480f7162ce817bd87bc62394c40b9dc419e7cd09
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON does not execute steps 1-2
        https://bugs.webkit.org/show_bug.cgi?id=105282

        Reviewed by Ross Kirsling.

        According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
        strict mode functions. Before this change, the `this` value in Date.prototype.toJSON was resolved
        using sloppy mode semantics, resulting in `toISOString` being called on the global object if the `this`
        value equals `null` or `undefined`.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.

2019-09-13  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should do its !Gigacage assertion on exit.
        https://bugs.webkit.org/show_bug.cgi?id=201780
        <rdar://problem/55354867>

        Reviewed by Robin Morisset.

        Re-doing previous fix.

        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
        (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.

2019-09-13  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should do its !Gigacage assertion on exit.
        https://bugs.webkit.org/show_bug.cgi?id=201780
        <rdar://problem/55354867>

        Reviewed by Robin Morisset.

        * jit/ExecutableAllocator.h:
        (JSC::GigacageAssertScope::GigacageAssertScope):
        (JSC::GigacageAssertScope::~GigacageAssertScope):
        (JSC::performJITMemcpy):

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Micro-optimize YarrJIT's surrogate pair handling
        https://bugs.webkit.org/show_bug.cgi?id=201750

        Reviewed by Michael Saboff.

        Optimize the sequence of machine code used to get a code point with the unicode flag.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):

2019-09-13  Mark Lam  <mark.lam@apple.com>

        We should assert $vm is enabled on entry and exit in its functions.
        https://bugs.webkit.org/show_bug.cgi?id=201762
        <rdar://problem/55338742>

        Rubber-stamped by Michael Saboff.

        1. Also do the same for FunctionOverrides.
        2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
        3. Also added assertions to lambda functions in $vm.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
        (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
        (JSC::FunctionOverrides::overrides):
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::initializeOverrideInfo):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::parseClause):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (JSC::JSDollarVMCallFrame::createStructure):
        (JSC::JSDollarVMCallFrame::create):
        (JSC::JSDollarVMCallFrame::finishCreation):
        (JSC::JSDollarVMCallFrame::addProperty):
        (JSC::Element::Element):
        (JSC::Element::create):
        (JSC::Element::visitChildren):
        (JSC::Element::createStructure):
        (JSC::Root::Root):
        (JSC::Root::setElement):
        (JSC::Root::create):
        (JSC::Root::createStructure):
        (JSC::Root::visitChildren):
        (JSC::SimpleObject::SimpleObject):
        (JSC::SimpleObject::create):
        (JSC::SimpleObject::visitChildren):
        (JSC::SimpleObject::createStructure):
        (JSC::ImpureGetter::ImpureGetter):
        (JSC::ImpureGetter::createStructure):
        (JSC::ImpureGetter::create):
        (JSC::ImpureGetter::finishCreation):
        (JSC::ImpureGetter::getOwnPropertySlot):
        (JSC::ImpureGetter::visitChildren):
        (JSC::CustomGetter::CustomGetter):
        (JSC::CustomGetter::createStructure):
        (JSC::CustomGetter::create):
        (JSC::CustomGetter::getOwnPropertySlot):
        (JSC::CustomGetter::customGetter):
        (JSC::CustomGetter::customGetterAcessor):
        (JSC::RuntimeArray::create):
        (JSC::RuntimeArray::destroy):
        (JSC::RuntimeArray::getOwnPropertySlot):
        (JSC::RuntimeArray::getOwnPropertySlotByIndex):
        (JSC::RuntimeArray::createPrototype):
        (JSC::RuntimeArray::createStructure):
        (JSC::RuntimeArray::finishCreation):
        (JSC::RuntimeArray::RuntimeArray):
        (JSC::RuntimeArray::lengthGetter):
        (JSC::DOMJITNode::DOMJITNode):
        (JSC::DOMJITNode::createStructure):
        (JSC::DOMJITNode::checkSubClassSnippet):
        (JSC::DOMJITNode::create):
        (JSC::DOMJITGetter::DOMJITGetter):
        (JSC::DOMJITGetter::createStructure):
        (JSC::DOMJITGetter::create):
        (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetter::customGetter):
        (JSC::DOMJITGetter::finishCreation):
        (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
        (JSC::DOMJITGetterComplex::createStructure):
        (JSC::DOMJITGetterComplex::create):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterComplex::functionEnableException):
        (JSC::DOMJITGetterComplex::customGetter):
        (JSC::DOMJITGetterComplex::finishCreation):
        (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
        (JSC::DOMJITFunctionObject::createStructure):
        (JSC::DOMJITFunctionObject::create):
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::checkSubClassSnippet):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (JSC::DOMJITCheckSubClassObject::createStructure):
        (JSC::DOMJITCheckSubClassObject::create):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (JSC::DOMJITGetterBaseJSObject::createStructure):
        (JSC::DOMJITGetterBaseJSObject::create):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterBaseJSObject::customGetter):
        (JSC::DOMJITGetterBaseJSObject::finishCreation):
        (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (JSC::JSTestCustomGetterSetter::create):
        (JSC::JSTestCustomGetterSetter::createStructure):
        (JSC::customSetAccessor):
        (JSC::customSetValue):
        (JSC::JSTestCustomGetterSetter::finishCreation):
        (JSC::Element::handleOwner):
        (JSC::Element::finishCreation):
        (JSC::WasmStreamingParser::WasmStreamingParser):
        (JSC::WasmStreamingParser::create):
        (JSC::WasmStreamingParser::createStructure):
        (JSC::WasmStreamingParser::finishCreation):
        (JSC::functionWasmStreamingParserAddBytes):
        (JSC::functionWasmStreamingParserFinalize):
        (JSC::functionCrash):
        (JSC::functionBreakpoint):
        (JSC::functionDFGTrue):
        (JSC::functionFTLTrue):
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::getExecutableForFunction):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionNoInline):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionDumpSubspaceHashes):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::functionDumpRegisters):
        (JSC::functionDumpCell):
        (JSC::functionIndexingMode):
        (JSC::functionInlineCapacity):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::functionHaveABadTime):
        (JSC::functionIsHavingABadTime):
        (JSC::functionCreateGlobalObject):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateNullRopeString):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionGetPrivateProperty):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionFlattenDictionaryObject):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::changeDebuggerModeWhenIdle):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::functionDeleteAllCodeWhenIdle):
        (JSC::functionGlobalObjectCount):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::functionDeltaBetweenButterflies):
        (JSC::functionTotalGCTime):
        (JSC::functionParseCount):
        (JSC::functionIsWasmSupported):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:
        (JSC::DollarVMAssertScope::DollarVMAssertScope):
        (JSC::DollarVMAssertScope::~DollarVMAssertScope):

2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
        https://bugs.webkit.org/show_bug.cgi?id=201535
        <rdar://problem/29119232>

        Reviewed by Devin Rousso.

        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        When resolving a breakpoint inside of an inline <script> we need to adjust
        based on the starting position of the <script> in the HTML resource.

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] X86Registers.h callee-save register definition is wrong
        https://bugs.webkit.org/show_bug.cgi?id=201756

        Reviewed by Mark Lam.

        I think nobody is using the X86 JIT backend, but it is simply wrong.
        edi and esi should be callee-save.

        * assembler/X86Registers.h:

2019-09-12  Mark Lam  <mark.lam@apple.com>

        Harden JSC against the abuse of runtime options.
        https://bugs.webkit.org/show_bug.cgi?id=201597
        <rdar://problem/55167068>

        Reviewed by Filip Pizlo.

        Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.

        1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
           first VM instance is constructed.  The end of the VM constructor calls
           Config::permanentlyFreeze() which will make the Config ReadOnly.

           Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
           OS(WINDOWS) will need to implement some missing pieces before it can enable
           this hardening (see FIXME in JSCConfig.cpp).

           The hardening strategy here is to put immutable global values into the Config.
           Any modifications that need to be made to these values must be done before the
           first VM instance is done instantiating.  This ensures that no script will
           ever run while the Config is still writable.

           Also, the policy for this hardening is that a process is opted in by default.
           If there's a valid need to disable this hardening (e.g. for some test
           environments), the relevant process will need to opt itself out by calling
           Config::configureForTesting().

           The jsc shell, WK2 UI and WebContent processes are opted in by default.
           Only test processes may opt out.

        2. Put all JSC::Options in the Config.  This enforces the invariant that options
           can only be changed before we instantiate a VM.  Once a VM is instantiated,
           the options are immutable.

        3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
           Options::forceGCSlowPaths this way is no longer allowed.

        4. Re-factored the Options code (Options.h) into:
           - OptionEntry.h: the data structure that stores the option values.
           - OptionsList.h: the list of options.
           - Options.h: the Options singleton object which is the interface for accessing options.

           Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
           "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
           "JSC_OPTIONS(FOR_EACH_OPTION)".

        5. Change testapi to call Config::configureForTesting().  Parts of testapi make
           use of setting options in its tests.  Hence, this hardening is disabled for
           testapi.

           Note: the jsc shell does enable this hardening.

        6. Put ExecutableAllocator's immutable globals in the Config.

        7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
           FunctionOverrides test utility.

        8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.

           We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
           that are non-trivial at an eye's glance.  This includes (but is not limited to):
               constructors
               create() factory
               createStructure() factory
               finishCreation()
               HOST_CALL or operation functions
               Constructors and methods of utility and test classes

           The only exceptions are some constexpr constructors used for instantiating
           globals (since these must have trivial constructors) e.g. DOMJITAttribute.
           Instead, these constructors should always be ALWAYS_INLINE.

        * API/glib/JSCOptions.cpp:
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_foreach):
        (jsc_options_get_option_group):
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp:
        (configureJSCForTesting):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jit/ExecutableAllocator.cpp:
        (JSC::isJITEnabled):
        (JSC::ExecutableAllocator::setJITEnabled):
        (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
        (JSC::ExecutableAllocator::isValid const):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock const):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::startOfFixedExecutableMemoryPoolImpl):
        (JSC::endOfFixedExecutableMemoryPoolImpl):
        (JSC::isJITPC):
        (JSC::dumpJITMemory):
        (JSC::ExecutableAllocator::initialize):
        (JSC::ExecutableAllocator::singleton):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCOptions):
        (jscmain):
        (functionForceGCSlowPaths): Deleted.
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCConfig.cpp: Added.
        (JSC::Config::disableFreezingForTesting):
        (JSC::Config::enableRestrictedOptions):
        (JSC::Config::permanentlyFreeze):
        * runtime/JSCConfig.h: Added.
        (JSC::Config::configureForTesting):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::exposeDollarVM):
        * runtime/OptionEntry.h: Added.
        (JSC::OptionRange::operator= ):
        (JSC::OptionRange::rangeString const):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::scaleJITPolicy):
        (JSC::Options::initialize):
        (JSC::Options::setOptions):
        (JSC::Options::setOptionWithoutAlias):
        (JSC::Options::setAliasedOption):
        (JSC::Option::dump const):
        (JSC::Option::operator== const):
        (): Deleted.
        (JSC::Options::enableRestrictedOptions): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::defaultOption const):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::OptionRange::operator= ): Deleted.
        (JSC::OptionRange::rangeString const): Deleted.
        * runtime/OptionsList.h: Added.
        (JSC::countNumberOfJSCOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (JSC::JSDollarVMCallFrame::createStructure):
        (JSC::JSDollarVMCallFrame::create):
        (JSC::JSDollarVMCallFrame::finishCreation):
        (JSC::JSDollarVMCallFrame::addProperty):
        (JSC::Element::Element):
        (JSC::Element::create):
        (JSC::Element::createStructure):
        (JSC::Root::Root):
        (JSC::Root::create):
        (JSC::Root::createStructure):
        (JSC::SimpleObject::SimpleObject):
        (JSC::SimpleObject::create):
        (JSC::SimpleObject::createStructure):
        (JSC::ImpureGetter::ImpureGetter):
        (JSC::ImpureGetter::createStructure):
        (JSC::ImpureGetter::create):
        (JSC::ImpureGetter::finishCreation):
        (JSC::ImpureGetter::getOwnPropertySlot):
        (JSC::CustomGetter::CustomGetter):
        (JSC::CustomGetter::createStructure):
        (JSC::CustomGetter::create):
        (JSC::CustomGetter::getOwnPropertySlot):
        (JSC::CustomGetter::customGetter):
        (JSC::CustomGetter::customGetterAcessor):
        (JSC::RuntimeArray::create):
        (JSC::RuntimeArray::destroy):
        (JSC::RuntimeArray::getOwnPropertySlot):
        (JSC::RuntimeArray::getOwnPropertySlotByIndex):
        (JSC::RuntimeArray::createPrototype):
        (JSC::RuntimeArray::createStructure):
        (JSC::RuntimeArray::finishCreation):
        (JSC::RuntimeArray::RuntimeArray):
        (JSC::RuntimeArray::lengthGetter):
        (JSC::DOMJITNode::DOMJITNode):
        (JSC::DOMJITNode::createStructure):
        (JSC::DOMJITNode::checkSubClassSnippet):
        (JSC::DOMJITNode::create):
        (JSC::DOMJITGetter::DOMJITGetter):
        (JSC::DOMJITGetter::createStructure):
        (JSC::DOMJITGetter::create):
        (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
        (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetter::customGetter):
        (JSC::DOMJITGetter::finishCreation):
        (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
        (JSC::DOMJITGetterComplex::createStructure):
        (JSC::DOMJITGetterComplex::create):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterComplex::functionEnableException):
        (JSC::DOMJITGetterComplex::customGetter):
        (JSC::DOMJITGetterComplex::finishCreation):
        (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
        (JSC::DOMJITFunctionObject::createStructure):
        (JSC::DOMJITFunctionObject::create):
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::checkSubClassSnippet):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (JSC::DOMJITCheckSubClassObject::createStructure):
        (JSC::DOMJITCheckSubClassObject::create):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (JSC::DOMJITGetterBaseJSObject::createStructure):
        (JSC::DOMJITGetterBaseJSObject::create):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterBaseJSObject::customGetter):
        (JSC::DOMJITGetterBaseJSObject::finishCreation):
        (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (JSC::JSTestCustomGetterSetter::create):
        (JSC::JSTestCustomGetterSetter::createStructure):
        (JSC::customSetAccessor):
        (JSC::customSetValue):
        (JSC::JSTestCustomGetterSetter::finishCreation):
        (JSC::Element::handleOwner):
        (JSC::Element::finishCreation):
        (JSC::WasmStreamingParser::WasmStreamingParser):
        (JSC::WasmStreamingParser::create):
        (JSC::WasmStreamingParser::createStructure):
        (JSC::WasmStreamingParser::finishCreation):
        (JSC::functionWasmStreamingParserAddBytes):
        (JSC::functionWasmStreamingParserFinalize):
        (JSC::functionCrash):
        (JSC::functionBreakpoint):
        (JSC::functionDFGTrue):
        (JSC::functionFTLTrue):
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::getExecutableForFunction):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionNoInline):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionDumpSubspaceHashes):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::functionDumpRegisters):
        (JSC::functionDumpCell):
        (JSC::functionIndexingMode):
        (JSC::functionInlineCapacity):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::functionHaveABadTime):
        (JSC::functionIsHavingABadTime):
        (JSC::functionCreateGlobalObject):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateNullRopeString):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionGetPrivateProperty):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionFlattenDictionaryObject):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::changeDebuggerModeWhenIdle):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::functionDeleteAllCodeWhenIdle):
        (JSC::functionGlobalObjectCount):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::functionDeltaBetweenButterflies):
        (JSC::functionTotalGCTime):
        (JSC::functionParseCount):
        (JSC::functionIsWasmSupported):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:

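        The freeze-after-first-VM hardening described in the entry above, as an added illustration that is not JavaScriptCore's own Config code: RuntimeConfig, setUseDollarVM and permanentlyFreeze are hypothetical names standing in for JSC::Config, JSC::Options and Config::permanentlyFreeze(), and the example assumes a POSIX system with mmap/mprotect. It shows the option being writable before the freeze and rejected afterwards both by the setter and by a raw store that bypasses it.

```cpp
// Added example, not JavaScriptCore code. Models "put immutable globals in one
// struct, then make it read-only once the first VM exists".
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

// Hypothetical stand-in for JSC::Config: every immutable-after-startup global
// lives here, so one mprotect() call covers all of them.
struct RuntimeConfig {
    bool useDollarVM;               // hypothetical option, like Options::useDollarVM()
    bool restrictedOptionsEnabled;  // hypothetical, like restrictedOptionsEnabled
    uint32_t jitMemoryLimit;        // hypothetical ExecutableAllocator-style global
    bool frozen;                    // set by permanentlyFreeze(); itself read-only afterwards
};

static RuntimeConfig* g_config = nullptr;
static size_t g_configSize = 0;

// The config gets its own anonymous mapping so the protection change applies to
// exactly this struct and nothing that happens to share a page with it.
static bool allocateConfig() {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return false;
    g_configSize = static_cast<size_t>(page);
    void* p = mmap(nullptr, g_configSize, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return false;
    std::memset(p, 0, g_configSize);
    g_config = static_cast<RuntimeConfig*>(p);
    return true;
}

// Options may only change while the config is still writable; after the freeze
// the API refuses, and the page itself refuses anything that bypasses the API.
static bool setUseDollarVM(bool on) {
    if (!g_config || g_config->frozen) return false;
    g_config->useDollarVM = on;
    return true;
}

// Counterpart of Config::permanentlyFreeze(): run at the end of the first VM's
// construction, i.e. before any script can execute.
static bool permanentlyFreeze() {
    if (!g_config || g_config->frozen) return false;
    g_config->frozen = true;                 // last write before the page turns read-only
    return mprotect(g_config, g_configSize, PROT_READ) == 0;
}

static bool isFrozen() { return g_config && g_config->frozen; }

// Probe whether a raw store into the config faults. The fault (SIGSEGV on Linux,
// SIGBUS on some platforms) is caught and converted into a return value so the
// behaviour can be checked instead of killing the process.
static sigjmp_buf g_probeJump;
static void onFault(int) { siglongjmp(g_probeJump, 1); }

static bool rawWriteIsBlocked() {
    struct sigaction sa, oldSegv, oldBus;
    std::memset(&sa, 0, sizeof sa);
    sa.sa_handler = onFault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &oldSegv);
    sigaction(SIGBUS, &sa, &oldBus);
    bool blocked = false;
    if (sigsetjmp(g_probeJump, 1) == 0) {
        volatile bool* target = &g_config->useDollarVM;
        *target = true;                      // succeeds before the freeze, faults after it
    } else {
        blocked = true;
    }
    sigaction(SIGSEGV, &oldSegv, nullptr);
    sigaction(SIGBUS, &oldBus, nullptr);
    return blocked;
}

// Whole startup sequence; returns true only if the hardening holds on this host.
static bool demo() {
    if (!allocateConfig()) return false;
    // Before the first VM finishes constructing: writable by the setter and by raw stores.
    bool writableBefore = !rawWriteIsBlocked() && setUseDollarVM(false);
    if (!permanentlyFreeze()) return false;
    // Afterwards: setter refuses, raw store faults, and the value is unchanged.
    bool lockedAfter = isFrozen() && !setUseDollarVM(true)
                    && rawWriteIsBlocked() && g_config->useDollarVM == false;
    return writableBefore && lockedAfter;
}

int main() { return demo() ? 0 : 1; }
```

The point of the raw-store probe is that a write which bypasses the option API faults rather than silently re-enabling $vm or another restricted option, which is the guarantee the ChangeLog entry is after.
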
616 2019-09-11  Devin Rousso  <drousso@apple.com>
617
618         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
619         https://bugs.webkit.org/show_bug.cgi?id=201650
620
621         Reviewed by Joseph Pecoraro.
622
623         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
624
625         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
626         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
627         `-webkit-canvas` client of a `WebGPUDevice`.
628
629         * inspector/protocol/Canvas.json:
630          - Add `powerPreference` key to `ContextAttributes` type.
631          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
632          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
633          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
634            really a "canvas".
635
636 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
637
638         [JSC] Add StringCodePointAt intrinsic
639         https://bugs.webkit.org/show_bug.cgi?id=201673
640
641         Reviewed by Michael Saboff.
642
643         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL like we are doing so for String#charCodeAt.
644         This patch adds these supports for String#codePointAt to get ~10% score improvement in JetStream2/UniPoker.
645
646         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as StringCodePointAt node, and emit
647         inlined code in DFG and FTL. The characteristics of StringCodePointAt node is basically the same to StringCharAt. It has String array-mode, so it emits
648         preceding CheckArray. This ensures that (1) StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
649         check. This thing is just the same to the existing StringCharCodeAt mechanism.
650
651         * dfg/DFGAbstractInterpreterInlines.h:
652         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
653         * dfg/DFGBackwardsPropagationPhase.cpp:
654         (JSC::DFG::BackwardsPropagationPhase::propagate):
655         * dfg/DFGByteCodeParser.cpp:
656         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
657         * dfg/DFGClobberize.h:
658         (JSC::DFG::clobberize):
659         * dfg/DFGDoesGC.cpp:
660         (JSC::DFG::doesGC):
661         * dfg/DFGFixupPhase.cpp:
662         (JSC::DFG::FixupPhase::fixupNode):
663         * dfg/DFGNode.h:
664         (JSC::DFG::Node::hasArrayMode):
665         * dfg/DFGNodeType.h:
666         * dfg/DFGPredictionPropagationPhase.cpp:
667         * dfg/DFGSafeToExecute.h:
668         (JSC::DFG::safeToExecute):
669         * dfg/DFGSpeculativeJIT.h:
670         * dfg/DFGSpeculativeJIT32_64.cpp:
671         (JSC::DFG::SpeculativeJIT::compile):
672         * dfg/DFGSpeculativeJIT64.cpp:
673         (JSC::DFG::SpeculativeJIT::compile):
674         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
675         * ftl/FTLCapabilities.cpp:
676         (JSC::FTL::canCompile):
677         * ftl/FTLLowerDFGToB3.cpp:
678         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
679         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
680         * jit/JITInlines.h:
681         (JSC::JIT::emitLoadCharacterString):
682         * jit/ThunkGenerators.cpp:
683         (JSC::stringGetByValGenerator):
684         (JSC::stringCharLoad):
685         (JSC::stringPrototypeCodePointAtThunkGenerator):
686         * jit/ThunkGenerators.h:
687         * runtime/Intrinsic.cpp:
688         (JSC::intrinsicName):
689         * runtime/Intrinsic.h:
690         * runtime/StringPrototype.cpp:
691         (JSC::StringPrototype::finishCreation):
692         * runtime/VM.cpp:
693         (JSC::thunkGeneratorForIntrinsic):
694
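The semantics that the thunk and the DFG/FTL StringCodePointAt node above have to reproduce are those of the ECMAScript String.prototype.codePointAt algorithm over UTF-16 code units. The following is an added example written for this page, not JSC code: a plain C++ model of that algorithm (function names codePointAt/charCodeAt and the std::optional "undefined" encoding are this example's own choices), beside charCodeAt so the surrogate-pair difference is visible.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

// Added example, not JSC code: the ECMAScript String.prototype.codePointAt
// algorithm over UTF-16 code units. This is the behaviour the thunk and the
// DFG/FTL StringCodePointAt node must reproduce on the fast path.
//
// Steps: index out of range -> undefined (modelled as std::nullopt);
// a code unit that is not a lead surrogate, or a lead surrogate at the end of
// the string or not followed by a trail surrogate -> that code unit as-is;
// lead surrogate + trail surrogate -> the combined supplementary code point.
std::optional<uint32_t> codePointAt(const std::u16string& str, size_t index)
{
    if (index >= str.size())
        return std::nullopt;

    uint16_t first = str[index];
    bool isLeadSurrogate = first >= 0xD800 && first <= 0xDBFF;
    if (!isLeadSurrogate || index + 1 == str.size())
        return static_cast<uint32_t>(first);

    uint16_t second = str[index + 1];
    bool isTrailSurrogate = second >= 0xDC00 && second <= 0xDFFF;
    if (!isTrailSurrogate)
        return static_cast<uint32_t>(first); // lone lead surrogate is returned as-is

    // UTF-16 decoding: (lead - 0xD800) * 0x400 + (trail - 0xDC00) + 0x10000
    return ((static_cast<uint32_t>(first) - 0xD800) << 10)
        + (static_cast<uint32_t>(second) - 0xDC00) + 0x10000;
}

// String.prototype.charCodeAt for comparison: always a single code unit,
// which is why a surrogate pair yields two separate values from it.
std::optional<uint16_t> charCodeAt(const std::u16string& str, size_t index)
{
    if (index >= str.size())
        return std::nullopt;
    return str[index];
}
```

With the constructed input u"a\U0001F600" (the letter 'a' followed by U+1F600, stored as the pair 0xD83D 0xDE00), codePointAt at index 1 yields 0x1F600 while charCodeAt yields 0xD83D; at index 2 both yield the trail unit 0xDE00, and index 3 is out of range. The two bounds checks (index against size, then index + 1 against size for the second unit) are the reads the JIT fast path has to guard before touching the string's characters.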
695 2019-09-11  Michael Saboff  <msaboff@apple.com>
696
697         JSC crashes due to stack overflow while building RegExp
698         https://bugs.webkit.org/show_bug.cgi?id=201649
699
700         Reviewed by Yusuke Suzuki.
701
702         Check for running out of stack when we are optimizing RegExp containing BOL terms or
703         other deep copying of disjunctions.
704
705         * yarr/YarrPattern.cpp:
706         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
707         (JSC::Yarr::YarrPatternConstructor::copyTerm):
708         (JSC::Yarr::YarrPatternConstructor::error):
709         (JSC::Yarr::YarrPattern::compile):
710
711 2019-09-11  Truitt Savell  <tsavell@apple.com>
712
713         Unreviewed, rolling out r249753.
714
715         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
716         crash on all Mac platforms.
717
718         Reverted changeset:
719
720         "Web Inspector: Canvas: instrument WebGPUDevice instead of
721         GPUCanvasContext"
722         https://bugs.webkit.org/show_bug.cgi?id=201650
723         https://trac.webkit.org/changeset/249753
724
725 2019-09-10  Devin Rousso  <drousso@apple.com>
726
727         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
728         https://bugs.webkit.org/show_bug.cgi?id=201650
729
730         Reviewed by Joseph Pecoraro.
731
732         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
733
734         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
735         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
736         `-webkit-canvas` client of a `WebGPUDevice`.
737
738         * inspector/protocol/Canvas.json:
739          - Add `powerPreference` key to `ContextAttributes` type.
740          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
741          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
742          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
743            really a "canvas".
744
745 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
746
747         [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3
748         https://bugs.webkit.org/show_bug.cgi?id=201634
749
750         Reviewed by Mark Lam and Robin Morisset.
751
752         This patch includes two things. One is fixing 32bit bitwise operations with allOne constants. The other is fixing an existing bug in BitAnd strength reduction.
753
754         1. 32bit bitwise operation with allOne constants
755
756             Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
757             For example, in BitAnd strength reduction,
758
759                 1034             // Turn this: BitAnd(value, all-ones)
760                 1035             // Into this: value.
761                 1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
762                 1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
763                 1038                 replaceWithIdentity(m_value->child(0));
764                 1039                 break;
765                 1040             }
766
767             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
768
769                 262 inline bool Value::isInt(int64_t value) const
770                 263 {
771                 264     return hasInt() && asInt() == value;
772                 265 }
773
774             So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
775
776                 257 inline int64_t Value::asInt() const
777                 258 {
778                 259     return hasInt32() ? asInt32() : asInt64();
779                 260 }
780
781             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
782             We should use `isInt32` and `isInt64` for bit patterns (like operands for bitwise opcodes).
783
784         2. BitAnd and BitOr strength reduction bug
785
786             We also fix the following optimization.
787
788                 // Turn this: BitAnd(Op(value, constant1), constant2)
789                 //     where !(constant1 & constant2)
790                 //       and Op is BitOr or BitXor
791                 // into this: BitAnd(value, constant2)
792
793             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
794
795                 // Turn this: BitAnd(BitXor(x, allOnes), c)
796                 // Into this: BitXor(BitOr(x, ~c), allOnes)
797
798             And we also found that this unused optimization has a bug: it does not insert the newly produced constant B3::Value. This patch also fixes it.
799
800         For both, this patch adds tests. And the fix for (2) can be verified by checking that testb3 does not crash with the validate-graph option.
801
802         * b3/B3LowerToAir.cpp:
803         * b3/B3ReduceStrength.cpp:
804         * b3/testb3.h:
805         * b3/testb3_2.cpp:
806         (testBitAndNotNot32):
807         (testBitAndNotImm):
808         (testBitAndNotImm32):
809         (testBitOrAndAndArgs32):
810         (testBitOrAndSameArgs32):
811         (testBitOrNotNot32):
812         (testBitOrNotImm32):
813         (addBitTests):
814         * b3/testb3_3.cpp:
815         (testBitXorAndAndArgs32):
816         (testBitXorAndSameArgs32):
817
818 2019-09-10  Commit Queue  <commit-queue@webkit.org>
819
820         Unreviewed, rolling out r249721.
821         https://bugs.webkit.org/show_bug.cgi?id=201667
822
823         Discovering existing bug (Requested by yusukesuzuki on
824         #webkit).
825
826         Reverted changeset:
827
828         "[JSC] 32bit bitwise operation with all-one (-1) is wrong in
829         B3"
830         https://bugs.webkit.org/show_bug.cgi?id=201634
831         https://trac.webkit.org/changeset/249721
832
833 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
834
835         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
836         https://bugs.webkit.org/show_bug.cgi?id=201664
837         <rdar://problem/52126927>
838
839         Reviewed by Tadeu Zagallo.
840
841         We are hitting a crash accessing an invalid pointer as the CodeBlock::calleeSaveRegisters result.
842         This is because the concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
843         Since m_jitData can be initialized in the main thread while CodeBlock::calleeSaveRegisters is being called from the concurrent Baseline JIT compiler thread,
844         we can see a half-baked JITData structure which holds garbage pointers.
845
846         But we do not want to make the CodeBlock::calleeSaveRegisters() call take CodeBlock::m_lock, for several reasons.
847
848         1. This function is a very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
849            called while taking this exact same lock, so a deadlock can happen.
850         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlocks. And DFG and FTL code access this field after initializing it properly. For the Baseline JIT
851            compiler case, the only thing we need is for JITData to say m_calleeSaveRegisters is nullptr and that it won't be filled for this CodeBlock.
852
853         Instead of guarding the CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts a WTF::storeStoreFence when filling m_jitData. This ensures that
854         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to the concurrent Baseline JIT compiler thread.
855
856         * bytecode/CodeBlock.cpp:
857         (JSC::CodeBlock::ensureJITDataSlow):
858
859 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
860
861         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
862         https://bugs.webkit.org/show_bug.cgi?id=198253
863
864         Reviewed by Mark Lam.
865
866         The ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32.
867         When it is specified, TypeMaybeNumber must exist too. This issue makes op_div in JetStream2/async-fs take the slow path. And eventually DFG first mis-compiles
868         it with an Int32 ArithDiv while that div always produces a double, and an unnecessary OSR exit happens.
869
870         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
871
872         * parser/ResultType.h:
873         (JSC::ResultType::bigIntOrInt32Type):
874
875 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
876
877         [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3
878         https://bugs.webkit.org/show_bug.cgi?id=201634
879
880         Reviewed by Mark Lam.
881
882         Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
883         For example, in BitAnd strength reduction,
884
885             1034             // Turn this: BitAnd(value, all-ones)
886             1035             // Into this: value.
887             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
888             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
889             1038                 replaceWithIdentity(m_value->child(0));
890             1039                 break;
891             1040             }
892
893         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
894
895             262 inline bool Value::isInt(int64_t value) const
896             263 {
897             264     return hasInt() && asInt() == value;
898             265 }
899
900         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
901
902             257 inline int64_t Value::asInt() const
903             258 {
904             259     return hasInt32() ? asInt32() : asInt64();
905             260 }
906
907         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
908         We should use `isInt32` and `isInt64` for bit patterns (like operands for bitwise opcodes).
909
910         We also fix the following optimization.
911
912             // Turn this: BitAnd(Op(value, constant1), constant2)
913             //     where !(constant1 & constant2)
914             //       and Op is BitOr or BitXor
915             // into this: BitAnd(value, constant2)
916
917         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
918
919             // Turn this: BitAnd(BitXor(x, allOnes), c)
920             // Into this: BitXor(BitOr(x, ~c), allOnes)
921
922         We add 32bit versions of the B3 tests for these optimizations.
923
924         * b3/B3LowerToAir.cpp:
925         * b3/B3ReduceStrength.cpp:
926         * b3/testb3.h:
927         * b3/testb3_2.cpp:
928         (testBitAndNotNot32):
929         (testBitAndNotImm):
930         (testBitAndNotImm32):
931         (testBitOrAndAndArgs32):
932         (testBitOrAndSameArgs32):
933         (testBitOrNotNot32):
934         (testBitOrNotImm32):
935         (addBitTests):
936         * b3/testb3_3.cpp:
937         (testBitXorAndAndArgs32):
938         (testBitXorAndSameArgs32):
939
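The two entries for bug 201634 (the original landing above and the re-landing on 2019-09-10 with the BitAnd strength-reduction fix) both turn on one C++ detail: a sign-extended ConstInt32(-1) never compares equal to UINT32_MAX widened to int64_t. The following is an added example, not B3's own code: ConstValue is a hypothetical model of just the constant-query part of B3::Value quoted in the entries (hasInt/asInt/isInt plus the width-aware isInt32/isInt64), with the all-ones test written both ways, and a 32-bit check of the BitAnd(BitXor(x, allOnes), c) rewrite that the entries say was never reached.

```cpp
#include <cstdint>
#include <limits>

// Added example, not B3's own code: a hypothetical model (ConstValue) of the
// part of B3::Value's constant-query API quoted in the ChangeLog entries, so
// the mismatch between isInt() and isInt32() can be exercised in isolation.
struct ConstValue {
    bool is32;     // true models ConstInt32, false models ConstInt64
    int64_t bits;  // stored constant; a 32-bit constant is kept sign-extended

    static ConstValue int32(int32_t v) { return { true, v }; }
    static ConstValue int64(int64_t v) { return { false, v }; }

    bool hasInt32() const { return is32; }
    bool hasInt64() const { return !is32; }
    bool hasInt() const { return true; }
    int32_t asInt32() const { return static_cast<int32_t>(bits); }
    int64_t asInt64() const { return bits; }
    // Same shape as the quoted Value::asInt: a 32-bit constant is widened with
    // sign extension, so ConstInt32(-1) becomes int64_t(-1).
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }

    bool isInt(int64_t value) const { return hasInt() && asInt() == value; }
    // Width-aware variants: compare the bit pattern at the operand's own width.
    bool isInt32(int32_t value) const { return hasInt32() && asInt32() == value; }
    bool isInt64(int64_t value) const { return hasInt64() && asInt64() == value; }
};

// The all-ones test as the quoted B3ReduceStrength lines wrote it. For Int32 it
// asks whether int64_t(-1) == int64_t(0xFFFFFFFF), which is false, so
// BitAnd(value, -1) at 32 bits is never simplified.
bool isAllOnesBuggy(bool typeIsInt64, const ConstValue& c)
{
    return (typeIsInt64 && c.isInt(static_cast<int64_t>(std::numeric_limits<uint64_t>::max())))
        || (!typeIsInt64 && c.isInt(static_cast<int64_t>(std::numeric_limits<uint32_t>::max())));
}

// The width-aware form the entries recommend for bit patterns.
bool isAllOnesFixed(bool typeIsInt64, const ConstValue& c)
{
    return (typeIsInt64 && c.isInt64(-1)) || (!typeIsInt64 && c.isInt32(-1));
}

// The rewrite the entries say was never reached, checked at 32 bits:
//   BitAnd(BitXor(x, allOnes), c)  ->  BitXor(BitOr(x, ~c), allOnes)
// which holds by De Morgan: ~x & c == ~(x | ~c).
bool xorAndIdentityHolds32(uint32_t x, uint32_t c)
{
    uint32_t before = (x ^ 0xFFFFFFFFu) & c;
    uint32_t after = (x | ~c) ^ 0xFFFFFFFFu;
    return before == after;
}
```

isAllOnesBuggy(false, ConstValue::int32(-1)) returns false while isAllOnesFixed returns true for the same operand; for Int64 both agree, which is why the 64-bit tests in testb3 did not catch the problem and 32-bit versions were needed.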
940 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
941
942         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
943         https://bugs.webkit.org/show_bug.cgi?id=189043
944
945         Reviewed by Keith Miller.
946
947         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan
948         and removes Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
949         using Wasm::StreamingParser.
950
951         Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will
952         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
953         and instantiateStreaming.
954
955         * JavaScriptCore.xcodeproj/project.pbxproj:
956         * Sources.txt:
957         * tools/JSDollarVM.cpp:
958         (JSC::WasmStreamingParser::WasmStreamingParser):
959         * wasm/WasmAirIRGenerator.cpp:
960         (JSC::Wasm::parseAndCompileAir):
961         * wasm/WasmAirIRGenerator.h:
962         * wasm/WasmB3IRGenerator.cpp:
963         (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
964         * wasm/WasmB3IRGenerator.h:
965         * wasm/WasmBBQPlan.cpp:
966         (JSC::Wasm::BBQPlan::BBQPlan):
967         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
968         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
969         (JSC::Wasm::BBQPlan::compileFunctions):
970         (JSC::Wasm::BBQPlan::complete):
971         * wasm/WasmBBQPlan.h:
972         * wasm/WasmModuleParser.cpp: Removed.
973         * wasm/WasmModuleParser.h: Removed.
974         * wasm/WasmOMGForOSREntryPlan.cpp:
975         (JSC::Wasm::OMGForOSREntryPlan::work):
976         * wasm/WasmOMGPlan.cpp:
977         (JSC::Wasm::OMGPlan::work):
978         * wasm/WasmPlan.cpp:
979         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
980         * wasm/WasmSectionParser.cpp:
981         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
982         * wasm/WasmStreamingParser.cpp:
983         (JSC::Wasm::StreamingParser::StreamingParser):
984         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
985         (JSC::Wasm::StreamingParser::parseFunctionPayload):
986         (JSC::Wasm::StreamingParser::parseSectionPayload):
987         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
988         * wasm/WasmStreamingParser.h:
989         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
990         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
991         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
992         which has 3 callbacks right now. StreamingParser gets this client and calls these callbacks
993         at appropriate timings.
994         * wasm/WasmValidate.cpp:
995         (JSC::Wasm::validateFunction):
996         * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.
997
998 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
999
1000         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
1001         https://bugs.webkit.org/show_bug.cgi?id=201622
1002
1003         Reviewed by Mark Lam.
1004
1005         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, but some of the places reallocate
1006         this Vector without taking a lock. If the Vector's memory is reallocated while the concurrent collector is iterating it,
1007         the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
1008
1009         * bytecode/CodeBlock.cpp:
1010         (JSC::CodeBlock::finishCreation):
1011         (JSC::CodeBlock::setConstantRegisters):
1012         * bytecode/CodeBlock.h:
1013         (JSC::CodeBlock::addConstant):
1014         (JSC::CodeBlock::addConstantLazily):
1015         * dfg/DFGDesiredWatchpoints.cpp:
1016         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1017         (JSC::DFG::SymbolTableAdaptor::add):
1018         (JSC::DFG::FunctionExecutableAdaptor::add):
1019         * dfg/DFGGraph.cpp:
1020         (JSC::DFG::Graph::registerFrozenValues):
1021         * dfg/DFGJITFinalizer.cpp:
1022         (JSC::DFG::JITFinalizer::finalizeCommon):
1023         * dfg/DFGLazyJSValue.cpp:
1024         (JSC::DFG::LazyJSValue::emit const):
1025
1026 2019-09-09  Robin Morisset  <rmorisset@apple.com>
1027
1028         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
1029         https://bugs.webkit.org/show_bug.cgi?id=197305
1030
1031         Reviewed by Keith Miller.
1032
1033         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
1034         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
1035
1036         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
1037         Apart from that, the patch includes some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (which for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
1038
1039         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
1040         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
1041
1042         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
1043
1044         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1045
1046 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
1047
1048         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
1049         https://bugs.webkit.org/show_bug.cgi?id=201613
1050
1051         Reviewed by Mark Lam.
1052
1053         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
1054         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
1055         issue that `op_create_promise` missed propertyAccessInstructions registration (the name "propertyAccessInstructions" is
1056         misleading; it is more like "instructions-requires-llint-finalize").
1057
1058         * bytecode/CodeBlock.cpp:
1059         (JSC::CodeBlock::propagateTransitions):
1060         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1061         * bytecode/UnlinkedCodeBlock.cpp:
1062         (JSC::UnlinkedCodeBlock::applyModification):
1063         (JSC::UnlinkedCodeBlock::shrinkToFit):
1064         * bytecode/UnlinkedCodeBlock.h:
1065         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
1066         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
1067         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
1068         * bytecompiler/BytecodeGenerator.cpp:
1069         (JSC::BytecodeGenerator::emitResolveScope):
1070         (JSC::BytecodeGenerator::emitGetFromScope):
1071         (JSC::BytecodeGenerator::emitPutToScope):
1072         (JSC::BytecodeGenerator::emitGetById):
1073         (JSC::BytecodeGenerator::emitDirectGetById):
1074         (JSC::BytecodeGenerator::emitPutById):
1075         (JSC::BytecodeGenerator::emitDirectPutById):
1076         (JSC::BytecodeGenerator::emitCreateThis):
1077         (JSC::BytecodeGenerator::emitToThis):
1078         * runtime/CachedTypes.cpp:
1079         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1080         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1081
1082 2019-09-07  Keith Miller  <keith_miller@apple.com>
1083
1084         OSR entry into wasm misses some contexts
1085         https://bugs.webkit.org/show_bug.cgi?id=201569
1086
1087         Reviewed by Yusuke Suzuki.
1088
1089         This patch fixes an issue where we could fail to capture some of
1090         our contexts when OSR entering into wasm code. Before we would
1091         only capture the state of the block immediately surrounding the
1092         entrance loop block header. We actually need to capture all
1093         enclosed stacks.
1094
1095         Additionally, we don't need to use variables for all the captured
1096         values. We can use a Phi and insert an upsilon just below the
1097         captured value.
1098
1099         * interpreter/CallFrame.h:
1100         * jsc.cpp:
1101         (GlobalObject::finishCreation):
1102         (functionCallerIsOMGCompiled):
1103         * wasm/WasmAirIRGenerator.cpp:
1104         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1105         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
1106         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
1107         (JSC::Wasm::AirIRGenerator::addLoop):
1108         * wasm/WasmB3IRGenerator.cpp:
1109         (JSC::Wasm::B3IRGenerator::createStack):
1110         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1111         (JSC::Wasm::B3IRGenerator::addConstant):
1112         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
1113         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
1114         (JSC::Wasm::B3IRGenerator::addLoop):
1115         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
1116         (JSC::Wasm::dumpExpressionStack):
1117         (JSC::Wasm::B3IRGenerator::dump):
1118         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
1119         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
1120         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
1121         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
1122         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
1123         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
1124         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
1125         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
1126         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
1127         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
1128         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
1129         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
1130         * wasm/WasmFunctionParser.h:
1131         (JSC::Wasm::FunctionParser::controlStack):
1132
1133 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
1134
1135         [JSC] Promise resolve/reject functions should be created more efficiently
1136         https://bugs.webkit.org/show_bug.cgi?id=201488
1137
1138         Reviewed by Mark Lam.
1139
1140         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
1141         Unfortunately, anonymous-builtin-functions can be created frequently since this type of function is used
1142         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
1143         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
1144
1145         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
1146         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
1147         anonymous-builtin-function creation faster.
1148
1149         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
1150         The simple microbenchmark shows 1.7x improvement.
1151
1152                                               ToT                     Patched
1153
1154             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
1155
1156         * dfg/DFGSpeculativeJIT.cpp:
1157         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1158         * ftl/FTLLowerDFGToB3.cpp:
1159         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1160         * runtime/FunctionRareData.cpp:
1161         (JSC::FunctionRareData::create):
1162         (JSC::FunctionRareData::FunctionRareData):
1163         * runtime/FunctionRareData.h:
1164         * runtime/JSFunction.cpp:
1165         (JSC::JSFunction::finishCreation):
1166         (JSC::JSFunction::allocateRareData):
1167         (JSC::JSFunction::allocateAndInitializeRareData):
1168         * runtime/JSFunctionInlines.h:
1169         (JSC::JSFunction::hasReifiedName const):
1170
1171 2019-09-07  Mark Lam  <mark.lam@apple.com>
1172
1173         performJITMemcpy() source buffer should not be in the Gigacage.
1174         https://bugs.webkit.org/show_bug.cgi?id=201577
1175         <rdar://problem/55142606>
1176
1177         Reviewed by Michael Saboff.
1178
1179         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
1180         buffer is not in the Gigacage.
1181
1182         * jit/ExecutableAllocator.h:
1183         (JSC::performJITMemcpy):
1184
1185 2019-09-07  Mark Lam  <mark.lam@apple.com>
1186
1187         The jsc shell should allow disabling of the Gigacage for testing purposes.
1188         https://bugs.webkit.org/show_bug.cgi?id=201579
1189
1190         Reviewed by Michael Saboff.
1191
1192         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
1193         this env var is present and it has a falsy value, then do not
1194         forbidDisablingPrimitiveGigacage() in the jsc shell.
1195
1196         * jsc.cpp:
1197         (jscmain):
1198
1199 2019-09-06  Mark Lam  <mark.lam@apple.com>
1200
1201         Harden protection of the Gigacage Config parameters.
1202         https://bugs.webkit.org/show_bug.cgi?id=201570
1203         <rdar://problem/55134229>
1204
1205         Reviewed by Saam Barati.
1206
1207         Just renaming some function names here.
1208
1209         * assembler/testmasm.cpp:
1210         (JSC::testCagePreservesPACFailureBit):
1211         * jit/AssemblyHelpers.h:
1212         (JSC::AssemblyHelpers::cageConditionally):
1213         * jsc.cpp:
1214         (jscmain):
1215
1216 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
1217
1218         Math.round() produces wrong result for value prior to 0.5
1219         https://bugs.webkit.org/show_bug.cgi?id=185115
1220
1221         Reviewed by Saam Barati.
1222
1223         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
1224         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
1225
1226         Specifically:
1227           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
1228             so taking the difference between `ceil(value)` and `value` is problematic.
1229           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
1230             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
1231
1232         * dfg/DFGSpeculativeJIT.cpp:
1233         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1234         * ftl/FTLLowerDFGToB3.cpp:
1235         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1236         * jit/ThunkGenerators.cpp:
1237         (JSC::roundThunkGenerator):
1238         * runtime/MathCommon.cpp:
1239
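Both failure modes the entry names (floor(x + 0.5) for the value just below 0.5, and ceil(value) - value collapsing to exactly 0.5) can be reproduced in plain double arithmetic. The following is an added example written for this page, not JSC's MathCommon or JIT code: roundNaive and ceilDifferenceCollapsesToHalf show the two problems, and roundJS is one formulation of Math.round's round-half-toward-positive-infinity rule that avoids them; the function names are this example's own.

```cpp
#include <cmath>

// Added example, not JSC's implementation: the floor(x + 0.5) approach the
// entry describes for the old baseline JIT, next to a formulation that does
// not depend on a subtraction that can round.
double roundNaive(double x)
{
    // 0.49999999999999994 + 0.5 is not representable; it rounds (ties-to-even)
    // up to 1.0, so floor() returns 1 where Math.round must return 0.
    return std::floor(x + 0.5);
}

// The other problem noted in the entry: ceil(x) - x collapses to exactly 0.5
// for x = 0.49999999999999994, so a test of that difference against 0.5
// cannot tell this value apart from a true half-way case.
bool ceilDifferenceCollapsesToHalf(double x)
{
    return std::ceil(x) - x == 0.5;
}

// Math.round semantics (round half toward +infinity), computed from floor(x).
// x - floor(x) is exact for |x| >= 1 (Sterbenz lemma); for 0 <= x < 1 it is x
// itself, and for -1 < x < 0 any rounding of x + 1 cannot move it across 0.5,
// so the comparison still decides correctly. The sign of a negative-zero
// result is not preserved here; JSC handles -0 separately.
double roundJS(double x)
{
    if (!std::isfinite(x))
        return x;
    double f = std::floor(x);
    return (x - f) >= 0.5 ? f + 1.0 : f;
}
```

roundNaive(0.49999999999999994) returns 1 and ceilDifferenceCollapsesToHalf(0.49999999999999994) returns true, while roundJS returns 0 for that input and still gives 3 for 2.5 and -2 for -2.5, the half-way cases where Math.round differs from C's round().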
1240 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1241
1242         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
1243         https://bugs.webkit.org/show_bug.cgi?id=201366
1244
1245         Reviewed by Saam Barati.
1246
1247         It is possible for the log buffer to be full right as someone is trying to
1248         log a function prologue. In such a case the machine stack has already been
1249         updated to include the new JavaScript call frame, but the prologue packet
1250         cannot be included in the update because the log is full. This would mean
1251         that the update fails to rationalize the machine stack with the shadow
1252         log / stack. Namely, the current JavaScript call frame is unable to
1253         find a matching prologue (the one we are holding to include after the update)
1254         and inserts a questionable value into the stack; and in the process
1255         missing and removing real potential tail calls.
1256
1257         For example:
1258         
1259             "use strict";
1260             function third() { return 1; }
1261             function second() { return third(); }
1262             function first() { return second(); }
1263             function start() { return first(); }
1264
1265         If the log fills up just as we are entering `b` then we may have a full
1266         log of packets looking like:
1267
1268           Shadow Log:
1269             ...
1270             { prologue-packet: entering `start` ... }
1271             { prologue-packet: entering `first` ... }
1272             { tail-packet: leaving `first` with a tail call }
1273
1274           Incoming Packet:
1275             { prologue-packet: entering `second` ... }
1276
1277           Current JS Stack:
1278             second
1279             start
1280
1281         Since the Current JavaScript stack already has `second`, if we process the
1282         log without the prologue for `second` then we push a confused entry on the
1283         shadow stack and clear the log such that we eventually lose the tail-call
1284         information for `first` to `second`.
1285
1286         This patch solves this issue by providing enough extra space in the log
1287         to always process the incoming packet when that forces an update. This way
1288         clients can continue to behave exactly as they are.
1289
1290         --
1291
1292         We also document a corner case in some circumstances where the shadow
1293         log may currently be insufficient to know how to reconcile:
1294         
1295         For example:
1296
1297             "use strict";
1298             function third() { return 1; }
1299             function second() { return third(); }
1300             function first() { return second(); }
1301             function doNothingTail() { return Math.random(); }
1302             function start() {
1303                 for (let i = 0; i < 1000; ++i) doNothingTail();
1304                 return first();
1305             }
1306
1307         In this case the ShadowChicken log may be processed multiple times due
1308         to the many calls to `doNothingTail` / `Math.random()`. When calling the
1309         Native function no prologue packet is emitted, so it is unclear that we
1310         temporarily go deeper and come back out on the stack, so the log appears
1311         to have lots of doNothingTail calls reusing the same frame:
1312
1313           Shadow Log:
1314             ...
1315             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
1316             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1317             , [125] tail-packet:{frame = 0x7ffeef8971f0}
1318             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1319             , [127] tail-packet:{frame = 0x7ffeef8971f0}
1320             ...
1321             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1322             , [141] tail-packet:{frame = 0x7ffeef8971f0}
1323             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1324             , [143] tail-packet:{frame = 0x7ffeef8971f0}
1325             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
1326             , [145] tail-packet:{frame = 0x7ffeef8971f0}
1327             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
1328             ...
1329
1330         This log would seem to be indistinguishable from real tail recursion, such as:
1331
1332             "use strict";
1333             function third() { return 1; }
1334             function second() { return third(); }
1335             function first() { return second(); }
1336             function doNothingTail(n) {
1337                 return n ? doNothingTail(n-1) : first();
1338             }
1339             function start() {
1340                 return doNothingTail(1000);
1341             }
1342
1343         Likewise there are more cases where the shadow log appears to be ambiguous with determining
1344         the appropriate parent call frame with intermediate function calls. In practice this may
1345         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
1346         It seems likely we would only show additional frames that did in fact happen serially
1347         between JavaScript call frames, but may not actually be the proper parent frames
1348         hierarchy in the stack.
1349
1350         * interpreter/ShadowChicken.cpp:
1351         (JSC::ShadowChicken::Packet::dump const):
1352         (JSC::ShadowChicken::Frame::dump const):
1353         (JSC::ShadowChicken::dump const):
1354         Improved debugging output. Especially for functions.
1355
1356         (JSC::ShadowChicken::ShadowChicken):
1357         Make space in the log for 1 additional packet to process when we slow log.
1358
1359         (JSC::ShadowChicken::log):
1360         Include this packet in our update.
1361
1362         (JSC::ShadowChicken::update):
1363         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
1364
1365 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
1366
1367         Unreviewed, rolling out r249566.
1368
1369         Causes inspector layout test crashes under GuardMalloc
1370
1371         Reverted changeset:
1372
1373         "Tail Deleted Frames shown in Web Inspector are sometimes
1374         incorrect (Shadow Chicken)"
1375         https://bugs.webkit.org/show_bug.cgi?id=201366
1376         https://trac.webkit.org/changeset/249566
1377
1378 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
1379
1380         testmasm: save r6 in JIT'ed code on ARM_THUMB2
1381         https://bugs.webkit.org/show_bug.cgi?id=201138
1382
1383         Reviewed by Mark Lam.
1384
1385         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
1386         callee-saved register. The JITs use
1387         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
1388         callee-saved registers, but there is no such mechanism in testmasm,
1389         which seems to make the assumption that the macroassembler does not
1390         use callee-saved registers (which I guess is true for all other
1391         architectures, but not for Armv7).
1392
1393         This issue means that testmasm crashes on Armv7 since code generated
1394         by gcc uses r6, and it gets modified by JIT'ed code.
1395
1396         This change makes sure that we save and restore r6 for all code
1397         compiled by testmasm on Armv7.
1398
1399         * assembler/testmasm.cpp:
1400         (JSC::emitFunctionPrologue):
1401         (JSC::emitFunctionEpilogue):
1402         (JSC::testSimple):
1403         (JSC::testGetEffectiveAddress):
1404         (JSC::testBranchTruncateDoubleToInt32):
1405         (JSC::testBranchTestBit32RegReg):
1406         (JSC::testBranchTestBit32RegImm):
1407         (JSC::testBranchTestBit32AddrImm):
1408         (JSC::testBranchTestBit64RegReg):
1409         (JSC::testBranchTestBit64RegImm):
1410         (JSC::testBranchTestBit64AddrImm):
1411         (JSC::testCompareDouble):
1412         (JSC::testMul32WithImmediates):
1413         (JSC::testMul32SignExtend):
1414         (JSC::testCompareFloat):
1415         (JSC::testProbeReadsArgumentRegisters):
1416         (JSC::testProbeWritesArgumentRegisters):
1417         (JSC::testProbePreservesGPRS):
1418         (JSC::testProbeModifiesStackPointer):
1419         (JSC::testProbeModifiesProgramCounter):
1420         (JSC::testProbeModifiesStackValues):
1421         (JSC::testByteSwap):
1422         (JSC::testMoveDoubleConditionally32):
1423         (JSC::testMoveDoubleConditionally64):
1424         (JSC::testCagePreservesPACFailureBit):
1425
1426 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1427
1428         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
1429         https://bugs.webkit.org/show_bug.cgi?id=201366
1430
1431         Reviewed by Saam Barati.
1432
1433         It is possible for the log buffer to be full right as someone is trying to
1434         log a function prologue. In such a case the machine stack has already been
1435         updated to include the new JavaScript call frame, but the prologue packet
1436         cannot be included in the update because the log is full. This would mean
1437         that the update fails to rationalize the machine stack with the shadow
1438         log / stack. Namely, the current JavaScript call frame is unable to
1439         find a matching prologue (the one we are holding to include after the update)
1440         and inserts a questionable value into the stack; and in the process
1441         missing and removing real potential tail calls.
1442
1443         For example:
1444         
1445             "use strict";
1446             function third() { return 1; }
1447             function second() { return third(); }
1448             function first() { return second(); }
1449             function start() { return first(); }
1450
1451         If the log fills up just as we are entering `b` then we may have a
1452         full log of packets looking like:
1453
1454           Shadow Log:
1455             ...
1456             { prologue-packet: entering `start` ... }
1457             { prologue-packet: entering `first` ... }
1458             { tail-packet: leaving `first` with a tail call }
1459
1460           Incoming Packet:
1461             { prologue-packet: entering `second` ... }
1462
1463           Current JS Stack:
1464             second
1465             start
1466
1467         Since the Current JavaScript stack already has `second`, if we process the
1468         log without the prologue for `second` then we push a confused entry on the
1469         shadow stack and clear the log such that we eventually lose the tail-call
1470         information for `first` to `second`.
1471
1472         This patch solves this issue by providing enough extra space in the log
1473         to always process the incoming packet when that forces an update. This way
1474         clients can continue to behave exactly as they are.
1475
1476         --
1477
1478         We also document a corner case in some circumstances where the shadow
1479         log may currently be insufficient to know how to reconcile:
1480         
1481         For example:
1482
1483             "use strict";
1484             function third() { return 1; }
1485             function second() { return third(); }
1486             function first() { return second(); }
1487             function doNothingTail() { return Math.random(); }
1488             function start() {
1489                 for (let i = 0; i < 1000; ++i) doNothingTail();
1490                 return first();
1491             }
1492
1493         In this case the ShadowChicken log may be processed multiple times due
1494         to the many calls to `doNothingTail` / `Math.random()`. When calling the
1495         Native function no prologue packet is emitted, so it is unclear that we
1496         temporarily go deeper and come back out on the stack, so the log appears
1497         to have lots of doNothingTail calls reusing the same frame:
1498
1499           Shadow Log:
1500             ...
1501             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
1502             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1503             , [125] tail-packet:{frame = 0x7ffeef8971f0}
1504             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1505             , [127] tail-packet:{frame = 0x7ffeef8971f0}
1506             ...
1507             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1508             , [141] tail-packet:{frame = 0x7ffeef8971f0}
1509             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1510             , [143] tail-packet:{frame = 0x7ffeef8971f0}
1511             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
1512             , [145] tail-packet:{frame = 0x7ffeef8971f0}
1513             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
1514             ...
1515
1516         This log would seem to be indistinguishable from real tail recursion, such as:
1517
1518             "use strict";
1519             function third() { return 1; }
1520             function second() { return third(); }
1521             function first() { return second(); }
1522             function doNothingTail(n) {
1523                 return n ? doNothingTail(n-1) : first();
1524             }
1525             function start() {
1526                 return doNothingTail(1000);
1527             }
1528
1529         Likewise there are more cases where the shadow log appears to be ambiguous with determining
1530         the appropriate parent call frame with intermediate function calls. In practice this may
1531         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
1532         It seems likely we would only show additional frames that did in fact happen serially
1533         between JavaScript call frames, but may not actually be the proper parent frames
1534         hierarchy in the stack.
1535
1536         * interpreter/ShadowChicken.cpp:
1537         (JSC::ShadowChicken::Packet::dump const):
1538         (JSC::ShadowChicken::Frame::dump const):
1539         (JSC::ShadowChicken::dump const):
1540         Improved debugging output. Especially for functions.
1541
1542         (JSC::ShadowChicken::ShadowChicken):
1543         Make space in the log for 1 additional packet to process when we slow log.
1544
1545         (JSC::ShadowChicken::log):
1546         Include this packet in our update.
1547
1548         (JSC::ShadowChicken::update):
1549         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
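         The following is an added illustration, not JSC code and not part of this
         ChangeLog entry or of its reland above: a constructed, much simplified model
         of a ShadowChicken-style shadow log and its reconciliation with the machine
         stack. It replays the `start -> first -> (tail call) second -> third` scenario
         described in both entries with a log that is exactly full when `second`'s
         prologue arrives, once without room for the incoming packet (the old
         behaviour) and once with one packet of slack (the fix). Frame ids, packet
         shapes and the reconciliation rule are assumptions made for the example.

```javascript
// Added example, not JSC code: a simplified model of a ShadowChicken-style
// shadow log and its reconciliation with the machine stack, showing why the
// update must be able to include the packet that found the log full.
// Frame ids are strings standing in for frame pointers (constructed values).

const prologuePacket = (callee, frame) => ({ kind: "prologue", callee, frame });
const tailPacket = (frame) => ({ kind: "tail", frame });

class ShadowLog {
  // capacity: packets that fit before the log counts as full.
  // slack: extra room so the packet that triggered the update can join it
  //        (slack = 1 corresponds to the fix; slack = 0 to the old behaviour).
  constructor(capacity, slack) {
    this.capacity = capacity;
    this.slack = slack;
    this.packets = [];
    this.shadowStack = []; // { callee, frame, tailCalled, tailDeleted: [names] }
  }

  log(packet, machineStack) {
    if (this.packets.length < this.capacity) {
      this.packets.push(packet);
    } else if (this.slack > 0) {
      this.packets.push(packet); // incoming packet takes part in the update
      this.update(machineStack);
    } else {
      this.update(machineStack); // update runs without the incoming packet...
      this.packets.push(packet); // ...which is only logged afterwards
    }
  }

  replayPackets() {
    for (const p of this.packets) {
      const top = this.shadowStack[this.shadowStack.length - 1];
      if (p.kind === "tail") {
        if (top && top.frame === p.frame) top.tailCalled = true;
        continue;
      }
      const entry = { callee: p.callee, frame: p.frame, tailCalled: false, tailDeleted: [] };
      if (top && top.frame === p.frame) {
        // The frame is being reused. If its previous occupant left with a
        // tail call, that occupant becomes a tail-deleted frame of the new one.
        if (top.tailCalled) entry.tailDeleted = [...top.tailDeleted, top.callee];
        this.shadowStack.pop();
      }
      this.shadowStack.push(entry);
    }
    this.packets = [];
  }

  update(machineStack) {
    this.replayPackets();
    // Reconcile with the machine stack (bottom first): a shadow entry survives
    // only if a live machine frame has the same frame and callee; a machine
    // frame with no matching prologue gets a bare entry with no tail-call info.
    this.shadowStack = machineStack.map((mf) =>
      this.shadowStack.find((e) => e.frame === mf.frame && e.callee === mf.callee)
        || { callee: mf.callee, frame: mf.frame, tailCalled: false, tailDeleted: [] });
  }

  describe() {
    return this.shadowStack.map((e) =>
      e.tailDeleted.length ? `${e.callee}(tail-deleted: ${e.tailDeleted.join(",")})` : e.callee);
  }
}

// The ChangeLog scenario: start -> first, first tail-calls second, second calls
// third, with a three-packet log that is exactly full when `second`'s prologue
// arrives. Returns the reconstructed shadow stack, bottom first.
function runScenario(slack) {
  const shadow = new ShadowLog(3, slack);
  const start = { callee: "start", frame: "F0" };
  const first = { callee: "first", frame: "F1" };
  const second = { callee: "second", frame: "F1" }; // reuses first's frame (tail call)
  const third = { callee: "third", frame: "F2" };

  shadow.log(prologuePacket("start", "F0"), [start]);
  shadow.log(prologuePacket("first", "F1"), [start, first]);
  shadow.log(tailPacket("F1"), [start, first]);                // log is now full
  shadow.log(prologuePacket("second", "F1"), [start, second]); // forces an update
  shadow.log(prologuePacket("third", "F2"), [start, second, third]);
  shadow.update([start, second, third]);                       // final flush
  return shadow.describe();
}

console.log("old behaviour:", runScenario(0)); // tail call from first is lost
console.log("with slack:   ", runScenario(1)); // second carries tail-deleted first
```

         With `slack = 0` the update sees `first` marked as tail-calling but no
         prologue for `second`, so reconciliation replaces `first` with a bare
         `second` entry and the tail-call information is gone for good; with
         `slack = 1` the incoming prologue is replayed in the same update and
         `second` correctly records `first` as a tail-deleted frame.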
1550
1551 2019-09-05  Mark Lam  <mark.lam@apple.com>
1552
1553         Refactor the Gigacage code to require less pointer casting.
1554         https://bugs.webkit.org/show_bug.cgi?id=201521
1555
1556         Reviewed by Saam Barati.
1557
1558         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
1559         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
1560
1561         * jit/AssemblyHelpers.h:
1562         (JSC::AssemblyHelpers::cageConditionally):
1563         * llint/LowLevelInterpreter.asm:
1564         * llint/LowLevelInterpreter64.asm:
1565         * runtime/VM.h:
1566         (JSC::VM::gigacageAuxiliarySpace):
1567
1568 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1569
1570         Unreviewed, follow-up after r249530 and r249509
1571         https://bugs.webkit.org/show_bug.cgi?id=201495
1572
1573         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
1574
1575         * builtins/PromiseConstructor.js:
1576         (nakedConstructor.Promise.resolve):
1577         (nakedConstructor.Promise.reject):
1578         (nakedConstructor.Promise):
1579         (nakedConstructor.InternalPromise.resolve):
1580         (nakedConstructor.InternalPromise.reject):
1581         (nakedConstructor.InternalPromise):
1582         * ftl/FTLLowerDFGToB3.cpp:
1583         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
1584         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
1585         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
1586         * ftl/FTLOutput.h:
1587         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
1588         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
1589         (JSC::FTL::Output::weakPointer): Deleted.
1590
1591 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1592
1593         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
1594         https://bugs.webkit.org/show_bug.cgi?id=201513
1595
1596         Reviewed by Ross Kirsling.
1597
1598         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and makes it reusable for the other objects.
1599         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
1600
1601         The profiler is reporting many recompilations of Generator's resume function (including async generator's one). We are using properties
1602         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
1603         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
1604         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
1605         And every time a new Structure for a new generator pops up, DFG/FTL code for the generator resume function gets an OSR exit, or eventually this function
1606         ends up emitting super generic code unfortunately. By using internal fields for storing this state, we can avoid this performance problem.
1607
1608         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can hold a specified
1609         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
1610
1611         * CMakeLists.txt:
1612         * JavaScriptCore.xcodeproj/project.pbxproj:
1613         * bytecode/BytecodeList.rb:
1614         * bytecode/BytecodeUseDef.h:
1615         (JSC::computeUsesForBytecodeOffset):
1616         (JSC::computeDefsForBytecodeOffset):
1617         * bytecode/CodeBlock.cpp:
1618         (JSC::CodeBlock::finishCreation):
1619         * bytecode/Opcode.h:
1620         * bytecompiler/BytecodeGenerator.cpp:
1621         (JSC::BytecodeGenerator::emitGetInternalField):
1622         (JSC::BytecodeGenerator::emitPutInternalField):
1623         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
1624         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
1625         * bytecompiler/BytecodeGenerator.h:
1626         * bytecompiler/NodesCodegen.cpp:
1627         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1628         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1629         * dfg/DFGAbstractInterpreterInlines.h:
1630         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1631         * dfg/DFGByteCodeParser.cpp:
1632         (JSC::DFG::ByteCodeParser::parseBlock):
1633         * dfg/DFGCapabilities.cpp:
1634         (JSC::DFG::capabilityLevel):
1635         * dfg/DFGClobberize.h:
1636         (JSC::DFG::clobberize):
1637         * dfg/DFGDoesGC.cpp:
1638         (JSC::DFG::doesGC):
1639         * dfg/DFGFixupPhase.cpp:
1640         (JSC::DFG::FixupPhase::fixupNode):
1641         * dfg/DFGMayExit.cpp:
1642         * dfg/DFGNode.h:
1643         (JSC::DFG::Node::hasInternalFieldIndex):
1644         (JSC::DFG::Node::hasHeapPrediction):
1645         * dfg/DFGNodeType.h:
1646         * dfg/DFGPredictionPropagationPhase.cpp:
1647         * dfg/DFGSafeToExecute.h:
1648         (JSC::DFG::safeToExecute):
1649         * dfg/DFGSpeculativeJIT.cpp:
1650         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
1651         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
1652         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1653         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1654         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
1655         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
1656         * dfg/DFGSpeculativeJIT.h:
1657         * dfg/DFGSpeculativeJIT32_64.cpp:
1658         (JSC::DFG::SpeculativeJIT::compile):
1659         * dfg/DFGSpeculativeJIT64.cpp:
1660         (JSC::DFG::SpeculativeJIT::compile):
1661         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1662         * ftl/FTLAbstractHeapRepository.h:
1663         * ftl/FTLCapabilities.cpp:
1664         (JSC::FTL::canCompile):
1665         * ftl/FTLLowerDFGToB3.cpp:
1666         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1667         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1668         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1669         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
1670         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
1671         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
1672         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
1673         * jit/JIT.cpp:
1674         (JSC::JIT::privateCompileMainPass):
1675         * jit/JIT.h:
1676         * jit/JITPropertyAccess.cpp:
1677         (JSC::JIT::emit_op_get_internal_field):
1678         (JSC::JIT::emit_op_put_internal_field):
1679         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
1680         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
1681         * jit/JITPropertyAccess32_64.cpp:
1682         (JSC::JIT::emit_op_get_internal_field):
1683         (JSC::JIT::emit_op_put_internal_field):
1684         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
1685         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
1686         * llint/LLIntOffsetsExtractor.cpp:
1687         * llint/LowLevelInterpreter.asm:
1688         * llint/LowLevelInterpreter32_64.asm:
1689         * llint/LowLevelInterpreter64.asm:
1690         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1691         (JSC::JSInternalFieldObjectImpl::allocationSize):
1692         (JSC::JSInternalFieldObjectImpl::internalField const):
1693         (JSC::JSInternalFieldObjectImpl::internalField):
1694         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
1695         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
1696         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
1697         * runtime/JSInternalFieldObjectImplInlines.h: Added.
1698         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
1699         * runtime/JSPromise.cpp:
1700         (JSC::JSPromise::finishCreation):
1701         (JSC::JSPromise::visitChildren):
1702         (JSC::JSPromise::status const):
1703         (JSC::JSPromise::result const):
1704         (JSC::JSPromise::isHandled const):
1705         * runtime/JSPromise.h:
1706         (JSC::JSPromise::allocationSize): Deleted.
1707         (JSC::JSPromise::offsetOfInternalFields): Deleted.
1708         (JSC::JSPromise::offsetOfInternalField): Deleted.
1709         (): Deleted.
1710
1711 2019-09-05  Commit Queue  <commit-queue@webkit.org>
1712
1713         Unreviewed, rolling out r247463.
1714         https://bugs.webkit.org/show_bug.cgi?id=201515
1715
1716         JetStream2 code-load related regression (Requested by
1717         yusukesuzuki on #webkit).
1718
1719         Reverted changeset:
1720
1721         "Keyword lookup can use memcmp to get around unaligned load
1722         undefined behavior"
1723         https://bugs.webkit.org/show_bug.cgi?id=199650
1724         https://trac.webkit.org/changeset/247463
1725
1726 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
1727
1728         LazyClassStructure::setConstructor should not store the constructor to the global object
1729         https://bugs.webkit.org/show_bug.cgi?id=201484
1730         <rdar://problem/50400451>
1731
1732         Reviewed by Yusuke Suzuki.
1733
1734         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
1735         This became a problem when it started being used for WebAssembly constructors, such as Module
1736         and Instance, since they are properties of the WebAssembly object, not the global object. That
1737         resulted in properties of the global object being replaced whenever a lazy WebAssembly constructor
1738         was first accessed. e.g.
1739
1740         globalThis.Module = x;
1741         WebAssembly.Module;
1742         globalThis.Module === WebAssembly.Module;
1743
1744         * runtime/LazyClassStructure.cpp:
1745         (JSC::LazyClassStructure::Initializer::setConstructor):
1746         * runtime/LazyClassStructure.h:
1747         * runtime/Lookup.h:
1748         (JSC::reifyStaticProperty):
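         As an added regression check, not WebKit code and not part of this entry:
         the snippet above turned into a reusable test that plants a sentinel global,
         forces a lazily initialized constructor to materialize, and reports whether
         the global survived. It generalizes the two constructors named above to a
         list of WebAssembly namespace members (the extra names are an assumption),
         and includes a constructed stand-in holder that reproduces the described
         misbehaviour so the check can be seen to fail as well as pass.

```javascript
// Added regression check (not WebKit code): touching a lazily initialized
// WebAssembly constructor must not replace a same-named global property.
// Runs in any host with a WebAssembly object (Node.js, a browser, jsc).

// Constructors reached through the WebAssembly namespace. "Module" and
// "Instance" are the two named in the ChangeLog; the others are assumed to be
// worth checking as well.
const LAZY_WASM_CONSTRUCTORS = ["Module", "Instance", "Memory", "Table"];

// For each name: plant a sentinel on globalThis, read the constructor from the
// holder (first access is what triggers lazy initialization), then report
// whether the global still holds the sentinel. Globals are restored afterwards.
// Returns a map name -> true (intact) / false (clobbered).
function checkLazyConstructorsDoNotClobberGlobals(names = LAZY_WASM_CONSTRUCTORS, holder = WebAssembly) {
  const results = {};
  for (const name of names) {
    const hadOwn = Object.prototype.hasOwnProperty.call(globalThis, name);
    const saved = globalThis[name];
    const sentinel = { marker: `sentinel for ${name}` }; // constructed value
    globalThis[name] = sentinel;
    try {
      const ctor = holder[name];
      results[name] = typeof ctor === "function" && globalThis[name] === sentinel;
    } finally {
      if (hadOwn) globalThis[name] = saved;
      else delete globalThis[name];
    }
  }
  return results;
}

function allIntact(results) {
  return Object.values(results).every(Boolean);
}

// Constructed stand-in for the bug: a holder whose lazy getter stores the
// constructor on the global object instead of on the holder itself.
function makeClobberingHolder() {
  const holder = {};
  Object.defineProperty(holder, "Module", {
    configurable: true,
    get() {
      globalThis.Module = function Module() {}; // writes to the wrong object
      return globalThis.Module;
    },
  });
  return holder;
}

console.log("real WebAssembly:", checkLazyConstructorsDoNotClobberGlobals());
console.log("clobbering stand-in:", checkLazyConstructorsDoNotClobberGlobals(["Module"], makeClobberingHolder()));
```

         The check restores the previous global (or deletes the one it created) in a
         `finally` block so it can run inside a larger test suite without leaving
         `globalThis` polluted.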
1749
1750 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1751
1752         [JSC] Do not use FTLOutput::weakPointer directly
1753         https://bugs.webkit.org/show_bug.cgi?id=201495
1754
1755         Reviewed by Filip Pizlo.
1756
1757         FTLOutput::weakPointer does not register the cell as a weak pointer.
1758         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
1759         While the current implementation does not pose a correctness issue since these cells are live so long as JSGlobalObject is live,
1760         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
1761         For FrozenValue, we should use frozenPointer helper function.
1762
1763         * ftl/FTLLowerDFGToB3.cpp:
1764         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1765         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1766
1767 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1768
1769         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
1770         https://bugs.webkit.org/show_bug.cgi?id=201373
1771
1772         * bytecode/BytecodeList.rb:
1773         * bytecode/BytecodeUseDef.h:
1774         (JSC::computeUsesForBytecodeOffset):
1775         (JSC::computeDefsForBytecodeOffset):
1776         * bytecompiler/BytecodeGenerator.cpp:
1777         (JSC::BytecodeGenerator::BytecodeGenerator):
1778         (JSC::BytecodeGenerator::emitLoopHint):
1779         (JSC::BytecodeGenerator::emitCheckTraps):
1780         * bytecompiler/BytecodeGenerator.h:
1781         * dfg/DFGByteCodeParser.cpp:
1782         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1783         (JSC::DFG::ByteCodeParser::parseBlock):
1784         * dfg/DFGCapabilities.cpp:
1785         (JSC::DFG::capabilityLevel):
1786         * jit/JIT.cpp:
1787         (JSC::JIT::emitEnterOptimizationCheck):
1788         (JSC::JIT::privateCompileMainPass):
1789         (JSC::JIT::privateCompileSlowCases):
1790         * jit/JIT.h:
1791         * jit/JITOpcodes.cpp:
1792         (JSC::JIT::emit_op_enter):
1793         (JSC::JIT::emit_op_loop_hint):
1794         (JSC::JIT::emitSlow_op_loop_hint):
1795         (JSC::JIT::emit_op_check_traps):
1796         (JSC::JIT::emitSlow_op_check_traps):
1797         (JSC::JIT::emitSlow_op_enter): Deleted.
1798         * jit/JITOpcodes32_64.cpp:
1799         (JSC::JIT::emit_op_enter):
1800         * llint/LowLevelInterpreter.asm:
1801         * llint/LowLevelInterpreter32_64.asm:
1802         * llint/LowLevelInterpreter64.asm:
1803         * runtime/CommonSlowPaths.cpp:
1804         (JSC::SLOW_PATH_DECL):
1805         * runtime/CommonSlowPaths.h:
1806
1807 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1808
1809         Unreviewed, rebaseline builtin generator test results
1810         https://bugs.webkit.org/show_bug.cgi?id=200898
1811
1812         Rebaseline the result files.
1813
1814         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1815         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1816         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1817         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1818         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1819         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1820         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1821         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1822         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1823         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1824         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1825         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1826         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1827
1828 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1829
1830         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
1831         https://bugs.webkit.org/show_bug.cgi?id=201485
1832
1833         Reviewed by Tadeu Zagallo.
1834
1835         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
1836         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
1837         a race issue like,
1838
1839         1. While one thread is adding overrides information,
1840         2. Another thread is accessing this hash table.
1841
1842         This patch adds a lock to make sure that only one thread can access this registry.
1843
1844         * tools/FunctionOverrides.cpp:
1845         (JSC::FunctionOverrides::FunctionOverrides):
1846         (JSC::FunctionOverrides::reinstallOverrides):
1847         (JSC::FunctionOverrides::initializeOverrideFor):
1848         (JSC::FunctionOverrides::parseOverridesInFile):
1849         * tools/FunctionOverrides.h:
1850         (JSC::FunctionOverrides::clear):
1851
1852 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1853
1854         [JSC] Make Promise implementation faster
1855         https://bugs.webkit.org/show_bug.cgi?id=200898
1856
1857         Reviewed by Saam Barati.
1858
1859         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
1860
1861         1. Make JSPromise C++ friendly
1862
1863             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1864             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1865             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1866             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1867             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1868             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1869
1870             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1871             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1872
1873             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1874             is filed in [2].
1875
1876         2. Make JSPromise constructor JS friendly
1877
1878             The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
1879             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
1880             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
1881             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
1882             construct is 100. We might want to investigate getting it inlined in the future[3].
1883
1884             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
1885             annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
1886             does not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
1887             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
1888             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
1889             JSPromise constructor fully in JS.
1890             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
1891
1892         3. DFG supports for JSPromise operations
1893
1894             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
1895             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
1896             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
1897             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
1898             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
1899             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
1900             in DFG, we connect a watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
1901             structure is invalidated: `callee.prototype` is replaced.
1902
1903         4. Avoid creating unnecessary promises
1904
1905             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some promise creations can be avoided.
1906             For example, when resolving a value with `Promise.resolve`, if the value is a promise and if its `then` method is the builtin `then`, we can avoid creating an
1907             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
1908             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
1909             in major cases and makes promises / async-functions efficient. And we also expose the builtin `then` function as `@then`, and insert an `@isPromise(xxx) && then === @then`
1910             check to take a fast path. We introduced four types of promise reactions to avoid some object allocations. And the microtask reaction handles these four types.
1911
1912         5. Avoid creating resolving-functions and promise capabilities
1913
1914             Resolving functions have an `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
1915             patch embeds a one-bit flag in JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can later be
1916             created again for the same promise. In that case, we just create the usual resolving functions). By doing so, we avoid unnecessary resolving function
1917             and promise capability allocations. We introduce the wrapper functions `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
1918             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
1919             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
1920             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
1921
1922         JetStream2/async-fs results.
1923             ToT:
1924                 Running async-fs:
1925                     Startup: 116.279
1926                     Worst Case: 151.515
1927                     Average: 176.630
1928                     Score: 145.996
1929                     Wall time: 0:01.149
1930
1931             Patched:
1932                 Running async-fs:
1933                     Startup: 166.667
1934                     Worst Case: 267.857
1935                     Average: 299.080
1936                     Score: 237.235
1937                     Wall time: 0:00.683
1938
1939         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
1940         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
1941         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
1942         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
1943
1944         * CMakeLists.txt:
1945         * JavaScriptCore.xcodeproj/project.pbxproj:
1946         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1947         (ConstructAbility):
1948         (ConstructorKind):
1949         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
1950         * Scripts/wkbuiltins/builtins_generator.py:
1951         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1952         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1953         * Scripts/wkbuiltins/builtins_model.py:
1954         (BuiltinFunction.__init__):
1955         (BuiltinFunction.fromString):
1956         * Scripts/wkbuiltins/builtins_templates.py:
1957         * builtins/AsyncFromSyncIteratorPrototype.js:
1958         (next.try):
1959         (next):
1960         (return.try):
1961         (return):
1962         (throw.try):
1963         (throw):
1964         * builtins/AsyncFunctionPrototype.js:
1965         (globalPrivate.asyncFunctionResume):
1966         * builtins/AsyncGeneratorPrototype.js:
1967         (globalPrivate.asyncGeneratorQueueIsEmpty):
1968         (globalPrivate.asyncGeneratorQueueEnqueue):
1969         (globalPrivate.asyncGeneratorQueueDequeue):
1970         (globalPrivate.asyncGeneratorReject):
1971         (globalPrivate.asyncGeneratorResolve):
1972         (globalPrivate.asyncGeneratorYield):
1973         (onRejected):
1974         (globalPrivate.awaitValue):
1975         (onFulfilled):
1976         (globalPrivate.doAsyncGeneratorBodyCall):
1977         (globalPrivate.asyncGeneratorResumeNext):
1978         (globalPrivate.asyncGeneratorEnqueue):
1979         (globalPrivate.asyncGeneratorDequeue): Deleted.
1980         (const.onRejected): Deleted.
1981         (const.onFulfilled): Deleted.
1982         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
1983         * builtins/BuiltinExecutableCreator.h:
1984         * builtins/BuiltinExecutables.cpp:
1985         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1986         (JSC::BuiltinExecutables::createDefaultConstructor):
1987         (JSC::BuiltinExecutables::createBuiltinExecutable):
1988         (JSC::BuiltinExecutables::createExecutable):
1989         (JSC::createBuiltinExecutable): Deleted.
1990         * builtins/BuiltinExecutables.h:
1991         * builtins/BuiltinNames.h:
1992         * builtins/BuiltinUtils.h:
1993         * builtins/ModuleLoader.js:
1994         (forceFulfillPromise):
1995         * builtins/PromiseConstructor.js:
1996         (nakedConstructor.Promise.resolve):
1997         (nakedConstructor.Promise.reject):
1998         (nakedConstructor.Promise):
1999         (nakedConstructor.InternalPromise.resolve):
2000         (nakedConstructor.InternalPromise.reject):
2001         (nakedConstructor.InternalPromise):
2002         * builtins/PromiseOperations.js:
2003         (globalPrivate.newPromiseReaction):
2004         (globalPrivate.newPromiseCapability):
2005         (globalPrivate.newHandledRejectedPromise):
2006         (globalPrivate.triggerPromiseReactions):
2007         (globalPrivate.resolvePromise):
2008         (globalPrivate.rejectPromise):
2009         (globalPrivate.fulfillPromise):
2010         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
2011         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
2012         (globalPrivate.createResolvingFunctions.resolve):
2013         (globalPrivate.createResolvingFunctions.reject):
2014         (globalPrivate.createResolvingFunctions):
2015         (globalPrivate.promiseReactionJobWithoutPromise):
2016         (globalPrivate.resolveWithoutPromise):
2017         (globalPrivate.rejectWithoutPromise):
2018         (globalPrivate.fulfillWithoutPromise):
2019         (resolve):
2020         (reject):
2021         (globalPrivate.createResolvingFunctionsWithoutPromise):
2022         (globalPrivate.promiseReactionJob):
2023         (globalPrivate.promiseResolveThenableJobFast):
2024         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
2025         (globalPrivate.promiseResolveThenableJob):
2026         (globalPrivate.isPromise): Deleted.
2027         (globalPrivate.newPromiseCapability.executor): Deleted.
2028         (globalPrivate.initializePromise): Deleted.
2029         * builtins/PromisePrototype.js:
2030         (then):
2031         * bytecode/BytecodeIntrinsicRegistry.cpp:
2032         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2033         * bytecode/BytecodeIntrinsicRegistry.h:
2034         * bytecode/BytecodeList.rb:
2035         * bytecode/BytecodeUseDef.h:
2036         (JSC::computeUsesForBytecodeOffset):
2037         (JSC::computeDefsForBytecodeOffset):
2038         * bytecode/CodeBlock.cpp:
2039         (JSC::CodeBlock::finishCreation):
2040         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2041         * bytecode/Opcode.h:
2042         * bytecode/SpeculatedType.cpp:
2043         (JSC::dumpSpeculation):
2044         (JSC::speculationFromClassInfo):
2045         (JSC::speculationFromJSType):
2046         (JSC::speculationFromString):
2047         * bytecode/SpeculatedType.h:
2048         * bytecode/UnlinkedFunctionExecutable.h:
2049         * bytecompiler/BytecodeGenerator.cpp:
2050         (JSC::BytecodeGenerator::generate):
2051         (JSC::BytecodeGenerator::BytecodeGenerator):
2052         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
2053         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
2054         (JSC::BytecodeGenerator::emitCreatePromise):
2055         (JSC::BytecodeGenerator::emitNewPromise):
2056         (JSC::BytecodeGenerator::emitReturn):
2057         * bytecompiler/BytecodeGenerator.h:
2058         (JSC::BytecodeGenerator::promiseRegister):
2059         (JSC::BytecodeGenerator::emitIsPromise):
2060         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
2061         * bytecompiler/NodesCodegen.cpp:
2062         (JSC::promiseInternalFieldIndex):
2063         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
2064         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
2065         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
2066         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
2067         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
2068         (JSC::FunctionNode::emitBytecode):
2069         * dfg/DFGAbstractHeap.h:
2070         * dfg/DFGAbstractInterpreterInlines.h:
2071         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2072         * dfg/DFGByteCodeParser.cpp:
2073         (JSC::DFG::ByteCodeParser::parseBlock):
2074         * dfg/DFGCapabilities.cpp:
2075         (JSC::DFG::capabilityLevel):
2076         * dfg/DFGClobberize.h:
2077         (JSC::DFG::clobberize):
2078         * dfg/DFGClobbersExitState.cpp:
2079         (JSC::DFG::clobbersExitState):
2080         * dfg/DFGConstantFoldingPhase.cpp:
2081         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2082         * dfg/DFGDoesGC.cpp:
2083         (JSC::DFG::doesGC):
2084         * dfg/DFGFixupPhase.cpp:
2085         (JSC::DFG::FixupPhase::fixupNode):
2086         * dfg/DFGGraph.cpp:
2087         (JSC::DFG::Graph::dump):
2088         * dfg/DFGHeapLocation.cpp:
2089         (WTF::printInternal):
2090         * dfg/DFGHeapLocation.h:
2091         * dfg/DFGMayExit.cpp:
2092         * dfg/DFGNode.h:
2093         (JSC::DFG::Node::convertToNewPromise):
2094         (JSC::DFG::Node::hasIsInternalPromise):
2095         (JSC::DFG::Node::isInternalPromise):
2096         (JSC::DFG::Node::hasInternalFieldIndex):
2097         (JSC::DFG::Node::internalFieldIndex):
2098         (JSC::DFG::Node::hasHeapPrediction):
2099         (JSC::DFG::Node::hasStructure):
2100         * dfg/DFGNodeType.h:
2101         * dfg/DFGOperations.cpp:
2102         * dfg/DFGOperations.h:
2103         * dfg/DFGPredictionPropagationPhase.cpp:
2104         * dfg/DFGPromotedHeapLocation.cpp:
2105         (WTF::printInternal):
2106         * dfg/DFGPromotedHeapLocation.h:
2107         * dfg/DFGSafeToExecute.h:
2108         (JSC::DFG::SafeToExecuteEdge::operator()):
2109         (JSC::DFG::safeToExecute):
2110         * dfg/DFGSpeculativeJIT.cpp:
2111         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2112         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
2113         (JSC::DFG::SpeculativeJIT::speculate):
2114         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
2115         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
2116         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
2117         (JSC::DFG::SpeculativeJIT::compileNewPromise):
2118         * dfg/DFGSpeculativeJIT.h:
2119         * dfg/DFGSpeculativeJIT32_64.cpp:
2120         (JSC::DFG::SpeculativeJIT::compile):
2121         * dfg/DFGSpeculativeJIT64.cpp:
2122         (JSC::DFG::SpeculativeJIT::compile):
2123         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2124         * dfg/DFGUseKind.cpp:
2125         (WTF::printInternal):
2126         * dfg/DFGUseKind.h:
2127         (JSC::DFG::typeFilterFor):
2128         (JSC::DFG::isCell):
2129         * ftl/FTLAbstractHeapRepository.h:
2130         * ftl/FTLCapabilities.cpp:
2131         (JSC::FTL::canCompile):
2132         * ftl/FTLLowerDFGToB3.cpp:
2133         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2134         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2135         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
2136         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2137         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
2138         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
2139         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2140         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
2141         * jit/JIT.cpp:
2142         (JSC::JIT::privateCompileMainPass):
2143         (JSC::JIT::privateCompileSlowCases):
2144         * jit/JIT.h:
2145         * jit/JITOperations.cpp:
2146         * jit/JITOperations.h:
2147         * jit/JITPropertyAccess.cpp:
2148         (JSC::JIT::emit_op_get_promise_internal_field):
2149         (JSC::JIT::emit_op_put_promise_internal_field):
2150         * jit/JITPropertyAccess32_64.cpp:
2151         (JSC::JIT::emit_op_get_promise_internal_field):
2152         (JSC::JIT::emit_op_put_promise_internal_field):
2153         * llint/LowLevelInterpreter.asm:
2154         * llint/LowLevelInterpreter32_64.asm:
2155         * llint/LowLevelInterpreter64.asm:
2156         * parser/Parser.cpp:
2157         (JSC::Parser<LexerType>::Parser):
2158         (JSC::Parser<LexerType>::parseFunctionInfo):
2159         * parser/Parser.h:
2160         (JSC::parse):
2161         * parser/ParserModes.h:
2162         * runtime/CommonSlowPaths.cpp:
2163         (JSC::SLOW_PATH_DECL):
2164         * runtime/CommonSlowPaths.h:
2165         * runtime/ConstructAbility.h:
2166         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
2167         * runtime/FunctionRareData.cpp:
2168         (JSC::FunctionRareData::FunctionRareData):
2169         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2170         (JSC::FunctionRareData::clear):
2171         * runtime/FunctionRareData.h:
2172         * runtime/InternalFunction.cpp:
2173         (JSC::InternalFunction::createSubclassStructureSlow):
2174         * runtime/InternalFunction.h:
2175         (JSC::InternalFunction::createSubclassStructure):
2176         * runtime/JSCast.h:
2177         * runtime/JSGlobalObject.cpp:
2178         (JSC::enqueueJob):
2179         (JSC::JSGlobalObject::init):
2180         (JSC::JSGlobalObject::visitChildren):
2181         * runtime/JSGlobalObject.h:
2182         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
2183         (JSC::JSGlobalObject::promiseProtoThenFunction const):
2184         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
2185         * runtime/JSInternalPromise.cpp:
2186         (JSC::JSInternalPromise::createStructure):
2187         * runtime/JSInternalPromiseConstructor.cpp:
2188         (JSC::JSInternalPromiseConstructor::create):
2189         (JSC::JSInternalPromiseConstructor::createStructure):
2190         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2191         (JSC::constructPromise): Deleted.
2192         * runtime/JSInternalPromiseConstructor.h:
2193         * runtime/JSInternalPromisePrototype.cpp:
2194         (JSC::JSInternalPromisePrototype::create):
2195         * runtime/JSMicrotask.cpp:
2196         (JSC::createJSMicrotask):
2197         (JSC::JSMicrotask::run):
2198         * runtime/JSMicrotask.h:
2199         * runtime/JSPromise.cpp:
2200         (JSC::JSPromise::createStructure):
2201         (JSC::JSPromise::finishCreation):
2202         (JSC::JSPromise::visitChildren):
2203         (JSC::JSPromise::status const):
2204         (JSC::JSPromise::result const):
2205         (JSC::JSPromise::isHandled const):
2206         (JSC::JSPromise::initialize): Deleted.
2207         * runtime/JSPromise.h:
2208         (JSC::JSPromise::allocationSize):
2209         (JSC::JSPromise::offsetOfInternalFields):
2210         (JSC::JSPromise::offsetOfInternalField):
2211         * runtime/JSPromiseConstructor.cpp:
2212         (JSC::JSPromiseConstructor::create):
2213         (JSC::JSPromiseConstructor::createStructure):
2214         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2215         (JSC::JSPromiseConstructor::finishCreation):
2216         (JSC::constructPromise): Deleted.
2217         (JSC::callPromise): Deleted.
2218         * runtime/JSPromiseConstructor.h:
2219         * runtime/JSPromisePrototype.cpp:
2220         (JSC::JSPromisePrototype::create):
2221         (JSC::JSPromisePrototype::finishCreation):
2222         (JSC::JSPromisePrototype::addOwnInternalSlots):
2223         * runtime/JSPromisePrototype.h:
2224         * runtime/JSType.cpp:
2225         (WTF::printInternal):
2226         * runtime/JSType.h:
2227
2228 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
2229
2230         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
2231         https://bugs.webkit.org/show_bug.cgi?id=201262
2232         <rdar://problem/13108764>
2233
2234         Reviewed by Devin Rousso.
2235
2236         When interception is enabled, Network requests that match any of the configured
2237         interception patterns will be paused on the backend and allowed to be modified
2238         by the frontend.
2239
2240         Currently the only time a network request can be intercepted is during the
2241         HTTP response. However, this intercepting interface is meant to extend to
2242         HTTP requests as well.
2243
2244         When a response is to be intercepted a new event is sent to the frontend:
2245
2246           `Network.responseIntercepted` event
2247
2248         With a `requestId` to identify that network request. The frontend
2249         must respond with one of the following commands to continue:
2250
2251           `Network.interceptContinue`     - proceed with the response unmodified
2252           `Network.interceptWithResponse` - provide a response
2253
2254         The response is paused in the meantime.
2255
2256         * inspector/protocol/Network.json:
2257         New interfaces for intercepting network responses and supplying override content.
2258
2259         * Scripts/generate-combined-inspector-json.py:
2260         * inspector/scripts/generate-inspector-protocol-bindings.py:
2261         (generate_from_specification.load_specification):
2262         Complete allowing comments in JSON protocol files.
2263
2264         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2265         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
2266         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2267         Allow optional enums in ObjC interfaces.
2268
2269 2019-09-03  Mark Lam  <mark.lam@apple.com>
2270
2271         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
2272         https://bugs.webkit.org/show_bug.cgi?id=201449
2273
2274         Reviewed by Yusuke Suzuki.
2275
2276         Using !isMainThread() in the assertion also disables the assertion for the mutator
2277         of worker threads.  This is not what we intended.
2278
2279         * runtime/StructureInlines.h:
2280         (JSC::Structure::storedPrototype const):
2281         (JSC::Structure::storedPrototypeObject const):
2282
2283 2019-09-04  Mark Lam  <mark.lam@apple.com>
2284
2285         Disambiguate a symbol used in JSDollarVM.
2286         https://bugs.webkit.org/show_bug.cgi?id=201466
2287         <rdar://problem/51826672>
2288
2289         Reviewed by Tadeu Zagallo.
2290
2291         This was causing a build issue on some internal build.
2292
2293         * tools/JSDollarVM.cpp:
2294
2295 2019-09-03  Mark Lam  <mark.lam@apple.com>
2296
2297         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
2298         https://bugs.webkit.org/show_bug.cgi?id=201309
2299         <rdar://problem/54832121>
2300
2301         Reviewed by Yusuke Suzuki.
2302
2303         * dfg/DFGAbstractInterpreterInlines.h:
2304         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2305         * runtime/JSArrayBufferView.h:
2306         * runtime/JSArrayBufferViewInlines.h:
2307         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
2308         (JSC::JSArrayBufferView::possiblySharedBuffer):
2309         (JSC::JSArrayBufferView::byteOffsetImpl):
2310         (JSC::JSArrayBufferView::byteOffset):
2311         (JSC::JSArrayBufferView::byteOffsetConcurrently):
2312
2313 2019-09-03  Devin Rousso  <drousso@apple.com>
2314
2315         Web Inspector: implement blackboxing of script resources
2316         https://bugs.webkit.org/show_bug.cgi?id=17240
2317         <rdar://problem/5732847>
2318
2319         Reviewed by Joseph Pecoraro.
2320
2321         When a script is blackboxed and the debugger attempts to pause in that script, the pause
2322         reason/data will be saved and execution will continue until it has left the blackboxed
2323         script. Once outside, execution is paused with the saved reason/data.
2324
2325         This is especially useful when debugging issues using libraries/frameworks, as it allows the
2326         developer to "skip" the internal logic of the library/framework and instead focus only on
2327         how they're using it.
2328
2329         * inspector/protocol/Debugger.json:
2330         Add `setShouldBlackboxURL` command.
2331
2332         * inspector/agents/InspectorDebuggerAgent.h:
2333         * inspector/agents/InspectorDebuggerAgent.cpp:
2334         (Inspector::InspectorDebuggerAgent):
2335         (Inspector::InspectorDebuggerAgent::enable):
2336         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
2337         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2338         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
2339         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
2340         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2341         (Inspector::InspectorDebuggerAgent::didParseSource):
2342         (Inspector::InspectorDebuggerAgent::didPause):
2343         (Inspector::InspectorDebuggerAgent::didContinue):
2344         (Inspector::InspectorDebuggerAgent::breakProgram):
2345         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2346         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
2347         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
2348         Renamed "break" to "pause" to match `Debugger` naming.
2349
2350         * debugger/Debugger.h:
2351         * debugger/Debugger.cpp:
2352         (JSC::Debugger::pauseIfNeeded):
2353         (JSC::Debugger::setBlackboxType): Added.
2354         (JSC::Debugger::clearBlackbox): Added.
2355         (JSC::Debugger::isBlacklisted const): Deleted.
2356         (JSC::Debugger::addToBlacklist): Deleted.
2357         (JSC::Debugger::clearBlacklist): Deleted.
2358
2359 2019-09-03  Mark Lam  <mark.lam@apple.com>
2360
2361         Remove the need to pass performJITMemcpy as a pointer.
2362         https://bugs.webkit.org/show_bug.cgi?id=201413
2363
2364         Reviewed by Michael Saboff.
2365
2366         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
2367         some template parameters to use enums instead of booleans to better document the
2368         intent of the code.
2369
2370         * assembler/ARM64Assembler.h:
2371         (JSC::ARM64Assembler::fillNops):
2372         (JSC::ARM64Assembler::linkJump):
2373         (JSC::ARM64Assembler::linkCall):
2374         (JSC::ARM64Assembler::relinkJump):
2375         (JSC::ARM64Assembler::relinkCall):
2376         (JSC::ARM64Assembler::link):
2377         (JSC::ARM64Assembler::linkJumpOrCall):
2378         (JSC::ARM64Assembler::linkCompareAndBranch):
2379         (JSC::ARM64Assembler::linkConditionalBranch):
2380         (JSC::ARM64Assembler::linkTestAndBranch):
2381         (JSC::ARM64Assembler::relinkJumpOrCall):
2382         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
2383         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
2384         * assembler/ARMv7Assembler.h:
2385         (JSC::ARMv7Assembler::fillNops):
2386         (JSC::ARMv7Assembler::link):
2387         (JSC::ARMv7Assembler::linkJumpT1):
2388         (JSC::ARMv7Assembler::linkJumpT2):
2389         (JSC::ARMv7Assembler::linkJumpT3):
2390         (JSC::ARMv7Assembler::linkJumpT4):
2391         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2392         (JSC::ARMv7Assembler::linkBX):
2393         (JSC::ARMv7Assembler::linkConditionalBX):
2394         * assembler/AbstractMacroAssembler.h:
2395         (JSC::AbstractMacroAssembler::emitNops):
2396         * assembler/LinkBuffer.cpp:
2397         (JSC::LinkBuffer::copyCompactAndLinkCode):
2398         * assembler/MIPSAssembler.h:
2399         (JSC::MIPSAssembler::fillNops):
2400         * assembler/MacroAssemblerARM64.h:
2401         (JSC::MacroAssemblerARM64::link):
2402         * assembler/MacroAssemblerARMv7.h:
2403         (JSC::MacroAssemblerARMv7::link):
2404         * assembler/X86Assembler.h:
2405         (JSC::X86Assembler::fillNops):
2406         * jit/ExecutableAllocator.h:
2407         (JSC::performJITMemcpy):
2408         * runtime/JSCPtrTag.h:
2409
2410 2019-09-03  Devin Rousso  <drousso@apple.com>
2411
2412         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
2413         https://bugs.webkit.org/show_bug.cgi?id=201201
2414         <rdar://problem/54771560>
2415
2416         Reviewed by Joseph Pecoraro.
2417
2418         * inspector/InjectedScriptSource.js:
2419         (let.InjectedScript.prototype.injectModule):
2420         (let.InjectedScript.prototype._evaluateOn):
2421         (CommandLineAPI):
2422         (let.InjectedScript.prototype.setInspectObject): Deleted.
2423         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
2424         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
2425         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
2426         (InjectedScript.CommandLineAPI): Deleted.
2427         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
2428         directly, instead of having them call functions.
2429
2430         * inspector/InjectedScriptModule.cpp:
2431         (Inspector::InjectedScriptModule::ensureInjected):
2432         Make sure to reset `hadException` to `false` before making another call.
2433
2434 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
2435
2436         [JSC] Remove BytecodeGenerator::emitPopScope
2437         https://bugs.webkit.org/show_bug.cgi?id=201395
2438
2439         Reviewed by Saam Barati.
2440
2441         Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.
2442
2443         * bytecompiler/BytecodeGenerator.cpp:
2444         (JSC::BytecodeGenerator::popLexicalScopeInternal):
2445         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2446         (JSC::BytecodeGenerator::emitPopWithScope):
2447         (JSC::BytecodeGenerator::emitPopScope): Deleted.
2448         * bytecompiler/BytecodeGenerator.h:
2449
2450 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2451
2452         [JSC] Merge op_check_traps into op_enter and op_loop_hint
2453         https://bugs.webkit.org/show_bug.cgi?id=201373
2454
2455         Reviewed by Mark Lam.
2456
2457         This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
2458         But now we are always emitting op_check_traps. So it is not necessary to have a separate bytecode as op_check_traps. We can do the checking in
2459         op_enter and op_loop_hint.
2460
2461         While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
2462         since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.
2463
2464         We also inline op_enter's slow path's write-barrier emission in LLInt.
2465
2466         * bytecode/BytecodeList.rb:
2467         * bytecode/BytecodeUseDef.h:
2468         (JSC::computeUsesForBytecodeOffset):
2469         (JSC::computeDefsForBytecodeOffset):
2470         * bytecompiler/BytecodeGenerator.cpp:
2471         (JSC::BytecodeGenerator::BytecodeGenerator):
2472         (JSC::BytecodeGenerator::emitLoopHint):
2473         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
2474         * bytecompiler/BytecodeGenerator.h:
2475         * dfg/DFGByteCodeParser.cpp:
2476         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2477         (JSC::DFG::ByteCodeParser::parseBlock):
2478         * dfg/DFGCapabilities.cpp:
2479         (JSC::DFG::capabilityLevel):
2480         * jit/JIT.cpp:
2481         (JSC::JIT::privateCompileMainPass):
2482         (JSC::JIT::privateCompileSlowCases):
2483         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
2484         * jit/JIT.h:
2485         * jit/JITOpcodes.cpp:
2486         (JSC::JIT::emit_op_loop_hint):
2487         (JSC::JIT::emitSlow_op_loop_hint):
2488         (JSC::JIT::emit_op_enter):
2489         (JSC::JIT::emitSlow_op_enter):
2490         (JSC::JIT::emit_op_check_traps): Deleted.
2491         (JSC::JIT::emitSlow_op_check_traps): Deleted.
2492         * jit/JITOpcodes32_64.cpp:
2493         (JSC::JIT::emit_op_enter): Deleted.
2494         * llint/LowLevelInterpreter.asm:
2495         * llint/LowLevelInterpreter32_64.asm:
2496         * llint/LowLevelInterpreter64.asm:
2497         * runtime/CommonSlowPaths.cpp:
2498         * runtime/CommonSlowPaths.h:
2499
2500 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2501
2502         [JSC] Fix testb3 debug failures
2503         https://bugs.webkit.org/show_bug.cgi?id=201382
2504
2505         Reviewed by Mark Lam.
2506
2507         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
2508
2509         * b3/testb3_8.cpp:
2510         (testByteCopyLoop):
2511         (testByteCopyLoopStartIsLoopDependent):
2512         (testByteCopyLoopBoundIsLoopDependent):
2513
2514 2019-09-01  Mark Lam  <mark.lam@apple.com>
2515
2516         Speculative build fix for ARMv7 and MIPS.
2517         https://bugs.webkit.org/show_bug.cgi?id=201389
2518
2519         Not reviewed.
2520
2521         * bytecode/CodeBlock.cpp:
2522         (JSC::CodeBlock::jettison):
2523
2524 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2525
2526         [JSC] LLInt op should not emit the same code three times
2527         https://bugs.webkit.org/show_bug.cgi?id=201370
2528
2529         Reviewed by Mark Lam.
2530
2531         The LLInt op macro (not the llintOp macro) is used to generate some stub code like llint_program_prologue.
2532         But now it generates the same code three times for narrow, wide16, and wide32. We should emit the code only once.
2533
2534         * llint/LowLevelInterpreter.asm:
2535
2536 2019-08-30  Mark Lam  <mark.lam@apple.com>
2537
2538         Remove some obsolete statements that have no effect.
2539         https://bugs.webkit.org/show_bug.cgi?id=201357
2540
2541         Reviewed by Saam Barati.
2542
2543         This patch removes 3 statements that look like this:
2544
2545             result->butterfly(); // Ensure that the butterfly is in to-space.
2546
2547         The statement just reads a field and does nothing with it.  This is a no-op
2548         logic-wise, and the comment that accompanies it is obsolete.
2549
2550         * dfg/DFGOperations.cpp:
2551
2552 2019-08-30  Mark Lam  <mark.lam@apple.com>
2553
2554         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
2555         https://bugs.webkit.org/show_bug.cgi?id=201345
2556
2557         Reviewed by Yusuke Suzuki.
2558
2559         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
2560         the wrong pointer for capturing the cell headerWord and zapReason.  As a result,
2561         we get junk for those 2 values.
2562
2563         Previously, we were only capturing the upper 32 bits of the cell header slot,
2564         and the lower 32 bits of the next slot in the zapped cell.  We now capture the
2565         full 64 bits of both slots.  If the second slot did not contain a zapReason as we
2566         expect, the upper 32 bits might give us a clue as to what type of value the slot
2567         contains.
2568
2569         This patch also adds capturing of the found MarkedBlock address for the zapped
2570         cell, as well as some state bit values.
2571
2572         * heap/SlotVisitor.cpp:
2573         (JSC::SlotVisitor::reportZappedCellAndCrash):
2574
2575 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2576
2577         [JSC] Generate new.target register only when it is used
2578         https://bugs.webkit.org/show_bug.cgi?id=201335
2579
2580         Reviewed by Mark Lam.
2581
2582         Since the bytecode generator knows whether the new.target register can be used, we should emit and use the new.target register
2583         only when it is actually required.
2584
2585         * bytecompiler/BytecodeGenerator.cpp:
2586         (JSC::BytecodeGenerator::BytecodeGenerator):
2587         * bytecompiler/BytecodeGenerator.h:
2588         (JSC::BytecodeGenerator::newTarget):
2589         * parser/Nodes.h:
2590         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
2591
2592 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2593
2594         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
2595         https://bugs.webkit.org/show_bug.cgi?id=201331
2596
2597         Reviewed by Mark Lam.
2598
2599         SimpleJumpTable's non-JIT part is not changed after the CodeBlock is finalized. On the other hand, the JIT-related part is allocated on demand.
2600         For example, ctiOffsets can be grown by the Baseline JIT compiler. There is a race condition as follows.
2601
2602             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
2603             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
2604
2605         Then, (1) reads the broken Vector and crashes. Since the JIT-related part is unnecessary in (1), we should not clone it.
2606         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies the non-JIT-related part of the given SimpleJumpTable offered
2607         by the profiled CodeBlock.
2608
2609         * bytecode/CodeBlock.h:
2610         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
2611         * bytecode/JumpTable.h:
2612         (JSC::SimpleJumpTable::cloneNonJITPart const):
2613         (JSC::SimpleJumpTable::clear):
2614         * dfg/DFGByteCodeParser.cpp:
2615         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2616
2617 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2618
2619         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
2620         https://bugs.webkit.org/show_bug.cgi?id=201332
2621
2622         Reviewed by Mark Lam.
2623
2624         When inlining setter calls in DFG, the result VirtualRegister becomes an invalid one. While other call-related DFG code correctly assumes
2625         that `result` may be invalid, only the CheckBadCell slow path missed this case. Since this is an OSR exit path and the VirtualRegister result
2626         does not exist, set BottomValue only when "result" is valid, as the other DFG code is doing.
2627
2628         * dfg/DFGByteCodeParser.cpp:
2629         (JSC::DFG::ByteCodeParser::handleInlining):
2630
2631 2019-08-29  Devin Rousso  <drousso@apple.com>
2632
2633         Web Inspector: Debugger: async event listener stack traces should be available in Workers
2634         https://bugs.webkit.org/show_bug.cgi?id=200903
2635
2636         Reviewed by Joseph Pecoraro.
2637
2638         * inspector/agents/InspectorDebuggerAgent.h:
2639         (Inspector::InspectorDebuggerAgent::enabled): Added.
2640         * inspector/agents/InspectorDebuggerAgent.cpp:
2641         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2642         (Inspector::InspectorDebuggerAgent::enable):
2643         (Inspector::InspectorDebuggerAgent::disable):
2644         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
2645
2646 2019-08-29  Keith Rollin  <krollin@apple.com>
2647
2648         Update .xcconfig symbols to reflect the current set of past and future product versions.
2649         https://bugs.webkit.org/show_bug.cgi?id=200720
2650         <rdar://problem/54305032>
2651
2652         Reviewed by Alex Christensen.
2653
2654         Remove version symbols related to old OSes we no longer support, and
2655         ensure that version symbols are defined for OSes we do support.
2656
2657         * Configurations/Base.xcconfig:
2658         * Configurations/DebugRelease.xcconfig:
2659         * Configurations/Version.xcconfig:
2660
2661 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2662
2663         [JSC] Repatch should construct CallCases and CasesValue at the same time
2664         https://bugs.webkit.org/show_bug.cgi?id=201325
2665
2666         Reviewed by Saam Barati.
2667
2668         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
2669         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases either.
2670
2671         * jit/Repatch.cpp:
2672         (JSC::linkPolymorphicCall):
2673
2674 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2675
2676         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
2677         https://bugs.webkit.org/show_bug.cgi?id=198650
2678
2679         Reviewed by Saam Barati.
2680
2681         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
2682         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
2683         interpreter interprets a control-flow edge that AI proved is never taken.
2684         AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
2685         ObjectAllocationSinking phase can trace these never-taken edges and propagate structure information that contradicts the analysis
2686         done in ObjectAllocationSinking.
2687
2688         Let's see the example.
2689
2690             BB#0
2691                 35: NewObject([%AM:Object])
2692                 ...
2693                 47: Branch(ConstantTrue, T:#1, F:#2)
2694
2695             BB#1 // This basic block is never taken due to @47's jump.
2696                 ...
2697                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
2698                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
2699                 ...
2700                 XX: Jump(#2)
2701
2702             BB#2
2703                 ...
2704                 92: CheckStructure(@35, [%Dx:Object])
2705                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
2706                 ...
2707
2708         AI removes @92 because AI knows BB#0 only takes the BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
2709         AI proved that @71 and @72 are always executed while the BB#0 -> BB#2 edge is never taken, so @35 object's structure is proven at @92.
2710         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
2711
2712             BB#0
2713                 35: NewObject([%AM:Object])
2714                 ...
2715                 47: Branch(ConstantTrue, T:#1, F:#2)
2716
2717             BB#1 // This basic block is never taken due to @47's jump.
2718                 ...
2719                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
2720                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
2721                 ...
2722                 XX: Jump(#2)
2723
2724             BB#2
2725                 ...
2726                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
2727                 ...
2728                 YY: Jump(#3)
2729
2730             BB#3
2731                 ...
2732                 ZZ: <HERE> want to materialize @35's sunk object.
2733
2734         Since AI does not change the @47 Branch to Jump (it is OK anyway), the BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates
2735         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
2736         inserts MaterializeNewObject at @ZZ. At this point, ObjectAllocationSinking's lightweight interpreter gets two structures while AI gets one: @35's original
2737         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
2738         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes a
2739         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
2740         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and the lowering phase hits the debug
2741         assertion.
2742
2743             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
2744
2745         This bug is harmless since the %AM structure comparison never matches at runtime. But we are not considering the case including a `-1` offset property in MultiPutByOffset data.
2746         In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never occurs at runtime.
2747
2748         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2749
2750 2019-08-29  Devin Rousso  <drousso@apple.com>
2751
2752         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
2753         https://bugs.webkit.org/show_bug.cgi?id=200651
2754
2755         Reviewed by Joseph Pecoraro.
2756
2757         * inspector/protocol/DOMDebugger.json:
2758         Make the domain available in "worker" contexts as well.
2759
2760 2019-08-29  Keith Rollin  <krollin@apple.com>
2761
2762         Remove 32-bit macOS support
2763         https://bugs.webkit.org/show_bug.cgi?id=201282
2764         <rdar://problem/54821667>
2765
2766         Reviewed by Anders Carlsson.
2767
2768         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
2769         for that platform.
2770
2771         * API/JSBase.h:
2772         * runtime/VM.h:
2773
2774 2019-08-29  Keith Rollin  <krollin@apple.com>
2775
2776         Remove support for macOS < 10.13 (part 3)
2777         https://bugs.webkit.org/show_bug.cgi?id=201224
2778         <rdar://problem/54795934>
2779
2780         Reviewed by Darin Adler.
2781
2782         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
2783         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
2784         like _MACOS_SINCE_1013.
2785
2786         * Configurations/WebKitTargetConditionals.xcconfig:
2787
2788 2019-08-29  Mark Lam  <mark.lam@apple.com>
2789
2790         Remove a bad assertion in ByteCodeParser::inlineCall().
2791         https://bugs.webkit.org/show_bug.cgi?id=201292
2792         <rdar://problem/54121659>
2793
2794         Reviewed by Michael Saboff.
2795
2796         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
2797         inlining target, and determined that it is worth inlining before invoking
2798         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
2799         recomputes the inlining cost only for the purpose of asserting that it isn't
2800         too high.
2801
2802         Now consider a badly written test that does the following:
2803
2804             function bar() {
2805                 ...
2806                 foo(); // Call in a hot loop here.
2807                 ...
2808             }
2809
2810             bar(); // <===== foo is inlineable into bar here.
2811             noInline(foo); // <===== Change mind, and make foo not inlineable.
2812             bar();
2813
2814         With this bad test, the following racy scenario can occur:
2815
2816         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
2817         2. the compiler thread computes foo()'s inliningCost() and determines that it is
2818            worthy to be inlined, and will imminently call inlineCall().
2819         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
2820            inlineable.
2821         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
2822            inliningCost for foo() and now finds that it is not inlineable.  An assertion
2823            failure follows.
2824
2825         Technically, the test is in error because noInline() shouldn't be used that way.
2826         However, fuzzers that are not clued into noInline()'s proper usage may generate
2827         code like this.
2828
2829         On the other hand, ByteCodeParser::inlineCall() should not be recomputing the
2830         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
2831         because it was already previously determined that a target function is inlineable
2832         based on its inlining cost.  Today, in practice, I don't think we have any real
2833         world condition where the mutator can affect the inlining cost of a target
2834         function midway through execution.  So, this assertion isn't a problem if no one
2835         writes a test that abuses noInline().  However, should things change such that the
2836         mutator is able to affect the inlining cost of a target function, then it is
2837         incorrect for the compiler to assume that the inlining cost is immutable.  Once
2838         the compiler decides to inline a function, it should just follow through.
2839
2840         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
2841         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
2842         ability to affect the inlining cost of a target function.
2843
2844         * dfg/DFGByteCodeParser.cpp:
2845         (JSC::DFG::ByteCodeParser::inlineCall):
2846
2847 2019-08-28  Mark Lam  <mark.lam@apple.com>
2848
2849         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
2850         https://bugs.webkit.org/show_bug.cgi?id=201281
2851         <rdar://problem/54028228>
2852
2853         Reviewed by Yusuke Suzuki and Saam Barati.
2854
2855         This (see title above) is already the preferred idiom used in most places in our
2856         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2857         compileStringCharAt().  Consider the following:
2858
2859             bool prototypeChainIsSane = false;
2860             if (globalObject->stringPrototypeChainIsSane()) {
2861                 ...
2862                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2863                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2864
2865                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2866             }
2867
2868         What's essential for correctness here is that the stringPrototype and objectPrototype
2869         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2870         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2871         check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2872         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2873         then do the IsSane check just once afterwards, e.g.:
2874
2875             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2876             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2877
2878             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2879                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2880                 && globalObject->arrayPrototypeChainIsSane()) {
2881
2882                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
2883                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
2884                 ...
2885             }
2886
2887         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2888         compileStringCharAt() to follow the same idiom.
2889
2890         We also fix a bad assertion in Structure::storedPrototype() and
2891         Structure::storedPrototypeObject().  The assertion is only correct when those
2892         methods are called from the mutator thread.  The assertion has been updated to
2893         only check its test condition if the current thread is the mutator thread.
2894
2895         * dfg/DFGSpeculativeJIT.cpp:
2896         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2897         * ftl/FTLLowerDFGToB3.cpp:
2898         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2899         * runtime/StructureInlines.h:
2900         (JSC::Structure::storedPrototype const):
2901         (JSC::Structure::storedPrototypeObject const):
2902
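The "pre-load, fence, check once" idiom from the entry above, replayed deterministically as an added example; this is not JavaScriptCore code. Structure, PrototypeObject and GlobalObject are simplified stand-ins constructed here, the acquire loads stand in for JSC's loadLoadFence, and the raceHook parameter is a test seam (not in JSC) marking where a mutator transition can land while the compiler thread is mid-decision.

```cpp
#include <atomic>
#include <functional>

// Simplified stand-in for JSC's Structure (constructed for this example).
struct Structure {
    // JSC fires a structure's transition watchpoint set when an object transitions
    // away from it; modelled here as a flag the mutator clears.
    std::atomic<bool> transitionWatchpointSetValid { true };
    bool hasIndexedAccessors { false }; // if true, a chain containing it is not "sane"

    bool transitionWatchpointSetIsStillValid() const {
        // The acquire load stands in for the loadLoadFence the real method carries.
        return transitionWatchpointSetValid.load(std::memory_order_acquire);
    }
};

// Stand-in for a prototype object whose structure the mutator may replace.
struct PrototypeObject {
    std::atomic<Structure*> structure;
    explicit PrototypeObject(Structure* s) : structure(s) { }

    Structure* currentStructure() const { return structure.load(std::memory_order_acquire); }

    // Mutator side: install the new structure, then invalidate the old one's watchpoints.
    void transitionTo(Structure* next) {
        Structure* old = structure.exchange(next, std::memory_order_acq_rel);
        old->transitionWatchpointSetValid.store(false, std::memory_order_release);
    }
};

struct GlobalObject {
    PrototypeObject stringPrototype;
    PrototypeObject objectPrototype;
    GlobalObject(Structure* s, Structure* o) : stringPrototype(s), objectPrototype(o) { }

    // Reads the *current* structures of the chain, as the entry's
    // stringPrototypeChainIsSane() check must.
    bool stringPrototypeChainIsSane() const {
        return !stringPrototype.currentStructure()->hasIndexedAccessors
            && !objectPrototype.currentStructure()->hasIndexedAccessors;
    }
};

struct WatchResult {
    bool sane;                   // compiler may rely on the sane-chain assumption
    Structure* stringStructure;  // structures it would register watchpoints on
    Structure* objectStructure;
};

// The idiom the entry recommends: load the structures first, fence, then check once.
WatchResult tryWatchSaneChain(GlobalObject& g, const std::function<void()>& raceHook) {
    Structure* stringStructure = g.stringPrototype.currentStructure();
    Structure* objectStructure = g.objectPrototype.currentStructure();
    if (raceHook)
        raceHook();
    // A transition that landed after the loads above has already cleared the loaded
    // structure's watchpoint set, so the check fails closed and the compiler bails.
    if (stringStructure->transitionWatchpointSetIsStillValid()
        && objectStructure->transitionWatchpointSetIsStillValid()
        && g.stringPrototypeChainIsSane())
        return { true, stringStructure, objectStructure };
    return { false, nullptr, nullptr };
}

// The shape the entry replaces, written in the order a CPU without a loadLoadFence
// may actually perform the loads: the sanity check's loads retire first, the
// structure loads later. A transition in between goes unnoticed.
WatchResult tryWatchSaneChainUnfenced(GlobalObject& g, const std::function<void()>& raceHook) {
    bool sane = g.stringPrototypeChainIsSane();
    if (raceHook)
        raceHook();
    Structure* stringStructure = g.stringPrototype.currentStructure();
    Structure* objectStructure = g.objectPrototype.currentStructure();
    if (sane)
        return { true, stringStructure, objectStructure }; // watches a structure the check never saw
    return { false, nullptr, nullptr };
}

struct Outcome {
    bool compilerAssumedSane { false };
    bool chainActuallySane { false };
};

// Soundness: code compiled on the sane-chain assumption may only exist while the chain is sane.
bool outcomeIsSound(const Outcome& o) { return !o.compilerAssumedSane || o.chainActuallySane; }

// Deterministic replay, no threads: optionally transition the string prototype to a
// structure with an indexed accessor (chain becomes insane) at the race seam.
Outcome simulate(bool useFencedIdiom, bool raceWithInsaneTransition) {
    Structure stringOld, objectOld, stringNew;
    stringNew.hasIndexedAccessors = true;
    GlobalObject g(&stringOld, &objectOld);
    std::function<void()> hook;
    if (raceWithInsaneTransition)
        hook = [&g, &stringNew] { g.stringPrototype.transitionTo(&stringNew); };
    WatchResult r = useFencedIdiom ? tryWatchSaneChain(g, hook) : tryWatchSaneChainUnfenced(g, hook);
    Outcome o;
    o.compilerAssumedSane = r.sane;
    o.chainActuallySane = g.stringPrototypeChainIsSane();
    return o;
}
```

With the race injected, the fenced idiom bails (sound), while the unfenced ordering returns "sane" for a chain that is no longer sane.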
2903 2019-08-28  Mark Lam  <mark.lam@apple.com>
2904
2905         Placate exception check validation in DFG's operationHasGenericProperty().
2906         https://bugs.webkit.org/show_bug.cgi?id=201245
2907         <rdar://problem/54777512>
2908
2909         Reviewed by Robin Morisset.
2910
2911         * dfg/DFGOperations.cpp:
2912
2913 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
2914
2915         Unreviewed. Restabilize non-unified build.
2916
2917         * runtime/PropertySlot.h:
2918
2919 2019-08-28  Mark Lam  <mark.lam@apple.com>
2920
2921         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
2922         https://bugs.webkit.org/show_bug.cgi?id=201006
2923         <rdar://problem/52053991>
2924
2925         Reviewed by Yusuke Suzuki.
2926
2927         We already ensured that it is not possible to overflow in Wasm::FunctionParser's
2928         parse().  It is unnecessary and misleading to do those overflow checks in
2929         AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
2930         m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
2931         situation.
2932
2933         This patch changes these unnecessary checks to assertions instead.
2934
2935         * wasm/WasmAirIRGenerator.cpp:
2936         (JSC::Wasm::AirIRGenerator::addLocal):
2937         * wasm/WasmB3IRGenerator.cpp:
2938         (JSC::Wasm::B3IRGenerator::addLocal):
2939         * wasm/WasmValidate.cpp:
2940         (JSC::Wasm::Validate::addLocal):
2941
2942 2019-08-28  Keith Rollin  <krollin@apple.com>
2943
2944         Remove support for macOS < 10.13 (part 2)
2945         https://bugs.webkit.org/show_bug.cgi?id=201197
2946         <rdar://problem/54759985>
2947
2948         Update conditionals that reference WK_MACOS_1013 and suffixes like
2949         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
2950         later and that these conditionals are always True or False.
2951
2952         See Bug 200694 for earlier changes in this area.
2953
2954         Reviewed by Darin Adler.
2955
2956         * Configurations/FeatureDefines.xcconfig:
2957
2958 2019-08-28  Mark Lam  <mark.lam@apple.com>
2959
2960         Gardening: Rebase test results after r249175.
2961         https://bugs.webkit.org/show_bug.cgi?id=201172
2962
2963         Not reviewed.
2964
2965         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2966         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2967         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2968         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2969         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2970         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2971         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2972
2973 2019-08-27  Michael Saboff  <msaboff@apple.com>
2974
2975         Update PACCage changes for builds without Gigacage, but with signed pointers
2976         https://bugs.webkit.org/show_bug.cgi?id=201202
2977
2978         Reviewed by Saam Barati.
2979
2980         Factored out the untagging of pointers and added that to both the Gigacage enabled
2981         and disabled code paths.  Did this for the LLInt as well as the JITs.
2982
2983         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
2984         * dfg/DFGSpeculativeJIT.cpp:
2985         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2986         * ftl/FTLLowerDFGToB3.cpp:
2987         (JSC::FTL::DFG::LowerDFGToB3::caged):
2988         * llint/LowLevelInterpreter64.asm:
2989
2990 2019-08-27  Mark Lam  <mark.lam@apple.com>
2991
2992         Refactor to use VM& instead of VM* at as many places as possible.
2993         https://bugs.webkit.org/show_bug.cgi?id=201172
2994
2995         Reviewed by Yusuke Suzuki.
2996
2997         Using VM& documents more clearly that the VM pointer is expected to never be null
2998         in most cases.  There are a few places where it can be null (e.g. JSLock, and
2999         DFG::Plan).  Those will be left using a VM*.
3000
3001         Also converted some uses of ExecState* to using VM& instead since the ExecState*
3002         is only there to fetch the VM pointer.  Doing this also reduces the number of
3003         times we have to compute VM* from ExecState*.
3004
3005         This patch is not exhaustive in converting to use VM&, but applies the change to
3006         many commonly used pieces of code for a start.
3007
3008         Also fixed a missing exception check in JSString::toIdentifier() and
3009         JSValue::toPropertyKey() exposed by this patch.
3010
3011         * API/APICast.h:
3012         (toJS):
3013         * API/JSAPIGlobalObject.mm:
3014         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
3015         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
3016         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3017         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
3018         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
3019         * API/JSCallbackConstructor.cpp:
3020         (JSC::JSCallbackConstructor::finishCreation):
3021         * API/JSCallbackObjectFunctions.h:
3022         (JSC::JSCallbackObject<Parent>::asCallbackObject):
3023         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
3024         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
3025         (JSC::JSCallbackObject<Parent>::putByIndex):
3026         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
3027         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
3028         * API/JSContext.mm:
3029         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
3030         * API/JSObjectRef.cpp:
3031         (JSObjectMakeFunction):
3032         (classInfoPrivate):
3033         (JSObjectGetPrivate):
3034         (JSObjectSetPrivate):
3035         (JSObjectCopyPropertyNames):
3036         (JSPropertyNameAccumulatorAddName):
3037         (JSObjectGetProxyTarget):
3038         * API/JSScriptRef.cpp:
3039         (parseScript):
3040         * API/JSValueRef.cpp:
3041         (JSValueMakeString):
3042         * API/OpaqueJSString.cpp:
3043         (OpaqueJSString::identifier const):
3044         * API/glib/JSCContext.cpp:
3045         (jsc_context_check_syntax):
3046         * KeywordLookupGenerator.py:
3047         (Trie.printSubTreeAsC):
3048         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
3049         (BuiltinsWrapperHeaderGenerator.generate_constructor):
3050         * Scripts/wkbuiltins/builtins_templates.py:
3051         * bindings/ScriptFunctionCall.cpp:
3052         (Deprecated::ScriptCallArgumentHandler::appendArgument):
3053         (Deprecated::ScriptFunctionCall::call):
3054         * bindings/ScriptValue.cpp:
3055         (Inspector::jsToInspectorValue):
3056         * builtins/BuiltinExecutables.cpp:
3057         (JSC::BuiltinExecutables::createExecutable):
3058         * builtins/BuiltinNames.cpp:
3059         (JSC::BuiltinNames::BuiltinNames):
3060         * builtins/BuiltinNames.h:
3061         (JSC::BuiltinNames::getPublicName const):
3062         * bytecode/BytecodeDumper.cpp:
3063         (JSC::BytecodeDumper<Block>::vm const):
3064         * bytecode/BytecodeDumper.h:
3065         * bytecode/BytecodeGeneratorification.cpp:
3066         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3067         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3068         (JSC::BytecodeGeneratorification::run):
3069         * bytecode/BytecodeIntrinsicRegistry.cpp:
3070         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
3071         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
3072         * bytecode/CallVariant.h:
3073         (JSC::CallVariant::internalFunction const):
3074         (JSC::CallVariant::function const):
3075         (JSC::CallVariant::isClosureCall const):
3076         (JSC::CallVariant::executable const):
3077         (JSC::CallVariant::functionExecutable const):
3078         (JSC::CallVariant::nativeExecutable const):
3079         * bytecode/CodeBlock.cpp:
3080         (JSC::CodeBlock::dumpSource):
3081         (JSC::CodeBlock::CodeBlock):
3082         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3083         (JSC::CodeBlock::setNumParameters):
3084         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
3085         (JSC::CodeBlock::unlinkIncomingCalls):
3086         (JSC::CodeBlock::replacement):
3087         (JSC::CodeBlock::computeCapabilityLevel):
3088         (JSC::CodeBlock::noticeIncomingCall):
3089         (JSC::CodeBlock::nameForRegister):
3090         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3091         * bytecode/CodeBlock.h:
3092         (JSC::CodeBlock::vm const):
3093         (JSC::CodeBlock::numberOfArgumentValueProfiles):
3094         (JSC::CodeBlock::valueProfileForArgument):
3095         * bytecode/DeferredSourceDump.cpp:
3096         (JSC::DeferredSourceDump::DeferredSourceDump):
3097         * bytecode/EvalCodeBlock.h:
3098         * bytecode/FunctionCodeBlock.h:
3099         * bytecode/GetByIdStatus.cpp:
3100         (JSC::GetByIdStatus::computeFromLLInt):
3101         * bytecode/GlobalCodeBlock.h:
3102         (JSC::GlobalCodeBlock::GlobalCodeBlock):
3103         * bytecode/ModuleProgramCodeBlock.h:
3104         * bytecode/ObjectAllocationProfileInlines.h:
3105         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
3106         * bytecode/PolyProtoAccessChain.cpp:
3107         (JSC::PolyProtoAccessChain::create):
3108         * bytecode/ProgramCodeBlock.h:
3109         * bytecode/PropertyCondition.cpp:
3110         (JSC::PropertyCondition::isWatchableWhenValid const):
3111         * bytecode/PutByIdStatus.cpp:
3112         (JSC::PutByIdStatus::computeFromLLInt):
3113         * bytecode/StructureStubInfo.cpp:
3114         (JSC::StructureStubInfo::initGetByIdSelf):
3115         (JSC::StructureStubInfo::initPutByIdReplace):
3116         (JSC::StructureStubInfo::initInByIdSelf):
3117         (JSC::StructureStubInfo::addAccessCase):
3118         (JSC::StructureStubInfo::visitWeakReferences):
3119         * bytecode/UnlinkedCodeBlock.cpp:
3120         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3121         * bytecode/UnlinkedCodeBlock.h:
3122         (JSC::UnlinkedCodeBlock::addSetConstant):
3123         (JSC::UnlinkedCodeBlock::addConstant):
3124         (JSC::UnlinkedCodeBlock::addFunctionDecl):
3125         (JSC::UnlinkedCodeBlock::addFunctionExpr):
3126         * bytecode/UnlinkedEvalCodeBlock.h:
3127         * bytecode/UnlinkedFunctionCodeBlock.h:
3128         * bytecode/UnlinkedFunctionExecutable.cpp:
3129         (JSC::generateUnlinkedFunctionCodeBlock):
3130         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3131         * bytecode/UnlinkedFunctionExecutable.h:
3132         * bytecode/UnlinkedGlobalCodeBlock.h:
3133         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
3134         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3135         * bytecode/UnlinkedProgramCodeBlock.h:
3136         * bytecompiler/BytecodeGenerator.cpp:
3137         (JSC::BytecodeGenerator::BytecodeGenerator):
3138         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3139         (JSC::BytecodeGenerator::emitDirectPutById):
3140         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3141         (JSC::BytecodeGenerator::addBigIntConstant):
3142         (JSC::BytecodeGenerator::addTemplateObjectConstant):
3143         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3144         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
3145         * bytecompiler/BytecodeGenerator.h:
3146         (JSC::BytecodeGenerator::vm const):
3147         (JSC::BytecodeGenerator::propertyNames const):
3148         (JSC::BytecodeGenerator::emitNodeInTailPosition):
3149         (JSC::BytecodeGenerator::emitDefineClassElements):
3150         (JSC::BytecodeGenerator::emitNodeInConditionContext):
3151         * bytecompiler/NodesCodegen.cpp:
3152         (JSC::RegExpNode::emitBytecode):
3153         (JSC::ArrayNode::emitBytecode):
3154         (JSC::FunctionCallResolveNode::emitBytecode):
3155         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3156         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3157         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
3158         (JSC::InstanceOfNode::emitBytecode):
3159         * debugger/Debugger.cpp:
3160         * debugger/DebuggerParseData.cpp:
3161         (JSC::gatherDebuggerParseData):
3162         * debugger/DebuggerScope.cpp:
3163         (JSC::DebuggerScope::next):
3164         (JSC::DebuggerScope::name const):
3165         (JSC::DebuggerScope::location const):
3166         * dfg/DFGDesiredIdentifiers.cpp:
3167         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3168         * dfg/DFGDesiredWatchpoints.cpp:
3169         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
3170         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
3171         * dfg/DFGFrozenValue.h:
3172         (JSC::DFG::FrozenValue::FrozenValue):
3173         * dfg/DFGGraph.cpp:
3174         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
3175         * dfg/DFGJITCompiler.cpp:
3176         (JSC::DFG::JITCompiler::linkOSRExits):
3177         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3178         (JSC::DFG::JITCompiler::link):
3179         (JSC::DFG::emitStackOverflowCheck):
3180         (JSC::DFG::JITCompiler::compileFunction):
3181         (JSC::DFG::JITCompiler::exceptionCheck):
3182         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3183         * dfg/DFGJITCompiler.h:
3184         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
3185         (JSC::DFG::JITCompiler::fastExceptionCheck):
3186         (JSC::DFG::JITCompiler::vm):
3187         * dfg/DFGLazyJSValue.cpp:
3188         (JSC::DFG::LazyJSValue::getValue const):
3189         (JSC::DFG::LazyJSValue::emit const):
3190         * dfg/DFGOSREntry.cpp:
3191         (JSC::DFG::prepareOSREntry):
3192         * dfg/DFGOSRExit.cpp:
3193         (JSC::DFG::OSRExit::compileOSRExit):
3194         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
3195         * dfg/DFGOSRExitCompilerCommon.h:
3196         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
3197         * dfg/DFGOperations.cpp:
3198         (JSC::DFG::newTypedArrayWithSize):
3199         (JSC::DFG::binaryOp):
3200         (JSC::DFG::bitwiseBinaryOp):
3201         * dfg/DFGPlan.cpp:
3202         (JSC::DFG::Plan::Plan):
3203         * dfg/DFGSpeculativeJIT.cpp:
3204         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3205         (JSC::DFG::SpeculativeJIT::compileStringSlice):
3206         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3207         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
3208         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3209         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3210         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
3211         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
3212         (JSC::DFG::SpeculativeJIT::emitStringBranch):
3213         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
3214         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3215         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
3216         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3217         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3218         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3219         (JSC::DFG::SpeculativeJIT::compileSpread):
3220         (JSC::DFG::SpeculativeJIT::compileNewArray):
3221         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3222         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3223         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3224         (JSC::DFG::SpeculativeJIT::compileTypeOf):
3225         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3226         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3227         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
3228         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3229         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3230         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3231         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3232         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
3233         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3234         (JSC::DFG::SpeculativeJIT::compileStringReplace):
3235         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
3236         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3237         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
3238         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
3239         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3240         (JSC::DFG::SpeculativeJIT::compileNewObject):
3241         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
3242         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
3243         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3244         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3245         (JSC::DFG::SpeculativeJIT::compileProfileType):
3246         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3247         * dfg/DFGSpeculativeJIT.h:
3248         (JSC::DFG::SpeculativeJIT::vm):
3249         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
3250         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3251         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3252         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3253         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3254         * dfg/DFGSpeculativeJIT32_64.cpp:
3255         (JSC::DFG::SpeculativeJIT::emitCall):
3256         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3257         (JSC::DFG::SpeculativeJIT::emitBranch):
3258         (JSC::DFG::SpeculativeJIT::compile):
3259         * dfg/DFGSpeculativeJIT64.cpp:
3260         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
3261         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
3262         (JSC::DFG::SpeculativeJIT::emitCall):
3263         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3264         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3265         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3266         (JSC::DFG::SpeculativeJIT::emitBranch):
3267         (JSC::DFG::SpeculativeJIT::compile):
3268         * dfg/DFGThunks.cpp:
3269         (JSC::DFG::osrExitThunkGenerator):
3270         (JSC::DFG::osrExitGenerationThunkGenerator):
3271         (JSC::DFG::osrEntryThunkGenerator):
3272         * dfg/DFGThunks.h:
3273         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3274         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3275         * dfg/DFGWorklist.cpp:
3276         (JSC::DFG::Worklist::visitWeakReferences):
3277         * dynbench.cpp:
3278         (main):
3279         * ftl/FTLLowerDFGToB3.cpp:
3280         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3281         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3282         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3283         * ftl/FTLThunks.cpp:
3284         (JSC::FTL::genericGenerationThunkGenerator):
3285         (JSC::FTL::osrExitGenerationThunkGenerator):
3286         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3287         * ftl/FTLThunks.h:
3288         * heap/CellContainer.h: