow-up patch will land
1305         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
1306
1307         * ftl/FTLLowerDFGToB3.cpp:
1308         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1309         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
1310         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
1311         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1312         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
1313         * runtime/Options.h:
1314
1315 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
1316
1317         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
1318         https://bugs.webkit.org/show_bug.cgi?id=196217
1319
1320         Reviewed by Saam Barati.
1321
1322         Generalize the fix for f32.max to properly handle NaN by doing an extra GreatherThan
1323         comparison in r243446 to all min and max float operations.
1324
1325         * wasm/WasmAirIRGenerator.cpp:
1326         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
1327         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
1328         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
1329         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
1330         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
1331         * wasm/wasm.json:
1332
1333 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
1334
1335         Intl.DateTimeFormat should obey 2-digit hour
1336         https://bugs.webkit.org/show_bug.cgi?id=195974
1337
1338         Reviewed by Keith Miller.
1339
1340         * runtime/IntlDateTimeFormat.cpp:
1341         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1342
1343 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
1344
1345         Heap::isMarked and friends should be instance methods
1346         https://bugs.webkit.org/show_bug.cgi?id=179988
1347
1348         Reviewed by Saam Barati.
1349
1350         Almost all the callers of Heap::isMarked have VM& reference. We should make Heap::isMarked instance function instead of static function
1351         so that we do not need to look up Heap from the cell.
1352
1353         * API/JSAPIWrapperObject.mm:
1354         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1355         * API/JSMarkingConstraintPrivate.cpp:
1356         (JSC::isMarked):
1357         * API/glib/JSAPIWrapperObjectGLib.cpp:
1358         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1359         * builtins/BuiltinExecutables.cpp:
1360         (JSC::BuiltinExecutables::finalizeUnconditionally):
1361         * bytecode/AccessCase.cpp:
1362         (JSC::AccessCase::visitWeak const):
1363         (JSC::AccessCase::propagateTransitions const):
1364         * bytecode/CallLinkInfo.cpp:
1365         (JSC::CallLinkInfo::visitWeak):
1366         * bytecode/CallLinkStatus.cpp:
1367         (JSC::CallLinkStatus::finalize):
1368         * bytecode/CallLinkStatus.h:
1369         * bytecode/CallVariant.cpp:
1370         (JSC::CallVariant::finalize):
1371         * bytecode/CallVariant.h:
1372         * bytecode/CodeBlock.cpp:
1373         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1374         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1375         (JSC::shouldMarkTransition):
1376         (JSC::CodeBlock::propagateTransitions):
1377         (JSC::CodeBlock::determineLiveness):
1378         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1379         (JSC::CodeBlock::finalizeUnconditionally):
1380         (JSC::CodeBlock::jettison):
1381         * bytecode/CodeBlock.h:
1382         * bytecode/ExecutableToCodeBlockEdge.cpp:
1383         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1384         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
1385         (JSC::ExecutableToCodeBlockEdge::runConstraint):
1386         * bytecode/GetByIdStatus.cpp:
1387         (JSC::GetByIdStatus::finalize):
1388         * bytecode/GetByIdStatus.h:
1389         * bytecode/GetByIdVariant.cpp:
1390         (JSC::GetByIdVariant::finalize):
1391         * bytecode/GetByIdVariant.h:
1392         * bytecode/InByIdStatus.cpp:
1393         (JSC::InByIdStatus::finalize):
1394         * bytecode/InByIdStatus.h:
1395         * bytecode/InByIdVariant.cpp:
1396         (JSC::InByIdVariant::finalize):
1397         * bytecode/InByIdVariant.h:
1398         * bytecode/ObjectPropertyCondition.cpp:
1399         (JSC::ObjectPropertyCondition::isStillLive const):
1400         * bytecode/ObjectPropertyCondition.h:
1401         * bytecode/ObjectPropertyConditionSet.cpp:
1402         (JSC::ObjectPropertyConditionSet::areStillLive const):
1403         * bytecode/ObjectPropertyConditionSet.h:
1404         * bytecode/PolymorphicAccess.cpp:
1405         (JSC::PolymorphicAccess::visitWeak const):
1406         * bytecode/PropertyCondition.cpp:
1407         (JSC::PropertyCondition::isStillLive const):
1408         * bytecode/PropertyCondition.h:
1409         * bytecode/PutByIdStatus.cpp:
1410         (JSC::PutByIdStatus::finalize):
1411         * bytecode/PutByIdStatus.h:
1412         * bytecode/PutByIdVariant.cpp:
1413         (JSC::PutByIdVariant::finalize):
1414         * bytecode/PutByIdVariant.h:
1415         * bytecode/RecordedStatuses.cpp:
1416         (JSC::RecordedStatuses::finalizeWithoutDeleting):
1417         (JSC::RecordedStatuses::finalize):
1418         * bytecode/RecordedStatuses.h:
1419         * bytecode/StructureSet.cpp:
1420         (JSC::StructureSet::isStillAlive const):
1421         * bytecode/StructureSet.h:
1422         * bytecode/StructureStubInfo.cpp:
1423         (JSC::StructureStubInfo::visitWeakReferences):
1424         * dfg/DFGPlan.cpp:
1425         (JSC::DFG::Plan::finalizeInGC):
1426         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1427         * heap/GCIncomingRefCounted.h:
1428         * heap/GCIncomingRefCountedInlines.h:
1429         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
1430         * heap/GCIncomingRefCountedSet.h:
1431         * heap/GCIncomingRefCountedSetInlines.h:
1432         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
1433         (JSC::GCIncomingRefCountedSet<T>::sweep):
1434         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
1435         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
1436         * heap/Heap.cpp:
1437         (JSC::Heap::addToRememberedSet):
1438         (JSC::Heap::runEndPhase):
1439         (JSC::Heap::sweepArrayBuffers):
1440         (JSC::Heap::addCoreConstraints):
1441         * heap/Heap.h:
1442         * heap/HeapInlines.h:
1443         (JSC::Heap::isMarked):
1444         * heap/HeapSnapshotBuilder.cpp:
1445         (JSC::HeapSnapshotBuilder::appendNode):
1446         * heap/SlotVisitor.cpp:
1447         (JSC::SlotVisitor::appendToMarkStack):
1448         (JSC::SlotVisitor::visitChildren):
1449         * jit/PolymorphicCallStubRoutine.cpp:
1450         (JSC::PolymorphicCallStubRoutine::visitWeak):
1451         * runtime/ErrorInstance.cpp:
1452         (JSC::ErrorInstance::finalizeUnconditionally):
1453         * runtime/InferredValueInlines.h:
1454         (JSC::InferredValue::finalizeUnconditionally):
1455         * runtime/StackFrame.h:
1456         (JSC::StackFrame::isMarked const):
1457         * runtime/Structure.cpp:
1458         (JSC::Structure::isCheapDuringGC):
1459         (JSC::Structure::markIfCheap):
1460         * runtime/Structure.h:
1461         * runtime/TypeProfiler.cpp:
1462         (JSC::TypeProfiler::invalidateTypeSetCache):
1463         * runtime/TypeProfiler.h:
1464         * runtime/TypeSet.cpp:
1465         (JSC::TypeSet::invalidateCache):
1466         * runtime/TypeSet.h:
1467         * runtime/WeakMapImpl.cpp:
1468         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
1469         * runtime/WeakMapImplInlines.h:
1470         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
1471
1472 2019-03-25  Keith Miller  <keith_miller@apple.com>
1473
1474         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
1475         https://bugs.webkit.org/show_bug.cgi?id=196176
1476
1477         Reviewed by Saam Barati.
1478
1479         convertToCompareEqPtr should allow for either CompareStrictEq or
1480         the SameValue DFG node. This fixes the old assertion that only
1481         allowed CompareStrictEq.
1482
1483         * dfg/DFGNode.h:
1484         (JSC::DFG::Node::convertToCompareEqPtr):
1485
1486 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
1487
1488         WebAssembly: f32.max with NaN generates incorrect result
1489         https://bugs.webkit.org/show_bug.cgi?id=175691
1490         <rdar://problem/33952228>
1491
1492         Reviewed by Saam Barati.
1493
1494         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
1495         case, we need an extra GreaterThan comparison on top of the existing
1496         Equal and LessThan ones.
1497
1498         * wasm/WasmAirIRGenerator.cpp:
1499         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
1500         * wasm/wasm.json:
1501
1502 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
1503
1504         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
1505         https://bugs.webkit.org/show_bug.cgi?id=195982
1506
1507         * jit/ExecutableAllocator.h:
1508         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
1509
1510 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1511
1512         Remove NavigatorContentUtils in WebCore/Modules
1513         https://bugs.webkit.org/show_bug.cgi?id=196070
1514
1515         Reviewed by Alex Christensen.
1516
1517         NavigatorContentUtils was to support the custom scheme spec [1].
1518         However, in WebKit side, no port has supported the feature in
1519         WebKit layer after EFL port was removed. So there has been the
1520         only IDL implementation of the NavigatorContentUtils in WebCore.
1521         So we don't need to keep the implementation in WebCore anymore.
1522
1523         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
1524
1525         * Configurations/FeatureDefines.xcconfig:
1526
1527 2019-03-23  Mark Lam  <mark.lam@apple.com>
1528
1529         Rolling out r243032 and r243071 because the fix is incorrect.
1530         https://bugs.webkit.org/show_bug.cgi?id=195892
1531         <rdar://problem/48981239>
1532
1533         Not reviewed.
1534
1535         The fix is incorrect: it relies on being able to determine liveness of an object
1536         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
1537         However, there's no guarantee that GC has run and that the MarkedBit is already
1538         set even if the object is live.  As a result, we may not re-install adaptive
1539         watchpoints based on presumed dead objects which are actually live.
1540
1541         I'm rolling this out, and will implement a more comprehensive fix to handle
1542         watchpoint liveness later.
1543
1544         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1545         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1546         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1547         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1548         * bytecode/ObjectPropertyCondition.cpp:
1549         (JSC::ObjectPropertyCondition::dumpInContext const):
1550         * bytecode/StructureStubClearingWatchpoint.cpp:
1551         (JSC::StructureStubClearingWatchpoint::fireInternal):
1552         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1553         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1554         * runtime/StructureRareData.cpp:
1555         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1556
1557 2019-03-23  Keith Miller  <keith_miller@apple.com>
1558
1559         Refactor clz/ctz and fix getLSBSet.
1560         https://bugs.webkit.org/show_bug.cgi?id=196162
1561
1562         Reviewed by Saam Barati.
1563
1564         Refactor references of clz32/64 and ctz32 to use clz and ctz,
1565         respectively.
1566
1567         * dfg/DFGAbstractInterpreterInlines.h:
1568         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1569         * dfg/DFGOperations.cpp:
1570         * runtime/JSBigInt.cpp:
1571         (JSC::JSBigInt::digitDiv):
1572         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
1573         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1574         (JSC::JSBigInt::toStringBasePowerOfTwo):
1575         (JSC::JSBigInt::compareToDouble):
1576         * runtime/MathObject.cpp:
1577         (JSC::mathProtoFuncClz32):
1578
1579 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
1580
1581         [JSC] Shrink sizeof(RegExp)
1582         https://bugs.webkit.org/show_bug.cgi?id=196133
1583
1584         Reviewed by Mark Lam.
1585
1586         Some applications have many RegExp cells. But RegExp cells are very large (144B).
1587         This patch reduces the size from 144B to 48B by,
1588
1589         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
1590         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when RegExp has named capture groups.
