[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-12-04  Mark Lam  <mark.lam@apple.com>
2
3         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
4         https://bugs.webkit.org/show_bug.cgi?id=192386
5         <rdar://problem/46445516>
6
7         Reviewed by Saam Barati.
8
9         This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().
10
11         * dfg/DFGStrengthReductionPhase.cpp:
12         (JSC::DFG::StrengthReductionPhase::handleNode):
13
14 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
15
16         [ESNext][BigInt] Support logic operations
17         https://bugs.webkit.org/show_bug.cgi?id=179903
18
19         Reviewed by Yusuke Suzuki.
20
21         We are introducing in this patch the ToBoolean support for JSBigInt.
22         With this change, we can implement the correct behavior of BigInt as
23         operand of logical operations. During JIT generation into DFG and FTL,
24         we are using JSBigInt::m_length to verify if the number is 0n or not,
25         following the same approach used by JSString. This is also safe in the case
26         of BigInt, because only 0n has m_length == 0.
27
28         We are not including BigInt speculation into Branch nodes in this
29         patch, but the plan is to implement it in further patches.
30
31         * ftl/FTLAbstractHeapRepository.h:
32         * ftl/FTLLowerDFGToB3.cpp:
33         (JSC::FTL::DFG::LowerDFGToB3::boolify):
34         (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
35         * jit/AssemblyHelpers.cpp:
36         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
37         (JSC::AssemblyHelpers::branchIfValue):
38         * runtime/JSBigInt.cpp:
39         (JSC::JSBigInt::isZero const):
40         (JSC::JSBigInt::offsetOfLength):
41         (JSC::JSBigInt::toBoolean const):
42         (JSC::JSBigInt::isZero): Deleted.
43         * runtime/JSBigInt.h:
44         * runtime/JSCellInlines.h:
45         (JSC::JSCell::toBoolean const):
46         (JSC::JSCell::pureToBoolean const):
47
48 2018-12-04  Devin Rousso  <drousso@apple.com>
49
50         Web Inspector: Audit: tests should support async operations
51         https://bugs.webkit.org/show_bug.cgi?id=192171
52         <rdar://problem/46423562>
53
54         Reviewed by Joseph Pecoraro.
55
56         Add `awaitPromise` command for executing a callback when a Promise gets settled.
57
58         Drive-by: allow `wasThrown` to be optional, instead of expecting it to always have a value.
59
60         * inspector/protocol/Runtime.json:
61
62         * inspector/InjectedScriptSource.js:
63         (InjectedScript.prototype.awaitPromise): Added.
64
65         * inspector/InjectedScript.h:
66         * inspector/InjectedScript.cpp:
67         (Inspector::InjectedScript::evaluate):
68         (Inspector::InjectedScript::awaitPromise): Added.
69         (Inspector::InjectedScript::callFunctionOn):
70         (Inspector::InjectedScript::evaluateOnCallFrame):
71
72         * inspector/InjectedScriptBase.h:
73         * inspector/InjectedScriptBase.cpp:
74         (Inspector::InjectedScriptBase::makeEvalCall):
75         (Inspector::InjectedScriptBase::makeAsyncCall): Added.
76         (Inspector::InjectedScriptBase::checkCallResult): Added.
77         (Inspector::InjectedScriptBase::checkAsyncCallResult): Added.
78
79         * inspector/agents/InspectorRuntimeAgent.h:
80         * inspector/agents/InspectorRuntimeAgent.cpp:
81         (Inspector::InspectorRuntimeAgent::evaluate):
82         (Inspector::InspectorRuntimeAgent::awaitPromise):
83         (Inspector::InspectorRuntimeAgent::callFunctionOn):
84
85         * inspector/agents/InspectorDebuggerAgent.cpp:
86         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
87
88 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
89
90         Unreviewed, rolling out r238833.
91
92         Breaks macOS and iOS debug builds.
93
94         Reverted changeset:
95
96         "[ESNext][BigInt] Support logic operations"
97         https://bugs.webkit.org/show_bug.cgi?id=179903
98         https://trac.webkit.org/changeset/238833
99
100 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
101
102         [ESNext][BigInt] Support logic operations
103         https://bugs.webkit.org/show_bug.cgi?id=179903
104
105         Reviewed by Yusuke Suzuki.
106
107         We are introducing in this patch the ToBoolean support for JSBigInt.
108         With this change, we can implement the correct behavior of BigInt as
109         operand of logical operations. During JIT generation into DFG and FTL,
110         we are using JSBigInt::m_length to verify if the number is 0n or not,
111         following the same approach used by JSString. This is also safe in the case
112         of BigInt, because only 0n has m_length == 0.
113
114         We are not including BigInt speculation into Branch nodes in this
115         patch, but the plan is to implement it in further patches.
116
117         * ftl/FTLAbstractHeapRepository.h:
118         * ftl/FTLLowerDFGToB3.cpp:
119         (JSC::FTL::DFG::LowerDFGToB3::boolify):
120         (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
121         * jit/AssemblyHelpers.cpp:
122         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
123         (JSC::AssemblyHelpers::branchIfValue):
124         * runtime/JSBigInt.cpp:
125         (JSC::JSBigInt::isZero const):
126         (JSC::JSBigInt::offsetOfLength):
127         (JSC::JSBigInt::toBoolean const):
128         (JSC::JSBigInt::isZero): Deleted.
129         * runtime/JSBigInt.h:
130         * runtime/JSCellInlines.h:
131         (JSC::JSCell::toBoolean const):
132         (JSC::JSCell::pureToBoolean const):
133
134 2018-12-03  Keith Rollin  <krollin@apple.com>
135
136         Add .xcfilelist files
137         https://bugs.webkit.org/show_bug.cgi?id=192082
138         <rdar://problem/46312533>
139
140         Reviewed by Brent Fulgham.
141
142         Add .xcfilelist files for Generate Derived Sources and Generate
143         Unified Sources build phases in Xcode. These are just being staged for
144         now; they'll be added to the Xcode projects later.
145
146         * DerivedSources-input.xcfilelist: Added.
147         * DerivedSources-output.xcfilelist: Added.
148         * UnifiedSources-input.xcfilelist: Added.
149         * UnifiedSources-output.xcfilelist: Added.
150
151 2018-12-03  Mark Lam  <mark.lam@apple.com>
152
153         Fix the bytecode code generator scripts to pretty print BytecodeStructs.h and BytecodeIndices.h.
154         https://bugs.webkit.org/show_bug.cgi?id=192271
155
156         Reviewed by Keith Miller.
157
158         This makes the generated code style compliant and human readable.
159
160         * generator/Argument.rb:
161         * generator/DSL.rb:
162         * generator/Fits.rb:
163         * generator/Metadata.rb:
164         * generator/Opcode.rb:
165
166 2018-12-02  Zalan Bujtas  <zalan@apple.com>
167
168         Add a runtime feature flag for LayoutFormattingContext.
169         https://bugs.webkit.org/show_bug.cgi?id=192280
170
171         Reviewed by Simon Fraser.
172
173         * Configurations/FeatureDefines.xcconfig:
174
175 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
176
177         [ESNext][BigInt] Implement support for "<<" and ">>"
178         https://bugs.webkit.org/show_bug.cgi?id=186233
179
180         Reviewed by Yusuke Suzuki.
181
182         This patch introduces support for BigInt in lshift and
183         rshift in the LLInt and Baseline layers.
184
185         * runtime/CommonSlowPaths.cpp:
186         (JSC::SLOW_PATH_DECL):
187         * runtime/JSBigInt.cpp:
188         (JSC::JSBigInt::createWithLength):
189         (JSC::JSBigInt::leftShift):
190         (JSC::JSBigInt::signedRightShift):
191         (JSC::JSBigInt::leftShiftByAbsolute):
192         (JSC::JSBigInt::rightShiftByAbsolute):
193         (JSC::JSBigInt::rightShiftByMaximum):
194         (JSC::JSBigInt::toShiftAmount):
195         * runtime/JSBigInt.h:
196
197 2018-12-01  Simon Fraser  <simon.fraser@apple.com>
198
199         Heap.h refers to the non-existent HeapStatistics
200         https://bugs.webkit.org/show_bug.cgi?id=187882
201
202         Reviewed by Keith Miller.
203         
204         Just remove the "friend class HeapStatistics".
205
206         * heap/Heap.h:
207
208 2018-11-29  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
209
210         [JSC] Keep TypeMaybeBigInt small
211         https://bugs.webkit.org/show_bug.cgi?id=192203
212
213         Reviewed by Saam Barati.
214
215         As BigInt is being implemented, more and more bytecodes start returning BigInt.
216         It means that the ResultType of these bytecodes includes TypeMaybeBigInt. However,
217         TypeMaybeBigInt was the large number 0x20, leading to wide instructions since ResultType
218         easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33).
219
220         This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in
221         the code.
222
223         * parser/ResultType.h:
224
225 2018-11-30  Dean Jackson  <dino@apple.com>
226
227         Try to fix Windows build by using strcmp instead of strcasecmp.
228
229         * jsc.cpp:
230         (isMJSFile):
231
232 2018-11-30  Mark Lam  <mark.lam@apple.com>
233
234         Fix the bytecode code generator scripts to pretty print Bytecodes.h.
235         https://bugs.webkit.org/show_bug.cgi?id=192258
236
237         Reviewed by Keith Miller.
238
239         This makes Bytecodes.h more human readable.
240
241         * generator/DSL.rb:
242         * generator/Section.rb:
243
244 2018-11-30  Mark Lam  <mark.lam@apple.com>
245
246         Add the generator directory to the Xcode project.
247         https://bugs.webkit.org/show_bug.cgi?id=192252
248
249         Reviewed by Michael Saboff.
250
251         This is so that we can work with these bytecode class generator files easily in Xcode.
252
253         * JavaScriptCore.xcodeproj/project.pbxproj:
254
255 2018-11-30  Don Olmstead  <don.olmstead@sony.com>
256
257         Rename ENABLE_SUBTLE_CRYPTO to ENABLE_WEB_CRYPTO
258         https://bugs.webkit.org/show_bug.cgi?id=192197
259
260         Reviewed by Jiewen Tan.
261
262         * Configurations/FeatureDefines.xcconfig:
263
264 2018-11-30  Dean Jackson  <dino@apple.com>
265
266         Add first-class support for .mjs files in jsc binary
267         https://bugs.webkit.org/show_bug.cgi?id=192190
268         <rdar://problem/46375715>
269
270         Reviewed by Keith Miller.
271
272         Treat files with a .mjs extension as a module, regardless
273         of whether or not the --module-file argument was given.
274
275         * jsc.cpp:
276         (printUsageStatement): Update usage.
277         (isMJSFile): Helper to look for .mjs extensions.
278         (CommandLine::parseArguments): Pick the appropriate script type.
279
280 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
281
282         [BigInt] Implement ValueBitXor into DFG
283         https://bugs.webkit.org/show_bug.cgi?id=190264
284
285         Reviewed by Yusuke Suzuki.
286
287         This patch is splitting the BitXor node into ArithBitXor and
288         ValueBitXor. This is necessary due to the introduction of
289         BigInt, since BitXor operations can now result in Int32 or BigInt.
290         In that case, we use ArithBitXor when the operands are Int and fall back to
291         ValueBitXor when the operands are anything else. In the case of
292         ValueBitXor, we speculate BigInt when op1 and op2 are predicted as
293         BigInt as well. The BigInt specialization consists of calling the
294         `operationBigIntBitXor` function, which calls JSBigInt::bitXor.
295
296         * bytecode/BytecodeList.rb:
297         * bytecode/CodeBlock.cpp:
298         (JSC::CodeBlock::finishCreation):
299         (JSC::CodeBlock::arithProfileForPC):
300         * bytecode/Opcode.h:
301         (JSC::padOpcodeName):
302         * bytecompiler/BytecodeGenerator.h:
303         * dfg/DFGAbstractInterpreterInlines.h:
304         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
305         * dfg/DFGBackwardsPropagationPhase.cpp:
306         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
307         (JSC::DFG::BackwardsPropagationPhase::propagate):
308         * dfg/DFGByteCodeParser.cpp:
309         (JSC::DFG::ByteCodeParser::parseBlock):
310         * dfg/DFGClobberize.h:
311         (JSC::DFG::clobberize):
312         * dfg/DFGDoesGC.cpp:
313         (JSC::DFG::doesGC):
314         * dfg/DFGFixupPhase.cpp:
315         (JSC::DFG::FixupPhase::fixupNode):
316         * dfg/DFGNodeType.h:
317         * dfg/DFGOperations.cpp:
318         * dfg/DFGOperations.h:
319         * dfg/DFGPredictionPropagationPhase.cpp:
320         * dfg/DFGSafeToExecute.h:
321         (JSC::DFG::safeToExecute):
322         * dfg/DFGSpeculativeJIT.cpp:
323         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
324         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
325         * dfg/DFGSpeculativeJIT.h:
326         (JSC::DFG::SpeculativeJIT::bitOp):
327         * dfg/DFGSpeculativeJIT32_64.cpp:
328         (JSC::DFG::SpeculativeJIT::compile):
329         * dfg/DFGSpeculativeJIT64.cpp:
330         (JSC::DFG::SpeculativeJIT::compile):
331         * dfg/DFGStrengthReductionPhase.cpp:
332         (JSC::DFG::StrengthReductionPhase::handleNode):
333         * ftl/FTLCapabilities.cpp:
334         (JSC::FTL::canCompile):
335         * ftl/FTLLowerDFGToB3.cpp:
336         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
337         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
338         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitXor):
339         (JSC::FTL::DFG::LowerDFGToB3::compileBitXor): Deleted.
340         * jit/JITArithmetic.cpp:
341         (JSC::JIT::emit_op_bitxor):
342         * llint/LowLevelInterpreter32_64.asm:
343         * llint/LowLevelInterpreter64.asm:
344         * runtime/CommonSlowPaths.cpp:
345         (JSC::SLOW_PATH_DECL):
346
347 2018-11-29  Justin Michaud  <justin_michaud@apple.com>
348
349         CSS Painting API should pass 'this' correctly to paint callback, and repaint when properties change.
350         https://bugs.webkit.org/show_bug.cgi?id=191443
351
352         Reviewed by Dean Jackson.
353
354         Export the simpler construct() method for use in WebCore.
355
356         * runtime/ConstructData.h:
357
358 2018-11-28  Mark Lam  <mark.lam@apple.com>
359
360         ENABLE_SEPARATED_WX_HEAP needs to be defined in Platform.h.
361         https://bugs.webkit.org/show_bug.cgi?id=192110
362         <rdar://problem/46317746>
363
364         Reviewed by Saam Barati.
365
366         * config.h:
367
368 2018-11-28  Keith Rollin  <krollin@apple.com>
369
370         Update generate-{derived,unified}-sources scripts to support generating .xcfilelist files
371         https://bugs.webkit.org/show_bug.cgi?id=192031
372         <rdar://problem/46286816>
373
374         Reviewed by Alex Christensen.
375
376         The Generate Derived Sources and Generate Unified Sources build phases
377         in Xcode need to have their inputs and outputs specified. This
378         specification will come in the form of .xcfilelist files that will be
379         attached to these build phases. There is one .xcfilelist file that
380         lists the input file and one that lists the output files. As part of
381         this work, the various generate-{derived,unified}-sources scripts that
382         are executed in these Generate build phases are modified to help in
383         the creation of these .xcfilelist files. In particular, they can now
384         be invoked with command-line parameters. These parameters are then
385         used to alter the normal execution of these scripts, causing them to
386         produce the .xcfilelist files as opposed to actually generating the
387         files that are listed in those files.
388
389         * Scripts/generate-derived-sources.sh:
390         * Scripts/generate-unified-sources.sh:
391
392 2018-11-28  Keith Rollin  <krollin@apple.com>
393
394         Revert print_all_generated_files work in r238008; tighten up target specifications
395         https://bugs.webkit.org/show_bug.cgi?id=192025
396         <rdar://problem/46284301>
397
398         Reviewed by Alex Christensen.
399
400         In r238008, I added a facility for DerivedSources.make makefiles to
401         print out the list of files that they generate. This output was used
402         in the generation of .xcfilelist files used to specify the output of
403         the associated Generate Derived Sources build phases in Xcode. This
404         approach worked, but it meant that people would need to follow a
405         specific convention to keep this mechanism working.
406
407         Instead of continuing this approach, I'm going to implement a new
408         facility based on the output of `make` when passed the -d flag (which
409         prints dependency information). This new mechanism is completely
410         automatic and doesn't need maintainers to follow a convention. To that
411         end, remove most of the work performed in r238008 that supports the
412         print_all_generated_files target.
413
414         At the same time, it's important for the sets of targets and their
415         dependencies to be complete and correct. Therefore, also include
416         changes to bring those up-to-date. As part of that, you'll see
417         prevalent use of a particular technique. Here's an example:
418
419             BYTECODE_FILES = \
420                 Bytecodes.h \
421                 BytecodeIndices.h \
422                 BytecodeStructs.h \
423                 InitBytecodes.asm \
424             #
425             BYTECODE_FILES_PATTERNS = $(subst .,%,$(BYTECODE_FILES))
426
427             all : $(BYTECODE_FILES)
428
429             $(BYTECODE_FILES_PATTERNS): $(wildcard $(JavaScriptCore)/generator/*.rb) $(JavaScriptCore)/bytecode/BytecodeList.rb
430                 ...
431
432         These lines indicate a set of generated files (those specified in
433         BYTECODE_FILES). These files are generated by the BytecodeList.rb
434         tool. But, as opposed to the normal rule where a single foo.output is
435         generated by foo.input plus some additional dependencies, this rule
436         produces multiple output files from a tool whose connection to the
437         output files is not immediately clear. A special approach is needed
438         where a single rule produces multiple output files. The normal way to
439         implement this is to use an .INTERMEDIATE target. However, we used
440         this approach in the past and ran into a problem with it, addressing
441         it with an alternate approach in r210507. The above example shows this
442         approach. The .'s in the list of target files are replaced with %'s,
443         and the result is used as the left side of the dependency rule.
444
445         * DerivedSources.make:
446
447 2018-11-28  Keith Rollin  <krollin@apple.com>
448
449         Remove Postprocess Headers dependencies
450         https://bugs.webkit.org/show_bug.cgi?id=192023
451         <rdar://problem/46283377>
452
453         Reviewed by Mark Lam.
454
455         JavaScriptCore's Xcode Postprocess Headers build phase used to have a
456         dependency on a specific handful of files. In r234227, the script used
457         in this phase (postprocess-headers.sh) was completely rewritten to
458         operate on *all* files in JSC's Public and Private headers directories
459         instead of just this handful. This rewrite makes the previous
460         dependency specification insufficient, leading to incorrect
461         incremental builds if the right files weren't touched. Address this by
462         removing the dependencies completely. This will cause
463         postprocess-headers.sh to always be executed, even when none of its
464         files are touched. Running this script all the time is OK, since it has
465         built-in protections against unnecessarily touching files that haven't
466         changed.
467
468         * JavaScriptCore.xcodeproj/project.pbxproj:
469
470 2018-11-27  Mark Lam  <mark.lam@apple.com>
471
472         ENABLE_FAST_JIT_PERMISSIONS should be false for iosmac.
473         https://bugs.webkit.org/show_bug.cgi?id=192055
474         <rdar://problem/46288783>
475
476         Reviewed by Saam Barati.
477
478         * Configurations/FeatureDefines.xcconfig:
479
480 2018-11-27  Saam barati  <sbarati@apple.com>
481
482         r238510 broke scopes of size zero
483         https://bugs.webkit.org/show_bug.cgi?id=192033
484         <rdar://problem/46281734>
485
486         Reviewed by Keith Miller.
487
488         In r238510, I wrote the loop like this: 
489         `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`
490         
491         This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.
492         
493         This patch fixes this by writing the loop as:
494         `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`
495
496         * dfg/DFGObjectAllocationSinkingPhase.cpp:
497
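The entry above is a textbook unsigned-arithmetic hazard: maxScopeOffset() is scopeSize() - 1 computed in unsigned, so an empty scope makes it UINT_MAX and the condition `offset <= maxScopeOffset()` can never become false. The following is an added illustration, not WebKit code: ToySymbolTable, LoopOutcome and the two run* functions are stand-ins invented for this example, and the activation is a plain vector with an explicit bounds check and an iteration budget so the out-of-bounds offset is reported instead of read.

```cpp
#include <vector>

// Stand-in for the symbol table of an activation; illustrative code, not
// JSC's SymbolTable. Offsets are unsigned, as ScopeOffset wraps an unsigned,
// which is what makes the "<= maxScopeOffset()" loop form unsafe.
struct ToySymbolTable {
    unsigned m_scopeSize;
    unsigned scopeSize() const { return m_scopeSize; }
    unsigned maxScopeOffset() const { return m_scopeSize - 1; } // UINT_MAX when empty
};

struct LoopOutcome {
    bool terminated;         // the loop condition eventually became false
    bool touchedOutOfBounds; // an offset past the activation's last slot was used
    unsigned iterations;
};

// The r238510 shape, `offset <= maxScopeOffset()`, run against a bounds-checked
// activation with an iteration budget, so the empty-scope case is observed
// instead of spinning until `offset` wraps around.
static LoopOutcome runInclusiveLoop(const ToySymbolTable& table, unsigned budget) {
    std::vector<int> activation(table.scopeSize(), 0);
    LoopOutcome outcome{false, false, 0};
    for (unsigned offset = 0; offset <= table.maxScopeOffset(); ++offset) {
        if (outcome.iterations++ >= budget)
            return outcome; // gave up: condition never turned false
        if (offset >= activation.size()) {
            outcome.touchedOutOfBounds = true; // slot 0 of an empty activation
            return outcome;
        }
        activation[offset] = 1;
    }
    outcome.terminated = true;
    return outcome;
}

// The corrected shape, `offset < scopeSize()`: visits exactly scopeSize()
// slots and never forms an offset that does not exist.
static unsigned runExclusiveLoop(const ToySymbolTable& table) {
    std::vector<int> activation(table.scopeSize(), 0);
    unsigned visited = 0;
    for (unsigned offset = 0; offset < table.scopeSize(); ++offset) {
        activation[offset] = 1;
        ++visited;
    }
    return visited;
}
```

For a non-empty scope both loops agree; for an empty one the inclusive form touches offset 0 of a zero-length activation on its very first iteration, which in the real phase would be a read past the end of the scope rather than a reported flag.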
498 2018-11-27  Mark Lam  <mark.lam@apple.com>
499
500         ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
501         https://bugs.webkit.org/show_bug.cgi?id=192018
502
503         Reviewed by Saam Barati.
504
505         This assertion failed because the regress-191579.js test was specifying
506         --maxPerThreadStackUsage=400000 i.e. it was running with a stack size that is not
507         page aligned.  Given that the user can specify any arbitrary stack size, and the
508         CLoop stack expects to be page aligned, we'll just round up the requested capacity
509         to the next page alignment.
510
511         * interpreter/CLoopStack.cpp:
512         (JSC::CLoopStack::CLoopStack):
513
514 2018-11-27  Mark Lam  <mark.lam@apple.com>
515
516         [Re-landing] NaNs read from Wasm code need to be purified.
517         https://bugs.webkit.org/show_bug.cgi?id=191056
518         <rdar://problem/45660341>
519
520         Reviewed by Filip Pizlo.
521
522         * wasm/js/WebAssemblyModuleRecord.cpp:
523         (JSC::WebAssemblyModuleRecord::link):
524
525 2018-11-27  Timothy Hatcher  <timothy@apple.com>
526
527         Web Inspector: Add support for forcing color scheme appearance in DOM tree.
528         https://bugs.webkit.org/show_bug.cgi?id=191820
529         <rdar://problem/46153172>
530
531         Reviewed by Devin Rousso.
532
533         * inspector/protocol/Page.json: Added setForcedAppearance.
534         Also added the defaultAppearanceDidChange event and Appearance enum.
535
536 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
537
538         Unreviewed, rolling out r238509.
539
540         Causes JSC tests to fail on iOS.
541
542         Reverted changeset:
543
544         "NaNs read from Wasm code need to be purified."
545         https://bugs.webkit.org/show_bug.cgi?id=191056
546         https://trac.webkit.org/changeset/238509
547
548 2018-11-27  Mark Lam  <mark.lam@apple.com>
549
550         Introducing a ENABLE_SEPARATED_WX_HEAP macro.
551         https://bugs.webkit.org/show_bug.cgi?id=192013
552         <rdar://problem/45494310>
553
554         Reviewed by Keith Miller.
555
556         This makes the code a little more readable.
557
558         I put the definition of ENABLE_SEPARATED_WX_HEAP in JSC's config.h instead of
559         Platform.h because ENABLE_SEPARATED_WX_HEAP is only needed inside JSC.  Also,
560         ENABLE_SEPARATED_WX_HEAP depends on ENABLE(FAST_JIT_PERMISSIONS), which is only
561         defined for JSC.
562
563         * config.h:
564         * jit/ExecutableAllocator.cpp:
565         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
566         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
567         * jit/ExecutableAllocator.h:
568         (JSC::performJITMemcpy):
569         * runtime/Options.cpp:
570         (JSC::recomputeDependentOptions):
571
572 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
573
574         Re-introduce op_bitnot
575         https://bugs.webkit.org/show_bug.cgi?id=190923
576
577         Reviewed by Yusuke Suzuki.
578
579         With the introduction of BigInt as a new type, we can't emit bitwise
580         not as `x ^ -1` anymore, because this is incompatible with the new type.
581         Based on that, this patch adds `op_bitnot` as a new operation
582         to LLInt, as well as introducing an ArithBitNot node into DFG to support
583         JIT compilation of this opcode. We will use the ValueProfile of this
584         instruction in the future to generate better code when its operand
585         is not Int32.
586
587         * assembler/MacroAssemblerARM64.h:
588         (JSC::MacroAssemblerARM64::not32):
589         * assembler/MacroAssemblerARMv7.h:
590         (JSC::MacroAssemblerARMv7::not32):
591         * assembler/MacroAssemblerMIPS.h:
592         (JSC::MacroAssemblerMIPS::not32):
593         * bytecode/BytecodeList.rb:
594         * bytecode/BytecodeUseDef.h:
595         (JSC::computeUsesForBytecodeOffset):
596         (JSC::computeDefsForBytecodeOffset):
597         * bytecode/CodeBlock.cpp:
598         (JSC::CodeBlock::finishCreation):
599         * bytecode/Opcode.h:
600         (JSC::padOpcodeName):
601         * bytecompiler/BytecodeGenerator.cpp:
602         (JSC::BytecodeGenerator::emitUnaryOp):
603         * bytecompiler/NodesCodegen.cpp:
604         (JSC::UnaryPlusNode::emitBytecode):
605         (JSC::BitwiseNotNode::emitBytecode): Deleted.
606         * dfg/DFGAbstractInterpreterInlines.h:
607         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
608         * dfg/DFGBackwardsPropagationPhase.cpp:
609         (JSC::DFG::BackwardsPropagationPhase::propagate):
610         * dfg/DFGByteCodeParser.cpp:
611         (JSC::DFG::ByteCodeParser::parseBlock):
612         * dfg/DFGCapabilities.cpp:
613         (JSC::DFG::capabilityLevel):
614         * dfg/DFGClobberize.h:
615         (JSC::DFG::clobberize):
616         * dfg/DFGDoesGC.cpp:
617         (JSC::DFG::doesGC):
618         * dfg/DFGFixupPhase.cpp:
619         (JSC::DFG::FixupPhase::fixupNode):
620         * dfg/DFGNodeType.h:
621         * dfg/DFGOperations.cpp:
622         * dfg/DFGOperations.h:
623         * dfg/DFGPredictionPropagationPhase.cpp:
624         * dfg/DFGSafeToExecute.h:
625         (JSC::DFG::safeToExecute):
626         * dfg/DFGSpeculativeJIT.cpp:
627         (JSC::DFG::SpeculativeJIT::compileBitwiseNot):
628         * dfg/DFGSpeculativeJIT.h:
629         * dfg/DFGSpeculativeJIT32_64.cpp:
630         (JSC::DFG::SpeculativeJIT::compile):
631         * dfg/DFGSpeculativeJIT64.cpp:
632         (JSC::DFG::SpeculativeJIT::compile):
633         * ftl/FTLCapabilities.cpp:
634         (JSC::FTL::canCompile):
635         * ftl/FTLLowerDFGToB3.cpp:
636         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
637         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):
638         * jit/JIT.cpp:
639         (JSC::JIT::privateCompileMainPass):
640         (JSC::JIT::privateCompileSlowCases):
641         * jit/JIT.h:
642         * jit/JITArithmetic.cpp:
643         (JSC::JIT::emit_op_bitnot):
644         * llint/LowLevelInterpreter32_64.asm:
645         * llint/LowLevelInterpreter64.asm:
646         * offlineasm/cloop.rb:
647         * parser/NodeConstructors.h:
648         (JSC::BitwiseNotNode::BitwiseNotNode):
649         * parser/Nodes.h:
650         * parser/ResultType.h:
651         (JSC::ResultType::bigIntOrInt32Type):
652         (JSC::ResultType::forBitOp):
653         * runtime/CommonSlowPaths.cpp:
654         (JSC::SLOW_PATH_DECL):
655         * runtime/CommonSlowPaths.h:
656
657 2018-11-26  Saam barati  <sbarati@apple.com>
658
659         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
660         https://bugs.webkit.org/show_bug.cgi?id=191956
661         <rdar://problem/45665806>
662
663         Reviewed by Yusuke Suzuki.
664
665         This is a similar bug to what Keith fixed in r232134. The issue is if we have
666         a program like this:
667         
668         a: JSConstant(jsNumber(0))
669         b: SetLocal(Int32:@a, loc1, FlushedInt32)
670         c: ArrayifyToStructure(Cell:@a)
671         d: Jump(...)
672         
673         At the point in the program right after the Jump, a GetLocal for loc1
674         would return whatever the ArrayifyToStructure resulting type is. This breaks
675         the invariant that a GetLocal must return a value that is a subtype of its
676         FlushFormat. InPlaceAbstractState::endBasicBlock will know if a SetLocal is
677         the final node touching a local slot. If so, it'll see if any nodes later
678         in the block may have refined the type of the value stored in that slot. If
679         so, endBasicBlock() further refines the type to ensure that any GetLocals
680         loading from the same slot will result in having this more refined type.
681         However, we must ensure that this logic only considers types within the
682         hierarchy of the variable access data's FlushFormat, otherwise, we may
683         break the invariant that a GetLocal's type is a subtype of its FlushFormat.
684
685         * dfg/DFGInPlaceAbstractState.cpp:
686         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
687
688 2018-11-26  Saam barati  <sbarati@apple.com>
689
690         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
691         https://bugs.webkit.org/show_bug.cgi?id=191958
692         <rdar://problem/46221877>
693
694         Reviewed by Yusuke Suzuki.
695
696         There may be more entries in an activation than unique variables
697         in a symbol table's hashmap. For example, if you have two parameters
698         to a function, and they both are the same name, and the function
699         uses eval, we'll end up with two scope slots, but only a single
700         entry in the hashmap in the symbol table. Object allocation sinking
701         phase was previously iterating over the hashmap, assuming these
702         values were equivalent. This is wrong in the above case. Instead,
703         we need to iterate over each scope offset.
704
705         * dfg/DFGObjectAllocationSinkingPhase.cpp:
706         * runtime/GenericOffset.h:
707         (JSC::GenericOffset::operator+=):
708         (JSC::GenericOffset::operator-=):
709
710 2018-11-26  Mark Lam  <mark.lam@apple.com>
711
712         NaNs read from Wasm code need to be purified.
713         https://bugs.webkit.org/show_bug.cgi?id=191056
714         <rdar://problem/45660341>
715
716         Reviewed by Filip Pizlo.
717
718         * wasm/js/WebAssemblyModuleRecord.cpp:
719         (JSC::WebAssemblyModuleRecord::link):
720
721 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
722
723         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
724         https://bugs.webkit.org/show_bug.cgi?id=191716
725         <rdar://problem/45723878>
726
727         Reviewed by Saam Barati.
728
729         After https://bugs.webkit.org/show_bug.cgi?id=187373, when updating
730         jump targets during generatorification, we only stored the new jump
731         target when it changed. However, the out-of-line jump targets are
732         cleared at the beginning of the pass, so we need to store it
733         unconditionally.
734
735         * bytecode/PreciseJumpTargetsInlines.h:
736         (JSC::extractStoredJumpTargetsForInstruction):
737         (JSC::updateStoredJumpTargetsForInstruction):
738
739 2018-11-23  Wenson Hsieh  <wenson_hsieh@apple.com>
740
741         Enable drag and drop support for iOSMac
742         https://bugs.webkit.org/show_bug.cgi?id=191818
743         <rdar://problem/43907454>
744
745         Reviewed by Dean Jackson.
746
747         * Configurations/FeatureDefines.xcconfig:
748
749 2018-11-22  Mark Lam  <mark.lam@apple.com>
750
751         Make the jsc shell's dumpException() more robust against long exception strings.
752         https://bugs.webkit.org/show_bug.cgi?id=191910
753         <rdar://problem/46212980>
754
755         Reviewed by Michael Saboff.
756
757         This only affects the dumping of the exception string in the jsc shell due to
758         unhandled exceptions or exceptions at shell boot time before any JS code is
759         running.
760
761         * jsc.cpp:
762         (dumpException):
763
764 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
765
766         [JSC] Drop ARM_TRADITIONAL support in LLInt, baseline JIT, and DFG
767         https://bugs.webkit.org/show_bug.cgi?id=191675
768
769         Reviewed by Mark Lam.
770
771         We no longer maintain ARM_TRADITIONAL LLInt and JIT in JSC. This architecture will use
772         CLoop instead. This patch removes ARM_TRADITIONAL support in LLInt and JIT.
773
774         Discussed in https://lists.webkit.org/pipermail/webkit-dev/2018-October/030220.html.
775
776         * CMakeLists.txt:
777         * JavaScriptCore.xcodeproj/project.pbxproj:
778         * Sources.txt:
779         * assembler/ARMAssembler.cpp: Removed.
780         * assembler/ARMAssembler.h: Removed.
781         * assembler/LinkBuffer.cpp:
782         (JSC::LinkBuffer::linkCode):
783         (JSC::LinkBuffer::dumpCode):
784         * assembler/MacroAssembler.h:
785         (JSC::MacroAssembler::patchableBranch32):
786         * assembler/MacroAssemblerARM.cpp: Removed.
787         * assembler/MacroAssemblerARM.h: Removed.
788         * assembler/PerfLog.cpp:
789         * assembler/PerfLog.h:
790         * assembler/ProbeContext.h:
791         (JSC::Probe::CPUState::pc):
792         (JSC::Probe::CPUState::fp):
793         (JSC::Probe::CPUState::sp):
794         * assembler/testmasm.cpp:
795         (JSC::isPC):
796         (JSC::testProbeModifiesStackPointer):
797         (JSC::testProbeModifiesStackValues):
798         * bytecode/InlineAccess.h:
799         (JSC::InlineAccess::sizeForPropertyAccess):
800         (JSC::InlineAccess::sizeForPropertyReplace):
801         (JSC::InlineAccess::sizeForLengthAccess):
802         * dfg/DFGSpeculativeJIT.h:
803         * disassembler/CapstoneDisassembler.cpp:
804         (JSC::tryToDisassemble):
805         * jit/AssemblyHelpers.cpp:
806         (JSC::AssemblyHelpers::debugCall):
807         * jit/AssemblyHelpers.h:
808         * jit/CCallHelpers.h:
809         (JSC::CCallHelpers::setupArgumentsImpl):
810         (JSC::CCallHelpers::prepareForTailCallSlow):
811         * jit/CallFrameShuffler.cpp:
812         (JSC::CallFrameShuffler::prepareForTailCall):
813         * jit/HostCallReturnValue.cpp:
814         * jit/JITMathIC.h:
815         (JSC::isProfileEmpty):
816         * jit/RegisterSet.cpp:
817         (JSC::RegisterSet::reservedHardwareRegisters):
818         (JSC::RegisterSet::calleeSaveRegisters):
819         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
820         (JSC::RegisterSet::dfgCalleeSaveRegisters):
821         * jit/Repatch.cpp:
822         (JSC::forceICFailure):
823         * jit/ThunkGenerators.cpp:
824         (JSC::nativeForGenerator):
825         * llint/LLIntOfflineAsmConfig.h:
826         * llint/LowLevelInterpreter.asm:
827         * llint/LowLevelInterpreter32_64.asm:
828         * offlineasm/arm.rb:
829         * offlineasm/backends.rb:
830         * yarr/YarrJIT.cpp:
831         (JSC::Yarr::YarrGenerator::generateEnter):
832         (JSC::Yarr::YarrGenerator::generateReturn):
833
834 2018-11-21  Saam barati  <sbarati@apple.com>
835
836         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
837         https://bugs.webkit.org/show_bug.cgi?id=191897
838         <rdar://problem/45871998>
839
840         Reviewed by Mark Lam.
841
842         exitOK is a statement about it being legal to exit. mayExit() is about being
843         conservative and returning false only if an OSR exit *could never* happen.
844         mayExit() tries to be as smart as possible to see if it can return false.
845         It can't return false if a runtime exit *could* happen. However, there is
846         code in the compiler where mayExit() returns false (because it uses data
847         generated from AI about type checks being proved), but the code we emit in the
848         compiler backend unconditionally generates an OSR exit, even if that exit may
849         never execute. For example, let's say we have this IR:
850         
851         SomeNode(Boolean:@input)
852         
853         And we always emit code like this as a way of emitting a boolean type check:
854         
855         jump L1 if input == true
856         jump L1 if input == false
857         emit an OSR exit
858         
859         In such a program, when we generate the above OSR exit, in a validationEnabled()
860         build, and if @input is proved to be a boolean, we'll end up crashing because we
861         have the bogus assertion saying !exitOK. This is one reason why things are cleaner
862         if we don't conflate mayExit() with exitOK.
863
864         * dfg/DFGSpeculativeJIT.cpp:
865         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
866
867 2018-11-21  Saam barati  <sbarati@apple.com>
868
869         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
870         https://bugs.webkit.org/show_bug.cgi?id=191895
871         <rdar://problem/46167406>
872
873         Reviewed by Mark Lam.
874
875         We were asserting that the input edge should have type SpecCell but it should
876         really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
877         
878         This patch cleans up that assertion code by joining a bunch of cases into a
879         single function call which grabs the type filter for the edge UseKind and
880         asserts that the incoming edge meets the type filter criteria.
881
882         * dfg/DFGSpeculativeJIT.cpp:
883         (JSC::DFG::SpeculativeJIT::speculate):
884         * ftl/FTLLowerDFGToB3.cpp:
885         (JSC::FTL::DFG::LowerDFGToB3::speculate):
886
887 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
888
889         [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4`
890         https://bugs.webkit.org/show_bug.cgi?id=191877
891
892         Reviewed by Sam Weinig.
893
894         Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters.
895
896         * interpreter/ProtoCallFrame.h:
897         * llint/LowLevelInterpreter32_64.asm:
898         * llint/LowLevelInterpreter64.asm:
899
900 2018-11-21  Mark Lam  <mark.lam@apple.com>
901
902         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
903         https://bugs.webkit.org/show_bug.cgi?id=191776
904         <rdar://problem/46152851>
905
906         Reviewed by Saam Barati.
907
908         * wasm/WasmMemory.cpp:
909         (JSC::Wasm::Memory::tryCreate):
910         - return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE.
911           The clients will already do a null check and throw an OutOfMemoryError if needed.
912         (JSC::Wasm::Memory::grow):
913         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
914         * wasm/js/WebAssemblyMemoryConstructor.cpp:
915         (JSC::constructJSWebAssemblyMemory):
916         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
917
918 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
919
920         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
921         https://bugs.webkit.org/show_bug.cgi?id=190836
922
923         Reviewed by Saam Barati and Yusuke Suzuki.
924
925         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
926         where we allocate a BigInt trusting the length received as argument.
927         With this additional method, we now check if length passed to
928         `JSBigInt::tryCreateWithLength` is not greater than JSBigInt::maxLength.
929         When the length is greater than JSBigInt::maxLength, we then throw OOM
930         exception.
931         This required us to change the interface of some JSBigInt operations to
932         receive `ExecState*` instead of `VM&`. We changed only operations that
933         can throw because of OOM.
934         We believe that this approach of throwing instead of finishing the
935         execution abruptly is better because JS programs can catch such
936         exception and handle this issue properly.
937
938         * dfg/DFGOperations.cpp:
939         * jit/JITOperations.cpp:
940         * runtime/CommonSlowPaths.cpp:
941         (JSC::SLOW_PATH_DECL):
942         * runtime/JSBigInt.cpp:
943         (JSC::JSBigInt::createZero):
944         (JSC::JSBigInt::tryCreateWithLength):
945         (JSC::JSBigInt::createWithLengthUnchecked):
946         (JSC::JSBigInt::createFrom):
947         (JSC::JSBigInt::multiply):
948         (JSC::JSBigInt::divide):
949         (JSC::JSBigInt::copy):
950         (JSC::JSBigInt::unaryMinus):
951         (JSC::JSBigInt::remainder):
952         (JSC::JSBigInt::add):
953         (JSC::JSBigInt::sub):
954         (JSC::JSBigInt::bitwiseAnd):
955         (JSC::JSBigInt::bitwiseOr):
956         (JSC::JSBigInt::bitwiseXor):
957         (JSC::JSBigInt::absoluteAdd):
958         (JSC::JSBigInt::absoluteSub):
959         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
960         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
961         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
962         (JSC::JSBigInt::absoluteBitwiseOp):
963         (JSC::JSBigInt::absoluteAddOne):
964         (JSC::JSBigInt::absoluteSubOne):
965         (JSC::JSBigInt::toStringGeneric):
966         (JSC::JSBigInt::rightTrim):
967         (JSC::JSBigInt::allocateFor):
968         (JSC::JSBigInt::createWithLength): Deleted.
969         * runtime/JSBigInt.h:
970         * runtime/Operations.cpp:
971         (JSC::jsAddSlowCase):
972         * runtime/Operations.h:
973         (JSC::jsSub):
974         (JSC::jsMul):
975
976 2018-11-20  Mark Lam  <mark.lam@apple.com>
977
978         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
979         https://bugs.webkit.org/show_bug.cgi?id=191856
980         <rdar://problem/46089992>
981
982         Reviewed by Yusuke Suzuki.
983
984         The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
985         function is invalid because we can't be sure that the trap has been handled yet
986         by the time the trap fires.  This is because the main thread may also check traps
987         (in LLInt, baseline JIT and VM runtime code).  There's a race to handle the trap.
988         Hence, the SigAction cannot assume that the trap still needs handling by the time
989         it is executed.  This patch removed the invalid assertion.
990
991         Also renamed m_trapSet to m_condition because it is an AutomaticThreadCondition,
992         and all the ways it is used are as a condvar.  The m_trapSet name doesn't seem
993         appropriate nor meaningful.
994
995         * runtime/VMTraps.cpp:
996         (JSC::VMTraps::tryInstallTrapBreakpoints):
997         - Added a !needTrapHandling() check as an optimization: there's no need to install
998           VMTrap breakpoints if someone already beat us to handling the trap (remember,
999           the main thread is racing against the VMTraps signalling thread to handle the
1000           trap too).  We only need to install the VMTraps breakpoints if we need DFG/FTL
1001           compiled code to deopt so that they can check and handle pending traps.  If the
1002           trap has already been handled, it's better to not deopt any DFG/FTL functions.
1003
1004         (JSC::VMTraps::willDestroyVM):
1005         (JSC::VMTraps::fireTrap):
1006         (JSC::VMTraps::VMTraps):
1007         * runtime/VMTraps.h:
1008
1009 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1010
1011         Enable JIT on ARM/Linux
1012         https://bugs.webkit.org/show_bug.cgi?id=191548
1013
1014         Reviewed by Yusuke Suzuki.
1015
1016         Enable JIT by default on ARMv7/Linux after it was disabled with
1017         recent bytecode format change.
1018
1019         * bytecode/CodeBlock.cpp:
1020         (JSC::CodeBlock::getICStatusMap):
1021         * bytecode/CodeBlock.h:
1022         (JSC::CodeBlock::metadata):
1023         * bytecode/InByIdStatus.cpp:
1024         (JSC::InByIdStatus::computeFor):
1025         * bytecode/Instruction.h:
1026         (JSC::Instruction::cast):
1027         * bytecode/MetadataTable.h:
1028         (JSC::MetadataTable::forEach):
1029         * bytecode/PutByIdStatus.cpp:
1030         (JSC::PutByIdStatus::computeFor):
1031         (JSC::PutByIdStatus::hasExitSite): Deleted.
1032         * bytecode/PutByIdStatus.h:
1033         * dfg/DFGOSRExit.cpp:
1034         (JSC::DFG::reifyInlinedCallFrames):
1035         * dfg/DFGOSRExitCompilerCommon.cpp:
1036         (JSC::DFG::reifyInlinedCallFrames):
1037         * generator/Argument.rb:
1038         * generator/Opcode.rb:
1039         * jit/GPRInfo.h:
1040         * jit/JIT.h:
1041         * jit/JITArithmetic32_64.cpp:
1042         (JSC::JIT::emit_compareAndJump):
1043         (JSC::JIT::emit_compareUnsignedAndJump):
1044         (JSC::JIT::emit_compareUnsigned):
1045         (JSC::JIT::emit_compareAndJumpSlow):
1046         (JSC::JIT::emit_op_unsigned):
1047         (JSC::JIT::emit_op_inc):
1048         (JSC::JIT::emit_op_dec):
1049         (JSC::JIT::emitBinaryDoubleOp):
1050         (JSC::JIT::emit_op_mod):
1051         (JSC::JIT::emitSlow_op_mod):
1052         * jit/JITCall32_64.cpp:
1053         (JSC::JIT::emitPutCallResult):
1054         (JSC::JIT::emit_op_ret):
1055         (JSC::JIT::emitSlow_op_call):
1056         (JSC::JIT::emitSlow_op_tail_call):
1057         (JSC::JIT::emitSlow_op_call_eval):
1058         (JSC::JIT::emitSlow_op_call_varargs):
1059         (JSC::JIT::emitSlow_op_tail_call_varargs):
1060         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
1061         (JSC::JIT::emitSlow_op_construct_varargs):
1062         (JSC::JIT::emitSlow_op_construct):
1063         (JSC::JIT::emit_op_call):
1064         (JSC::JIT::emit_op_tail_call):
1065         (JSC::JIT::emit_op_call_eval):
1066         (JSC::JIT::emit_op_call_varargs):
1067         (JSC::JIT::emit_op_tail_call_varargs):
1068         (JSC::JIT::emit_op_tail_call_forward_arguments):
1069         (JSC::JIT::emit_op_construct_varargs):
1070         (JSC::JIT::emit_op_construct):
1071         (JSC::JIT::compileSetupFrame):
1072         (JSC::JIT::compileCallEval):
1073         (JSC::JIT::compileCallEvalSlowCase):
1074         (JSC::JIT::compileOpCall):
1075         (JSC::JIT::compileOpCallSlowCase):
1076         (JSC::JIT::compileSetupVarargsFrame): Deleted.
1077         * jit/JITInlines.h:
1078         (JSC::JIT::updateTopCallFrame):
1079         * jit/JITOpcodes.cpp:
1080         (JSC::JIT::emit_op_catch):
1081         (JSC::JIT::emitSlow_op_loop_hint):
1082         * jit/JITOpcodes32_64.cpp:
1083         (JSC::JIT::emit_op_mov):
1084         (JSC::JIT::emit_op_end):
1085         (JSC::JIT::emit_op_jmp):
1086         (JSC::JIT::emit_op_new_object):
1087         (JSC::JIT::emitSlow_op_new_object):
1088         (JSC::JIT::emit_op_overrides_has_instance):
1089         (JSC::JIT::emit_op_instanceof):
1090         (JSC::JIT::emit_op_instanceof_custom):
1091         (JSC::JIT::emitSlow_op_instanceof):
1092         (JSC::JIT::emitSlow_op_instanceof_custom):
1093         (JSC::JIT::emit_op_is_empty):
1094         (JSC::JIT::emit_op_is_undefined):
1095         (JSC::JIT::emit_op_is_boolean):
1096         (JSC::JIT::emit_op_is_number):
1097         (JSC::JIT::emit_op_is_cell_with_type):
1098         (JSC::JIT::emit_op_is_object):
1099         (JSC::JIT::emit_op_to_primitive):
1100         (JSC::JIT::emit_op_set_function_name):
1101         (JSC::JIT::emit_op_not):
1102         (JSC::JIT::emit_op_jfalse):
1103         (JSC::JIT::emit_op_jtrue):
1104         (JSC::JIT::emit_op_jeq_null):
1105         (JSC::JIT::emit_op_jneq_null):
1106         (JSC::JIT::emit_op_jneq_ptr):
1107         (JSC::JIT::emit_op_eq):
1108         (JSC::JIT::emitSlow_op_eq):
1109         (JSC::JIT::emit_op_jeq):
1110         (JSC::JIT::emitSlow_op_jeq):
1111         (JSC::JIT::emit_op_neq):
1112         (JSC::JIT::emitSlow_op_neq):
1113         (JSC::JIT::emit_op_jneq):
1114         (JSC::JIT::emitSlow_op_jneq):
1115         (JSC::JIT::compileOpStrictEq):
1116         (JSC::JIT::emit_op_stricteq):
1117         (JSC::JIT::emit_op_nstricteq):
1118         (JSC::JIT::compileOpStrictEqJump):
1119         (JSC::JIT::emit_op_jstricteq):
1120         (JSC::JIT::emit_op_jnstricteq):
1121         (JSC::JIT::emitSlow_op_jstricteq):
1122         (JSC::JIT::emitSlow_op_jnstricteq):
1123         (JSC::JIT::emit_op_eq_null):
1124         (JSC::JIT::emit_op_neq_null):
1125         (JSC::JIT::emit_op_throw):
1126         (JSC::JIT::emit_op_to_number):
1127         (JSC::JIT::emit_op_to_string):
1128         (JSC::JIT::emit_op_to_object):
1129         (JSC::JIT::emit_op_catch):
1130         (JSC::JIT::emit_op_identity_with_profile):
1131         (JSC::JIT::emit_op_get_parent_scope):
1132         (JSC::JIT::emit_op_switch_imm):
1133         (JSC::JIT::emit_op_switch_char):
1134         (JSC::JIT::emit_op_switch_string):
1135         (JSC::JIT::emit_op_debug):
1136         (JSC::JIT::emit_op_enter):
1137         (JSC::JIT::emit_op_get_scope):
1138         (JSC::JIT::emit_op_create_this):
1139         (JSC::JIT::emit_op_to_this):
1140         (JSC::JIT::emit_op_check_tdz):
1141         (JSC::JIT::emit_op_has_structure_property):
1142         (JSC::JIT::privateCompileHasIndexedProperty):
1143         (JSC::JIT::emit_op_has_indexed_property):
1144         (JSC::JIT::emitSlow_op_has_indexed_property):
1145         (JSC::JIT::emit_op_get_direct_pname):
1146         (JSC::JIT::emit_op_enumerator_structure_pname):
1147         (JSC::JIT::emit_op_enumerator_generic_pname):
1148         (JSC::JIT::emit_op_profile_type):
1149         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1150         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1151         * jit/JITPropertyAccess32_64.cpp:
1152         (JSC::JIT::emit_op_put_getter_by_id):
1153         (JSC::JIT::emit_op_put_setter_by_id):
1154         (JSC::JIT::emit_op_put_getter_setter_by_id):
1155         (JSC::JIT::emit_op_put_getter_by_val):
1156         (JSC::JIT::emit_op_put_setter_by_val):
1157         (JSC::JIT::emit_op_del_by_id):
1158         (JSC::JIT::emit_op_del_by_val):
1159         (JSC::JIT::emit_op_get_by_val):
1160         (JSC::JIT::emitGetByValWithCachedId):
1161         (JSC::JIT::emitSlow_op_get_by_val):
1162         (JSC::JIT::emit_op_put_by_val_direct):
1163         (JSC::JIT::emit_op_put_by_val):
1164         (JSC::JIT::emitGenericContiguousPutByVal):
1165         (JSC::JIT::emitArrayStoragePutByVal):
1166         (JSC::JIT::emitPutByValWithCachedId):
1167         (JSC::JIT::emitSlow_op_put_by_val):
1168         (JSC::JIT::emit_op_try_get_by_id):
1169         (JSC::JIT::emitSlow_op_try_get_by_id):
1170         (JSC::JIT::emit_op_get_by_id_direct):
1171         (JSC::JIT::emitSlow_op_get_by_id_direct):
1172         (JSC::JIT::emit_op_get_by_id):
1173         (JSC::JIT::emitSlow_op_get_by_id):
1174         (JSC::JIT::emit_op_get_by_id_with_this):
1175         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1176         (JSC::JIT::emit_op_put_by_id):
1177         (JSC::JIT::emitSlow_op_put_by_id):
1178         (JSC::JIT::emit_op_in_by_id):
1179         (JSC::JIT::emitSlow_op_in_by_id):
1180         (JSC::JIT::emit_op_resolve_scope):
1181         (JSC::JIT::emit_op_get_from_scope):
1182         (JSC::JIT::emitSlow_op_get_from_scope):
1183         (JSC::JIT::emit_op_put_to_scope):
1184         (JSC::JIT::emitSlow_op_put_to_scope):
1185         (JSC::JIT::emit_op_get_from_arguments):
1186         (JSC::JIT::emit_op_put_to_arguments):
1187         * jit/RegisterSet.cpp:
1188         (JSC::RegisterSet::vmCalleeSaveRegisters):
1189         * llint/LLIntData.cpp:
1190         (JSC::LLInt::Data::performAssertions):
1191         * llint/LowLevelInterpreter.asm:
1192         * runtime/SamplingProfiler.cpp:
1193         (JSC::tryGetBytecodeIndex):
1194
1195 2018-11-20  Saam barati  <sbarati@apple.com>
1196
1197         Merging an IC variant may lead to the IC status containing overlapping structure sets
1198         https://bugs.webkit.org/show_bug.cgi?id=191869
1199         <rdar://problem/45403453>
1200
1201         Reviewed by Mark Lam.
1202
1203         When merging two IC variant lists, we may end up in a world where we have
1204         overlapping structure sets. We defend against this when we append a new
1205         variant, but we should also defend against it once we merge in a new variant.
1206         
1207         Consider this case with MultiPutByOffset, where we merge two PutByIdStatuses
1208         together, P1 and P2.
1209         
1210         Let's consider these structures:
1211         s1 = {}
1212         s2 = {p: 0}
1213         s3 = {p: 0, p2: 1}
1214         
1215         P1 contains these variants:
1216         Transition: [s1 => s2]
1217         Replace: [s2, s3]
1218         
1219         P2 contains:
1220         Replace: [s2]
1221         
1222         Because of the ordering of the variants, we may end up combining
1223         P2's replace into P1's transition, forming this new list:
1224         Transition: [(s1, s2) => s2]
1225         Replace: [s2, s3]
1226         
1227         Obviously the ideal thing here is to have some ordering when we merge
1228         in variants to choose the most ideal option. It'd be ideal for P2's
1229         Replace to be merged into P1's replace.
1230         
1231         If we notice that this is super important, we can implement some kind
1232         of ordering. None of our tests (until this patch) stress this. This patch
1233         just makes it so we defend against this crazy scenario by falling back
1234         to the slow path gracefully. This prevents us from emitting invalid
1235         IR in FTL->B3 lowering by creating a switch with two case labels being
1236         identical values.
1237
1238         * bytecode/ICStatusUtils.h:
1239         (JSC::appendICStatusVariant):
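
        The merge scenario described above, as an added example that is not JSC's
        appendICStatusVariant or PutByIdVariant code: a small C++ model of a variant
        list in which merging P2's Replace into P1's Transition produces overlapping
        structure sets, and the post-merge overlap check falls back instead. The
        structure identities, the merge rules and every function name are assumptions
        made for the model.

```cpp
#include <set>
#include <vector>

// Structures are modelled as small integers: s1 = 1, s2 = 2, s3 = 3 (constructed).
using Structure = int;
const Structure kNoStructure = 0;

struct Variant {
    enum Kind { Replace, Transition };
    Kind kind;
    std::set<Structure> structures; // structure set this variant covers
    Structure newStructure;         // Transition target; kNoStructure for Replace
};

// Assumed merge rules (a simplification, not JSC's PutByIdVariant::attemptToMerge):
//  - Replace + Replace: union the structure sets.
//  - Transition + Replace: merge when the Replace only covers the Transition's
//    target structure; the Transition then also covers that structure.
bool attemptToMerge(Variant& into, const Variant& other)
{
    if (into.kind == Variant::Replace && other.kind == Variant::Replace) {
        into.structures.insert(other.structures.begin(), other.structures.end());
        return true;
    }
    if (into.kind == Variant::Transition && other.kind == Variant::Replace) {
        for (Structure s : other.structures) {
            if (s != into.newStructure)
                return false;
        }
        into.structures.insert(into.newStructure);
        return true;
    }
    return false;
}

// True when any structure appears in more than one variant's structure set.
bool hasOverlap(const std::vector<Variant>& list)
{
    std::set<Structure> seen;
    for (const Variant& v : list) {
        for (Structure s : v.structures) {
            if (!seen.insert(s).second)
                return true;
        }
    }
    return false;
}

// Returns false when the list would stop being a set of disjoint cases, i.e.
// the caller has to fall back to the slow path. Before the fix, the overlap
// check only ran for a freshly appended variant; the fix runs it after a
// successful merge as well.
bool appendVariant(std::vector<Variant>& list, const Variant& variant, bool checkAfterMerge)
{
    for (Variant& existing : list) {
        if (attemptToMerge(existing, variant))
            return !(checkAfterMerge && hasOverlap(list));
    }
    list.push_back(variant);
    return !hasOverlap(list);
}

// P1 = { Transition [s1 => s2], Replace [s2, s3] }
std::vector<Variant> buildP1()
{
    return {
        { Variant::Transition, { 1 }, 2 },
        { Variant::Replace, { 2, 3 }, kNoStructure },
    };
}

// P2's single variant: Replace [s2]
Variant p2Replace()
{
    return { Variant::Replace, { 2 }, kNoStructure };
}

// P1 on its own is a valid, disjoint list.
bool p1IsDisjoint()
{
    return !hasOverlap(buildP1());
}

// Old behaviour: the merge succeeds and leaves Transition [(s1, s2) => s2]
// next to Replace [s2, s3], so s2 is covered twice.
bool oldBehaviourAcceptsOverlappingList()
{
    std::vector<Variant> list = buildP1();
    bool accepted = appendVariant(list, p2Replace(), /* checkAfterMerge */ false);
    return accepted && hasOverlap(list);
}

// Fixed behaviour: the same merge is detected and the caller falls back.
bool fixedBehaviourFallsBack()
{
    std::vector<Variant> list = buildP1();
    return !appendVariant(list, p2Replace(), /* checkAfterMerge */ true);
}
```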
1240
1241 2018-11-20  Fujii Hironori  <Hironori.Fujii@sony.com>
1242
1243         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1244         https://bugs.webkit.org/show_bug.cgi?id=191626
1245         <rdar://problem/46161064>
1246
1247         Unreviewed adding comment for my change r238366.
1248
1249         * runtime/Structure.h: Added a comment for Structure::create.
1250
1251 2018-11-19  Mark Lam  <mark.lam@apple.com>
1252
1253         globalFuncImportModule() should return a promise when it clears exceptions.
1254         https://bugs.webkit.org/show_bug.cgi?id=191792
1255         <rdar://problem/46090763>
1256
1257         Reviewed by Michael Saboff.
1258
1259         If we're clearing the exceptions in a CatchScope, then it means that we've handled
1260         the exception, and are able to proceed in a normal manner.  Hence, we should not
1261         return the empty JSValue in this case: instead, we should return a Promise as
1262         expected by import's API.
1263
1264         The only time when we can't return a promise is when we fail to create a Promise.
1265         In that case, we should be propagating the exception.
1266
1267         Hence, globalFuncImportModule() contains a ThrowScope (for propagating the
1268         exception that arises from failure to create the Promise) wrapping a CatchScope
1269         (for catching any exception that arises from failure to execute the import).
1270
1271         Also fixed similar issues, and some exception check issues in JSModuleLoader and
1272         the jsc shell.
1273
1274         * jsc.cpp:
1275         (GlobalObject::moduleLoaderImportModule):
1276         (GlobalObject::moduleLoaderFetch):
1277         * runtime/JSGlobalObjectFunctions.cpp:
1278         (JSC::globalFuncImportModule):
1279         * runtime/JSModuleLoader.cpp:
1280         (JSC::JSModuleLoader::loadAndEvaluateModule):
1281         (JSC::JSModuleLoader::loadModule):
1282         (JSC::JSModuleLoader::requestImportModule):
1283         (JSC::JSModuleLoader::importModule):
1284         (JSC::JSModuleLoader::resolve):
1285         (JSC::JSModuleLoader::fetch):
1286         (JSC::moduleLoaderParseModule):
1287         (JSC::moduleLoaderResolveSync):
1288
1289 2018-11-19  Alex Christensen  <achristensen@webkit.org>
1290
1291         Add SPI to disable JIT in a WKWebView
1292         https://bugs.webkit.org/show_bug.cgi?id=191822
1293         <rdar://problem/28119360>
1294
1295         Reviewed by Geoffrey Garen.
1296
1297         * jit/ExecutableAllocator.cpp:
1298         (JSC::jitDisabled):
1299         (JSC::allowJIT):
1300         (JSC::ExecutableAllocator::setJITEnabled):
1301         * jit/ExecutableAllocator.h:
1302         (JSC::ExecutableAllocator::setJITEnabled):
1303
1304 2018-11-19  Fujii Hironori  <Hironori.Fujii@sony.com>
1305
1306         [MSVC] X86Assembler.h(108): error C2666: 'WebCore::operator -': 7 overloads have similar conversions
1307         https://bugs.webkit.org/show_bug.cgi?id=189467
1308         <rdar://problem/44290945>
1309
1310         Reviewed by Mark Lam.
1311
1312         This issue has happened several times. And, it seems that it will
1313         take more time for Microsoft to fix the MSVC bug. We need an
1314         effective workaround not to repeat this issue until they fix MSVC.
1315
1316         Remove ": int8_t" of RegisterID only for COMPILER(MSVC).
1317
1318         * assembler/X86Assembler.h: Added JSC_X86_ASM_REGISTER_ID_ENUM_BASE_TYPE macro.
1319
1320 2018-11-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1321
1322         [WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper
1323         https://bugs.webkit.org/show_bug.cgi?id=190512
1324
1325         Reviewed by Keith Miller.
1326
1327         This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this
1328         check can be done when compiling the function, we should encode the result into the generated wrapper instead of
1329         checking every time we call callWebAssemblyFunction. This change is also one of the steps toward removing callWebAssemblyFunction
1330         entirely.
1331
1332         * wasm/WasmExceptionType.h:
1333         * wasm/js/JSToWasm.cpp:
1334         (JSC::Wasm::createJSToWasmWrapper):
1335         * wasm/js/WebAssemblyFunction.cpp:
1336         (JSC::callWebAssemblyFunction):
1337         * wasm/js/WebAssemblyWrapperFunction.cpp:
1338         (JSC::callWebAssemblyWrapperFunction):
1339
1340 2018-11-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1341
1342         Consider removing double load for accessing the instructions from LLInt
1343         https://bugs.webkit.org/show_bug.cgi?id=190932
1344
1345         Reviewed by Mark Lam.
1346
1347         Changing InstructionStream to a RefCountedArray-like structure involves so many changes
1348         including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply holds a raw
1349         pointer to the InstructionStream's data. Since InstructionStream is not changed
1350         anymore, this pointer is valid while CodeBlock is live.
1351
1352         * bytecode/CodeBlock.cpp:
1353         (JSC::CodeBlock::CodeBlock):
1354         * bytecode/CodeBlock.h:
1355         * bytecode/InstructionStream.h:
1356         (JSC::InstructionStream::rawPointer const):
1357         * llint/LowLevelInterpreter.asm:
1358         * llint/LowLevelInterpreter32_64.asm:
1359         * llint/LowLevelInterpreter64.asm:
1360
1361 2018-11-18  Fujii Hironori  <Hironori.Fujii@sony.com>
1362
1363         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1364         https://bugs.webkit.org/show_bug.cgi?id=191626
1365
1366         Reviewed by Yusuke Suzuki.
1367
1368         JSC::Structure::create is used everywhere. It should be defined in
1369         Structure.h, not in StructureInlines.h.
1370
1371         * runtime/Structure.h:
1372         (JSC::Structure::create): Moved.
1373         * runtime/StructureInlines.h: Moved JSC::Structure::create.
1374
1375 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1376
1377         Unreviewed, rolling in the rest of r237254
1378         https://bugs.webkit.org/show_bug.cgi?id=190340
1379
1380         * parser/ParserModes.h:
1381         * parser/ParserTokens.h:
1382         (JSC::JSTextPosition::JSTextPosition):
1383         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
1384         * runtime/CodeCache.cpp:
1385         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1386         * runtime/FunctionConstructor.cpp:
1387         (JSC::constructFunctionSkippingEvalEnabledCheck):
1388
1389 2018-11-17  Devin Rousso  <drousso@apple.com>
1390
1391         Web Inspector: Network: add button to show system certificate dialog
1392         https://bugs.webkit.org/show_bug.cgi?id=191458
1393         <rdar://problem/45977019>
1394
1395         Reviewed by Joseph Pecoraro.
1396
1397         * inspector/protocol/Network.json:
1398         Add `getSerializedCertificate` command.
1399
1400 2018-11-17  Dominik Infuehr  <dinfuehr@igalia.com>
1401
1402         Fix build with disabled DFG/FTL
1403         https://bugs.webkit.org/show_bug.cgi?id=191256
1404
1405         Reviewed by Yusuke Suzuki.
1406
1407         Fix compilation errors and warnings with both DFG and FTL
1408         disabled at compile-time.
1409
1410         * bytecode/CodeBlock.cpp:
1411         (JSC::CodeBlock::getICStatusMap):
1412         * bytecode/InByIdStatus.cpp:
1413         (JSC::InByIdStatus::computeFor):
1414         * bytecode/PutByIdStatus.cpp:
1415         (JSC::PutByIdStatus::computeFor):
1416         (JSC::PutByIdStatus::hasExitSite): Deleted.
1417         * bytecode/PutByIdStatus.h:
1418         * jit/JITOpcodes.cpp:
1419         (JSC::JIT::emit_op_catch):
1420
1421 2018-11-16  Joseph Pecoraro  <pecoraro@apple.com>
1422
1423         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Local Inspector)
1424         https://bugs.webkit.org/show_bug.cgi?id=191740
1425         <rdar://problem/45470897>
1426
1427         Reviewed by Timothy Hatcher.
1428
1429         * inspector/InspectorFrontendChannel.h:
1430         Expose EnumTraits for ConnectionType for WebKit IPC messages.
1431
1432 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1433
1434         All users of ArrayBuffer should agree on the same max size
1435         https://bugs.webkit.org/show_bug.cgi?id=191771
1436
1437         Reviewed by Mark Lam.
1438
1439         Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
1440         a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
1441         instead.
1442
1443         * runtime/ArrayBuffer.cpp:
1444         (JSC::ArrayBufferContents::ArrayBufferContents):
1445         (JSC::ArrayBufferContents::tryAllocate):
1446         (JSC::ArrayBufferContents::transferTo):
1447         (JSC::ArrayBufferContents::copyTo):
1448         (JSC::ArrayBufferContents::shareWith):
1449         * runtime/ArrayBuffer.h:
1450         * wasm/WasmMemory.cpp:
1451         (JSC::Wasm::Memory::tryCreate):
1452         (JSC::Wasm::Memory::grow):
1453         * wasm/WasmPageCount.h:
1454
1455 2018-11-16  Saam Barati  <sbarati@apple.com>
1456
1457         KnownCellUse should also have SpecCellCheck as its type filter
1458         https://bugs.webkit.org/show_bug.cgi?id=191729
1459         <rdar://problem/45872852>
1460
1461         Reviewed by Filip Pizlo.
1462
1463         We write transformations in the compiler like this where we emit edges with
1464         KnownCellUse if we know we're inserting code at a point where we're dominated
1465         by a Cell check:
1466         
1467         a: SomeValue
1468         b: Something(Cell:@a)
1469         c: SomethingElse(@b)
1470         d: CheckNotEmpty(@a)
1471         
1472         =>
1473         
1474         a: SomeValue
1475         b: Something(Cell:@a)
1476         e: RandomOtherThing(KnownCellUse:@a)
1477         c: SomethingElse(@b)
1478         d: CheckNotEmpty(@a)
1479         
1480         However, doing this used to lead to subtly incorrect programs since KnownCellUse
1481         did not allow the empty value to flow through it. We used to end up incorrectly
1482         deleting @d in the above program. We fix this, we make KnownCellUse allow the empty
1483         value to flow through.
1484
1485         * dfg/DFGUseKind.h:
1486         (JSC::DFG::typeFilterFor):
1487
1488 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1489
1490         Fix assertion failure on BytecodeGenerator::recordOpcode
1491         https://bugs.webkit.org/show_bug.cgi?id=191724
1492         <rdar://problem/45724395>
1493
1494         Reviewed by Saam Barati.
1495
1496         Since https://bugs.webkit.org/show_bug.cgi?id=187373, we were not
1497         restoring m_lastInstruction after patching the bytecode when
1498         finalizing StructureForInContexts, only m_lastOpcodeID, which led to
1499         the assertion failure.
1500
1501         * bytecompiler/BytecodeGenerator.cpp:
1502         (JSC::StructureForInContext::finalize):
1503
1504 2018-11-15  Mark Lam  <mark.lam@apple.com>
1505
1506         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1507         https://bugs.webkit.org/show_bug.cgi?id=191730
1508         <rdar://problem/46048517>
1509
1510         Reviewed by Saam Barati.
1511
1512         According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
1513         the RegExp match results are filled in using the spec's CreateDataProperty()
1514         function which does not consult the prototype for setters.  JSArray::push()
1515         consults the prototype for setters.  We should be using putDirectIndex() instead.
1516
1517         * runtime/RegExpObjectInlines.h:
1518         (JSC::collectMatches):
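
        Added example (not part of this ChangeLog and not JavaScriptCore code): the
        observable difference between filling a match-result array through ordinary
        [[Set]] (what a push-style loop does) and through CreateDataProperty (the
        semantics putDirectIndex() provides). The helper names below are invented for
        the example, which assumes any ES2015+ engine such as Node.js.

```javascript
// Added example (not JavaScriptCore code): shows why RegExp match results must
// be filled in with CreateDataProperty semantics rather than a push-style
// [[Set]]. Runs in any ES2015+ engine, e.g. Node.js.

// Run `body` while an accessor with a setter is installed on Array.prototype
// for index 0, and report whether the setter fired. The accessor is removed
// afterwards so it cannot leak into other code.
function withIndexSetterOnArrayPrototype(body) {
  let fired = false;
  Object.defineProperty(Array.prototype, "0", {
    set(value) { fired = true; },
    configurable: true,
  });
  try {
    body();
  } finally {
    delete Array.prototype["0"];
  }
  return fired;
}

// The engine's own RegExp.prototype[@@match] (global case): the spec uses
// CreateDataProperty, so the prototype setter must not be consulted.
function builtinMatchConsultsPrototypeSetter() {
  return withIndexSetterOnArrayPrototype(() => {
    "abab".match(/ab/g);
  });
}

// A collectMatches-style loop written with push: push uses ordinary [[Set]],
// which walks the prototype chain and runs the setter. The first match is
// swallowed by the setter and never lands in the result array.
function pushBasedCollect(re, str) {
  const results = [];
  let m;
  while ((m = re.exec(str)) !== null) results.push(m[0]);
  return results;
}
function pushBasedCollectConsultsPrototypeSetter() {
  return withIndexSetterOnArrayPrototype(() => {
    pushBasedCollect(/ab/g, "abab");
  });
}

// The spec-correct equivalent: CreateDataProperty defines an own data property
// directly (Object.defineProperty with a data descriptor), so the prototype
// setter is bypassed. This is the behaviour putDirectIndex() gives the engine.
function defineBasedCollect(re, str) {
  const results = [];
  let m;
  let i = 0;
  while ((m = re.exec(str)) !== null) {
    Object.defineProperty(results, String(i++), {
      value: m[0], writable: true, enumerable: true, configurable: true,
    });
  }
  return results;
}
function defineBasedCollectConsultsPrototypeSetter() {
  return withIndexSetterOnArrayPrototype(() => {
    defineBasedCollect(/ab/g, "abab");
  });
}
```

        The push-based loop is the shape of the bug: a script that installs an
        indexed setter on Array.prototype gets to run inside the match operation and
        can swallow or observe every result. Both the built-in match and the
        defineProperty-based loop leave the setter untouched.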
1519
1520 2018-11-15  Mark Lam  <mark.lam@apple.com>
1521
1522         RegExp operations should not take fast path if lastIndex is not numeric.
1523         https://bugs.webkit.org/show_bug.cgi?id=191731
1524         <rdar://problem/46017305>
1525
1526         Reviewed by Saam Barati.
1527
1528         This is because if lastIndex is an object with a valueOf() method, it can execute
1529         arbitrary code which may have side effects, and side effects are not permitted by
1530         the RegExp fast paths.
1531
1532         * builtins/RegExpPrototype.js:
1533         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
1534         (overriddenName.string_appeared_here.search):
1535         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
1536         (intrinsic.RegExpTestIntrinsic.test):
1537         * builtins/StringPrototype.js:
1538         (globalPrivate.hasObservableSideEffectsForStringReplace):
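
        Added example (not part of this ChangeLog and not JavaScriptCore code): a
        demonstration of the side effect the entry above describes, namely that an
        object-valued lastIndex lets user code run inside RegExp.prototype.test via
        ToLength(Get(R, "lastIndex")). The helper names are invented for the example,
        which assumes any ES2015+ engine such as Node.js.

```javascript
// Added example (not JavaScriptCore code): shows that a non-numeric lastIndex
// runs user code inside RegExp.prototype.test, which is why the RegExp fast
// paths must bail out unless lastIndex is a number. Any ES2015+ engine will do.

// Install an object-valued lastIndex whose valueOf() records each call, run
// test() `calls` times, and return how many times valueOf() ran.
function countLastIndexValueOfCalls(flags, calls) {
  const events = [];
  const re = new RegExp("a", flags);
  re.lastIndex = {
    valueOf() {
      events.push("valueOf");
      return 0;
    },
  };
  for (let i = 0; i < calls; i++) re.test("a");
  return events.length;
}

// RegExpBuiltinExec performs ToLength(Get(R, "lastIndex")) before it looks at
// the global/sticky flags, so:
//  - a non-global regexp keeps the object in lastIndex and calls valueOf()
//    on every test();
//  - a global regexp overwrites lastIndex with a number after the first
//    successful match, so valueOf() runs only once across two calls.
function lastIndexSideEffectSummary() {
  return {
    nonGlobal: countLastIndexValueOfCalls("", 2), // 2
    global: countLastIndexValueOfCalls("g", 2),   // 1
  };
}

// valueOf() may also throw; the exception propagates out of test(), which a
// side-effect-free fast path could never reproduce.
function lastIndexValueOfCanThrow() {
  const re = /a/;
  re.lastIndex = {
    valueOf() { throw new Error("valueOf ran inside test()"); },
  };
  try {
    re.test("a");
    return null;
  } catch (e) {
    return e.message;
  }
}
```

        The same check applies to the search, split and replace paths listed above:
        as soon as lastIndex is not a plain number, arbitrary code can run mid-operation
        and the fast path assumptions no longer hold.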
1539
1540 2018-11-15  Keith Rollin  <krollin@apple.com>
1541
1542         Delete old .xcfilelist files
1543         https://bugs.webkit.org/show_bug.cgi?id=191669
1544         <rdar://problem/46081994>
1545
1546         Reviewed by Chris Dumez.
1547
1548         .xcfilelist files were created and added to the Xcode project files in
1549         https://trac.webkit.org/changeset/238008/webkit. However, they caused
1550         build issues and they were removed from the Xcode projects in
1551         https://trac.webkit.org/changeset/238055/webkit. This check-in removes
1552         the files from the repository altogether. They'll ultimately be
1553         replaced with new files with names that indicate whether the
1554         associated files are inputs to the Run Script phase or are files
1555         created by the Run Script phase.
1556
1557         * DerivedSources.xcfilelist: Removed.
1558         * UnifiedSources.xcfilelist: Removed.
1559
1560 2018-11-14  Keith Rollin  <krollin@apple.com>
1561
1562         Move scripts for Derived and Unified Sources to external files
1563         https://bugs.webkit.org/show_bug.cgi?id=191670
1564         <rdar://problem/46082278>
1565
1566         Reviewed by Keith Miller.
1567
1568         Move the scripts in the Generate Derived Sources and Generate Unified
1569         Sources Run Script phases from the Xcode projects to external shell
1570         script files. Then invoke those scripts from the Run Script phases.
1571         This refactoring is being performed to support later work that will
1572         invoke these scripts in other contexts.
1573
1574         The scripts were maintained as-is when making the move. I did a little
1575         reformatting and added 'set -e' to the top of each file, but that's
1576         it.
1577
1578         * JavaScriptCore.xcodeproj/project.pbxproj:
1579         * Scripts/generate-derived-sources.sh: Added.
1580         * Scripts/generate-unified-sources.sh: Added.
1581
1582 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1583
1584         Web Inspector: Pass Inspector::FrontendChannel as a reference connect/disconnect methods
1585         https://bugs.webkit.org/show_bug.cgi?id=191612
1586
1587         Reviewed by Matt Baker.
1588
1589         * inspector/InspectorFrontendRouter.cpp:
1590         (Inspector::FrontendRouter::connectFrontend):
1591         (Inspector::FrontendRouter::disconnectFrontend):
1592         * inspector/InspectorFrontendRouter.h:
1593         * inspector/JSGlobalObjectInspectorController.cpp:
1594         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1595         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1596         * inspector/JSGlobalObjectInspectorController.h:
1597         * inspector/remote/RemoteControllableTarget.h:
1598         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
1599         (Inspector::RemoteConnectionToTarget::setup):
1600         (Inspector::RemoteConnectionToTarget::close):
1601         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
1602         (Inspector::RemoteConnectionToTarget::setup):
1603         (Inspector::RemoteConnectionToTarget::close):
1604         * runtime/JSGlobalObjectDebuggable.cpp:
1605         (JSC::JSGlobalObjectDebuggable::connect):
1606         (JSC::JSGlobalObjectDebuggable::disconnect):
1607         * runtime/JSGlobalObjectDebuggable.h:
1608
1609 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1610
1611         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Remote Inspector)
1612         https://bugs.webkit.org/show_bug.cgi?id=191494
1613         <rdar://problem/45469854>
1614
1615         Reviewed by Devin Rousso.
1616
1617         * CMakeLists.txt:
1618         * DerivedSources.make:
1619         * JavaScriptCore.xcodeproj/project.pbxproj:
1620         * Sources.txt:
1621         New domain and resources.
1622
1623         * inspector/protocol/Target.json: Added.
1624         New protocol domain, modeled after Worker.json, to allow for
1625         multiplexing between different targets.
1626
1627         * inspector/InspectorTarget.h:
1628         Each target will instantiate an InspectorTarget and must
1629         provide an identifier, type, and means of connecting/disconnecting
1630         to a frontend channel.
1631
1632         * inspector/agents/InspectorTargetAgent.cpp: Added.
1633         (Inspector::InspectorTargetAgent::InspectorTargetAgent):
1634         (Inspector::InspectorTargetAgent::didCreateFrontendAndBackend):
1635         (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend):
1636         (Inspector::InspectorTargetAgent::exists):
1637         (Inspector::InspectorTargetAgent::initialized):
1638         (Inspector::InspectorTargetAgent::sendMessageToTarget):
1639         (Inspector::InspectorTargetAgent::sendMessageFromTargetToFrontend):
1640         (Inspector::targetTypeToProtocolType):
1641         (Inspector::buildTargetInfoObject):
1642         (Inspector::InspectorTargetAgent::targetCreated):
1643         (Inspector::InspectorTargetAgent::targetTerminated):
1644         (Inspector::InspectorTargetAgent::connectToTargets):
1645         (Inspector::InspectorTargetAgent::disconnectFromTargets):
1646         * inspector/agents/InspectorTargetAgent.h: Added.
1647         TargetAgent holds a list of targets, and connects/disconnects to each
1648         of the targets when a frontend connects/disconnects.
1649
1650         * inspector/scripts/codegen/generator.py:
1651         Better enum casing of ServiceWorker.
1652
1653 2018-11-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1654
1655         Unreviewed, rolling in CodeCache in r237254
1656         https://bugs.webkit.org/show_bug.cgi?id=190340
1657
1658         Land the CodeCache part without adding an additional hash value.
1659
1660         * bytecode/UnlinkedFunctionExecutable.cpp:
1661         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1662         * bytecode/UnlinkedFunctionExecutable.h:
1663         * parser/SourceCodeKey.h:
1664         (JSC::SourceCodeKey::SourceCodeKey):
1665         (JSC::SourceCodeKey::operator== const):
1666         * runtime/CodeCache.cpp:
1667         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1668         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1669         * runtime/CodeCache.h:
1670         * runtime/FunctionConstructor.cpp:
1671         (JSC::constructFunctionSkippingEvalEnabledCheck):
1672         * runtime/FunctionExecutable.cpp:
1673         (JSC::FunctionExecutable::fromGlobalCode):
1674         * runtime/FunctionExecutable.h:
1675
1676 2018-11-13  Saam Barati  <sbarati@apple.com>
1677
1678         ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception
1679         https://bugs.webkit.org/show_bug.cgi?id=191601
1680
1681         Reviewed by Mark Lam.
1682
1683         This doesn't fix any bugs today, but it may reduce future bugs. It was
1684         always weird that ProxyObject::getOwnPropertySlot with VMInquiry might
1685         throw a stack overflow error instead of just returning false like it
1686         normally does when VMInquiry is passed in.
1687
1688         * runtime/ProxyObject.cpp:
1689         (JSC::ProxyObject::getOwnPropertySlotCommon):
1690
1691 2018-11-13  Saam Barati  <sbarati@apple.com>
1692
1693         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1694         https://bugs.webkit.org/show_bug.cgi?id=191600
1695
1696         Reviewed by Mark Lam.
1697
1698         processLogEntries will call into calculatedClassName, which will clear
1699         any exceptions it encounters (it assumes that they're stack overflow exceptions).
1700         However, this code may be called when an exception is already pending on the 
1701         VM (e.g., when we throw an exception in the DFG, we compile an OSR exit
1702         offramp, which may compile a baseline codeblock, which will process
1703         the type profiler log). To get around this, processLogEntries should stash
1704         away and re-apply any pending exceptions.
1705
1706         * dfg/DFGDriver.cpp:
1707         (JSC::DFG::compileImpl):
1708         * dfg/DFGOperations.cpp:
1709         * inspector/agents/InspectorRuntimeAgent.cpp:
1710         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1711         * jit/JIT.cpp:
1712         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1713         * jit/JITOperations.cpp:
1714         * runtime/CommonSlowPaths.cpp:
1715         (JSC::SLOW_PATH_DECL):
1716         * runtime/TypeProfilerLog.cpp:
1717         (JSC::TypeProfilerLog::processLogEntries):
1718         * runtime/TypeProfilerLog.h:
1719         * runtime/VM.cpp:
1720         (JSC::VM::dumpTypeProfilerData):
1721         * runtime/VM.h:
1722         (JSC::VM::DeferExceptionScope::DeferExceptionScope):
1723         * tools/JSDollarVM.cpp:
1724         (JSC::functionFindTypeForExpression):
1725         (JSC::functionReturnTypeFor):
1726
1727 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1728
1729         Unreviewed, rolling out r238132.
1730
1731         The test added with this change is timing out on Debug JSC
1732         bots.
1733
1734         Reverted changeset:
1735
1736         "[BigInt] JSBigInt::createWithLength should throw when length
1737         is greater than JSBigInt::maxLength"
1738         https://bugs.webkit.org/show_bug.cgi?id=190836
1739         https://trac.webkit.org/changeset/238132
1740
1741 2018-11-12  Mark Lam  <mark.lam@apple.com>
1742
1743         Add OOM detection to StringPrototype's substituteBackreferences().
1744         https://bugs.webkit.org/show_bug.cgi?id=191563
1745         <rdar://problem/45720428>
1746
1747         Reviewed by Saam Barati.
1748
1749         * dfg/DFGStrengthReductionPhase.cpp:
1750         (JSC::DFG::StrengthReductionPhase::handleNode):
1751         * runtime/StringPrototype.cpp:
1752         (JSC::substituteBackreferencesSlow):
1753         (JSC::substituteBackreferencesInline):
1754         (JSC::substituteBackreferences):
1755         (JSC::replaceUsingRegExpSearch):
1756         (JSC::replaceUsingStringSearch):
1757         * runtime/StringPrototype.h:
1758
1759 2018-11-13  Mark Lam  <mark.lam@apple.com>
1760
1761         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1762         https://bugs.webkit.org/show_bug.cgi?id=191579
1763         <rdar://problem/45942472>
1764
1765         Reviewed by Saam Barati.
1766
1767         Both of these functions do a lot of work.  It would be good for the topCallFrame
1768         to be correct should we need to throw an exception.
1769
1770         For example, we've observed the following crash trace:
1771
1772           * frame #0: WTFCrash() at Assertions.cpp:253
1773             frame #1: ...
1774             frame #2: JSC::StructureIDTable::get(this=0x00006040000162f0, structureID=1874583248) at StructureIDTable.h:129
1775             frame #3: JSC::VM::getStructure(this=0x0000604000016210, id=4022066896) at VM.h:705
1776             frame #4: JSC::JSCell::structure(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:125
1777             frame #5: JSC::JSCell::classInfo(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:335
1778             frame #6: JSC::JSCell::inherits(this=0x00007ffeefbbde30, vm=0x0000604000016210, info=0x0000000105eaf020) const at JSCellInlines.h:302
1779             frame #7: JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(from=0x00007ffeefbbde30) at JSCast.h:36
1780             frame #8: JSC::asObject(cell=0x00007ffeefbbde30) at JSObject.h:1299
1781             frame #9: JSC::asObject(value=JSValue @ 0x00007ffeefbba380) at JSObject.h:1304
1782             frame #10: JSC::Register::object(this=0x00007ffeefbbdd58) const at JSObject.h:1514
1783             frame #11: JSC::ExecState::jsCallee(this=0x00007ffeefbbdd40) const at CallFrame.h:107
1784             frame #12: JSC::ExecState::isStackOverflowFrame(this=0x00007ffeefbbdd40) const at CallFrameInlines.h:36
1785             frame #13: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:52
1786             frame #14: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:41
1787             frame #15: void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long, unsigned long)::$_3>(startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800, functor=0x00007ffeefbbaa60)::$_3 const&) at StackVisitor.h:147
1788             frame #16: JSC::Interpreter::getStackTrace(this=0x0000602000005db0, owner=0x000062d00020cbe0, results=0x00006020000249d0, framesToSkip=0, maxStackSize=1) at Interpreter.cpp:437
1789             frame #17: JSC::getStackTrace(exec=0x000062d00002c048, vm=0x0000631000000800, obj=0x000062d00020cbe0, useCurrentFrame=true) at Error.cpp:170
1790             frame #18: JSC::ErrorInstance::finishCreation(this=0x000062d00020cbe0, exec=0x000062d00002c048, vm=0x0000631000000800, message=0x00007ffeefbbb800, useCurrentFrame=true) at ErrorInstance.cpp:119
1791             frame #19: JSC::ErrorInstance::create(exec=0x000062d00002c048, vm=0x0000631000000800, structure=0x000062d0000f5730, message=0x00007ffeefbbb800, appender=0x0000000000000000, type=TypeNothing, useCurrentFrame=true)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) at ErrorInstance.h:49
1792             frame #20: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800, appender=0x0000000000000000)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) at Error.cpp:68
1793             frame #21: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800) at Error.cpp:316
1794             frame #22: JSC::createStackOverflowError(exec=0x000062d00002c048, globalObject=0x000062d00002c000) at ExceptionHelpers.cpp:77
1795             frame #23: JSC::createStackOverflowError(exec=0x000062d00002c048) at ExceptionHelpers.cpp:72
1796             frame #24: JSC::throwStackOverflowError(exec=0x000062d00002c048, scope=0x00007ffeefbbbaa0) at ExceptionHelpers.cpp:335
1797             frame #25: JSC::ProxyObject::getOwnPropertySlotCommon(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbba80, slot=0x00007ffeefbbc720) at ProxyObject.cpp:372
1798             frame #26: JSC::ProxyObject::getOwnPropertySlot(object=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbd40, slot=0x00007ffeefbbc720) at ProxyObject.cpp:395
1799             frame #27: JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbea0, slot=0x00007ffeefbbc720) at JSObjectInlines.h:150
1800             frame #28: bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbc320, slot=0x00007ffeefbbc720) at JSObject.h:1424
1801             frame #29: JSC::JSObject::calculatedClassName(object=0x000062d000200e40) at JSObject.cpp:535
1802             frame #30: JSC::Structure::toStructureShape(this=0x000062d000007410, value=JSValue @ 0x00007ffeefbbcae0, sawPolyProtoStructure=0x00007ffeefbbcf60) at Structure.cpp:1142
1803             frame #31: JSC::TypeProfilerLog::processLogEntries(this=0x000060400000a950, reason=0x00007ffeefbbd5c0) at TypeProfilerLog.cpp:89
1804             frame #32: JSC::JIT::doMainThreadPreparationBeforeCompile(this=0x0000619000034da0) at JIT.cpp:951
1805             frame #33: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:43
1806             frame #34: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:42
1807             frame #35: JSC::JITWorklist::compileLater(this=0x0000616000001b80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:256
1808             frame #36: JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000062d0001d88c0, exec=0x00007ffeefbbde30, loopOSREntryBytecodeOffset=0) at LLIntSlowPaths.cpp:391
1809             frame #37: llint_replace(exec=0x00007ffeefbbde30, pc=0x00006040000161ba) at LLIntSlowPaths.cpp:516
1810             frame #38: llint_entry at LowLevelInterpreter64.asm:98
1811             frame #39: vmEntryToJavaScript at LowLevelInterpreter64.asm:296
1812             ...
1813
1814         This crash occurred because StackVisitor was seeing an invalid topCallFrame while
1815         trying to capture the Error stack while throwing a StackOverflowError below
1816         llint_replace.  While in this specific example, it is questionable whether we
1817         should be executing JS code below TypeProfilerLog::processLogEntries(), it is
1818         correct to have set the topCallFrame in llint_replace.  We do this by calling
1819         LLINT_BEGIN_NO_SET_PC() at the top of llint_replace.
1820
1821         We also do the same for llint_osr.
1822         
1823         Note: both of these LLInt slow path functions are called with a fully initialized
1824         CallFrame.  Hence, there's no issue with setting topCallFrame to their CallFrames
1825         for these functions.
1826
1827         * llint/LLIntSlowPaths.cpp:
1828         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1829
1830 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1831
1832         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1833         https://bugs.webkit.org/show_bug.cgi?id=190836
1834
1835         Reviewed by Saam Barati.
1836
1837         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
1838         where we allocate a BigInt trusting the length received as argument.
1839         With this additional method, we now check if length passed to
1840         `JSBigInt::createWithLength` is not greater than JSBigInt::maxLength.
1841         When the length is greater than maxLength, we then throw OOM
1842         exception.
1843         This required changing the interface of some JSBigInt operations to
1844         receive `ExecState*` instead of `VM&`. We changed only operations that
1845         can throw because of OOM.
1846         We believe that this approach of throwing instead of finishing the
1847         execution abruptly is better because JS programs can catch such
1848         exception and handle this issue properly.
1849
1850         * dfg/DFGOperations.cpp:
1851         * jit/JITOperations.cpp:
1852         * runtime/CommonSlowPaths.cpp:
1853         (JSC::SLOW_PATH_DECL):
1854         * runtime/JSBigInt.cpp:
1855         (JSC::JSBigInt::createZero):
1856         (JSC::JSBigInt::tryCreateWithLength):
1857         (JSC::JSBigInt::createWithLengthUnchecked):
1858         (JSC::JSBigInt::createFrom):
1859         (JSC::JSBigInt::multiply):
1860         (JSC::JSBigInt::divide):
1861         (JSC::JSBigInt::copy):
1862         (JSC::JSBigInt::unaryMinus):
1863         (JSC::JSBigInt::remainder):
1864         (JSC::JSBigInt::add):
1865         (JSC::JSBigInt::sub):
1866         (JSC::JSBigInt::bitwiseAnd):
1867         (JSC::JSBigInt::bitwiseOr):
1868         (JSC::JSBigInt::bitwiseXor):
1869         (JSC::JSBigInt::absoluteAdd):
1870         (JSC::JSBigInt::absoluteSub):
1871         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
1872         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
1873         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
1874         (JSC::JSBigInt::absoluteBitwiseOp):
1875         (JSC::JSBigInt::absoluteAddOne):
1876         (JSC::JSBigInt::absoluteSubOne):
1877         (JSC::JSBigInt::toStringGeneric):
1878         (JSC::JSBigInt::rightTrim):
1879         (JSC::JSBigInt::allocateFor):
1880         (JSC::JSBigInt::createWithLength): Deleted.
1881         * runtime/JSBigInt.h:
1882         * runtime/Operations.cpp:
1883         (JSC::jsAddSlowCase):
1884         * runtime/Operations.h:
1885         (JSC::jsSub):
1886         (JSC::jsMul):
1887
1888 2018-11-12  Devin Rousso  <drousso@apple.com>
1889
1890         Web Inspector: Network: show secure certificate details per-request
1891         https://bugs.webkit.org/show_bug.cgi?id=191447
1892         <rdar://problem/30019476>
1893
1894         Reviewed by Joseph Pecoraro.
1895
1896         Add Security domain to hold security related protocol types.
1897
1898         * CMakeLists.txt:
1899         * DerivedSources.make:
1900         * inspector/protocol/Network.json:
1901         * inspector/protocol/Security.json: Added.
1902         * inspector/scripts/codegen/objc_generator.py:
1903         (ObjCGenerator):
1904
1905 2018-11-12  Saam barati  <sbarati@apple.com>
1906
1907         Unreviewed. Rollout 238026: It caused ~8% JetStream 2 regressions on some iOS devices
1908         https://bugs.webkit.org/show_bug.cgi?id=191555
1909
1910         * bytecode/UnlinkedFunctionExecutable.cpp:
1911         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1912         * bytecode/UnlinkedFunctionExecutable.h:
1913         * parser/SourceCodeKey.h:
1914         (JSC::SourceCodeKey::SourceCodeKey):
1915         (JSC::SourceCodeKey::operator== const):
1916         * runtime/CodeCache.cpp:
1917         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1918         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1919         * runtime/CodeCache.h:
1920         * runtime/FunctionConstructor.cpp:
1921         (JSC::constructFunctionSkippingEvalEnabledCheck):
1922         * runtime/FunctionExecutable.cpp:
1923         (JSC::FunctionExecutable::fromGlobalCode):
1924         * runtime/FunctionExecutable.h:
1925
1926 2018-11-11  Benjamin Poulain  <benjamin@webkit.org>
1927
1928         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
1929         https://bugs.webkit.org/show_bug.cgi?id=191492
1930
1931         Reviewed by Alex Christensen.
1932
1933         Rename file.
1934
1935         * API/JSValue.mm:
1936
1937 2018-11-10  Benjamin Poulain  <benjamin@webkit.org>
1938
1939         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
1940         https://bugs.webkit.org/show_bug.cgi?id=191492
1941
1942         Reviewed by Alex Christensen.
1943
1944         * API/JSValue.mm:
1945
1946 2018-11-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1947
1948         Unreviewed, silence -Wunused-variable warning
1949
1950         * bytecode/Opcode.h:
1951         (JSC::padOpcodeName):
1952
1953 2018-11-09  Keith Rollin  <krollin@apple.com>
1954
1955         Unreviewed build fix after https://bugs.webkit.org/show_bug.cgi?id=191324
1956
1957         Remove the use of .xcfilelists until their side-effects are better
1958         understood.
1959
1960         * JavaScriptCore.xcodeproj/project.pbxproj:
1961
1962 2018-11-09  Keith Miller  <keith_miller@apple.com>
1963
1964         LLInt VectorSizeOffset should be based on offset extraction
1965         https://bugs.webkit.org/show_bug.cgi?id=191468
1966
1967         Reviewed by Yusuke Suzuki.
1968
1969         This patch also adds some usings to LLIntOffsetsExtractor that
1970         make it possible to use the bare names of Vector/RefCountedArray
1971         in offsets extraction.
1972
1973         * llint/LLIntOffsetsExtractor.cpp:
1974         * llint/LowLevelInterpreter.asm:
1975
1976 2018-11-09  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1977
1978         Unreviewed, rolling in CodeCache in r237254
1979         https://bugs.webkit.org/show_bug.cgi?id=190340
1980
1981         Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash.
1982
1983         * bytecode/UnlinkedFunctionExecutable.cpp:
1984         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1985         * bytecode/UnlinkedFunctionExecutable.h:
1986         * parser/SourceCodeKey.h:
1987         (JSC::SourceCodeKey::SourceCodeKey):
1988         (JSC::SourceCodeKey::operator== const):
1989         * runtime/CodeCache.cpp:
1990         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1991         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1992         * runtime/CodeCache.h:
1993         * runtime/FunctionConstructor.cpp:
1994         (JSC::constructFunctionSkippingEvalEnabledCheck):
1995         * runtime/FunctionExecutable.cpp:
1996         (JSC::FunctionExecutable::fromGlobalCode):
1997         * runtime/FunctionExecutable.h:
1998
1999 2018-11-08  Keith Miller  <keith_miller@apple.com>
2000
2001         put_by_val opcodes need to add the number tag as a 64-bit register
2002         https://bugs.webkit.org/show_bug.cgi?id=191456
2003
2004         Reviewed by Saam Barati.
2005
2006         Previously the LLInt would add it as a pointer sized value. That is
2007         wrong if the pointer size is less than 64 bits.
2008
2009         * llint/LowLevelInterpreter64.asm:
2010
2011 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2012
2013         [JSC] isStrWhiteSpace seems redundant with Lexer<UChar>::isWhiteSpace
2014         https://bugs.webkit.org/show_bug.cgi?id=191439
2015
2016         Reviewed by Saam Barati.
2017
2018         * CMakeLists.txt:
2019         * runtime/ParseInt.h:
2020         (JSC::isStrWhiteSpace):
2021         Define isStrWhiteSpace in terms of isWhiteSpace and isLineTerminator.
2022
2023 2018-11-08  Michael Saboff  <msaboff@apple.com>
2024
2025         Options::useRegExpJIT() should use jitEnabledByDefault() just like useJIT()
2026         https://bugs.webkit.org/show_bug.cgi?id=191444
2027
2028         Reviewed by Saam Barati.
2029
2030         * runtime/Options.h:
2031
2032 2018-11-08  Fujii Hironori  <Hironori.Fujii@sony.com>
2033
2034         [Win] UDis86Disassembler.cpp: warning: format specifies type 'unsigned long' but the argument has type 'uintptr_t' (aka 'unsigned long long')
2035         https://bugs.webkit.org/show_bug.cgi?id=191416
2036
2037         Reviewed by Saam Barati.
2038
2039         * disassembler/UDis86Disassembler.cpp:
2040         (JSC::tryToDisassembleWithUDis86): Use PRIxPTR for uintptr_t.
2041
2042 2018-11-08  Keith Rollin  <krollin@apple.com>
2043
2044         Create .xcfilelist files
2045         https://bugs.webkit.org/show_bug.cgi?id=191324
2046         <rdar://problem/45852819>
2047
2048         Reviewed by Alex Christensen.
2049
2050         As part of preparing for enabling XCBuild, create and use .xcfilelist
2051         files. These files are used during Run Script build phases in an
2052         Xcode project. If a Run Script build phase produces new files that are
2053         used later as inputs to subsequent build phases, XCBuild needs to know
2054         about these files. These files can be either specified in an "output
2055         files" section of the Run Script phase editor, or in .xcfilelist files
2056         that are associated with the Run Script build phase.
2057
2058         This patch takes the second approach. It consists of three sets of changes:
2059
2060         - Modify the DerivedSources.make files to have a
2061           'print_all_generated_files' target that produces a list of the files
2062           they create.
2063
2064         - Create a shell script that produces .xcfilelist files from the
2065           output of the previous step, as well as for the files created in the
2066           Generate Unified Sources build steps.
2067
2068         - Add the new .xcfilelist files to the associated projects.
2069
2070         Note that, with these changes, the Xcode workspace and projects can no
2071         longer be fully loaded into Xcode 9. Xcode will attempt to load the
2072         projects that have .xcfilelist files associated with them, but will
2073         fail and display a placeholder for those projects instead. It's
2074         expected that all developers are using Xcode 10 by now and that not
2075         being able to load into Xcode 9 is not a practical issue. Keep in mind
2076         that this is strictly an IDE issue, and that the projects can still be
2077         built with `xcodebuild`.
2078
2079         Also note that the shell script that creates the .xcfilelist files can
2080         also be used to verify that the set of files that's currently checked
2081         in is up-to-date. This checking can be used as part of a check-in hook
2082         or part of check-webkit-style to sooner catch cases where the
2083         .xcfilelist files need to be regenerated.
2084
2085         * DerivedSources.make:
2086         * DerivedSources.xcfilelist: Added.
2087         * JavaScriptCore.xcodeproj/project.pbxproj:
2088         * UnifiedSources.xcfilelist: Added.
2089
2090 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2091
2092         U+180E is no longer a whitespace character
2093         https://bugs.webkit.org/show_bug.cgi?id=191415
2094
2095         Reviewed by Saam Barati.
2096
2097         Mongolian Vowel Separator stopped being a valid whitespace character as of ES2016.
2098         (https://github.com/tc39/ecma262/pull/300)
2099
2100         * parser/Lexer.h:
2101         (JSC::Lexer<UChar>::isWhiteSpace):
2102         * runtime/ParseInt.h:
2103         (JSC::isStrWhiteSpace):
2104         * yarr/create_regex_tables:
2105
2106 2018-11-08  Keith Miller  <keith_miller@apple.com>
2107
2108         jitEnabledByDefault() should be on useJIT not useBaselineJIT
2109         https://bugs.webkit.org/show_bug.cgi?id=191434
2110
2111         Reviewed by Saam Barati.
2112
2113         * runtime/Options.h:
2114
2115 2018-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2116
2117         Web Inspector: Restrict domains at the target level instead of only at the window level
2118         https://bugs.webkit.org/show_bug.cgi?id=191344
2119
2120         Reviewed by Devin Rousso.
2121
2122         * inspector/protocol/Console.json:
2123         * inspector/protocol/Debugger.json:
2124         * inspector/protocol/Heap.json:
2125         * inspector/protocol/Runtime.json:
2126         Remove workerSupported as it is now no longer necessary. It is implied
2127         by availability being empty (meaning it is supported everywhere).
2128
2129         * inspector/protocol/Inspector.json:
2130         * inspector/protocol/ScriptProfiler.json:
2131         Restrict to "javascript" and "web" debuggables, not available in workers.
2132
2133         * inspector/protocol/Worker.json:
2134         Cleanup, remove empty types list.
2135         
2136         * inspector/protocol/Recording.json:
2137         Cleanup, only expose this in the "web" domain for now.
2138
2139         * inspector/scripts/codegen/generate_js_backend_commands.py:
2140         (JSBackendCommandsGenerator.generate_domain):
2141         * inspector/scripts/codegen/models.py:
2142         (Protocol.parse_domain):
2143         Allow a list of debuggable types. Add "worker" even though it is unused
2144         since that is a type we would want to allow or consider.
2145
2146         (Domain.__init__):
2147         (Domains):
2148         Remove now unnecessary workerSupported code.
2149         Allow availability on a domain with only types.
2150
2151         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: Removed.
2152         * inspector/scripts/tests/generic/worker-supported-domains.json: Removed.
2153
2154 2018-11-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2155
2156         Consider removing double load for accessing the MetadataTable from LLInt
2157         https://bugs.webkit.org/show_bug.cgi?id=190933
2158
2159         Reviewed by Keith Miller.
2160
2161         This patch removes the double load for accesses to MetadataTable from LLInt.
2162         MetadataTable is now a specially RefCounted class, which has an interesting memory layout.
2163         When the refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy itself.
2164
2165         * bytecode/CodeBlock.cpp:
2166         (JSC::CodeBlock::finishCreation):
2167         (JSC::CodeBlock::estimatedSize):
2168         (JSC::CodeBlock::visitChildren):
2169         * bytecode/CodeBlock.h:
2170         (JSC::CodeBlock::metadata):
2171         * bytecode/CodeBlockInlines.h:
2172         (JSC::CodeBlock::forEachValueProfile):
2173         (JSC::CodeBlock::forEachArrayProfile):
2174         (JSC::CodeBlock::forEachArrayAllocationProfile):
2175         (JSC::CodeBlock::forEachObjectAllocationProfile):
2176         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2177         * bytecode/MetadataTable.cpp:
2178         (JSC::MetadataTable::MetadataTable):
2179         (JSC::MetadataTable::~MetadataTable):
2180         (JSC::MetadataTable::sizeInBytes):
2181         * bytecode/MetadataTable.h:
2182         (JSC::MetadataTable::get):
2183         (JSC::MetadataTable::forEach):
2184         (JSC::MetadataTable::ref const):
2185         (JSC::MetadataTable::deref const):
2186         (JSC::MetadataTable::refCount const):
2187         (JSC::MetadataTable::hasOneRef const):
2188         (JSC::MetadataTable::buffer):
2189         (JSC::MetadataTable::linkingData const):
2190         (JSC::MetadataTable::getImpl):
2191         * bytecode/UnlinkedMetadataTable.h:
2192         (JSC::UnlinkedMetadataTable::buffer const):
2193         * bytecode/UnlinkedMetadataTableInlines.h:
2194         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2195         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
2196         (JSC::UnlinkedMetadataTable::addEntry):
2197         (JSC::UnlinkedMetadataTable::sizeInBytes):
2198         (JSC::UnlinkedMetadataTable::finalize):
2199         (JSC::UnlinkedMetadataTable::link):
2200         (JSC::UnlinkedMetadataTable::unlink):
2201         * llint/LowLevelInterpreter.asm:
2202         * llint/LowLevelInterpreter32_64.asm:
2203
2204 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2205
2206         [BigInt] Add support to BigInt into ValueAdd
2207         https://bugs.webkit.org/show_bug.cgi?id=186177
2208
2209         Reviewed by Keith Miller.
2210
2211         We are adding a very primitive specialization case of BigInts into ValueAdd.
2212         When compiling a speculated version of this node to BigInt, we are currently
2213         calling 'operationAddBigInt', a function that expects only BigInts as
2214         parameters and effectively adds numbers using JSBigInt::add. To properly
2215         speculate BigInt operands, we changed ArithProfile to observe when
2216         its result is a BigInt. With this new observation, we are able to identify
2217         when ValueAdd results in a String or BigInt.
2218
2219         Here are some numbers for this specialization running
2220         microbenchmarks:
2221
2222         big-int-simple-add                   21.5411+-1.1096  ^  15.3502+-0.7027  ^ definitely 1.4033x faster
2223         big-int-add-prediction-propagation   13.7762+-0.5578  ^  10.8117+-0.5330  ^ definitely 1.2742x faster
2224
2225         * bytecode/ArithProfile.cpp:
2226         (JSC::ArithProfile::emitObserveResult):
2227         (JSC::ArithProfile::shouldEmitSetNonNumeric const):
2228         (JSC::ArithProfile::shouldEmitSetBigInt const):
2229         (JSC::ArithProfile::emitSetNonNumeric const):
2230         (JSC::ArithProfile::emitSetBigInt const):
2231         (WTF::printInternal):
2232         (JSC::ArithProfile::shouldEmitSetNonNumber const): Deleted.
2233         (JSC::ArithProfile::emitSetNonNumber const): Deleted.
2234         * bytecode/ArithProfile.h:
2235         (JSC::ArithProfile::observedUnaryInt):
2236         (JSC::ArithProfile::observedUnaryNumber):
2237         (JSC::ArithProfile::observedBinaryIntInt):
2238         (JSC::ArithProfile::observedBinaryNumberInt):
2239         (JSC::ArithProfile::observedBinaryIntNumber):
2240         (JSC::ArithProfile::observedBinaryNumberNumber):
2241         (JSC::ArithProfile::didObserveNonInt32 const):
2242         (JSC::ArithProfile::didObserveNonNumeric const):
2243         (JSC::ArithProfile::didObserveBigInt const):
2244         (JSC::ArithProfile::setObservedNonNumeric):
2245         (JSC::ArithProfile::setObservedBigInt):
2246         (JSC::ArithProfile::observeResult):
2247         (JSC::ArithProfile::didObserveNonNumber const): Deleted.
2248         (JSC::ArithProfile::setObservedNonNumber): Deleted.
2249         * dfg/DFGByteCodeParser.cpp:
2250         (JSC::DFG::ByteCodeParser::makeSafe):
2251         * dfg/DFGFixupPhase.cpp:
2252         (JSC::DFG::FixupPhase::fixupNode):
2253         * dfg/DFGNode.h:
2254         (JSC::DFG::Node::mayHaveNonNumericResult):
2255         (JSC::DFG::Node::mayHaveBigIntResult):
2256         (JSC::DFG::Node::mayHaveNonNumberResult): Deleted.
2257         * dfg/DFGNodeFlags.cpp:
2258         (JSC::DFG::dumpNodeFlags):
2259         * dfg/DFGNodeFlags.h:
2260         * dfg/DFGOperations.cpp:
2261         * dfg/DFGOperations.h:
2262         * dfg/DFGPredictionPropagationPhase.cpp:
2263         * dfg/DFGSpeculativeJIT.cpp:
2264         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2265         * ftl/FTLLowerDFGToB3.cpp:
2266         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2267         * runtime/CommonSlowPaths.cpp:
2268         (JSC::updateArithProfileForUnaryArithOp):
2269         (JSC::updateArithProfileForBinaryArithOp):
2270
2271 2018-11-07  Joseph Pecoraro  <pecoraro@apple.com>
2272
2273         Web Inspector: Fix "Javascript" => "JavaScript" enum in protocol generated objects
2274         https://bugs.webkit.org/show_bug.cgi?id=191340
2275
2276         Reviewed by Devin Rousso.
2277
2278         * inspector/ConsoleMessage.cpp:
2279         (Inspector::messageSourceValue):
2280         Use new enum name.
2281
2282         * inspector/scripts/codegen/generator.py:
2283         Correct the casing of "JavaScript".
2284
2285 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2286
2287         Align wide opcodes in the instruction stream
2288         https://bugs.webkit.org/show_bug.cgi?id=191254
2289
2290         Reviewed by Keith Miller.
2291
2292         Pad the bytecode with nops to ensure that wide opcodes are 4-byte
2293         aligned on platforms that don't like unaligned memory access.
2294
2295         For that, add a new type to represent jump targets, BoundLabel, which
2296         delays computing the offset in case we need to emit nops for padding.
2297         Extra padding is also emitted before op_yield and at the end of each
2298         BytecodeWriter fragment, to ensure that the bytecode remains aligned
2299         after the rewriting.
2300
2301         As a side effect, we can no longer guarantee that the point immediately
2302         before emitting an opcode is the start of that opcode, since nops
2303         might be emitted in between if the opcode needs to be wide. To fix
2304         that, we only take the offset of opcodes after they have been emitted,
2305         using `m_lastInstruction.offset()`.
2306
2307         * bytecode/BytecodeDumper.h:
2308         (JSC::BytecodeDumper::dumpValue):
2309         * bytecode/BytecodeGeneratorification.cpp:
2310         (JSC::BytecodeGeneratorification::run):
2311         * bytecode/BytecodeList.rb:
2312         * bytecode/BytecodeRewriter.h:
2313         (JSC::BytecodeRewriter::Fragment::align):
2314         (JSC::BytecodeRewriter::insertFragmentBefore):
2315         (JSC::BytecodeRewriter::insertFragmentAfter):
2316         * bytecode/Fits.h:
2317         * bytecode/InstructionStream.h:
2318         (JSC::InstructionStreamWriter::ref):
2319         * bytecode/PreciseJumpTargetsInlines.h:
2320         (JSC::updateStoredJumpTargetsForInstruction):
2321         * bytecompiler/BytecodeGenerator.cpp:
2322         (JSC::Label::setLocation):
2323         (JSC::BoundLabel::target):
2324         (JSC::BoundLabel::saveTarget):
2325         (JSC::BoundLabel::commitTarget):
2326         (JSC::BytecodeGenerator::generate):
2327         (JSC::BytecodeGenerator::recordOpcode):
2328         (JSC::BytecodeGenerator::alignWideOpcode):
2329         (JSC::BytecodeGenerator::emitProfileControlFlow):
2330         (JSC::BytecodeGenerator::emitResolveScope):
2331         (JSC::BytecodeGenerator::emitGetFromScope):
2332         (JSC::BytecodeGenerator::emitPutToScope):
2333         (JSC::BytecodeGenerator::emitGetById):
2334         (JSC::BytecodeGenerator::emitDirectGetById):
2335         (JSC::BytecodeGenerator::emitPutById):
2336         (JSC::BytecodeGenerator::emitDirectPutById):
2337         (JSC::BytecodeGenerator::emitGetByVal):
2338         (JSC::BytecodeGenerator::emitCreateThis):
2339         (JSC::BytecodeGenerator::beginSwitch):
2340         (JSC::BytecodeGenerator::endSwitch):
2341         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
2342         (JSC::BytecodeGenerator::emitYieldPoint):
2343         (JSC::BytecodeGenerator::emitToThis):
2344         (JSC::Label::bind): Deleted.
2345         * bytecompiler/BytecodeGenerator.h:
2346         (JSC::BytecodeGenerator::recordOpcode): Deleted.
2347         * bytecompiler/Label.h:
2348         (JSC::BoundLabel::BoundLabel):
2349         (JSC::BoundLabel::operator int):
2350         (JSC::Label::bind):
2351         * generator/Opcode.rb:
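
As an added illustration of the padding scheme this entry describes (example code written for this page, not JavaScriptCore's BytecodeGenerator; the opcode set, the instruction sizes and the simplified `BoundLabel` are stand-ins), the following toy writer emits nops before a wide opcode until it is 4-byte aligned, and resolves a label from the offset of the last emitted opcode rather than from the position before emission:

```cpp
// Added example for this page: a toy bytecode writer, not JSC's BytecodeGenerator.
// Wide opcodes are padded to a 4-byte boundary with nops, and an opcode's offset
// is recorded only after it has been emitted (the BoundLabel idea).
#include <cstddef>
#include <cstdint>
#include <vector>

namespace toy {

enum Opcode : uint8_t { OpNop = 0, OpNarrow = 1, OpWide = 2 };

constexpr size_t kWideAlignment = 4;
constexpr size_t kNarrowLength = 2;     // opcode byte + one 8-bit operand
constexpr size_t kWideLength = 1 + 4;   // opcode byte + one 32-bit operand

struct Writer {
    std::vector<uint8_t> bytes;
    size_t lastInstructionOffset = 0;   // start of the most recently emitted opcode

    // Emit nops until the next opcode would start on a 4-byte boundary.
    void alignWideOpcode() {
        while (bytes.size() % kWideAlignment)
            bytes.push_back(OpNop);
    }

    size_t emitNarrow(uint8_t operand) {
        size_t start = bytes.size();
        bytes.push_back(OpNarrow);
        bytes.push_back(operand);
        lastInstructionOffset = start;
        return start;
    }

    size_t emitWide(uint32_t operand) {
        alignWideOpcode();             // padding nops may be emitted here,
        size_t start = bytes.size();   // so the offset is taken only afterwards
        bytes.push_back(OpWide);
        for (int i = 0; i < 4; ++i)    // little-endian 32-bit operand
            bytes.push_back(static_cast<uint8_t>(operand >> (8 * i)));
        lastInstructionOffset = start;
        return start;
    }
};

// A label resolved from the writer's last emitted opcode, so padding can never
// sit between the label and the opcode it names.
struct BoundLabel {
    size_t offset = 0;
    void bindToLastInstruction(const Writer& w) { offset = w.lastInstructionOffset; }
};

// Walks the stream and checks that every wide opcode starts on a 4-byte boundary.
bool allWideOpcodesAligned(const std::vector<uint8_t>& bytes) {
    for (size_t i = 0; i < bytes.size();) {
        switch (bytes[i]) {
        case OpNop:    i += 1; break;
        case OpNarrow: i += kNarrowLength; break;
        case OpWide:
            if (i % kWideAlignment)
                return false;
            i += kWideLength;
            break;
        default:
            return false;   // unknown opcode: malformed stream
        }
    }
    return true;
}

// Constructed input: three narrow opcodes leave the stream at offset 6, so the
// wide opcode needs two padding nops. Returns the label's resolved offset.
size_t demoStream(std::vector<uint8_t>& out) {
    Writer w;
    w.emitNarrow(7);          // offset 0
    w.emitNarrow(9);          // offset 2
    w.emitNarrow(1);          // offset 4, stream now 6 bytes long
    w.emitWide(0x11223344);   // nops at 6 and 7, wide opcode at 8
    BoundLabel label;
    label.bindToLastInstruction(w);
    out = w.bytes;
    return label.offset;
}

}
```

The point to notice is the order inside `emitWide`: the offset is read after `alignWideOpcode()` has run. Reading `bytes.size()` before the call would make the label point at the first padding nop, which is the mistake the entry's switch to `m_lastInstruction.offset()` avoids.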
2352
2353 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2354
2355         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2356         https://bugs.webkit.org/show_bug.cgi?id=191184
2357
2358         Reviewed by Saam Barati.
2359
2360         Fix API test on CLoop: we can only disable the LLInt when the JIT is enabled.
2361
2362         * API/tests/PingPongStackOverflowTest.cpp:
2363         (testPingPongStackOverflow):
2364
2365 2018-11-06  Justin Fan  <justin_fan@apple.com>
2366
2367         [WebGPU] Experimental prototype for WebGPURenderPipeline and WebGPUSwapChain
2368         https://bugs.webkit.org/show_bug.cgi?id=191291
2369
2370         Reviewed by Myles Maxfield.
2371
2372         Properly disable WEBGPU on all non-Metal platforms for now.
2373
2374         * Configurations/FeatureDefines.xcconfig:
2375
2376 2018-11-06  Keith Rollin  <krollin@apple.com>
2377
2378         Adjust handling of Include paths that need quoting
2379         https://bugs.webkit.org/show_bug.cgi?id=191314
2380         <rdar://problem/45849143>
2381
2382         Reviewed by Dan Bernstein.
2383
2384         There are several places in the JavaScriptCore Xcode project where the
2385         paths defined in HEADER_SEARCH_PATHS are quoted. That is, the
2386         definitions look like:
2387
2388             HEADER_SEARCH_PATHS = (
2389                 "\"${BUILT_PRODUCTS_DIR}/DerivedSources/JavaScriptCore\"",
2390                 "\"${BUILT_PRODUCTS_DIR}/LLIntOffsets/${ARCHS}\"",
2391                 "\"$(JAVASCRIPTCORE_FRAMEWORKS_DIR)/JavaScriptCore.framework/PrivateHeaders\"",
2392                 "$(inherited)",
2393             );
2394
2395         The idea here is presumably to have the resulting $(CPP) command have
2396         -I options where the associated paths are themselves quoted,
2397         protecting against space characters in the paths.
2398
2399         This approach to quote management can break under Xcode 9. If
2400         .xcfilelist files are added to the project, the 'objectVersion' value
2401         in the Xcode project file is changed from 46 to 51. If a project with
2402         objectVersion=51 is presented to Xcode 9 (as can happen when we build
2403         for older OS's), it produces build lines where the quotes are escaped,
2404         thereby becoming part of the path. The build then fails because a
2405         search for a file normally found in a directory called "Foo" will be
2406         looked for in "\"Foo\"", which doesn't exist.
2407
2408         Simply removing the escaped quotes from the HEADER_SEARCH_PATHS
2409         definition doesn't work, leading to paths that need quoting due to
2410         space characters but that don't get this quoting (the part of the path
2411         after the space appears to simply go missing).
2412
2413         Removing the escaped quotes from the HEADER_SEARCH_PATHS and moving
2414         the definitions to the .xcconfig fixes this problem.
2415
2416         * Configurations/ToolExecutable.xcconfig:
2417         * JavaScriptCore.xcodeproj/project.pbxproj:
2418
2419 2018-11-06  Michael Saboff  <msaboff@apple.com>
2420
2421         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2422         https://bugs.webkit.org/show_bug.cgi?id=191271
2423
2424         Reviewed by Saam Barati.
2425
2426         Fixed use of ThrowScope by adding release() calls.  Found a few places where we needed
2427         RETURN_IF_EXCEPTION().  After some code inspection, determined that we need to cover the
2428         exception bubbling for String.match() with a global RegExp as well as String.replace()
2429         and String.search().
2430
2431         * runtime/RegExpObjectInlines.h:
2432         (JSC::RegExpObject::matchInline):
2433         (JSC::collectMatches):
2434         * runtime/RegExpPrototype.cpp:
2435         (JSC::regExpProtoFuncSearchFast):
2436         * runtime/StringPrototype.cpp:
2437         (JSC::removeUsingRegExpSearch):
2438         (JSC::replaceUsingRegExpSearch):
2439
2440 2018-11-05  Don Olmstead  <don.olmstead@sony.com>
2441
2442         Fix typos in closing ENABLE guards
2443         https://bugs.webkit.org/show_bug.cgi?id=191273
2444
2445         Reviewed by Keith Miller.
2446
2447         * ftl/FTLForOSREntryJITCode.h:
2448         * ftl/FTLJITCode.h:
2449         * jsc.cpp:
2450         * wasm/WasmMemoryInformation.h:
2451         * wasm/WasmPageCount.h:
2452
2453 2018-11-05  Keith Miller  <keith_miller@apple.com>
2454
2455         Make static_asserts in APICast into bitwise_cast
2456         https://bugs.webkit.org/show_bug.cgi?id=191272
2457
2458         Reviewed by Filip Pizlo.
2459
2460         * API/APICast.h:
2461         (toJS):
2462         (toJSForGC):
2463         (toRef):
2464
2465 2018-11-05  Dominik Infuehr  <dinfuehr@igalia.com>
2466
2467         Enable LLInt on ARMv7/Linux
2468         https://bugs.webkit.org/show_bug.cgi?id=191190
2469
2470         Reviewed by Yusuke Suzuki.
2471
2472         After enabling the new bytecode format in r237547, C_LOOP was
2473         forced on all 32-bit platforms. Now enable LLInt again on
2474         ARMv7-Thumb2/Linux.
2475
2476         This adds a callee-saved register in ARMv7/Linux for the metadataTable and
2477         stores/restores it on LLInt function calls. It also introduces the globaladdr
2478         instruction for the ARM offlineasm to access the opcode table.
2479
2480         * jit/GPRInfo.h:
2481         * jit/RegisterSet.cpp:
2482         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
2483         * llint/LowLevelInterpreter.asm:
2484         * llint/LowLevelInterpreter32_64.asm:
2485         * offlineasm/arm.rb:
2486         * offlineasm/asm.rb:
2487         * offlineasm/instructions.rb:
2488
2489 2018-11-05  Fujii Hironori  <Hironori.Fujii@sony.com>
2490
2491         [Win][Clang][JSC] JIT::is64BitType reports "warning: explicit specialization cannot have a storage class"
2492         https://bugs.webkit.org/show_bug.cgi?id=191146
2493
2494         Reviewed by Yusuke Suzuki.
2495
2496         * jit/JIT.h: Changed is64BitType from a template class method to a
2497         template inner class.
2498
2499 2018-11-02  Keith Miller  <keith_miller@apple.com>
2500
2501         Assert JSValues can fit into a pointer when API casting
2502         https://bugs.webkit.org/show_bug.cgi?id=191220
2503
2504         Reviewed by Michael Saboff.
2505
2506         * API/APICast.h:
2507         (toJS):
2508         (toJSForGC):
2509         (toRef):
2510
2511 2018-11-02  Michael Saboff  <msaboff@apple.com>
2512
2513         Rolling in r237753 with unreviewed build fix.
2514
2515         Fixed issues with DECLARE_THROW_SCOPE placement.
2516
2517 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2518
2519         Unreviewed, rolling out r237753.
2520
2521         Introduced JSC test failures
2522
2523         Reverted changeset:
2524
2525         "Running out of stack space not properly handled in
2526         RegExp::compile() and its callers"
2527         https://bugs.webkit.org/show_bug.cgi?id=191206
2528         https://trac.webkit.org/changeset/237753
2529
2530 2018-11-02  Michael Saboff  <msaboff@apple.com>
2531
2532         Running out of stack space not properly handled in RegExp::compile() and its callers
2533         https://bugs.webkit.org/show_bug.cgi?id=191206
2534
2535         Reviewed by Filip Pizlo.
2536
2537         Eliminated two RELEASE_ASSERT_NOT_REACHED() for errors returned by Yarr parsing code.  Bubbled those errors
2538         up to where they are turned into the appropriate exceptions in matchInline().  If the errors are not due
2539         to syntax, we reset the RegExp state in case the parsing is tried with a smaller stack.
2540
2541         * runtime/RegExp.cpp:
2542         (JSC::RegExp::compile):
2543         (JSC::RegExp::compileMatchOnly):
2544         * runtime/RegExp.h:
2545         * runtime/RegExpInlines.h:
2546         (JSC::RegExp::compileIfNecessary):
2547         (JSC::RegExp::matchInline):
2548         (JSC::RegExp::compileIfNecessaryMatchOnly):
2549         * runtime/RegExpObjectInlines.h:
2550         (JSC::RegExpObject::execInline):
2551         * yarr/YarrErrorCode.h:
2552         (JSC::Yarr::hasHardError):
2553
2554 2018-11-02  Keith Miller  <keith_miller@apple.com>
2555
2556         API should use wrapper object if address is 32-bit
2557         https://bugs.webkit.org/show_bug.cgi?id=191203
2558
2559         Reviewed by Filip Pizlo.
2560
2561         * API/APICast.h:
2562         (toJS):
2563         (toJSForGC):
2564         (toRef):
2565
2566 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
2567
2568         Metadata should not be copyable
2569         https://bugs.webkit.org/show_bug.cgi?id=191193
2570
2571         Reviewed by Keith Miller.
2572
2573         We should only ever hold references to the entry in the metadata table.
2574
2575         * bytecode/CodeBlock.cpp:
2576         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2577         * dfg/DFGByteCodeParser.cpp:
2578         (JSC::DFG::ByteCodeParser::parseBlock):
2579         * generator/Metadata.rb:
2580
2581 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
2582
2583         REGRESSION(r237547): Exception handlers should be aware of wide opcodes when JIT is disabled
2584         https://bugs.webkit.org/show_bug.cgi?id=191175
2585
2586         Reviewed by Keith Miller.
2587
2588         https://bugs.webkit.org/show_bug.cgi?id=191108 did not handle the case where JIT is not enabled
2589
2590         * jit/JITExceptions.cpp:
2591         (JSC::genericUnwind):
2592         * llint/LLIntData.h:
2593         (JSC::LLInt::getWideCodePtr):
2594
2595 2018-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2596
2597         Rename <wtf/unicode/UTF8.h> to <wtf/unicode/UTF8Conversion.h> in order to avoid conflicting with ICU's unicode/utf8.h
2598         https://bugs.webkit.org/show_bug.cgi?id=189693
2599
2600         Reviewed by Yusuke Suzuki.
2601
2602         * API/JSClassRef.cpp: Replaced <wtf/unicode/UTF8.h> with <wtf/unicode/UTF8Conversion.h>.
2603         * API/JSStringRef.cpp: Ditto.
2604         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2605         * wasm/WasmParser.h: Ditto.
2606
2607 2018-11-01  Keith Miller  <keith_miller@apple.com>
2608
2609         Unreviewed, JavaScriptCore should only guarantee to produce a
2610         modulemap if we are building for iOSMac.
2611
2612         * Configurations/JavaScriptCore.xcconfig:
2613
2614 2018-10-31  Devin Rousso  <drousso@apple.com>
2615
2616         Web Inspector: Canvas: create a setting for auto-recording newly created contexts
2617         https://bugs.webkit.org/show_bug.cgi?id=190856
2618
2619         Reviewed by Brian Burg.
2620
2621         * inspector/protocol/Canvas.json:
2622         Add `setRecordingAutoCaptureFrameCount` command for setting the number of frames to record
2623         immediately after a context is created.
2624
2625         * inspector/protocol/Recording.json:
2626         Add `creation` value for `Initiator` enum.
2627
2628 2018-10-31  Devin Rousso  <drousso@apple.com>
2629
2630         Web Inspector: display low-power enter/exit events in Timelines and Network node waterfalls
2631         https://bugs.webkit.org/show_bug.cgi?id=190641
2632         <rdar://problem/45319049>
2633
2634         Reviewed by Joseph Pecoraro.
2635
2636         * inspector/protocol/DOM.json:
2637         Add `videoLowPowerChanged` event that is fired when `InspectorDOMAgent` is able to determine
2638         whether a video element's low power state has changed.
2639
2640 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2641
2642         Adjust inlining threshold for new bytecode format
2643         https://bugs.webkit.org/show_bug.cgi?id=191115
2644
2645         Reviewed by Saam Barati.
2646
2647         The new format reduced the number of operands for many opcodes, which
2648         changed inlining decisions and impacted performance negatively.
2649
2650         * runtime/Options.h:
2651
2652 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2653
2654         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2655         https://bugs.webkit.org/show_bug.cgi?id=191108
2656         <rdar://problem/45690700>
2657
2658         Reviewed by Saam Barati.
2659
2660         When linking the handler, we need to check whether the target op_catch is
2661         wide or narrow in order to choose the right code pointer for the handler.
2662
2663         * bytecode/CodeBlock.cpp:
2664         (JSC::CodeBlock::finishCreation):
2665
2666 2018-10-31  Dominik Infuehr  <dinfuehr@igalia.com>
2667
2668         Align entries in metadata table
2669         https://bugs.webkit.org/show_bug.cgi?id=191062
2670
2671         Reviewed by Filip Pizlo.
2672
2673         Entries in the metadata table need to be aligned on some 32-bit
2674         architectures.
2675
2676         * bytecode/MetadataTable.h:
2677         (JSC::MetadataTable::forEach):
2678         * bytecode/Opcode.cpp:
2679         (JSC::metadataAlignment):
2680         * bytecode/Opcode.h:
2681         * bytecode/UnlinkedMetadataTableInlines.h:
2682         (JSC::UnlinkedMetadataTable::finalize):
2683         * generator/Section.rb:
2684
2685 2018-10-31  Jim Mason  <jmason@ibinx.com>
2686
2687         Static global 'fastHandlerInstalled' conditionally declared in WasmFaultSignalHandler.cpp
2688         https://bugs.webkit.org/show_bug.cgi?id=191063
2689
2690         Reviewed by Yusuke Suzuki.
2691
2692         * wasm/WasmFaultSignalHandler.cpp:
2693
2694 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2695
2696         [JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions
2697         https://bugs.webkit.org/show_bug.cgi?id=191092
2698
2699         Reviewed by Saam Barati.
2700
2701         Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the
2702         following things to tighten LLInt ASM code.
2703
2704         1. Remove unnecessary load instructions. Use jmp with BaseIndex directly.
2705         2. Introduce strength reduction for mul instructions in offlineasm layer. This is now critical
2706         since the mul instruction is executed in the `metadata` operation in LLInt. If the given immediate is
2707         a power of two, we convert it to lshift instruction.
2708
2709         * llint/LowLevelInterpreter32_64.asm:
2710         * llint/LowLevelInterpreter64.asm:
2711         * offlineasm/arm64.rb:
2712         * offlineasm/instructions.rb:
2713         * offlineasm/x86.rb:
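
The power-of-two rewrite in item 2, as an added example (this is illustration code for this page, not offlineasm's Ruby and not how offlineasm represents instructions; the `LoweredMul` struct and the 64-bit modular register model are assumptions): only a strictly positive immediate with a single bit set is rewritten to a left shift, and the rewritten form is checked against the plain multiply, including the wrap-around case.

```cpp
// Added example for this page, not offlineasm code: strength-reduce
// `mul reg, imm` to `lshift reg, k` when imm == 2^k.
#include <cstdint>

namespace toy {

// Result of lowering a multiply by an immediate: either keep the multiply or
// replace it with a left shift by `shift` bits.
struct LoweredMul {
    bool useShift;
    unsigned shift;   // meaningful only when useShift is true
};

// A positive immediate with exactly one bit set is a power of two. Zero and
// negative immediates are deliberately left to the real multiply.
bool isPowerOfTwo(int64_t imm) {
    return imm > 0 && (imm & (imm - 1)) == 0;
}

unsigned log2OfPowerOfTwo(uint64_t v) {
    unsigned n = 0;
    while (v > 1) { v >>= 1; ++n; }
    return n;
}

LoweredMul lowerMulImmediate(int64_t imm) {
    if (!isPowerOfTwo(imm))
        return { false, 0 };
    return { true, log2OfPowerOfTwo(static_cast<uint64_t>(imm)) };
}

// Executes the lowered form on a 64-bit register value with wrap-around
// semantics, so the rewrite can be compared with the unoptimized multiply.
uint64_t applyLowered(uint64_t reg, int64_t imm) {
    LoweredMul l = lowerMulImmediate(imm);
    if (l.useShift)
        return reg << l.shift;
    return reg * static_cast<uint64_t>(imm);
}

// Reference: what the plain `mul` computes (modular arithmetic on 64 bits).
uint64_t referenceMul(uint64_t reg, int64_t imm) {
    return reg * static_cast<uint64_t>(imm);
}

}
```

Multiplying by 1 becomes a shift by 0, which a later pass can drop entirely; 0 and negative immediates are not rewritten, since `(imm & (imm - 1)) == 0` alone would wrongly accept 0.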
2714
2715 2018-10-30  Don Olmstead  <don.olmstead@sony.com>
2716
2717         [PlayStation] Enable JavaScriptCore
2718         https://bugs.webkit.org/show_bug.cgi?id=191072
2719
2720         Reviewed by Brent Fulgham.
2721
2722         Add platform files for the PlayStation port.
2723
2724         * PlatformPlayStation.cmake: Added.
2725
2726 2018-10-30  Alexey Proskuryakov  <ap@apple.com>
2727
2728         Clean up some obsolete MAX_ALLOWED macros
2729         https://bugs.webkit.org/show_bug.cgi?id=190916
2730
2731         Reviewed by Tim Horton.
2732
2733         * API/JSManagedValue.mm:
2734         * API/JSVirtualMachine.mm:
2735         * API/JSWrapperMap.mm:
2736
2737 2018-10-30  Ross Kirsling  <ross.kirsling@sony.com>
2738
2739         useProbeOSRExit causes failures for Win64 DFG JIT
2740         https://bugs.webkit.org/show_bug.cgi?id=190656
2741
2742         Reviewed by Keith Miller.
2743
2744         * assembler/ProbeContext.cpp:
2745         (JSC::Probe::executeProbe):
2746         If lowWatermark is expected to equal lowWatermarkFromVisitingDirtyPages *regardless* of the input param,
2747         then let's just call lowWatermarkFromVisitingDirtyPages instead.
2748
2749         * dfg/DFGOSRExit.cpp:
2750         (JSC::DFG::OSRExit::executeOSRExit):
2751         The result of VariableEventStream::reconstruct appears to be inappropriate for direct use as a stack pointer offset;
2752         mimic the non-probe case and use requiredRegisterCountForExit from DFGCommonData instead.
2753         (Also, stop redundantly setting the stack pointer twice in a row.)
2754
2755 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2756
2757         "Unreviewed, partial rolling in r237254"
2758         https://bugs.webkit.org/show_bug.cgi?id=190340
2759
2760         This only adds Parser.{cpp,h}, and it is not used in this patch.
2761         It examines whether the regression is related to the exact Parser changes.
2762
2763         * parser/Parser.cpp:
2764         (JSC::Parser<LexerType>::parseInner):
2765         (JSC::Parser<LexerType>::parseSingleFunction):
2766         (JSC::Parser<LexerType>::parseFunctionInfo):
2767         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2768         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2769         * parser/Parser.h:
2770         (JSC::Parser<LexerType>::parse):
2771         (JSC::parse):
2772         (JSC::parseFunctionForFunctionConstructor):
2773
2774 2018-10-29  Mark Lam  <mark.lam@apple.com>
2775
2776         Correctly detect string overflow when using the 'Function' constructor.
2777         https://bugs.webkit.org/show_bug.cgi?id=184883
2778         <rdar://problem/36320331>
2779
2780         Reviewed by Saam Barati.
2781
2782         Added StringBuilder::hasOverflowed() checks, and throwing OutOfMemoryErrors if
2783         we detect an overflow.
2784
2785         * runtime/FunctionConstructor.cpp:
2786         (JSC::constructFunctionSkippingEvalEnabledCheck):
2787         * runtime/JSGlobalObjectFunctions.cpp:
2788         (JSC::encode):
2789         (JSC::decode):
2790         * runtime/JSONObject.cpp:
2791         (JSC::Stringifier::stringify):
2792         (JSC::Stringifier::appendStringifiedValue):
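
An added illustration of the overflow check this entry introduces (example code for this page, not WTF::StringBuilder or FunctionConstructor.cpp; the `CheckedLength` and `Builder` classes and the modelled source layout are stand-ins): the length is accumulated in 32 bits with a sticky overflow flag, so a concatenation whose total would wrap is reported to the caller instead of silently producing a length that is far smaller than the content.

```cpp
// Added example for this page, not WebKit code: a string builder whose
// length accounting cannot wrap, in the spirit of hasOverflowed().
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>

namespace toy {

// 32-bit length accumulator: once a sum would exceed UINT32_MAX the object is
// marked overflowed and every later add() is refused.
class CheckedLength {
public:
    bool add(size_t n) {
        if (m_overflowed)
            return false;
        if (n > std::numeric_limits<uint32_t>::max() - m_value) {
            m_overflowed = true;
            return false;
        }
        m_value += static_cast<uint32_t>(n);
        return true;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t value() const { return m_value; }
private:
    uint32_t m_value = 0;
    bool m_overflowed = false;
};

// Builder that refuses to grow past a 32-bit length. Appends after an overflow
// are no-ops; the caller checks hasOverflowed() (and, in an engine, throws an
// OutOfMemoryError) before trusting the result.
class Builder {
public:
    void append(const std::string& s) {
        if (!m_length.add(s.size()))
            return;
        m_buffer += s;
    }
    bool hasOverflowed() const { return m_length.hasOverflowed(); }
    const std::string& str() const { return m_buffer; }
private:
    CheckedLength m_length;
    std::string m_buffer;
};

// Assemble Function-constructor style source text. Returns false on overflow
// so the caller can throw instead of continuing with a wrapped length.
bool buildFunctionSource(const std::string& params, const std::string& body, std::string& out) {
    Builder b;
    b.append("function anonymous(");
    b.append(params);
    b.append("\n) {\n");
    b.append(body);
    b.append("\n}");
    if (b.hasOverflowed())
        return false;
    out = b.str();
    return true;
}

// Length-only model of the same concatenation, so the overflow case can be
// exercised without allocating gigabytes. Returns true if the total fits.
bool sourceLengthFits(size_t paramsLen, size_t bodyLen, uint32_t& total) {
    CheckedLength len;
    len.add(sizeof("function anonymous(") - 1);
    len.add(paramsLen);
    len.add(sizeof("\n) {\n") - 1);
    len.add(bodyLen);
    len.add(sizeof("\n}") - 1);
    total = len.value();
    return !len.hasOverflowed();
}

// The unchecked variant, for contrast: the 32-bit sum wraps silently.
uint32_t uncheckedSourceLength(size_t paramsLen, size_t bodyLen) {
    uint32_t total = 0;
    total += static_cast<uint32_t>(sizeof("function anonymous(") - 1);
    total += static_cast<uint32_t>(paramsLen);
    total += static_cast<uint32_t>(sizeof("\n) {\n") - 1);
    total += static_cast<uint32_t>(bodyLen);
    total += static_cast<uint32_t>(sizeof("\n}") - 1);
    return total;
}

}
```

The length-only model shows why the check matters: for two inputs of 2^31 bytes each, the unchecked sum wraps to 26, the size of the fixed text alone, and a buffer sized from that number would be far too small for the content about to be copied into it. The checked version reports the overflow, which is the point at which the entry's OutOfMemoryError is thrown.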
2793
2794 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2795
2796         Unreviewed, fix JSC on arm64e after r237547
2797         https://bugs.webkit.org/show_bug.cgi?id=187373
2798
2799         Unreviewed.
2800
2801         Remove unused move guarded by POINTER_PROFILING that was trashing the
2802         metadata on arm64e.
2803
2804         * llint/LowLevelInterpreter64.asm:
2805
2806 2018-10-29  Keith Miller  <keith_miller@apple.com>
2807
2808         JSC should explicitly list its modulemap file
2809         https://bugs.webkit.org/show_bug.cgi?id=191032
2810
2811         Reviewed by Saam Barati.
2812
2813         The automagically generated module map file for JSC will
2814         include headers where they may not work out of the box.
2815         This patch makes it so we now export the same modulemap
2816         that used to be provided via the legacy system.
2817
2818         * Configurations/JavaScriptCore.xcconfig:
2819         * JavaScriptCore.modulemap: Added.
2820         * JavaScriptCore.xcodeproj/project.pbxproj:
2821
2822 2018-10-29  Tim Horton  <timothy_horton@apple.com>
2823
2824         Modernize WebKit nibs and lprojs for localization's sake
2825         https://bugs.webkit.org/show_bug.cgi?id=190911
2826         <rdar://problem/45349466>
2827
2828         Reviewed by Dan Bernstein.
2829
2830         * JavaScriptCore.xcodeproj/project.pbxproj:
2831         English->en
2832
2833 2018-10-29  Commit Queue  <commit-queue@webkit.org>
2834
2835         Unreviewed, rolling out r237492.
2836         https://bugs.webkit.org/show_bug.cgi?id=191035
2837
2838         "It regresses JetStream 2 by 5% on some iOS devices"
2839         (Requested by saamyjoon on #webkit).
2840
2841         Reverted changeset:
2842
2843         "Unreviewed, partial rolling in r237254"
2844         https://bugs.webkit.org/show_bug.cgi?id=190340
2845         https://trac.webkit.org/changeset/237492
2846
2847 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2848
2849         Add support for GetStack FlushedDouble
2850         https://bugs.webkit.org/show_bug.cgi?id=191012
2851         <rdar://problem/45265141>
2852
2853         Reviewed by Saam Barati.
2854
2855         LowerDFGToB3::compileGetStack assumed that we would not emit GetStack
2856         for doubles, but it turns out it may arise from the PutStack sinking
2857         phase: if we sink a PutStack into a successor block, other predecessors
2858         will emit a GetStack followed by an Upsilon.
2859
2860         * ftl/FTLLowerDFGToB3.cpp:
2861         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2862
2863 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2864
2865         New bytecode format for JSC
2866         https://bugs.webkit.org/show_bug.cgi?id=187373
2867         <rdar://problem/44186758>
2868
2869         Reviewed by Filip Pizlo.
2870
2871         Replace unlinked and linked bytecode with a new immutable bytecode that does not embed
2872         any addresses. Instructions can be encoded as narrow (1-byte operands) or wide (4-byte
2873         operands) and might contain an extra operand, the metadataID. The metadataID is used to
2874         access the instruction's mutable data in a side table in the CodeBlock (the MetadataTable).
2875
2876         Bytecodes now must be structs declared in the new BytecodeList.rb. All bytecodes give names
2877         and types to all their operands. Additionally, reading a bytecode from the instruction stream
2878         requires decoding the whole bytecode, i.e. it's no longer possible to access arbitrary
2879         operands directly from the stream.
2880
2881
2882         * CMakeLists.txt:
2883         * DerivedSources.make:
2884         * JavaScriptCore.xcodeproj/project.pbxproj:
2885         * Sources.txt:
2886         * assembler/MacroAssemblerCodeRef.h:
2887         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2888         (JSC::ReturnAddressPtr::value const):
2889         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2890         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2891         * bytecode/ArithProfile.h:
2892         (JSC::ArithProfile::ArithProfile):
2893         * bytecode/ArrayAllocationProfile.h:
2894         (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
2895         * bytecode/ArrayProfile.h:
2896         * bytecode/BytecodeBasicBlock.cpp:
2897         (JSC::isJumpTarget):
2898         (JSC::BytecodeBasicBlock::computeImpl):
2899         (JSC::BytecodeBasicBlock::compute):
2900         * bytecode/BytecodeBasicBlock.h:
2901         (JSC::BytecodeBasicBlock::leaderOffset const):
2902         (JSC::BytecodeBasicBlock::totalLength const):
2903         (JSC::BytecodeBasicBlock::offsets const):
2904         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
2905         (JSC::BytecodeBasicBlock::addLength):
2906         * bytecode/BytecodeDumper.cpp:
2907         (JSC::BytecodeDumper<Block>::printLocationAndOp):
2908         (JSC::BytecodeDumper<Block>::dumpBytecode):
2909         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
2910         (JSC::BytecodeDumper<Block>::dumpConstants):
2911         (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
2912         (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
2913         (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
2914         (JSC::BytecodeDumper<Block>::dumpBlock):
2915         * bytecode/BytecodeDumper.h:
2916         (JSC::BytecodeDumper::dumpOperand):
2917         (JSC::BytecodeDumper::dumpValue):
2918         (JSC::BytecodeDumper::BytecodeDumper):
2919         (JSC::BytecodeDumper::block const):
2920         * bytecode/BytecodeGeneratorification.cpp:
2921         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2922         (JSC::BytecodeGeneratorification::enterPoint const):
2923         (JSC::BytecodeGeneratorification::instructions const):
2924         (JSC::GeneratorLivenessAnalysis::run):
2925         (JSC::BytecodeGeneratorification::run):
2926         (JSC::performGeneratorification):
2927         * bytecode/BytecodeGeneratorification.h:
2928         * bytecode/BytecodeGraph.h:
2929         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
2930         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
2931         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
2932         (JSC::BytecodeGraph::BytecodeGraph):
2933         * bytecode/BytecodeKills.h:
2934         * bytecode/BytecodeList.json: Removed.
2935         * bytecode/BytecodeList.rb: Added.
2936         * bytecode/BytecodeLivenessAnalysis.cpp:
2937         (JSC::BytecodeLivenessAnalysis::dumpResults):
2938         * bytecode/BytecodeLivenessAnalysis.h:
2939         * bytecode/BytecodeLivenessAnalysisInlines.h:
2940         (JSC::isValidRegisterForLiveness):
2941         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2942         * bytecode/BytecodeRewriter.cpp:
2943         (JSC::BytecodeRewriter::applyModification):
2944         (JSC::BytecodeRewriter::execute):
2945         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2946         (JSC::BytecodeRewriter::insertImpl):
2947         (JSC::BytecodeRewriter::adjustJumpTarget):
2948         (JSC::BytecodeRewriter::adjustJumpTargets):
2949         * bytecode/BytecodeRewriter.h:
2950         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
2951         (JSC::BytecodeRewriter::Fragment::Fragment):
2952         (JSC::BytecodeRewriter::Fragment::appendInstruction):
2953         (JSC::BytecodeRewriter::BytecodeRewriter):
2954         (JSC::BytecodeRewriter::insertFragmentBefore):
2955         (JSC::BytecodeRewriter::insertFragmentAfter):
2956         (JSC::BytecodeRewriter::removeBytecode):
2957         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
2958         (JSC::BytecodeRewriter::adjustJumpTarget):
2959         * bytecode/BytecodeUseDef.h:
2960         (JSC::computeUsesForBytecodeOffset):
2961         (JSC::computeDefsForBytecodeOffset):
2962         * bytecode/CallLinkStatus.cpp:
2963         (JSC::CallLinkStatus::computeFromLLInt):
2964         * bytecode/CodeBlock.cpp:
2965         (JSC::CodeBlock::dumpBytecode):
2966         (JSC::CodeBlock::CodeBlock):
2967         (JSC::CodeBlock::finishCreation):
2968         (JSC::CodeBlock::estimatedSize):
2969         (JSC::CodeBlock::visitChildren):
2970         (JSC::CodeBlock::propagateTransitions):
2971         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2972         (JSC::CodeBlock::addJITAddIC):
2973         (JSC::CodeBlock::addJITMulIC):
2974         (JSC::CodeBlock::addJITSubIC):
2975         (JSC::CodeBlock::addJITNegIC):
2976         (JSC::CodeBlock::stronglyVisitStrongReferences):
2977         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
2978         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2979         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
2980         (JSC::CodeBlock::getArrayProfile):
2981         (JSC::CodeBlock::updateAllArrayPredictions):
2982         (JSC::CodeBlock::predictedMachineCodeSize):
2983         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2984         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
2985         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2986         (JSC::CodeBlock::validate):
2987         (JSC::CodeBlock::outOfLineJumpOffset):
2988         (JSC::CodeBlock::outOfLineJumpTarget):
2989         (JSC::CodeBlock::arithProfileForBytecodeOffset):
2990         (JSC::CodeBlock::arithProfileForPC):
2991         (JSC::CodeBlock::couldTakeSpecialFastCase):
2992         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2993         * bytecode/CodeBlock.h:
2994         (JSC::CodeBlock::addMathIC):
2995         (JSC::CodeBlock::outOfLineJumpOffset):
2996         (JSC::CodeBlock::bytecodeOffset):
2997         (JSC::CodeBlock::instructions const):
2998         (JSC::CodeBlock::instructionCount const):
2999         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
3000         (JSC::CodeBlock::metadata):
3001         (JSC::CodeBlock::metadataSizeInBytes):
3002         (JSC::CodeBlock::numberOfNonArgumentValueProfiles):
3003         (JSC::CodeBlock::totalNumberOfValueProfiles):
3004         * bytecode/CodeBlockInlines.h: Added.
3005         (JSC::CodeBlock::forEachValueProfile):
3006         (JSC::CodeBlock::forEachArrayProfile):
3007         (JSC::CodeBlock::forEachArrayAllocationProfile):
3008         (JSC::CodeBlock::forEachObjectAllocationProfile):
3009         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
3010         * bytecode/Fits.h: Added.
3011         * bytecode/GetByIdMetadata.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3012         * bytecode/GetByIdStatus.cpp:
3013         (JSC::GetByIdStatus::computeFromLLInt):
3014         * bytecode/Instruction.h:
3015         (JSC::Instruction::Instruction):
3016         (JSC::Instruction::Impl::opcodeID const):
3017         (JSC::Instruction::opcodeID const):
3018         (JSC::Instruction::name const):
3019         (JSC::Instruction::isWide const):
3020         (JSC::Instruction::size const):
3021         (JSC::Instruction::is const):
3022         (JSC::Instruction::as const):
3023         (JSC::Instruction::cast):
3024         (JSC::Instruction::cast const):
3025         (JSC::Instruction::narrow const):
3026         (JSC::Instruction::wide const):
3027         * bytecode/InstructionStream.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3028         (JSC::InstructionStream::InstructionStream):
3029         (JSC::InstructionStream::sizeInBytes const):
3030         * bytecode/InstructionStream.h: Added.
3031         (JSC::InstructionStream::BaseRef::BaseRef):
3032         (JSC::InstructionStream::BaseRef::operator=):
3033         (JSC::InstructionStream::BaseRef::operator-> const):
3034         (JSC::InstructionStream::BaseRef::ptr const):
3035         (JSC::InstructionStream::BaseRef::operator!= const):
3036         (JSC::InstructionStream::BaseRef::next const):
3037         (JSC::InstructionStream::BaseRef::offset const):
3038         (JSC::InstructionStream::BaseRef::isValid const):
3039         (JSC::InstructionStream::BaseRef::unwrap const):
3040         (JSC::InstructionStream::MutableRef::freeze const):
3041         (JSC::InstructionStream::MutableRef::operator->):
3042         (JSC::InstructionStream::MutableRef::ptr):
3043         (JSC::InstructionStream::MutableRef::operator Ref):
3044         (JSC::InstructionStream::MutableRef::unwrap):
3045         (JSC::InstructionStream::iterator::operator*):
3046         (JSC::InstructionStream::iterator::operator++):
3047         (JSC::InstructionStream::begin const):
3048         (JSC::InstructionStream::end const):
3049         (JSC::InstructionStream::at const):
3050         (JSC::InstructionStream::size const):
3051         (JSC::InstructionStreamWriter::InstructionStreamWriter):
3052         (JSC::InstructionStreamWriter::ref):
3053         (JSC::InstructionStreamWriter::seek):
3054         (JSC::InstructionStreamWriter::position):
3055         (JSC::InstructionStreamWriter::write):
3056         (JSC::InstructionStreamWriter::rewind):
3057         (JSC::InstructionStreamWriter::finalize):
3058         (JSC::InstructionStreamWriter::swap):
3059         (JSC::InstructionStreamWriter::iterator::operator*):
3060         (JSC::InstructionStreamWriter::iterator::operator++):
3061         (JSC::InstructionStreamWriter::begin):
3062         (JSC::InstructionStreamWriter::end):
3063         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3064         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
3065         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3066         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
3067         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3068         * bytecode/MetadataTable.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3069         (JSC::MetadataTable::MetadataTable):
3070         (JSC::DeallocTable::withOpcodeType):
3071         (JSC::MetadataTable::~MetadataTable):
3072         (JSC::MetadataTable::sizeInBytes):
3073         * bytecode/MetadataTable.h: Copied from Source/JavaScriptCore/runtime/Watchdog.h.
3074         (JSC::MetadataTable::get):
3075         (JSC::MetadataTable::forEach):
3076         (JSC::MetadataTable::getImpl):
3077         * bytecode/Opcode.cpp:
3078         (JSC::metadataSize):
3079         * bytecode/Opcode.h:
3080         (JSC::padOpcodeName):
3081         * bytecode/OpcodeInlines.h:
3082         (JSC::isOpcodeShape):
3083         (JSC::getOpcodeType):
3084         * bytecode/OpcodeSize.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3085         * bytecode/PreciseJumpTargets.cpp:
3086         (JSC::getJumpTargetsForInstruction):
3087         (JSC::computePreciseJumpTargetsInternal):
3088         (JSC::computePreciseJumpTargets):
3089         (JSC::recomputePreciseJumpTargets):
3090         (JSC::findJumpTargetsForInstruction):
3091         * bytecode/PreciseJumpTargets.h:
3092         * bytecode/PreciseJumpTargetsInlines.h:
3093         (JSC::jumpTargetForInstruction):
3094         (JSC::extractStoredJumpTargetsForInstruction):
3095         (JSC::updateStoredJumpTargetsForInstruction):
3096         * bytecode/PutByIdStatus.cpp:
3097         (JSC::PutByIdStatus::computeFromLLInt):
3098         * bytecode/SpecialPointer.cpp:
3099         (WTF::printInternal):
3100         * bytecode/SpecialPointer.h:
3101         * bytecode/UnlinkedCodeBlock.cpp:
3102         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3103         (JSC::UnlinkedCodeBlock::visitChildren):
3104         (JSC::UnlinkedCodeBlock::estimatedSize):
3105         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
3106         (JSC::dumpLineColumnEntry):
3107         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const):
3108         (JSC::UnlinkedCodeBlock::setInstructions):
3109         (JSC::UnlinkedCodeBlock::instructions const):
3110         (JSC::UnlinkedCodeBlock::applyModification):
3111         (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget):
3112         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3113         * bytecode/UnlinkedCodeBlock.h:
3114         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction):
3115         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const):
3116         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
3117         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
3118         (JSC::UnlinkedCodeBlock::metadata):
3119         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
3120         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3121         (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets):
3122         * bytecode/UnlinkedInstructionStream.cpp: Removed.
3123         * bytecode/UnlinkedInstructionStream.h: Removed.
3124         * bytecode/UnlinkedMetadataTable.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3125         * bytecode/UnlinkedMetadataTableInlines.h: Added.
3126         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
3127         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
3128         (JSC::UnlinkedMetadataTable::addEntry):
3129         (JSC::UnlinkedMetadataTable::sizeInBytes):
3130         (JSC::UnlinkedMetadataTable::finalize):
3131         (JSC::UnlinkedMetadataTable::link):
3132         (JSC::UnlinkedMetadataTable::unlink):
3133         * bytecode/VirtualRegister.cpp:
3134         (JSC::VirtualRegister::VirtualRegister):
3135         * bytecode/VirtualRegister.h:
3136         * bytecompiler/BytecodeGenerator.cpp:
3137         (JSC::Label::setLocation):
3138         (JSC::Label::bind):
3139         (JSC::BytecodeGenerator::generate):
3140         (JSC::BytecodeGenerator::BytecodeGenerator):
3141         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
3142         (JSC::BytecodeGenerator::emitEnter):
3143         (JSC::BytecodeGenerator::emitLoopHint):
3144         (JSC::BytecodeGenerator::emitJump):
3145         (JSC::BytecodeGenerator::emitCheckTraps):
3146         (JSC::BytecodeGenerator::rewind):
3147         (JSC::BytecodeGenerator::fuseCompareAndJump):
3148         (JSC::BytecodeGenerator::fuseTestAndJmp):
3149         (JSC::BytecodeGenerator::emitJumpIfTrue):
3150         (JSC::BytecodeGenerator::emitJumpIfFalse):
3151         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3152         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3153         (JSC::BytecodeGenerator::moveLinkTimeConstant):
3154         (JSC::BytecodeGenerator::moveEmptyValue):
3155         (JSC::BytecodeGenerator::emitMove):
3156         (JSC::BytecodeGenerator::emitUnaryOp):
3157         (JSC::BytecodeGenerator::emitBinaryOp):
3158         (JSC::BytecodeGenerator::emitToObject):
3159         (JSC::BytecodeGenerator::emitToNumber):
3160         (JSC::BytecodeGenerator::emitToString):
3161         (JSC::BytecodeGenerator::emitTypeOf):
3162         (JSC::BytecodeGenerator::emitInc):
3163         (JSC::BytecodeGenerator::emitDec):
3164         (JSC::BytecodeGenerator::emitEqualityOp):
3165         (JSC::BytecodeGenerator::emitProfileType):
3166         (JSC::BytecodeGenerator::emitProfileControlFlow):
3167         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3168         (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
3169         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3170         (JSC::BytecodeGenerator::emitOverridesHasInstance):
3171         (JSC::BytecodeGenerator::emitResolveScope):
3172         (JSC::BytecodeGenerator::emitGetFromScope):
3173         (JSC::BytecodeGenerator::emitPutToScope):
3174         (JSC::BytecodeGenerator::emitInstanceOf):
3175         (JSC::BytecodeGenerator::emitInstanceOfCustom):
3176         (JSC::BytecodeGenerator::emitInByVal):
3177         (JSC::BytecodeGenerator::emitInById):
3178         (JSC::BytecodeGenerator::emitTryGetById):
3179         (JSC::BytecodeGenerator::emitGetById):
3180         (JSC::BytecodeGenerator::emitDirectGetById):
3181         (JSC::BytecodeGenerator::emitPutById):
3182         (JSC::BytecodeGenerator::emitDirectPutById):
3183         (JSC::BytecodeGenerator::emitPutGetterById):
3184         (JSC::BytecodeGenerator::emitPutSetterById):
3185         (JSC::BytecodeGenerator::emitPutGetterSetter):
3186         (JSC::BytecodeGenerator::emitPutGetterByVal):
3187         (JSC::BytecodeGenerator::emitPutSetterByVal):
3188         (JSC::BytecodeGenerator::emitDeleteById):
3189         (JSC::BytecodeGenerator::emitGetByVal):
3190         (JSC::BytecodeGenerator::emitPutByVal):
3191         (JSC::BytecodeGenerator::emitDirectPutByVal):
3192         (JSC::BytecodeGenerator::emitDeleteByVal):
3193         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
3194         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
3195         (JSC::BytecodeGenerator::emitIdWithProfile):
3196         (JSC::BytecodeGenerator::emitUnreachable):
3197         (JSC::BytecodeGenerator::emitGetArgument):
3198         (JSC::BytecodeGenerator::emitCreateThis):
3199         (JSC::BytecodeGenerator::emitTDZCheck):
3200         (JSC::BytecodeGenerator::emitNewObject):
3201         (JSC::BytecodeGenerator::emitNewArrayBuffer):
3202         (JSC::BytecodeGenerator::emitNewArray):
3203         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
3204         (JSC::BytecodeGenerator::emitNewArrayWithSize):
3205         (JSC::BytecodeGenerator::emitNewRegExp):
3206         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
3207         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3208         (JSC::BytecodeGenerator::emitNewFunction):
3209         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
3210         (JSC::BytecodeGenerator::emitCall):
3211         (JSC::BytecodeGenerator::emitCallInTailPosition):
3212         (JSC::BytecodeGenerator::emitCallEval):
3213         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3214         (JSC::BytecodeGenerator::emitCallVarargs):
3215         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3216         (JSC::BytecodeGenerator::emitConstructVarargs):
3217         (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
3218         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3219         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3220         (JSC::BytecodeGenerator::emitCallDefineProperty):
3221         (JSC::BytecodeGenerator::emitReturn):
3222         (JSC::BytecodeGenerator::emitEnd):
3223         (JSC::BytecodeGenerator::emitConstruct):
3224         (JSC::BytecodeGenerator::emitStrcat):
3225         (JSC::BytecodeGenerator::emitToPrimitive):
3226         (JSC::BytecodeGenerator::emitGetScope):
3227         (JSC::BytecodeGenerator::emitPushWithScope):
3228         (JSC::BytecodeGenerator::emitGetParentScope):
3229         (JSC::BytecodeGenerator::emitDebugHook):
3230         (JSC::BytecodeGenerator::emitCatch):
3231         (JSC::BytecodeGenerator::emitThrow):
3232         (JSC::BytecodeGenerator::emitArgumentCount):
3233         (JSC::BytecodeGenerator::emitThrowStaticError):
3234         (JSC::BytecodeGenerator::beginSwitch):
3235         (JSC::prepareJumpTableForSwitch):
3236         (JSC::prepareJumpTableForStringSwitch):
3237         (JSC::BytecodeGenerator::endSwitch):
3238         (JSC::BytecodeGenerator::emitGetEnumerableLength):
3239         (JSC::BytecodeGenerator::emitHasGenericProperty):
3240         (JSC::BytecodeGenerator::emitHasIndexedProperty):
3241         (JSC::BytecodeGenerator::emitHasStructureProperty):
3242         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
3243         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
3244         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
3245         (JSC::BytecodeGenerator::emitToIndexString):
3246         (JSC::BytecodeGenerator::emitIsCellWithType):
3247         (JSC::BytecodeGenerator::emitIsObject):
3248         (JSC::BytecodeGenerator::emitIsNumber):
3249         (JSC::BytecodeGenerator::emitIsUndefined):
3250         (JSC::BytecodeGenerator::emitIsEmpty):
3251         (JSC::BytecodeGenerator::emitRestParameter):
3252         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
3253         (JSC::BytecodeGenerator::emitYieldPoint):
3254         (JSC::BytecodeGenerator::emitYield):
3255         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3256         (JSC::BytecodeGenerator::emitDelegateYield):
3257         (JSC::BytecodeGenerator::emitFinallyCompletion):
3258         (JSC::BytecodeGenerator::emitJumpIf):
3259         (JSC::ForInContext::finalize):
3260         (JSC::StructureForInContext::finalize):
3261         (JSC::IndexedForInContext::finalize):
3262         (JSC::StaticPropertyAnalysis::record):
3263         (JSC::BytecodeGenerator::emitToThis):
3264         * bytecompiler/BytecodeGenerator.h:
3265         (JSC::StructureForInContext::addGetInst):
3266         (JSC::BytecodeGenerator::recordOpcode):
3267         (JSC::BytecodeGenerator::addMetadataFor):
3268         (JSC::BytecodeGenerator::emitUnaryOp):
3269         (JSC::BytecodeGenerator::kill):
3270         (JSC::BytecodeGenerator::instructions const):
3271         (JSC::BytecodeGenerator::write):
3272         (JSC::BytecodeGenerator::withWriter):
3273         * bytecompiler/Label.h:
3274         (JSC::Label::Label):
3275         (JSC::Label::bind):
3276         * bytecompiler/NodesCodegen.cpp:
3277         (JSC::ArrayNode::emitBytecode):
3278         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argumentCount):
3279         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3280         (JSC::BitwiseNotNode::emitBytecode):
3281         (JSC::BinaryOpNode::emitBytecode):
3282         (JSC::EqualNode::emitBytecode):
3283         (JSC::StrictEqualNode::emitBytecode):
3284         (JSC::emitReadModifyAssignment):
3285         (JSC::ForInNode::emitBytecode):
3286         (JSC::CaseBlockNode::emitBytecodeForBlock):
3287         (JSC::FunctionNode::emitBytecode):
3288         (JSC::ClassExprNode::emitBytecode):
3289         * bytecompiler/ProfileTypeBytecodeFlag.cpp: Copied from Source/JavaScriptCore/bytecode/VirtualRegister.cpp.
3290         (WTF::printInternal):
3291         * bytecompiler/ProfileTypeBytecodeFlag.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3292         * bytecompiler/RegisterID.h:
3293         * bytecompiler/StaticPropertyAnalysis.h:
3294         (JSC::StaticPropertyAnalysis::create):
3295         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
3296         * bytecompiler/StaticPropertyAnalyzer.h:
3297         (JSC::StaticPropertyAnalyzer::createThis):
3298         (JSC::StaticPropertyAnalyzer::newObject):
3299         (JSC::StaticPropertyAnalyzer::putById):
3300         (JSC::StaticPropertyAnalyzer::mov):
3301         (JSC::StaticPropertyAnalyzer::kill):
3302         * dfg/DFGByteCodeParser.cpp:
3303         (JSC::DFG::ByteCodeParser::addCall):
3304         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3305         (JSC::DFG::ByteCodeParser::getArrayMode):
3306         (JSC::DFG::ByteCodeParser::handleCall):
3307         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3308         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3309         (JSC::DFG::ByteCodeParser::inlineCall):
3310         (JSC::DFG::ByteCodeParser::handleCallVariant):
3311         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3312         (JSC::DFG::ByteCodeParser::handleInlining):
3313         (JSC::DFG::ByteCodeParser::handleMinMax):
3314         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3315         (JSC::DFG::ByteCodeParser::handleDOMJITCall):
3316         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3317         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3318         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3319         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
3320         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3321         (JSC::DFG::ByteCodeParser::handleGetById):
3322         (JSC::DFG::ByteCodeParser::handlePutById):
3323         (JSC::DFG::ByteCodeParser::parseGetById):
3324         (JSC::DFG::ByteCodeParser::parseBlock):
3325         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3326         (JSC::DFG::ByteCodeParser::handlePutByVal):
3327         (JSC::DFG::ByteCodeParser::handlePutAccessorById):
3328         (JSC::DFG::ByteCodeParser::handlePutAccessorByVal):
3329         (JSC::DFG::ByteCodeParser::handleNewFunc):
3330         (JSC::DFG::ByteCodeParser::handleNewFuncExp):
3331         (JSC::DFG::ByteCodeParser::parse):
3332         * dfg/DFGCapabilities.cpp:
3333         (JSC::DFG::capabilityLevel):
3334         * dfg/DFGCapabilities.h:
3335         (JSC::DFG::capabilityLevel):
3336         * dfg/DFGOSREntry.cpp:
3337         (JSC::DFG::prepareCatchOSREntry):
3338         * dfg/DFGSpeculativeJIT.cpp:
3339         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3340         (JSC::DFG::SpeculativeJIT::compileValueSub):
3341         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3342         (JSC::DFG::SpeculativeJIT::compileArithMul):
3343         * ftl/FTLLowerDFGToB3.cpp:
3344         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3345         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3346         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
3347         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3348         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3349         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3350         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3351         * ftl/FTLOperations.cpp:
3352         (JSC::FTL::operationMaterializeObjectInOSR):
3353         * generate-bytecode-files: Removed.
3354         * generator/Argument.rb: Added.
3355         * generator/Assertion.rb: Added.
3356         * generator/DSL.rb: Added.
3357         * generator/Fits.rb: Added.
3358         * generator/GeneratedFile.rb: Added.
3359         * generator/Metadata.rb: Added.
3360         * generator/Opcode.rb: Added.
3361         * generator/OpcodeGroup.rb: Added.
3362         * generator/Options.rb: Added.
3363         * generator/Section.rb: Added.
3364         * generator/Template.rb: Added.
3365         * generator/Type.rb: Added.
3366         * generator/main.rb: Added.
3367         * interpreter/AbstractPC.h:
3368         * interpreter/CallFrame.cpp:
3369         (JSC::CallFrame::currentVPC const):
3370         (JSC::CallFrame::setCurrentVPC):
3371         * interpreter/CallFrame.h:
3372         (JSC::CallSiteIndex::CallSiteIndex):
3373         (JSC::ExecState::setReturnPC):
3374         * interpreter/Interpreter.cpp:
3375         (WTF::printInternal):
3376         * interpreter/Interpreter.h:
3377         * interpreter/InterpreterInlines.h:
3378         * interpreter/StackVisitor.cpp:
3379         (JSC::StackVisitor::Frame::dump const):
3380         * interpreter/VMEntryRecord.h:
3381         * jit/JIT.cpp:
3382         (JSC::JIT::JIT):
3383         (JSC::JIT::emitSlowCaseCall):
3384         (JSC::JIT::privateCompileMainPass):
3385         (JSC::JIT::privateCompileSlowCases):
3386         (JSC::JIT::compileWithoutLinking):
3387         (JSC::JIT::link):
3388         * jit/JIT.h:
3389         * jit/JITArithmetic.cpp:
3390         (JSC::JIT::emit_op_jless):