[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2020-05-21  Saam Barati  <sbarati@apple.com>

        Add an option that exposes functions on the global object to turn on and off the sampling profiler and the super sampler
        https://bugs.webkit.org/show_bug.cgi?id=212178

        Reviewed by Yusuke Suzuki.

        When profiling things like Speedometer inside the browser, it's important to
        only enable the super sampler and the sampling profiler around the code
        that you want profiled. Otherwise, you will be profiling things that aren't
        relevant to the benchmark score. This patch adds a new option, exposeProfilersOnGlobalObject,
        which when true, will expose JS functions on the global object that allow
        enabling/disabling the super sampler and the sampling profiler. This way,
        we can change the Speedometer source code locally such that these profilers
        are only sampling code accounted for in the benchmark score.

        * bytecode/SuperSampler.cpp:
        (JSC::initializeSuperSampler):
        (JSC::enableSuperSampler):
        (JSC::disableSuperSampler):
        * bytecode/SuperSampler.h:
        * jsc.cpp:
        (jscmain):
        * runtime/JSGlobalObject.cpp:
        (JSC::enableSamplingProfiler):
        (JSC::disableSamplingProfiler):
        (JSC::enableSuperSampler):
        (JSC::disableSuperSampler):
        (JSC::JSGlobalObject::init):
        * runtime/OptionsList.h:

2020-05-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Fix 32bit JSBigInt with INT32_MAX < x <= UINT32_MAX
        https://bugs.webkit.org/show_bug.cgi?id=212193

        Reviewed by Mark Lam.

        On 32bit architectures, we are creating one-length JSBigInt for INT32_MIN <= x <= INT32_MAX, and two-length JSBigInt otherwise.
        This is wrong since one-length JSBigInt should cover from -UINT32_MAX <= x <= UINT32_MAX.

        This patch fixes the bug and cleans up createFrom(VM&, int64_t). And it also adds JSBigInt::createFrom(VM&, uint64_t) in preparation for [1].
        Currently, this path is not used while it was used previously because BigIntConstructor starts using JSBigInt::createFrom(VM&, double). But this
        will be used in [1], and the existing implementation is simply wrong.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=190800

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFromImpl):
        (JSC::JSBigInt::createFrom):
        * runtime/JSBigInt.h:
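        An added model of the limb-length rule this entry corrects (not JSC's JSBigInt code): it assumes a 32-bit build stores magnitude in 32-bit limbs with the sign kept separately, and that zero has no limbs. It contrasts the old INT32-based rule with the corrected magnitude-based one for both the int64_t and uint64_t creation shapes.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of the 32-bit limb-length rule from the entry above; not JSC's
// JSBigInt code. Assumptions: a 32-bit build uses 32-bit limbs, a bigint is
// a sign flag plus little-endian magnitude limbs, and zero has no limbs.
typedef uint32_t Digit;

struct ToyBigInt {
    bool negative;
    std::vector<Digit> digits; // little-endian magnitude, no leading zero limbs
};

// Magnitude of a signed 64-bit value, computed in unsigned arithmetic so that
// INT64_MIN does not overflow.
static uint64_t magnitudeOf(int64_t value)
{
    if (value < 0)
        return static_cast<uint64_t>(0) - static_cast<uint64_t>(value);
    return static_cast<uint64_t>(value);
}

// The buggy rule the entry describes: one limb only for INT32_MIN <= x <= INT32_MAX,
// two limbs otherwise. A value such as 0x80000000 wrongly gets a second limb.
static size_t buggyLengthFor(int64_t value)
{
    if (value >= INT32_MIN && value <= INT32_MAX)
        return 1;
    return 2;
}

// The corrected rule: one 32-bit limb holds any magnitude up to UINT32_MAX, so
// -UINT32_MAX <= x <= UINT32_MAX needs one limb; larger magnitudes need two.
static size_t lengthFor(int64_t value)
{
    uint64_t magnitude = magnitudeOf(value);
    if (!magnitude)
        return 0;
    if (magnitude <= UINT32_MAX)
        return 1;
    return 2;
}

// Split an unsigned magnitude into limbs (the createFrom(VM&, uint64_t) shape).
static ToyBigInt createFromUint64(uint64_t magnitude)
{
    ToyBigInt result;
    result.negative = false;
    while (magnitude) {
        result.digits.push_back(static_cast<Digit>(magnitude & 0xFFFFFFFFu));
        magnitude >>= 32;
    }
    return result;
}

// Signed variant (the createFrom(VM&, int64_t) shape): the sign is kept
// separately, so the limb count depends only on the magnitude.
static ToyBigInt createFromInt64(int64_t value)
{
    ToyBigInt result = createFromUint64(magnitudeOf(value));
    result.negative = value < 0;
    return result;
}

// Reassemble a value whose magnitude fits in 63 bits, to check round-tripping.
static int64_t toInt64(const ToyBigInt& bigInt)
{
    uint64_t magnitude = 0;
    for (size_t i = bigInt.digits.size(); i-- > 0;)
        magnitude = (magnitude << 32) | bigInt.digits[i];
    int64_t signedMagnitude = static_cast<int64_t>(magnitude);
    return bigInt.negative ? -signedMagnitude : signedMagnitude;
}
```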

2020-05-21  Paulo Matos  <pmatos@igalia.com>

        Further non-unified build fixes
        https://bugs.webkit.org/show_bug.cgi?id=212195

        Reviewed by Adrian Perez de Castro.

        * bytecode/InstanceOfStatus.cpp:
        * heap/MarkedSpace.cpp:
        * runtime/ObjectInitializationScope.cpp:
        * runtime/ThrowScope.cpp:

2020-05-21  Alexey Shvayka  <shvaikalesh@gmail.com>

        Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
        https://bugs.webkit.org/show_bug.cgi?id=212167

        Reviewed by Saam Barati.

        This patch increases the "length" limit of the Array.prototype.concat result to @MAX_SAFE_INTEGER
        and changes the thrown error to TypeError, aligning JSC with the spec [1], V8, and SpiderMonkey.

        Also, adds the missing @MAX_SAFE_INTEGER overflow check in Array.from [2] (we implement similar
        checks in other methods). SunSpider and microbenchmarks/concat-append-one.js are both neutral.

        [1]: https://tc39.es/ecma262/#sec-array.prototype.concat (steps 5.c.iii, 5.d.ii)
        [2]: https://tc39.es/ecma262/#sec-array.from (step 5.e.i)

        * builtins/ArrayConstructor.js:
        (from):
        * builtins/ArrayPrototype.js:
        (globalPrivate.concatSlowPath):

2020-05-20  Michael Saboff  <msaboff@apple.com>

        [Wasm] Limit the size of Wasm function we optimize in OMG mode
        https://bugs.webkit.org/show_bug.cgi?id=212105

        Reviewed by Filip Pizlo.

        Given that memory grows O(N^2) compiling Wasm code through the OMG path,
        we can run out of memory when compiling large Wasm functions.  This change adds
        a limit option, webAssemblyBBQFallbackSize.  When the Wasm function size is
        equal to or greater than this limit we always compile using BBQ optimization
        parameters.

        As part of this change, we still go through the OMG loop entry OSR code
        generation path for functions that are at or above the threshold, but we
        compile such functions with BBQ compilation optimization levels.
        Also for Wasm functions at or above the threshold, we don't tier up to an
        OMG compiled normal entry function.  Instead we stay with the BBQ compiled version.

        * runtime/OptionsList.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmCompilationMode.cpp:
        (JSC::Wasm::wasmFunctionSizeCanBeOMGCompiled):
        * wasm/WasmCompilationMode.h:
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::operationWasmTriggerOSREntryNow):

2020-05-19  Ross Kirsling  <ross.kirsling@sony.com>

        REGRESSION(r261755): Win/Linux non-unified builds have hundreds of link failures
        https://bugs.webkit.org/show_bug.cgi?id=212111

        Unreviewed build fix.

        * API/:
        * bindings/:
        * bytecode/:
        * bytecompiler/NodesCodegen.cpp:
        * debugger/:
        * dfg/:
        * heap/:
        * inspector/:
        * interpreter/:
        * jit/:
        * llint/LLIntEntrypoint.cpp:
        * parser/:
        * profiler/:
        * runtime/:
        Restore *Inlines.h includes for >300 files,
        but try to preserve the spirit of the original patch by pruning redundancies along the way.

2020-05-19  Mark Lam  <mark.lam@apple.com>

        Put PtrTagLookup data structures in Configs for freezing.
        https://bugs.webkit.org/show_bug.cgi?id=212089
        <rdar://problem/63401487>

        Reviewed by Robin Morisset.

        PtrTagLookup data structures were always meant to only be initialized once at
        initialization time and never modified thereafter.  This patch puts them in the
        Configs for freezing to document and enforce this invariant.

        * runtime/JSCConfig.h:
        * runtime/JSCPtrTag.cpp:
        (JSC::initializePtrTagLookup):

2020-05-19  Youenn Fablet  <youenn@apple.com>

        [ Mac wk1 Debug ] imported/w3c/web-platform-tests/fetch/api/basic/stream-safe-creation.any.html  is flaky crashing with alerts - WTFCrashWithInfo - SC::JSObject::get(JSC::JSGlobalObject*, JSC::PropertyName)
        https://bugs.webkit.org/show_bug.cgi?id=211923
        <rdar://problem/63244249>

        Reviewed by Mark Lam.

        * runtime/JSObject.h:
        (JSC::JSObject::get const):
        When calling get, a terminate exception might happen if running in workers.
        Return early in that case. Add an ASSERT that only terminated exceptions can actually happen.

2020-05-18  Andy Estes  <aestes@apple.com>

        http/tests/ssl/applepay/ApplePayInstallmentConfiguration.https.html fails in public SDK builds
        https://bugs.webkit.org/show_bug.cgi?id=212000
        <rdar://problem/63323082>

        Reviewed by Youenn Fablet.

        * Configurations/FeatureDefines.xcconfig:

2020-05-18  Saam Barati  <sbarati@apple.com>

        Do more speculation that a GetByVal/PutByVal will have an int32 index based on data from ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=211877

        Reviewed by Yusuke Suzuki.

        Before this patch, when a GetByVal or PutByVal had a non-int32 prediction for
        their incoming index, they'd fall completely off the fast path. However, there
        are programs where an int32 is boxed inside a double, but our notion of
        predicted types doesn't fully capture this fact. For example, if we have a double Add
        to produce an array index, that double Add will predict a full double result,
        not a SpecAnyIntAsDouble. However, for GetByVal and PutByVal, there is information
        from ArrayProfile we can use to determine if the incoming value is expected to
        be in int32 range. The heuristic this patch introduces is:

        isFullNumberSpeculation(indexSpeculation)
        && node->arrayMode().isSpecific()
        && node->arrayMode().isInBounds()
        && !m_graph.hasExitSite(node->origin.semantic, Overflow) // DoubleAsInt32 will exit with Overflow on failure

        If these conditions are met, we'll now emit a DoubleAsInt32 conversion node
        for the index. This puts us along the fast path for GetByVal and PutByVal on
        array accesses where the incoming index is an int32 boxed in a double.

        To make the above isFullNumberSpeculation check more robust, this patch also
        makes it so non-index double accesses result in marking the array profile as
        out of bounds. So this means indices greater than max safe index, and also,
        fractional doubles.

        This is a 3.75x speedup on microbenchmarks/get-and-put-by-val-double-index-dont-fall-off-a-cliff.js

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * jit/JITOperations.cpp:
        (JSC::getByVal):

2020-05-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] BigInt peephole compare should speculate appropriately
        https://bugs.webkit.org/show_bug.cgi?id=212037
        <rdar://problem/63346966>

        Reviewed by Saam Barati.

        SpeculativeJIT::nonSpeculativePeepholeBranch missed BigInt speculation. This patch renames it
        to SpeculativeJIT::genericJSValuePeepholeBranch and adds speculation checks appropriately.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::genericJSValuePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        * dfg/DFGSpeculativeJIT.h:

2020-05-18  Keith Miller  <keith_miller@apple.com>

        OSR loop entry to iterator_next generic needs to CheckNotEmpty on m_next
        https://bugs.webkit.org/show_bug.cgi?id=212001

        Reviewed by Saam Barati.

        If we happen to OSR enter into iterator_next during a for-of loop
        that has only profiled a generic iterator but is actually running
        a fast iterator, we will incorrectly perform the Call node. This
        could happen if we loop_hint OSR enter the first time we have seen a
        fast iterator. If this happens right now, we generate the following
        code:

        D@113:<!2:loc15>    GetLocal(Check:Untyped:D@198, JS|MustGen|UseAsOther, Function|Empty, loc13(W~/FlushedJSValue), machine:loc10, R:Stack(loc13),Stack(loc5), bc#46, ExitValid)  predicting Function|Empty
          0x4913f1806151: mov -0x58(%rbp), %rsi
        D@114:<!0:->    FilterCallLinkStatus(Check:Untyped:D@113, MustGen, (Function: Object: 0x1053f47e0 with butterfly 0x0 (Structure 0x1053f9260:[0x6dad, Function, {}, NonArray, Proto:0x1050fc248]), StructureID: 28077; Executable: next#Ddkruz:[0x1053c0480->0x1053e4a80, BaselineFunctionCall, 54 (StrictMode)]), R:Stack(loc5), W:SideState, bc#46, ExitValid)
        D@115:<!6:loc15>    Call(Check:Untyped:D@113, Check:Untyped:D@110, JS|MustGen|VarArgs|UseAsOther, Final, R:World,Stack(loc5), W:Heap, ExitsForExceptions, ClobbersExit, bc#46, ExitValid)  predicting Final
          0x4913f1806155: mov $0x1, 0x10(%rsp)
          0x4913f180615d: mov %rax, 0x18(%rsp)
          0x4913f1806162: mov %rsi, 0x8(%rsp)
          0x4913f1806167: mov %rax, -0xa0(%rbp)
          0x4913f180616e: mov $0x0, 0x24(%rbp)
          0x4913f1806175: mov $0x0, %r11
          0x4913f180617f: cmp %r11, %rsi
          0x4913f1806182: jnz 0x4913f1806192
          0x4913f1806188: call 0x4913f180618d
          0x4913f180618d: jmp 0x4913f18061ae
          0x4913f1806192: mov %rsi, %rax
          0x4913f1806195: mov $0x1050cfcb0, %rdx
          0x4913f180619f: mov $0x1052fab68, %rcx
          0x4913f18061a9: call 0x4913f1801680
          0x4913f18061ae: lea -0xd0(%rbp), %rsp
        D@116:<!0:->    MovHint(Check:Untyped:D@115, MustGen, tmp0, R:Stack(loc5), W:SideState, ClobbersExit, bc#46, ExitInvalid)
        D@332:<!0:->    InvalidationPoint(MustGen, R:Stack(loc5), W:SideState, Exits, bc#46, exit: bc#46cp#1, ExitValid)
        D@335:<!0:->    CheckStructure(Check:Cell:D@115, MustGen, [%B2:Object], R:Stack(loc5),JSCell_structureID, Exits, bc#46, exit: bc#46cp#1, ExitValid)
          0x4913f18061b5: test %rax, %r15
          0x4913f18061b8: jnz 0x4913f18068db
          0x4913f18061be: cmp $0xcaae, (%rax)
          0x4913f18061c4: jnz 0x4913f18068f1

        Loc13 in this IR is the location of the next function. Since it's
        nullptr, we will pass the initial fast-path value of 0 and make a
        garbage call. This is because Call does not know how to handle
        empty values. Subsequently, we will fail a structure check for the
        Call's result and OSR exit to the getDone checkpoint. The fix for
        this is to simply put a CheckNotEmpty at the top of the generic
        case. 99.9% of the time this check will be eliminated so it
        doesn't really cost anything.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2020-05-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, link fix for our internal Debug build

        * heap/AlignedMemoryAllocator.cpp:

2020-05-17  Lauro Moura  <lmoura@igalia.com>

        [JSC] Silence unused-but-set-parameter warnings for older compilers
        https://bugs.webkit.org/show_bug.cgi?id=212006

        Reviewed by Mark Lam.

        GCC up to 9.x will emit unused-but-set-parameter for the sources
        parameter when NumberOfRegisters is zero (the if block is eliminated)
        and for destinations when ASSERT_ENABLED is also false.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubArgs):

2020-05-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make OutOfMemory error an instance of RangeError
        https://bugs.webkit.org/show_bug.cgi?id=211952

        Reviewed by Mark Lam.

        The spec sometimes requires "check parameters and throw RangeError" before allocating an object.
        But we are just allocating an object and throwing an out-of-memory error since a wrong parameter will
        cause out-of-memory. If the out-of-memory error is a RangeError, then we can keep our current behavior while
        also being spec compliant. And note that the out-of-memory error is a RangeError in SpiderMonkey and V8.

        This patch makes the out-of-memory error a RangeError instead of an Error. We also fix @throwOutOfMemoryError
        in builtin code: the previously thrown errors were not marked as out-of-memory errors.

        * bytecode/BytecodeList.rb:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitThrowStaticError):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitThrowRangeError):
        (JSC::BytecodeGenerator::emitThrowOutOfMemoryError):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createOutOfMemoryError):
        * runtime/Error.h:
        * runtime/ErrorType.cpp:
        (JSC::errorTypeName):
        (WTF::printInternal):
        * runtime/ErrorType.h: We introduced ErrorTypeWithExtension separately from ErrorType to keep ErrorType one-on-one to spec-specified error types.

2020-05-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] getFunctionRealm should not use recursion
        https://bugs.webkit.org/show_bug.cgi?id=211965
        <rdar://problem/63268287>

        Reviewed by Saam Barati.

        This patch avoids using recursion in getFunctionRealm to avoid stack-overflow.

        * runtime/InternalFunction.cpp:
        (JSC::getFunctionRealm):

2020-05-15  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix internal arm64e build.

        * dfg/DFGSpeculativeJIT.cpp:

2020-05-15  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix internal fast tls build.

        * jit/AssemblyHelpers.cpp:

2020-05-15  Ross Kirsling  <ross.kirsling@sony.com>

        [IWYU] Remove unnecessary includes from JSC implementation files
        https://bugs.webkit.org/show_bug.cgi?id=211867

        Reviewed by Keith Miller.

        * API/:
        * assembler/:
        * b3/:
        * bindings/:
        * builtins/BuiltinExecutables.cpp:
        * bytecode/:
        * bytecompiler/:
        * debugger/:
        * dfg/:
        * disassembler/:
        * ftl/:
        * heap/:
        * inspector/:
        * interpreter/:
        * jit/:
        * jsc.cpp:
        * llint/:
        * parser/:
        * profiler/:
        * runtime/:
        * testRegExp.cpp:
        * tools/:
        * wasm/:
        * yarr/:

2020-05-15  Michael Catanzaro  <mcatanzaro@gnome.org>

        -Wtype-limits warning spam from CCallHelpers.h
        https://bugs.webkit.org/show_bug.cgi?id=211701

        Reviewed by Darin Adler.

        Skip the problematic loops when TargetSize or NumberOfRegisters is 0 using constexpr if.
        Solution suggested by Mark Lam.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubArgs):
        (JSC::CCallHelpers::clampArrayToSize):

2020-05-15  Mark Lam  <mark.lam@apple.com>

        Remove debugging dataLogs in LinkBuffer::copyCompactAndLinkCode() for release builds.
        https://bugs.webkit.org/show_bug.cgi?id=211961
        <rdar://problem/63264848>

        Reviewed by Keith Miller.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2020-05-15  Paulo Matos  <pmatos@igalia.com>

        Fix ARM NEON only assert
        https://bugs.webkit.org/show_bug.cgi?id=211889

        Reviewed by Mark Lam.

        Fix assert that breaks if ARM does not contain NEON extensions -
        the register d16 is only defined if NEON exists.

        * assembler/ARMv7Assembler.h:
        (JSC::RegisterNames::asSingle):
        (JSC::RegisterNames::asSingleUpper):

2020-05-14  Saam Barati  <sbarati@apple.com>

        GetByVal and PutByVal runtime operations shouldn't fall off a performance cliff when the property is an integer boxed as a double
        https://bugs.webkit.org/show_bug.cgi?id=211935

        Reviewed by Yusuke Suzuki and Mark Lam.

        There were parts in the runtime for get_by_val that weren't properly handling
        ints boxed as doubles along the fast path. This could lead to terrible
        performance as we could go from double -> string -> int while converting the
        subscript into a property to access.

        This patch fixes that, and removes the duplicate code we had throughout the
        codebase that does this conversion. I'm adding new functions, tryGetAsUint32Index
        and tryGetAsInt32, which will handle the double to int conversion.

        This is a 10x speedup on the microbenchmark get-and-put-by-val-double-index-dont-fall-off-a-cliff.js

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jsc.cpp:
        (functionAsDoubleNumber):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::tryGetAsUint32Index):
        (JSC::JSValue::tryGetAsInt32):
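        An added model (not JSC's code) of the int-boxed-as-double subscript handling described in this entry and in the GetByVal/PutByVal DoubleAsInt32 entry of 2020-05-18 above: the function names mirror the ones mentioned, while the index ceiling of 2^32 - 2 and the reduction of the array profile to a single out-of-bounds flag read by the fixup heuristic are assumptions made for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <vector>

// Model (not JSC's code) of the double-subscript handling these entries
// describe. Assumed here: the index ceiling 2^32 - 2 (the largest ECMAScript
// array index), and an array profile reduced to one out-of-bounds flag that
// the fixup heuristic reads as "!arrayMode().isInBounds()".
static const uint32_t kMaxArrayIndex = 0xFFFFFFFEu;

// Exact integer test: rejects NaN, infinities and fractional values. -0.0 is
// accepted because ToString(-0) is "0", i.e. the same property as index 0.
static bool isExactInteger(double d)
{
    return std::isfinite(d) && std::trunc(d) == d;
}

// Mirror of the tryGetAsUint32Index idea: an exact, non-negative integer in
// array-index range becomes an index directly, with no double -> string -> int
// round trip. Returns false when the double is not usable as an index.
static bool tryGetAsUint32Index(double d, uint32_t& index)
{
    if (!isExactInteger(d) || d < 0 || d > static_cast<double>(kMaxArrayIndex))
        return false;
    index = static_cast<uint32_t>(d);
    return true;
}

// Mirror of the tryGetAsInt32 idea: an exact integer within int32 range.
static bool tryGetAsInt32(double d, int32_t& value)
{
    if (!isExactInteger(d) || d < static_cast<double>(INT32_MIN) || d > static_cast<double>(INT32_MAX))
        return false;
    value = static_cast<int32_t>(d);
    return true;
}

struct ArrayProfile {
    bool outOfBounds; // set once an access could not take the in-bounds index path
    ArrayProfile() : outOfBounds(false) { }
};

// Runtime slow-path model of get_by_val with a double subscript. A boxed int32
// in range takes the indexed fast path. Anything else (fractional, NaN,
// negative, above the max index, or a genuinely out-of-bounds index) marks the
// profile out of bounds, which is what stops the DFG from speculating an
// int32 index at sites that have seen such subscripts.
static bool getByValDoubleSubscript(const std::vector<double>& storage, double subscript, ArrayProfile& profile, double& result)
{
    uint32_t index = 0;
    if (tryGetAsUint32Index(subscript, index) && index < storage.size()) {
        result = storage[index];
        return true;
    }
    profile.outOfBounds = true;
    return false; // caller falls back to the generic property lookup
}

// The fixup heuristic quoted in the DoubleAsInt32 entry, as a predicate:
// isFullNumberSpeculation(index) && arrayMode.isSpecific() && arrayMode.isInBounds()
// && !hasExitSite(Overflow).
static bool shouldEmitDoubleAsInt32(bool isFullNumberSpeculation, bool arrayModeIsSpecific, const ArrayProfile& profile, bool hasOverflowExitSite)
{
    return isFullNumberSpeculation && arrayModeIsSpecific && !profile.outOfBounds && !hasOverflowExitSite;
}

// Scenario: an in-range boxed int32 keeps the profile clean; a fractional
// subscript at the same site poisons it, so DoubleAsInt32 is no longer emitted.
static bool fractionalAccessDisablesDoubleAsInt32()
{
    ArrayProfile profile;
    std::vector<double> storage; // constructed sample array storage
    storage.push_back(10.0);
    storage.push_back(20.0);
    storage.push_back(30.0);
    double value = 0;
    bool fastPathOk = getByValDoubleSubscript(storage, 1.0, profile, value) && value == 20.0
        && shouldEmitDoubleAsInt32(true, true, profile, false);
    bool genericPath = !getByValDoubleSubscript(storage, 1.5, profile, value);
    return fastPathOk && genericPath && !shouldEmitDoubleAsInt32(true, true, profile, false);
}
```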
474
475 2020-05-14  Devin Rousso  <drousso@apple.com>
476
477         [ESNext] enable logical assignment operators by default
478         https://bugs.webkit.org/show_bug.cgi?id=211921
479
480         Reviewed by Yusuke Suzuki.
481
482         * runtime/OptionsList.h:
483         * parser/Lexer.cpp:
484         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
485         Remove `useLogicalAssignmentOperators` option.
486
487 2020-05-14  Keith Miller  <keith_miller@apple.com>
488
489         Undecided Arrays shouldn't need to be OriginalArray to covert to GetArrayLength
490         https://bugs.webkit.org/show_bug.cgi?id=211914
491
492         Reviewed by Saam Barati.
493
494         Also, fix a bug that arrayModesThatPassFiltering() can't handle
495         Undecided arrays. Because we can now emit a CheckArray on
496         Undecided AI will try to figure out what types flow out of the
497         check. Since Undecided was unhandled by filtering, AI will assume
498         bottom is the only possible value and the DFG/FTL will insert a
499         breakpoint, causing a crash.
500
501         * dfg/DFGArrayMode.cpp:
502         (JSC::DFG::ArrayMode::refine const):
503         * dfg/DFGArrayMode.h:
504         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
505
506 2020-05-14  Keith Miller  <keith_miller@apple.com>
507
508         GetArrayLength should be "blessed" during Fixup phase in the DFG
509         https://bugs.webkit.org/show_bug.cgi?id=211540
510
511         Reviewed by Saam Barati.
512
513         If we got an ArrayMode during bytecode parsing for-of that expects
514         to be configured during Fixup, then right now we will crash on
515         GetArrayLength. This fixes GetArrayLength to properly call
516         blessArrayOperation and fixes clobberize to know that
517         GetArrayLength could have a ForceExit ArrayMode briefly before
518         being cleaned up.
519
520         When blessing GetArrayLength we can now produce CheckArrays that
521         have an AnyTypedArray ArrayMode::Type. So this patch expands
522         CheckArray to properly handle that. To help with this we expand
523         branchIfType to have a starting JSType and an optional ending
524         JSType. Additionally, to prevent extra checks AI has been taught
525         to fold more ArrayModes so we should almost always avoid new
526         runtime checks.
527
528         Lastly, make sure that Undecided Arrays don't fall back to generic
529         because GetArrayLength can't be converted to...
530         GetArrayLenth. Also, GetArrayLength would previously pass it's own
531         speculation for the speculation of the index, which logically
532         doesn't make sense. So this patch adds a new constant, which is
533         SpecInt32Only, that can be passed if a DFG node doesn't have an
534         index.
535
536         * assembler/testmasm.cpp:
537         (JSC::testBranchIfType):
538         (JSC::testBranchIfNotType):
539         (JSC::run):
540         * dfg/DFGArrayMode.cpp:
541         (JSC::DFG::canBecomeGetArrayLength):
542         * dfg/DFGArrayMode.h:
543         * dfg/DFGClobberize.h:
544         (JSC::DFG::clobberize):
545         * dfg/DFGFixupPhase.cpp:
546         (JSC::DFG::FixupPhase::fixupNode):
547         (JSC::DFG::FixupPhase::blessArrayOperation):
548         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
549         * dfg/DFGSpeculativeJIT.cpp:
550         (JSC::DFG::SpeculativeJIT::checkArray):
551         * ftl/FTLLowerDFGToB3.cpp:
552         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
553         * jit/AssemblyHelpers.h:
554         (JSC::AssemblyHelpers::branchIfType):
555         (JSC::AssemblyHelpers::branchIfNotType):
556         * runtime/JSType.h:
557
558 2020-05-13  Keith Miller  <keith_miller@apple.com>
559
560         iteration bytecodes need to handle osr exiting from inlined getter frames
561         https://bugs.webkit.org/show_bug.cgi?id=211873
562
563         Reviewed by Saam Barati.
564
565         * llint/LLIntSlowPaths.cpp:
566         (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call):
567
568 2020-05-13  Devin Rousso  <drousso@apple.com>
569
570         Web Inspector: rename CSS.StyleSheetOrigin.Regular to CSS.StyleSheetOrigin.Author to match the spec
571         https://bugs.webkit.org/show_bug.cgi?id=211827
572
573         Reviewed by Timothy Hatcher.
574
575         * inspector/protocol/CSS.json:
576
577 2020-05-13  Yusuke Suzuki  <ysuzuki@apple.com>
578
579         JSDOMWindowBase m_windowCloseWatchpoints must be Ref<>
580         https://bugs.webkit.org/show_bug.cgi?id=211844
581
582         Reviewed by Mark Lam.
583
584         * bytecode/Watchpoint.cpp:
585         (JSC::InlineWatchpointSet::inflateSlow):
586         * bytecode/Watchpoint.h:
587         * runtime/JSGlobalObject.cpp:
588         (JSC::JSGlobalObject::JSGlobalObject):
589         * runtime/Structure.cpp:
590         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
591         * runtime/SymbolTable.cpp:
592         (JSC::SymbolTableEntry::prepareToWatch):
593         * runtime/VM.cpp:
594         (JSC::VM::ensureWatchpointSetForImpureProperty):
595
596 2020-05-13  Caio Lima  <ticaiolima@gmail.com>
597
598         Making 32-bits JIT build without Unified Build system
599         https://bugs.webkit.org/show_bug.cgi?id=211853
600
601         Reviewed by Adrian Perez de Castro.
602
603         This patch is moving some templates to allow non-unified builds on
604         32-bits JIT configurations.
605         Those templates were from JITArithmetic32_64 and JITPropertyAccess32_64.
606
607         * jit/JITArithmetic.cpp:
608         (JSC::JIT::emit_compareAndJump):
609         (JSC::JIT::emit_compareUnsignedAndJump):
610         (JSC::JIT::emit_compareUnsigned):
611         (JSC::JIT::emit_compareAndJumpSlow):
612         (JSC::JIT::emitBinaryDoubleOp):
613         * jit/JITArithmetic32_64.cpp:
614         (JSC::JIT::emit_compareAndJump): Deleted.
615         (JSC::JIT::emit_compareUnsignedAndJump): Deleted.
616         (JSC::JIT::emit_compareUnsigned): Deleted.
617         (JSC::JIT::emit_compareAndJumpSlow): Deleted.
618         (JSC::JIT::emitBinaryDoubleOp): Deleted.
619         * jit/JITOpcodes32_64.cpp:
620         * jit/JITPropertyAccess.cpp:
621         (JSC::JIT::emitPutByValWithCachedId):
622         * jit/JITPropertyAccess32_64.cpp:
623         (JSC::JIT::emitPutByValWithCachedId): Deleted.
624
625 2020-05-13  Caio Lima  <ticaiolima@gmail.com>
626
627         [JSC] Support delete by val/id IC on 32-bits
628         https://bugs.webkit.org/show_bug.cgi?id=208207
629
630         Reviewed by Saam Barati.
631
632         This patch implements DeleteById and DeleteByVal IC on 32-bits JIT. It
633         includes both Baseline and DFG changes.
634
635         * dfg/DFGFixupPhase.cpp:
636         (JSC::DFG::FixupPhase::fixupNode):
637         * dfg/DFGSpeculativeJIT.cpp:
638         (JSC::DFG::SpeculativeJIT::compileDeleteById):
639         (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
640         * dfg/DFGSpeculativeJIT32_64.cpp:
641         (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted.
642         (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted.
643         * dfg/DFGSpeculativeJIT64.cpp:
644         (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted.
645         (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted.
646         * ftl/FTLLowerDFGToB3.cpp:
647         (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
648         * jit/JITInlineCacheGenerator.cpp:
649         (JSC::JITDelByValGenerator::JITDelByValGenerator):
650         (JSC::JITDelByIdGenerator::JITDelByIdGenerator):
651         * jit/JITInlineCacheGenerator.h:
652         * jit/JITPropertyAccess.cpp:
653         (JSC::JIT::emit_op_del_by_id):
654         (JSC::JIT::emit_op_del_by_val):
655         * jit/JITPropertyAccess32_64.cpp:
656         (JSC::JIT::emit_op_del_by_id):
657         (JSC::JIT::emit_op_del_by_val):
658         (JSC::JIT::emitSlow_op_del_by_val):
659         (JSC::JIT::emitSlow_op_del_by_id):
660
661 2020-05-13  Saam Barati  <sbarati@apple.com>
662
663         MovHint can see an arguments object be MovHinted to a Tmp
664         https://bugs.webkit.org/show_bug.cgi?id=211820
665         <rdar://problem/62882158>
666
667         Reviewed by Keith Miller.
668
669         We had an assert that it wasn't possible to have a MovHint from an arguments
670         object to a Tmp. However, this is possible with for-of. There is nothing
671         about the current algorithm that is specific to only VirtualRegisters. The
672         algorithm also works over Tmps. So I've generalized the algorithm to just work
673         over Operand.
674
675         * dfg/DFGVarargsForwardingPhase.cpp:
676
677 2020-05-13  Alexey Shvayka  <shvaikalesh@gmail.com>
678
679         Move @isConstructor checks from fast paths of Array.from and Array.of
680         https://bugs.webkit.org/show_bug.cgi?id=211805
681
682         Reviewed by Keith Miller.
683
684         This semantically equivalent change advances provided Array.{from,of} microbenchmarks by ~60%. 
685
686         Also, this patch removes @isConstructor check from @newPromiseCapabilitySlow (that is heavily
687         used by Promise subclasses) since it comes right before [[Construct]], its message doesn't add
688         more clarity, and constructability of its argument was likely checked by @speciesConstructor.
689
690         * builtins/ArrayConstructor.js:
691         (of):
692         (from):
693         * builtins/PromiseOperations.js:
694         (globalPrivate.newPromiseCapabilitySlow):
695
696 2020-05-12  Alexey Shvayka  <shvaikalesh@gmail.com>
697
698         Implement @isConstructor bytecode intrinsic and bytecode for that
699         https://bugs.webkit.org/show_bug.cgi?id=144093
700
701         Reviewed by Keith Miller.
702
703         This change replaces @isConstructor link-time-constant with bytecode intrinsic and utilizes it
704         in ClassExprNode::emitBytecode() according to the spec [1], aligning JSC with V8 and SpiderMonkey.
705
706         Before this patch, we checked if "prototype" of superclass is an object, which is incorrect for
707         generators and bound non-constructor functions with own "prototype".
708
709         OpIsConstructor's fast path can't be easily compiled, and it's not hot code anyway, so instead
710         we reduce code bloat by just calling slow ops from DFG and FTL (if we bail out, we slow down all
711         @isConstructor call sites). This advances microbenchmarks/is-constructor.js by ~35%.
712
713         [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.f)
714
715         * JavaScriptCore.xcodeproj/project.pbxproj:
716         * Sources.txt:
717         * builtins/BuiltinNames.h:
718         * bytecode/BytecodeIntrinsicRegistry.h:
719         * bytecode/BytecodeList.rb:
720         * bytecode/BytecodeUseDef.cpp:
721         (JSC::computeUsesForBytecodeIndexImpl):
722         (JSC::computeDefsForBytecodeIndexImpl):
723         * bytecompiler/BytecodeGenerator.cpp:
724         (JSC::BytecodeGenerator::emitIsConstructor):
725         * bytecompiler/BytecodeGenerator.h:
726         * bytecompiler/NodesCodegen.cpp:
727         (JSC::ClassExprNode::emitBytecode):
728         * dfg/DFGAbstractInterpreterInlines.h:
729         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
730         * dfg/DFGByteCodeParser.cpp:
731         (JSC::DFG::ByteCodeParser::parseBlock):
732         * dfg/DFGCapabilities.cpp:
733         (JSC::DFG::capabilityLevel):
734         * dfg/DFGClobberize.h:
735         (JSC::DFG::clobberize):
736         * dfg/DFGDoesGC.cpp:
737         (JSC::DFG::doesGC):
738         * dfg/DFGFixupPhase.cpp:
739         (JSC::DFG::FixupPhase::fixupNode):
740         * dfg/DFGHeapLocation.cpp:
741         (WTF::printInternal):
742         * dfg/DFGHeapLocation.h:
743         * dfg/DFGNodeType.h:
744         * dfg/DFGOperations.cpp:
745         * dfg/DFGOperations.h:
746         * dfg/DFGPredictionPropagationPhase.cpp:
747         * dfg/DFGSafeToExecute.h:
748         (JSC::DFG::safeToExecute):
749         * dfg/DFGSpeculativeJIT.cpp:
750         (JSC::DFG::SpeculativeJIT::compileIsConstructor):
751         * dfg/DFGSpeculativeJIT.h:
752         * dfg/DFGSpeculativeJIT32_64.cpp:
753         (JSC::DFG::SpeculativeJIT::compile):
754         * dfg/DFGSpeculativeJIT64.cpp:
755         (JSC::DFG::SpeculativeJIT::compile):
756         * ftl/FTLCapabilities.cpp:
757         (JSC::FTL::canCompile):
758         * ftl/FTLLowerDFGToB3.cpp:
759         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
760         (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor):
761         * jit/JIT.cpp:
762         (JSC::JIT::privateCompileMainPass):
763         * llint/LowLevelInterpreter.asm:
764         * runtime/CommonSlowPaths.cpp:
765         (JSC::SLOW_PATH_DECL):
766         * runtime/CommonSlowPaths.h:
767         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
768         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
769         * runtime/JSGlobalObject.cpp:
770         (JSC::JSGlobalObject::init):
771
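Added example, not part of this ChangeLog or of the JavaScriptCore sources, illustrating the two @isConstructor entries above (2020-05-12 and 2020-05-13): the heritage check in ClassDefinitionEvaluation step 5.f, and the decision in Array.of about whether `this` is constructed or a plain Array is created. It shows why "does `prototype` hold an object" is the wrong test: a generator function and a bound non-constructor both carry an object-valued `prototype` yet fail IsConstructor. The function names are the example's own; the Reflect.construct probe is a standard portable IsConstructor test, not JSC's intrinsic.

```javascript
// Added example (not WebKit code). Demonstrates the IsConstructor semantics
// referenced by the @isConstructor ChangeLog entries using plain ECMAScript.

// Portable IsConstructor: Reflect.construct throws a TypeError when its
// newTarget argument lacks [[Construct]], before running any user code.
function isConstructor(value) {
  try {
    Reflect.construct(function () {}, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// The pre-patch heuristic the entry describes: is `value.prototype` an object?
function hasObjectPrototype(value) {
  if (value === null || (typeof value !== 'function' && typeof value !== 'object')) return false;
  const p = value.prototype;
  return p !== null && (typeof p === 'object' || typeof p === 'function');
}

// Does the engine running this accept `class extends base {}`?
// Per spec, only IsConstructor(base) or base === null is accepted.
function engineAcceptsHeritage(base) {
  try {
    class C extends base {}
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Two values with an object-valued "prototype" that are NOT constructors.
function* generatorFn() {}                 // generator functions own a prototype
const boundArrow = (() => {}).bind(null);  // bound non-constructor ...
boundArrow.prototype = {};                 // ... given an own "prototype"

// A real constructor that records the length argument Array.of passes it.
class Tagged {
  constructor(length) { this.ctorArg = length; }
}

// Array.of constructs `this` only when IsConstructor(this) holds; otherwise
// it falls back to ArrayCreate, so the result is a plain Array.
function arrayOfWith(thisValue, ...items) {
  return Array.of.call(thisValue, ...items);
}

// Summarise the three predicates for one value.
function classify(value) {
  return {
    hasObjectPrototype: hasObjectPrototype(value),
    isConstructor: isConstructor(value),
    engineAcceptsHeritage: engineAcceptsHeritage(value),
  };
}
```

Run under Node: `classify(generatorFn)` and `classify(boundArrow)` report `hasObjectPrototype: true` but `isConstructor: false`, and the engine rejects them as class heritage, which is exactly the mismatch the prototype-based check got wrong. `arrayOfWith(Tagged, 1, 2)` yields a `Tagged` instance constructed with length 2, while `arrayOfWith(generatorFn, 1, 2)` yields a plain Array.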
772 2020-05-12  Robin Morisset  <rmorisset@apple.com>
773
774         Exception check for OOM is a bit too late in JSBigInt::exponentiate.
775         https://bugs.webkit.org/show_bug.cgi?id=211823
776
777         Reviewed by Mark Lam.
778
779         We were doing multiplyImpl(...).payload.asHeapBigInt(), but multiplyImpl can return a null payload if it causes an exception.
780         So we must first check whether an exception was raised, and only if not can we do asHeapBigInt.
781
782         * runtime/JSBigInt.cpp:
783         (JSC::JSBigInt::exponentiateImpl):
784
785 2020-05-12  Saam Barati  <sbarati@apple.com>
786
787         handling of Check in VarargsForwardingPhase is too pessimistic
788         https://bugs.webkit.org/show_bug.cgi?id=211810
789
790         Reviewed by Keith Miller and Filip Pizlo.
791
792         We were treating a check, even if it wasn't on the sink candidate,
793         as if it could escape the candidate. That's wrong. Only checks on the
794         candidate have the escaping ability.
795
796         * dfg/DFGVarargsForwardingPhase.cpp:
797
798 2020-05-12  Keith Miller  <keith_miller@apple.com>
799
800         The bottom value set for m_value in iterator_next should be materialized after a done getter
801         https://bugs.webkit.org/show_bug.cgi?id=211811
802
803         Reviewed by Saam Barati.
804
805         Right now, if the done getter contains control flow, then we will
806         have the bottom value in a different block from the
807         MovHint/SetLocal and we will fail to validate.
808
809         * dfg/DFGByteCodeParser.cpp:
810         (JSC::DFG::ByteCodeParser::parseBlock):
811
812 2020-05-12  Ross Kirsling  <ross.kirsling@sony.com>
813
814         Fix existing usage of final/override/virtual in JSC and WTF
815         https://bugs.webkit.org/show_bug.cgi?id=211772
816
817         Reviewed by Darin Adler.
818
819         * API/JSAPIWrapperObject.mm:
820         * API/JSManagedValue.mm:
821         * API/JSScriptSourceProvider.h:
822         * API/ObjCCallbackFunction.mm:
823         * API/glib/JSAPIWrapperGlobalObject.cpp:
824         * API/glib/JSAPIWrapperObjectGLib.cpp:
825         * API/glib/JSCWeakValue.cpp:
826         * bytecode/AccessCaseSnippetParams.cpp:
827         * bytecode/AccessCaseSnippetParams.h:
828         * bytecode/CodeBlock.cpp:
829         * bytecode/StructureStubClearingWatchpoint.h:
830         * bytecode/VariableWriteFireDetail.h:
831         * bytecode/Watchpoint.h:
832         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
833         * dfg/DFGArrayifySlowPathGenerator.h:
834         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
835         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
836         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
837         * dfg/DFGSlowPathGenerator.h:
838         * dfg/DFGSnippetParams.h:
839         * dfg/DFGWorklist.cpp:
840         * ftl/FTLSnippetParams.h:
841         * heap/BlockDirectory.cpp:
842         * heap/EdenGCActivityCallback.h:
843         * heap/FullGCActivityCallback.h:
844         * heap/Heap.cpp:
845         * heap/Heap.h:
846         * heap/IncrementalSweeper.h:
847         * heap/IsoCellSet.cpp:
848         * heap/IsoCellSetInlines.h:
849         * heap/IsoHeapCellType.h:
850         * heap/IsoInlinedHeapCellType.h:
851         * heap/ParallelSourceAdapter.h:
852         * heap/StopIfNecessaryTimer.h:
853         * heap/Subspace.cpp:
854         * heap/SubspaceInlines.h:
855         * inspector/InjectedScript.h:
856         * inspector/JSGlobalObjectConsoleClient.h:
857         * inspector/JSGlobalObjectInspectorController.h:
858         * inspector/JSGlobalObjectScriptDebugServer.h:
859         * inspector/JSInjectedScriptHost.cpp:
860         * inspector/agents/InspectorAgent.h:
861         * inspector/agents/InspectorScriptProfilerAgent.h:
862         * inspector/agents/InspectorTargetAgent.h:
863         * inspector/agents/JSGlobalObjectAuditAgent.h:
864         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
865         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
866         * inspector/augmentable/AlternateDispatchableAgent.h:
867         * inspector/remote/RemoteConnectionToTarget.h:
868         * inspector/remote/RemoteInspector.h:
869         * inspector/remote/socket/RemoteInspectorServer.h:
870         * inspector/scripts/codegen/cpp_generator_templates.py:
871         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
872         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
873         * inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result:
874         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
875         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
876         * inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result:
877         * inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result:
878         * inspector/scripts/tests/generic/expected/domain-targetTypes.json-result:
879         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
880         * inspector/scripts/tests/generic/expected/enum-values.json-result:
881         * inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result:
882         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
883         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
884         * jit/JITWorklist.cpp:
885         * parser/Nodes.h:
886         * parser/SourceProvider.h:
887         * runtime/DataView.h:
888         * runtime/DoublePredictionFuzzerAgent.h:
889         * runtime/FileBasedFuzzerAgent.h:
890         * runtime/GenericTypedArrayView.h:
891         * runtime/JSMicrotask.cpp:
892         * runtime/NarrowingNumberPredictionFuzzerAgent.h:
893         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
894         * runtime/PredictionFileCreatingFuzzerAgent.h:
895         * runtime/PromiseTimer.h:
896         * runtime/RandomizingFuzzerAgent.h:
897         * runtime/RegExpCache.h:
898         * runtime/Structure.cpp:
899         * runtime/StructureRareData.cpp:
900         * runtime/VMTraps.cpp:
901         * runtime/WideningNumberPredictionFuzzerAgent.h:
902         * tools/JSDollarVM.cpp:
903         * wasm/WasmBBQPlan.h:
904         * wasm/WasmCallee.h:
905         * wasm/WasmLLIntPlan.h:
906         * wasm/WasmOMGForOSREntryPlan.h:
907         * wasm/WasmOMGPlan.h:
908         * wasm/WasmWorklist.cpp:
909         * yarr/YarrJIT.cpp:
910
911 2020-05-12  Ross Kirsling  <ross.kirsling@sony.com>
912
913         [clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final
914         https://bugs.webkit.org/show_bug.cgi?id=211743
915
916         Reviewed by Saam Barati.
917
918         * API/JSScriptRef.cpp:
919         * b3/B3ArgumentRegValue.h:
920         * b3/B3AtomicValue.h:
921         * b3/B3CCallValue.h:
922         * b3/B3CheckSpecial.h:
923         * b3/B3CheckValue.h:
924         * b3/B3Const32Value.h:
925         * b3/B3Const64Value.h:
926         * b3/B3ConstDoubleValue.h:
927         * b3/B3ConstFloatValue.h:
928         * b3/B3DataSection.h:
929         * b3/B3ExtractValue.h:
930         * b3/B3FenceValue.h:
931         * b3/B3MemoryValue.h:
932         * b3/B3PatchpointSpecial.h:
933         * b3/B3PatchpointValue.h:
934         * b3/B3SlotBaseValue.h:
935         * b3/B3StackmapSpecial.h:
936         * b3/B3StackmapValue.h:
937         * b3/B3SwitchValue.h:
938         * b3/B3UpsilonValue.h:
939         * b3/B3VariableValue.h:
940         * b3/B3WasmAddressValue.h:
941         * b3/B3WasmBoundsCheckValue.h:
942         * b3/air/AirCCallSpecial.h:
943         * b3/air/AirPrintSpecial.h:
944         * bytecode/BytecodeDumper.h:
945         * bytecode/GetterSetterAccessCase.h:
946         * bytecode/InstanceOfAccessCase.h:
947         * bytecode/IntrinsicGetterAccessCase.h:
948         * bytecode/ModuleNamespaceAccessCase.h:
949         * bytecode/ProxyableAccessCase.h:
950         * bytecode/Watchpoint.h:
951         * dfg/DFGFailedFinalizer.h:
952         * dfg/DFGGraph.h:
953         * dfg/DFGJITCode.h:
954         * dfg/DFGJITFinalizer.h:
955         * dfg/DFGToFTLDeferredCompilationCallback.h:
956         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
957         * ftl/FTLForOSREntryJITCode.h:
958         * ftl/FTLJITCode.h:
959         * ftl/FTLJITFinalizer.h:
960         * heap/CompleteSubspace.h:
961         * heap/FastMallocAlignedMemoryAllocator.h:
962         * heap/GigacageAlignedMemoryAllocator.h:
963         * heap/HeapSnapshotBuilder.h:
964         * heap/IsoAlignedMemoryAllocator.h:
965         * heap/IsoSubspace.h:
966         * heap/IsoSubspacePerVM.cpp:
967         * heap/IsoSubspacePerVM.h:
968         * heap/MarkStackMergingConstraint.h:
969         * heap/SimpleMarkingConstraint.h:
970         * heap/SpaceTimeMutatorScheduler.h:
971         * heap/StochasticSpaceTimeMutatorScheduler.h:
972         * heap/SynchronousStopTheWorldMutatorScheduler.h:
973         * jit/GCAwareJITStubRoutine.h:
974         * jit/JITCode.h:
975         * jit/JITThunks.h:
976         * jit/JITToDFGDeferredCompilationCallback.h:
977         * jit/PolymorphicCallStubRoutine.h:
978         * jsc.cpp:
979         * parser/Lexer.cpp: Address warning.
980         * runtime/JSDestructibleObjectHeapCellType.h:
981         * runtime/SimpleTypedArrayController.h:
982         * runtime/Structure.h:
983         * runtime/WeakGCMap.h:
984         * wasm/WasmEntryPlan.h:
985
986 2020-05-12  Michael Catanzaro  <mcatanzaro@gnome.org>
987
988         -Wsign-compare warnings in FTLLowerDFGToB3.cpp and DFGSpeculativeJIT.cpp
989         https://bugs.webkit.org/show_bug.cgi?id=211783
990
991         Reviewed by Darin Adler.
992
993         This fixes -Wsign-compare warnings introduced in r260331.
994
995         * dfg/DFGSpeculativeJIT.cpp:
996         (JSC::DFG::SpeculativeJIT::compileValueBitNot):
997         * ftl/FTLLowerDFGToB3.cpp:
998         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
999
1000 2020-05-12  Truitt Savell  <tsavell@apple.com>
1001
1002         Unreviewed, reverting r261542.
1003
1004         Broke internal builds
1005
1006         Reverted changeset:
1007
1008         "[clang-tidy] Run modernize-use-override over JSC, then ensure
1009         as much as possible is final"
1010         https://bugs.webkit.org/show_bug.cgi?id=211743
1011         https://trac.webkit.org/changeset/261542
1012
1013 2020-05-12  Mark Lam  <mark.lam@apple.com>
1014
1015         Wasm::enableFastMemory() was called too late.
1016         https://bugs.webkit.org/show_bug.cgi?id=211773
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         If Wasm fast memory is to be enabled, we should just do it in initializeThreading()
1021         just like for all the other signal handlers that need to be initialized for JSC.
1022         This simplifies its initialization and ensures that it is done in a timely manner
1023         before Configs are frozen.
1024
1025         * jsc.cpp:
1026         (jscmain):
1027         * runtime/InitializeThreading.cpp:
1028         (JSC::initializeThreading):
1029
1030 2020-05-11  Darin Adler  <darin@apple.com>
1031
1032         Fix problems caught by replacing WTF::Optional with std::optional
1033         https://bugs.webkit.org/show_bug.cgi?id=211703
1034
1035         Reviewed by Chris Dumez.
1036
1037         * runtime/MachineContext.h:
1038         (JSC::MachineContext::instructionPointer): Use explicit makeOptional here,
1039         to work around the fact that MacroAssemblerCodePtr uses an unusual technique
1040         to disable conversions to everything except bool.
1041
1042 2020-05-11  Yoshiaki JITSUKAWA  <yoshiaki.jitsukawa@sony.com>
1043
1044         Fix build errors after r260992
1045         https://bugs.webkit.org/show_bug.cgi?id=211756
1046
1047         Reviewed by Darin Adler.
1048
1049         Add JSC namespace specifier to NonIntrinsic and PropertyAttribute
1050         in the macros in JSObject.h since those can be used outside of
1051         or without introducing JSC namespace.

1052         * runtime/JSObject.h:
1053
1054 2020-05-11  Ross Kirsling  <ross.kirsling@sony.com>
1055
1056         [clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final
1057         https://bugs.webkit.org/show_bug.cgi?id=211743
1058
1059         Reviewed by Saam Barati.
1060
1061         * API/JSScriptRef.cpp:
1062         * b3/B3ArgumentRegValue.h:
1063         * b3/B3AtomicValue.h:
1064         * b3/B3CCallValue.h:
1065         * b3/B3CheckSpecial.h:
1066         * b3/B3CheckValue.h:
1067         * b3/B3Const32Value.h:
1068         * b3/B3Const64Value.h:
1069         * b3/B3ConstDoubleValue.h:
1070         * b3/B3ConstFloatValue.h:
1071         * b3/B3DataSection.h:
1072         * b3/B3ExtractValue.h:
1073         * b3/B3FenceValue.h:
1074         * b3/B3MemoryValue.h:
1075         * b3/B3PatchpointSpecial.h:
1076         * b3/B3PatchpointValue.h:
1077         * b3/B3SlotBaseValue.h:
1078         * b3/B3StackmapSpecial.h:
1079         * b3/B3StackmapValue.h:
1080         * b3/B3SwitchValue.h:
1081         * b3/B3UpsilonValue.h:
1082         * b3/B3VariableValue.h:
1083         * b3/B3WasmAddressValue.h:
1084         * b3/B3WasmBoundsCheckValue.h:
1085         * b3/air/AirCCallSpecial.h:
1086         * b3/air/AirPrintSpecial.h:
1087         * bytecode/BytecodeDumper.h:
1088         * bytecode/GetterSetterAccessCase.h:
1089         * bytecode/InstanceOfAccessCase.h:
1090         * bytecode/IntrinsicGetterAccessCase.h:
1091         * bytecode/ModuleNamespaceAccessCase.h:
1092         * bytecode/ProxyableAccessCase.h:
1093         * bytecode/Watchpoint.h:
1094         * dfg/DFGFailedFinalizer.h:
1095         * dfg/DFGGraph.h:
1096         * dfg/DFGJITCode.h:
1097         * dfg/DFGJITFinalizer.h:
1098         * dfg/DFGToFTLDeferredCompilationCallback.h:
1099         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
1100         * ftl/FTLForOSREntryJITCode.h:
1101         * ftl/FTLJITCode.h:
1102         * ftl/FTLJITFinalizer.h:
1103         * heap/CompleteSubspace.h:
1104         * heap/FastMallocAlignedMemoryAllocator.h:
1105         * heap/GigacageAlignedMemoryAllocator.h:
1106         * heap/HeapSnapshotBuilder.h:
1107         * heap/IsoAlignedMemoryAllocator.h:
1108         * heap/IsoSubspace.h:
1109         * heap/IsoSubspacePerVM.cpp:
1110         * heap/IsoSubspacePerVM.h:
1111         * heap/MarkStackMergingConstraint.h:
1112         * heap/SimpleMarkingConstraint.h:
1113         * heap/SpaceTimeMutatorScheduler.h:
1114         * heap/StochasticSpaceTimeMutatorScheduler.h:
1115         * heap/SynchronousStopTheWorldMutatorScheduler.h:
1116         * jit/GCAwareJITStubRoutine.h:
1117         * jit/JITCode.h:
1118         * jit/JITThunks.h:
1119         * jit/JITToDFGDeferredCompilationCallback.h:
1120         * jit/PolymorphicCallStubRoutine.h:
1121         * jsc.cpp:
1122         * parser/Lexer.cpp: Address warning.
1123         * runtime/JSDestructibleObjectHeapCellType.h:
1124         * runtime/SimpleTypedArrayController.h:
1125         * runtime/Structure.h:
1126         * runtime/WeakGCMap.h:
1127         * wasm/WasmEntryPlan.h:
1128
1129 2020-05-11  Mark Lam  <mark.lam@apple.com>
1130
1131         Introduce WTF::Config and put Signal.cpp's init-once globals in it.
1132         https://bugs.webkit.org/show_bug.cgi?id=211729
1133         <rdar://problem/62938878>
1134
1135         Reviewed by Keith Miller and Saam Barati.
1136
1137         1. Initialize VMTraps' signals early now that we'll be freezing signals at the end
1138            of the first VM initialization.
1139
1140         2. Move the !initializeThreadingHasBeenCalled RELEASE_ASSERT in initializeThreading()
1141            to the bottom of the function.  This way, we'll also catch bugs which may cause
1142            us to jump into the middle of the function.
1143
1144            Added a compilerFence there to ensure that the RELEASE_ASSERT is only executed
1145            after all initialization is done.  This guarantees that it will only be executed
1146            at the end.
1147
1148         3. Call WTF::Config::permanentlyFreeze() from JSC::Config::permanentlyFreeze()
1149            for obvious reasons: freezing one should freeze the other.
1150
1151         * runtime/InitializeThreading.cpp:
1152         (JSC::initializeThreading):
1153         * runtime/JSCConfig.cpp:
1154         (JSC::Config::permanentlyFreeze):
1155         * runtime/VMTraps.cpp:
1156         (JSC::VMTraps::initializeSignals):
1157         * runtime/VMTraps.h:
1158
1159 2020-05-11  Keith Miller  <keith_miller@apple.com>
1160
1161         Remove unused BytecodeKills.h
1162         https://bugs.webkit.org/show_bug.cgi?id=211753
1163
1164         Reviewed by Yusuke Suzuki.
1165
1166         No one uses this class anymore, we should get rid of it.
1167
1168         * JavaScriptCore.xcodeproj/project.pbxproj:
1169         * bytecode/BytecodeKills.h: Removed.
1170         * bytecode/BytecodeLivenessAnalysis.cpp:
1171         (JSC::BytecodeLivenessAnalysis::computeKills): Deleted.
1172         * bytecode/BytecodeLivenessAnalysis.h:
1173         * dfg/DFGGraph.cpp:
1174         (JSC::DFG::Graph::killsFor): Deleted.
1175         * dfg/DFGGraph.h:
1176
1177 2020-05-10  Ross Kirsling  <ross.kirsling@sony.com>
1178
1179         [clang-tidy] Run modernize-use-nullptr over JSC
1180         https://bugs.webkit.org/show_bug.cgi?id=211706
1181
1182         Reviewed by Darin Adler.
1183
1184         * API/APICallbackFunction.h:
1185         * API/JSAPIGlobalObject.h:
1186         * API/JSBase.cpp:
1187         * API/JSCallbackObjectFunctions.h:
1188         * API/JSClassRef.cpp:
1189         * API/JSContextRef.cpp:
1190         * API/JSObjectRef.cpp:
1191         * API/JSScriptRef.cpp:
1192         * API/JSValueRef.cpp:
1193         * API/JSWeakObjectMapRefPrivate.cpp:
1194         * API/tests/ExecutionTimeLimitTest.cpp:
1195         * API/tests/PingPongStackOverflowTest.cpp:
1196         * assembler/AbstractMacroAssembler.h:
1197         * assembler/CPU.cpp:
1198         * bytecode/CodeBlock.cpp:
1199         * bytecode/DeleteByIdVariant.cpp:
1200         * bytecode/GetByIdVariant.cpp:
1201         * bytecode/InByIdVariant.cpp:
1202         * bytecode/InlineCallFrame.cpp:
1203         * bytecode/LazyOperandValueProfile.cpp:
1204         * bytecode/PutByIdVariant.cpp:
1205         * bytecode/ValueProfile.h:
1206         * bytecode/ValueRecovery.cpp:
1207         * bytecompiler/BytecodeGenerator.h:
1208         * bytecompiler/NodesCodegen.cpp:
1209         * debugger/DebuggerScope.h:
1210         * dfg/DFGAbstractValue.cpp:
1211         * dfg/DFGAdjacencyList.h:
1212         * dfg/DFGArgumentPosition.h:
1213         * dfg/DFGArrayifySlowPathGenerator.h:
1214         * dfg/DFGAvailability.h:
1215         * dfg/DFGByteCodeParser.cpp:
1216         * dfg/DFGCFGSimplificationPhase.cpp:
1217         * dfg/DFGCPSRethreadingPhase.cpp:
1218         * dfg/DFGCompilationKey.h:
1219         * dfg/DFGConstantFoldingPhase.cpp:
1220         * dfg/DFGDisassembler.cpp:
1221         * dfg/DFGDoubleFormatState.h:
1222         * dfg/DFGEdge.h:
1223         * dfg/DFGFixupPhase.cpp:
1224         * dfg/DFGFrozenValue.cpp:
1225         * dfg/DFGGenerationInfo.h:
1226         * dfg/DFGGraph.h:
1227         * dfg/DFGInPlaceAbstractState.cpp:
1228         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1229         * dfg/DFGLazyJSValue.cpp:
1230         * dfg/DFGNode.h:
1231         * dfg/DFGOSREntrypointCreationPhase.cpp:
1232         * dfg/DFGOSRExit.cpp:
1233         * dfg/DFGOperations.cpp:
1234         * dfg/DFGSilentRegisterSavePlan.h:
1235         * dfg/DFGSpeculativeJIT.cpp:
1236         * dfg/DFGSpeculativeJIT.h:
1237         * dfg/DFGSpeculativeJIT64.cpp:
1238         * dfg/DFGStructureAbstractValue.cpp:
1239         * dfg/DFGTransition.cpp:
1240         * dfg/DFGTypeCheckHoistingPhase.cpp:
1241         * dfg/DFGWorklist.cpp:
1242         * ftl/FTLAbstractHeapRepository.h:
1243         * ftl/FTLAvailableRecovery.h:
1244         * ftl/FTLExitValue.cpp:
1245         * ftl/FTLFormattedValue.h:
1246         * ftl/FTLJITCode.cpp:
1247         * ftl/FTLLink.cpp:
1248         * ftl/FTLLowerDFGToB3.cpp:
1249         * ftl/FTLLoweredNodeValue.h:
1250         * ftl/FTLOSREntry.cpp:
1251         * ftl/FTLOSRExitCompiler.cpp:
1252         * ftl/FTLTypedPointer.h:
1253         * ftl/FTLValueFromBlock.h:
1254         * ftl/FTLValueRange.h:
1255         * heap/GCSegmentedArray.h:
1256         * heap/Handle.h:
1257         * heap/HandleSet.h:
1258         * heap/HandleTypes.h:
1259         * heap/HeapSnapshotBuilder.cpp:
1260         * heap/MarkedBlockInlines.h:
1261         * heap/Strong.h:
1262         * heap/WeakImpl.h:
1263         * heap/WeakInlines.h:
1264         * heap/WeakSet.cpp:
1265         * heap/WeakSet.h:
1266         * interpreter/CallFrame.cpp:
1267         * interpreter/CallFrame.h:
1268         * interpreter/Interpreter.cpp:
1269         * interpreter/ProtoCallFrame.h:
1270         * interpreter/StackVisitor.cpp:
1271         * interpreter/StackVisitor.h:
1272         * jit/AssemblyHelpers.h:
1273         * jit/CCallHelpers.h:
1274         * jit/JITCode.cpp:
1275         * jit/JITOperations.cpp:
1276         * jit/Repatch.cpp:
1277         * jit/ThunkGenerators.cpp:
1278         * jsc.cpp:
1279         * llint/LLIntSlowPaths.cpp:
1280         * parser/ASTBuilder.h:
1281         * parser/Lexer.cpp:
1282         * parser/Lexer.h:
1283         * parser/Nodes.cpp:
1284         * parser/Nodes.h:
1285         * parser/Parser.cpp:
1286         * parser/Parser.h:
1287         * parser/ParserArena.cpp:
1288         * parser/ParserArena.h:
1289         * parser/ParserFunctionInfo.h:
1290         * parser/SyntaxChecker.h:
1291         * parser/UnlinkedSourceCode.h:
1292         * profiler/ProfilerBytecodeSequence.cpp:
1293         * profiler/ProfilerCompilation.cpp:
1294         * profiler/ProfilerDatabase.cpp:
1295         * profiler/ProfilerOSRExitSite.cpp:
1296         * profiler/ProfilerOriginStack.cpp:
1297         * runtime/ArgList.h:
1298         * runtime/ArrayPrototype.cpp:
1299         * runtime/ClonedArguments.cpp:
1300         * runtime/CommonSlowPaths.cpp:
1301         * runtime/Completion.h:
1302         * runtime/DataView.h:
1303         * runtime/DatePrototype.cpp:
1304         * runtime/DirectEvalExecutable.cpp:
1305         * runtime/DumpContext.cpp:
1306         * runtime/FunctionExecutable.cpp:
1307         * runtime/IndirectEvalExecutable.cpp:
1308         * runtime/JSArray.cpp:
1309         * runtime/JSArrayBufferView.cpp:
1310         * runtime/JSCJSValue.cpp:
1311         * runtime/JSCJSValueInlines.h:
1312         * runtime/JSCell.cpp:
1313         * runtime/JSDataView.cpp:
1314         * runtime/JSDestructibleObject.h:
1315         * runtime/JSFunction.cpp:
1316         * runtime/JSGlobalObject.cpp:
1317         * runtime/JSGlobalObject.h:
1318         * runtime/JSONObject.cpp:
1319         * runtime/JSObject.cpp:
1320         * runtime/JSObject.h:
1321         * runtime/JSScope.cpp:
1322         * runtime/JSScope.h:
1323         * runtime/LiteralParser.cpp:
1324         * runtime/OptionsList.h:
1325         * runtime/PropertyDescriptor.cpp:
1326         * runtime/PropertyMapHashTable.h:
1327         * runtime/PropertySlot.h:
1328         * runtime/PutPropertySlot.h:
1329         * runtime/RegExpMatchesArray.h:
1330         * runtime/RegExpPrototype.cpp:
1331         * runtime/StringPrototype.cpp:
1332         * runtime/Structure.cpp:
1333         * runtime/Structure.h:
1334         * runtime/TestRunnerUtils.cpp:
1335         * runtime/TypedArrayType.cpp:
1336         * runtime/VM.cpp:
1337         * runtime/Watchdog.cpp:
1338         * runtime/Watchdog.h:
1339         * runtime/WriteBarrier.h:
1340         * testRegExp.cpp:
1341         * tools/JSDollarVM.cpp:
1342         * wasm/WasmSlowPaths.cpp:
1343         * yarr/RegularExpression.h:
1344         * yarr/YarrInterpreter.cpp:
1345         * yarr/YarrJIT.cpp:
1346         * yarr/YarrJIT.h:
1347         * yarr/YarrPattern.cpp:
1348         * yarr/YarrPattern.h:
1349
1350 2020-05-09  Ross Kirsling  <ross.kirsling@sony.com>
1351
1352         Fix build errors and warnings for non-unified JSCOnly
1353         https://bugs.webkit.org/show_bug.cgi?id=211655
1354
1355         Reviewed by Darin Adler and Yusuke Suzuki.
1356
1357         * bytecode/BytecodeDumper.cpp:
1358         (JSC::isConstantRegisterIndex): Deleted.
1359         Remove unused function.
1360
1361         * llint/LLIntEntrypoint.cpp:
1362         * llint/LLIntThunks.cpp:
1363         * llint/LLIntThunks.h:
1364         * runtime/AggregateErrorConstructor.cpp:
1365         * runtime/AggregateErrorPrototype.cpp:
1366         * wasm/js/WebAssemblyFunction.cpp:
1367         Fix includes.
1368
1369         * tools/JSDollarVM.cpp:
1370         Deal with "unused constant" warnings for needsDestruction.
1371
1372         * wasm/WasmLLIntPlan.cpp:
1373         * wasm/WasmSignature.cpp:
1374         Remove unused constants.
1375
1376 2020-05-08  Darin Adler  <darin@apple.com>
1377
1378         Streamline MarkupAccumulator to improve efficiency a bit
1379         https://bugs.webkit.org/show_bug.cgi?id=211656
1380
1381         Reviewed by Anders Carlsson.
1382
1383         * b3/air/AirFixPartialRegisterStalls.h: Fix spelling of "explicitly".
1384
1385 2020-05-08  Alexey Shvayka  <shvaikalesh@gmail.com>
1386
1387         Array.prototype.concat fast path checks should not be observable
1388         https://bugs.webkit.org/show_bug.cgi?id=211643
1389
1390         Reviewed by Ross Kirsling.
1391
1392         This change utilizes @tryGetByIdWithWellKnownSymbol intrinsic to make
1393         off the spec Symbol.isConcatSpreadable lookups unobservable to userland code,
1394         aligning JSC with V8 and SpiderMonkey.
1395
1396         Since @tryGetById uses PropertySlot::getPureResult(), which returns `null`
1397         for Proxy [[Get]] traps and JS getters (covered by stress/try-get-by-id.js),
1398         we can safely compare its result `undefined`. Also, this allows us to remove
1399         @isProxyObject check as Proxy argument is never a fast path anyway.
1400
1401         This patch is neutral on microbenchmarks/concat-append-one.js.
1402
1403         * builtins/ArrayPrototype.js:
1404         (concat):
1405
1406 2020-05-07  Michael Catanzaro  <mcatanzaro@gnome.org>
1407
1408         Simplify preprocessor guards in GCMemoryOperations.h
1409         https://bugs.webkit.org/show_bug.cgi?id=211588
1410
1411         Reviewed by Darin Adler.
1412
1413         If we adjust the guards a bit, then we don't need to repeat the fallback path.
1414
1415         * heap/GCMemoryOperations.h:
1416         (JSC::gcSafeMemmove):
1417         (JSC::gcSafeZeroMemory):
1418
1419 2020-05-07  Mark Lam  <mark.lam@apple.com>
1420
1421         Give the DFG and FTL WorkList threads more stack space on ASAN builds.
1422         https://bugs.webkit.org/show_bug.cgi?id=211535
1423         <rdar://problem/62947884>
1424
1425         Reviewed by Geoffrey Garen.
1426
1427         * dfg/DFGWorklist.cpp:
1428         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1429         - Mark the AutomaticThread as ThreadType::Compiler.
1430
1431 2020-05-07  Daniel Kolesa  <daniel@octaforge.org>
1432
1433         REGRESSION(r251875): Crash in JSC::StructureIDTable::get on ppc64le: gcSafeMemcpy broken on JSVALUE64 platforms other than x86_64 and aarch64
1434         https://bugs.webkit.org/show_bug.cgi?id=210685
1435
1436         Reviewed by Michael Catanzaro.
1437
1438         Fix gcSafeMemcpy on non-x86_64/aarch64 64-bit architectures.
1439
1440         We were hitting an incorrect x86_64 assertion on values larger than
1441         mediumCutoff on JSVALUE64 architectures other than x86_64 and aarch64,
1442         as the control flow is wrong.
1443
1444         * heap/GCMemoryOperations.h:
1445         (JSC::gcSafeMemcpy):
1446
1447 2020-05-07  Mark Lam  <mark.lam@apple.com>
1448
1449         Add stack checks to the DFG and FTL bytecode parser.
1450         https://bugs.webkit.org/show_bug.cgi?id=211547
1451         <rdar://problem/62958880>
1452
1453         Reviewed by Yusuke Suzuki.
1454
1455         Inlining can cause some level of recursion of the DFG bytecode parser.  We should
1456         do a stack check at each inlining check before recursing.  If a stack overflow
1457         appears to be imminent, then just refuse to inline, and therefore, don't recurse
1458         deeper into the parser.
1459
1460         This issue is more noticeable on ASan debug builds where stack frames can be
1461         humongous.
1462
1463         Removed the SUPPRESS_ASAN on clobberize() and the associated comment from r260692.
1464         It was a mis-diagnosis.  The stack checks are what we need.
1465
1466         * dfg/DFGByteCodeParser.cpp:
1467         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1468         (JSC::DFG::ByteCodeParser::handleInlining):
1469         * dfg/DFGClobberize.h:
1470         (JSC::DFG::clobberize):
1471         * dfg/DFGGraph.h:
1472
1473 2020-05-07  Darin Adler  <darin@apple.com>
1474
1475         REGRESSION (r261257): Lifetime problem with upconverted characters in toLocaleCase
1476         https://bugs.webkit.org/show_bug.cgi?id=211580
1477         rdar://62980449
1478
1479         Reviewed by Yusuke Suzuki.
1480
1481         The problem comes from the fact that callBufferProducingFunction is moving the same
1482         arguments multiple times. At the moment, this works around the only practical
1483         problem with that, but later it should be fixed in callBufferProducingFunction.
1484
1485         * runtime/IntlDateTimeFormat.cpp:
1486         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Work around mistakes in how
1487         callBufferProducingFunction works with arguments by calling get() explicitly on the
1488         result of upconvertedCharacters. Later we could fix callBufferProducingFunction to
1489         be safer, but for now this solves the problem.
1490         * runtime/StringPrototype.cpp:
1491         (JSC::toLocaleCase): Ditto.
1492
1493 2020-05-07  Keith Miller  <keith_miller@apple.com>
1494
1495         Fix ArrayMode nodes after r261260
1496         https://bugs.webkit.org/show_bug.cgi?id=211543
1497
1498         Reviewed by Yusuke Suzuki.
1499
1500         I accidentally ran tests with a release build rather than
1501         release+assert when uploading r261260. This patch skips the
1502         CheckArray node in the ArrayMode clobbersTop() logic before
1503         Fixup. It also marks a GetArrayLength in the TypedArray
1504         intrinsics as ExitOK.
1505
1506         This patch also relands r261260.
1507
1508         * dfg/DFGByteCodeParser.cpp:
1509         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1510         * dfg/DFGClobberize.h:
1511         (JSC::DFG::clobberize):
1512
1513 2020-05-07  Ryan Haddad  <ryanhaddad@apple.com>
1514
1515         Unreviewed, reverting r261260.
1516
1517         Caused 26 JSC test failures
1518
1519         Reverted changeset:
1520
1521         "DFG ByVal nodes with ArrayModes should clobberTop until Fixup
1522         phase runs."
1523         https://bugs.webkit.org/show_bug.cgi?id=211531
1524         https://trac.webkit.org/changeset/261260
1525
1526 2020-05-07  Mark Lam  <mark.lam@apple.com>
1527
1528         Fix broken exceptionFuzz tests.
1529         https://bugs.webkit.org/show_bug.cgi?id=211550
1530
1531         Reviewed by Yusuke Suzuki.
1532
1533         Remove the bad and now unused utility function to set Options::useExceptionFuzz().
1534
1535         * tools/JSDollarVM.cpp:
1536         (JSC::JSDollarVM::finishCreation):
1537         (JSC::functionEnableExceptionFuzz): Deleted.
1538
1539 2020-05-06  Keith Miller  <keith_miller@apple.com>
1540
1541         DFG ByVal nodes with ArrayModes should clobberTop until Fixup phase runs.
1542         https://bugs.webkit.org/show_bug.cgi?id=211531
1543
1544         Reviewed by Yusuke Suzuki.
1545
1546         When parsing bytecode we may pick a relatively constrained
1547         ArrayMode based on our profiling. Some of these modes may not
1548         clobber exit state.  However, Fixup sometimes wants to widen this
1549         to a more generic mode based on other data. This causes us to
1550         think it was valid to exit immediately after the
1551         GetByVal/HasIndexedProperty, which would be wrong with the wider
1552         ArrayMode. We may also incorrectly insert invalidation points
1553         if clobberize gives us the wrong data.
1554
1555         To fix this, clobberize should say All ByVal nodes clobberTop()
1556         until after fixup. Additionally, this patch adds an assertion that
1557         nodes don't go from not clobbering exit state to clobbering exit
1558         state during fixup.
1559
1560         * dfg/DFGClobberize.h:
1561         (JSC::DFG::clobberize):
1562         * dfg/DFGFixupPhase.cpp:
1563         (JSC::DFG::FixupPhase::fixupNode):
1564         (JSC::DFG::performFixup):
1565         * dfg/DFGGraph.h:
1566
1567 2020-05-06  Darin Adler  <darin@apple.com>
1568
1569         Make a helper for the pattern of ICU functions that may need to be called twice to populate a buffer
1570         https://bugs.webkit.org/show_bug.cgi?id=211499
1571
1572         Reviewed by Ross Kirsling.
1573
1574         * runtime/IntlDateTimeFormat.cpp:
1575         (JSC::defaultTimeZone): Use callBufferProducingFunction.
1576         (JSC::canonicalizeTimeZoneName): Ditto.
1577         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Ditto.
1578         (JSC::IntlDateTimeFormat::format const): Ditto.
1579         (JSC::IntlDateTimeFormat::formatToParts const): Ditto.
1580         * runtime/IntlLocale.cpp:
1581         (JSC::LocaleIDBuilder::toCanonical): Ditto.
1582         (JSC::IntlLocale::language): Ditto.
1583         (JSC::IntlLocale::script): Ditto.
1584         (JSC::IntlLocale::region): Ditto.
1585         * runtime/IntlNumberFormat.cpp:
1586         (JSC::IntlNumberFormat::format const): Ditto.
1587         (JSC::IntlNumberFormat::formatToParts const): Ditto.
1588         * runtime/IntlObject.cpp:
1589         (JSC::languageTagForLocaleID): Ditto.
1590         * runtime/IntlRelativeTimeFormat.cpp:
1591         (JSC::IntlRelativeTimeFormat::formatInternal const): Ditto.
1592         (JSC::IntlRelativeTimeFormat::formatToParts const): Ditto.
1593         * runtime/StringPrototype.cpp:
1594         (JSC::toLocaleCase): Ditto.
1595
1596 2020-05-06  Devin Rousso  <drousso@apple.com>
1597
1598         ASSERT_WITH_MESSAGE(m_isOwnedByMainThread == isMainThread()) when web inspecting
1599         https://bugs.webkit.org/show_bug.cgi?id=203638
1600         <rdar://problem/56761893>
1601
1602         Reviewed by Brian Burg.
1603
1604         Mark the `InspectorEnvironment::executionStopwatch` abstract function as `const` and have it
1605         return a `Stopwatch&` instead of a `RefPtr<Stopwatch>&` as callers assume that it exists.
1606         By not using a `RefPtr`, an additional `copyRef` can be avoided.
1607
1608         * inspector/InspectorEnvironment.h:
1609
1610         * inspector/JSGlobalObjectInspectorController.h:
1611         * inspector/JSGlobalObjectInspectorController.cpp:
1612         (Inspector::JSGlobalObjectInspectorController::executionStopwatch const): Added.
1613         (Inspector::JSGlobalObjectInspectorController::executionStopwatch): Deleted.
1614
1615         * inspector/agents/InspectorDebuggerAgent.cpp:
1616         (Inspector::InspectorDebuggerAgent::didPause):
1617         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
1618         (Inspector::InspectorDebuggerAgent::didContinue):
1619         * inspector/agents/InspectorHeapAgent.cpp:
1620         (Inspector::InspectorHeapAgent::snapshot):
1621         (Inspector::InspectorHeapAgent::willGarbageCollect):
1622         (Inspector::InspectorHeapAgent::didGarbageCollect):
1623         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1624         (Inspector::InspectorScriptProfilerAgent::startTracking):
1625         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
1626         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
1627         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1628         * runtime/SamplingProfiler.h:
1629         * runtime/SamplingProfiler.cpp:
1630         (JSC::SamplingProfiler::SamplingProfiler):
1631         * runtime/VM.h:
1632         * runtime/VM.cpp:
1633         (JSC::VM::ensureSamplingProfiler):
1634
1635 2020-05-05  Ross Kirsling  <ross.kirsling@sony.com>
1636
1637         [ECMA-402] Implement Intl.Locale
1638         https://bugs.webkit.org/show_bug.cgi?id=209772
1639
1640         Reviewed by Darin Adler and Saam Barati.
1641
1642         This patch implements the recent ECMA-402 feature Intl.Locale.
1643
1644         This is effectively a wrapper class for all the pieces of uloc.h that ECMA-402 cares about.
1645         (If we used the C++ API, there's a LocaleBuilder that would make this much easier, but in sticking to the C API,
1646         it's basically an object that has an ICU localeID as data and uloc_* functions as methods / getters.
1647         Furthermore, there's no way to modify said data, so every method / getter can be lazy and cache its result.)
1648
1649         Usage example:
1650           >>> locale = new Intl.Locale('ja', { region: 'JP', calendar: 'japanese', numeric: false })
1651           "ja-JP-u-ca-japanese-kn-false"
1652           >>> locale.baseName
1653           "ja-JP"
1654
1655         Intl.Locale can be used anywhere that Intl APIs accept locale strings as input parameters,
1656         and is moreover hoped to be the class by which future Web APIs will handle the current locale.
1657
1658         This feature is runtime-guarded by the `useIntlLocale` option.
1659
1660         * CMakeLists.txt:
1661         * DerivedSources-input.xcfilelist:
1662         * DerivedSources-output.xcfilelist:
1663         * DerivedSources.make:
1664         * JavaScriptCore.xcodeproj/project.pbxproj:
1665         * Sources.txt:
1666         * runtime/CommonIdentifiers.h:
1667         * runtime/IntlLocale.cpp: Added.
1668         * runtime/IntlLocale.h: Added.
1669         * runtime/IntlLocaleConstructor.cpp: Added.
1670         * runtime/IntlLocaleConstructor.h: Added.
1671         * runtime/IntlLocalePrototype.cpp: Added.
1672         * runtime/IntlLocalePrototype.h: Added.
1673         * runtime/IntlObject.cpp:
1674         (JSC::IntlObject::finishCreation):
1675         (JSC::localeIDBufferForLanguageTag): Added.
1676         (JSC::languageTagForLocaleID): Renamed from JSC::convertICULocaleToBCP47LanguageTag.
1677         (JSC::intlAvailableLocales):
1678         (JSC::intlCollatorAvailableLocales):
1679         (JSC::canonicalizeLanguageTag):
1680         (JSC::canonicalizeLocaleList):
1681         (JSC::defaultLocale):
1682         * runtime/IntlObject.h:
1683         * runtime/JSGlobalObject.cpp:
1684         (JSC::JSGlobalObject::init):
1685         (JSC::JSGlobalObject::visitChildren):
1686         * runtime/JSGlobalObject.h:
1687         (JSC::JSGlobalObject::collatorStructure):
1688         (JSC::JSGlobalObject::numberFormatStructure):
1689         (JSC::JSGlobalObject::localeStructure):
1690         * runtime/OptionsList.h:
1691         * runtime/VM.cpp:
1692         (JSC::VM::VM):
1693         * runtime/VM.h:
1694
1695 2020-05-05  Keith Miller  <keith_miller@apple.com>
1696
1697         clobberize validator should use branchTest8 directly.
1698         https://bugs.webkit.org/show_bug.cgi?id=211469
1699
1700         Reviewed by Yusuke Suzuki.
1701
1702         * dfg/DFGSpeculativeJIT.cpp:
1703         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1704
1705 2020-05-05  Yusuke Suzuki  <ysuzuki@apple.com>
1706
1707         [JSC] Implement BigInt.asIntN and BigInt.asUintN
1708         https://bugs.webkit.org/show_bug.cgi?id=181144
1709
1710         Reviewed by Darin Adler.
1711
1712         This patch implements BigInt.asIntN[1] and BigInt.asUintN[2] features.
1713         As with the other BigInt runtime C++ code, we port V8 code to JSC to implement both.
1714
1715         BigInt.asIntN is `static_cast<intN_t>(BigInt value)` and BigInt.asUintN is `static_cast<uintN_t>(BigInt value)`.
1716         They take a slice of N bits from the two's complement representation of the given BigInt. The difference between
1717         asIntN and asUintN is that asIntN interprets the MSB as the sign.
1718
1719         This patch was once rolled out due to an ARM64_32 build failure, which was caused by an existing bug[3]. Relanding it
1720         since it is now fixed.
1721
1722         [1]: https://tc39.es/ecma262/#sec-bigint.asintn
1723         [2]: https://tc39.es/ecma262/#sec-bigint.asuintn
1724         [3]: https://trac.webkit.org/changeset/261174/webkit
1725
1726         * runtime/BigIntConstructor.cpp:
1727         (JSC::toBigInt):
1728         (JSC::bigIntConstructorFuncAsUintN):
1729         (JSC::bigIntConstructorFuncAsIntN):
1730         * runtime/JSBigInt.cpp:
1731         (JSC::zeroImpl):
1732         (JSC::JSBigInt::divideImpl):
1733         (JSC::JSBigInt::unaryMinusImpl):
1734         (JSC::JSBigInt::remainderImpl):
1735         (JSC::JSBigInt::digitDiv):
1736         (JSC::JSBigInt::absoluteSub):
1737         (JSC::JSBigInt::asIntNImpl):
1738         (JSC::JSBigInt::asUintNImpl):
1739         (JSC::JSBigInt::truncateToNBits):
1740         (JSC::JSBigInt::truncateAndSubFromPowerOfTwo):
1741         (JSC::JSBigInt::asIntN):
1742         (JSC::JSBigInt::asUintN):
1743         * runtime/JSBigInt.h:
1744
1745 2020-05-05  Ross Kirsling  <ross.kirsling@sony.com>
1746
1747         [Intl] Alphabetize extension keys and correctly mark const methods
1748         https://bugs.webkit.org/show_bug.cgi?id=211359
1749
1750         Reviewed by Darin Adler.
1751
1752         Two cleanup items for Intl classes:
1753
1754         1. Ensure `resolvedOptions().locale` returns relevant extension keys in alphabetical order.
1755            ICU does this for us via Intl.getCanonicalLocales / Intl.*.supportedLocalesOf but not via ResolveLocale.
1756            However, we don't need to do any sorting in ResolveLocale; we can just pre-alphabetize relevantExtensionKeys.
1757            (See also https://github.com/tc39/ecma402/pull/433.)
1758
1759         2. Ensure Intl classes are marking const methods correctly.
1760
1761         * runtime/IntlCollator.cpp:
1762         (JSC::IntlCollator::sortLocaleData):
1763         (JSC::IntlCollator::searchLocaleData):
1764         (JSC::IntlCollator::compareStrings const): Add const specifier.
1765         (JSC::IntlCollator::resolvedOptions const): Add const specifier.
1766         * runtime/IntlCollator.h:
1767         * runtime/IntlDateTimeFormat.cpp:
1768         (JSC::IntlDateTimeFormat::localeData):
1769         (JSC::IntlDateTimeFormat::resolvedOptions const): Add const specifier.
1770         (JSC::IntlDateTimeFormat::format const): Add const specifier.
1771         (JSC::IntlDateTimeFormat::formatToParts const): Add const specifier.
1772         * runtime/IntlDateTimeFormat.h:
1773         * runtime/IntlNumberFormat.cpp:
1774         (JSC::IntlNumberFormat::format const): Add const specifier.
1775         (JSC::IntlNumberFormat::resolvedOptions const): Add const specifier.
1776         (JSC::IntlNumberFormat::formatToParts const): Add const specifier.
1777         * runtime/IntlNumberFormat.h:
1778         * runtime/IntlPluralRules.cpp:
1779         (JSC::IntlPluralRules::resolvedOptions const): Add const specifier.
1780         (JSC::IntlPluralRules::select const): Add const specifier.
1781         * runtime/IntlPluralRules.h:
1782         * runtime/IntlRelativeTimeFormat.cpp:
1783         (JSC::IntlRelativeTimeFormat::resolvedOptions const): Add const specifier.
1784         (JSC::IntlRelativeTimeFormat::formatInternal const): Add const specifier.
1785         (JSC::IntlRelativeTimeFormat::format const): Add const specifier.
1786         (JSC::IntlRelativeTimeFormat::formatToParts const): Add const specifier.
1787         * runtime/IntlRelativeTimeFormat.h:
1788
1789 2020-05-05  Keith Miller  <keith_miller@apple.com>
1790
1791         Add Clobberize validator for clobber top.
1792         https://bugs.webkit.org/show_bug.cgi?id=209432
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         * assembler/MacroAssemblerARMv7.h:
1797         (JSC::MacroAssemblerARMv7::scratchRegister):
1798         * assembler/MacroAssemblerMIPS.h:
1799         (JSC::MacroAssemblerMIPS::scratchRegister):
1800         * dfg/DFGClobberize.h:
1801         (JSC::DFG::clobberize):
1802         * dfg/DFGSpeculativeJIT.cpp:
1803         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1804         * dfg/DFGSpeculativeJIT64.cpp:
1805         * ftl/FTLLowerDFGToB3.cpp:
1806         (JSC::FTL::DFG::LowerDFGToB3::lower):
1807         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
1808         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1809         * interpreter/Interpreter.cpp:
1810         (JSC::eval):
1811         (JSC::Interpreter::executeProgram):
1812         (JSC::Interpreter::executeCall):
1813         (JSC::Interpreter::executeConstruct):
1814         (JSC::Interpreter::execute):
1815         (JSC::Interpreter::executeModuleProgram):
1816         * jit/JITCodeInlines.h:
1817         (JSC::JITCode::execute):
1818         * llint/LLIntThunks.h:
1819         (JSC::vmEntryToWasm):
1820         * runtime/OptionsList.h:
1821         * runtime/VM.h:
1822
1823 2020-05-05  Mark Lam  <mark.lam@apple.com>
1824
1825         Allow Bitmap to use up to a UCPURegister word size for internal bit storage.
1826         https://bugs.webkit.org/show_bug.cgi?id=211328
1827         <rdar://problem/62755865>
1828
1829         Reviewed by Yusuke Suzuki.
1830
1831         * assembler/CPU.h:
1832
1833 2020-05-05  Keith Miller  <keith_miller@apple.com>
1834
1835         iterator_open should remap the symbolIterator argument correctly when inlined.
1836         https://bugs.webkit.org/show_bug.cgi?id=211308
1837         <rdar://problem/62287877>
1838
1839         Reviewed by Mark Lam.
1840
1841         * dfg/DFGByteCodeParser.cpp:
1842         (JSC::DFG::ByteCodeParser::parseBlock):
1843
1844 2020-05-05  Yusuke Suzuki  <ysuzuki@apple.com>
1845
1846         [JSC] JSBigInt::maxLengthBits and JSBigInt::maxLength are wrong
1847         https://bugs.webkit.org/show_bug.cgi?id=211445
1848
1849         Reviewed by Mark Lam.
1850
1851         JSBigInt::maxLengthBits and JSBigInt::maxLength definitions are wrong.
1852
1853         1. We are defining maxLength and maxLengthBits as values unrelated to each other. This is wrong.
1854            maxLength should be defined as maxLengthBits / (sizeof(Digit) * bitsPerByte).
1855         2. We use `sizeof(void*)` and assume that `sizeof(Digit) == sizeof(void*)`. This is wrong in ARM64_32 environment
1856            where Digit size is sizeof(uint64_t) while the pointer size is sizeof(uint32_t). This causes compile errors in ARM64_32
1857            when the code is using these values with static_assert.
1858
1859         * runtime/JSBigInt.h:
1860
1861 2020-05-05  Yusuke Suzuki  <ysuzuki@apple.com>
1862
1863         Unreviewed, reverting r261156.
1864
1865         Break ARM64_32 build due to existing bug
1866
1867         Reverted changeset:
1868
1869         "[JSC] Implement BigInt.asIntN and BigInt.asUintN"
1870         https://bugs.webkit.org/show_bug.cgi?id=181144
1871         https://trac.webkit.org/changeset/261156
1872
1873 2020-05-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1874
1875         Object.prototype.toString is not spec-perfect
1876         https://bugs.webkit.org/show_bug.cgi?id=199138
1877
1878         Reviewed by Darin Adler and Keith Miller.
1879
1880         Before ES6, Object.prototype.toString relied only on the internal [[Class]] slot. Starting with ES6,
1881         Object.prototype.toString checks for a handful of internal slots, mimicking [[Class]], to ensure
1882         backwards compatibility for pre-ES6 instances. Newly-added built-ins provide @@toStringTag for
1883         the method to use.
1884
1885         Before this change, Object.prototype.toString in JSC relied on className() a.k.a. [[Class]] for
1886         all instances. For (almost all) new built-ins, it was overridden by toStringName() returning
1887         "Object", while @@toStringTag was set to the correct value. This is quite an error-prone approach
1888         and an observable spec discrepancy if @@toStringTag is deleted or set to a non-string.
1889
1890         This change eliminates the above-mentioned discrepancy and fixes Object.prototype.toString
1891         to return "[object Function]" for callable Proxy objects, aligning JSC with the spec [1], V8,
1892         and SpiderMonkey.
1893
1894         For Object.prototype.toString to work through DebuggerScope and JSProxy, we perform all checks
1895         in JSObject::toStringName(). Given that isArray() may throw a TypeError [2], we invoke
1896         toStringName() before the @@toStringTag lookup to accommodate the revoked Proxy case.
1897
1898         Also, this patch defines @@toStringTag for WebAssembly namespace object (to match Chrome),
1899         JSC shell, and ConsoleObject.
1900
1901         [1]: https://tc39.es/ecma262/#sec-object.prototype.tostring
1902         [2]: https://tc39.es/ecma262/#sec-isarray (step 3.a)
1903
1904         * jsc.cpp:
1905         * runtime/BigIntObject.cpp:
1906         (JSC::BigIntObject::toStringName): Deleted.
1907         * runtime/BigIntObject.h:
1908         * runtime/BooleanObject.cpp:
1909         (JSC::BooleanObject::toStringName):
1910         * runtime/BooleanObject.h:
1911         * runtime/ConsoleObject.cpp:
1912         (JSC::ConsoleObject::finishCreation):
1913         * runtime/DateInstance.cpp:
1914         (JSC::DateInstance::toStringName):
1915         * runtime/DateInstance.h:
1916         * runtime/ErrorInstance.cpp:
1917         (JSC::ErrorInstance::toStringName):
1918         * runtime/ErrorInstance.h:
1919         * runtime/JSArrayBufferView.cpp:
1920         (JSC::JSArrayBufferView::toStringName): Deleted.
1921         * runtime/JSArrayBufferView.h:
1922         * runtime/JSMap.cpp:
1923         (JSC::JSMap::toStringName): Deleted.
1924         * runtime/JSMap.h:
1925         * runtime/JSObject.cpp:
1926         (JSC::JSObject::toStringName):
1927         * runtime/JSSet.cpp:
1928         (JSC::JSSet::toStringName): Deleted.
1929         * runtime/JSSet.h:
1930         * runtime/JSWeakMap.cpp:
1931         (JSC::JSWeakMap::toStringName): Deleted.
1932         * runtime/JSWeakMap.h:
1933         * runtime/JSWeakObjectRef.cpp:
1934         (JSC::JSWeakObjectRef::toStringName): Deleted.
1935         * runtime/JSWeakObjectRef.h:
1936         * runtime/JSWeakSet.cpp:
1937         (JSC::JSWeakSet::toStringName): Deleted.
1938         * runtime/JSWeakSet.h:
1939         * runtime/NumberObject.cpp:
1940         (JSC::NumberObject::toStringName):
1941         * runtime/NumberObject.h:
1942         * runtime/ObjectPrototype.cpp:
1943         (JSC::objectProtoFuncToString):
1944         * runtime/ProxyObject.cpp:
1945         (JSC::ProxyObject::toStringName): Deleted.
1946         * runtime/ProxyObject.h:
1947         * runtime/RegExpObject.cpp:
1948         (JSC::RegExpObject::toStringName):
1949         * runtime/RegExpObject.h:
1950         * runtime/StringObject.cpp:
1951         (JSC::StringObject::toStringName):
1952         * runtime/StringObject.h:
1953         * runtime/SymbolObject.cpp:
1954         (JSC::SymbolObject::toStringName): Deleted.
1955         * runtime/SymbolObject.h:
1956         * wasm/js/JSWebAssembly.cpp:
1957         (JSC::JSWebAssembly::finishCreation):
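
The spec algorithm this entry describes, as an added example that is not JSC's code: a JavaScript model of ES2020 Object.prototype.toString in which builtinTag comes from brand checks on internal slots and @@toStringTag only replaces it when it is a string, cross-checked against the engine's native implementation. The helper names are mine; "Error" is approximated with instanceof and "Arguments" is left out because ECMAScript exposes no public brand check for those slots.

```javascript
'use strict';

// Brand check: the built-in `probe` throws a TypeError unless its receiver
// carries the internal slot it needs, which is the closest public stand-in
// for the spec's "O has a [[BooleanData]] internal slot" style checks.
function hasSlot(probe, value) {
  try {
    probe.call(value);
    return true;
  } catch (e) {
    return false;
  }
}

// RegExp.prototype.source throws for any receiver without [[OriginalSource]]
// except %RegExp.prototype% itself, so that one object is excluded by hand.
const regExpSourceGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, 'source').get;

// builtinTag checks in spec order (ES2020 Object.prototype.toString, steps 5-13).
// Assumption: there is no public brand check for [[ParameterMap]] or
// [[ErrorData]], so "Arguments" is not modelled and "Error" falls back to
// instanceof; every other entry is a real internal-slot check.
const BUILTIN_TAG_CHECKS = [
  ['Function', (o) => typeof o === 'function'],                                // [[Call]]
  ['Error', (o) => o instanceof Error],                                        // [[ErrorData]] (approximation)
  ['Boolean', (o) => hasSlot(Boolean.prototype.valueOf, o)],                   // [[BooleanData]]
  ['Number', (o) => hasSlot(Number.prototype.valueOf, o)],                     // [[NumberData]]
  ['String', (o) => hasSlot(String.prototype.valueOf, o)],                     // [[StringData]]
  ['Date', (o) => hasSlot(Date.prototype.getTime, o)],                         // [[DateValue]]
  ['RegExp', (o) => o !== RegExp.prototype && hasSlot(regExpSourceGetter, o)], // [[RegExpMatcher]]
];

// The spec algorithm: builtinTag is derived from internal slots, and
// @@toStringTag only wins when it is a string.
function specObjectToString(value) {
  if (value === undefined) return '[object Undefined]';
  if (value === null) return '[object Null]';
  const O = Object(value);
  // Step 3: IsArray runs before any property lookup and throws a TypeError
  // for a revoked Proxy, so @@toStringTag is never consulted in that case.
  let builtinTag = 'Object';
  if (Array.isArray(O)) {
    builtinTag = 'Array';
  } else {
    const hit = BUILTIN_TAG_CHECKS.find(([, check]) => check(O));
    if (hit) builtinTag = hit[0];
  }
  const tag = O[Symbol.toStringTag];
  return `[object ${typeof tag === 'string' ? tag : builtinTag}]`;
}

// True when the model and the engine's own Object.prototype.toString agree.
function modelMatchesNative(value) {
  return specObjectToString(value) === Object.prototype.toString.call(value);
}

// Constructed cases for the discrepancies the entry describes.
function observableCases() {
  const withTag = (object, tag) => Object.defineProperty(object, Symbol.toStringTag, { value: tag });
  return {
    map: new Map(),                                   // "[object Map]" via Map.prototype[@@toStringTag]
    mapWithNonStringTag: withTag(new Map(), 42),      // non-string tag: Map has no [[Class]]-style slot, so "Object"
    mapWithHiddenTag: withTag(new Map(), undefined),  // tag effectively deleted: same fallback to "Object"
    dateWithNonStringTag: withTag(new Date(0), null), // [[DateValue]] survives a bad tag: "Date"
    callableProxy: new Proxy(function f() {}, {}),    // has [[Call]]: "Function", whatever the target
    arrayProxy: new Proxy([], {}),                    // IsArray sees through the Proxy: "Array"
    plainProxy: new Proxy({}, {}),                    // no slots, no tag: "Object"
  };
}

// Applies `fn` to a revoked Proxy and reports whether it threw a TypeError.
function throwsOnRevokedProxy(fn) {
  const { proxy, revoke } = Proxy.revocable({}, {});
  revoke();
  try {
    fn(proxy);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

for (const [name, value] of Object.entries(observableCases())) {
  console.log(name, specObjectToString(value), modelMatchesNative(value) ? 'matches native' : 'DIFFERS');
}
```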
1958
1959 2020-05-04  Yusuke Suzuki  <ysuzuki@apple.com>
1960
1961         [JSC] Implement BigInt.asIntN and BigInt.asUintN
1962         https://bugs.webkit.org/show_bug.cgi?id=181144
1963
1964         Reviewed by Darin Adler.
1965
1966         This patch implements BigInt.asIntN[1] and BigInt.asUintN[2] features.
1967         As with the other BigInt runtime C++ code, we port V8 code to JSC to implement both.
1968
1969         BigInt.asIntN is `static_cast<intN_t>(BigInt value)` and BigInt.asUintN is `static_cast<uintN_t>(BigInt value)`.
1970         They take a slice of N bits from the two's complement representation of the given BigInt. The difference between
1971         asIntN and asUintN is that asIntN interprets the MSB as the sign.
1972
1973         [1]: https://tc39.es/ecma262/#sec-bigint.asintn
1974         [2]: https://tc39.es/ecma262/#sec-bigint.asuintn
1975
1976         * runtime/BigIntConstructor.cpp:
1977         (JSC::toBigInt):
1978         (JSC::bigIntConstructorFuncAsUintN):
1979         (JSC::bigIntConstructorFuncAsIntN):
1980         * runtime/JSBigInt.cpp:
1981         (JSC::JSBigInt::zeroImpl):
1982         (JSC::JSBigInt::divideImpl):
1983         (JSC::JSBigInt::unaryMinusImpl):
1984         (JSC::JSBigInt::remainderImpl):
1985         (JSC::JSBigInt::digitDiv):
1986         (JSC::JSBigInt::asIntNImpl):
1987         (JSC::JSBigInt::asUintNImpl):
1988         (JSC::JSBigInt::truncateToNBits):
1989         (JSC::JSBigInt::truncateAndSubFromPowerOfTwo):
1990         (JSC::JSBigInt::asIntN):
1991         (JSC::JSBigInt::asUintN):
1992         * runtime/JSBigInt.h:
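
The two's complement slicing this entry (and its relanding earlier in the file) describes, as an added example that is not JSC's code: a JavaScript model of BigInt.asIntN/asUintN built from the truncate and subtract-from-2^N steps named in the file list, cross-checked against the engine's native functions at the fixed-width boundaries where wraparound shows. The function names echo the ChangeLog's truncateToNBits/truncateAndSubFromPowerOfTwo but the code and the sample table are my own.

```javascript
'use strict';

// truncateToNBits: keep only the low N bits of a non-negative magnitude.
function truncateToNBits(bits, magnitude) {
  return magnitude & ((1n << BigInt(bits)) - 1n);
}

// asUintN: the low N bits of value's two's complement form, read back as an
// unsigned integer in [0, 2^N). Mirrors BigInt.asUintN(bits, value).
function asUintN(bits, value) {
  if (!Number.isInteger(bits) || bits < 0) {
    throw new RangeError('bits must be a non-negative integer');
  }
  if (typeof value !== 'bigint') {
    throw new TypeError('value must be a BigInt');
  }
  if (value >= 0n) {
    return truncateToNBits(bits, value);
  }
  // Negative input: two's complement of the truncated magnitude, i.e.
  // 2^N - (|value| mod 2^N), the "truncateAndSubFromPowerOfTwo" step.
  const truncated = truncateToNBits(bits, -value);
  return truncated === 0n ? 0n : (1n << BigInt(bits)) - truncated;
}

// asIntN: the same N-bit slice, but bit N-1 is read as the sign bit, so the
// result lands in [-2^(N-1), 2^(N-1)). Mirrors BigInt.asIntN(bits, value).
function asIntN(bits, value) {
  const unsigned = asUintN(bits, value); // also validates the arguments
  if (bits === 0) {
    return 0n; // zero-width slice: there is no sign bit to read
  }
  const signBit = 1n << BigInt(bits - 1);
  return unsigned >= signBit ? unsigned - (1n << BigInt(bits)) : unsigned;
}

// Cross-check the model against the engine's own BigInt.asIntN/asUintN for
// one (bits, value) pair; true when both results agree.
function agreesWithNative(bits, value) {
  return asUintN(bits, value) === BigInt.asUintN(bits, value)
    && asIntN(bits, value) === BigInt.asIntN(bits, value);
}

// Constructed sample inputs at the boundaries where fixed-width wraparound
// becomes visible (INT8/INT32/INT64 limits, zero width, width 1, wide N).
const SAMPLES = [
  [8, 127n], [8, 128n], [8, 255n], [8, 256n],
  [8, -1n], [8, -128n], [8, -129n], [8, -256n],
  [32, 0xFFFFFFFFn + 1n], [32, -1n],
  [64, 1n << 63n], [64, -(1n << 63n) - 1n], [64, (1n << 64n) + 5n],
  [0, 12345n], [1, 1n], [1, -1n], [200, -1n],
];

// The subset of SAMPLES on which the model and the engine disagree
// (empty on a spec-conformant engine).
function disagreements() {
  return SAMPLES.filter(([bits, value]) => !agreesWithNative(bits, value));
}

console.log(`model disagrees with native on ${disagreements().length} of ${SAMPLES.length} samples`);
```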
1993
1994 2020-05-04  Yusuke Suzuki  <ysuzuki@apple.com>
1995
1996         [JSC] DFG NotCellUse is used without considering about BigInt32
1997         https://bugs.webkit.org/show_bug.cgi?id=211395
1998
1999         Reviewed by Saam Barati.
2000
2001         When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems.
2002
2003         1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case.
2004         2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not
2005            accept BigInt32 since it should throw an error. However, DoubleRep currently assumes that NotCellUse value can be converted to double
2006            without any errors.
2007
2008         To keep DoubleRep's ToNumber semantics, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse
2009         for ValueToInt32 for the same reason.
2010
2011         For CompareXXX and CompareEq nodes, we can optimize them if we introduce a new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since
2012         CompareXXX and CompareEq do not require ToNumber semantics. This should be done in a separate bug https://bugs.webkit.org/show_bug.cgi?id=211407.
2013
2014         * bytecode/SpeculatedType.h:
2015         (JSC::isNotCellNorBigIntSpeculation):
2016         * dfg/DFGAbstractInterpreterInlines.h:
2017         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2018         * dfg/DFGFixupPhase.cpp:
2019         (JSC::DFG::FixupPhase::fixupNode):
2020         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
2021         (JSC::DFG::FixupPhase::fixupChecksInBlock):
2022         * dfg/DFGNode.h:
2023         (JSC::DFG::Node::shouldSpeculateNotCellNorBigInt):
2024         * dfg/DFGSafeToExecute.h:
2025         (JSC::DFG::SafeToExecuteEdge::operator()):
2026         * dfg/DFGSpeculativeJIT.cpp:
2027         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2028         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2029         (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt):
2030         (JSC::DFG::SpeculativeJIT::speculate):
2031         * dfg/DFGSpeculativeJIT.h:
2032         * dfg/DFGUseKind.cpp:
2033         (WTF::printInternal):
2034         * dfg/DFGUseKind.h:
2035         (JSC::DFG::typeFilterFor):
2036         (JSC::DFG::checkMayCrashIfInputIsEmpty):
2037         * ftl/FTLCapabilities.cpp:
2038         (JSC::FTL::canCompile):
2039         * ftl/FTLLowerDFGToB3.cpp:
2040         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2041         (JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32):
2042         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32):
2043         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2044         (JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt):
2045         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted.
2046
2047 2020-05-04  Yusuke Suzuki  <ysuzuki@apple.com>
2048
2049         [JSC] Add @@toStringTag to WebAssembly.Global
2050         https://bugs.webkit.org/show_bug.cgi?id=211372
2051
2052         Reviewed by Sam Weinig.
2053
2054         As r260992 did for the other wasm prototypes, we should put @@toStringTag on WebAssembly.Global's prototype too.
2055
2056         * wasm/js/WebAssemblyGlobalPrototype.cpp:
2057         (JSC::WebAssemblyGlobalPrototype::finishCreation):
2058
2059 2020-05-04  Devin Rousso  <drousso@apple.com>
2060
2061         Web Inspector: Worker: should use the name of the worker if it exists
2062         https://bugs.webkit.org/show_bug.cgi?id=211244
2063
2064         Reviewed by Brian Burg.
2065
2066         * inspector/protocol/Worker.json:
2067         Include the `name` in `Worker.workerCreated`.
2068
2069 2020-05-04  Devin Rousso  <drousso@apple.com>
2070
2071         Web Inspector: provide a way for inspector to turn on/off ITP debug mode and AdClickAttribution debug mode
2072         https://bugs.webkit.org/show_bug.cgi?id=209763
2073
2074         Reviewed by Brian Burg.
2075
2076         * inspector/protocol/Page.json:
2077         Add new enum values to `Page.Setting`:
2078          - `AdClickAttributionDebugModeEnabled`
2079          - `ITPDebugModeEnabled`
2080
2081 2020-05-03  Maciej Stachowiak  <mjs@apple.com>
2082
2083         Remove no longer needed WebKitAdditions include for JavaScriptCorePrefix.h
2084         https://bugs.webkit.org/show_bug.cgi?id=211357
2085
2086         Reviewed by Mark Lam.
2087
2088         * JavaScriptCorePrefix.h:
2089
2090 2020-05-02  Mark Lam  <mark.lam@apple.com>
2091
2092         Gardening: rolling out r261050 and r261051.
2093         https://bugs.webkit.org/show_bug.cgi?id=211328
2094         <rdar://problem/62755865>
2095
2096         Not reviewed.
2097
2098         * assembler/CPU.h:
2099
2100 2020-05-01  Mark Lam  <mark.lam@apple.com>
2101
2102         Allow Bitmap to use up to a UCPURegister word size for internal bit storage.
2103         https://bugs.webkit.org/show_bug.cgi?id=211328
2104         <rdar://problem/62755865>
2105
2106         Reviewed by Yusuke Suzuki.
2107
2108         * assembler/CPU.h:
2109
2110 2020-05-01  Saam Barati  <sbarati@apple.com>
2111
2112         Have a thread local cache for the Wasm LLInt bytecode buffer
2113         https://bugs.webkit.org/show_bug.cgi?id=211317
2114
2115         Reviewed by Filip Pizlo and Mark Lam.
2116
2117         One of the main things slowing down Wasm compile times is the banging
2118         on bmalloc's global heap lock. This patch makes it so for the bytecode
2119         instruction buffer, we keep a thread local cache with the latest capacity
2120         the thread needed to compile. This makes it so that in the average case,
2121         we only do one malloc at the end of a compile to memcpy the final result.
2122         
2123         We clear these thread local caches when the WasmWorklist's automatic thread's
2124         underlying machine thread is destroyed.
2125         
2126         This is a 15% speedup in zen garden compile times on a 16-core Mac Pro.
2127         This is a 4-5% speedup in zen garden compile times on a 6-core MBP.
2128
2129         * bytecode/InstructionStream.h:
2130         (JSC::InstructionStreamWriter::setInstructionBuffer):
2131         (JSC::InstructionStreamWriter::finalize):
2132         * wasm/WasmLLIntGenerator.cpp:
2133         (JSC::Wasm::threadSpecificBuffer):
2134         (JSC::Wasm::clearLLIntThreadSpecificCache):
2135         (JSC::Wasm::LLIntGenerator::LLIntGenerator):
2136         (JSC::Wasm::LLIntGenerator::finalize):
2137         * wasm/WasmLLIntGenerator.h:
2138         * wasm/WasmWorklist.cpp:
2139
2140 2020-05-01  Per Arne Vollan  <pvollan@apple.com>
2141
2142         [Win] Fix AppleWin build
2143         https://bugs.webkit.org/show_bug.cgi?id=211324
2144
2145         Reviewed by Don Olmstead.
2146
2147         Check if target WTF_CopyHeaders exists before using it.
2148
2149         * CMakeLists.txt:
2150
2151 2020-05-01  Don Olmstead  <don.olmstead@sony.com>
2152
2153         [GTK] Add additional exports to support hidden visibility
2154         https://bugs.webkit.org/show_bug.cgi?id=211246
2155
2156         Reviewed by Michael Catanzaro.
2157
2158         * API/glib/JSCContextPrivate.h:
2159         * API/glib/JSCValuePrivate.h:
2160         * inspector/remote/glib/RemoteInspectorServer.h:
2161         * inspector/remote/glib/RemoteInspectorUtils.h:
2162
2163 2020-05-01  Don Olmstead  <don.olmstead@sony.com>
2164
2165         Use export macros on all platforms
2166         https://bugs.webkit.org/show_bug.cgi?id=211293
2167
2168         Reviewed by Michael Catanzaro.
2169
2170         Allow overriding of JS_EXPORT_PRIVATE if desired otherwise use the defaults.
2171
2172         * runtime/JSExportMacros.h:
2173
2174 2020-05-01  Saam Barati  <sbarati@apple.com>
2175
2176         Unreviewed. Non-speculative build fix for watchOS build.
2177
2178         * runtime/ArrayPrototype.cpp:
2179         (JSC::shift):
2180         (JSC::unshift):
2181         (JSC::arrayProtoFuncToLocaleString):
2182         (JSC::arrayProtoFuncReverse):
2183         (JSC::arrayProtoFuncSlice):
2184         (JSC::arrayProtoFuncSplice):
2185         * runtime/JSONObject.cpp:
2186         (JSC::Stringifier::Stringifier):
2187
2188 2020-05-01  Saam Barati  <sbarati@apple.com>
2189
2190         Unreviewed. Speculative build fix for watchOS build.
2191
2192         * runtime/ArrayPrototype.cpp:
2193         (JSC::shift):
2194
2195 2020-05-01  Alexey Shvayka  <shvaikalesh@gmail.com>
2196
2197         [WebIDL] Interface prototype objects should define @@toStringTag
2198         https://bugs.webkit.org/show_bug.cgi?id=211020
2199
2200         Unreviewed follow-up to r260992.
2201
2202         * runtime/JSArrayBufferPrototype.cpp:
2203         (JSC::JSArrayBufferPrototype::finishCreation): Revert change in attempt to fix ARMv7 test.
2204
2205 2020-05-01  David Kilzer  <ddkilzer@apple.com>
2206
2207         JSC::PropertySlot::m_attributes is uninitialized in constructor
2208         <https://webkit.org/b/211267>
2209
2210         Reviewed by Mark Lam.
2211
2212         * runtime/PropertySlot.h:
2213         (JSC::PropertySlot::PropertySlot):
2214         - Initialize m_attributes and m_additionalData, and make use of
2215           default initializers.
2216
2217 2020-05-01  Alexey Shvayka  <shvaikalesh@gmail.com>
2218
2219         [WebIDL] Interface prototype objects should define @@toStringTag
2220         https://bugs.webkit.org/show_bug.cgi?id=211020
2221
2222         Reviewed by Darin Adler.
2223
2224         WebIDL spec was recently updated [1] to define @@toStringTag on interface prototype objects.
2225         This change aligns WebIDL with ECMA-262 built-ins and Blink's behavior. Gecko has also
2226         expressed implementation commitment.
2227
2228         This patch implements the spec change, making `X.prototype.toString()` return "[object X]"
2229         instead of "[object XPrototype]", where X is a WebIDL interface. This behavior is proven to
2230         be web compatible (shipping in Chrome since Q2 2016) and matches class strings of iterator
2231         prototype objects [2] introduced in r253855.
2232
2233         We define @@toStringTag for all WebAssembly interfaces but Error subclasses since they
2234         are not defined using WebIDL [3].
2235
2236         This change also introduces the JSC_TO_STRING_TAG_WITHOUT_TRANSITION() macro that sets up
2237         @@toStringTag using ClassInfo to avoid extra string creation, ensuring `className` equality
2238         between prototype and instance classes (fixing a few discrepancies), as well as correct
2239         descriptors. It also ensures using the faster jsNontrivialString() and relieves us from putting
2240         more code into CodeGeneratorJS.pm.
2241
2242         [1]: https://github.com/heycam/webidl/pull/357
2243         [2]: https://heycam.github.io/webidl/#es-iterator-prototype-object
2244         [3]: https://webassembly.github.io/spec/js-api/#error-objects
2245
2246         Tests: imported/w3c/web-platform-tests/wasm/jsapi/instance/toString.any.js
2247                imported/w3c/web-platform-tests/wasm/jsapi/memory/toString.any.js
2248                imported/w3c/web-platform-tests/wasm/jsapi/module/toString.any.js
2249                imported/w3c/web-platform-tests/wasm/jsapi/table/toString.any.js
2250
2251         * runtime/ArrayIteratorPrototype.cpp:
2252         (JSC::ArrayIteratorPrototype::finishCreation):
2253         * runtime/AsyncFunctionPrototype.cpp:
2254         (JSC::AsyncFunctionPrototype::finishCreation):
2255         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2256         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2257         * runtime/AsyncGeneratorPrototype.cpp:
2258         (JSC::AsyncGeneratorPrototype::finishCreation):
2259         * runtime/BigIntPrototype.cpp:
2260         (JSC::BigIntPrototype::finishCreation):
2261         * runtime/GeneratorFunctionPrototype.cpp:
2262         (JSC::GeneratorFunctionPrototype::finishCreation):
2263         * runtime/GeneratorPrototype.cpp:
2264         (JSC::GeneratorPrototype::finishCreation):
2265         * runtime/IntlCollatorPrototype.cpp:
2266         (JSC::IntlCollatorPrototype::finishCreation):
2267         * runtime/IntlDateTimeFormatPrototype.cpp:
2268         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2269         * runtime/IntlNumberFormatPrototype.cpp:
2270         (JSC::IntlNumberFormatPrototype::finishCreation):
2271         * runtime/IntlPluralRulesPrototype.cpp:
2272         (JSC::IntlPluralRulesPrototype::finishCreation):
2273         * runtime/IntlRelativeTimeFormatPrototype.cpp:
2274         (JSC::IntlRelativeTimeFormatPrototype::finishCreation):
2275         * runtime/JSArrayBufferPrototype.cpp:
2276         (JSC::JSArrayBufferPrototype::finishCreation):
2277         * runtime/JSDataViewPrototype.cpp:
2278         (JSC::JSDataViewPrototype::finishCreation):
2279         * runtime/JSONObject.cpp:
2280         (JSC::JSONObject::finishCreation):
2281         * runtime/JSObject.h:
2282         * runtime/JSPromisePrototype.cpp:
2283         (JSC::JSPromisePrototype::finishCreation):
2284         * runtime/MapIteratorPrototype.cpp:
2285         (JSC::MapIteratorPrototype::finishCreation):
2286         * runtime/MapPrototype.cpp:
2287         (JSC::MapPrototype::finishCreation):
2288         * runtime/MathObject.cpp:
2289         (JSC::MathObject::finishCreation):
2290         * runtime/RegExpStringIteratorPrototype.cpp:
2291         (JSC::RegExpStringIteratorPrototype::finishCreation):
2292         * runtime/SetIteratorPrototype.cpp:
2293         (JSC::SetIteratorPrototype::finishCreation):
2294         * runtime/SetPrototype.cpp:
2295         (JSC::SetPrototype::finishCreation):
2296         * runtime/StringIteratorPrototype.cpp:
2297         (JSC::StringIteratorPrototype::finishCreation):
2298         * runtime/SymbolPrototype.cpp:
2299         (JSC::SymbolPrototype::finishCreation):
2300         * runtime/WeakMapPrototype.cpp:
2301         (JSC::WeakMapPrototype::finishCreation):
2302         * runtime/WeakObjectRefPrototype.cpp:
2303         (JSC::WeakObjectRefPrototype::finishCreation):
2304         * runtime/WeakSetPrototype.cpp:
2305         (JSC::WeakSetPrototype::finishCreation):
2306         * wasm/js/WebAssemblyInstancePrototype.cpp:
2307         (JSC::WebAssemblyInstancePrototype::finishCreation):
2308         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2309         (JSC::WebAssemblyMemoryPrototype::finishCreation):
2310         * wasm/js/WebAssemblyModulePrototype.cpp:
2311         (JSC::WebAssemblyModulePrototype::finishCreation):
2312         * wasm/js/WebAssemblyTablePrototype.cpp:
2313         (JSC::WebAssemblyTablePrototype::finishCreation):
2314
2315 2020-05-01  Saam Barati  <sbarati@apple.com>
2316
2317         We can't cast toLength result to unsigned
2318         https://bugs.webkit.org/show_bug.cgi?id=211205
2319         <rdar://problem/62625562>
2320
2321         Reviewed by Yusuke Suzuki.
2322
2323         toLength, according to the spec, returns a 53-bit integer. In our
2324         implementation, we return a double. However, there were many callsites
2325         that did something like:
2326         ```
2327         unsigned length = toLength(obj);
2328         ```
2329         
2330         This is bad for a few reasons:
2331         - Casting to unsigned from double is undefined behavior when the integer
2332         is greater than UINT_MAX. In practice, this means that we'd have different
2333         engine behavior depending on what architecture we'd be running on. For
2334         example, if the length were UINT_MAX + 1, on x86, we'd treat the
2335         length as zero. On arm64, we'd treat it as UINT_MAX. Both are wrong.
2336         - We weren't spec compliant. We were just ignoring that these numbers could
2337         be 53-bit integers.
2338         
2339         This patch addresses each bad use of the undefined behavior, and by doing so,
2340         makes us more spec compliant.
2341
2342         * dfg/DFGOperations.cpp:
2343         * jit/JITOperations.cpp:
2344         (JSC::getByVal):
2345         * runtime/ArrayPrototype.cpp:
2346         (JSC::getProperty):
2347         (JSC::setLength):
2348         (JSC::argumentClampedIndexFromStartOrEnd):
2349         (JSC::shift):
2350         (JSC::unshift):
2351         (JSC::arrayProtoFuncToLocaleString):
2352         (JSC::arrayProtoFuncPop):
2353         (JSC::arrayProtoFuncPush):
2354         (JSC::arrayProtoFuncReverse):
2355         (JSC::arrayProtoFuncShift):
2356         (JSC::arrayProtoFuncSlice):
2357         (JSC::arrayProtoFuncSplice):
2358         (JSC::arrayProtoFuncUnShift):
2359         (JSC::fastIndexOf):
2360         (JSC::arrayProtoFuncIndexOf):
2361         (JSC::arrayProtoFuncLastIndexOf):
2362         * runtime/Identifier.h:
2363         (JSC::Identifier::from):
2364         * runtime/IntlObject.cpp:
2365         (JSC::canonicalizeLocaleList):
2366         * runtime/JSONObject.cpp:
2367         (JSC::Stringifier::Stringifier):
2368         (JSC::Stringifier::Holder::appendNextProperty):
2369         (JSC::Walker::walk):
2370         * runtime/JSObject.cpp:
2371         (JSC::JSObject::hasProperty const):
2372         * runtime/JSObject.h:
2373         (JSC::JSObject::putByIndexInline):
2374         (JSC::JSObject::putDirectIndex):
2375         (JSC::JSObject::canGetIndexQuickly const):
2376         (JSC::JSObject::tryGetIndexQuickly const):
2377         * runtime/JSObjectInlines.h:
2378         (JSC::JSObject::getPropertySlot):
2379         (JSC::JSObject::deleteProperty):
2380         (JSC::JSObject::get const):
2381         * runtime/PropertySlot.h:
2382         (JSC::PropertySlot::getValue const):
2383         * tools/JSDollarVM.cpp:
2384         (JSC::functionSetUserPreferredLanguages):
2385
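The conversion problem the entry describes, as an added C++ example that is not JSC's code: `toLength`, `tryNarrowLength`, `lengthAsUint64` and `clampedIndexFromStartOrEnd` are stand-ins written for this example (the last is modelled on the spec's relative-index clamping used by slice/splice), not the JSC functions of similar names. The point is that a length of UINT_MAX + 1 or a very large negative index is handled by an explicit range check or by staying in 64-bit arithmetic, never by a double-to-unsigned cast whose result the entry notes differs between x86 and arm64:

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <limits>

// ECMAScript ToLength on an already-numeric value: NaN and negatives become 0,
// everything else is truncated and clamped to 2^53 - 1. Returned as double, as in JSC.
double toLength(double value)
{
    if (std::isnan(value) || value <= 0)
        return 0;
    constexpr double maxSafeInteger = 9007199254740991.0; // 2^53 - 1
    return std::min(std::trunc(value), maxSafeInteger);
}

// `unsigned length = toLength(obj);` is undefined behaviour whenever the double is
// above UINT_MAX. A narrowing that refuses instead of guessing: the caller gets
// `false` and has to take a path that works on the full 53-bit range.
bool tryNarrowLength(double length, unsigned& out)
{
    constexpr double unsignedMax = static_cast<double>(std::numeric_limits<unsigned>::max());
    if (!(length >= 0 && length <= unsignedMax)) // also false for NaN
        return false;
    out = static_cast<unsigned>(length);
    return true;
}

// uint64_t holds every ToLength result exactly, so this conversion is always defined.
uint64_t lengthAsUint64(double value)
{
    return static_cast<uint64_t>(toLength(value));
}

// Relative-index clamping as used by slice/splice: negative indices count from the
// end and the result always lies in [0, length]. Done in double so that neither a
// length above UINT_MAX nor a hugely negative argument can wrap. `length` is assumed
// to be a toLength result.
uint64_t clampedIndexFromStartOrEnd(double relativeIndex, double length)
{
    if (std::isnan(relativeIndex))
        relativeIndex = 0; // ToIntegerOrInfinity(NaN) is 0
    double clamped = relativeIndex < 0
        ? std::max(length + std::trunc(relativeIndex), 0.0)
        : std::min(std::trunc(relativeIndex), length);
    return static_cast<uint64_t>(clamped);
}
```

The value of the checked narrowing is that it turns a silently architecture-dependent result into a visible failure at the call site; when a fast path genuinely needs a 32-bit index, it can take it only after `tryNarrowLength` succeeds, and fall back to 64-bit arithmetic otherwise.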
2386 2020-04-30  Ross Kirsling  <ross.kirsling@sony.com>
2387
2388         TriState should be an enum class and use "Indeterminate" instead of "Mixed"
2389         https://bugs.webkit.org/show_bug.cgi?id=211268
2390
2391         Reviewed by Mark Lam.
2392
2393         * b3/B3Const32Value.cpp:
2394         (JSC::B3::Const32Value::equalConstant const):
2395         (JSC::B3::Const32Value::notEqualConstant const):
2396         (JSC::B3::Const32Value::lessThanConstant const):
2397         (JSC::B3::Const32Value::greaterThanConstant const):
2398         (JSC::B3::Const32Value::lessEqualConstant const):
2399         (JSC::B3::Const32Value::greaterEqualConstant const):
2400         (JSC::B3::Const32Value::aboveConstant const):
2401         (JSC::B3::Const32Value::belowConstant const):
2402         (JSC::B3::Const32Value::aboveEqualConstant const):
2403         (JSC::B3::Const32Value::belowEqualConstant const):
2404         * b3/B3Const64Value.cpp:
2405         (JSC::B3::Const64Value::equalConstant const):
2406         (JSC::B3::Const64Value::notEqualConstant const):
2407         (JSC::B3::Const64Value::lessThanConstant const):
2408         (JSC::B3::Const64Value::greaterThanConstant const):
2409         (JSC::B3::Const64Value::lessEqualConstant const):
2410         (JSC::B3::Const64Value::greaterEqualConstant const):
2411         (JSC::B3::Const64Value::aboveConstant const):
2412         (JSC::B3::Const64Value::belowConstant const):
2413         (JSC::B3::Const64Value::aboveEqualConstant const):
2414         (JSC::B3::Const64Value::belowEqualConstant const):
2415         * b3/B3ConstDoubleValue.cpp:
2416         (JSC::B3::ConstDoubleValue::equalConstant const):
2417         (JSC::B3::ConstDoubleValue::notEqualConstant const):
2418         (JSC::B3::ConstDoubleValue::lessThanConstant const):
2419         (JSC::B3::ConstDoubleValue::greaterThanConstant const):
2420         (JSC::B3::ConstDoubleValue::lessEqualConstant const):
2421         (JSC::B3::ConstDoubleValue::greaterEqualConstant const):
2422         (JSC::B3::ConstDoubleValue::equalOrUnorderedConstant const):
2423         * b3/B3ConstFloatValue.cpp:
2424         (JSC::B3::ConstFloatValue::equalConstant const):
2425         (JSC::B3::ConstFloatValue::notEqualConstant const):
2426         (JSC::B3::ConstFloatValue::lessThanConstant const):
2427         (JSC::B3::ConstFloatValue::greaterThanConstant const):
2428         (JSC::B3::ConstFloatValue::lessEqualConstant const):
2429         (JSC::B3::ConstFloatValue::greaterEqualConstant const):
2430         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant const):
2431         * b3/B3Procedure.cpp:
2432         (JSC::B3::Procedure::addBoolConstant):
2433         * b3/B3Procedure.h:
2434         * b3/B3ReduceStrength.cpp:
2435         * b3/B3Value.cpp:
2436         (JSC::B3::Value::equalConstant const):
2437         (JSC::B3::Value::notEqualConstant const):
2438         (JSC::B3::Value::lessThanConstant const):
2439         (JSC::B3::Value::greaterThanConstant const):
2440         (JSC::B3::Value::lessEqualConstant const):
2441         (JSC::B3::Value::greaterEqualConstant const):
2442         (JSC::B3::Value::aboveConstant const):
2443         (JSC::B3::Value::belowConstant const):
2444         (JSC::B3::Value::aboveEqualConstant const):
2445         (JSC::B3::Value::belowEqualConstant const):
2446         (JSC::B3::Value::equalOrUnorderedConstant const):
2447         (JSC::B3::Value::asTriState const):
2448         * b3/B3Value.h:
2449         * bytecode/CodeBlock.cpp:
2450         (JSC::CodeBlock::~CodeBlock):
2451         (JSC::CodeBlock::thresholdForJIT):
2452         * bytecode/UnlinkedCodeBlock.cpp:
2453         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2454         * bytecode/UnlinkedFunctionExecutable.cpp:
2455         (JSC::UnlinkedFunctionExecutable::visitChildren):
2456         * bytecompiler/NodesCodegen.cpp:
2457         (JSC::ConstantNode::emitBytecodeInConditionContext):
2458         (JSC::BinaryOpNode::emitBytecodeInConditionContext):
2459         (JSC::BinaryOpNode::tryFoldToBranch):
2460         * dfg/DFGByteCodeParser.cpp:
2461         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2462         * dfg/DFGCFGSimplificationPhase.cpp:
2463         (JSC::DFG::CFGSimplificationPhase::run):
2464         * dfg/DFGLazyJSValue.cpp:
2465         (JSC::DFG::equalToSingleCharacter):
2466         (JSC::DFG::equalToStringImpl):
2467         (JSC::DFG::LazyJSValue::strictEqual const):
2468         * dfg/DFGSpeculativeJIT64.cpp:
2469         (JSC::DFG::SpeculativeJIT::compile):
2470         * ftl/FTLLowerDFGToB3.cpp:
2471         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
2472         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
2473         * ftl/FTLOutput.cpp:
2474         (JSC::FTL::Output::equal):
2475         (JSC::FTL::Output::notEqual):
2476         (JSC::FTL::Output::above):
2477         (JSC::FTL::Output::aboveOrEqual):
2478         (JSC::FTL::Output::below):
2479         (JSC::FTL::Output::belowOrEqual):
2480         (JSC::FTL::Output::greaterThan):
2481         (JSC::FTL::Output::greaterThanOrEqual):
2482         (JSC::FTL::Output::lessThan):
2483         (JSC::FTL::Output::lessThanOrEqual):
2484         * jit/JITOperations.cpp:
2485         * runtime/CachedTypes.cpp:
2486         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2487         * runtime/DefinePropertyAttributes.h:
2488         (JSC::DefinePropertyAttributes::DefinePropertyAttributes):
2489         (JSC::DefinePropertyAttributes::hasWritable const):
2490         (JSC::DefinePropertyAttributes::writable const):
2491         (JSC::DefinePropertyAttributes::hasConfigurable const):
2492         (JSC::DefinePropertyAttributes::configurable const):
2493         (JSC::DefinePropertyAttributes::hasEnumerable const):
2494         (JSC::DefinePropertyAttributes::enumerable const):
2495         (JSC::DefinePropertyAttributes::setWritable):
2496         (JSC::DefinePropertyAttributes::setConfigurable):
2497         (JSC::DefinePropertyAttributes::setEnumerable):
2498         * runtime/IntlCollator.cpp:
2499         (JSC::IntlCollator::initializeCollator):
2500         * runtime/IntlDateTimeFormat.cpp:
2501         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2502         * runtime/IntlNumberFormat.cpp:
2503         (JSC::IntlNumberFormat::initializeNumberFormat):
2504         * runtime/IntlObject.cpp:
2505         (JSC::intlBooleanOption):
2506         * runtime/JSCJSValueInlines.h:
2507         (JSC::JSValue::pureStrictEqual):
2508         (JSC::JSValue::pureToBoolean const):
2509         * runtime/JSCellInlines.h:
2510         (JSC::JSCell::pureToBoolean const):
2511
2512 2020-04-30  Ross Kirsling  <ross.kirsling@sony.com>
2513
2514         [JSC] intlBooleanOption should return TriState instead of taking an out param
2515         https://bugs.webkit.org/show_bug.cgi?id=211256
2516
2517         Reviewed by Darin Adler and Mark Lam.
2518
2519         Boolean options for Intl constructors can have default values of true, false, or undefined.
2520         To handle the undefined case, intlBooleanOption currently has a `bool& usesFallback` param;
2521         we should have the return type simply be a TriState instead.
2522
2523         * runtime/IntlCollator.cpp:
2524         (JSC::IntlCollator::initializeCollator):
2525         * runtime/IntlDateTimeFormat.cpp:
2526         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2527         * runtime/IntlNumberFormat.cpp:
2528         (JSC::IntlNumberFormat::initializeNumberFormat):
2529         * runtime/IntlObject.cpp:
2530         (JSC::intlBooleanOption):
2531         * runtime/IntlObject.h:
2532
2533 2020-04-30  Devin Rousso  <drousso@apple.com>
2534
2535         WebKit.WebContent process crashes when web developer tools are opened in Safari
2536         https://bugs.webkit.org/show_bug.cgi?id=210794
2537         <rdar://problem/62214651>
2538
2539         Reviewed by Brian Burg.
2540
2541         * inspector/InjectedScriptManager.cpp:
2542         (Inspector::InjectedScriptManager::injectedScriptFor):
2543         Don't crash if a `TerminatedExecutionError` is thrown.
2544
2545         * inspector/InjectedScriptBase.cpp:
2546         (Inspector::InjectedScriptBase::makeCall):
2547         Report the actual error message. Check that the result has a value before attempting to make
2548         a `JSON::Value` out of it.
2549
2550 2020-04-29  Ross Kirsling  <ross.kirsling@sony.com>
2551
2552         Ensure Intl classes don't have naming conflicts with unified builds
2553         https://bugs.webkit.org/show_bug.cgi?id=211213
2554
2555         Reviewed by Yusuke Suzuki.
2556
2557         Each Intl class usually has an array named relevantExtensionsKeys and a function named localeData.
2558         This can result in redefinition errors when unified builds put two of them into the same translation unit. 
2559         Some are already guarding against this with an internal namespace while others are not.
2560
2561         As a uniform approach, this patch makes each localeData function a static method and
2562         puts each relevantExtensionsKeys array (as well as any constants for its indices) into an internal namespace.
2563
2564         Furthermore, since three different classes are defining an identical UFieldPositionIteratorDeleter,
2565         this patch consolidates them into one definition in IntlObject.
2566
2567         * runtime/IntlCollator.cpp:
2568         (JSC::IntlCollator::sortLocaleData): Renamed from JSC::sortLocaleData.
2569         (JSC::IntlCollator::searchLocaleData): Renamed from JSC::searchLocaleData.
2570         (JSC::IntlCollator::initializeCollator):
2571         * runtime/IntlCollator.h:
2572         * runtime/IntlDateTimeFormat.cpp:
2573         (JSC::IntlDateTimeFormat::localeData): Renamed from JSC::IntlDTFInternal::localeData.
2574         (JSC::toDateTimeOptionsAnyDate): Renamed from JSC::IntlDTFInternal::toDateTimeOptionsAnyDate.
2575         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2576         (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
2577         * runtime/IntlDateTimeFormat.h:
2578         * runtime/IntlNumberFormat.cpp:
2579         (JSC::IntlNumberFormat::localeData): Renamed from JSC::IntlNFInternal::localeData.
2580         (JSC::IntlNumberFormat::initializeNumberFormat):
2581         (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
2582         * runtime/IntlNumberFormat.h:
2583         * runtime/IntlObject.cpp:
2584         (JSC::UFieldPositionIteratorDeleter::operator() const): Added.
2585         * runtime/IntlObject.h:
2586         * runtime/IntlPluralRules.cpp:
2587         (JSC::IntlPluralRules::localeData): Renamed from JSC::localeData.
2588         * runtime/IntlPluralRules.h:
2589         * runtime/IntlRelativeTimeFormat.cpp:
2590         (JSC::IntlRelativeTimeFormat::localeData): Renamed from JSC::localeData.
2591         (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
2592         (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted.
2593         * runtime/IntlRelativeTimeFormat.h:
2594
2595 2020-04-29  Ross Kirsling  <ross.kirsling@sony.com>
2596
2597         Unreviewed follow-up to r260848.
2598         LowerDFGToB3 has its own isFunction which should NOT have been renamed.
2599
2600         * ftl/FTLLowerDFGToB3.cpp:
2601         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
2602         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2603         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
2604         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
2605         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
2606         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2607         (JSC::FTL::DFG::LowerDFGToB3::isFunction): Renamed from isCallable.
2608
2609 2020-04-29  Alexey Shvayka  <shvaikalesh@gmail.com>
2610
2611         AsyncFromSyncIterator methods should not pass absent values
2612         https://bugs.webkit.org/show_bug.cgi?id=211147
2613
2614         Reviewed by Ross Kirsling.
2615
2616         This patch implements a minor spec change [1] to match async and sync iteration
2617         from the perspective of userland `next` and `return` iterator methods.
2618         The `throw` method always receives an argument, yet we align it with the others to be
2619         consistent and future-proof.
2620
2621         This change is already implemented in SpiderMonkey.
2622
2623         [1]: https://github.com/tc39/ecma262/pull/1776
2624
2625         * builtins/AsyncFromSyncIteratorPrototype.js:
2626
2627 2020-04-29  Mark Lam  <mark.lam@apple.com>
2628
2629         Freezing of Gigacage and JSC Configs should be thread safe.
2630         https://bugs.webkit.org/show_bug.cgi?id=211201
2631         <rdar://problem/62597619>
2632
2633         Reviewed by Yusuke Suzuki.
2634
2635         If a client creates multiple VM instances in different threads concurrently, the
2636         following race can occur:
2637
2638         Config::permanentlyFreeze() contains the following code:
2639
2640             if (!g_jscConfig.isPermanentlyFrozen)         // Point P1
2641                 g_jscConfig.isPermanentlyFrozen = true;   // Point P2
2642
2643         Let's say there are 2 threads T1 and T2.
2644
2645         1. T1 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set.
2646            T1 is about to execute P2 when it gets pre-empted.
2647
2648         2. T2 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set.
2649            T2 proceeds to point P2 and sets g_jscConfig.isPermanentlyFrozen to true.
2650            T2 goes on to freeze the Config and makes it not writable.
2651
2652         3. T1 gets to run again, and proceeds to point P2.
2653            T1 tries to set g_jscConfig.isPermanentlyFrozen to true.
2654            But because the Config has been frozen against writes, the write to
2655            g_jscConfig.isPermanentlyFrozen results in a crash.
2656
2657         This is a classic TOCTOU bug.  The fix is simply to ensure that only one thread
2658         can enter Config::permanentlyFreeze() at a time.
2659
2660         Ditto for Gigacage::permanentlyFreezeGigacageConfig().
2661
2662         * runtime/JSCConfig.cpp:
2663         (JSC::Config::permanentlyFreeze):
2664
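The race and the lock-based fix, as an added model in C++ that is not JSC's code: `Config`, the atomic flags and the fault counter are stand-ins (the read-only page protection is simulated with a flag, and a write after freezing is counted rather than crashing), `permanentlyFreezeRacy` reproduces the check-then-set shape from the entry for comparison only, and `runFreezeRace` is a harness that drives the fixed `permanentlyFreeze` from several threads at once:

```cpp
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>

// Simplified stand-in for JSC's Config. In JSC the freeze makes the page read-only,
// so a later write crashes; here g_configReadOnly simulates that protection and a
// write that would have crashed increments g_faults instead.
struct Config {
    bool isPermanentlyFrozen { false };
};

static Config g_config;
static std::atomic<bool> g_configReadOnly { false }; // stands in for the write protection
static std::atomic<int> g_faults { 0 };              // writes made after the freeze
static std::atomic<int> g_freezes { 0 };             // how many threads performed the freeze

static void writeFrozenFlag(bool value)
{
    if (g_configReadOnly.load())
        ++g_faults;
    else
        g_config.isPermanentlyFrozen = value;
}

// The racy shape from the entry (kept for comparison, not run by the harness):
// the check at P1 and the write at P2 are not atomic with respect to other
// threads, so two threads can both pass P1 and the slower one writes after the
// faster one has already frozen the page.
void permanentlyFreezeRacy()
{
    if (!g_config.isPermanentlyFrozen)   // P1
        writeFrozenFlag(true);            // P2
    else
        return;
    g_configReadOnly.store(true);
    ++g_freezes;
}

// The fix: one lock held across check, write and freeze, so at most one thread is
// ever between P1 and P2 and every later caller sees the flag already set.
void permanentlyFreeze()
{
    static std::mutex freezeLock;
    std::lock_guard<std::mutex> locker(freezeLock);
    if (g_config.isPermanentlyFrozen)
        return;
    g_config.isPermanentlyFrozen = true;
    g_configReadOnly.store(true);
    ++g_freezes;
}

struct RaceResult {
    int freezes;
    int faults;
};

// Each thread plays the role of a VM being created; with the locked version exactly
// one freeze happens and no thread writes after the protection is in place.
RaceResult runFreezeRace(unsigned threadCount)
{
    g_config.isPermanentlyFrozen = false;
    g_configReadOnly.store(false);
    g_faults.store(0);
    g_freezes.store(0);
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < threadCount; ++i)
        threads.emplace_back(permanentlyFreeze);
    for (auto& thread : threads)
        thread.join();
    return { g_freezes.load(), g_faults.load() };
}
```

The lock must cover the whole sequence, not just the flag write: protecting only P2 would still let a second thread reach P2 after the first one froze the page, which is exactly the write that crashes.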
2665 2020-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
2666
2667         [JSC] JSStringJoiner is missing BigInt handling
2668         https://bugs.webkit.org/show_bug.cgi?id=211174
2669
2670         Reviewed by Mark Lam.
2671
2672         JSStringJoiner missed handling of BigInt (specifically BigInt32) and appended the empty string incorrectly.
2673         In debug builds, an assertion fires. We should support BigInt in JSStringJoiner.
2674
2675         * runtime/JSStringJoiner.h:
2676         (JSC::JSStringJoiner::appendWithoutSideEffects):
2677
2678 2020-04-29  Saam Barati  <sbarati@apple.com>
2679
2680         U_STRING_NOT_TERMINATED_WARNING ICU must be handled when using the output buffer as a C string
2681         https://bugs.webkit.org/show_bug.cgi?id=211142
2682         <rdar://problem/62530860>
2683
2684         Reviewed by Darin Adler.
2685
2686         * runtime/IntlDateTimeFormat.cpp:
2687         (JSC::defaultTimeZone):
2688         (JSC::canonicalizeTimeZoneName):
2689         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2690         (JSC::IntlDateTimeFormat::format):
2691         (JSC::IntlDateTimeFormat::formatToParts):
2692         * runtime/IntlNumberFormat.cpp:
2693         (JSC::IntlNumberFormat::format):
2694         (JSC::IntlNumberFormat::formatToParts):
2695         * runtime/IntlObject.cpp:
2696         (JSC::convertICULocaleToBCP47LanguageTag):
2697         (JSC::canonicalizeLanguageTag):
2698         * runtime/IntlRelativeTimeFormat.cpp:
2699         (JSC::IntlRelativeTimeFormat::formatInternal):
2700         (JSC::IntlRelativeTimeFormat::formatToParts):
2701         * runtime/StringPrototype.cpp:
2702         (JSC::toLocaleCase):
2703         (JSC::normalize):
2704
2705 2020-04-28  Saam Barati  <sbarati@apple.com>
2706
2707         Unreviewed. Fix 32-bit build.
2708
2709         * runtime/JSBigInt.cpp:
2710         (JSC::JSBigInt::createFrom):
2711         (JSC::Int32BigIntImpl::digit):
2712
2713 2020-04-28  Commit Queue  <commit-queue@webkit.org>
2714
2715         Unreviewed, reverting r260876 and r260877.
2716         https://bugs.webkit.org/show_bug.cgi?id=211165
2717
2718         Broke build (Requested by yusukesuzuki on #webkit).
2719
2720         Reverted changesets:
2721
2722         "Unreviewed, build fix on watchOS"
2723         https://bugs.webkit.org/show_bug.cgi?id=210978
2724         https://trac.webkit.org/changeset/260876
2725
2726         "Unreviewed, speculative build fix on watchOS part 2"
2727         https://bugs.webkit.org/show_bug.cgi?id=210978
2728         https://trac.webkit.org/changeset/260877
2729
2730 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
2731
2732         Unreviewed, speculative build fix on watchOS part 2
2733         https://bugs.webkit.org/show_bug.cgi?id=210978
2734
2735         * runtime/JSBigInt.cpp:
2736         (JSC::JSBigInt::createFrom):
2737         (JSC::Int32BigIntImpl::digit):
2738         * runtime/JSBigInt.h:
2739
2740 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
2741
2742         Unreviewed, build fix on watchOS
2743         https://bugs.webkit.org/show_bug.cgi?id=210978
2744
2745         * runtime/JSBigInt.cpp:
2746         (JSC::JSBigInt::createFrom):
2747         (JSC::Int32BigIntImpl::digit):
2748         * runtime/JSBigInt.h:
2749
2750 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
2751
2752         [JSC] BigInt constructor should accept larger integers than safe-integers
2753         https://bugs.webkit.org/show_bug.cgi?id=210755
2754
2755         Reviewed by Darin Adler.
2756
2757         While our implementation of the BigInt constructor only accepts safe integers, it should accept all integers.
2758         This patch implements it by creating JSBigInt::createFrom(double). We port the double bit-processing part from
2759         V8, as we did for the other parts of JSBigInt.
2760
2761         * runtime/BigIntConstructor.cpp:
2762         (JSC::callBigIntConstructor):
2763         * runtime/JSBigInt.cpp:
2764         (JSC::JSBigInt::createFrom):
2765         * runtime/JSBigInt.h:
2766         * runtime/MathCommon.h:
2767         (JSC::isInteger):
2768         (JSC::isSafeInteger):
2769         * runtime/NumberConstructor.cpp:
2770         (JSC::numberConstructorFuncIsSafeInteger):
2771         * runtime/NumberConstructor.h:
2772
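An added example, not the V8 or JSC implementation, of the bit-level decomposition the entry refers to: an integral double is a 53-bit mantissa times a power of two, so its little-endian 32-bit BigInt digits can be produced by shifting the mantissa into place, with no decimal conversion and no rounding. `isInteger` and `isSafeInteger` follow the MathCommon.h names in the entry's file list; `bigIntDigitsFromDouble` and `DigitsFromDouble` are names assumed for this example:

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <vector>

bool isInteger(double value)
{
    return std::isfinite(value) && std::trunc(value) == value;
}

// The pre-patch acceptance test: integers with magnitude at most 2^53 - 1.
bool isSafeInteger(double value)
{
    return isInteger(value) && std::fabs(value) <= 9007199254740991.0;
}

struct DigitsFromDouble {
    bool negative;
    std::vector<uint32_t> digits; // little-endian 32-bit digits of the magnitude, empty for zero
};

// Precondition: value is finite and integral (the check the constructor performs first).
DigitsFromDouble bigIntDigitsFromDouble(double value)
{
    DigitsFromDouble result { std::signbit(value), {} };
    double magnitude = std::fabs(value);
    if (magnitude == 0)
        return result;

    uint64_t bits;
    std::memcpy(&bits, &magnitude, sizeof bits);
    int exponent = static_cast<int>((bits >> 52) & 0x7FF) - 1023;               // magnitude in [2^exponent, 2^(exponent + 1))
    uint64_t mantissa = (bits & ((uint64_t(1) << 52) - 1)) | (uint64_t(1) << 52); // with the implicit leading 1

    // magnitude == mantissa * 2^(exponent - 52). Below 2^53 the shift is negative and,
    // because the value is integral, only discards zero bits.
    int shift = exponent - 52;
    if (shift < 0) {
        mantissa >>= -shift;
        shift = 0;
    }

    // Place the 53-bit mantissa at bit offset `shift`; it spans at most three digits.
    size_t digitIndex = shift / 32;
    unsigned bitOffset = shift % 32;
    uint64_t low = mantissa << bitOffset;                         // low 64 bits of the shifted mantissa
    uint64_t high = bitOffset ? mantissa >> (64 - bitOffset) : 0; // bits pushed beyond bit 63
    result.digits.assign(digitIndex + 3, 0u);
    result.digits[digitIndex] = static_cast<uint32_t>(low);
    result.digits[digitIndex + 1] = static_cast<uint32_t>(low >> 32);
    result.digits[digitIndex + 2] = static_cast<uint32_t>(high);
    while (!result.digits.empty() && result.digits.back() == 0)
        result.digits.pop_back();
    return result;
}
```

Because every integral double above 2^53 has zero low-order bits, the digit vector is exact; that is why `BigInt(1e20)` can be accepted even though `1e20` is not a safe integer, while a non-integral argument is rejected before this routine ever runs.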
2773 2020-04-28  Ross Kirsling  <ross.kirsling@sony.com>
2774
2775         [JSC] Align upon the name isCallable instead of isFunction
2776         https://bugs.webkit.org/show_bug.cgi?id=211140
2777
2778         Reviewed by Darin Adler.
2779
2780         Follow-up to r260722. Usage is now cleanly separated between isFunction / getCallData,
2781         but the name isCallable is still clearer than isFunction so let's flip that after all.
2782
2783         * API/JSContextRef.cpp:
2784         (JSGlobalContextSetUnhandledRejectionCallback):
2785         * API/JSObjectRef.cpp:
2786         (JSObjectIsFunction):
2787         * dfg/DFGOperations.cpp:
2788         * ftl/FTLLowerDFGToB3.cpp:
2789         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
2790         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2791         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
2792         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
2793         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
2794         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2795         (JSC::FTL::DFG::LowerDFGToB3::isCallable):
2796         (JSC::FTL::DFG::LowerDFGToB3::isFunction): Deleted.
2797         * ftl/FTLOperations.cpp:
2798         (JSC::FTL::operationTypeOfObjectAsTypeofType):
2799         * jsc.cpp:
2800         (functionSetUnhandledRejectionCallback):
2801         * runtime/CommonSlowPaths.cpp:
2802         (JSC::SLOW_PATH_DECL):
2803         * runtime/ExceptionHelpers.cpp:
2804         (JSC::errorDescriptionForValue):
2805         * runtime/FunctionPrototype.cpp:
2806         (JSC::functionProtoFuncToString):
2807         * runtime/InternalFunction.cpp:
2808         (JSC::getFunctionRealm):
2809         * runtime/JSCJSValue.h:
2810         * runtime/JSCJSValueInlines.h:
2811         (JSC::JSValue::isCallable const):
2812         (JSC::JSValue::isFunction const): Deleted.
2813         * runtime/JSCell.h:
2814         * runtime/JSCellInlines.h:
2815         (JSC::JSCell::isCallable):
2816         (JSC::JSCell::isFunction): Deleted.
2817         * runtime/JSONObject.cpp:
2818         (JSC::Stringifier::appendStringifiedValue):
2819         * runtime/ObjectConstructor.cpp:
2820         (JSC::toPropertyDescriptor):
2821         * runtime/ObjectPrototype.cpp:
2822         (JSC::objectProtoFuncDefineGetter):
2823         (JSC::objectProtoFuncDefineSetter):
2824         * runtime/Operations.cpp:
2825         (JSC::jsTypeStringForValue):
2826         (JSC::jsIsObjectTypeOrNull):
2827         * runtime/ProxyObject.cpp:
2828         (JSC::ProxyObject::structureForTarget):
2829         (JSC::ProxyObject::finishCreation):
2830         * runtime/RuntimeType.cpp:
2831         (JSC::runtimeTypeForValue):
2832         * tools/JSDollarVM.cpp:
2833         (JSC::functionCallWithStackSize):
2834         (JSC::functionFindTypeForExpression):
2835         (JSC::functionReturnTypeFor):
2836         (JSC::functionHasBasicBlockExecuted):
2837         (JSC::functionBasicBlockExecutionCount):
2838         * wasm/WasmInstance.cpp:
2839         (JSC::Wasm::Instance::setFunctionWrapper):
2840         * wasm/WasmOperations.cpp:
2841         (JSC::Wasm::operationIterateResults):
2842         (JSC::Wasm::operationWasmRefFunc):
2843         * wasm/js/WebAssemblyModuleRecord.cpp:
2844         (JSC::WebAssemblyModuleRecord::link):
2845         * wasm/js/WebAssemblyWrapperFunction.cpp:
2846         (JSC::WebAssemblyWrapperFunction::finishCreation):
2847
2848 2020-04-28  Yusuke Suzuki  <ysuzuki@apple.com>
2849
2850         [JSC] NumberConstructor should accept BigInt
2851         https://bugs.webkit.org/show_bug.cgi?id=210835
2852
2853         Reviewed by Mark Lam.
2854
2855         This patch fixes our Number constructor behavior to accept BigInt. According to the spec[1],
2856         the Number constructor should accept BigInt and should generate numbers from it.
2857
2858         We port V8's BigInt to double conversion code as we did for the other HeapBigInt runtime functions.
2859
2860         And we introduce a CallNumberConstructor DFG node and handle Number constructor calls with BigInt correctly
2861         in DFG and FTL. Previously we were emitting a ToNumber DFG node for Number constructor calls. But this is wrong
2862         now since ToNumber does not accept BigInt and throws an error, and the Number constructor should not use
2863         ToNumber for its implementation. So we introduce slightly different semantics: CallNumberConstructor,
2864         as we introduced CallStringConstructor in addition to the ToString DFG node. And we add an appropriate BigInt32 path
2865         to emit efficient CallNumberConstructor machine code.
2866
2867         [1]: https://tc39.es/ecma262/#sec-number-constructor-number-value
2868
2869         * dfg/DFGAbstractInterpreterInlines.h:
2870         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2871         * dfg/DFGBackwardsPropagationPhase.cpp:
2872         (JSC::DFG::BackwardsPropagationPhase::propagate):
2873         * dfg/DFGByteCodeParser.cpp:
2874         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2875         * dfg/DFGClobberize.h:
2876         (JSC::DFG::clobberize):
2877         * dfg/DFGConstantFoldingPhase.cpp:
2878         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2879         * dfg/DFGDoesGC.cpp:
2880         (JSC::DFG::doesGC):
2881         * dfg/DFGFixupPhase.cpp:
2882         (JSC::DFG::FixupPhase::fixupNode):
2883         (JSC::DFG::FixupPhase::fixupToNumberOrToNumericOrCallNumberConstructor):
2884         (JSC::DFG::FixupPhase::fixupToNumeric): Deleted.
2885         (JSC::DFG::FixupPhase::fixupToNumber): Deleted.
2886         * dfg/DFGNode.h:
2887         (JSC::DFG::Node::hasHeapPrediction):
2888         * dfg/DFGNodeType.h:
2889         * dfg/DFGOperations.cpp:
2890         * dfg/DFGOperations.h:
2891         * dfg/DFGPredictionPropagationPhase.cpp:
2892         * dfg/DFGSafeToExecute.h:
2893         (JSC::DFG::safeToExecute):
2894         * dfg/DFGSpeculativeJIT.cpp:
2895         (JSC::DFG::SpeculativeJIT::compileToNumeric):
2896         (JSC::DFG::SpeculativeJIT::compileCallNumberConstructor):
2897         * dfg/DFGSpeculativeJIT.h:
2898         * dfg/DFGSpeculativeJIT32_64.cpp:
2899         (JSC::DFG::SpeculativeJIT::compile):
2900         * dfg/DFGSpeculativeJIT64.cpp:
2901         (JSC::DFG::SpeculativeJIT::compile):
2902         * ftl/FTLCapabilities.cpp:
2903         (JSC::FTL::canCompile):
2904         * ftl/FTLLowerDFGToB3.cpp:
2905         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2906         (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
2907         * runtime/JSBigInt.cpp:
2908         (JSC::JSBigInt::decideRounding):
2909         (JSC::JSBigInt::toNumberHeap):
2910         * runtime/JSBigInt.h:
2911         * runtime/NumberConstructor.cpp:
2912         (JSC::constructNumberConstructor):
2913         (JSC::callNumberConstructor):
2914
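As an added illustration of the semantics the entry above describes (this is example code written for this page, not JSC's implementation nor the V8 code it ports), the block below is a plain-JavaScript reference for the BigInt-to-Number conversion that `Number(value)` performs: the exact integer is rounded to the nearest double, ties to even, overflowing to Infinity. It also shows the observable difference between `Number(x)` and unary plus, which is why the Number constructor can no longer be lowered to a ToNumber node. The helper names (`bigIntToNumber`, `numberConstructorVersusUnaryPlus`, `matchesEngine`) and the probe values are this example's own; the probe list is constructed to sit on the rounding and overflow boundaries and is checked against the host engine's `Number()`.

```javascript
// Reference BigInt -> Number conversion (example code, not JSC's):
// ECMA-262 Number(value) applies ToNumeric and then, for a BigInt, returns
// the mathematical value rounded to the nearest double, ties to even.
function bigIntToNumber(b) {
  if (typeof b !== "bigint") throw new TypeError("expected a bigint");
  if (b === 0n) return 0;
  const negative = b < 0n;
  const mag = negative ? -b : b;
  const bitLength = mag.toString(2).length;

  // Up to 53 significant bits: exactly representable, nothing to round.
  if (bitLength <= 53) {
    const exact = Number(mag);
    return negative ? -exact : exact;
  }
  // 1025 or more bits means a magnitude of at least 2^1024: out of range.
  if (bitLength > 1024) return negative ? -Infinity : Infinity;

  // Keep the top 53 bits; the dropped bits decide the rounding direction.
  const shift = BigInt(bitLength - 53);
  let mantissa = mag >> shift;
  const dropped = mag & ((1n << shift) - 1n);
  const half = 1n << (shift - 1n);
  let exponent = bitLength - 53;

  // Round half to even: round up when the dropped bits exceed one half, or
  // equal exactly one half and the kept mantissa is odd.
  if (dropped > half || (dropped === half && (mantissa & 1n) === 1n))
    mantissa += 1n;
  if (mantissa === 1n << 53n) {
    // Rounding carried out of the 53-bit mantissa (all kept bits were ones).
    mantissa >>= 1n;
    exponent += 1;
  }
  // The largest finite double is (2^53 - 1) * 2^971; a larger exponent overflows.
  if (exponent > 971) return negative ? -Infinity : Infinity;

  // mantissa < 2^53, so Number(mantissa) is exact, and scaling by a power of
  // two that stays in range is exact too.
  const value = Number(mantissa) * 2 ** exponent;
  return negative ? -value : value;
}

// Number(value) accepts a BigInt, while unary plus is plain ToNumber and must
// still throw a TypeError: the two are no longer the same operation.
function numberConstructorVersusUnaryPlus(b) {
  let unaryPlus;
  try {
    unaryPlus = +b;
  } catch (e) {
    unaryPlus = e.constructor.name;
  }
  return { constructor: Number(b), unaryPlus };
}

// Constructed probe values around the rounding and overflow boundaries.
const PROBES = [
  0n, 10n, -10n, 2n ** 53n, 2n ** 53n + 1n, 2n ** 53n + 3n, -(2n ** 53n + 3n),
  2n ** 64n + 12345n, 2n ** 1023n, 2n ** 1024n - 1n, 2n ** 1024n,
  -(2n ** 2000n), 123456789012345678901234567890n,
];

// True when the reference agrees with the host engine's Number() on every probe.
function matchesEngine(values = PROBES) {
  return values.every((b) => Object.is(bigIntToNumber(b), Number(b)));
}
```

Two probes are worth tracing by hand: `2n ** 53n + 1n` sits exactly halfway between two doubles and rounds down to the even mantissa (`9007199254740992`), while `2n ** 53n + 3n` is also a tie but the lower candidate has an odd mantissa, so it rounds up to `9007199254740996`. `2n ** 1024n - 1n` rounds to 2^1024 and therefore to Infinity even though its bit length still fits.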
2915 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
2916
2917         [JSC] Throw OutOfMemoryError instead of RangeError if BigInt is too big
2918         https://bugs.webkit.org/show_bug.cgi?id=211111
2919
2920         Reviewed by Saam Barati.
2921
2922         Currently, we are throwing a RangeError if we detect that JSBigInt becomes too large. But this is not consistent with our JSString's policy.
2923         We should throw OutOfMemoryError in this case. This also makes DFG simpler, since DFG allows throwing OutOfMemoryError in any place, even one
2924         whose node is removed.
2925
2926         * dfg/DFGFixupPhase.cpp:
2927         (JSC::DFG::FixupPhase::fixupNode):
2928         * runtime/ExceptionHelpers.cpp:
2929         (JSC::throwOutOfMemoryError):
2930         * runtime/ExceptionHelpers.h:
2931         * runtime/JSBigInt.cpp:
2932         (JSC::JSBigInt::tryCreateWithLength):
2933         (JSC::JSBigInt::exponentiateHeap):
2934         (JSC::JSBigInt::leftShiftByAbsolute):
2935         (JSC::JSBigInt::allocateFor):
2936
2937 2020-04-27  Saam Barati  <sbarati@apple.com>
2938
2939         BigInt math runtime shouldn't convert BigInt32 input operands to a heap cell when doing math
2940         https://bugs.webkit.org/show_bug.cgi?id=210978
2941
2942         Reviewed by Yusuke Suzuki.
2943
2944         This patch adds support in the runtime for doing almost all BigInt math
2945         operations on inputs that are either Int32, HeapBigInt, or a mix of
2946         both. Before, if we detected a binary operation on an Int32 and a
2947         HeapBigInt, this would lead us to convert the Int32 operand into a HeapBigInt.
2948         
2949         This is especially bad because we'd repeat this for all math ops. For example,
2950         if x is a BigInt32, and all rhs are a HeapBigInt, we'd repeatedly convert x
2951         to a HeapBigInt for each operation:
2952         ```
2953         x + y
2954         x * y
2955         x - y
2956         x >> y
2957         x << y
2958         etc
2959         ```
2960         
2961         To teach the runtime how to operate both over a BigInt32 and a HeapBigInt, I
2962         templatized the runtime math operations to work both over BigInt32 and
2963         HeapBigInt wrapper classes that expose the same interface.
2964         
2965         This is a ~28% speedup on microbenchmarks/sunspider-sha1-big-int.js
2966
2967         * ftl/FTLLowerDFGToB3.cpp:
2968         (JSC::FTL::DFG::LowerDFGToB3::compare):
2969         * jit/JITOperations.cpp:
2970         * runtime/CommonSlowPaths.cpp:
2971         (JSC::SLOW_PATH_DECL):
2972         * runtime/JSBigInt.cpp:
2973         (JSC::HeapBigIntImpl::HeapBigIntImpl):
2974         (JSC::HeapBigIntImpl::isZero):
2975         (JSC::HeapBigIntImpl::sign):
2976         (JSC::HeapBigIntImpl::length):
2977         (JSC::HeapBigIntImpl::digit):
2978         (JSC::HeapBigIntImpl::toHeapBigInt):
2979         (JSC::Int32BigIntImpl::Int32BigIntImpl):
2980         (JSC::Int32BigIntImpl::isZero):
2981         (JSC::Int32BigIntImpl::sign):
2982         (JSC::Int32BigIntImpl::length):
2983         (JSC::Int32BigIntImpl::digit):
2984         (JSC::Int32BigIntImpl::toHeapBigInt):
2985         (JSC::JSBigInt::ImplResult::ImplResult):
2986         (JSC::tryConvertToBigInt32):
2987         (JSC::JSBigInt::inplaceMultiplyAdd):
2988         (JSC::JSBigInt::exponentiateImpl):
2989         (JSC::JSBigInt::exponentiate):
2990         (JSC::JSBigInt::multiplyImpl):
2991         (JSC::JSBigInt::multiply):
2992         (JSC::JSBigInt::divideImpl):
2993         (JSC::JSBigInt::divide):
2994         (JSC::JSBigInt::copy):
2995         (JSC::JSBigInt::unaryMinusImpl):
2996         (JSC::JSBigInt::unaryMinus):
2997         (JSC::JSBigInt::remainderImpl):
2998         (JSC::JSBigInt::remainder):
2999         (JSC::JSBigInt::incImpl):
3000         (JSC::JSBigInt::inc):
3001         (JSC::JSBigInt::decImpl):
3002         (JSC::JSBigInt::dec):
3003         (JSC::JSBigInt::addImpl):
3004         (JSC::JSBigInt::add):
3005         (JSC::JSBigInt::subImpl):
3006         (JSC::JSBigInt::sub):
3007         (JSC::JSBigInt::bitwiseAndImpl):
3008         (JSC::JSBigInt::bitwiseAnd):
3009         (JSC::JSBigInt::bitwiseOrImpl):
3010         (JSC::JSBigInt::bitwiseOr):
3011         (JSC::JSBigInt::bitwiseXorImpl):
3012         (JSC::JSBigInt::bitwiseXor):
3013         (JSC::JSBigInt::leftShiftImpl):
3014         (JSC::JSBigInt::leftShift):
3015         (JSC::JSBigInt::leftShiftSlow):
3016         (JSC::JSBigInt::signedRightShiftImpl):
3017         (JSC::JSBigInt::signedRightShift):
3018         (JSC::JSBigInt::bitwiseNotImpl):
3019         (JSC::JSBigInt::bitwiseNot):
3020         (JSC::JSBigInt::internalMultiplyAdd):
3021         (JSC::JSBigInt::multiplyAccumulate):
3022         (JSC::JSBigInt::absoluteCompare):
3023         (JSC::JSBigInt::compareImpl):
3024         (JSC::JSBigInt::compare):
3025         (JSC::JSBigInt::absoluteAdd):
3026         (JSC::JSBigInt::absoluteSub):
3027         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
3028         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
3029         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
3030         (JSC::JSBigInt::absoluteBitwiseOp):
3031         (JSC::JSBigInt::absoluteAnd):
3032         (JSC::JSBigInt::absoluteOr):
3033         (JSC::JSBigInt::absoluteAndNot):
3034         (JSC::JSBigInt::absoluteXor):
3035         (JSC::JSBigInt::absoluteAddOne):
3036         (JSC::JSBigInt::absoluteSubOne):
3037         (JSC::JSBigInt::leftShiftByAbsolute):
3038         (JSC::JSBigInt::rightShiftByAbsolute):
3039         (JSC::JSBigInt::rightShiftByMaximum):
3040         (JSC::JSBigInt::toStringGeneric):
3041         (JSC::JSBigInt::toShiftAmount):
3042         (JSC::JSBigInt::exponentiateHeap): Deleted.
3043         (JSC::JSBigInt::multiplyHeap): Deleted.
3044         (JSC::JSBigInt::divideHeap): Deleted.
3045         (JSC::JSBigInt::unaryMinusHeap): Deleted.
3046         (JSC::JSBigInt::remainderHeap): Deleted.
3047         (JSC::JSBigInt::incHeap): Deleted.
3048         (JSC::JSBigInt::decHeap): Deleted.
3049         (JSC::JSBigInt::addHeap): Deleted.
3050         (JSC::JSBigInt::subHeap): Deleted.
3051         (JSC::JSBigInt::bitwiseAndHeap): Deleted.
3052         (JSC::JSBigInt::bitwiseOrHeap): Deleted.
3053         (JSC::JSBigInt::bitwiseXorHeap): Deleted.
3054         (JSC::JSBigInt::leftShiftHeap): Deleted.
3055         (JSC::JSBigInt::signedRightShiftHeap): Deleted.
3056         (JSC::JSBigInt::bitwiseNotHeap): Deleted.
3057         (JSC::JSBigInt::compareToInt32): Deleted.
3058         * runtime/JSBigInt.h:
3059         * runtime/Operations.cpp:
3060         (JSC::jsAddSlowCase):
3061         * runtime/Operations.h:
3062         (JSC::compareBigInt):
3063         (JSC::compareBigInt32ToOtherPrimitive):
3064         (JSC::arithmeticBinaryOp):
3065         (JSC::jsSub):
3066         (JSC::jsMul):
3067         (JSC::jsDiv):
3068         (JSC::jsRemainder):
3069         (JSC::jsPow):
3070         (JSC::jsInc):
3071         (JSC::jsDec):
3072         (JSC::jsBitwiseNot):
3073         (JSC::shift):
3074         (JSC::jsLShift):
3075         (JSC::jsRShift):
3076         (JSC::bitwiseBinaryOp):
3077         (JSC::jsBitwiseAnd):
3078         (JSC::jsBitwiseOr):
3079         (JSC::jsBitwiseXor):
3080
3081 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
3082
3083         [JSC] >>> should call ToNumeric
3084         https://bugs.webkit.org/show_bug.cgi?id=211065
3085
3086         Reviewed by Ross Kirsling.
3087
3088         While BigInt does not support the >>> operator, the >>> operator should still call ToNumeric (in this case, toBigIntOrInt32) on both operands before throwing an error.
3089         We call toBigIntOrInt32 for both operands, and throw an error. After that, we cast int32_t to uint32_t to perform the >>> operator. This is correct
3090         since the only difference between toUint32 and toInt32 is casting the int32_t result to uint32_t.
3091
3092         * dfg/DFGOperations.cpp:
3093         * runtime/CommonSlowPaths.cpp:
3094         (JSC::SLOW_PATH_DECL):
3095         * runtime/Operations.h:
3096         (JSC::shift):
3097         (JSC::jsURShift):
3098
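The following is an added example written for this page (not JSC code and not a test from the WebKit tree) showing what the entry above makes observable from script: `>>>` runs ToNumeric on the left operand, then the right one, and only afterwards rejects a BigInt with a TypeError, so a `valueOf` side effect on the right-hand side is still visible. The second half writes out the spec's ToInt32 and ToUint32 without using any JS bitwise operator, to show that the two differ only in how the final 32-bit pattern is reinterpreted, which is the property the entry relies on. The function names and the probe values are this example's own.

```javascript
// Example code, not JSC's: observable consequences of ">>>" calling ToNumeric.

// Both valueOf hooks run, left to right, before the TypeError is raised.
function unsignedShiftConversionOrder() {
  const log = [];
  const lhs = { valueOf() { log.push("lhs"); return 1n; } };
  const rhs = { valueOf() { log.push("rhs"); return 1; } };
  let threwTypeError = false;
  try {
    lhs >>> rhs;
  } catch (e) {
    threwTypeError = e instanceof TypeError;
  }
  return { log, threwTypeError };
}

// Two BigInt operands are rejected as well: there is no BigInt ">>>".
function bothBigIntThrows() {
  try {
    1n >>> 1n;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Spec ToInt32 written out: truncate, reduce modulo 2^32, then map the
// upper half of the range to negative values.
function toInt32(x) {
  const n = Number(x);
  if (!Number.isFinite(n) || n === 0) return 0;
  const int = Math.trunc(n);
  const mod = ((int % 4294967296) + 4294967296) % 4294967296;
  return mod >= 2147483648 ? mod - 4294967296 : mod;
}

// ToUint32 is the same computation; only the final reinterpretation of the
// 32-bit pattern differs, which is why the runtime can reuse the int32 path.
function toUint32(x) {
  const i = toInt32(x);
  return i < 0 ? i + 4294967296 : i;
}

// The Number path of ">>>" built from the conversions above:
// ToUint32(lhs) shifted right by (ToUint32(rhs) mod 32), zero-filled.
function unsignedRightShift(lhs, rhs) {
  const shiftCount = toUint32(rhs) % 32;
  return Math.floor(toUint32(lhs) / 2 ** shiftCount);
}
```

`unsignedRightShift(-1, 0)` yields `4294967295`, matching the engine's `-1 >>> 0`, and `unsignedRightShift(2 ** 32 + 5, 33)` yields `2` because both operands are reduced modulo 2^32 before the shift count is masked to 5 bits.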
3099 2020-04-27  Keith Miller  <keith_miller@apple.com>
3100
3101         OSR Exit compiler should know and print the exiting DFG node's index
3102         https://bugs.webkit.org/show_bug.cgi?id=210998
3103
3104         Reviewed by Mark Lam.
3105
3106         The only interesting thing here is that we set the node to index 0 if there is no node.
3107         AFAICT, we only don't have a node when we are checking arguments.
3108
3109         * dfg/DFGOSRExit.cpp:
3110         (JSC::DFG::OSRExit::OSRExit):
3111         (JSC::DFG::operationCompileOSRExit):
3112         * dfg/DFGOSRExitBase.h:
3113         (JSC::DFG::OSRExitBase::OSRExitBase):
3114         * ftl/FTLLowerDFGToB3.cpp:
3115         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
3116         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3117         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
3118         * ftl/FTLOSRExit.cpp:
3119         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
3120         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
3121         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
3122         (JSC::FTL::OSRExit::OSRExit):
3123         * ftl/FTLOSRExit.h:
3124         * ftl/FTLOSRExitCompiler.cpp:
3125         (JSC::FTL::compileStub):
3126
3127 2020-04-27  Saam Barati  <sbarati@apple.com>
3128
3129         compilePeepHoleBigInt32Branch needs to handle all conditions
3130         https://bugs.webkit.org/show_bug.cgi?id=211096
3131         <rdar://problem/62469971>
3132
3133         Reviewed by Yusuke Suzuki.
3134
3135         We were falling through to the generic path for all conditions which
3136         weren't Equal/NotEqual. The generic path does not do speculation, so
3137         it was leading to potential miscompiles because we omitted a type check.
3138         Defining compilePeepHoleBigInt32Branch for other conditions is trivial,
3139         so this patch just implements that.
3140
3141         This failure is caught by microbenchmarks/sunspider-sha1-big-int.js
3142
3143         * dfg/DFGSpeculativeJIT.cpp:
3144         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3145         * dfg/DFGSpeculativeJIT64.cpp:
3146         (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch):
3147
3148 2020-04-27  Jason Lawrence  <lawrence.j@apple.com>
3149
3150         Unreviewed, reverting r260772.
3151
3152         This commit caused tests to start failing internally.
3153
3154         Reverted changeset:
3155
3156         "OSR Exit compiler should know and print the exiting DFG
3157         node's index"
3158         https://bugs.webkit.org/show_bug.cgi?id=210998
3159         https://trac.webkit.org/changeset/260772
3160
3161 2020-04-27  Yusuke Suzuki  <ysuzuki@apple.com>
3162
3163         [JSC] Add $vm.assertEnabled() to suppress Debug crash expected tests in release+assert build
3164         https://bugs.webkit.org/show_bug.cgi?id=211089
3165
3166         Reviewed by Keith Miller.
3167
3168         Expose ASSERT_ENABLED condition to the shell to control crash expected tests.
3169
3170         * tools/JSDollarVM.cpp:
3171         (JSC::functionAssertEnabled):
3172         (JSC::JSDollarVM::finishCreation):
3173
3174 2020-04-27  Keith Miller  <keith_miller@apple.com>
3175
3176         OSR Exit compiler should know and print the exiting DFG node's index
3177         https://bugs.webkit.org/show_bug.cgi?id=210998
3178
3179         Reviewed by Mark Lam.
3180
3181         The only interesting thing here is that we set the node to index 0 if there is no node.
3182         AFAICT, we only don't have a node when we are checking arguments.
3183
3184         * dfg/DFGOSRExit.cpp:
3185         (JSC::DFG::OSRExit::OSRExit):
3186         (JSC::DFG::operationCompileOSRExit):
3187         * dfg/DFGOSRExitBase.h:
3188         (JSC::DFG::OSRExitBase::OSRExitBase):
3189         * ftl/FTLLowerDFGToB3.cpp:
3190         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3192         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
3193         * ftl/FTLOSRExit.cpp:
3194         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
3195         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
3196         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
3197         (JSC::FTL::OSRExit::OSRExit):
3198         * ftl/FTLOSRExit.h:
3199         * ftl/FTLOSRExitCompiler.cpp:
3200         (JSC::FTL::compileStub):
3201
3202 2020-04-27  Ross Kirsling  <ross.kirsling@sony.com>
3203
3204         [JSC] CallData/ConstructData should include CallType/ConstructType
3205         https://bugs.webkit.org/show_bug.cgi?id=211059
3206
3207         Reviewed by Darin Adler.
3208
3209         getCallData/getConstructData return a CallType/ConstructType and have a CallData/ConstructData out param,
3210         and then *both* of these are passed side-by-side to `call`/`construct`, which all seems a bit silly.
3211
3212         This patch merges CallType/ConstructType into CallData/ConstructData such that getCallData/getConstructData
3213         no longer need an out param and `call`/`construct` require one less overt parameter.
3214
3215         In so doing, it also:
3216         - removes ConstructData entirely as it's an exact duplicate of CallData
3217         - renames enum value Host to Native in alignment with CallData's union
3218
3219         * API/JSCallbackConstructor.cpp:
3220         (JSC::JSCallbackConstructor::getConstructData):
3221         * API/JSCallbackConstructor.h:
3222         * API/JSCallbackObject.h:
3223         * API/JSCallbackObjectFunctions.h:
3224         (JSC::JSCallbackObject<Parent>::getConstructData):
3225         (JSC::JSCallbackObject<Parent>::getCallData):
3226         * API/JSObjectRef.cpp:
3227         (JSObjectCallAsFunction):
3228         (JSObjectCallAsConstructor):
3229         * bindings/ScriptFunctionCall.cpp:
3230         (Deprecated::ScriptFunctionCall::call):
3231         * bindings/ScriptFunctionCall.h:
3232         * dfg/DFGOperations.cpp:
3233         * inspector/InjectedScriptManager.cpp:
3234         (Inspector::InjectedScriptManager::createInjectedScript):
3235         * inspector/InspectorEnvironment.h:
3236         * interpreter/Interpreter.cpp:
3237         (JSC::Interpreter::executeProgram):
3238         (JSC::Interpreter::executeCall):
3239         (JSC::Interpreter::executeConstruct):
3240         * interpreter/Interpreter.h:
3241         * jit/JITOperations.cpp:
3242         * jsc.cpp:
3243         (functionDollarAgentReceiveBroadcast):
3244         * llint/LLIntSlowPaths.cpp:
3245         (JSC::LLInt::handleHostCall):
3246         * runtime/ArrayPrototype.cpp:
3247         (JSC::arrayProtoFuncToString):
3248         (JSC::arrayProtoFuncToLocaleString):
3249         * runtime/CallData.cpp:
3250         (JSC::call):
3251         (JSC::profiledCall):
3252         * runtime/CallData.h:
3253         * runtime/ClassInfo.h:
3254         * runtime/CommonSlowPaths.cpp:
3255         (JSC::SLOW_PATH_DECL):
3256         * runtime/ConstructData.cpp:
3257         (JSC::construct):
3258         (JSC::profiledConstruct):
3259         * runtime/ConstructData.h:
3260         (JSC::construct):
3261         (JSC::profiledConstruct):
3262         (): Deleted.
3263         * runtime/DatePrototype.cpp:
3264         (JSC::dateProtoFuncToJSON):
3265         * runtime/GetterSetter.cpp:
3266         (JSC::callGetter):
3267         (JSC::callSetter):
3268         * runtime/InternalFunction.cpp:
3269         (JSC::InternalFunction::getCallData):
3270         (JSC::InternalFunction::getConstructData):
3271         * runtime/InternalFunction.h:
3272         * runtime/IteratorOperations.cpp:
3273         (JSC::iteratorNext):
3274         (JSC::iteratorClose):
3275         (JSC::hasIteratorMethod):
3276         (JSC::iteratorMethod):
3277         (JSC::iteratorForIterable):
3278         * runtime/JSBoundFunction.cpp:
3279         (JSC::boundThisNoArgsFunctionCall):
3280         (JSC::boundFunctionCall):
3281         (JSC::boundThisNoArgsFunctionConstruct):
3282         (JSC::boundFunctionConstruct):
3283         * runtime/JSCJSValue.h:
3284         * runtime/JSCell.cpp:
3285         (JSC::JSCell::getCallData):
3286         (JSC::JSCell::getConstructData):
3287         * runtime/JSCell.h:
3288         * runtime/JSCellInlines.h:
3289         (JSC::JSCell::isFunction):
3290         (JSC::JSCell::isConstructor):
3291         * runtime/JSFunction.cpp:
3292         (JSC::JSFunction::getCallData):
3293         (JSC::JSFunction::getConstructData):
3294         * runtime/JSFunction.h:
3295         * runtime/JSInternalPromise.cpp:
3296         (JSC::JSInternalPromise::then):
3297         * runtime/JSMicrotask.cpp:
3298         (JSC::JSMicrotask::run):
3299         * runtime/JSModuleLoader.cpp:
3300         (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
3301         (JSC::JSModuleLoader::provideFetch):
3302         (JSC::JSModuleLoader::loadAndEvaluateModule):
3303         (JSC::JSModuleLoader::loadModule):
3304         (JSC::JSModuleLoader::linkAndEvaluateModule):
3305         (JSC::JSModuleLoader::requestImportModule):
3306         * runtime/JSONObject.cpp:
3307         (JSC::Stringifier::isCallableReplacer const):
3308         (JSC::Stringifier::Stringifier):
3309         (JSC::Stringifier::toJSON):
3310         (JSC::Stringifier::appendStringifiedValue):
3311         (JSC::Walker::Walker):
3312         (JSC::Walker::callReviver):
3313         (JSC::JSONProtoFuncParse):
3314         * runtime/JSObject.cpp:
3315         (JSC::ordinarySetSlow):
3316         (JSC::callToPrimitiveFunction):
3317         (JSC::JSObject::hasInstance):
3318         (JSC::JSObject::getMethod):
3319         * runtime/JSObject.h:
3320         * runtime/JSObjectInlines.h:
3321         (JSC::getCallData):
3322         (JSC::getConstructData):
3323         * runtime/JSPromise.cpp:
3324         (JSC::JSPromise::createDeferredData):
3325         (JSC::JSPromise::resolvedPromise):
3326         (JSC::callFunction):
3327         * runtime/MapConstructor.cpp:
3328         (JSC::constructMap):
3329         * runtime/ObjectPrototype.cpp:
3330         (JSC::objectProtoFuncToLocaleString):
3331         * runtime/ProxyObject.cpp:
3332         (JSC::performProxyGet):
3333         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3334         (JSC::ProxyObject::performHasProperty):
3335         (JSC::ProxyObject::performPut):
3336         (JSC::performProxyCall):
3337         (JSC::ProxyObject::getCallData):
3338         (JSC::performProxyConstruct):
3339         (JSC::ProxyObject::getConstructData):
3340         (JSC::ProxyObject::performDelete):
3341         (JSC::ProxyObject::performPreventExtensions):
3342         (JSC::ProxyObject::performIsExtensible):
3343         (JSC::ProxyObject::performDefineOwnProperty):
3344         (JSC::ProxyObject::performGetOwnPropertyNames):
3345         (JSC::ProxyObject::performSetPrototype):
3346         (JSC::ProxyObject::performGetPrototype):
3347         * runtime/ProxyObject.h:
3348         * runtime/ReflectObject.cpp:
3349         (JSC::reflectObjectConstruct):
3350         * runtime/SamplingProfiler.cpp:
3351         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3352         * runtime/SetConstructor.cpp:
3353         (JSC::constructSet):
3354         * runtime/StringPrototype.cpp:
3355         (JSC::replaceUsingRegExpSearch):
3356         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3357         (JSC::operationStringProtoFuncReplaceRegExpString):
3358         (JSC::replaceUsingStringSearch):
3359         * runtime/VM.cpp:
3360         (JSC::VM::callPromiseRejectionCallback):
3361         * runtime/WeakMapConstructor.cpp:
3362         (JSC::constructWeakMap):
3363         * runtime/WeakSetConstructor.cpp:
3364         (JSC::constructWeakSet):
3365         * tools/JSDollarVM.cpp:
3366         (JSC::callWithStackSizeProbeFunction):
3367         * wasm/js/WebAssemblyModuleRecord.cpp:
3368         (JSC::WebAssemblyModuleRecord::evaluate):
3369         * wasm/js/WebAssemblyWrapperFunction.cpp:
3370         (JSC::callWebAssemblyWrapperFunction):
3371
3372 2020-04-26  Ross Kirsling  <ross.kirsling@sony.com>
3373
3374         [JSC] Clearly distinguish isConstructor from getConstructData
3375         https://bugs.webkit.org/show_bug.cgi?id=211053
3376
3377         Reviewed by Sam Weinig.
3378
3379         Follow-up to r260722. Remove the isConstructor overload that duplicates getConstructData
3380         and clearly distinguish the usage of these two functions.
3381
3382         * runtime/JSCJSValue.h:
3383         * runtime/JSCJSValueInlines.h:
3384         * runtime/JSCell.h:
3385         * runtime/JSCellInlines.h:
3386         (JSC::JSCell::isConstructor):
3387         Remove isConstructor overload.
3388
3389         * runtime/JSBoundFunction.cpp:
3390         (JSC::JSBoundFunction::create):
3391         Don't use getConstructData if you don't need ConstructData.
3392
3393         * runtime/ReflectObject.cpp:
3394         (JSC::reflectObjectConstruct):
3395         Use getConstructData if you need ConstructData.
3396
3397         * API/JSObjectRef.cpp:
3398         (JSObjectIsFunction):
3399         Use isFunction (leftover spot from last patch).
3400
3401 2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
3402
3403         Symbol should have [[Construct]] internal method
3404         https://bugs.webkit.org/show_bug.cgi?id=211050
3405
3406         Reviewed by Yusuke Suzuki.
3407
3408         This change introduces constructSymbol() method, which unconditionally throws
3409         a TypeError, since its presence