1591
1592         * runtime/RegExp.cpp:
1593         (JSC::RegExp::finishCreation):
1594         (JSC::RegExp::estimatedSize):
1595         (JSC::RegExp::compile):
1596         (JSC::RegExp::matchConcurrently):
1597         (JSC::RegExp::compileMatchOnly):
1598         (JSC::RegExp::deleteCode):
1599         (JSC::RegExp::printTraceData):
1600         * runtime/RegExp.h:
1601         * runtime/RegExpInlines.h:
1602         (JSC::RegExp::hasCodeFor):
1603         (JSC::RegExp::matchInline):
1604         (JSC::RegExp::hasMatchOnlyCodeFor):
1605
1606 2019-03-22  Keith Rollin  <krollin@apple.com>
1607
1608         Enable ThinLTO support in Production builds
1609         https://bugs.webkit.org/show_bug.cgi?id=190758
1610         <rdar://problem/45413233>
1611
1612         Reviewed by Daniel Bates.
1613
1614         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
1615         .xcconfig files with regards to LTO settings. However, don't actually
1616         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
1617         due to <rdar://problem/24543547>.
1618
1619         * Configurations/Base.xcconfig:
1620
1621 2019-03-22  Mark Lam  <mark.lam@apple.com>
1622
1623         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
1624         https://bugs.webkit.org/show_bug.cgi?id=196154
1625         <rdar://problem/49145307>
1626
1627         Reviewed by Filip Pizlo.
1628
1629         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1630         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1631
1632 2019-03-22  Mark Lam  <mark.lam@apple.com>
1633
1634         Placate exception check validation in constructJSWebAssemblyLinkError().
1635         https://bugs.webkit.org/show_bug.cgi?id=196152
1636         <rdar://problem/49145257>
1637
1638         Reviewed by Michael Saboff.
1639
1640         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1641         (JSC::constructJSWebAssemblyLinkError):
1642
1643 2019-03-22  Timothy Hatcher  <timothy@apple.com>
1644
1645         Change macosx() to macos() in WK_API... and JSC_API... macros.
1646         https://bugs.webkit.org/show_bug.cgi?id=196106
1647
1648         Reviewed by Brian Burg.
1649
1650         * API/JSBasePrivate.h:
1651         * API/JSContext.h:
1652         * API/JSContextPrivate.h:
1653         * API/JSContextRef.h:
1654         * API/JSContextRefInternal.h:
1655         * API/JSContextRefPrivate.h:
1656         * API/JSManagedValue.h:
1657         * API/JSObjectRef.h:
1658         * API/JSObjectRefPrivate.h:
1659         * API/JSRemoteInspector.h:
1660         * API/JSScript.h:
1661         * API/JSTypedArray.h:
1662         * API/JSValue.h:
1663         * API/JSValuePrivate.h:
1664         * API/JSValueRef.h:
1665         * API/JSVirtualMachinePrivate.h:
1666
1667 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
1668
1669         Unreviewed, build fix for Windows
1670         https://bugs.webkit.org/show_bug.cgi?id=196122
1671
1672         * runtime/FunctionExecutable.cpp:
1673
1674 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
1675
1676         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
1677         https://bugs.webkit.org/show_bug.cgi?id=196122
1678
1679         Reviewed by Saam Barati.
1680
1681         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
1682
1683         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
1684         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold it.
1685            This patch adds GlobalExecutable, which are non-function ScriptExecutables, and move m_lastLine and m_endColumn to this class.
1686         3. FunctionExecutable still needs to have the feature overriding m_lastLine and m_endColumn. We move overridden data in FunctionExecutable::RareData.
1687
1688         * CMakeLists.txt:
1689         * JavaScriptCore.xcodeproj/project.pbxproj:
1690         * Sources.txt:
1691         * bytecode/UnlinkedFunctionExecutable.cpp:
1692         (JSC::UnlinkedFunctionExecutable::link):
1693         * runtime/EvalExecutable.cpp:
1694         (JSC::EvalExecutable::EvalExecutable):
1695         * runtime/EvalExecutable.h:
1696         * runtime/FunctionExecutable.cpp:
1697         (JSC::FunctionExecutable::FunctionExecutable):
1698         (JSC::FunctionExecutable::ensureRareDataSlow):
1699         (JSC::FunctionExecutable::overrideInfo):
1700         * runtime/FunctionExecutable.h:
1701         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
1702         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
1703         (JSC::GlobalExecutable::lastLine const):
1704         (JSC::GlobalExecutable::endColumn const):
1705         (JSC::GlobalExecutable::recordParse):
1706         (JSC::GlobalExecutable::GlobalExecutable):
1707         * runtime/ModuleProgramExecutable.cpp:
1708         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1709         * runtime/ModuleProgramExecutable.h:
1710         * runtime/ProgramExecutable.cpp:
1711         (JSC::ProgramExecutable::ProgramExecutable):
1712         * runtime/ProgramExecutable.h:
1713         * runtime/ScriptExecutable.cpp:
1714         (JSC::ScriptExecutable::clearCode):
1715         (JSC::ScriptExecutable::installCode):
1716         (JSC::ScriptExecutable::hasClearableCode const):
1717         (JSC::ScriptExecutable::newCodeBlockFor):
1718         (JSC::ScriptExecutable::typeProfilingEndOffset const):
1719         (JSC::ScriptExecutable::recordParse):
1720         (JSC::ScriptExecutable::lastLine const):
1721         (JSC::ScriptExecutable::endColumn const):
1722         * runtime/ScriptExecutable.h:
1723         (JSC::ScriptExecutable::hasJITCodeForCall const):
1724         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1725         (JSC::ScriptExecutable::recordParse):
1726         (JSC::ScriptExecutable::lastLine const): Deleted.
1727         (JSC::ScriptExecutable::endColumn const): Deleted.
1728         * tools/FunctionOverrides.h:
1729
1730 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
1731
1732         [JSC] Shrink sizeof(RegExpObject)
1733         https://bugs.webkit.org/show_bug.cgi?id=196130
1734
1735         Reviewed by Saam Barati.
1736
1737         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into lower bit of RegExp* field so that we can make RegExpObject 32B.
1738         It saves memory footprint 1.3% in RAMification's regexp.
1739
1740         * dfg/DFGSpeculativeJIT.cpp:
1741         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1742         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
1743         * ftl/FTLAbstractHeapRepository.h:
1744         * ftl/FTLLowerDFGToB3.cpp:
1745         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1746         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1747         * runtime/RegExpObject.cpp:
1748         (JSC::RegExpObject::RegExpObject):
1749         (JSC::RegExpObject::visitChildren):
1750         (JSC::RegExpObject::getOwnPropertySlot):
1751         (JSC::RegExpObject::defineOwnProperty):
1752         * runtime/RegExpObject.h:
1753
1754 2019-03-21  Tomas Popela  <tpopela@redhat.com>
1755
1756         [JSC] Fix build after r243232 on unsupported 64bit architectures
1757         https://bugs.webkit.org/show_bug.cgi?id=196072
1758
1759         Reviewed by Keith Miller.
1760
1761         As Keith suggested we already expect 16 free bits at the top of any
1762         pointer for JSValue even for the unsupported 64 bit arches.
1763
1764         * bytecode/CodeOrigin.h:
1765
1766 2019-03-21  Mark Lam  <mark.lam@apple.com>
1767
1768         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
1769         https://bugs.webkit.org/show_bug.cgi?id=196116
1770         <rdar://problem/48976951>
1771
1772         Reviewed by Filip Pizlo.
1773
1774         The DFG backend should not make assumptions about what optimizations the front end
1775         will or will not do.  The assertion asserts that the operand cannot be known to be
1776         a cell.  However, it is not guaranteed that the front end will fold away this case.
1777         Also, the DFG backend is perfectly capable of generating code to handle the case
1778         where the operand is a cell.
1779
1780         The attached test case demonstrates a case where the operand can be a known cell.
1781         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
1782         trip up this assertion about once every 10 runs or so.
1783
1784         * dfg/DFGSpeculativeJIT64.cpp:
1785         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1786
1787 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
1788
1789         JSC::createError should clear exception thrown by errorDescriptionForValue
1790         https://bugs.webkit.org/show_bug.cgi?id=196089
1791
1792         Reviewed by Mark Lam.
1793
1794         errorDescriptionForValue returns a nullString in case of failure, but it
1795         might also throw an OOM exception when resolving a rope string. We need
1796         to clear any potential exceptions thrown by errorDescriptionForValue
1797         before returning the OOM from JSC::createError.
1798
1799         * runtime/ExceptionHelpers.cpp:
1800         (JSC::createError):
1801
1802 2019-03-21  Robin Morisset  <rmorisset@apple.com>
1803
1804         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
1805         https://bugs.webkit.org/show_bug.cgi?id=196014
1806
1807         Reviewed by Keith Miller.
1808
1809         B3::Opcode has less than one hundred cases, so it can easily fit in one byte (from two currently)
1810         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
1811         This in turns eliminate padding from B3::Value, shrinking it by 8 bytes (out of 80).
1812
1813         * b3/B3Opcode.h:
1814
1815 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
1816
1817         Unreviewed, more clang 3.8 build fixes
1818         https://bugs.webkit.org/show_bug.cgi?id=195947
1819         <rdar://problem/49069219>
1820
1821         In the spirit of making our code worse to please old compilers....
1822
1823         * bindings/ScriptValue.cpp:
1824         (Inspector::jsToInspectorValue):
1825         * bytecode/GetterSetterAccessCase.cpp:
1826         (JSC::GetterSetterAccessCase::create):
1827         (JSC::GetterSetterAccessCase::clone const):
1828         * bytecode/InstanceOfAccessCase.cpp:
1829         (JSC::InstanceOfAccessCase::clone const):
1830         * bytecode/IntrinsicGetterAccessCase.cpp:
1831         (JSC::IntrinsicGetterAccessCase::clone const):
1832         * bytecode/ModuleNamespaceAccessCase.cpp:
1833         (JSC::ModuleNamespaceAccessCase::clone const):
1834         * bytecode/ProxyableAccessCase.cpp:
1835         (JSC::ProxyableAccessCase::clone const):
1836
1837 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
1838
1839         [JSC] Do not create JIT related data under non-JIT mode
1840         https://bugs.webkit.org/show_bug.cgi?id=195982
1841
1842         Reviewed by Mark Lam.
1843
1844         We avoid creations of JIT related data structures under non-JIT mode.
1845         This patch removes the following allocations.
1846
1847         1. JITThunks
1848         2. FTLThunks
1849         3. FixedVMPoolExecutableAllocator
1850         4. noJITValueProfileSingleton since it is no longer used
1851         5. ARM disassembler should be initialized when it is used
1852         6. Wasm related data structures are accidentally allocated if VM::canUseJIT() == false &&
1853            Options::useWebAssembly() == true. Add Wasm::isSupported() function to check the both conditions.
1854
1855         * CMakeLists.txt:
1856         * JavaScriptCore.xcodeproj/project.pbxproj:
1857         * heap/Heap.cpp:
1858         (JSC::Heap::runEndPhase):
1859         * jit/ExecutableAllocator.cpp:
1860         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
1861         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
1862         (JSC::ExecutableAllocator::isValid const):
1863         (JSC::ExecutableAllocator::underMemoryPressure):
1864         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1865         (JSC::ExecutableAllocator::allocate):
1866         (JSC::ExecutableAllocator::isValidExecutableMemory):
1867         (JSC::ExecutableAllocator::getLock const):
1868         (JSC::ExecutableAllocator::committedByteCount):
1869         (JSC::ExecutableAllocator::dumpProfile):
1870         (JSC::startOfFixedExecutableMemoryPoolImpl):
1871         (JSC::endOfFixedExecutableMemoryPoolImpl):
1872         (JSC::ExecutableAllocator::initialize):
1873         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1874         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1875         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1876         * jit/ExecutableAllocator.h:
1877         (JSC::ExecutableAllocatorBase::isValid const):
1878         (JSC::ExecutableAllocatorBase::underMemoryPressure):
1879         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
1880         (JSC::ExecutableAllocatorBase::dumpProfile):
1881         (JSC::ExecutableAllocatorBase::allocate):
1882         (JSC::ExecutableAllocatorBase::setJITEnabled):
1883         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
1884         (JSC::ExecutableAllocatorBase::committedByteCount):
1885         (JSC::ExecutableAllocatorBase::getLock const):
1886         (JSC::ExecutableAllocator::isValid const): Deleted.
1887         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1888         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1889         (JSC::ExecutableAllocator::allocate): Deleted.
1890         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
1891         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1892         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1893         (JSC::ExecutableAllocator::getLock const): Deleted.
1894         * jsc.cpp:
1895         (functionWebAssemblyMemoryMode):
1896         * runtime/InitializeThreading.cpp:
1897         (JSC::initializeThreading):
1898         * runtime/JSGlobalObject.cpp:
1899         (JSC::JSGlobalObject::init):
1900         * runtime/JSLock.cpp:
1901         (JSC::JSLock::didAcquireLock):
1902         * runtime/Options.cpp:
1903         (JSC::recomputeDependentOptions):
1904         * runtime/VM.cpp:
1905         (JSC::enableAssembler):
1906         (JSC::VM::canUseAssembler):
1907         (JSC::VM::VM):
1908         * runtime/VM.h:
1909         * wasm/WasmCapabilities.h: Added.
1910         (JSC::Wasm::isSupported):
1911         * wasm/WasmFaultSignalHandler.cpp:
1912         (JSC::Wasm::enableFastMemory):
1913
1914 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
1915
1916         [JSC] Fix JSC build with newer ICU
1917         https://bugs.webkit.org/show_bug.cgi?id=196098
1918
1919         Reviewed by Keith Miller.
1920
1921         IntlDateTimeFormat and IntlNumberFormat have switch statement over ICU's enums. However it lacks "default" clause so that
1922         the compile error occurs when a new enum value is added in ICU side. We should have "default" clause which just fallbacks
1923         "unknown"_s case. The behavior is not changed since we already have `return "unknown"_s;` statement anyway after the
1924         switch statement. This patch just suppresses a compile error.
1925
1926         * runtime/IntlDateTimeFormat.cpp:
1927         (JSC::IntlDateTimeFormat::partTypeString):
1928         * runtime/IntlNumberFormat.cpp:
1929         (JSC::IntlNumberFormat::partTypeString):
1930
1931 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
1932
1933         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
1934         https://bugs.webkit.org/show_bug.cgi?id=196078
1935         <rdar://problem/35925380>
1936
1937         Reviewed by Mark Lam.
1938
1939         Unlike the other variations of putByIndex, it only checked if the index
1940         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
1941         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
1942         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
1943         from JSON.
1944
1945         * runtime/JSObject.cpp:
1946         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1947
1948 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
1949
1950         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
1951         https://bugs.webkit.org/show_bug.cgi?id=196079
1952
1953         Reviewed by Saam Barati.
1954
1955         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
1956
1957         * runtime/CachedTypes.cpp:
1958         (JSC::CachedUnlinkedSourceCodeShape::encode):
1959
1960 2019-03-21  Mark Lam  <mark.lam@apple.com>
1961
1962         Placate exception check validation in operationArrayIndexOfString().
1963         https://bugs.webkit.org/show_bug.cgi?id=196067
1964         <rdar://problem/49056572>
1965
1966         Reviewed by Michael Saboff.
1967
1968         * dfg/DFGOperations.cpp:
1969
1970 2019-03-21  Xan Lopez  <xan@igalia.com>
1971
1972         [JSC][x86] Drop support for x87 floating point
1973         https://bugs.webkit.org/show_bug.cgi?id=194853
1974
1975         Reviewed by Don Olmstead.
1976
1977         Require SSE2 throughout the codebase, and remove x87 support where
1978         it was optionally available. SSE2 detection happens at compile
1979         time through a static_assert.
1980
1981         * assembler/MacroAssemblerX86.h:
1982         (JSC::MacroAssemblerX86::storeDouble):
1983         (JSC::MacroAssemblerX86::moveDoubleToInts):
1984         (JSC::MacroAssemblerX86::supportsFloatingPoint):
1985         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
1986         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
1987         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
1988         * assembler/MacroAssemblerX86Common.cpp:
1989         * assembler/MacroAssemblerX86Common.h:
1990         (JSC::MacroAssemblerX86Common::moveDouble):
1991         (JSC::MacroAssemblerX86Common::loadDouble):
1992         (JSC::MacroAssemblerX86Common::loadFloat):
1993         (JSC::MacroAssemblerX86Common::storeDouble):
1994         (JSC::MacroAssemblerX86Common::storeFloat):
1995         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
1996         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
1997         (JSC::MacroAssemblerX86Common::addDouble):
1998         (JSC::MacroAssemblerX86Common::addFloat):
1999         (JSC::MacroAssemblerX86Common::divDouble):
2000         (JSC::MacroAssemblerX86Common::divFloat):
2001         (JSC::MacroAssemblerX86Common::subDouble):
2002         (JSC::MacroAssemblerX86Common::subFloat):
2003         (JSC::MacroAssemblerX86Common::mulDouble):
2004         (JSC::MacroAssemblerX86Common::mulFloat):
2005         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
2006         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
2007         (JSC::MacroAssemblerX86Common::branchDouble):
2008         (JSC::MacroAssemblerX86Common::branchFloat):
2009         (JSC::MacroAssemblerX86Common::compareDouble):
2010         (JSC::MacroAssemblerX86Common::compareFloat):
2011         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
2012         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
2013         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
2014         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
2015         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
2016         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
2017         (JSC::MacroAssemblerX86Common::lshiftPacked):
2018         (JSC::MacroAssemblerX86Common::rshiftPacked):
2019         (JSC::MacroAssemblerX86Common::orPacked):
2020         (JSC::MacroAssemblerX86Common::move32ToFloat):
2021         (JSC::MacroAssemblerX86Common::moveFloatTo32):
2022         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2023         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2024         * offlineasm/x86.rb:
2025         * runtime/MathCommon.cpp:
2026         (JSC::operationMathPow):
2027
2028 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2029
2030         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
2031         https://bugs.webkit.org/show_bug.cgi?id=196073
2032
2033         Reviewed by Michael Catanzaro.
2034
2035         This is because GClosure always expects a first parameter as instance. In case of functions or constructors with
2036         no parameters we insert a fake instance which is just a null pointer that is ignored by the callback. But
2037         if the function/constructor has user data the callback will expect one parameter for the user data. In that case
2038         we can simply swap instance/user data so that the fake instance will be the second argument and user data the
2039         first one.
2040
2041         * API/glib/JSCClass.cpp:
2042         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
2043         * API/glib/JSCValue.cpp:
2044         (jscValueFunctionCreate): Ditto.
2045
2046 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
2047
2048         [JSC][32-bit] Build failure after r243232
2049         https://bugs.webkit.org/show_bug.cgi?id=196068
2050
2051         Reviewed by Mark Lam.
2052
2053         * dfg/DFGOSRExit.cpp:
2054         (JSC::DFG::reifyInlinedCallFrames):
2055         * dfg/DFGOSRExitCompilerCommon.cpp:
2056         (JSC::DFG::reifyInlinedCallFrames):
2057
2058 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2059
2060         [GLib] Returning G_TYPE_OBJECT from a method does not work
2061         https://bugs.webkit.org/show_bug.cgi?id=195574
2062
2063         Reviewed by Michael Catanzaro.
2064
2065         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
2066
2067         * API/glib/JSCCallbackFunction.cpp:
2068         (JSC::JSCCallbackFunction::construct): Also allow to return boxed types from a constructor.
2069         * API/glib/JSCClass.cpp:
2070         * API/glib/JSCValue.cpp:
2071
2072 2019-03-21  Mark Lam  <mark.lam@apple.com>
2073
2074         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
2075         https://bugs.webkit.org/show_bug.cgi?id=196055
2076         <rdar://problem/49067448>
2077
2078         Reviewed by Yusuke Suzuki.
2079
2080         We are doing this because:
2081         1. We expect the array to be densely packed.
2082         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
2083            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
2084            if we don't want to use an ArrayStorage shape.
2085         3. There's no reason why an array with spread needs to be that large anyway.
2086            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
2087
2088         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
2089         emitAllocateButterfly() to check for overflows.
2090
2091         * assembler/AbortReason.h:
2092         * dfg/DFGOperations.cpp:
2093         * dfg/DFGSpeculativeJIT.cpp:
2094         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2095         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2096         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
2097         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2098         * ftl/FTLLowerDFGToB3.cpp:
2099         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2100         * runtime/ArrayConventions.h:
2101         * runtime/CommonSlowPaths.cpp:
2102         (JSC::SLOW_PATH_DECL):
2103
2104 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
2105
2106         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
2107         https://bugs.webkit.org/show_bug.cgi?id=195992
2108
2109         Reviewed by Keith Miller and Mark Lam.
2110
2111         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors while they are not inheriting JSDestructibleObject.
2112         But it is too costly since (1) it requires CompleteSubspace in VM, (2) both objects allocate MarkedBlocks while # of them are really small.
2113
2114         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
2115         memory / performance problems (actually, previously we used finalizer for ArrayPrototype due to the same reason, and it does not show any problems).
2116
2117         And we also add following two changes to JSSegmentedVariableObject.
2118
2119         1. Remove one boolean used for debugging in Release build. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
2120         2. Use cellLock() instead.
2121
2122         * CMakeLists.txt:
2123         * JavaScriptCore.xcodeproj/project.pbxproj:
2124         * Sources.txt:
2125         * runtime/JSSegmentedVariableObject.cpp:
2126         (JSC::JSSegmentedVariableObject::findVariableIndex):
2127         (JSC::JSSegmentedVariableObject::addVariables):
2128         (JSC::JSSegmentedVariableObject::visitChildren):
2129         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
2130         (JSC::JSSegmentedVariableObject::finishCreation):
2131         * runtime/JSSegmentedVariableObject.h:
2132         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
2133         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
2134         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
2135         * runtime/StringIteratorPrototype.cpp:
2136         * runtime/VM.cpp:
2137         (JSC::VM::VM):
2138         * runtime/VM.h:
2139
2140 2019-03-20  Saam Barati  <sbarati@apple.com>
2141
2142         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
2143         https://bugs.webkit.org/show_bug.cgi?id=195721
2144
2145         Reviewed by Filip Pizlo.
2146
2147         There was a check in AbstractValue::validateOSREntry where it checked
2148         if isHeapTop(), and if so, just returned true. However, this is wrong
2149         if the value we're checking against is the empty value, since HeapTop
2150         does not include the Empty value. Instead, this check should be
2151         isBytecodeTop(), which does account for the empty value.
2152         
2153         This patch also does a couple of other things:
2154         - For our OSR entry AbstractValues, we were using HeapTop to mark
2155          a dead value. That is now changed to BytecodeTop. (The idea here
2156          is just to have validateOSREntry return early.)
2157         - It wasn't obvious to me how I could make this fail in JS code.
2158          The symptom we'd end up seeing is something like a nullptr derefernece
2159          from forgetting to do a TDZ check. Instead, I've added a unit test.
2160          This unit test lives in a new test file: testdfg. testdfg is similar
2161          to testb3/testair/testapi.
2162
2163         * JavaScriptCore.xcodeproj/project.pbxproj:
2164         * bytecode/SpeculatedType.h:
2165         * dfg/DFGAbstractValue.h:
2166         (JSC::DFG::AbstractValue::isBytecodeTop const):
2167         (JSC::DFG::AbstractValue::validateOSREntryValue const):
2168         * dfg/testdfg.cpp: Added.
2169         (hiddenTruthBecauseNoReturnIsStupid):
2170         (usage):
2171         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
2172         (JSC::DFG::run):
2173         (run):
2174         (main):
2175         * shell/CMakeLists.txt:
2176
2177 2019-03-20  Saam Barati  <sbarati@apple.com>
2178
2179         typeOfDoubleSum is wrong for when NaN can be produced
2180         https://bugs.webkit.org/show_bug.cgi?id=196030
2181
2182         Reviewed by Filip Pizlo.
2183
2184         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
2185         It assumed that the only way the resulting type could be NaN is if one of
2186         the inputs were NaN. However, this is wrong. NaN can be produced in at least
2187         these cases:
2188           Infinity - Infinity
2189           Infinity + (-Infinity)
2190           Infinity * 0
2191
2192         * bytecode/SpeculatedType.cpp:
2193         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
2194         (JSC::typeOfDoubleSum):
2195         (JSC::typeOfDoubleDifference):
2196         (JSC::typeOfDoubleProduct):
2197
2198 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
2199
2200         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
2201         https://bugs.webkit.org/show_bug.cgi?id=196049
2202
2203         Reviewed by Tim Horton.
2204
2205         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
2206         overflow scrolling in general, so rename it.
2207
2208         * Configurations/FeatureDefines.xcconfig:
2209
2210 2019-03-20  Saam Barati  <sbarati@apple.com>
2211
2212         GetCallee does not report the correct type in AI
2213         https://bugs.webkit.org/show_bug.cgi?id=195981
2214
2215         Reviewed by Yusuke Suzuki.
2216
2217         I found this as part of my work in:
2218         https://bugs.webkit.org/show_bug.cgi?id=195924
2219         
2220         I'm not sure how to write a test for it.
2221         
2222         GetCallee was always reporting that the result is SpecFunction. However,
2223         for eval, it may result in just a JSCallee object, which is not a JSFunction.
2224
2225         * dfg/DFGAbstractInterpreterInlines.h:
2226         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2227
2228 2019-03-20  Mark Lam  <mark.lam@apple.com>
2229
2230         Open source arm64e code.
2231         https://bugs.webkit.org/show_bug.cgi?id=196012
2232         <rdar://problem/49066237>
2233
2234         Reviewed by Keith Miller.
2235
2236         * JavaScriptCore.xcodeproj/project.pbxproj:
2237         * Sources.txt:
2238         * assembler/ARM64EAssembler.h: Added.
2239         (JSC::ARM64EAssembler::encodeGroup1):
2240         (JSC::ARM64EAssembler::encodeGroup2):
2241         (JSC::ARM64EAssembler::encodeGroup4):
2242         (JSC::ARM64EAssembler::pacia1716):
2243         (JSC::ARM64EAssembler::pacib1716):
2244         (JSC::ARM64EAssembler::autia1716):
2245         (JSC::ARM64EAssembler::autib1716):
2246         (JSC::ARM64EAssembler::paciaz):
2247         (JSC::ARM64EAssembler::paciasp):
2248         (JSC::ARM64EAssembler::pacibz):
2249         (JSC::ARM64EAssembler::pacibsp):
2250         (JSC::ARM64EAssembler::autiaz):
2251         (JSC::ARM64EAssembler::autiasp):
2252         (JSC::ARM64EAssembler::autibz):
2253         (JSC::ARM64EAssembler::autibsp):
2254         (JSC::ARM64EAssembler::xpaclri):
2255         (JSC::ARM64EAssembler::pacia):
2256         (JSC::ARM64EAssembler::pacib):
2257         (JSC::ARM64EAssembler::pacda):
2258         (JSC::ARM64EAssembler::pacdb):
2259         (JSC::ARM64EAssembler::autia):
2260         (JSC::ARM64EAssembler::autib):
2261         (JSC::ARM64EAssembler::autda):
2262         (JSC::ARM64EAssembler::autdb):
2263         (JSC::ARM64EAssembler::paciza):
2264         (JSC::ARM64EAssembler::pacizb):
2265         (JSC::ARM64EAssembler::pacdza):
2266         (JSC::ARM64EAssembler::pacdzb):
2267         (JSC::ARM64EAssembler::autiza):
2268         (JSC::ARM64EAssembler::autizb):
2269         (JSC::ARM64EAssembler::autdza):
2270         (JSC::ARM64EAssembler::autdzb):
2271         (JSC::ARM64EAssembler::xpaci):
2272         (JSC::ARM64EAssembler::xpacd):
2273         (JSC::ARM64EAssembler::pacga):
2274         (JSC::ARM64EAssembler::braa):
2275         (JSC::ARM64EAssembler::brab):
2276         (JSC::ARM64EAssembler::blraa):
2277         (JSC::ARM64EAssembler::blrab):
2278         (JSC::ARM64EAssembler::braaz):
2279         (JSC::ARM64EAssembler::brabz):
2280         (JSC::ARM64EAssembler::blraaz):
2281         (JSC::ARM64EAssembler::blrabz):
2282         (JSC::ARM64EAssembler::retaa):
2283         (JSC::ARM64EAssembler::retab):
2284         (JSC::ARM64EAssembler::eretaa):
2285         (JSC::ARM64EAssembler::eretab):
2286         (JSC::ARM64EAssembler::linkPointer):
2287         (JSC::ARM64EAssembler::repatchPointer):
2288         (JSC::ARM64EAssembler::setPointer):
2289         (JSC::ARM64EAssembler::readPointer):
2290         (JSC::ARM64EAssembler::readCallTarget):
2291         (JSC::ARM64EAssembler::ret):
2292         * assembler/MacroAssembler.cpp:
2293         * assembler/MacroAssembler.h:
2294         * assembler/MacroAssemblerARM64.cpp:
2295         * assembler/MacroAssemblerARM64E.h: Added.
2296         (JSC::MacroAssemblerARM64E::tagReturnAddress):
2297         (JSC::MacroAssemblerARM64E::untagReturnAddress):
2298         (JSC::MacroAssemblerARM64E::tagPtr):
2299         (JSC::MacroAssemblerARM64E::untagPtr):
2300         (JSC::MacroAssemblerARM64E::removePtrTag):
2301         (JSC::MacroAssemblerARM64E::callTrustedPtr):
2302         (JSC::MacroAssemblerARM64E::call):
2303         (JSC::MacroAssemblerARM64E::callRegister):
2304         (JSC::MacroAssemblerARM64E::jump):
2305         * dfg/DFGOSRExit.cpp:
2306         (JSC::DFG::reifyInlinedCallFrames):
2307         * dfg/DFGOSRExitCompilerCommon.cpp:
2308         (JSC::DFG::reifyInlinedCallFrames):
2309         * ftl/FTLThunks.cpp:
2310         (JSC::FTL::genericGenerationThunkGenerator):
2311         * jit/CCallHelpers.h:
2312         (JSC::CCallHelpers::prepareForTailCallSlow):
2313         * jit/CallFrameShuffler.cpp:
2314         (JSC::CallFrameShuffler::prepareForTailCall):
2315         * jit/ExecutableAllocator.cpp:
2316         (JSC::ExecutableAllocator::allocate):
2317         * jit/ThunkGenerators.cpp:
2318         (JSC::arityFixupGenerator):
2319         * llint/LLIntOfflineAsmConfig.h:
2320         * llint/LowLevelInterpreter.asm:
2321         * llint/LowLevelInterpreter64.asm:
2322         * runtime/ClassInfo.h:
2323         * runtime/InitializeThreading.cpp:
2324         (JSC::initializeThreading):
2325         * runtime/JSCPtrTag.cpp: Added.
2326         (JSC::tagForPtr):
2327         (JSC::ptrTagName):
2328         (JSC::initializePtrTagLookup):
2329         * runtime/JSCPtrTag.h:
2330         (JSC::initializePtrTagLookup):
2331         * runtime/Options.cpp:
2332         (JSC::recomputeDependentOptions):
2333
2334 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
2335
2336         JSC::createError needs to check for OOM in errorDescriptionForValue
2337         https://bugs.webkit.org/show_bug.cgi?id=196032
2338         <rdar://problem/46842740>
2339
2340         Reviewed by Mark Lam.
2341
2342         We were missing exceptions checks at two levels:
2343         - In errorDescriptionForValue, when the value is a string, we should
2344           check that JSString::value returns a valid string, since we might run
2345           out of memory if it is a rope and we need to resolve it.
2346         - In createError, we should check for the result of errorDescriptionForValue
2347           before concatenating it with the message provided by the caller.
2348
2349         * runtime/ExceptionHelpers.cpp:
2350         (JSC::errorDescriptionForValue):
2351         (JSC::createError):
2352         * runtime/ExceptionHelpers.h:
2353
2354 2019-03-20  Devin Rousso  <drousso@apple.com>
2355
2356         Web Inspector: DOM: include window as part of any event listener chain
2357         https://bugs.webkit.org/show_bug.cgi?id=195730
2358         <rdar://problem/48916872>
2359
2360         Reviewed by Timothy Hatcher.
2361
2362         * inspector/protocol/DOM.json:
2363         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
2364         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
2365         when the event listener was retrieved from the `window` object.
2366
2367 2019-03-20  Devin Rousso  <drousso@apple.com>
2368
2369         Web Inspector: Runtime: lazily create the agent
2370         https://bugs.webkit.org/show_bug.cgi?id=195972
2371         <rdar://problem/49039655>
2372
2373         Reviewed by Timothy Hatcher.
2374
2375         * inspector/JSGlobalObjectInspectorController.cpp:
2376         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2377         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2378
2379         * inspector/agents/InspectorRuntimeAgent.h:
2380         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
2381         * inspector/agents/InspectorRuntimeAgent.cpp:
2382         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
2383         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2384
2385         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2386         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2387         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
2388
2389 2019-03-20  Michael Saboff  <msaboff@apple.com>
2390
2391         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
2392         https://bugs.webkit.org/show_bug.cgi?id=195906
2393
2394         Reviewed by Mark Lam.
2395
2396         The problem here as that we may successfully parsed a RegExp without running out of stack,
2397         but later run out of stack when trying to JIT compile the same expression.
2398
2399         Added a check for available stack space when we call into one of the parenthesis compilation
2400         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
2401         compilation and let the interpreter handle the expression.
2402
2403         From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
2404         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
2405         Given that we can reproduce a failure, this is sufficient for now.
2406
2407         This change is covered by the previously added failing test,
2408         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
2409
2410         * yarr/YarrInterpreter.cpp:
2411         (JSC::Yarr::Interpreter::interpret):
2412         * yarr/YarrJIT.cpp:
2413         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2414         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2415         (JSC::Yarr::YarrGenerator::opCompileBody):
2416         (JSC::Yarr::dumpCompileFailure):
2417         * yarr/YarrJIT.h:
2418
2419 2019-03-20  Robin Morisset  <rmorisset@apple.com>
2420
2421         DFGNodeAllocator.h is dead code
2422         https://bugs.webkit.org/show_bug.cgi?id=196019
2423
2424         Reviewed by Yusuke Suzuki.
2425
2426         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
2427         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
2428
2429         * dfg/DFGNode.h:
2430         (JSC::DFG::Node::dumpChildren):
2431         * dfg/DFGNodeAllocator.h: Removed.
2432
2433 2019-03-20  Robin Morisset  <rmorisset@apple.com>
2434
2435         Compress CodeOrigin into a single word in the common case
2436         https://bugs.webkit.org/show_bug.cgi?id=195928
2437
2438         Reviewed by Saam Barati.
2439
2440         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
2441         So we can shove the bytecode index in the top bits almost all the time.
2442         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
2443         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least signifcant bit.
2444
2445         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
2446
2447         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
2448         As a reference, during running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
2449         improvement to RAMification from this work.
2450
2451         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
2452
2453         * bytecode/ByValInfo.h:
2454         * bytecode/CallLinkStatus.cpp:
2455         (JSC::CallLinkStatus::computeFor):
2456         * bytecode/CodeBlock.cpp:
2457         (JSC::CodeBlock::globalObjectFor):
2458         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2459         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2460         * bytecode/CodeOrigin.cpp:
2461         (JSC::CodeOrigin::inlineDepth const):
2462         (JSC::CodeOrigin::isApproximatelyEqualTo const):
2463         (JSC::CodeOrigin::approximateHash const):
2464         (JSC::CodeOrigin::inlineStack const):
2465         (JSC::CodeOrigin::codeOriginOwner const):
2466         (JSC::CodeOrigin::stackOffset const):
2467         (JSC::CodeOrigin::dump const):
2468         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
2469         * bytecode/CodeOrigin.h:
2470         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
2471         (JSC::CodeOrigin::CodeOrigin):
2472         (JSC::CodeOrigin::~CodeOrigin):
2473         (JSC::CodeOrigin::isSet const):
2474         (JSC::CodeOrigin::isHashTableDeletedValue const):
2475         (JSC::CodeOrigin::bytecodeIndex const):
2476         (JSC::CodeOrigin::inlineCallFrame const):
2477         (JSC::CodeOrigin::buildCompositeValue):
2478         (JSC::CodeOrigin::hash const):
2479         (JSC::CodeOrigin::operator== const):
2480         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
2481         * bytecode/DeferredSourceDump.h:
2482         * bytecode/GetByIdStatus.cpp:
2483         (JSC::GetByIdStatus::computeForStubInfo):
2484         (JSC::GetByIdStatus::computeFor):
2485         * bytecode/ICStatusMap.cpp:
2486         (JSC::ICStatusContext::isInlined const):
2487         * bytecode/InByIdStatus.cpp:
2488         (JSC::InByIdStatus::computeFor):
2489         (JSC::InByIdStatus::computeForStubInfo):
2490         * bytecode/InlineCallFrame.cpp:
2491         (JSC::InlineCallFrame::dumpInContext const):
2492         * bytecode/InlineCallFrame.h:
2493         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
2494         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
2495         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2496         (JSC::CodeOrigin::walkUpInlineStack):
2497         * bytecode/InstanceOfStatus.h:
2498         * bytecode/PutByIdStatus.cpp:
2499         (JSC::PutByIdStatus::computeForStubInfo):
2500         (JSC::PutByIdStatus::computeFor):
2501         * dfg/DFGAbstractInterpreterInlines.h:
2502         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2503         * dfg/DFGArgumentsEliminationPhase.cpp:
2504         * dfg/DFGArgumentsUtilities.cpp:
2505         (JSC::DFG::argumentsInvolveStackSlot):
2506         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2507         * dfg/DFGArrayMode.h:
2508         * dfg/DFGByteCodeParser.cpp:
2509         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
2510         (JSC::DFG::ByteCodeParser::setLocal):
2511         (JSC::DFG::ByteCodeParser::setArgument):
2512         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2513         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2514         (JSC::DFG::ByteCodeParser::parseBlock):
2515         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2516         (JSC::DFG::ByteCodeParser::handlePutByVal):
2517         * dfg/DFGClobberize.h:
2518         (JSC::DFG::clobberize):
2519         * dfg/DFGConstantFoldingPhase.cpp:
2520         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2521         * dfg/DFGFixupPhase.cpp:
2522         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2523         * dfg/DFGForAllKills.h:
2524         (JSC::DFG::forAllKilledOperands):
2525         * dfg/DFGGraph.cpp:
2526         (JSC::DFG::Graph::dumpCodeOrigin):
2527         (JSC::DFG::Graph::dump):
2528         (JSC::DFG::Graph::isLiveInBytecode):
2529         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2530         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
2531         * dfg/DFGGraph.h:
2532         (JSC::DFG::Graph::executableFor):
2533         (JSC::DFG::Graph::isStrictModeFor):
2534         (JSC::DFG::Graph::hasExitSite):
2535         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2536         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2537         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
2538         * dfg/DFGMinifiedNode.cpp:
2539         (JSC::DFG::MinifiedNode::fromNode):
2540         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2541         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2542         * dfg/DFGOSRExit.cpp:
2543         (JSC::DFG::OSRExit::executeOSRExit):
2544         (JSC::DFG::reifyInlinedCallFrames):
2545         (JSC::DFG::adjustAndJumpToTarget):
2546         (JSC::DFG::printOSRExit):
2547         (JSC::DFG::OSRExit::compileExit):
2548         * dfg/DFGOSRExitBase.cpp:
2549         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2550         * dfg/DFGOSRExitCompilerCommon.cpp:
2551         (JSC::DFG::handleExitCounts):
2552         (JSC::DFG::reifyInlinedCallFrames):
2553         (JSC::DFG::adjustAndJumpToTarget):
2554         * dfg/DFGOSRExitPreparation.cpp:
2555         (JSC::DFG::prepareCodeOriginForOSRExit):
2556         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2557         * dfg/DFGOperations.cpp:
2558         * dfg/DFGPreciseLocalClobberize.h:
2559         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2560         * dfg/DFGSpeculativeJIT.cpp:
2561         (JSC::DFG::SpeculativeJIT::emitGetLength):
2562         (JSC::DFG::SpeculativeJIT::emitGetCallee):
2563         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2564         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2565         (JSC::DFG::SpeculativeJIT::compileValueSub):
2566         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2567         (JSC::DFG::SpeculativeJIT::compileValueMul):
2568         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
2569         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2570         * dfg/DFGSpeculativeJIT32_64.cpp:
2571         (JSC::DFG::SpeculativeJIT::emitCall):
2572         * dfg/DFGSpeculativeJIT64.cpp:
2573         (JSC::DFG::SpeculativeJIT::emitCall):
2574         (JSC::DFG::SpeculativeJIT::compile):
2575         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2576         (JSC::DFG::TierUpCheckInjectionPhase::run):
2577         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
2578         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
2579         * dfg/DFGTypeCheckHoistingPhase.cpp:
2580         (JSC::DFG::TypeCheckHoistingPhase::run):
2581         * dfg/DFGVariableEventStream.cpp:
2582         (JSC::DFG::VariableEventStream::reconstruct const):
2583         * ftl/FTLLowerDFGToB3.cpp:
2584         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2585         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
2586         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
2587         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2588         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
2589         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2590         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2591         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2592         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2593         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2594         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
2595         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
2596         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
2597         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
2598         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
2599         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
2600         * ftl/FTLOSRExitCompiler.cpp:
2601         (JSC::FTL::compileStub):
2602         * ftl/FTLOperations.cpp:
2603         (JSC::FTL::operationMaterializeObjectInOSR):
2604         * interpreter/CallFrame.cpp:
2605         (JSC::CallFrame::bytecodeOffset):
2606         * interpreter/StackVisitor.cpp:
2607         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
2608         (JSC::StackVisitor::readFrame):
2609         (JSC::StackVisitor::readNonInlinedFrame):
2610         (JSC::inlinedFrameOffset):
2611         (JSC::StackVisitor::readInlinedFrame):
2612         * interpreter/StackVisitor.h:
2613         * jit/AssemblyHelpers.cpp:
2614         (JSC::AssemblyHelpers::executableFor):
2615         * jit/AssemblyHelpers.h:
2616         (JSC::AssemblyHelpers::isStrictModeFor):
2617         (JSC::AssemblyHelpers::argumentsStart):
2618         (JSC::AssemblyHelpers::argumentCount):
2619         * jit/PCToCodeOriginMap.cpp:
2620         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2621         (JSC::PCToCodeOriginMap::findPC const):
2622         * profiler/ProfilerOriginStack.cpp:
2623         (JSC::Profiler::OriginStack::OriginStack):
2624         * profiler/ProfilerOriginStack.h:
2625         * runtime/ErrorInstance.cpp:
2626         (JSC::appendSourceToError):
2627         * runtime/SamplingProfiler.cpp:
2628         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2629
2630 2019-03-20  Devin Rousso  <drousso@apple.com>
2631
2632         Web Inspector: Search: allow DOM searches to be case sensitive
2633         https://bugs.webkit.org/show_bug.cgi?id=194673
2634         <rdar://problem/48087577>
2635
2636         Reviewed by Timothy Hatcher.
2637
2638         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
2639         as unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
2640         as although the literal node name ("BODY") didn't match, it did match via selector/XPath.
2641
2642         * inspector/protocol/DOM.json:
2643         Allow `DOM.performSearch` to be case sensitive.
2644
2645 2019-03-20  Saam Barati  <sbarati@apple.com>
2646
2647         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
2648         https://bugs.webkit.org/show_bug.cgi?id=195980
2649
2650         Reviewed by Yusuke Suzuki.
2651
2652         They were all saying they could be type: (SpecBoolInt32, SpecBigInt)
2653         However, they should have been type: (SpecInt32Only, SpecBigInt)
2654
2655         * dfg/DFGAbstractInterpreterInlines.h:
2656         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2657
2658 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
2659
2660         Remove copyRef() calls added in r243163
2661         https://bugs.webkit.org/show_bug.cgi?id=195962
2662
2663         Reviewed by Chris Dumez.
2664
2665         As best I can tell, may be a GCC 9 bug. It shouldn't warn about this case because the return
2666         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
2667         without refcount churn by introducing an intermediate variable.
2668
2669         * inspector/scripts/codegen/cpp_generator_templates.py:
2670
2671 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
2672
2673         [GLIB] Optimize jsc_value_object_define_property_data|accessor
2674         https://bugs.webkit.org/show_bug.cgi?id=195679
2675
2676         Reviewed by Saam Barati.
2677
2678         Use direct C++ call instead of using the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
2679
2680         * API/glib/JSCValue.cpp:
2681         (jsc_value_object_define_property_data):
2682         (jsc_value_object_define_property_accessor):
2683
2684 2019-03-19  Devin Rousso  <drousso@apple.com>
2685
2686         Web Inspector: Debugger: lazily create the agent
2687         https://bugs.webkit.org/show_bug.cgi?id=195973
2688         <rdar://problem/49039674>
2689
2690         Reviewed by Joseph Pecoraro.
2691
2692         * inspector/JSGlobalObjectInspectorController.cpp:
2693         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2694         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
2695         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2696
2697         * inspector/JSGlobalObjectConsoleClient.h:
2698         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
2699         * inspector/JSGlobalObjectConsoleClient.cpp:
2700         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
2701         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2702         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2703
2704         * inspector/agents/InspectorDebuggerAgent.h:
2705         (Inspector::InspectorDebuggerAgent::addListener): Added.
2706         (Inspector::InspectorDebuggerAgent::removeListener): Added.
2707         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
2708         * inspector/agents/InspectorDebuggerAgent.cpp:
2709         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
2710         (Inspector::InspectorDebuggerAgent::enable):
2711         (Inspector::InspectorDebuggerAgent::disable):
2712         (Inspector::InspectorDebuggerAgent::getScriptSource):
2713         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2714         (Inspector::InspectorDebuggerAgent::didPause):
2715         (Inspector::InspectorDebuggerAgent::breakProgram):
2716         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2717         Drive-by: reorder some member variables for better sizing.
2718         Drive-by: rename some member variables for clarity.
2719
2720 2019-03-19  Saam barati  <sbarati@apple.com>
2721
2722         Prune code after ForceOSRExit
2723         https://bugs.webkit.org/show_bug.cgi?id=195913
2724
2725         Reviewed by Keith Miller.
2726
2727         I removed our original implementation of this in r242989 because
2728         it was not sound. It broke backwards propagation because it removed
2729         uses of a node that backwards propagation relied on to be sound.
2730         Essentially, backwards propagation relies on being able to see uses
2731         that would exist in bytecode to be sound.
2732         
2733         The rollout in r242989 was a 1% Speedometer2 regression. This patch
2734         rolls back in the optimization in a sound way.
2735         
2736         This patch augments the code we had prior to r242989 to be sound. In
2737         addition to preserving liveness, we now also convert all uses after
2738         the ForceOSRExit to be Phantom. This may pessimize the optimizations
2739         we do in backwards propagation, but it will prevent that phase from
2740         making unsound optimizations.
2741
2742         * dfg/DFGByteCodeParser.cpp:
2743         (JSC::DFG::ByteCodeParser::addToGraph):
2744         (JSC::DFG::ByteCodeParser::parse):
2745
2746 2019-03-19  Michael Catanzaro  <mcatanzaro@igalia.com>
2747
2748         Build cleanly with GCC 9
2749         https://bugs.webkit.org/show_bug.cgi?id=195920
2750
2751         Reviewed by Chris Dumez.
2752
2753         WebKit triggers three new GCC 9 warnings:
2754
2755         """
2756         -Wdeprecated-copy, implied by -Wextra, warns about the C++11 deprecation of implicitly
2757         declared copy constructor and assignment operator if one of them is user-provided.
2758         """
2759
2760         Solution is to either add a copy constructor or copy assignment operator, if required, or
2761         else remove one if it is redundant.
2762
2763         """
2764         -Wredundant-move, implied by -Wextra, warns about redundant calls to std::move.
2765         -Wpessimizing-move, implied by -Wall, warns when a call to std::move prevents copy elision.
2766         """
2767
2768         These account for most of this patch. Solution is to just remove the bad WTFMove().
2769
2770         Additionally, -Wclass-memaccess has been enhanced to catch a few cases that GCC 8 didn't.
2771         These are solved by casting nontrivial types to void* before using memcpy. (Of course, it
2772         would be safer to not use memcpy on nontrivial types, but that's too complex for this
2773         patch. Searching for memcpy used with static_cast<void*> will reveal other cases to fix.)
2774
2775         * b3/B3ValueRep.h:
2776         * bindings/ScriptValue.cpp:
2777         (Inspector::jsToInspectorValue):
2778         * bytecode/GetterSetterAccessCase.cpp:
2779         (JSC::GetterSetterAccessCase::create):
2780         (JSC::GetterSetterAccessCase::clone const):
2781         * bytecode/InstanceOfAccessCase.cpp:
2782         (JSC::InstanceOfAccessCase::clone const):
2783         * bytecode/IntrinsicGetterAccessCase.cpp:
2784         (JSC::IntrinsicGetterAccessCase::clone const):
2785         * bytecode/ModuleNamespaceAccessCase.cpp:
2786         (JSC::ModuleNamespaceAccessCase::clone const):
2787         * bytecode/ProxyableAccessCase.cpp:
2788         (JSC::ProxyableAccessCase::clone const):
2789         * bytecode/StructureSet.h:
2790         * debugger/Breakpoint.h:
2791         * dfg/DFGRegisteredStructureSet.h:
2792         * inspector/agents/InspectorDebuggerAgent.cpp:
2793         (Inspector::buildDebuggerLocation):
2794         * inspector/scripts/codegen/cpp_generator_templates.py:
2795         * parser/UnlinkedSourceCode.h:
2796         * wasm/WasmAirIRGenerator.cpp:
2797         (JSC::Wasm::parseAndCompileAir):
2798         * wasm/WasmB3IRGenerator.cpp:
2799         (JSC::Wasm::parseAndCompile):
2800         * wasm/WasmNameSectionParser.cpp:
2801         (JSC::Wasm::NameSectionParser::parse):
2802         * wasm/WasmStreamingParser.cpp:
2803         (JSC::Wasm::StreamingParser::consume):
2804
2805 2019-03-19  Saam Barati  <sbarati@apple.com>
2806
2807         Style fix: remove C style cast in Instruction.h
2808         https://bugs.webkit.org/show_bug.cgi?id=195917
2809
2810         Reviewed by Filip Pizlo.
2811
2812         * bytecode/Instruction.h:
2813         (JSC::Instruction::wide const):
2814
2815 2019-03-19  Devin Rousso  <drousso@apple.com>
2816
2817         Web Inspector: Provide $event in the console when paused on an event listener
2818         https://bugs.webkit.org/show_bug.cgi?id=188672
2819
2820         Reviewed by Timothy Hatcher.
2821
2822         * inspector/InjectedScript.h:
2823         * inspector/InjectedScript.cpp:
2824         (Inspector::InjectedScript::setEventValue): Added.
2825         (Inspector::InjectedScript::clearEventValue): Added.
2826
2827         * inspector/InjectedScriptManager.h:
2828         * inspector/InjectedScriptManager.cpp:
2829         (Inspector::InjectedScriptManager::clearEventValue): Added.
2830
2831         * inspector/InjectedScriptSource.js:
2832         (WI.InjectedScript.prototype.setEventValue): Added.
2833         (WI.InjectedScript.prototype.clearEventValue): Added.
2834         (BasicCommandLineAPI):
2835
2836 2019-03-19  Devin Rousso  <drousso@apple.com>
2837
2838         Web Inspector: ScriptProfiler: lazily create the agent
2839         https://bugs.webkit.org/show_bug.cgi?id=195591
2840         <rdar://problem/48791756>
2841
2842         Reviewed by Joseph Pecoraro.
2843
2844         * inspector/JSGlobalObjectConsoleClient.h:
2845         (Inspector::JSGlobalObjectConsoleClient::setInspectorScriptProfilerAgent): Added.
2846         * inspector/JSGlobalObjectConsoleClient.cpp:
2847         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
2848         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2849         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2850
2851         * inspector/JSGlobalObjectInspectorController.cpp:
2852         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2853         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2854
2855 2019-03-19  Devin Rousso  <drousso@apple.com>
2856
2857         Web Inspector: Heap: lazily create the agent
2858         https://bugs.webkit.org/show_bug.cgi?id=195590
2859         <rdar://problem/48791750>
2860
2861         Reviewed by Joseph Pecoraro.
2862
2863         * inspector/agents/InspectorHeapAgent.h:
2864         * inspector/agents/InspectorHeapAgent.cpp:
2865         (Inspector::InspectorHeapAgent::~InspectorHeapAgent): Deleted.
2866
2867         * inspector/agents/InspectorConsoleAgent.h:
2868         (Inspector::InspectorConsoleAgent::setInspectorHeapAgent): Added.
2869         * inspector/agents/InspectorConsoleAgent.cpp:
2870         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
2871         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
2872         (Inspector::InspectorConsoleAgent::~InspectorConsoleAgent): Deleted.
2873
2874         * inspector/JSGlobalObjectInspectorController.cpp:
2875         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2876         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
2877
2878 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
2879
2880         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
2881         https://bugs.webkit.org/show_bug.cgi?id=194648
2882
2883         Reviewed by Keith Miller.
2884
2885         1. Making LLIntThunks singleton. 
2886
2887         Motivation: Former implementation has one LLIntThunk per type per VM.
2888         However, the generated code for every kind of thunk is essentially the
2889         same and we end up wasting memory (right now jitAllocationGranule = 32 bytes)
2890         when we have 2 or more VM instantiated. Turn these thunks into
2891         singleton will avoid such wasting.
2892
2893         Tradeoff: This change comes with a price, because we will keep thunks
2894         allocated even when there is no VM instantiated. Considering WebCore use case,
2895         the situation of having no VM instantiated is uncommon, since once a
2896         VM is created through `commomVM()`, it will never be destroyed. Given
2897         that, this change does not impact the overall memory comsumption of
2898         WebCore/JSC. It also doesn't impact memory footprint, since thunks are
2899         generated lazily (see results below).
2900
2901         Since we are keeping a static `MacroAssemblerCodeRef<JITThunkPtrTag>`,
2902         we have the assurance that JITed code will never be deallocated,
2903         given it is being pointed by `RefPtr<ExecutableMemoryHandle> m_executableMemory`.
2904         To understand why we decided to make LLIntThunks singleton instead of
2905         removing them, please see the comment on `llint/LLIntThunks.cpp`.
2906
2907         2. Making all LLIntEntrypoints singleton
2908
2909         Motivation: With singleton LLIntThunks, we also can have singleton
2910         DirectJITCodes and NativeJITCodes for each LLIntEntrypoint type and
2911         avoid multiple allocations of objects with the same content.
2912
2913         Tradeoff: As explained before, once we allocate an entrypoint, it
2914         will be alive until the program exits. However, the gains we can
2915         achieve in some use cases justifies such allocations.
2916
2917         As DirectJITCode and NativeJITCode are ThreadSafeRefCounted and we are using
2918         `codeBlock->setJITCode(makeRef(*jitCode))`, their reference counter
2919         will never be less than 1.
2920
2921         3. Memory usage analysis
2922
2923         This change reduces memory usage on stress/generate-multiple-llint-entrypoints.js
2924         by 2% and is neutral on JetStream 2. Following results were generated
2925         running each benchmark 6 times and using 95% Student's t distribution
2926         confidence interval.
2927
2928         microbenchmarks/generate-multiple-llint-entrypoints.js (Changes uses less memory): 
2929             Mean of memory peak on ToT: 122576896 bytes (confidence interval: 67747.2316)
2930             Mean of memory peak on Changes: 119248213.33 bytes (confidence interval: 50251.2718)
2931
2932         JetStream2 (Neutral):
2933             Mean of memory peak on ToT: 5442742272 bytes (confidence interval: 134381565.9117)
2934             Mean of memory peak on Changes: 5384949760 bytes (confidence interval: 158413904.8352)
2935
2936         4. Performance Analysis
2937
2938         This change is performance neutral on JetStream 2 and Speedometer 2.
2939         See results below.:
2940
2941         JetStream 2 (Neutral):
2942             Mean of score on ToT: 139.58 (confidence interval: 2.44)
2943             Mean of score on Changes: 141.46 (confidence interval: 4.24)
2944
2945         Speedometer run #1
2946            ToT: 110 +- 2.9
2947            Changes: 110 +- 1.8
2948
2949         Speedometer run #2
2950            ToT: 110 +- 1.6
2951            Changes: 108 +- 2.3
2952
2953         Speedometer run #3
2954            ToT: 110 +- 3.0
2955            Changes: 110 +- 1.4
2956
2957         * jit/JSInterfaceJIT.h:
2958         (JSC::JSInterfaceJIT::JSInterfaceJIT):
2959         * llint/LLIntEntrypoint.cpp:
2960
2961         Here we are changing the usage or DirectJITCode by NativeJITCode on cases
2962         where there is no difference from address of calls with and without
2963         ArithCheck.
2964
2965         (JSC::LLInt::setFunctionEntrypoint):
2966         (JSC::LLInt::setEvalEntrypoint):
2967         (JSC::LLInt::setProgramEntrypoint):
2968         (JSC::LLInt::setModuleProgramEntrypoint):
2969         (JSC::LLInt::setEntrypoint):
2970         * llint/LLIntEntrypoint.h:
2971         * llint/LLIntThunks.cpp:
2972         (JSC::LLInt::generateThunkWithJumpTo):
2973         (JSC::LLInt::functionForCallEntryThunk):
2974         (JSC::LLInt::functionForConstructEntryThunk):
2975         (JSC::LLInt::functionForCallArityCheckThunk):
2976         (JSC::LLInt::functionForConstructArityCheckThunk):
2977         (JSC::LLInt::evalEntryThunk):
2978         (JSC::LLInt::programEntryThunk):
2979         (JSC::LLInt::moduleProgramEntryThunk):
2980         (JSC::LLInt::functionForCallEntryThunkGenerator): Deleted.
2981         (JSC::LLInt::functionForConstructEntryThunkGenerator): Deleted.
2982         (JSC::LLInt::functionForCallArityCheckThunkGenerator): Deleted.
2983         (JSC::LLInt::functionForConstructArityCheckThunkGenerator): Deleted.
2984         (JSC::LLInt::evalEntryThunkGenerator): Deleted.
2985         (JSC::LLInt::programEntryThunkGenerator): Deleted.
2986         (JSC::LLInt::moduleProgramEntryThunkGenerator): Deleted.
2987         * llint/LLIntThunks.h:
2988         * runtime/ScriptExecutable.cpp:
2989         (JSC::setupLLInt):
2990         (JSC::ScriptExecutable::prepareForExecutionImpl):
2991
2992 2019-03-18  Yusuke Suzuki  <ysuzuki@apple.com>
2993
2994         [JSC] Add missing exception checks revealed by newly added exception checks, follow-up after r243081
2995         https://bugs.webkit.org/show_bug.cgi?id=195927
2996
2997         Reviewed by Mark Lam.
2998
2999         r243081 adds more exception checks which are previously missing, and it reveals missing exception checks in the caller.
3000         This patch is a follow-up patch after r243081, adding missing exception checks more to fix debug test failures.
3001
3002         * runtime/RegExpConstructor.cpp:
3003         (JSC::setRegExpConstructorInput):
3004         (JSC::setRegExpConstructorMultiline):
3005         * runtime/RegExpGlobalData.cpp:
3006         (JSC::RegExpGlobalData::getBackref):
3007         (JSC::RegExpGlobalData::getLastParen):
3008
3009 2019-03-18  Yusuke Suzuki  <ysuzuki@apple.com>
3010
3011         [JSC] Generator should not create JSLexicalEnvironment if it is not necessary
3012         https://bugs.webkit.org/show_bug.cgi?id=195901
3013
3014         Reviewed by Saam Barati.
3015
3016         It is not rare that generators do not need to have any registers to be suspended and resumed.
3017         Since currently we always emit op_create_lexical_environment for generator code, we sometimes
3018         create empty JSLexicalEnvironment while it is not required. We can see that a lot of empty JSLexicalEnvironment
3019         are allocated in RAMification's Basic test.
3020
3021         This patch removes this unnecessary allocation. We introduce op_create_generator_frame_environment, which is
3022         a marker, similar to op_yield. And generatorification phase decides whether we should actually emit op_create_lexical_environment,
3023         based on the result of the analysis in generatorification. This can remove unnecessary JSLexicalEnvironment allocations.
3024
3025         We run RAMification in 6 times, use average of them.
3026         RAMification's Basic in JIT mode shows 1.4% improvement.
3027         ToT
3028             Current: 55076864.00, Peak: 55080960.00
3029         Patched
3030             Current: 54325930.67, Peak: 54329344.00
3031
3032         RAMification's Basic in non-JIT mode shows 5.0% improvement.
3033         ToT
3034             Current: 12485290.67, Peak: 12485290.67
3035         Patched
3036             Current: 11894101.33, Peak: 11894101.33
3037
3038         * bytecode/BytecodeGeneratorification.cpp:
3039         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3040         (JSC::BytecodeGeneratorification::generatorFrameData const):
3041         (JSC::BytecodeGeneratorification::run):
3042         * bytecode/BytecodeList.rb:
3043         * bytecode/BytecodeUseDef.h:
3044         (JSC::computeUsesForBytecodeOffset):
3045         (JSC::computeDefsForBytecodeOffset):
3046         * bytecompiler/BytecodeGenerator.cpp:
3047         (JSC::BytecodeGenerator::BytecodeGenerator):
3048         * dfg/DFGCapabilities.cpp:
3049         (JSC::DFG::capabilityLevel):
3050         * llint/LowLevelInterpreter.asm:
3051
3052 2019-03-18  Robin Morisset  <rmorisset@apple.com>
3053
3054         Remove the inline capacity of Operands
3055         https://bugs.webkit.org/show_bug.cgi?id=195898
3056
3057         Reviewed by Yusuke Suzuki.
3058
3059         Operands currently has a vector with an inline capacity of 24.
3060         I tested on JetStream2, and only 4776 functions out of 12035 (that reach the DFG tier) have 24 or fewer elements in it.
3061         This is a major problem, because we have 5 Operands in every DFG::BasicBlock, resulting in 2688 bytes of inline capacity per basic block.
3062         Still on JetStream 2, functions have an average of 18 BB, but those functions whose operands overflow have an average of 27 BB (so we are wasting 72kB on average when compiling them), and the largest function has 1241 BB (!), for a total of 3.3MB being wasted while it is compiled.
3063         
3064         So I removed the inline capacity of the vector in Operands, and here are the results:
3065         Baseline Jetstream2:
3066         159.741
3067         159.746
3068         159.989
3069         Baseline RAMification on grouped and jit tests: (end/peak/score)
3070         89.288/89.763/89.526
3071         90.166/90.761/90.418
3072         89.560/90.014/89.787
3073         After optimization Jetstream2:
3074         159.342
3075         161.812
3076         162.037
3077         After optimization RAMification:
3078         89.147/89.644/89.395
3079         89.102.89.585/89.343
3080         88.953/89.536/89.2444
3081         
3082         So it looks like a roughly 1% improvement on RAMification (at least the tests where the JIT is enabled), and more surprisingly also a 1% progression on Jetstream2 (although I have more doubts about this one considering the variability in my numbers).
3083         I hope to land this, and get more accurate results from the bots.
3084
3085         * bytecode/Operands.h:
3086
3087 2019-03-18  Yusuke Suzuki  <ysuzuki@apple.com>
3088
3089         [JSC] Add --destroy-vm shell option and dumpHeapStatisticsAtVMDestruction option
3090         https://bugs.webkit.org/show_bug.cgi?id=195897
3091
3092         Reviewed by Keith Miller.
3093
3094         It is useful if we have an option logging the status of all the existing MarkedBlocks and their objects at VM destruction.
3095         I used this feature to find wasting memory, and successfully removed many wasted MarkedBlocks and JS cells like r243081.
3096         This patch adds,
3097
3098         1. --destroy-vm option to JSC shell to destroy main thread JSC::VM
3099         2. dumpHeapStatisticsAtVMDestruction to dump MarkedBlocks at VM destruction
3100
3101         While the current option name is "dumpHeapStatisticsAtVMDestruction", we just dump the status of MarkedBlocks and cells. But eventually,
3102         we would like to collect heap statistics and dump them to investigate Heap status more.
3103
3104         This patch also removes logHeapStatisticsAtExit option since it is no longer used in JSC.
3105
3106         * heap/Heap.cpp:
3107         (JSC::Heap::dumpHeapStatisticsAtVMDestruction):
3108         (JSC::Heap::lastChanceToFinalize):
3109         * heap/Heap.h:
3110         * jsc.cpp:
3111         (printUsageStatement):
3112         (CommandLine::parseArguments):
3113         (runJSC):
3114         * runtime/Options.h:
3115
3116 2019-03-18  Yusuke Suzuki  <ysuzuki@apple.com>
3117
3118         [JSC] jsSubstring should resolve rope before calling JSRopeString::create
3119         https://bugs.webkit.org/show_bug.cgi?id=195840
3120
3121         Reviewed by Geoffrey Garen.
3122
3123         jsSubstring always ends up resolving rope of the base string because substring JSRopeString only accepts non-rope JSString
3124         as its base. Instead of resolving ropes in finishCreationSubstring, we should resolve before passing it to JSRopeString.
3125         So that, we can access string data before creating JSRopeString, and we can introduce optimizations like avoiding creation
3126         of single character substrings.
3127
3128         We can find that a lot of substrings for length = 1 are allocated in RAMification regexp tests. This patch avoids creation of these
3129         strings to save memory.
3130
3131         This patch also strengthen error checks caused by rope resolution for base of substrings. Previously we sometimes miss this checks.
3132
3133         * dfg/DFGOperations.cpp:
3134         * runtime/JSString.cpp:
3135         (JSC::JSString::dumpToStream):
3136         * runtime/JSString.h:
3137         (JSC::jsSubstring):
3138         (JSC::jsSubstringOfResolved):
3139         (JSC::jsSingleCharacterString):
3140         * runtime/RegExpCachedResult.cpp:
3141         (JSC::RegExpCachedResult::lastResult): We no longer need to have length = 0 path since jsSubstring returns an empty string if length == 0.
3142         (JSC::RegExpCachedResult::leftContext):
3143         (JSC::RegExpCachedResult::rightContext):
3144         (JSC::RegExpCachedResult::setInput):
3145         * runtime/RegExpGlobalData.cpp:
3146         (JSC::RegExpGlobalData::getBackref):
3147         (JSC::RegExpGlobalData::getLastParen):
3148         * runtime/StringObject.h:
3149         (JSC::jsStringWithReuse):
3150         (JSC::jsSubstring):
3151         * runtime/StringPrototype.cpp:
3152         (JSC::replaceUsingRegExpSearch):
3153         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3154         (JSC::replaceUsingStringSearch):
3155         (JSC::stringProtoFuncSlice):
3156         (JSC::splitStringByOneCharacterImpl):
3157         (JSC::stringProtoFuncSplitFast):
3158         (JSC::stringProtoFuncSubstr):
3159         (JSC::stringProtoFuncSubstring):
3160         (JSC::stringProtoFuncToLowerCase):
3161         (JSC::stringProtoFuncToUpperCase):
3162         Some `const String& value = string->value(exec)` is dangerous if GC happens later. Changed to getting `String` instead of `const String&` here.
3163
3164         * runtime/StringPrototypeInlines.h:
3165         (JSC::stringSlice):
3166
3167 2019-03-18  Mark Lam  <mark.lam@apple.com>
3168
3169         Missing a ThrowScope release in JSObject::toString().
3170         https://bugs.webkit.org/show_bug.cgi?id=195893
3171         <rdar://problem/48970986>
3172
3173         Reviewed by Michael Saboff.
3174
3175         Placate the validator with a RELEASE_AND_RETURN().
3176
3177         * runtime/JSObject.cpp:
3178         (JSC::JSObject::toString const):
3179
3180 2019-03-18  Mark Lam  <mark.lam@apple.com>
3181
3182         Structure::flattenDictionary() should clear unused property slots.
3183         https://bugs.webkit.org/show_bug.cgi?id=195871
3184         <rdar://problem/48959497>
3185
3186         Reviewed by Michael Saboff.
3187
3188         It currently attempts to do this but fails because it's actually clearing up the
3189         preCapacity region instead.  The fix is simply to account for the preCapacity
3190         when computing the start address of the property slots.
3191
3192         * runtime/Structure.cpp:
3193         (JSC::Structure::flattenDictionaryStructure):
3194
3195 2019-03-18  Robin Morisset  <rmorisset@apple.com>
3196
3197         B3 should reduce Shl(<S|Z>Shr(@x, @const), @const) to BitAnd(@x, -(1<<@const))
3198         https://bugs.webkit.org/show_bug.cgi?id=152164
3199
3200         Reviewed by Filip Pizlo.
3201
3202         Turn this: Shl(<S|Z>Shr(@x, @const), @const)
3203         Into this: BitAnd(@x, -(1<<@const))
3204
3205         I added two tests: one for ZShr/32 bits, and one for SShr/64 bits, I think it is enough coverage (no reason for any interaction between the signedness of the shift and the bitwidth).
3206         I also modified a few adjacent tests to remove undefined behaviours.
3207
3208         * b3/B3ReduceStrength.cpp:
3209         * b3/testb3.cpp:
3210         (JSC::B3::testShlImms):
3211         (JSC::B3::testShlArgImm):
3212         (JSC::B3::testShlSShrArgImm):
3213         (JSC::B3::testShlImms32):
3214         (JSC::B3::testShlArgImm32):
3215         (JSC::B3::testShlZShrArgImm32):
3216         (JSC::B3::run):
3217
3218 2019-03-17  Robin Morisset  <rmorisset@apple.com>
3219
3220         ParserError can be shrunk by 8 bytes
3221         https://bugs.webkit.org/show_bug.cgi?id=195496
3222
3223         Reviewed by Mark Lam.
3224
3225         * parser/ParserError.h:
3226
3227 2019-03-17  Diego Pino Garcia  <dpino@igalia.com>
3228
3229         Fix WPE and GTK Debug builds after r243049
3230         https://bugs.webkit.org/show_bug.cgi?id=195860
3231
3232         Unreviewed, build fix after r243049.
3233
3234         * runtime/StringPrototype.cpp:
3235         (JSC::normalizationAffects8Bit):
3236
3237 2019-03-17  Yusuke Suzuki  <ysuzuki@apple.com>
3238
3239         REGRESSION: !vm.isInitializingObject() void* JSC::tryAllocateCellHelper<JSC::Structure> JSC::Structure::create
3240         https://bugs.webkit.org/show_bug.cgi?id=195858
3241
3242         Reviewed by Mark Lam.
3243
3244         r243011 changed WebAssembly related structures lazily-allocated. It means that this lazy allocation must not be done in the middle of
3245         the other object allocations. This patch changes the signature of wasm related objects' ::create functions to taking Structure*.
3246         This prevents us from materializing lazily-allocated structures while allocating wasm related objects, and this style is used in the
3247         other places to fix the same problem. This bug is caught by existing debug tests for wasm.
3248
3249         * runtime/JSGlobalObject.h:
3250         * wasm/js/JSWebAssemblyCompileError.cpp:
3251         (JSC::createJSWebAssemblyCompileError):
3252         * wasm/js/JSWebAssemblyInstance.cpp:
3253         (JSC::JSWebAssemblyInstance::finalizeCreation):
3254         (JSC::JSWebAssemblyInstance::create):
3255         * wasm/js/JSWebAssemblyLinkError.cpp:
3256         (JSC::createJSWebAssemblyLinkError):
3257         * wasm/js/JSWebAssemblyModule.cpp:
3258         (JSC::JSWebAssemblyModule::createStub):
3259         (JSC::JSWebAssemblyModule::finishCreation):
3260         * wasm/js/WasmToJS.cpp:
3261         (JSC::Wasm::wasmToJSException):
3262         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3263         (JSC::constructJSWebAssemblyCompileError):
3264         (JSC::callJSWebAssemblyCompileError):
3265         * wasm/js/WebAssemblyFunction.cpp:
3266         (JSC::WebAssemblyFunction::create):
3267         * wasm/js/WebAssemblyFunction.h:
3268         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3269         (JSC::constructJSWebAssemblyInstance):
3270         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3271         (JSC::constructJSWebAssemblyLinkError):
3272         (JSC::callJSWebAssemblyLinkError):
3273         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3274         (JSC::constructJSWebAssemblyMemory):
3275         * wasm/js/WebAssemblyModuleConstructor.cpp:
3276         (JSC::WebAssemblyModuleConstructor::createModule):
3277         * wasm/js/WebAssemblyModuleRecord.cpp:
3278         (JSC::WebAssemblyModuleRecord::link):
3279         (JSC::WebAssemblyModuleRecord::evaluate):
3280         * wasm/js/WebAssemblyPrototype.cpp:
3281         (JSC::webAssemblyModuleValidateAsyncInternal):
3282         (JSC::instantiate):
3283         (JSC::compileAndInstantiate):
3284         (JSC::webAssemblyModuleInstantinateAsyncInternal):
3285         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3286         (JSC::constructJSWebAssemblyRuntimeError):
3287         (JSC::callJSWebAssemblyRuntimeError):
3288         * wasm/js/WebAssemblyTableConstructor.cpp:
3289         (JSC::constructJSWebAssemblyTable):
3290         * wasm/js/WebAssemblyToJSCallee.cpp:
3291         (JSC::WebAssemblyToJSCallee::create):
3292         * wasm/js/WebAssemblyToJSCallee.h:
3293         * wasm/js/WebAssemblyWrapperFunction.cpp:
3294         (JSC::WebAssemblyWrapperFunction::create):
3295         * wasm/js/WebAssemblyWrapperFunction.h:
3296
3297 2019-03-16  Darin Adler  <darin@apple.com>
3298
3299         Improve normalization code, including moving from unorm.h to unorm2.h
3300         https://bugs.webkit.org/show_bug.cgi?id=195330
3301
3302         Reviewed by Michael Catanzaro.
3303
3304         * runtime/JSString.h: Move StringViewWithUnderlyingString to StringView.h.
3305
3306         * runtime/StringPrototype.cpp: Include unorm2.h instead of unorm.h.
3307         (JSC::normalizer): Added. Function to create normalizer object given
3308         enumeration value indicating which is selected. Simplified because we
3309         know the function will not fail and so we don't need error handling code.
3310         (JSC::normalize): Changed this function to take a JSString* so we can
3311         optimize the case where no normalization is needed. Added an early exit
3312         if the string is stored as 8-bit and another if the string is already
3313         normalized, using unorm2_isNormalized. Changed error handling to only
3314         check cases that can actually fail in practice. Also did other small
3315         optimizations like passing VM rather than ExecState.
3316         (JSC::stringProtoFuncNormalize): Used smaller enumeration names that are
3317         identical to the names used in the API and normalization parlance rather
3318         than longer ones that expand the acronyms. Updated to pass JSString* to
3319         the normalize function, so we can optimize 8-bit and already-normalized
3320         cases, rather than callling the expensive String::upconvertedCharacters
3321         function. Use throwVMRangeError.
3322
3323 2019-03-15  Mark Lam  <mark.lam@apple.com>
3324
3325         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
3326         https://bugs.webkit.org/show_bug.cgi?id=195827
3327         <rdar://problem/48845513>
3328
3329         Reviewed by Filip Pizlo.
3330
3331         m_object in ObjectPropertyCondition may no lon