configSizeToProtect should be 16KB
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2020-03-13  Saam Barati  <sbarati@apple.com>

        configSizeToProtect should be 16KB
        https://bugs.webkit.org/show_bug.cgi?id=209068

        Reviewed by Keith Miller.

        * runtime/JSCConfig.h:

2020-03-13  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix JSC / test262 tests
        https://bugs.webkit.org/show_bug.cgi?id=209033
        <rdar://problem/58946936>

        Follow-up change for DisallowGC, which causes a crash because CodeBlock is nullptr when the function call is a non-JS call.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):

2020-03-13  Tadeu Zagallo  <tzagallo@apple.com>

        Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
        https://bugs.webkit.org/show_bug.cgi?id=208685
        <rdar://problem/60115088>

        Reviewed by Saam Barati.

        In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
        respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
        to an Unchecked version of the same node.

        Thanks to Samuel Groß of Google Project Zero for identifying this bug.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
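
A toy model of the conflation this entry describes, added here as an illustration and not code from JavaScriptCore: a value-numbering table keyed the way the buggy PureValue was (op and child, mode left out) beside one that also keys on the ArithMode, both run over an Unchecked and then a CheckOverflow ArithNegate of INT32_MIN. The node kinds and mode names follow the DFG; the structures and functions are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of DFG pure-value CSE for the ArithNegate/ArithAbs case.
 * Not JavaScriptCore code: node kinds and arith modes borrow the DFG names,
 * the structures and functions are this example's own. */
typedef enum { ArithNegate, ArithAbs } NodeType;
typedef enum { Unchecked, CheckOverflow } ArithMode;

typedef struct {
    NodeType op;
    ArithMode mode;
    int32_t child;   /* the operand, already known as a constant */
} Node;

/* A PureValue key carries the same fields as the node it describes. */
typedef Node PureValue;

/* What executing a node yields: the int32 result, and whether a checked node
 * would have bailed out (an OSR exit in the real engine) instead. */
typedef struct {
    int32_t value;
    bool exited;
} Result;

static Result evaluate(const Node* n)
{
    Result r = { 0, false };
    int64_t wide = n->child;
    if (n->op == ArithNegate || n->child < 0)
        wide = -wide;
    /* Only INT32_MIN overflows for negate and abs. */
    bool overflow = wide > INT32_MAX;
    if (n->mode == CheckOverflow && overflow)
        r.exited = true;
    r.value = (int32_t)(uint32_t)wide;   /* the unchecked path wraps */
    return r;
}

/* includeMode == false reproduces the bug: the mode is left out of the key,
 * so a CheckOverflow node matches an earlier Unchecked node. */
static bool pureValueEquals(const PureValue* a, const PureValue* b, bool includeMode)
{
    if (a->op != b->op || a->child != b->child)
        return false;
    return !includeMode || a->mode == b->mode;
}

/* Walks up to 8 nodes in order; a node whose key matches an earlier one takes
 * that node's result instead of being evaluated. Returns the number eliminated. */
static int runCSE(const Node* nodes, int count, bool includeMode, Result* out)
{
    struct { PureValue key; Result result; } table[8];
    int tableSize = 0, eliminated = 0;
    for (int i = 0; i < count && i < 8; i++) {
        bool replaced = false;
        for (int j = 0; j < tableSize; j++) {
            if (pureValueEquals(&table[j].key, &nodes[i], includeMode)) {
                out[i] = table[j].result;   /* reused: no overflow check is ever emitted */
                replaced = true;
                eliminated++;
                break;
            }
        }
        if (!replaced) {
            out[i] = evaluate(&nodes[i]);
            table[tableSize].key = nodes[i];
            table[tableSize].result = out[i];
            tableSize++;
        }
    }
    return eliminated;
}

/* The scenario from the entry: an Unchecked and then a CheckOverflow negate
 * of the same operand, fed INT32_MIN. Returns whether the checked node still
 * bails out, i.e. whether CSE kept it distinct from the unchecked one. */
static bool checkedNegateStillExits(bool includeMode)
{
    Node nodes[2] = {
        { ArithNegate, Unchecked, INT32_MIN },
        { ArithNegate, CheckOverflow, INT32_MIN },
    };
    Result out[2];
    runCSE(nodes, 2, includeMode, out);
    return out[1].exited;
}

int main(void)
{
    printf("mode omitted from key:  checked negate exits = %s\n",
        checkedNegateStillExits(false) ? "yes" : "no");
    printf("mode included in key:   checked negate exits = %s\n",
        checkedNegateStillExits(true) ? "yes" : "no");
    return 0;
}
```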

2020-03-13  Myles C. Maxfield  <mmaxfield@apple.com>

        [Cocoa] Push applicationSDKVersion() down from WebCore into WTF
        https://bugs.webkit.org/show_bug.cgi?id=209030

        Reviewed by Simon Fraser.

        dyld_get_program_sdk_version() gives you the wrong answer in the Web Process (or at least
        not the answer you actually want). There are already facilities for the UI Process to tell
        the Web Process what the real value is, but those functions are currently in WebCore,
        which is inaccessible to WTF. This patch is in preparation for
        https://bugs.webkit.org/show_bug.cgi?id=208969 which needs to know this information in WTF.

        I also found a few places which were calling dyld_get_program_sdk_version() in JavaScriptCore
        and WebCore (which is wrong because those libraries exist in the Web Process), and have fixed
        them up to use applicationSDKVersion() instead.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):

2020-03-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Reload CodeBlock or suppress GC while setting up calls
        https://bugs.webkit.org/show_bug.cgi?id=209033
        <rdar://problem/58946936>

        Reviewed by Saam Barati.

        The sequence of Interpreter::execute is the following.

            1. Getting CodeBlock from Executable
            2. Doing a lot of setups
            3. Setting (1)'s CodeBlock to ProtoFrame
            4. Calling code through Executable

        During (2), it would be possible that GC happens and it replaces CodeBlock in Executable.
        Then, when executing JITCode with CodeBlock in (4), we use new JITCode with old CodeBlock.

        In this patch,

        For ProgramExecutable, FunctionExecutable, ModuleProgramExecutable, we ensure that no GC happens
        after getting CodeBlock by placing DisallowGC. For EvalExecutable, we reload CodeBlock after setting
        up environment. It is possible that FunctionExecutable* stored in CodeBlock can be different when
        executing a new CodeBlock, but this is OK since this difference does not appear and we do not rely on
        this: we are touching `name` of FunctionExecutable* which is retrieved from CodeBlock. But this name
        will not be changed since this is derived from UnlinkedFunctionExecutable which is shared by multiple
        CodeBlocks. And FunctionExecutable* generation ordering must be the same for every CodeBlock generation
        from the same UnlinkedCodeBlock.

        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::prepareForExecution):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::execute):
        * runtime/DisallowScope.h:
        (JSC::DisallowScope::disable):
        * runtime/StringPrototype.cpp:

2020-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless of Structure::outOfLineCapacity
        https://bugs.webkit.org/show_bug.cgi?id=209027

        Reviewed by Saam Barati.

        Delete IC code generation assumes that mayNeedToCheckCell (it is replaced with canCacheDeleteIC) is false
        while we are looking into this status only if Structure::outOfLineCapacity meets a certain condition. We should avoid
        creating a Delete IC when mayNeedToCheckCell/canCacheDeleteIC is true regardless of Structure::outOfLineCapacity.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::createDelete):
        (JSC::AccessCase::generateImpl):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::mayHaveIndexingHeader const):
        (JSC::Structure::canCacheDeleteIC const):

2020-03-13  Alexey Shvayka  <shvaikalesh@gmail.com>

        Bound functions should pass correct NewTarget value
        https://bugs.webkit.org/show_bug.cgi?id=209057

        Reviewed by Keith Miller.

        This change implements steps 5-6 of bound function's [[Construct]] method [1],
        fixing bound function subclasses and aligning JSC with V8 and SpiderMonkey.

        [1]: https://tc39.es/ecma262/#sec-bound-function-exotic-objects-construct-argumentslist-newtarget

        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):

2020-03-13  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, change ASSERT to ASSERT_WITH_SECURITY_IMPLICATION since it is now enabled under ENABLE(SECURITY_ASSERTIONS)
        https://bugs.webkit.org/show_bug.cgi?id=209041
        <rdar://problem/59705631>

        * runtime/JSCast.h:
        (JSC::jsCast):

2020-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        Report crashed cell in jsCast in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=209041
        <rdar://problem/59705631>

        Reviewed by Mark Lam.

        To collect more information when crashing with jsCast, we attempt to use reportZappedCellAndCrash.
        If it succeeds, we can get more information in registers. We enable this only for ASSERT_ENABLED
        build. For non ASSERT_ENABLED, we keep the original assertion since this assertion can be enabled
        via ENABLE(SECURITY_ASSERTIONS).

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::reportZappedCellAndCrash): Deleted.
        * heap/SlotVisitor.h:
        * runtime/JSCast.h:
        (JSC::jsCast):
        * runtime/JSCell.cpp:
        (JSC::reportZappedCellAndCrash):
        * runtime/JSCell.h:

2020-03-12  Keith Miller  <keith_miller@apple.com>

        DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=209035

        Reviewed by Saam Barati.

        It might be possible to produce a graph where the last reference to a TypedArray
        is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
        TypedArray in B3 we may end up not keeping the TypedArray alive until after the
        storage access.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):

2020-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use CacheableIdentifier in ByValInfo
        https://bugs.webkit.org/show_bug.cgi?id=208978

        Reviewed by Saam Barati.

        CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier.
        However, finalizeUnconditionally is only guaranteeing that the main thread is not working. It can be invoked
        in the heap thread, and it is not setting the AtomStringTable for this heap thread. If Identifier destroys
        AtomStringImpl, it fails to unregister itself from the table.

        In this patch,

            1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase.
            2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ByValInfo.cpp: Added.
        (JSC::ByValInfo::visitAggregate):
        * bytecode/ByValInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutByVal):
        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitByValIdentifierCheck):
        * runtime/CacheableIdentifier.h:

2020-03-11  Keith Miller  <keith_miller@apple.com>

        Test262-runner should always consider crashes as new failures
        https://bugs.webkit.org/show_bug.cgi?id=208943

        Reviewed by Yusuke Suzuki.

        BigInt.asUintN() / BigInt.asIntN() should not crash when called even if we have
        not implemented them yet...

        * runtime/BigIntConstructor.cpp:
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):

2020-03-11  Keith Miller  <keith_miller@apple.com>

        Throws incorrectly a syntax error when declaring a top level catch variable the same as a parameter
        https://bugs.webkit.org/show_bug.cgi?id=189914

        Reviewed by Saam Barati.

        When we are parsing catch block parameters we should increment the statement depth so we don't think
        we are trying to shadow top level lexical variables in the same statement depth.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTryStatement):

2020-03-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Fix iso-subspace static_assert for JSJavaScriptCallFramePrototype
        https://bugs.webkit.org/show_bug.cgi?id=208874

        Reviewed by Saam Barati.

        This static_assert should ensure the condition for JSJavaScriptCallFramePrototype, not for JSInjectedScriptHostPrototype.

        * inspector/JSJavaScriptCallFramePrototype.h:

2020-03-09  Don Olmstead  <don.olmstead@sony.com>

        Remove obsolete feature flags
        https://bugs.webkit.org/show_bug.cgi?id=208830

        Reviewed by Alex Christensen.

        Remove ENABLE_CUSTOM_SCHEME_HANDLER and ENABLE_MAC_VIDEO_TOOLBOX since they
        are no longer used.

        * Configurations/FeatureDefines.xcconfig:

2020-03-09  Alexey Shvayka  <shvaikalesh@gmail.com>

        @putByValDirect does not perform [[DefineOwnProperty]] correctly
        https://bugs.webkit.org/show_bug.cgi?id=208708

        Reviewed by Yusuke Suzuki.

        This change adds inSparseIndexingMode() check to canDoFastPutDirectIndex(), fixing slow path
        of @putByValDirect() to perform [[DefineOwnProperty]] according to spec [1] and aligning JSC
        with V8 and SpiderMonkey.

        This patch preserves existing behavior for Arguments exotic objects (thus the checks order)
        and aligns slow path checks in JSObject::putDirectIndexSlowOrBeyondVectorLength
        with JSObject::defineOwnIndexedProperty.

        JetStream2 benchmark is neutral.

        [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor

        * runtime/JSObject.cpp:
        (JSC::canDoFastPutDirectIndex):

2020-03-09  Antoine Quint  <graouts@apple.com>

        Remove the compile-time flag for Pointer Events
        https://bugs.webkit.org/show_bug.cgi?id=208821
        <rdar://problem/60223471>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2020-03-09  Caio Lima  <ticaiolima@gmail.com>

        Tail calls are broken on ARM_THUMB2 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=197797

        Reviewed by Yusuke Suzuki.

        `prepareForTailCall` operation expects that header size + parameters
        size is aligned with stack (alignment is 16-bytes for every architecture).
        This means that headerSizeInBytes + argumentsIncludingThisInBytes needs
        to be multiple of 16. This was not being preserved during getter IC code
        for 32-bits. The code generated was taking into account only
        headerSizeInRegisters (it is 4 on 32-bits) and argumentsIncludingThis
        (that is always 1 for getters) and allocating 32-bytes when applying
        operation `(headerSize + argumentsIncludingThis) * 8 - sizeof(CallerFrameAndPC)`.
        This results in a stack frame with size of 40 bytes (after we push
        `lr` and `sp`). Since `prepareForTailCall` expects frames to be
        16-bytes aligned, it will then calculate the top of such frame
        considering it is 48 bytes, clobbering values of previous frame and
        causing unexpected behavior. This patch is fixing how this IC code
        calculates the stack frame using `roundArgumentCountToAlignFrame(numberOfParameters)`
        aligning with what we do on code without IC installed.
        This was not a problem for getter and setter IC on 64-bits because
        `roundArgumentCountToAlignFrame(1) == 1` and `roundArgumentCountToAlignFrame(2) == 3`
        while it is `roundArgumentCountToAlignFrame(1) == 2` and
        `roundArgumentCountToAlignFrame(2) == 2` for MIPS and ARMv7.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
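
The frame-size arithmetic of this entry worked through in C, as an added example and not JavaScriptCore code. It assumes 8-byte register slots and 16-byte stack alignment on every architecture, headerSizeInRegisters of 4 on 32-bit (as the entry states) and 5 on 64-bit, and sizeof(CallerFrameAndPC) of 8 and 16 bytes respectively; the function names mirror the entry's but the functions are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the frame-size arithmetic in the entry above. Not JavaScriptCore
 * code: the names mirror JSC's, the values are this example's assumptions.
 * Register slots are 8 bytes on every architecture and the stack must be
 * 16-byte aligned, so two register slots make one alignment unit. */
enum {
    RegisterSize = 8,
    StackAlignment = 16,
    StackAlignmentRegisters = StackAlignment / RegisterSize
};

typedef struct {
    const char* name;
    unsigned headerSizeInRegisters;  /* CallerFrameAndPC + codeBlock + callee + argumentCount */
    unsigned callerFrameAndPCSize;   /* sizeof(CallerFrameAndPC): two pointers */
} Arch;

/* Assumption: 5 header registers on 64-bit (CallerFrameAndPC fills two 8-byte
 * slots); the entry states 4 on 32-bit (two 4-byte pointers fit in one slot). */
static const Arch arch64 = { "64-bit", 5, 16 };
static const Arch arch32 = { "32-bit (ARMv7/MIPS)", 4, 8 };

static unsigned roundUpToMultipleOf(unsigned divisor, unsigned x)
{
    return (x + divisor - 1) / divisor * divisor;
}

/* Pad the argument count so that header + arguments is a whole number of
 * alignment units; returns the padded count (the shape of JSC's helper). */
static unsigned roundArgumentCountToAlignFrame(const Arch* a, unsigned argumentCountIncludingThis)
{
    unsigned total = argumentCountIncludingThis + a->headerSizeInRegisters;
    return roundUpToMultipleOf(StackAlignmentRegisters, total) - a->headerSizeInRegisters;
}

/* Bytes the getter IC allocated before the fix: the raw argument count is
 * used, so nothing pads the frame. */
static unsigned icFrameBytesBeforeFix(const Arch* a, unsigned argumentCountIncludingThis)
{
    return (a->headerSizeInRegisters + argumentCountIncludingThis) * RegisterSize
        - a->callerFrameAndPCSize;
}

/* After the fix the argument count is rounded first. */
static unsigned icFrameBytesAfterFix(const Arch* a, unsigned argumentCountIncludingThis)
{
    unsigned rounded = roundArgumentCountToAlignFrame(a, argumentCountIncludingThis);
    return (a->headerSizeInRegisters + rounded) * RegisterSize - a->callerFrameAndPCSize;
}

/* The frame as prepareForTailCall sees it: the IC's allocation plus the return
 * address and caller frame pointer pushed by the call (`lr` and `sp` above). */
static unsigned totalFrameBytes(const Arch* a, unsigned allocatedBytes)
{
    return allocatedBytes + a->callerFrameAndPCSize;
}

static bool isFrameAligned(unsigned totalBytes)
{
    return totalBytes % StackAlignment == 0;
}

/* prepareForTailCall assumes an aligned frame; for a misaligned one it places
 * the frame top this many bytes past the real one, inside the caller's frame. */
static unsigned bytesBeyondFrame(unsigned totalBytes)
{
    return roundUpToMultipleOf(StackAlignment, totalBytes) - totalBytes;
}

static void report(const Arch* a, const char* label, unsigned args, unsigned allocated)
{
    unsigned total = totalFrameBytes(a, allocated);
    printf("%-20s %-13s args=%u alloc=%2u total=%2u aligned=%-3s overshoot=%u\n",
        a->name, label, args, allocated, total, isFrameAligned(total) ? "yes" : "no",
        bytesBeyondFrame(total));
}

int main(void)
{
    const Arch* archs[2] = { &arch64, &arch32 };
    for (int i = 0; i < 2; i++) {
        report(archs[i], "getter before", 1, icFrameBytesBeforeFix(archs[i], 1));
        report(archs[i], "getter after", 1, icFrameBytesAfterFix(archs[i], 1));
        report(archs[i], "setter after", 2, icFrameBytesAfterFix(archs[i], 2));
    }
    return 0;
}
```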

2020-03-08  Brady Eidson  <beidson@apple.com>

        Remember completed subranges during incremental PDF loading.
        https://bugs.webkit.org/show_bug.cgi?id=208785

        Reviewed by Tim Horton.

        Move 'using WTF::Range' from the WTF/Range.h header to these JSC users.

        The alternative to making these 3 changes was to make over 20 changes up in the WebCore/WebKits
        to resolve the conflict with WebCore::Range.

        * b3/B3HeapRange.h:
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * heap/JITStubRoutineSet.h:

2020-03-07  Alexey Shvayka  <shvaikalesh@gmail.com>

        REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON
        https://bugs.webkit.org/show_bug.cgi?id=208766

        Reviewed by Yusuke Suzuki.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON): Add missing RELEASE_AND_RETURN.

2020-03-07  Mark Lam  <mark.lam@apple.com>

        Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
        https://bugs.webkit.org/show_bug.cgi?id=208764
        <rdar://problem/59940095>

        Reviewed by Keith Miller.

        The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal
        JS to pass in the same value as the base and subscript.  The runtime will handle
        it properly.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):

2020-03-05  Sam Weinig  <weinig@apple.com>

        Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h
        https://bugs.webkit.org/show_bug.cgi?id=207436
        <rdar://problem/59296762>

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        Remove JSC related defines.

2020-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Enable public class fields
        https://bugs.webkit.org/show_bug.cgi?id=208756

        Reviewed by Mark Lam.

        This patch turns public-class-fields feature on, implemented in r254653.
        To separate from private-class-fields, this patch renames the flag from useClassFields to usePublicClassFields,
        and first enables the public-class-fields feature.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        * runtime/OptionsList.h:

2020-03-06  Mark Lam  <mark.lam@apple.com>

        Add "AndOrdered" to the names of ordered DoubleConditions.
        https://bugs.webkit.org/show_bug.cgi?id=208736

        Reviewed by Keith Miller.

        Renamed the following:
            DoubleEqual ==> DoubleEqualAndOrdered
            DoubleNotEqual ==> DoubleNotEqualAndOrdered
            DoubleGreaterThan ==> DoubleGreaterThanAndOrdered
            DoubleGreaterThanOrEqual ==> DoubleGreaterThanOrEqualAndOrdered
            DoubleLessThan ==> DoubleLessThanAndOrdered
            DoubleLessThanOrEqual ==> DoubleLessThanOrEqualAndOrdered

        The comment for these enums in MacroAssemblerARM64.h says:
            // These conditions will only evaluate to true if the comparison is ordered - i.e. neither operand is NaN.

        Adding "AndOrdered" to their names makes this property explicit.

        From reading the original names, one might intuitively think that these conditions
        map directly to the C++ double comparisons.  This intuition is incorrect.
        Consider the DoubleNotEqual case: let's compare 2 doubles, a and b:

            result = (a != b);

        For C++, if either a or b are NaNs, then a != b will actually return true.
        This is contrary to the behavior documented in the MacroAssemblerARM64.h comment
        above about how DoubleNotEqual should behave.  In our code, DoubleNotEqual actually
        means DoubleNotEqualAndOrdered.  The C++ != behavior actually matches our
        DoubleNotEqualOrUnordered condition instead.

        The tendency to want to associate DoubleNotEqual with the behavior of the C++
        != operator is precisely why we should give these conditions better names.
        Adding the "AndOrdered" name makes the expected behavior explicit in the name, and
        leaves no room for confusion with C++ double comparison semantics.

        * assembler/MacroAssembler.cpp:
        (WTF::printInternal):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::invert):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::floatingPointCompare):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchDouble):
        (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
        (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
        (JSC::MacroAssemblerX86Common::invert):
        (JSC::MacroAssemblerX86Common::floatingPointCompare):
        (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare):
        (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::truncateDoubleToUint64):
        (JSC::MacroAssemblerX86_64::truncateFloatToUint64):
        * assembler/testmasm.cpp:
        (JSC::testCompareDouble):
        (JSC::testCompareDoubleSameArg):
        (JSC::testMoveConditionallyFloatingPoint):
        (JSC::testMoveDoubleConditionallyDouble):
        (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase):
        (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase):
        (JSC::testMoveDoubleConditionallyFloat):
        (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase):
        (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase):
        (JSC::testMoveConditionallyFloatingPointSameArg):
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileArithMinMax):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfNotNaN):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
        (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):

2020-03-06  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r258038): Build failure on Windows 10 bots
        <https://bugs.webkit.org/show_bug.cgi?id=208731>
        <rdar://problem/59222568>

        * assembler/testmasm.cpp:
        (JSC::testCompareDouble):
        (JSC::testCompareDoubleSameArg):
        (JSC::testMoveConditionallyFloatingPoint):
        (JSC::testMoveConditionallyFloatingPointSameArg):
        - Add RELEASE_ASSERT_NOT_REACHED() statements to try to fix the
          bots.

2020-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        Put remaining fixed-sized cells into IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=208754

        Reviewed by Keith Miller.

        Put remaining fixed-sized cells into IsoSubspace. Now all the fixed-sized cells have their own IsoSubspaces.

        1. JSArray (We need to care about RAMification number, or compensate RAMification regression with improvements).
        2. Inspector's objects
        3. All prototype objects have one IsoSubspace since they are plain objects.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * jsc.cpp:
        (JSC::Masquerader::subspaceFor):
        (JSCMemoryFootprint::subspaceFor):
        * runtime/ArrayIteratorPrototype.h:
        * runtime/ArrayPrototype.h:
        * runtime/AsyncFromSyncIteratorPrototype.h:
        * runtime/AsyncFunctionPrototype.h:
        * runtime/AsyncGeneratorFunctionPrototype.h:
        * runtime/AsyncGeneratorPrototype.h:
        * runtime/AsyncIteratorPrototype.h:
        * runtime/AtomicsObject.h:
        * runtime/BigIntPrototype.h:
        * runtime/ConsoleObject.h:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.h:
        * runtime/GeneratorFunctionPrototype.h:
        * runtime/GeneratorPrototype.h:
        * runtime/InspectorInstrumentationObject.h:
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.h:
        * runtime/IntlPluralRulesPrototype.h:
        * runtime/IteratorPrototype.h:
        * runtime/JSArray.h:
        (JSC::JSArray::subspaceFor):
        * runtime/JSArrayBufferPrototype.h:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor): Deleted.
        * runtime/JSGenericTypedArrayViewPrototype.h:
        * runtime/JSModuleLoader.h:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSFinalObject::subspaceFor):
        (JSC::JSObject::subspaceFor): Deleted.
        * runtime/JSPromisePrototype.h:
        (JSC::JSPromisePrototype::subspaceFor):
        * runtime/JSTypedArrayViewPrototype.h:
        * runtime/MapIteratorPrototype.h:
        * runtime/MapPrototype.h:
        * runtime/MathObject.h:
        * runtime/NativeErrorPrototype.h:
        * runtime/ObjectPrototype.h:
        * runtime/ReflectObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/RegExpStringIteratorPrototype.h:
        * runtime/SetIteratorPrototype.h:
        * runtime/SetPrototype.h:
        * runtime/StringIteratorPrototype.h:
        * runtime/SymbolPrototype.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WeakMapPrototype.h:
        * runtime/WeakObjectRefPrototype.h:
        * runtime/WeakSetPrototype.h:
        * tools/JSDollarVM.cpp:
        * tools/JSDollarVM.h:
        * wasm/js/JSWebAssembly.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.h:
        * wasm/js/WebAssemblyGlobalPrototype.h:
        * wasm/js/WebAssemblyInstancePrototype.h:
        * wasm/js/WebAssemblyLinkErrorPrototype.h:
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyModulePrototype.h:
        * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
        * wasm/js/WebAssemblyTablePrototype.h:

2020-03-06  Alexey Shvayka  <shvaikalesh@gmail.com>

        JSON.stringify should call replacer on deleted properties
        https://bugs.webkit.org/show_bug.cgi?id=208725

        Reviewed by Ross Kirsling.

        This change removes extra `hasProperty` check from `appendNextProperty` as
        it does not exist in the spec [1], aligning JSC with V8 and SpiderMonkey.

        This patch also replaces 3 usages of `getPropertySlot` with semantically
        equivalent (yet more concise) `get` and inlines `toJSONImpl` (this change
        is performance-neutral).

        [1]: https://tc39.es/ecma262/#sec-serializejsonobject (steps 6, 8.a)

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Stringifier::toJSONImpl): Deleted.

2020-03-06  Mark Lam  <mark.lam@apple.com>

        Fix some issues in the ARM64 moveConditionallyAfterFloatingPointCompare() and moveDoubleConditionallyAfterFloatingPointCompare().
        https://bugs.webkit.org/show_bug.cgi?id=208731
        <rdar://problem/59222568>

        Reviewed by Saam Barati.

        Both the ARM64 moveConditionallyAfterFloatingPointCompare() and
        moveDoubleConditionallyAfterFloatingPointCompare() had the following issues:

        1. For the DoubleNotEqual condition, they fail to set the result register if
           one or both of the comparison operands is a NaN.

        2. For the DoubleEqualOrUnordered condition, they can clobber the else case
           input register if one of the comparison operands is a NaN.

        This patch fixes both of these, and adds exhaustive testmasm test cases for affected
        MacroAssembler instruction emitters using these functions.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        * assembler/testmasm.cpp:
        (JSC::testCompareDouble):
        (JSC::testCompareDoubleSameArg):
        (JSC::testMoveConditionallyFloatingPoint):
        (JSC::testMoveConditionallyDouble2):
        (JSC::testMoveConditionallyDouble3):
        (JSC::testMoveConditionallyDouble3DestSameAsThenCase):
        (JSC::testMoveConditionallyDouble3DestSameAsElseCase):
        (JSC::testMoveConditionallyFloat2):
        (JSC::testMoveConditionallyFloat3):
        (JSC::testMoveConditionallyFloat3DestSameAsThenCase):
        (JSC::testMoveConditionallyFloat3DestSameAsElseCase):
        (JSC::testMoveDoubleConditionallyDouble):
        (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase):
        (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase):
        (JSC::testMoveDoubleConditionallyFloat):
        (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase):
        (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase):
        (JSC::testMoveConditionallyFloatingPointSameArg):
        (JSC::testMoveConditionallyDouble2SameArg):
        (JSC::testMoveConditionallyDouble3SameArg):
        (JSC::testMoveConditionallyFloat2SameArg):
        (JSC::testMoveConditionallyFloat3SameArg):
        (JSC::testMoveDoubleConditionallyDoubleSameArg):
        (JSC::testMoveDoubleConditionallyFloatSameArg):
        (JSC::run):
695
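The two failure modes above are exactly the cases an exhaustive test has to cover: a NaN operand makes an ordered condition such as DoubleNotEqual false, and an "...OrUnordered" condition such as DoubleEqualOrUnordered true, and the emitter must still write the result register and leave the then/else inputs untouched. The following is an added example, not code from the JSC patch or from testmasm: a JavaScript reference model of the conditional-move semantics (condition names follow the MacroAssembler DoubleCondition enum; the register file, the sentinel and the "buggy" emitter that reproduces the two described symptoms are this example's own assumptions), plus the exhaustive check that a testmasm-style test performs over NaN, signed zero, the infinities and every destination aliasing.

```javascript
// Added example, not JSC code: a reference model of the floating-point
// conditional-move semantics that the new testmasm cases pin down. The
// condition names follow JSC's MacroAssembler DoubleCondition enum; the
// NaN handling is the IEEE-754 rule that an ordered comparison involving
// a NaN is false and an "...OrUnordered" comparison involving a NaN is true.
const DoubleCondition = Object.freeze({
  // Only true if the comparison is ordered (neither operand is NaN).
  DoubleEqual:                         (a, b) => a === b,
  DoubleNotEqual:                      (a, b) => !Number.isNaN(a) && !Number.isNaN(b) && a !== b,
  DoubleGreaterThan:                   (a, b) => a > b,
  DoubleGreaterThanOrEqual:            (a, b) => a >= b,
  DoubleLessThan:                      (a, b) => a < b,
  DoubleLessThanOrEqual:               (a, b) => a <= b,
  // True if either operand is NaN.
  DoubleEqualOrUnordered:              (a, b) => Number.isNaN(a) || Number.isNaN(b) || a === b,
  DoubleNotEqualOrUnordered:           (a, b) => a !== b,
  DoubleGreaterThanOrUnordered:        (a, b) => !(a <= b),
  DoubleGreaterThanOrEqualOrUnordered: (a, b) => !(a < b),
  DoubleLessThanOrUnordered:           (a, b) => !(a >= b),
  DoubleLessThanOrEqualOrUnordered:    (a, b) => !(a > b),
});

// An "emitter" here is a function over a register file (a plain object):
// emit(regs, cond, leftReg, rightReg, thenReg, elseReg, destReg).
// This is the correct behaviour: read every input first, then write dest
// exactly once, so dest may alias thenReg or elseReg without harm.
function moveConditionallyDouble(regs, cond, leftReg, rightReg, thenReg, elseReg, destReg) {
  const taken = DoubleCondition[cond](regs[leftReg], regs[rightReg]);
  const thenValue = regs[thenReg];
  const elseValue = regs[elseReg];
  regs[destReg] = taken ? thenValue : elseValue;
}

// A model of the two pre-fix failure modes the entry describes (a model of
// the symptoms only, not the actual pre-fix ARM64 code generation).
function buggyMoveConditionallyDouble(regs, cond, leftReg, rightReg, thenReg, elseReg, destReg) {
  const unordered = Number.isNaN(regs[leftReg]) || Number.isNaN(regs[rightReg]);
  if (cond === 'DoubleNotEqual' && unordered)
    return;                           // issue 1: result register is never written
  if (cond === 'DoubleEqualOrUnordered' && unordered)
    regs[elseReg] = regs[thenReg];    // issue 2: else input register is clobbered
  moveConditionallyDouble(regs, cond, leftReg, rightReg, thenReg, elseReg, destReg);
}

// Exhaustive check in the spirit of the testmasm cases: every condition,
// every operand pair from a set that includes NaN, signed zero and the
// infinities, and every dest aliasing (separate dest, dest == then, dest == else).
// A sentinel in dest catches "result never written"; comparing the other
// registers afterwards catches "input clobbered". Returns the failing cases.
function exhaustiveSelectCheck(emit) {
  const operands = [NaN, -Infinity, -1, -0, 0, 1, 2, Infinity];
  const THEN = 10, ELSE = 20, SENTINEL = 'unwritten';
  const failures = [];
  for (const cond of Object.keys(DoubleCondition)) {
    for (const a of operands) {
      for (const b of operands) {
        for (const aliasing of ['none', 'then', 'else']) {
          const regs = { left: a, right: b, then: THEN, else: ELSE, dest: SENTINEL };
          const destReg = aliasing === 'none' ? 'dest' : aliasing;
          const expected = DoubleCondition[cond](a, b) ? THEN : ELSE;
          emit(regs, cond, 'left', 'right', 'then', 'else', destReg);
          const ok = Object.is(regs[destReg], expected)
            && Object.is(regs.left, a) && Object.is(regs.right, b)
            && (destReg === 'then' || regs.then === THEN)
            && (destReg === 'else' || regs.else === ELSE);
          if (!ok)
            failures.push({ cond, left: a, right: b, aliasing, got: regs[destReg] });
        }
      }
    }
  }
  return failures;
}
```

Running `exhaustiveSelectCheck(moveConditionallyDouble)` returns no failures, while `exhaustiveSelectCheck(buggyMoveConditionallyDouble)` returns failures only for DoubleNotEqual and DoubleEqualOrUnordered with a NaN operand; note that the DoubleNotEqual symptom is invisible when dest aliases the else register, which is why the testmasm cases include the DestSameAsThenCase and DestSameAsElseCase variants separately.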
696 2020-03-05  Paulo Matos  <pmatos@igalia.com>
697
698         [JSCOnly] 32-bits warning on memset of JSValue
699         https://bugs.webkit.org/show_bug.cgi?id=204411
700
701         Reviewed by Mark Lam.
702
703         Fixes a warning on 32-bit builds. This is required because GCC knows
704         it is not safe to use memset on non-POD types and warns against its use.
705
706         * heap/GCMemoryOperations.h:
707         (JSC::gcSafeZeroMemory):
708
709 2020-03-04  Mark Lam  <mark.lam@apple.com>
710
711         Handle an out of memory error while constructing the BytecodeGenerator.
712         https://bugs.webkit.org/show_bug.cgi?id=208622
713         <rdar://problem/59341136>
714
715         Reviewed by Saam Barati.
716
717         Added the ability to handle out of memory errors encountered during the
718         construction of the BytecodeGenerator.  Currently, we only use this for the
719         case where we fail to instantiate a ScopedArgumentsTable.
720
721         * bytecompiler/BytecodeGenerator.cpp:
722         (JSC::BytecodeGenerator::generate):
723         (JSC::BytecodeGenerator::BytecodeGenerator):
724         * bytecompiler/BytecodeGeneratorBase.h:
725         * runtime/ScopedArgumentsTable.cpp:
726         (JSC::ScopedArgumentsTable::tryCreate):
727         * runtime/ScopedArgumentsTable.h:
728         * runtime/SymbolTable.h:
729
730 2020-03-04  Paulo Matos  <pmatos@igalia.com>
731
732         JSC 32bits broken in debug mode by r257399
733         https://bugs.webkit.org/show_bug.cgi?id=208439
734
735         Reviewed by Carlos Alberto Lopez Perez.
736
737         Use the uses() method call instead of gpr() in the assert so that it
738         works for both 64 and 32 bits.
739
740         * bytecode/AccessCase.cpp:
741         (JSC::AccessCase::generateImpl):
742
743 2020-03-03  Saam Barati  <sbarati@apple.com>
744
745         Refactor FixedVMPoolExecutableAllocator to not have member functions which are really just helper functions
746         https://bugs.webkit.org/show_bug.cgi?id=208537
747
748         Reviewed by Mark Lam.
749
750         There were a few member functions in FixedVMPoolExecutableAllocator that were
751         essentially helper functions. I've factored them out, and made FixedVMPoolExecutableAllocator
752         call them directly. This refactoring is needed when I implement the 1GB
753         executable pool on arm64 since the implementation of that will create split
754         implementations of something like FixedVMPoolExecutableAllocator.
755
756         * jit/ExecutableAllocator.cpp:
757         (JSC::jitWriteThunkGenerator):
758         (JSC::genericWriteToJITRegion):
759         (JSC::initializeSeparatedWXHeaps):
760         (JSC::initializeJITPageReservation):
761         (JSC::ExecutableAllocator::isValid const):
762         (JSC::ExecutableAllocator::underMemoryPressure):
763         (JSC::ExecutableAllocator::memoryPressureMultiplier):
764         (JSC::ExecutableAllocator::allocate):
765         (JSC::ExecutableAllocator::isValidExecutableMemory):
766         (JSC::ExecutableAllocator::getLock const):
767         (JSC::ExecutableAllocator::committedByteCount):
768         (JSC::ExecutableAllocator::dumpProfile):
769         (JSC::startOfFixedExecutableMemoryPoolImpl):
770         (JSC::endOfFixedExecutableMemoryPoolImpl):
771         (JSC::isJITPC):
772
773 2020-03-03  Ross Kirsling  <ross.kirsling@sony.com>
774
775         Introduce JSRemoteInspectorServerStart API for socket-based RWI.
776         https://bugs.webkit.org/show_bug.cgi?id=208349
777
778         Reviewed by Joseph Pecoraro.
779
780         * API/JSRemoteInspectorServer.cpp: Added.
781         (JSRemoteInspectorServerStart):
782         * API/JSRemoteInspectorServer.h: Added.
783         * CMakeLists.txt:
784
785 2020-03-03  Basuke Suzuki  <basuke.suzuki@sony.com>
786
787         [WinCairo][PlayStation] Add interface to get listening port of RemoteInspectorServer
788         https://bugs.webkit.org/show_bug.cgi?id=208391
789
790         Reviewed by Don Olmstead.
791
792         When passing zero as the port argument, the system will pick an available port for it.
793         Without this method, the client cannot find out which port is listening.
794
795         * inspector/remote/socket/RemoteInspectorServer.cpp:
796         (Inspector::RemoteInspectorServer::start):
797         (Inspector::RemoteInspectorServer::getPort):
798         * inspector/remote/socket/RemoteInspectorServer.h:
799
800 2020-03-03  Yusuke Suzuki  <ysuzuki@apple.com>
801
802         [JSC] @hasOwnLengthProperty returns wrong value if "length" is attempted to be modified
803         https://bugs.webkit.org/show_bug.cgi?id=208497
804         <rdar://problem/59913544>
805
806         Reviewed by Mark Lam.
807
808         When "length" of a JSFunction is attempted to be modified, we set a flag. And @hasOwnLengthProperty
809         does not correctly use this flag to return a value for the fast path. This affects the "length"
810         property of bound functions. For example,
811
812             function userFunction(a) { }
813             userFunction.length = 20; // This field is read-only. So, it is not changed.
814             userFunction.bind().length; // Should be 1, but it returns 0.
815
816         1. We rename m_hasModifiedLength to m_hasModifiedLengthForNonHostFunction and m_hasModifiedName
817            to m_hasModifiedNameForNonHostFunction since we are not tracking these states for host-functions
818            which can eagerly initialize them.
819         2. We rename areNameAndLengthOriginal to canAssumeNameAndLengthAreOriginal to allow it to return
820            "false" for host functions. If it returns true, we go to the fast path.
821         3. Correctly use canAssumeNameAndLengthAreOriginal information in @hasOwnLengthProperty.
822
823         * runtime/FunctionRareData.cpp:
824         (JSC::FunctionRareData::FunctionRareData):
825         * runtime/FunctionRareData.h:
826         * runtime/JSFunction.cpp:
827         (JSC::JSFunction::put):
828         (JSC::JSFunction::deleteProperty):
829         (JSC::JSFunction::defineOwnProperty):
830         * runtime/JSFunction.h:
831         * runtime/JSFunctionInlines.h:
832         (JSC::JSFunction::canAssumeNameAndLengthAreOriginal):
833         (JSC::JSFunction::areNameAndLengthOriginal): Deleted.
834         * runtime/JSGlobalObject.cpp:
835         (JSC::hasOwnLengthProperty):
836         * tools/JSDollarVM.cpp:
837         (JSC::functionHasOwnLengthProperty):
838
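The example in the entry is one of several ways user code can touch a function's own "length" and thereby change what a bound function must report. The following is an added example, not code from the JSC patch: a JavaScript reference model of the bound-function length computation (the model follows the ECMAScript BoundFunctionCreate steps, which only consult the target's own "length"; the function and case names are this example's own), run against the engine's `Function.prototype.bind` for plain assignment, strict-mode assignment, defineProperty, delete, a non-numeric value and bound arguments.

```javascript
// Added example, not JSC code: a reference model of how a bound function's
// "length" is derived from its target. Only the target's *own* "length" is
// consulted, which is why an engine fast path has to know whether that
// property was ever modified or deleted.
function expectedBoundLength(target, boundArgCount) {
  if (!Object.prototype.hasOwnProperty.call(target, 'length')) return 0;
  const targetLen = target.length;
  if (typeof targetLen !== 'number' || Number.isNaN(targetLen)) return 0;
  return Math.max(0, Math.trunc(targetLen) - boundArgCount);
}

// Each case mutates a fresh function's "length" the way user code might and
// records [what the engine reports, what the model predicts].
function boundLengthCases() {
  const cases = {};

  // 1. Plain assignment: "length" is non-writable, so the assignment is a
  //    silent no-op in sloppy mode (and a TypeError in strict mode, caught
  //    here so the case works in either mode). The bound length stays 1.
  function f1(a) {}
  try { f1.length = 20; } catch (e) { /* strict mode: TypeError */ }
  cases.assignmentIgnored = [f1.bind().length, expectedBoundLength(f1, 0)];

  // 2. In strict mode the same assignment throws instead of being ignored.
  cases.assignmentThrowsInStrictMode = (() => {
    'use strict';
    function f2(a) {}
    try { f2.length = 20; return false; } catch (e) { return e instanceof TypeError; }
  })();

  // 3. "length" is configurable, so defineProperty does change it and the
  //    bound function must see the new value.
  function f3(a) {}
  Object.defineProperty(f3, 'length', { value: 5 });
  cases.redefined = [f3.bind().length, expectedBoundLength(f3, 0)];

  // 4. Deleting the own "length" leaves the target with no own "length"
  //    (Function.prototype.length is inherited), so the bound length is 0.
  function f4(a, b) {}
  delete f4.length;
  cases.deleted = [f4.bind().length, expectedBoundLength(f4, 0)];

  // 5. A non-number "length" counts as 0.
  function f5(a, b) {}
  Object.defineProperty(f5, 'length', { value: 'three' });
  cases.nonNumeric = [f5.bind().length, expectedBoundLength(f5, 0)];

  // 6. Bound arguments are subtracted, but never below 0.
  function f6(a, b, c) {}
  cases.boundArgs = [f6.bind(null, 1).length, expectedBoundLength(f6, 1)];
  cases.boundArgsClamped = [f6.bind(null, 1, 2, 3, 4).length, expectedBoundLength(f6, 4)];

  return cases;
}
```

Case 1 is the entry's own example: the assignment never changes "length", so a fast path that merely notices "length was touched" and gives up on the original value reports 0 where the correct answer is 1; cases 3 and 4 are the ones where the value really did change and the fast path must not be taken.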
839 2020-03-02  Alan Coon  <alancoon@apple.com>
840
841         Add new Mac target numbers
842         https://bugs.webkit.org/show_bug.cgi?id=208398
843
844         Reviewed by Alexey Proskuryakov.
845
846         * Configurations/Base.xcconfig:
847         * Configurations/DebugRelease.xcconfig:
848         * Configurations/Version.xcconfig:
849         * Configurations/WebKitTargetConditionals.xcconfig:
850
851 2020-03-02  Justin Michaud  <justin_michaud@apple.com>
852
853         Delete by val caching does not keep the subscript alive
854         https://bugs.webkit.org/show_bug.cgi?id=208393
855
856         Reviewed by Yusuke Suzuki.
857
858         Before, the provided test case crashed with asan because we did not keep deleteByVal
859         subscripts alive. This patch changes CacheableIdentifier to make this mistake harder
860         to make again, by making the constructor calls more explicit when CacheableIdentifier
861         will not keep an Identifier alive.
862
863         * jit/JITOperations.cpp:
864         * jit/Repatch.cpp:
865         (JSC::tryCachePutByID):
866         (JSC::tryCacheDeleteBy):
867         (JSC::repatchDeleteBy):
868         (JSC::tryCacheInByID):
869         (JSC::tryCacheInstanceOf):
870         (JSC::tryCacheDelBy): Deleted.
871         (JSC::repatchDelBy): Deleted.
872         * jit/Repatch.h:
873         * runtime/CacheableIdentifier.h:
874         * runtime/CacheableIdentifierInlines.h:
875         (JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock):
876         (JSC::CacheableIdentifier::createFromCell):
877
878 2020-03-02  Paulo Matos  <pmatos@igalia.com>
879
880         Fix JSC 32bit alignment increase gcc warning
881         https://bugs.webkit.org/show_bug.cgi?id=208445
882
883         Reviewed by Yusuke Suzuki.
884
885         Use reinterpret_cast_ptr<>() instead of reinterpret_cast<>() to
886         avoid GCC warning about increase in alignment requirement for cast
887         target type.
888
889         * dfg/DFGOSRExit.cpp:
890         (JSC::DFG::OSRExit::compileExit):
891
892 2020-03-02  Yusuke Suzuki  <ysuzuki@apple.com>
893
894         Unreviewed, fix wrong assertion
895         https://bugs.webkit.org/show_bug.cgi?id=208404
896         <rdar://problem/59956592>
897
898         * runtime/CachedTypes.cpp:
899         (JSC::CachedUniquedStringImplBase::decode const):
900
901 2020-03-01  Charles Turner  <cturner@igalia.com>
902
903         undefined reference to `JSC::ExecutableBase::hasJITCodeForCall() const'
904         https://bugs.webkit.org/show_bug.cgi?id=207890
905
906         Reviewed by Yusuke Suzuki.
907
908         Encountered on arm-buildroot-linux-gnueabihf with GCC 9.2.0.
909
910         * runtime/NativeExecutable.cpp: Inclusion of
911         ExecutableBaseInlines.h resolves the issue for me.
912
913 2020-02-29  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         Remove std::lock_guard
916         https://bugs.webkit.org/show_bug.cgi?id=206451
917
918         Reviewed by Anders Carlsson.
919
920         * API/JSVirtualMachine.mm:
921         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
922         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
923         * API/glib/JSCVirtualMachine.cpp:
924         (addWrapper):
925         (removeWrapper):
926         * heap/HeapSnapshotBuilder.cpp:
927         (JSC::HeapSnapshotBuilder::analyzeNode):
928         (JSC::HeapSnapshotBuilder::analyzeEdge):
929         (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge):
930         (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge):
931         (JSC::HeapSnapshotBuilder::analyzeIndexEdge):
932         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
933         * heap/MachineStackMarker.cpp:
934         (JSC::MachineThreads::tryCopyOtherThreadStacks):
935         * runtime/JSRunLoopTimer.cpp:
936         (JSC::JSRunLoopTimer::timerDidFire):
937
938 2020-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
939
940         [JSC] BuiltinNames' HashMap should be small
941         https://bugs.webkit.org/show_bug.cgi?id=208404
942
943         Reviewed by Mark Lam.
944
945         This patch converts the public-to-private-name-map from HashMap<RefPtr<UniquedStringImpl>, SymbolImpl*> to HashSet<String> to save half of the memory.
946         The key is that private names have the same string content as the public names. We can just query the HashSet of
947         private names with the string content, and we get the private names.
948
949         The problem is that we also have a hack inserting string <-> non-private well-known Symbol mappings into this table. These symbols do not have
950         the same content as the public string. So the above assumption is broken.
951
952         To make the above assumption valid, we have a separate small HashMap which holds string <-> non-private well-known Symbol mappings. Since the # of
953         well-known Symbols is only 13, this new HashMap takes at most 512B for entries, which is much smaller compared to the memory saved by
954         converting the HashMap to a HashSet for private names (32KB).
955
956         To allow it, we introduce a new well-known Symbol identifier syntax to builtin JS, which is the "@@iterator" format. If there are two "@", we parse this
957         identifier as a well-known Symbol.
958
959         * builtins/ArrayConstructor.js:
960         (from.wrapper.iterator):
961         (from):
962         (from.wrapper.iteratorSymbol): Deleted.
963         * builtins/ArrayPrototype.js:
964         (globalPrivate.concatSlowPath):
965         (concat):
966         * builtins/BuiltinNames.cpp:
967         (JSC::BuiltinNames::BuiltinNames):
968         (JSC::CharBufferSeacher::hash):
969         (JSC::CharBufferSeacher::equal):
970         (JSC::lookUpPrivateNameImpl):
971         (JSC::lookUpWellKnownSymbolImpl):
972         (JSC::BuiltinNames::lookUpPrivateName const):
973         (JSC::BuiltinNames::lookUpWellKnownSymbol const):
974         * builtins/BuiltinNames.h:
975         (JSC::BuiltinNames::lookUpPrivateName const):
976         (JSC::BuiltinNames::lookUpWellKnownSymbol const):
977         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
978         (JSC::BuiltinNames::appendExternalName):
979         (JSC::BuiltinNames::getPublicName const): Deleted.
980         * builtins/GlobalOperations.js:
981         (globalPrivate.speciesConstructor):
982         * builtins/IteratorHelpers.js:
983         (performIteration):
984         * builtins/StringPrototype.js:
985         (match):
986         (matchAll):
987         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
988         (replaceAll):
989         (search):
990         (split):
991         * builtins/TypedArrayConstructor.js:
992         (from.wrapper.iterator):
993         (from):
994         (from.wrapper.iteratorSymbol): Deleted.
995         * builtins/TypedArrayPrototype.js:
996         (globalPrivate.typedArraySpeciesConstructor):
997         (map):
998         (filter):
999         * bytecompiler/NodesCodegen.cpp:
1000         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1001         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1002         * parser/Lexer.cpp:
1003         (JSC::Lexer<LChar>::parseIdentifier):
1004         (JSC::Lexer<UChar>::parseIdentifier):
1005         * runtime/CachedTypes.cpp:
1006         (JSC::CachedUniquedStringImplBase::encode):
1007         (JSC::CachedUniquedStringImplBase::decode const):
1008         * runtime/CommonIdentifiers.cpp:
1009         (JSC::CommonIdentifiers::CommonIdentifiers):
1010         (JSC::CommonIdentifiers::lookUpPrivateName const): Deleted.
1011         (JSC::CommonIdentifiers::getPublicName const): Deleted.
1012         * runtime/CommonIdentifiers.h:
1013         * tools/JSDollarVM.cpp:
1014         (JSC::functionGetPrivateProperty):
1015
1016 2020-02-28  Saam Barati  <sbarati@apple.com>
1017
1018         Clean up code with how we choose Gigacage sizes and whether or not to use Wasm fast memory
1019         https://bugs.webkit.org/show_bug.cgi?id=208392
1020
1021         Reviewed by Yusuke Suzuki.
1022
1023         * runtime/OptionsList.h:
1024
1025 2020-02-27  Saam Barati  <sbarati@apple.com>
1026
1027         Fix debug arm64 Wasm tests
1028         https://bugs.webkit.org/show_bug.cgi?id=208362
1029
1030         Reviewed by Yusuke Suzuki.
1031
1032         * wasm/WasmAirIRGenerator.cpp:
1033         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
1034
1035         We were assuming that "-1" is a valid imm on arm64, but it's not; we need
1036         to use a big imm.
1037
1038 2020-02-27  Justin Michaud  <justin_michaud@apple.com>
1039
1040         Poly proto should work with property delete transitions
1041         https://bugs.webkit.org/show_bug.cgi?id=208261
1042
1043         Reviewed by Saam Barati.
1044
1045         This patch fixes a bug where the combination of inline caching
1046         and poly proto causes us to cache a setter call along a prototype chain that
1047         is no longer the correct setter to call. This is exposed as a result of
1048         https://bugs.webkit.org/show_bug.cgi?id=206430, since DefineOwnProperty used
1049         to transition to an uncacheable dictionary.
1050
1051         The case looks like this:
1052         A - setter for x redefines x
1053         |
1054         B
1055         |
1056         C
1057
1058         We set (new C).x
1059
1060         Right now, we first call A's setter, then we try to figure out what the state of things
1061         was before it was called in order to cache it. We just assume that A's setter still exists, and we cache it
1062         without ever checking. In this patch, we ensure that the property exists and the attributes match in order to prevent crashing.
1063
1064         In the code, A = target, C = base.
1065
1066         Get is correct because it collects caching information before any calls.
1067
1068         The bug https://bugs.webkit.org/show_bug.cgi?id=208337 tracks the remaining semantic bugs around this code.
1069
1070         * jit/Repatch.cpp:
1071         (JSC::tryCachePutByID):
1072
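The A / B / C diagram in the entry, written out as JavaScript so the sequence of events is concrete. This is an added example, not code from the JSC patch: A's setter for "x" redefines x on A as a plain data property, so after the first assignment there is no setter left on the chain to call, and the constructor is produced by a factory so that each receiver at the single `obj.x = i` site has a different prototype, which is the shape the poly-proto machinery exists for (the factory, the loop and the property names are this example's own assumptions). The returned values are what any correct engine must produce; the entry's bug is that the put-by-id cache assumed the setter was still there without checking.

```javascript
// Added example, not JSC code: the A -> B -> C chain from the entry.
function polyProtoSetterScenario() {
  const A = {
    set x(value) {
      // The setter redefines x on A itself: from here on A.x is a writable
      // data property, and the accessor that is executing no longer exists.
      Object.defineProperty(A, 'x', {
        value, writable: true, enumerable: true, configurable: true,
      });
    },
  };
  const B = Object.create(A);

  // A fresh constructor (and prototype) per call: instances created at the
  // same site below therefore have different prototype chains (poly proto).
  function makeC() {
    function C() {}
    C.prototype = Object.create(B);
    return C;
  }

  const results = [];
  for (let i = 0; i < 3; i++) {
    const obj = new (makeC())();
    obj.x = i;                     // one assignment site, a new prototype chain each time
    results.push({
      ownX: Object.prototype.hasOwnProperty.call(obj, 'x'),
      x: obj.x,
    });
  }

  // Iteration 0 walks C.prototype -> B -> A and runs the setter, which stores
  // 0 on A and removes itself. Iterations 1 and 2 find a writable data
  // property on A instead of a setter, so the assignment creates an own
  // property on the receiver and A.x is left at 0.
  return {
    results,
    aX: A.x,
    aIsDataProperty: 'value' in Object.getOwnPropertyDescriptor(A, 'x'),
  };
}
```

A cache built after the first assignment that says "call A's setter for x" is already wrong for the second assignment; re-validating that the property still exists with the same attributes before caching is the check the patch adds.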
1073 2020-02-27  Basuke Suzuki  <basuke.suzuki@sony.com>
1074
1075         [WinCairo] Fix RemoteInspector reconnect issue
1076         https://bugs.webkit.org/show_bug.cgi?id=208256
1077
1078         Reviewed by Devin Rousso.
1079
1080         Call target's disconnection sequence asynchronously to avoid deadlock.
1081
1082         * inspector/remote/RemoteConnectionToTarget.cpp:
1083         (Inspector::RemoteConnectionToTarget::close):
1084         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
1085         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
1086
1087 2020-02-26  Mark Lam  <mark.lam@apple.com>
1088
1089         Enhance JSObjectGetProperty() to mitigate against null object pointers.
1090         https://bugs.webkit.org/show_bug.cgi?id=208275
1091         <rdar://problem/59826325>
1092
1093         Reviewed by Robin Morisset.
1094
1095         * API/JSObjectRef.cpp:
1096         (JSObjectGetProperty):
1097
1098 2020-02-26  Saam Barati  <sbarati@apple.com>
1099
1100         Make testair pass on arm64
1101         https://bugs.webkit.org/show_bug.cgi?id=208258
1102
1103         Reviewed by Tadeu Zagallo.
1104
1105         testElideMoveThenRealloc and testElideSimpleMove were never tested
1106         on arm64. This patch makes those tests work. 
1107         - testElideMoveThenRealloc was using a BitImm that is invalid on arm64
1108         - testElideSimpleMove was testing for the wrong disassembly
1109
1110         * b3/air/testair.cpp:
1111
1112 2020-02-26  Don Olmstead  <don.olmstead@sony.com>
1113
1114         Allow setting of stack sizes for threads
1115         https://bugs.webkit.org/show_bug.cgi?id=208223
1116
1117         Reviewed by Yusuke Suzuki.
1118
1119         Specify ThreadType at the Thread::create callsite.
1120
1121         * heap/Heap.cpp:
1122         (JSC::Heap::notifyIsSafeToCollect):
1123
1124 2020-02-26  Caio Lima  <ticaiolima@gmail.com>
1125
1126         [JSC][MIPS] Adding support to Checkpoints
1127         https://bugs.webkit.org/show_bug.cgi?id=208196
1128
1129         Reviewed by Yusuke Suzuki.
1130
1131         This patch is adding changes to properly support OSR to
1132         checkpoints on MIPS. It required fixes on the JIT probe and some
1133         adjustment on Offlineasm to correctly generate the `$gp` load when executing
1134         `checkpoint_osr_exit_from_inlined_call_trampoline`.
1135
1136         * assembler/MacroAssemblerMIPS.cpp:
1137
1138         Probe trampoline needs to allocate 16 bytes for 4 arguments to
1139         properly follow C calling conventions. This space is used by callee
1140         when the JSC is compiled with `-O0` flags
1141         (Check "DEFAULT C CALLING CONVENTION (O32)" section on
1142         https://www.mips.com/downloads/mips32-instruction-set-quick-reference-v1-01).
1143
1144         * llint/LowLevelInterpreter.asm:
1145
1146         As we need to do on ARMv7, 64-bit arguments need to be passed in
1147         register pairs `$a1:$a0` or `$a3:$a2` (little-endian mode). Since `$a0`
1148         contains `CallFrame*`, we need to pass `EncodedJSValue` on the `$a3:$a2`
1149         pair.
1150
1151         * offlineasm/mips.rb:
1152
1153         Following the same reason for return locations on OSR to LLInt, we
1154         need to adjust `$gp` using `$ra` instead of `$t9` on
1155         `checkpoint_osr_exit_from_inlined_call_trampoline`, given it is only
1156         reachable through `ret` operations. For detailed explanation, check
1157         ChangeLog of https://trac.webkit.org/changeset/252713.
1158
1159 2020-02-25  Devin Rousso  <drousso@apple.com>
1160
1161         Web Inspector: safari app extension isolated worlds and injected files use the extension's identifier instead of its name
1162         https://bugs.webkit.org/show_bug.cgi?id=206911
1163         <rdar://problem/58026635>
1164
1165         Reviewed by Brian Burg.
1166
1167         * inspector/protocol/Browser.json: Added.
1168         Add a `Browser` agent that can communicate with the inspected page's containing browser. It
1169         lives in the UIProcess alongside the `Target` agent (meaning there should only be one per
1170         debuggable rather than one per target) and as such is not routed through the `Target` agent.
1171
1172         * CMakeLists.txt:
1173         * DerivedSources-input.xcfilelist:
1174         * DerivedSources.make:
1175
1176 2020-02-25  Justin Michaud  <justin_michaud@apple.com>
1177
1178         Inline Cache delete by id/val
1179         https://bugs.webkit.org/show_bug.cgi?id=207522
1180
1181         Reviewed by Keith Miller and Filip Pizlo.
1182
1183         We add inline caching for deleteById/val for baseline only. We also fix a concurrency bug in ICStats used for testing.
1184         We add three new access cases (no inline code is emitted at this time): 
1185         - Delete is a cached delete of an existing property
1186         - DeleteMiss is a delete of a property that does not exist
1187         - DeleteNonConfigurable is a delete of a property that exists, but should not be deleted.
1188         There are no conditions required for these caches, since the structure id must change and the prototype does not matter.
1189         This gives the following microbenchmark results:
1190
1191         delete-property-keeps-cacheable-structure (neutral)
1192         delete-property-inline-cache              definitely 3.9096x faster
1193         delete-property-inline-cache-polymorphic  definitely 1.5239x faster
1194         delete-property-from-prototype-chain      (neutral)
1195
1196         * API/JSCallbackObject.h:
1197         * API/JSCallbackObjectFunctions.h:
1198         (JSC::JSCallbackObject<Parent>::deleteProperty):
1199         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1200         * API/JSObjectRef.cpp:
1201         (JSObjectDeletePropertyForKey):
1202         (JSObjectDeleteProperty):
1203         * CMakeLists.txt:
1204         * JavaScriptCore.xcodeproj/project.pbxproj:
1205         * bytecode/AccessCase.cpp:
1206         (JSC::AccessCase::create):
1207         (JSC::AccessCase::createTransition):
1208         (JSC::AccessCase::createDelete):
1209         (JSC::AccessCase::requiresIdentifierNameMatch const):
1210         (JSC::AccessCase::requiresInt32PropertyCheck const):
1211         (JSC::AccessCase::needsScratchFPR const):
1212         (JSC::AccessCase::forEachDependentCell const):
1213         (JSC::AccessCase::doesCalls const):
1214         (JSC::AccessCase::canReplace const):
1215         (JSC::AccessCase::dump const):
1216         (JSC::AccessCase::propagateTransitions const):
1217         (JSC::AccessCase::generateImpl):
1218         * bytecode/AccessCase.h:
1219         (JSC::AccessCase::structure const):
1220         (JSC::AccessCase::newStructure const):
1221         * bytecode/PolymorphicAccess.cpp:
1222         (WTF::printInternal):
1223         * bytecode/StructureStubInfo.cpp:
1224         (JSC::StructureStubInfo::reset):
1225         * bytecode/StructureStubInfo.h:
1226         * debugger/DebuggerScope.cpp:
1227         (JSC::DebuggerScope::deleteProperty):
1228         * debugger/DebuggerScope.h:
1229         * dfg/DFGFixupPhase.cpp:
1230         (JSC::DFG::FixupPhase::fixupNode):
1231         * dfg/DFGJITCompiler.cpp:
1232         (JSC::DFG::JITCompiler::link):
1233         * dfg/DFGJITCompiler.h:
1234         (JSC::DFG::JITCompiler::addDelById):
1235         (JSC::DFG::JITCompiler::addDelByVal):
1236         * dfg/DFGSpeculativeJIT.cpp:
1237         (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted.
1238         (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted.
1239         * dfg/DFGSpeculativeJIT32_64.cpp:
1240         (JSC::DFG::SpeculativeJIT::compileDeleteById):
1241         (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
1242         * dfg/DFGSpeculativeJIT64.cpp:
1243         (JSC::DFG::SpeculativeJIT::compileDeleteById):
1244         (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
1245         * ftl/FTLLowerDFGToB3.cpp:
1246         (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
1247         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1248         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1249         * jit/ICStats.h:
1250         * jit/JIT.cpp:
1251         (JSC::JIT::privateCompileSlowCases):
1252         (JSC::JIT::link):
1253         * jit/JIT.h:
1254         * jit/JITInlineCacheGenerator.cpp:
1255         (JSC::JITDelByValGenerator::JITDelByValGenerator):
1256         (JSC::JITDelByValGenerator::generateFastPath):
1257         (JSC::JITDelByValGenerator::finalize):
1258         (JSC::JITDelByIdGenerator::JITDelByIdGenerator):
1259         (JSC::JITDelByIdGenerator::generateFastPath):
1260         (JSC::JITDelByIdGenerator::finalize):
1261         * jit/JITInlineCacheGenerator.h:
1262         (JSC::JITDelByValGenerator::JITDelByValGenerator):
1263         (JSC::JITDelByValGenerator::slowPathJump const):
1264         (JSC::JITDelByIdGenerator::JITDelByIdGenerator):
1265         (JSC::JITDelByIdGenerator::slowPathJump const):
1266         * jit/JITOperations.cpp:
1267         * jit/JITOperations.h:
1268         * jit/JITPropertyAccess.cpp:
1269         (JSC::JIT::emit_op_del_by_id):
1270         (JSC::JIT::emitSlow_op_del_by_id):
1271         (JSC::JIT::emit_op_del_by_val):
1272         (JSC::JIT::emitSlow_op_del_by_val):
1273         * jit/JITPropertyAccess32_64.cpp:
1274         (JSC::JIT::emit_op_del_by_id):
1275         (JSC::JIT::emit_op_del_by_val):
1276         (JSC::JIT::emitSlow_op_del_by_val):
1277         (JSC::JIT::emitSlow_op_del_by_id):
1278         * jit/Repatch.cpp:
1279         (JSC::tryCachePutByID):
1280         (JSC::tryCacheDelBy):
1281         (JSC::repatchDelBy):
1282         (JSC::resetPutByID):
1283         (JSC::resetDelBy):
1284         * jit/Repatch.h:
1285         * llint/LLIntSlowPaths.cpp:
1286         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1287         * runtime/CacheableIdentifierInlines.h:
1288         (JSC::CacheableIdentifier::CacheableIdentifier):
1289         * runtime/ClassInfo.h:
1290         * runtime/ClonedArguments.cpp:
1291         (JSC::ClonedArguments::deleteProperty):
1292         * runtime/ClonedArguments.h:
1293         * runtime/CommonSlowPaths.cpp:
1294         (JSC::SLOW_PATH_DECL):
1295         * runtime/DeletePropertySlot.h: Added.
1296         (JSC::DeletePropertySlot::DeletePropertySlot):
1297         (JSC::DeletePropertySlot::setConfigurableMiss):
1298         (JSC::DeletePropertySlot::setNonconfigurable):
1299         (JSC::DeletePropertySlot::setHit):
1300         (JSC::DeletePropertySlot::isCacheableDelete const):
1301         (JSC::DeletePropertySlot::isDeleteHit const):
1302         (JSC::DeletePropertySlot::isConfigurableDeleteMiss const):
1303         (JSC::DeletePropertySlot::isNonconfigurable const):
1304         (JSC::DeletePropertySlot::cachedOffset const):
1305         (JSC::DeletePropertySlot::disableCaching):
1306         (JSC::DeletePropertySlot::isCacheable const):
1307         * runtime/ErrorConstructor.cpp:
1308         (JSC::ErrorConstructor::deleteProperty):
1309         * runtime/ErrorConstructor.h:
1310         * runtime/ErrorInstance.cpp:
1311         (JSC::ErrorInstance::deleteProperty):
1312         * runtime/ErrorInstance.h:
1313         * runtime/GenericArguments.h:
1314         * runtime/GenericArgumentsInlines.h:
1315         (JSC::GenericArguments<Type>::put):
1316         (JSC::GenericArguments<Type>::deleteProperty):
1317         * runtime/GetterSetter.h:
1318         * runtime/JSArray.cpp:
1319         (JSC::JSArray::deleteProperty):
1320         * runtime/JSArray.h:
1321         * runtime/JSCJSValue.h:
1322         * runtime/JSCell.cpp:
1323         (JSC::JSCell::deleteProperty):
1324         * runtime/JSCell.h:
1325         * runtime/JSDataView.cpp:
1326         (JSC::JSDataView::deleteProperty):
1327         * runtime/JSDataView.h:
1328         * runtime/JSFunction.cpp:
1329         (JSC::JSFunction::deleteProperty):
1330         * runtime/JSFunction.h:
1331         * runtime/JSGenericTypedArrayView.h:
1332         * runtime/JSGenericTypedArrayViewInlines.h:
1333         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1334         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1335         * runtime/JSGlobalObject.cpp:
1336         (JSC::JSGlobalObject::addFunction):
1337         * runtime/JSLexicalEnvironment.cpp:
1338         (JSC::JSLexicalEnvironment::deleteProperty):
1339         * runtime/JSLexicalEnvironment.h:
1340         * runtime/JSModuleEnvironment.cpp:
1341         (JSC::JSModuleEnvironment::deleteProperty):
1342         * runtime/JSModuleEnvironment.h:
1343         * runtime/JSModuleNamespaceObject.cpp:
1344         (JSC::JSModuleNamespaceObject::deleteProperty):
1345         * runtime/JSModuleNamespaceObject.h:
1346         * runtime/JSONObject.cpp:
1347         (JSC::Walker::walk):
1348         * runtime/JSObject.cpp:
1349         (JSC::JSObject::deleteProperty):
1350         (JSC::JSObject::deletePropertyByIndex):
1351         (JSC::validateAndApplyPropertyDescriptor):
1352         * runtime/JSObject.h:
1353         * runtime/JSProxy.cpp:
1354         (JSC::JSProxy::deleteProperty):
1355         * runtime/JSProxy.h:
1356         * runtime/JSSymbolTableObject.cpp:
1357         (JSC::JSSymbolTableObject::deleteProperty):
1358         * runtime/JSSymbolTableObject.h:
1359         * runtime/ProxyObject.cpp:
1360         (JSC::ProxyObject::deleteProperty):
1361         * runtime/ProxyObject.h:
1362         * runtime/RegExpObject.cpp:
1363         (JSC::RegExpObject::deleteProperty):
1364         * runtime/RegExpObject.h:
1365         * runtime/StrictEvalActivation.cpp:
1366         (JSC::StrictEvalActivation::deleteProperty):
1367         * runtime/StrictEvalActivation.h:
1368         * runtime/StringObject.cpp:
1369         (JSC::StringObject::deleteProperty):
1370         * runtime/StringObject.h:
1371         * runtime/Structure.cpp:
1372         (JSC::Structure::removePropertyTransition):
1373         (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
1374         (JSC::Structure::removePropertyTransitionFromExistingStructure):
1375         (JSC::Structure::removePropertyTransitionFromExistingStructureConcurrently):
1376         (JSC::Structure::removeNewPropertyTransition):
1377         (JSC::Structure::dump const):
1378         * runtime/Structure.h:
1379         * runtime/StructureInlines.h:
1380         (JSC::Structure::hasIndexingHeader const):
1381         (JSC::Structure::mayHaveIndexingHeader const):
1382         * tools/JSDollarVM.cpp:
1383         (JSC::functionHasOwnLengthProperty):
1384         (JSC::JSDollarVM::finishCreation):
1385
1386 2020-02-24  Yusuke Suzuki  <ysuzuki@apple.com>
1387
1388         [WTF] Attach WARN_UNUSED_RETURN to makeScopeExit and fix existing wrong usage
1389         https://bugs.webkit.org/show_bug.cgi?id=208162
1390
1391         Reviewed by Robin Morisset.
1392
1393         * parser/Parser.cpp:
1394         (JSC::Parser<LexerType>::parseUnaryExpression):
1395
1396 2020-02-24  Keith Miller  <keith_miller@apple.com>
1397
1398         LLInt should fast path for jtrue/false on Symbols and Objects
1399         https://bugs.webkit.org/show_bug.cgi?id=208151
1400
1401         Reviewed by Yusuke Suzuki.
1402
1403         The 64-bit interpreter can fast-path the case where an object or symbol
1404         is passed to a jtrue or jfalse opcode. This is because these values
1405         are always truthy.
1406
1407         Also, fix some weird indentation in LowLevelInterpreter.asm.
1408
1409         * llint/LowLevelInterpreter.asm:
1410         * llint/LowLevelInterpreter32_64.asm:
1411         * llint/LowLevelInterpreter64.asm:
1412         * runtime/JSType.h:
1413
1414 2020-02-24  Caio Lima  <ticaiolima@gmail.com>
1415
1416         [JSC] 32-bits debug build broken after r257212
1417         https://bugs.webkit.org/show_bug.cgi?id=208149
1418
1419         Reviewed by Yusuke Suzuki.
1420
1421         Changing `Structure::setCachedPrototypeChain` to use
1422         `m_cachedPrototypeChainOrRareData.setMayBeNull`, since `chain` may be
1423         null.
1424
1425         * runtime/StructureInlines.h:
1426         (JSC::Structure::setCachedPrototypeChain):
1427
1428 2020-02-24  Yusuke Suzuki  <ysuzuki@apple.com>
1429
1430         Unreviewed, fix watchOS build
1431         https://bugs.webkit.org/show_bug.cgi?id=207827
1432
1433         While watchOS does not use FTL at all, it still compiles.
1434
1435         * ftl/FTLLowerDFGToB3.cpp:
1436         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
1437         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1438         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
1439         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1440         (JSC::FTL::DFG::LowerDFGToB3::loadStructureClassInfo):
1441         (JSC::FTL::DFG::LowerDFGToB3::loadStructureCachedPrototypeChainOrRareData):
1442
1443 2020-02-24  Yusuke Suzuki  <ysuzuki@apple.com>
1444
1445         Unreviewed, build fix for 32bit pointer architectures
1446         https://bugs.webkit.org/show_bug.cgi?id=207827
1447
1448         * runtime/Structure.h:
1449
1450 2020-02-23  Yusuke Suzuki  <ysuzuki@apple.com>
1451
1452         [JSC] Shrink Structure
1453         https://bugs.webkit.org/show_bug.cgi?id=207827
1454
1455         Reviewed by Saam Barati.
1456
1457         This patch shrinks sizeof(Structure) from 112 to 96 (16 bytes) on architectures using 64-bit pointers.
1458         Structure is one of the most frequently allocated JSCells in JSC. So it is worth doing
1459         all sorts of bit hacks to make it as compact as possible.
1460
1461             1. Put outOfLineTypeFlags, maxOffset and transitionOffset into highest bits of m_propertyTableUnsafe,
1462                m_cachedPrototypeChain, m_classInfo, and m_transitionPropertyName. Do not use PackedPtr here since
1463                some of them are concurrently accessed by GC.
1464             2. Put m_inlineCapacity into lower 8 bits of m_propertyHash.
1465             3. Remove m_lock, and use Structure::cellLock() instead.
1466             4. Remove m_cachedPrototypeChain clearing from the concurrent collector since it is dead code; it was old code.
1467                We were setting m_cachedPrototypeChain only if the Structure is for a JSObject. Clearing happened only if it was not
1468                a Structure for a JSObject.
1469             5. The previous Structure is held as StructureID m_previous. And m_previousOrRareData becomes m_cachedPrototypeChainOrRareData.
1470
1471         Many pairs use CompactPointerTuple to keep the code clean.
1472         Combining all of the above techniques saves us 16 bytes.
1473
1474         * bytecode/AccessCase.cpp:
1475         (JSC::AccessCase::create):
1476         (JSC::AccessCase::propagateTransitions const):
1477         * bytecode/AccessCase.h:
1478         (JSC::AccessCase::structure const):
1479         * dfg/DFGSpeculativeJIT.cpp:
1480         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1481         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
1482         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1483         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1484         (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject):
1485         * ftl/FTLAbstractHeapRepository.h:
1486         * ftl/FTLLowerDFGToB3.cpp:
1487         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
1488         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1489         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
1490         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1491         * jit/AssemblyHelpers.h:
1492         (JSC::AssemblyHelpers::emitLoadClassInfoFromStructure):
1493         * jit/JITOpcodes.cpp:
1494         (JSC::JIT::emit_op_create_this):
1495         * jit/JITOpcodes32_64.cpp:
1496         (JSC::JIT::emit_op_create_this):
1497         * jit/Repatch.cpp:
1498         (JSC::tryCachePutByID):
1499         * llint/LLIntSlowPaths.cpp:
1500         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1501         * runtime/ClonedArguments.cpp:
1502         (JSC::ClonedArguments::createStructure):
1503         * runtime/ConcurrentJSLock.h:
1504         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
1505         (JSC::GCSafeConcurrentJSLockerImpl::GCSafeConcurrentJSLockerImpl):
1506         (JSC::GCSafeConcurrentJSLockerImpl::~GCSafeConcurrentJSLockerImpl):
1507         (JSC::ConcurrentJSLockerImpl::ConcurrentJSLockerImpl):
1508         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker): Deleted.
1509         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker): Deleted.
1510         (JSC::ConcurrentJSLocker::ConcurrentJSLocker): Deleted.
1511         * runtime/JSCell.h:
1512         * runtime/JSObject.cpp:
1513         (JSC::JSObject::deleteProperty):
1514         (JSC::JSObject::shiftButterflyAfterFlattening):
1515         * runtime/JSObject.h:
1516         (JSC::JSObject::getDirectConcurrently const):
1517         * runtime/JSObjectInlines.h:
1518         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1519         * runtime/JSType.cpp:
1520         (WTF::printInternal):
1521         * runtime/JSType.h:
1522         * runtime/Structure.cpp:
1523         (JSC::StructureTransitionTable::contains const):
1524         (JSC::StructureTransitionTable::get const):
1525         (JSC::StructureTransitionTable::add):
1526         (JSC::Structure::dumpStatistics):
1527         (JSC::Structure::Structure):
1528         (JSC::Structure::create):
1529         (JSC::Structure::findStructuresAndMapForMaterialization):
1530         (JSC::Structure::materializePropertyTable):
1531         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1532         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1533         (JSC::Structure::addNewPropertyTransition):
1534         (JSC::Structure::removeNewPropertyTransition):
1535         (JSC::Structure::changePrototypeTransition):
1536         (JSC::Structure::attributeChangeTransition):
1537         (JSC::Structure::toDictionaryTransition):
1538         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1539         (JSC::Structure::nonPropertyTransitionSlow):
1540         (JSC::Structure::flattenDictionaryStructure):
1541         (JSC::Structure::pin):
1542         (JSC::Structure::pinForCaching):
1543         (JSC::Structure::allocateRareData):
1544         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1545         (JSC::Structure::copyPropertyTableForPinning):
1546         (JSC::Structure::add):
1547         (JSC::Structure::remove):
1548         (JSC::Structure::visitChildren):
1549         (JSC::Structure::canCachePropertyNameEnumerator const):
1550         * runtime/Structure.h:
1551         * runtime/StructureInlines.h:
1552         (JSC::Structure::get):
1553         (JSC::Structure::ruleOutUnseenProperty const):
1554         (JSC::Structure::seenProperties const):
1555         (JSC::Structure::addPropertyHashAndSeenProperty):
1556         (JSC::Structure::forEachPropertyConcurrently):
1557         (JSC::Structure::transitivelyTransitionedFrom):
1558         (JSC::Structure::cachedPrototypeChain const):
1559         (JSC::Structure::setCachedPrototypeChain):
1560         (JSC::Structure::prototypeChain const):
1561         (JSC::Structure::propertyReplacementWatchpointSet):
1562         (JSC::Structure::checkOffsetConsistency const):
1563         (JSC::Structure::add):
1564         (JSC::Structure::remove):
1565         (JSC::Structure::removePropertyWithoutTransition):
1566         (JSC::Structure::setPropertyTable):
1567         (JSC::Structure::clearPropertyTable):
1568         (JSC::Structure::setOutOfLineTypeFlags):
1569         (JSC::Structure::setInlineCapacity):
1570         (JSC::Structure::setClassInfo):
1571         (JSC::Structure::setPreviousID):
1572         (JSC::Structure::clearPreviousID):
1573         * runtime/StructureRareData.cpp:
1574         (JSC::StructureRareData::createStructure):
1575         (JSC::StructureRareData::create):
1576         (JSC::StructureRareData::StructureRareData):
1577         (JSC::StructureRareData::visitChildren):
1578         * runtime/StructureRareData.h:
1579         * runtime/StructureRareDataInlines.h:
1580         (JSC::StructureRareData::setCachedPrototypeChain):
1581         (JSC::StructureRareData::setPreviousID): Deleted.
1582         (JSC::StructureRareData::clearPreviousID): Deleted.
1583         * tools/JSDollarVM.cpp:
1584         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
1585         * wasm/js/WebAssemblyFunction.cpp:
1586         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1587
1588 2020-02-20  Mark Lam  <mark.lam@apple.com>
1589
1590         Make support for bytecode caching more robust against file corruption.
1591         https://bugs.webkit.org/show_bug.cgi?id=207972
1592         <rdar://problem/59260595>
1593
1594         Reviewed by Yusuke Suzuki.
1595
1596         If a bytecode cache file is corrupted, we currently will always crash every time
1597         we try to read it (in perpetuity as long as the corrupted cache file continues to
1598         exist on disk).  To guard against this, we'll harden the bytecode caching mechanism
1599         as follows:
1600
1601         1. Modify the writeCache operation to always write the cache file in a transactional
1602            manner, i.e. we'll first write to a .tmp file, and then rename the .tmp file to
1603            the cache file only if the entire file has been written completely.
1604
1605            This ensures that we won't get corrupted cache files due to interrupted writes.
1606
1607         2. Modify the writeCache operation to also compute a SHA1 hash of the cache file
1608            and append the hash at the end of the file.  Modify the readCache operation to
1609            first authenticate the SHA1 hash before allowing the cache file to be used.
1610            If the hash does not match, the file is bad, and we'll just delete it.
1611
1612            This ensures that we won't be crashing while decoding a corrupted cache file.
1613
1614         Manually tested with the following scenarios and ensuring that the client recovers
1615         with no crashes:
1616
1617         1. no cache file on disk.
1618         2. a 0-sized cache file on disk.
1619         3. a truncated cache file on disk.
1620         4. a corrupted cache file on disk.
1621         5. an uncorrupted cache file on disk.
1622
1623         Also added some static_asserts in CachedTypes.cpp to document some invariants that
1624         the pre-existing code is dependent on.
1625
1626         * API/JSScript.mm:
1627         (-[JSScript readCache]):
1628         (-[JSScript writeCache:]):
1629         * runtime/CachedTypes.cpp:
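
The two hardening steps in the entry above, written out as an added stand-alone C++ illustration (this is not JavaScriptCore's code and none of the names below exist in the project): the cache is written to a .tmp sibling and renamed into place, and an integrity trailer is appended on write and verified before any decoding happens. The project uses SHA1; this version substitutes 64-bit FNV-1a so it needs no crypto library, which does not change the property being demonstrated, since neither hash is keyed.

```cpp
// Added illustration, not JavaScriptCore code: transactional cache write plus
// an integrity trailer that is verified before the payload is trusted. The
// project uses SHA1; 64-bit FNV-1a stands in here so no crypto library is needed.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// 64-bit FNV-1a as a stand-in for SHA1. Neither is keyed, so the trailer
// catches corruption and truncation, not an attacker who can write the file.
uint64_t digest(const uint8_t* data, size_t length)
{
    uint64_t hash = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < length; ++i) {
        hash ^= data[i];
        hash *= 0x100000001b3ULL;
    }
    return hash;
}

constexpr size_t trailerSize = sizeof(uint64_t);

// On-disk layout: payload followed by its little-endian digest.
Bytes encodeWithTrailer(const Bytes& payload)
{
    Bytes out(payload);
    uint64_t hash = digest(payload.data(), payload.size());
    for (size_t i = 0; i < trailerSize; ++i)
        out.push_back(static_cast<uint8_t>(hash >> (8 * i)));
    return out;
}

// Verify the trailer before decoding anything. Rejects zero-sized,
// truncated and corrupted input with nullopt.
std::optional<Bytes> decodeWithTrailer(const Bytes& file)
{
    if (file.size() < trailerSize)
        return std::nullopt;
    size_t payloadSize = file.size() - trailerSize;
    uint64_t stored = 0;
    for (size_t i = 0; i < trailerSize; ++i)
        stored |= static_cast<uint64_t>(file[payloadSize + i]) << (8 * i);
    if (stored != digest(file.data(), payloadSize))
        return std::nullopt;
    return Bytes(file.begin(), file.begin() + payloadSize);
}

bool writeAll(const std::string& path, const Bytes& bytes)
{
    FILE* f = std::fopen(path.c_str(), "wb");
    if (!f)
        return false;
    bool ok = std::fwrite(bytes.data(), 1, bytes.size(), f) == bytes.size();
    return (std::fclose(f) == 0) && ok;
}

std::optional<Bytes> readAll(const std::string& path)
{
    FILE* f = std::fopen(path.c_str(), "rb");
    if (!f)
        return std::nullopt;
    Bytes bytes;
    uint8_t buffer[4096];
    size_t n;
    while ((n = std::fread(buffer, 1, sizeof(buffer), f)) > 0)
        bytes.insert(bytes.end(), buffer, buffer + n);
    std::fclose(f);
    return bytes;
}

// Transactional write: the real path only ever receives a complete file,
// because the rename happens after the .tmp file is fully written and closed.
bool writeCache(const std::string& path, const Bytes& payload)
{
    std::string tmpPath = path + ".tmp";
    bool ok = writeAll(tmpPath, encodeWithTrailer(payload))
        && std::rename(tmpPath.c_str(), path.c_str()) == 0;
    if (!ok)
        std::remove(tmpPath.c_str());
    return ok;
}

// Read and authenticate. A file that fails the check is deleted so the next
// run rebuilds the cache instead of crashing on the same bytes again.
std::optional<Bytes> readCache(const std::string& path)
{
    std::optional<Bytes> file = readAll(path);
    if (!file)
        return std::nullopt;
    std::optional<Bytes> payload = decodeWithTrailer(*file);
    if (!payload)
        std::remove(path.c_str());
    return payload;
}
```

Two caveats a reviewer would raise against this sketch as much as against the real change. std::rename replaces the target atomically on POSIX but fails on Windows when the target exists, and no fsync is issued before the rename, so a power loss can still leave a zero-length or stale file; the trailer check is what makes that survivable. And an unkeyed hash, SHA1 included, only protects against accidental corruption: if the threat model includes an attacker who can write into the cache directory, the trailer needs to be an HMAC or signature under a key the attacker does not hold, and the decoder must still validate every offset it reads, which is what the static_asserts in CachedTypes.cpp start to document.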
1630
1631 2020-02-19  Ross Kirsling  <ross.kirsling@sony.com>
1632
1633         Computed Properties with increment sometimes produces incorrect results
1634         https://bugs.webkit.org/show_bug.cgi?id=170934
1635
1636         Reviewed by Yusuke Suzuki.
1637
1638         When the key and value of a computed property each have side effects, the eval order should be key-before-value.
1639         Not only have we had this backwards, we've also been giving them both the same target register.
1640
1641         * bytecompiler/NodesCodegen.cpp:
1642         (JSC::PropertyListNode::emitPutConstantProperty):
1643
1644 2020-02-19  Keith Miller  <keith_miller@apple.com>
1645
1646         Disable Wasm reference types by default
1647         https://bugs.webkit.org/show_bug.cgi?id=207952
1648
1649         Reviewed by Mark Lam.
1650
1651         * runtime/OptionsList.h:
1652
1653 2020-02-19  Stephan Szabo  <stephan.szabo@sony.com>
1654
1655         [PlayStation] Get jsc test wrappers using find_package
1656         https://bugs.webkit.org/show_bug.cgi?id=207914
1657
1658         Reviewed by Ross Kirsling.
1659
1660         * shell/PlatformPlayStation.cmake:
1661
1662 2020-02-18  Keith Miller  <keith_miller@apple.com>
1663
1664         Add an os_log PrintStream
1665         https://bugs.webkit.org/show_bug.cgi?id=207898
1666
1667         Reviewed by Mark Lam.
1668
1669         Add jsc option to write dataLogs to os_log.
1670
1671         * runtime/Options.cpp:
1672         (JSC::Options::initialize):
1673         * runtime/OptionsList.h:
1674
1675 2020-02-18  Paulo Matos  <pmatos@igalia.com>
1676
1677         Fix order (in MIPS) under which CS-registers are saved/restored
1678         https://bugs.webkit.org/show_bug.cgi?id=207752
1679
1680         Reviewed by Keith Miller.
1681
1682         This has been causing several segfaults on MIPS with JIT enabled
1683         because during an OSR to baseline, the order in which LLInt was
1684         saving the registers was not in sync with the way baseline was
1685         restoring them.
1686
1687         * llint/LowLevelInterpreter.asm:
1688
1689 2020-02-18  Ross Kirsling  <ross.kirsling@sony.com>
1690
1691         [JSC] Computed function properties compute their keys twice
1692         https://bugs.webkit.org/show_bug.cgi?id=207297
1693
1694         Reviewed by Keith Miller.
1695
1696         If a pseudo-String is used as the key of a computed function property,
1697         any side effects from resolving the string value occur in duplicate.
1698
1699         The cause has two parts:
1700           - We aren't ensuring that the string value is resolved before doing SetFunctionName and PutByVal.
1701           - Our implementation of SetFunctionName (https://tc39.es/ecma262/#sec-setfunctionname)
1702             calls toString on a non-symbol argument, instead of assuming the type is a string.
1703
1704         * bytecompiler/BytecodeGenerator.cpp:
1705         (JSC::BytecodeGenerator::shouldSetFunctionName): Added.
1706         (JSC::BytecodeGenerator::emitSetFunctionName): Added.
1707         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeededImpl): Deleted.
1708         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded): Deleted.
1709         * bytecompiler/BytecodeGenerator.h:
1710         Split the "if needed" logic out into its own function.
1711
1712         * bytecompiler/NodesCodegen.cpp:
1713         (JSC::PropertyListNode::emitBytecode):
1714         (JSC::PropertyListNode::emitPutConstantProperty):
1715         (JSC::DefineFieldNode::emitBytecode):
1716         Never emit OpSetFunctionName for a name of unknown type.
1717         (But also, don't perform a needless ToPropertyKey for non-function computed property keys.)
1718
1719         * runtime/JSFunction.cpp:
1720         (JSC::JSFunction::setFunctionName):
1721         Don't call toString, assert isString.
1722
1723 2020-02-17  Yusuke Suzuki  <ysuzuki@apple.com>
1724
1725         [JSC] JITThunk should be HashSet<Weak<NativeExecutable>> with appropriate GC weakness handling
1726         https://bugs.webkit.org/show_bug.cgi?id=207715
1727
1728         Reviewed by Darin Adler.
1729
1730         This patch refines JITThunks' GC-aware Weak hash map for NativeExecutable. Previously, we had a
1731         HashMap<std::tuple<TaggedNativeFunction, TaggedNativeFunction, String>, Weak<NativeExecutable>> table.
1732         But this is not good because the first tuple's information is already in NativeExecutable.
1733         But we were using this design since Weak<NativeExecutable> can be nullified because of Weak<>. If this
1734         happens, we could have an invalid Entry in the HashMap which does not have corresponding values. This will
1735         cause a crash when rehashing requires the hash code for this entry.
1736
1737         But this HashMap is very bad in terms of memory usage. Each entry has 32 bytes, and this table gets quite
1738         large. We identified that this table is consuming much memory in Membuster. So it is worth designing a
1739         carefully crafted data structure which only holds Weak<NativeExecutable> by leveraging the deep interaction
1740         with our GC implementation.
1741
1742         This patch implements a new design of JITThunks, which uses HashSet<Weak<NativeExecutable>> and carefully crafted
1743         HashTraits / KeyTraits to handle Weak<> well.
1744
1745         1. Each Weak should have a finalizer, and this finalizer should remove the dead Weak<NativeExecutable> from the HashSet.
1746
1747             This ensures that every key in the HashSet, even if Weak<> says it is dead, still has a way
1748             to access the content of the NativeExecutable if the content is not a JS object. For example, we can get the function
1749             pointer from a dead Weak<NativeExecutable> if it is not yet finalized. Since we remove all finalized Weak<>
1750             from the table, this finalizer mechanism allows us to access function pointers etc. from a Weak<NativeExecutable>
1751             so long as it is held in this table.
1752
1753         2. Getting NativeExecutable* from JITThunks should follow a special protocol.
1754
1755             When getting NativeExecutable* from JITThunks, we do the following:
1756
1757             1. First, we check whether we have an Entry in JITThunks. If it does not exist, we should insert it anyway.
1758                 1.1. If it exists, we should check whether this Weak<NativeExecutable> is dead or not. It is possible that
1759                      a dead one is still in the table because "dead" does not mean that it is "finalized". Until finalizing happens (and
1760                      it can be delayed by the incremental sweeper), Weak<NativeExecutable> can be dead but still accessible. So the table
1761                      is still holding the dead one. If we get a dead one, we should insert a new one.
1762                 1.2. If it is not dead, we return it.
1763             2. Second, we create a new NativeExecutable and insert it. In that case, it is possible that the table already has a Weak<NativeExecutable>,
1764                but it is dead. In that case, we need to explicitly replace it with the newly created one since the old one is holding the old content. If we
1765                replace it, the finalizer of the old Weak<> will not be invoked since replacing it immediately deallocates the Weak<>. So it does not happen that this newly
1766                inserted NativeExecutable* is removed by the finalizer registered by the old Weak<>.
1767
1768         This change reduces the memory usage of the JITThunks table to 1/4.
1769
1770         * heap/Weak.cpp:
1771         (JSC::weakClearSlowCase):
1772         * heap/Weak.h:
1773         (JSC::Weak::Weak):
1774         (JSC::Weak::isHashTableEmptyValue const):
1775         (JSC::Weak::unsafeImpl const):
1776         (WTF::HashTraits<JSC::Weak<T>>::isEmptyValue):
1777         * heap/WeakInlines.h:
1778         (JSC::Weak<T>::Weak):
1779         * jit/JITThunks.cpp:
1780         (JSC::JITThunks::JITThunks):
1781         (JSC::JITThunks::WeakNativeExecutableHash::hash):
1782         (JSC::JITThunks::WeakNativeExecutableHash::equal):
1783         (JSC::JITThunks::HostKeySearcher::hash):
1784         (JSC::JITThunks::HostKeySearcher::equal):
1785         (JSC::JITThunks::NativeExecutableTranslator::hash):
1786         (JSC::JITThunks::NativeExecutableTranslator::equal):
1787         (JSC::JITThunks::NativeExecutableTranslator::translate):
1788         (JSC::JITThunks::finalize):
1789         (JSC::JITThunks::hostFunctionStub):
1790         (JSC::JITThunks::clearHostFunctionStubs): Deleted.
1791         * jit/JITThunks.h:
1792         * runtime/NativeExecutable.h:
1793         * tools/JSDollarVM.cpp:
1794         (JSC::functionGCSweepAsynchronously):
1795         (JSC::functionCreateEmptyFunctionWithName):
1796         (JSC::JSDollarVM::finishCreation):
1797
1798 2020-02-17  Tadeu Zagallo  <tzagallo@apple.com>
1799
1800         [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
1801         https://bugs.webkit.org/show_bug.cgi?id=207849
1802
1803         Reviewed by Mark Lam.
1804
1805         When generating the call IC, we should select the callee saves using BoundsChecking mode in order
1806         to obey the calling conventions described in r256665. Currently, we won't restore the memory size
1807         register when calling the Wasm LLInt through the call IC.
1808
1809         * wasm/js/WebAssemblyFunction.cpp:
1810         (JSC::WebAssemblyFunction::calleeSaves const):
1811
1812 2020-02-17  Per Arne Vollan  <pvollan@apple.com>
1813
1814         Mach lookup to com.apple.webinspector should not be allowed in WebKit's WebContent process
1815         https://bugs.webkit.org/show_bug.cgi?id=203214
1816
1817         Reviewed by Brent Fulgham.
1818
1819         Add static flag in RemoteInspector to indicate whether a sandbox extension is needed. The remote inspector will only be
1820         started if the sandbox extension is not needed. Only the WebContent process will need a sandbox extension, since this
1821         patch removes mach access to 'com.apple.webinspector' for this process. Also add name and domain for the
1822         'Enable Remote Inspector' setting, since this will be used in the UI process.
1823
1824         * inspector/remote/RemoteInspector.cpp:
1825         * inspector/remote/RemoteInspector.h:
1826         * inspector/remote/RemoteInspectorConstants.h:
1827         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1828         (Inspector::RemoteInspector::singleton):
1829
1830 2020-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
1831
1832         Remove remaining WTF_EXPORT and WTF_IMPORT by replacing them with WTF_EXPORT_DECLARATION and WTF_IMPORT_DECLARATION
1833         https://bugs.webkit.org/show_bug.cgi?id=207746
1834
1835         Reviewed by Don Olmstead.
1836
1837         * runtime/JSExportMacros.h:
1838
1839 2020-02-16  Paulo Matos  <pmatos@igalia.com>
1840
1841         Remove nonArgGPR1 for ARMv7 and ARM64 (unused)
1842         https://bugs.webkit.org/show_bug.cgi?id=207753
1843
1844         Reviewed by Darin Adler.
1845
1846         Cleanup commit - nonArgGPR1 is unused for both ARMv7
1847         and ARM64.
1848
1849         * jit/GPRInfo.h:
1850
1851 2020-02-14  Tadeu Zagallo  <tzagallo@apple.com> and Michael Saboff  <msaboff@apple.com>
1852
1853         [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
1854         https://bugs.webkit.org/show_bug.cgi?id=207727
1855
1856         Reviewed by Mark Lam.
1857
1858         The Wasm JIT has unusual calling conventions, which were further complicated by the addition
1859         of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
1860         saving and restoring the callee save registers used for the memory base and size). Here's a summary
1861         of the calling convention:
1862
1863         - When entering Wasm from JS, the wrapper must:
1864             - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this
1865               patch we only preserved the base in Signaling mode)
1866             - Preserve the memory base in either mode, and the size for BoundsChecking.
1867         - Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB
1868           and wasmInstance, but must *not* preserve memoryBase and memorySize.
1869         - Changes to memoryBase and memorySize are visible to the caller. This means that:
1870             - Intra-module calls can assume these registers are up-to-date even if the memory was
1871               resized. The only exception here is if the LLInt calls a signaling JIT, in which case
1872               the JIT will not update the size register, since it won't be using it.
1873             - Inter-module and JS calls require the caller to reload these registers. These calls may
1874               result in memory changes (e.g. the callee may call memory.grow).
1875             - A Signaling JIT caller must be aware that the LLInt may trash the size register, since
1876               it always bounds checks.
1877
1878         * llint/WebAssembly.asm:
1879         * wasm/WasmAirIRGenerator.cpp:
1880         (JSC::Wasm::AirIRGenerator::addCall):
1881         * wasm/WasmB3IRGenerator.cpp:
1882         (JSC::Wasm::B3IRGenerator::addCall):
1883         * wasm/WasmCallee.cpp:
1884         (JSC::Wasm::LLIntCallee::calleeSaveRegisters):
1885         * wasm/WasmCallingConvention.h:
1886         * wasm/WasmLLIntPlan.cpp:
1887         (JSC::Wasm::LLIntPlan::didCompleteCompilation):
1888         * wasm/WasmMemoryInformation.cpp:
1889         (JSC::Wasm::PinnedRegisterInfo::get):
1890         (JSC::Wasm::getPinnedRegisters): Deleted.
1891
1892 2020-02-13  Stephan Szabo  <stephan.szabo@sony.com>
1893
1894         [PlayStation] Make special udis86 C file handling only happen for Visual Studio
1895         https://bugs.webkit.org/show_bug.cgi?id=207729
1896
1897         Reviewed by Don Olmstead.
1898
1899         * PlatformPlayStation.cmake:
1900
1901 2020-02-13  Caio Lima  <ticaiolima@gmail.com>
1902
1903         [ESNext][BigInt] We don't support BigInt literal as PropertyName
1904         https://bugs.webkit.org/show_bug.cgi?id=206888
1905
1906         Reviewed by Ross Kirsling.
1907
1908         According to the spec (https://tc39.es/ecma262/#prod-PropertyName),
1909         BigInt literals are valid property names. Given that, we should not
1910         throw a SyntaxError when using BigInt literals in destructuring
1911         patterns, method declarations, object literals, etc.
1912         This patch adds BigInt literals as valid syntax for PropertyName.
1913
1914         * parser/Parser.cpp:
1915         (JSC::Parser<LexerType>::parseDestructuringPattern):
1916         (JSC::Parser<LexerType>::parseClass):
1917         (JSC::Parser<LexerType>::parseInstanceFieldInitializerSourceElements):
1918         (JSC::Parser<LexerType>::parseProperty):
1919         (JSC::Parser<LexerType>::parseGetterSetter):
1920         * parser/ParserArena.cpp:
1921         (JSC::IdentifierArena::makeBigIntDecimalIdentifier):
1922         * parser/ParserArena.h:
1923
1924 2020-02-12  Mark Lam  <mark.lam@apple.com>
1925
1926         Add options for debugging WASM code.
1927         https://bugs.webkit.org/show_bug.cgi?id=207677
1928         <rdar://problem/59411390>
1929
1930         Reviewed by Yusuke Suzuki.
1931
1932         Specifically ...
1933
1934             JSC_useBBQJIT                            - allows the BBQ JIT to be used if true
1935             JSC_useOMGJIT                            - allows the OMG JIT to be used if true
1936             JSC_useWasmLLIntPrologueOSR              - allows prologue OSR from Wasm LLInt if true
1937             JSC_useWasmLLIntLoopOSR                  - allows loop OSR from Wasm LLInt if true
1938             JSC_useWasmLLIntEpilogueOSR              - allows epilogue OSR from Wasm LLInt if true
1939             JSC_wasmFunctionIndexRangeToCompile=N:M  - wasm function index range to allow compilation on, e.g. 1:100
1940
1941         * JavaScriptCore.xcodeproj/project.pbxproj:
1942         * runtime/Options.cpp:
1943         (JSC::Options::ensureOptionsAreCoherent):
1944         * runtime/OptionsList.h:
1945         * wasm/WasmBBQPlan.cpp:
1946         (JSC::Wasm::BBQPlan::BBQPlan):
1947         * wasm/WasmOMGForOSREntryPlan.cpp:
1948         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
1949         * wasm/WasmOMGPlan.cpp:
1950         (JSC::Wasm::OMGPlan::OMGPlan):
1951         * wasm/WasmOperations.cpp:
1952         (JSC::Wasm::shouldJIT):
1953         (JSC::Wasm::operationWasmTriggerOSREntryNow):
1954         (JSC::Wasm::operationWasmTriggerTierUpNow):
1955         * wasm/WasmSlowPaths.cpp:
1956         (JSC::LLInt::shouldJIT):
1957         (JSC::LLInt::WASM_SLOW_PATH_DECL):
1958
1959 2020-02-12  Yusuke Suzuki  <ysuzuki@apple.com>
1960
1961         [JSC] Compact JITCodeMap by storing BytecodeIndex and CodeLocation separately
1962         https://bugs.webkit.org/show_bug.cgi?id=207673
1963
1964         Reviewed by Mark Lam.
1965
1966         While BytecodeIndex is 4 bytes, CodeLocation is 8 bytes. So the tuple of them, "JITCodeMap::Entry",
1967         becomes 16 bytes because it adds 4 bytes of padding. We should store BytecodeIndex and CodeLocation separately
1968         to avoid this padding.
1969
1970         This patch introduces JITCodeMapBuilder. We use this to build the JITCodeMap data structure as an immutable final result.
1971
1972         * jit/JIT.cpp:
1973         (JSC::JIT::link):
1974         * jit/JITCodeMap.h:
1975         (JSC::JITCodeMap::JITCodeMap):
1976         (JSC::JITCodeMap::find const):
1977         (JSC::JITCodeMap::operator bool const):
1978         (JSC::JITCodeMap::codeLocations const):
1979         (JSC::JITCodeMap::indexes const):
1980         (JSC::JITCodeMapBuilder::append):
1981         (JSC::JITCodeMapBuilder::finalize):
1982         (JSC::JITCodeMap::Entry::Entry): Deleted.
1983         (JSC::JITCodeMap::Entry::bytecodeIndex const): Deleted.
1984         (JSC::JITCodeMap::Entry::codeLocation): Deleted.
1985         (JSC::JITCodeMap::append): Deleted.
1986         (JSC::JITCodeMap::finish): Deleted.
1987
1988 2020-02-12  Pavel Feldman  <pavel.feldman@gmail.com>
1989
1990         Web Inspector: encode binary web socket frames using base64
1991         https://bugs.webkit.org/show_bug.cgi?id=207448
1992         
1993         The previous representation of binary frames was lossy, using fromUTF8WithLatin1Fallback;
1994         this patch consistently encodes binary data using base64.
1995
1996         Reviewed by Timothy Hatcher.
1997
1998         * inspector/protocol/Network.json:
1999
2000 2020-02-12  Simon Fraser  <simon.fraser@apple.com>
2001
2002         Remove CSS_DEVICE_ADAPTATION
2003         https://bugs.webkit.org/show_bug.cgi?id=203479
2004
2005         Reviewed by Tim Horton.
2006
2007         CSS Working Group resolved to remove @viewport <https://github.com/w3c/csswg-drafts/issues/4766>,
2008         so remove the code.
2009
2010         * Configurations/FeatureDefines.xcconfig:
2011
2012 2020-02-12  Yusuke Suzuki  <ysuzuki@apple.com>
2013
2014         [JSC] Compact StructureTransitionTable
2015         https://bugs.webkit.org/show_bug.cgi?id=207616
2016
2017         Reviewed by Mark Lam.
2018
2019         Some StructureTransitionTables show up as very large HashMaps, and we can compact them by encoding the key.
2020         We leverage 48-bit pointers and the 8-byte alignment of UniquedStringImpl* to encode the other parameters into it.
2021
2022         * runtime/Structure.cpp:
2023         (JSC::StructureTransitionTable::contains const):
2024         (JSC::StructureTransitionTable::get const):
2025         (JSC::StructureTransitionTable::add):
2026         * runtime/Structure.h:
2027         * runtime/StructureTransitionTable.h:
2028         (JSC::StructureTransitionTable::Hash::Key::Key):
2029         (JSC::StructureTransitionTable::Hash::Key::isHashTableDeletedValue const):
2030         (JSC::StructureTransitionTable::Hash::Key::impl const):
2031         (JSC::StructureTransitionTable::Hash::Key::isAddition const):
2032         (JSC::StructureTransitionTable::Hash::Key::attributes const):
2033         (JSC::StructureTransitionTable::Hash::Key::operator==):
2034         (JSC::StructureTransitionTable::Hash::Key::operator!=):
2035         (JSC::StructureTransitionTable::Hash::hash):
2036         (JSC::StructureTransitionTable::Hash::equal):
2037
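The packing described above, as an added example that is not JavaScriptCore's code: a 64-bit key that keeps the pointer in bits 0..47, an isAddition flag in the low bit that 8-byte alignment leaves free, and a 16-bit attributes value in bits 48..63. The bit layout, the Key name and the sampleImpl object are assumptions for illustration; JSC's real StructureTransitionTable::Hash::Key may lay the bits out differently. The asserts in the constructor are the point: the encoding is only sound while every pointer fits in 48 bits and is aligned, and a violation would silently produce a key that decodes to a different pointer.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Added example, not JavaScriptCore code: pack a pointer plus two small
// parameters into one 64-bit word. Assumptions: user-space pointers on the
// target use at most 48 significant bits and the pointee is 8-byte aligned,
// so bits 0-2 and 48-63 are free for payload.
struct Key {
    static constexpr unsigned pointerBits = 48;
    static constexpr uint64_t pointerMask = (uint64_t(1) << pointerBits) - 1; // bits 0..47
    static constexpr uint64_t alignmentMask = 0x7;                            // bits 0..2, free for 8-byte aligned pointers
    static constexpr uint64_t isAdditionBit = uint64_t(1) << 0;
    static constexpr unsigned attributesShift = pointerBits;
    static constexpr uint64_t attributesMask = uint64_t(0xffff) << attributesShift; // bits 48..63

    uint64_t bits = 0;

    Key() = default;
    Key(const void* pointer, bool addition, uint16_t attrs)
    {
        uint64_t p = reinterpret_cast<uintptr_t>(pointer);
        // These invariants are what the encoding depends on; violating them
        // would corrupt the key without any error.
        assert((p & alignmentMask) == 0 && "pointer must be 8-byte aligned");
        assert((p & ~pointerMask) == 0 && "pointer must fit in 48 bits");
        bits = p | (addition ? isAdditionBit : 0) | (uint64_t(attrs) << attributesShift);
    }

    const void* impl() const { return reinterpret_cast<const void*>(bits & pointerMask & ~alignmentMask); }
    bool isAddition() const { return bits & isAdditionBit; }
    uint16_t attributes() const { return uint16_t((bits & attributesMask) >> attributesShift); }

    bool operator==(const Key& other) const { return bits == other.bits; }
    bool operator!=(const Key& other) const { return bits != other.bits; }
};

// Constructed stand-in for a UniquedStringImpl; a uint64_t is 8-byte aligned.
static const uint64_t sampleImpl = 0;

// True if every field decodes to what was encoded.
bool roundTrips(bool addition, uint16_t attrs)
{
    Key key(&sampleImpl, addition, attrs);
    return key.impl() == &sampleImpl && key.isAddition() == addition && key.attributes() == attrs;
}

// Keys over the same impl but different parameters must not compare equal,
// otherwise the transition table would hand back the wrong Structure.
bool distinguishesParameters()
{
    Key add(&sampleImpl, true, 0);
    Key removal(&sampleImpl, false, 0);
    Key addReadOnly(&sampleImpl, true, 1);
    return add != removal && add != addReadOnly && add == Key(&sampleImpl, true, 0);
}
```

Two caveats a practitioner should keep in mind: the 48-bit assumption does not hold on systems that use 57-bit linear addresses, and on arm64e the upper bits of a pointer may carry a pointer-authentication code, so any such packing needs to be revisited per platform rather than copied.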
2038 2020-02-12  Yusuke Suzuki  <ysuzuki@apple.com>
2039
2040         [JSC] Make RegExpCache small
2041         https://bugs.webkit.org/show_bug.cgi?id=207619
2042
2043         Reviewed by Mark Lam.
2044
2045         We can compact RegExpKey by using PackedRefPtr, so that we can shrink the memory consumption of RegExpCache.
2046
2047         * runtime/RegExpKey.h:
2048
2049 2020-02-10  Mark Lam  <mark.lam@apple.com>
2050
2051         Placate exception check validator in GenericArguments<Type>::put().
2052         https://bugs.webkit.org/show_bug.cgi?id=207485
2053         <rdar://problem/59302535>
2054
2055         Reviewed by Robin Morisset.
2056
2057         * runtime/GenericArgumentsInlines.h:
2058         (JSC::GenericArguments<Type>::put):
2059
2060 2020-02-10  Mark Lam  <mark.lam@apple.com>
2061
2062         Missing exception check in GenericArguments<Type>::deletePropertyByIndex().
2063         https://bugs.webkit.org/show_bug.cgi?id=207483
2064         <rdar://problem/59302616>
2065
2066         Reviewed by Yusuke Suzuki.
2067
2068         * runtime/GenericArgumentsInlines.h:
2069         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2070
2071 2020-02-10  Truitt Savell  <tsavell@apple.com>
2072
2073         Unreviewed, rolling out r256091.
2074
2075         Broke internal builds
2076
2077         Reverted changeset:
2078
2079         "Move trivial definitions from FeatureDefines.xcconfig to
2080         PlatformEnableCocoa.h"
2081         https://bugs.webkit.org/show_bug.cgi?id=207155
2082         https://trac.webkit.org/changeset/256091
2083
2084 2020-02-10  Truitt Savell  <tsavell@apple.com>
2085
2086         Unreviewed, rolling out r256103.
2087
2088         This patch is blocking the rollout of r256091
2089
2090         Reverted changeset:
2091
2092         "Move JavaScriptCore related feature defines from
2093         FeatureDefines.xcconfig to PlatformEnableCocoa.h"
2094         https://bugs.webkit.org/show_bug.cgi?id=207436
2095         https://trac.webkit.org/changeset/256103
2096
2097 2020-02-09  Keith Rollin  <krollin@apple.com>
2098
2099         Re-enable LTO for ARM builds
2100         https://bugs.webkit.org/show_bug.cgi?id=207402
2101         <rdar://problem/49190767>
2102
2103         Reviewed by Sam Weinig.
2104
2105         Bug 190758 re-enabled LTO for Production builds for x86-family CPUs.
2106         Enabling it for ARM was left out due to a compiler issue. That issue
2107         has been fixed, and so now we can re-enable LTO for ARM.
2108
2109         * Configurations/Base.xcconfig:
2110
2111 2020-02-08  Sam Weinig  <weinig@apple.com>
2112
2113         Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h
2114         https://bugs.webkit.org/show_bug.cgi?id=207436
2115
2116         Reviewed by Tim Horton.
2117
2118         * Configurations/FeatureDefines.xcconfig:
2119         Remove ENABLE_FAST_JIT_PERMISSIONS and ENABLE_FTL_JIT.
2120
2121 2020-02-08  Sam Weinig  <weinig@apple.com>
2122
2123         Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h
2124         https://bugs.webkit.org/show_bug.cgi?id=207155
2125
2126         Reviewed by Tim Horton.
2127         
2128         Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;)
2129         from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one
2130         also has a default value in PlatformEnable.h.
2131
2132         To support the move, DerivedSources.make has been updated to generate the list
2133         of ENABLE_* features directly by preprocessing Platform.h, rather than
2134         just getting the partial list from the xcconfig file.
2135
2136         * Configurations/FeatureDefines.xcconfig:
2137         * DerivedSources.make:
2138
2139 2020-02-07  Robin Morisset  <rmorisset@apple.com>
2140
2141         Throw OutOfMemory exception instead of crashing if DirectArguments/ScopedArguments can't be created
2142         https://bugs.webkit.org/show_bug.cgi?id=207423
2143
2144         Reviewed by Mark Lam.
2145
2146         AllocationFailureMode::Assert is problematic because fuzzers keep producing spurious error reports when they generate code that tries to allocate an infinite amount of memory.
2147         The right approach is to use AllocationFailureMode::ReturnNull, and throw a JS exception upon receiving null.
2148
2149         In this patch I fixed two functions that were using AllocationFailureMode::Assert:
2150             DirectArguments::DirectArguments::overrideThings
2151             GenericArguments<Type>::initModifiedArgumentsDescriptor
2152
2153         No test added, because the only test we have is highly non-deterministic/flaky (only triggers about 10 to 20% of the time even before the fix).
2154
2155         * runtime/DirectArguments.h:
2156         * runtime/GenericArguments.h:
2157         * runtime/GenericArgumentsInlines.h:
2158         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2159         (JSC::GenericArguments<Type>::defineOwnProperty):
2160         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
2161         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
2162         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
2163         * runtime/ScopedArguments.h:
2164
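The two failure modes contrasted above, as an added example that is not JavaScriptCore's code: a hypothetical bounded allocator that either aborts or returns null when a request exceeds its budget, and a caller that turns the null into an exception the script can catch. BoundedAllocator, OutOfMemoryError, ArgumentsDescriptor and the byte budget are all assumptions for illustration; the size-overflow check before the multiplication is the extra step a reviewer would ask for, since an attacker-controlled count that wraps to a small allocation is worse than one that merely fails.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <stdexcept>

// Added example, not JavaScriptCore code.
enum class AllocationFailureMode { Assert, ReturnNull };

struct OutOfMemoryError : std::runtime_error {
    OutOfMemoryError() : std::runtime_error("Out of memory") { }
};

// Hypothetical allocator with a fixed byte budget standing in for the heap.
class BoundedAllocator {
public:
    explicit BoundedAllocator(size_t budget) : m_remaining(budget) { }

    template<AllocationFailureMode mode>
    void* allocate(size_t bytes)
    {
        if (bytes > m_remaining) {
            if (mode == AllocationFailureMode::Assert)
                std::abort(); // a crash: a fuzzer files this as a bug even though the input only asked for too much memory
            return nullptr;   // ReturnNull: let the caller decide
        }
        m_remaining -= bytes;
        return std::calloc(1, bytes);
    }

private:
    size_t m_remaining;
};

struct ArgumentsDescriptor { bool modified[64]; }; // constructed stand-in

// Caller side: a failed allocation becomes a JS-visible exception, never a crash.
// Returns the descriptor array (caller frees it) or throws OutOfMemoryError.
ArgumentsDescriptor* initModifiedArgumentsDescriptor(BoundedAllocator& allocator, size_t count)
{
    // Guard the multiplication: count * sizeof must not wrap to a small size.
    if (count > SIZE_MAX / sizeof(ArgumentsDescriptor))
        throw OutOfMemoryError();
    size_t bytes = sizeof(ArgumentsDescriptor) * count;
    void* memory = allocator.allocate<AllocationFailureMode::ReturnNull>(bytes);
    if (!memory)
        throw OutOfMemoryError();
    return static_cast<ArgumentsDescriptor*>(memory);
}

// True if a request for `count` descriptors against `budget` bytes was turned
// into a catchable OutOfMemoryError; false if it simply succeeded.
bool oversizedRequestThrows(size_t budget, size_t count)
{
    BoundedAllocator allocator(budget);
    try {
        ArgumentsDescriptor* descriptors = initModifiedArgumentsDescriptor(allocator, count);
        std::free(descriptors);
        return false;
    } catch (const OutOfMemoryError&) {
        return true;
    }
}
```

Only the ReturnNull path is exercised by the checks, because the Assert path terminates the process, which is exactly why it is the wrong mode for anything driven by untrusted input.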
2165 2020-02-07  Ryan Haddad  <ryanhaddad@apple.com>
2166
2167         Unreviewed, rolling out r256051.
2168
2169         Broke internal builds.
2170
2171         Reverted changeset:
2172
2173         "Move trivial definitions from FeatureDefines.xcconfig to
2174         PlatformEnableCocoa.h"
2175         https://bugs.webkit.org/show_bug.cgi?id=207155
2176         https://trac.webkit.org/changeset/256051
2177
2178 2020-02-07  Sam Weinig  <weinig@apple.com>
2179
2180         Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h
2181         https://bugs.webkit.org/show_bug.cgi?id=207155
2182
2183         Reviewed by Tim Horton.
2184         
2185         Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;)
2186         from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one
2187         also has a default value in PlatformEnable.h.
2188
2189         To support the move, DerivedSources.make has been updated to generate the list
2190         of ENABLE_* features directly by preprocessing Platform.h, rather than
2191         just getting the partial list from the xcconfig file.
2192
2193         * Configurations/FeatureDefines.xcconfig:
2194         * DerivedSources.make:
2195
2196 2020-02-07  Yusuke Suzuki  <ysuzuki@apple.com>
2197
2198         [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
2199         https://bugs.webkit.org/show_bug.cgi?id=207356
2200
2201         Reviewed by Mark Lam.
2202
2203         Only 32-bit architectures are using m_constantRegisters's address. 64-bit architectures are not relying on m_constantRegisters's address.
2204         This patch fixes this so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
2205         regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd,
2206         since they can add more constant registers.
2207
2208         Relanding it by fixing dead-lock.
2209
2210         * bytecode/CodeBlock.cpp:
2211         (JSC::CodeBlock::shrinkToFit):
2212         * bytecode/CodeBlock.h:
2213         * dfg/DFGJITCompiler.cpp:
2214         (JSC::DFG::JITCompiler::compile):
2215         (JSC::DFG::JITCompiler::compileFunction):
2216         * dfg/DFGJITFinalizer.cpp:
2217         (JSC::DFG::JITFinalizer::finalizeCommon):
2218         * dfg/DFGPlan.cpp:
2219         (JSC::DFG::Plan::compileInThreadImpl):
2220         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2221         * jit/JIT.cpp:
2222         (JSC::JIT::link):
2223         * jit/JIT.h:
2224         * jit/JITInlines.h:
2225         (JSC::JIT::emitLoadDouble):
2226         (JSC::JIT::emitLoadInt32ToDouble): Deleted.
2227
2228 2020-02-06  Robin Morisset  <rmorisset@apple.com>
2229
2230         Most of B3 and Air does not need to include CCallHelpers.h
2231         https://bugs.webkit.org/show_bug.cgi?id=206975
2232
2233         Reviewed by Mark Lam.
2234
2235         They only do so to use CCallHelpers::Jump or CCallHelpers::Label.
2236         But CCallHelpers inherits those from MacroAssembler, and MacroAssembler.h is dramatically cheaper to include (since CCallHelpers includes AssemblyHelpers, which includes CodeBlock.h, which includes roughly the entire runtime).
2237
2238         * b3/B3CheckSpecial.cpp:
2239         * b3/B3CheckSpecial.h:
2240         * b3/B3LowerMacros.cpp:
2241         * b3/B3PatchpointSpecial.cpp:
2242         (JSC::B3::PatchpointSpecial::generate):
2243         * b3/B3PatchpointSpecial.h:
2244         * b3/B3StackmapGenerationParams.cpp:
2245         (JSC::B3::StackmapGenerationParams::successorLabels const):
2246         * b3/B3StackmapGenerationParams.h:
2247         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
2248         * b3/air/AirCCallSpecial.cpp:
2249         * b3/air/AirCCallSpecial.h:
2250         * b3/air/AirCode.cpp:
2251         * b3/air/AirCode.h:
2252         (JSC::B3::Air::Code::entrypointLabel const):
2253         * b3/air/AirCustom.cpp:
2254         (JSC::B3::Air::CCallCustom::generate):
2255         (JSC::B3::Air::ShuffleCustom::generate):
2256         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
2257         * b3/air/AirCustom.h:
2258         (JSC::B3::Air::PatchCustom::generate):
2259         (JSC::B3::Air::EntrySwitchCustom::generate):
2260         * b3/air/AirDisassembler.cpp:
2261         (JSC::B3::Air::Disassembler::addInst):
2262         * b3/air/AirDisassembler.h:
2263         * b3/air/AirGenerationContext.h:
2264         * b3/air/AirInst.h:
2265         * b3/air/AirPrintSpecial.cpp:
2266         (JSC::B3::Air::PrintSpecial::generate):
2267         * b3/air/AirPrintSpecial.h:
2268         * b3/air/AirSpecial.h:
2269         * b3/air/AirValidate.cpp:
2270         * b3/air/opcode_generator.rb:
2271
2272 2020-02-06  Commit Queue  <commit-queue@webkit.org>
2273
2274         Unreviewed, rolling out r255987.
2275         https://bugs.webkit.org/show_bug.cgi?id=207369
2276
2277         JSTests failures (Requested by yusukesuzuki on #webkit).
2278
2279         Reverted changeset:
2280
2281         "[JSC] CodeBlock::shrinkToFit should shrink
2282         m_constantRegisters and m_constantsSourceCodeRepresentation in
2283         64bit architectures"
2284         https://bugs.webkit.org/show_bug.cgi?id=207356
2285         https://trac.webkit.org/changeset/255987
2286
2287 2020-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
2288
2289         [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
2290         https://bugs.webkit.org/show_bug.cgi?id=207356
2291
2292         Reviewed by Mark Lam.
2293
2294         Only 32-bit architectures are using m_constantRegisters's address. 64-bit architectures are not relying on m_constantRegisters's address.
2295         This patch fixes this so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
2296         regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd,
2297         since they can add more constant registers.
2298
2299         * bytecode/CodeBlock.cpp:
2300         (JSC::CodeBlock::shrinkToFit):
2301         * bytecode/CodeBlock.h:
2302         * dfg/DFGJITCompiler.cpp:
2303         (JSC::DFG::JITCompiler::compile):
2304         (JSC::DFG::JITCompiler::compileFunction):
2305         * dfg/DFGJITFinalizer.cpp:
2306         (JSC::DFG::JITFinalizer::finalizeCommon):
2307         * dfg/DFGPlan.cpp:
2308         (JSC::DFG::Plan::compileInThreadImpl):
2309         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2310         * jit/JIT.cpp:
2311         (JSC::JIT::link):
2312         * jit/JIT.h:
2313         * jit/JITInlines.h:
2314         (JSC::JIT::emitLoadDouble):
2315         (JSC::JIT::emitLoadInt32ToDouble): Deleted.
2316
2317 2020-02-05  Don Olmstead  <don.olmstead@sony.com>
2318
2319         [PlayStation] Build a shared JavaScriptCore
2320         https://bugs.webkit.org/show_bug.cgi?id=198446
2321
2322         Reviewed by Fujii Hironori.
2323
2324         Add TARGET_OBJECTS for bmalloc and WTF so JavaScriptCore links. Add bmalloc and
2325         WTF compile definitions so exports are exposed.
2326
2327         * PlatformPlayStation.cmake:
2328
2329 2020-02-05  Justin Michaud  <justin_michaud@apple.com>
2330
2331         Deleting a property should not turn structures into uncacheable dictionaries
2332         https://bugs.webkit.org/show_bug.cgi?id=206430
2333
2334         Reviewed by Yusuke Suzuki.
2335
2336         Right now, deleteProperty/removePropertyTransition causes a structure transition to an uncacheable dictionary. Instead, we should allow it to transition to a new regular structure, like adding a property does. This means that we have to:
2337
2338         1) Break the assumption that structure transition offsets increase monotonically
2339
2340         We add a new flag to tell that a structure has deleted its property, and update materializePropertyTable to use it.
2341
2342         2) Add a new transition map and transition kind for deletes
2343
2344         We cache the delete transition. We will not transition back to a previous structure if you add then immediately remove a property.
2345
2346         3) Find some heuristic for when we should actually transition to an uncacheable dictionary.
2347
2348         Since deleting properties is expected to be rare, we just walk the structure list and count its size on removal. 
2349
2350         This patch also fixes a related bug in addProperty, where we did not use a GCSafeConcurrentJSLocker, and adds an option to trigger the bug. Finally, we add some helper methods to dollarVM to test.
2351
2352         This gives a 24x speedup on delete-property-keeps-cacheable-structure.js, and is neutral on delete-property-from-prototype-chain.js (which was already generating code using the inline cache).
2353
2354         * heap/HeapInlines.h:
2355         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2356         * runtime/JSObject.cpp:
2357         (JSC::JSObject::deleteProperty):
2358         * runtime/OptionsList.h:
2359         * runtime/PropertyMapHashTable.h:
2360         (JSC::PropertyTable::get):
2361         (JSC::PropertyTable::add):
2362         (JSC::PropertyTable::addDeletedOffset):
2363         (JSC::PropertyTable::reinsert):
2364         * runtime/Structure.cpp:
2365         (JSC::StructureTransitionTable::contains const):
2366         (JSC::StructureTransitionTable::get const):
2367         (JSC::StructureTransitionTable::add):
2368         (JSC::Structure::Structure):
2369         (JSC::Structure::materializePropertyTable):
2370         (JSC::Structure::addNewPropertyTransition):
2371         (JSC::Structure::removePropertyTransition):
2372         (JSC::Structure::removePropertyTransitionFromExistingStructure):
2373         (JSC::Structure::removeNewPropertyTransition):
2374         (JSC::Structure::toUncacheableDictionaryTransition):
2375         (JSC::Structure::remove):
2376         (JSC::Structure::visitChildren):
2377         * runtime/Structure.h:
2378         * runtime/StructureInlines.h:
2379         (JSC::Structure::forEachPropertyConcurrently):
2380         (JSC::Structure::add):
2381         (JSC::Structure::remove):
2382         (JSC::Structure::removePropertyWithoutTransition):
2383         * runtime/StructureTransitionTable.h:
2384         (JSC::StructureTransitionTable::Hash::hash):
2385         * tools/JSDollarVM.cpp:
2386         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
2387         (JSC::functionGetConcurrently):
2388         (JSC::JSDollarVM::finishCreation):
2389
2390 2020-02-05  Devin Rousso  <drousso@apple.com>
2391
2392         Web Inspector: Sources: add a special breakpoint for controlling whether `debugger` statements pause
2393         https://bugs.webkit.org/show_bug.cgi?id=206818
2394
2395         Reviewed by Timothy Hatcher.
2396
2397         * inspector/protocol/Debugger.json:
2398         * inspector/agents/InspectorDebuggerAgent.h:
2399         * inspector/agents/InspectorDebuggerAgent.cpp:
2400         (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements): Added.
2401
2402         * bytecompiler/NodesCodegen.cpp:
2403         (JSC::DebuggerStatementNode::emitBytecode):
2404         * bytecode/CodeBlock.cpp:
2405         (JSC::CodeBlock::finishCreation):
2406         * bytecode/UnlinkedCodeBlock.cpp:
2407         (JSC::dumpLineColumnEntry):
2408         * interpreter/Interpreter.h:
2409         * interpreter/Interpreter.cpp:
2410         (JSC::Interpreter::debug):
2411         (WTF::printInternal):
2412         * debugger/Debugger.h:
2413         (JSC::Debugger::setPauseOnDebuggerStatements): Added.
2414         * debugger/Debugger.cpp:
2415         (JSC::Debugger::didReachDebuggerStatement): Added.
2416         (JSC::Debugger::didReachBreakpoint): Deleted.
2417         Replace `DebugHookType::DidReachBreakpoint` with `DebugHookType::DidReachDebuggerStatement`,
2418         as it is only actually used for `debugger;` statements, not breakpoints.
2419
2420 2020-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2421
2422         [JSC] Structure::setMaxOffset and setTransitionOffset are racy
2423         https://bugs.webkit.org/show_bug.cgi?id=207249
2424
2425         Reviewed by Mark Lam.
2426
2427         We hit a crash in JSTests/stress/array-slice-osr-exit-2.js. The situation is as follows.
2428
2429             1. The mutator thread (A) is working.
2430             2. The concurrent collector (B) is working.
2431             3. A attempts to set m_maxOffset in StructureRareData by allocating it. First, A sets Structure::m_maxOffset to useRareDataFlag.
2432             4. B is in JSObject::visitButterflyImpl, and executing Structure::maxOffset().
2433             5. B detects that m_maxOffset is useRareDataFlag.
2434             6. B attempts to load rareData, but this is not a StructureRareData since A is just now setting up StructureRareData.
2435             7. B crashes.
2436
2437         Set useRareDataFlag after StructureRareData is set, ensuring this store order by using a storeStoreFence.
2438
2439         * runtime/Structure.h:
2440
2441 2020-02-04  Adrian Perez de Castro  <aperez@igalia.com>
2442
2443         Non-unified build fixes early February 2020 edition
2444         https://bugs.webkit.org/show_bug.cgi?id=207227
2445
2446         Reviewed by Don Olmstead.
2447
2448         * bytecode/PolyProtoAccessChain.h: Add missing inclusions of StructureIDTable.h and VM.h
2449
2450 2020-02-04  Alex Christensen  <achristensen@webkit.org>
2451
2452         Fix Mac CMake build
2453         https://bugs.webkit.org/show_bug.cgi?id=207231
2454
2455         * PlatformMac.cmake:
2456
2457 2020-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2458
2459         [JSC] Use PackedRefPtr in UnlinkedCodeBlock
2460         https://bugs.webkit.org/show_bug.cgi?id=207229
2461
2462         Reviewed by Mark Lam.
2463
2464         Use PackedRefPtr in UnlinkedCodeBlock to compact it from 168 to 160, which saves 16 bytes (10%) per UnlinkedCodeBlock since
2465         we have 16-byte alignment for GC cells.
2466
2467         * bytecode/UnlinkedCodeBlock.h:
2468         (JSC::UnlinkedCodeBlock::sourceURLDirective const):
2469         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective const):
2470         (JSC::UnlinkedCodeBlock::setSourceURLDirective):
2471         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective):
2472         * runtime/CachedTypes.cpp:
2473         (JSC::CachedCodeBlock::sourceURLDirective const):
2474         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
2475         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2476         * runtime/CodeCache.cpp:
2477         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2478
2479 2020-02-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2480
2481         Quantifiers after lookahead assertions should be syntax errors in Unicode patterns only
2482         https://bugs.webkit.org/show_bug.cgi?id=206988
2483
2484         Reviewed by Darin Adler and Ross Kirsling.
2485
2486         This change adds SyntaxError for quantifiable assertions in Unicode patterns,
2487         aligning JSC with V8 and SpiderMonkey.
2488
2489         Grammar: https://tc39.es/ecma262/#prod-annexB-Term
2490         (/u flag precludes the use of QuantifiableAssertion)
2491
2492         The return value of parseParenthesesEnd() now matches that of parseEscape() and
2493         parseAtomEscape().
2494
2495         * yarr/YarrParser.h:
2496         (JSC::Yarr::Parser::parseParenthesesBegin):
2497         (JSC::Yarr::Parser::parseParenthesesEnd):
2498         (JSC::Yarr::Parser::parseTokens):
2499
2500 2020-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2501
2502         [JSC] Introduce UnlinkedCodeBlockGenerator and reduce sizeof(UnlinkedCodeBlock)
2503         https://bugs.webkit.org/show_bug.cgi?id=207087
2504
2505         Reviewed by Tadeu Zagallo.
2506
2507         While UnlinkedCodeBlock is immutable once it is created from BytecodeGenerator, it has many mutable Vectors.
2508         This is because we are using UnlinkedCodeBlock as a builder of UnlinkedCodeBlock itself too in BytecodeGenerator.
2509         Since Vector takes 16 bytes to allow efficient expansions, it is nice if we can use RefCountedArray instead when
2510         we know this Vector is immutable.
2511
2512         In this patch, we introduce UnlinkedCodeBlockGenerator wrapper. BytecodeGenerator, BytecodeRewriter, BytecodeDumper,
2513         and BytecodeGeneratorification interact with UnlinkedCodeBlockGenerator instead of UnlinkedCodeBlock. And UnlinkedCodeBlockGenerator
2514         will generate the finalized UnlinkedCodeBlock. This design allows us to use RefCountedArray for data in UnlinkedCodeBlock,
2515         which is (1) smaller and (2) doing shrinkToFit operation when creating it from Vector.
2516
2517         This patch reduces sizeof(UnlinkedCodeBlock) from 256 to 168, an 88-byte reduction.
2518
2519         * JavaScriptCore.xcodeproj/project.pbxproj:
2520         * Sources.txt:
2521         * bytecode/BytecodeBasicBlock.cpp:
2522         (JSC::BytecodeBasicBlock::compute):
2523         * bytecode/BytecodeBasicBlock.h:
2524         * bytecode/BytecodeDumper.cpp:
2525         * bytecode/BytecodeGeneratorification.cpp:
2526         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2527         (JSC::GeneratorLivenessAnalysis::run):
2528         (JSC::BytecodeGeneratorification::run):
2529         (JSC::performGeneratorification):
2530         * bytecode/BytecodeGeneratorification.h:
2531         * bytecode/BytecodeRewriter.h:
2532         (JSC::BytecodeRewriter::BytecodeRewriter):
2533         * bytecode/CodeBlock.cpp:
2534         (JSC::CodeBlock::finishCreation):
2535         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2536         (JSC::CodeBlock::setConstantRegisters):
2537         (JSC::CodeBlock::handlerForIndex):
2538         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2539         * bytecode/CodeBlock.h:
2540         (JSC::CodeBlock::numberOfSwitchJumpTables const):
2541         (JSC::CodeBlock::numberOfStringSwitchJumpTables const):
2542         (JSC::CodeBlock::addSwitchJumpTable): Deleted.
2543         (JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
2544         * bytecode/HandlerInfo.h:
2545         (JSC::HandlerInfoBase::handlerForIndex):
2546         * bytecode/JumpTable.h:
2547         (JSC::SimpleJumpTable::add): Deleted.
2548         * bytecode/PreciseJumpTargets.cpp:
2549         (JSC::computePreciseJumpTargets):
2550         (JSC::recomputePreciseJumpTargets):
2551         (JSC::findJumpTargetsForInstruction):
2552         * bytecode/PreciseJumpTargets.h:
2553         * bytecode/UnlinkedCodeBlock.cpp:
2554         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2555         (JSC::UnlinkedCodeBlock::visitChildren):
2556         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
2557         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const):
2558         (JSC::UnlinkedCodeBlock::handlerForIndex):
2559         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
2560         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
2561         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
2562         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
2563         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2564         (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget): Deleted.
2565         * bytecode/UnlinkedCodeBlock.h:
2566         (JSC::UnlinkedCodeBlock::expressionInfo):
2567         (JSC::UnlinkedCodeBlock::setNumParameters):
2568         (JSC::UnlinkedCodeBlock::numberOfIdentifiers const):
2569         (JSC::UnlinkedCodeBlock::identifiers const):
2570         (JSC::UnlinkedCodeBlock::bitVector):
2571         (JSC::UnlinkedCodeBlock::constantRegisters):
2572         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
2573         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2574         (JSC::UnlinkedCodeBlock::numberOfJumpTargets const):
2575         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables const):
2576         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables const):
2577         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls):
2578         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers const):
2579         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
2580         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
2581         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2582         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2583         (JSC::UnlinkedCodeBlock::addBitVector): Deleted.
2584         (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
2585         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2586         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2587         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2588         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2589         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2590         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2591         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2592         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
2593         (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets): Deleted.
2594         * bytecode/UnlinkedCodeBlockGenerator.cpp: Added.
2595         (JSC::UnlinkedCodeBlockGenerator::getLineAndColumn const):
2596         (JSC::UnlinkedCodeBlockGenerator::addExpressionInfo):
2597         (JSC::UnlinkedCodeBlockGenerator::addTypeProfilerExpressionInfo):
2598         (JSC::UnlinkedCodeBlockGenerator::finalize):
2599         (JSC::UnlinkedCodeBlockGenerator::handlerForBytecodeIndex):
2600         (JSC::UnlinkedCodeBlockGenerator::handlerForIndex):
2601         (JSC::UnlinkedCodeBlockGenerator::applyModification):
2602         (JSC::UnlinkedCodeBlockGenerator::addOutOfLineJumpTarget):
2603         (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset):
2604         (JSC::UnlinkedCodeBlockGenerator::dump const):
2605         * bytecode/UnlinkedCodeBlockGenerator.h: Added.
2606         (JSC::UnlinkedCodeBlockGenerator::UnlinkedCodeBlockGenerator):
2607         (JSC::UnlinkedCodeBlockGenerator::vm):
2608         (JSC::UnlinkedCodeBlockGenerator::isConstructor const):
2609         (JSC::UnlinkedCodeBlockGenerator::constructorKind const):
2610         (JSC::UnlinkedCodeBlockGenerator::superBinding const):
2611         (JSC::UnlinkedCodeBlockGenerator::scriptMode const):
2612         (JSC::UnlinkedCodeBlockGenerator::needsClassFieldInitializer const):
2613         (JSC::UnlinkedCodeBlockGenerator::isStrictMode const):
2614         (JSC::UnlinkedCodeBlockGenerator::usesEval const):
2615         (JSC::UnlinkedCodeBlockGenerator::parseMode const):
2616         (JSC::UnlinkedCodeBlockGenerator::isArrowFunction):
2617         (JSC::UnlinkedCodeBlockGenerator::derivedContextType const):
2618         (JSC::UnlinkedCodeBlockGenerator::evalContextType const):
2619         (JSC::UnlinkedCodeBlockGenerator::isArrowFunctionContext const):
2620         (JSC::UnlinkedCodeBlockGenerator::isClassContext const):
2621         (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const):
2622         (JSC::UnlinkedCodeBlockGenerator::numVars const):
2623         (JSC::UnlinkedCodeBlockGenerator::numParameters const):
2624         (JSC::UnlinkedCodeBlockGenerator::thisRegister const):
2625         (JSC::UnlinkedCodeBlockGenerator::scopeRegister const):
2626         (JSC::UnlinkedCodeBlockGenerator::wasCompiledWithDebuggingOpcodes const):
2627         (JSC::UnlinkedCodeBlockGenerator::hasCheckpoints const):
2628         (JSC::UnlinkedCodeBlockGenerator::hasTailCalls const):
2629         (JSC::UnlinkedCodeBlockGenerator::setHasCheckpoints):
2630         (JSC::UnlinkedCodeBlockGenerator::setHasTailCalls):
2631         (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals):
2632         (JSC::UnlinkedCodeBlockGenerator::setNumVars):
2633         (JSC::UnlinkedCodeBlockGenerator::setThisRegister):
2634         (JSC::UnlinkedCodeBlockGenerator::setScopeRegister):
2635         (JSC::UnlinkedCodeBlockGenerator::setNumParameters):
2636         (JSC::UnlinkedCodeBlockGenerator::metadata):
2637         (JSC::UnlinkedCodeBlockGenerator::addOpProfileControlFlowBytecodeOffset):
2638         (JSC::UnlinkedCodeBlockGenerator::numberOfJumpTargets const):
2639         (JSC::UnlinkedCodeBlockGenerator::addJumpTarget):
2640         (JSC::UnlinkedCodeBlockGenerator::jumpTarget const):
2641         (JSC::UnlinkedCodeBlockGenerator::lastJumpTarget const):
2642         (JSC::UnlinkedCodeBlockGenerator::numberOfSwitchJumpTables const):
2643         (JSC::UnlinkedCodeBlockGenerator::addSwitchJumpTable):
2644         (JSC::UnlinkedCodeBlockGenerator::switchJumpTable):
2645         (JSC::UnlinkedCodeBlockGenerator::numberOfStringSwitchJumpTables const):
2646         (JSC::UnlinkedCodeBlockGenerator::addStringSwitchJumpTable):
2647         (JSC::UnlinkedCodeBlockGenerator::stringSwitchJumpTable):
2648         (JSC::UnlinkedCodeBlockGenerator::numberOfExceptionHandlers const):
2649         (JSC::UnlinkedCodeBlockGenerator::exceptionHandler):
2650         (JSC::UnlinkedCodeBlockGenerator::addExceptionHandler):
2651         (JSC::UnlinkedCodeBlockGenerator::bitVector):
2652         (JSC::UnlinkedCodeBlockGenerator::addBitVector):
2653         (JSC::UnlinkedCodeBlockGenerator::numberOfConstantIdentifierSets const):
2654         (JSC::UnlinkedCodeBlockGenerator::constantIdentifierSets):
2655         (JSC::UnlinkedCodeBlockGenerator::addSetConstant):
2656         (JSC::UnlinkedCodeBlockGenerator::constantRegister const):
2657         (JSC::UnlinkedCodeBlockGenerator::constantRegisters):
2658         (JSC::UnlinkedCodeBlockGenerator::getConstant const):
2659         (JSC::UnlinkedCodeBlockGenerator::constantsSourceCodeRepresentation):
2660         (JSC::UnlinkedCodeBlockGenerator::addConstant):
2661         (JSC::UnlinkedCodeBlockGenerator::addFunctionDecl):
2662         (JSC::UnlinkedCodeBlockGenerator::addFunctionExpr):
2663         (JSC::UnlinkedCodeBlockGenerator::numberOfIdentifiers const):
2664         (JSC::UnlinkedCodeBlockGenerator::identifier const):
2665         (JSC::UnlinkedCodeBlockGenerator::addIdentifier):
2666         (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset):
2667         (JSC::UnlinkedCodeBlockGenerator::replaceOutOfLineJumpTargets):
2668         (JSC::UnlinkedCodeBlockGenerator::metadataSizeInBytes):
2669         * bytecompiler/BytecodeGenerator.cpp:
2670         (JSC::BytecodeGenerator::generate):
2671         (JSC::BytecodeGenerator::BytecodeGenerator):
2672         (JSC::BytecodeGenerator::initializeNextParameter):
2673         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2674         (JSC::prepareJumpTableForSwitch):
2675         (JSC::ForInContext::finalize):
2676         (JSC::StructureForInContext::finalize):
2677         (JSC::IndexedForInContext::finalize):
2678         * bytecompiler/BytecodeGenerator.h:
2679         * bytecompiler/BytecodeGeneratorBaseInlines.h:
2680         (JSC::BytecodeGeneratorBase<Traits>::newRegister):
2681         (JSC::BytecodeGeneratorBase<Traits>::addVar):
2682         * runtime/CachedTypes.cpp:
2683         (JSC::CachedVector::encode):
2684         (JSC::CachedVector::decode const):
2685         * wasm/WasmFunctionCodeBlock.h:
2686         (JSC::Wasm::FunctionCodeBlock::setNumVars):
2687         (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals):
2688
2689 2020-02-04  Devin Rousso  <drousso@apple.com>
2690
2691         Web Inspector: REGRESSION(r248287): Console: function objects saved to a $n will be invoked instead of just referenced when evaluating in the Console
2692         https://bugs.webkit.org/show_bug.cgi?id=207180
2693         <rdar://problem/58860268>
2694
2695         Reviewed by Joseph Pecoraro.
2696
2697         * inspector/InjectedScriptSource.js:
2698         (CommandLineAPI):
2699         Instead of deciding whether to wrap the value given for a `$n` getter based on if the value
2700         is already a function, always wrap getter values in a function so that if the value being
2701         stored in the getter is already a function, it isn't used as the callback for the getter and
2702         therefore invoked when the getter is referenced.
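
The getter problem described in this entry, reduced to plain JavaScript as an added illustration. This is not Web Inspector or WebKit code; the helper names (installSavedResultBuggy, installSavedResultFixed, makeSample) and the sample function are constructed for the example. The buggy variant reproduces the r248287 behaviour of using a stored function directly as the getter callback; the fixed variant always wraps the value in a fresh getter, as the entry describes:

```javascript
// Added example, not WebKit code. Shows why a saved value that is itself a
// function must be wrapped in a getter closure rather than used as the getter.

// Buggy approach: when the saved value is already a function it becomes the
// getter callback itself, so merely referencing `$1` invokes it.
function installSavedResultBuggy(target, name, value) {
  Object.defineProperty(target, name, {
    configurable: true,
    get: typeof value === "function" ? value : () => value,
  });
}

// Fixed approach: always wrap, so a stored function is returned by reference.
function installSavedResultFixed(target, name, value) {
  Object.defineProperty(target, name, {
    configurable: true,
    get: () => value,
  });
}

// Constructed sample: a "saved" function that records how often it is called.
function makeSample() {
  let calls = 0;
  const savedFn = function () { calls += 1; return "invoked"; };
  const buggy = {};
  const fixed = {};
  installSavedResultBuggy(buggy, "$1", savedFn);
  installSavedResultFixed(fixed, "$1", savedFn);

  const buggyResult = buggy.$1;      // runs savedFn as the getter -> "invoked"
  const callsAfterBuggy = calls;     // 1
  const fixedResult = fixed.$1;      // hands back savedFn itself, no call
  const callsAfterFixed = calls;     // still 1

  return { savedFn, buggyResult, callsAfterBuggy, fixedResult, callsAfterFixed };
}
```

Reading `buggy.$1` executes the saved function, which is exactly what a console user does not expect when they only reference `$1`; reading `fixed.$1` returns the function object so it can be passed around or called explicitly.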
2703
2704 2020-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2705
2706         [JSC] Use PackedPtr for VariableEnvironment
2707         https://bugs.webkit.org/show_bug.cgi?id=207172
2708
2709         Reviewed by Mark Lam.
2710
2711         Since VariableEnvironment's KeyValue is key: pointer + value: 2 bytes, using PackedPtr can make it 8 bytes, a 50% reduction.
2712
2713         * parser/VariableEnvironment.h:
2714         * runtime/CachedTypes.cpp:
2715         (JSC::CachedRefPtr::encode):
2716         (JSC::CachedRefPtr::decode const): CachedTypes should handle PackedPtr too since VariableEnvironment starts using it.
2717
2718 2020-02-03  Alexey Shvayka  <shvaikalesh@gmail.com>
2719
2720         \0 identity escapes should be syntax errors in Unicode patterns only
2721         https://bugs.webkit.org/show_bug.cgi?id=207114
2722
2723         Reviewed by Darin Adler.
2724
2725         This change adds a separate check for null character because `strchr`
2726         always returns a non-null pointer when called with '\0' as second argument.
2727
2728         Grammar: https://tc39.es/ecma262/#prod-annexB-IdentityEscape
2729         (/u flag precludes the use of SourceCharacterIdentityEscape)
2730
2731         * yarr/YarrParser.h:
2732         (JSC::Yarr::Parser::isIdentityEscapeAnError):
2733
2734 2020-02-01  Alexey Shvayka  <shvaikalesh@gmail.com>
2735
2736         Non-alphabetical \c escapes should be syntax errors in Unicode patterns only
2737         https://bugs.webkit.org/show_bug.cgi?id=207091
2738
2739         Reviewed by Darin Adler.
2740
2741         This change adds SyntaxError for non-alphabetical and identity \c escapes
2742         in Unicode patterns, aligning JSC with V8 and SpiderMonkey.
2743
2744         Grammar: https://tc39.es/ecma262/#prod-annexB-ClassEscape
2745         (/u flag precludes the use of ClassControlLetter)
2746
2747         * yarr/YarrErrorCode.cpp:
2748         (JSC::Yarr::errorMessage):
2749         (JSC::Yarr::errorToThrow):
2750         * yarr/YarrErrorCode.h:
2751         * yarr/YarrParser.h:
2752         (JSC::Yarr::Parser::parseEscape):
2753
2754 2020-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2755
2756         [JSC] Hold StructureID instead of Structure* in PolyProtoAccessChain and DFG::CommonData
2757         https://bugs.webkit.org/show_bug.cgi?id=207086
2758
2759         Reviewed by Mark Lam.
2760
2761         PolyProtoAccessChain and DFG::CommonData are kept alive so long as associated AccessCase / DFG/FTL CodeBlock
2762         is alive. They hold Vector<Structure*> / Vector<WriteBarrier<Structure*>>, but access frequency is low.
2763         We should hold Vector<StructureID> instead to cut 50% of the size.
2764
2765         * bytecode/AccessCase.cpp:
2766         (JSC::AccessCase::commit):
2767         (JSC::AccessCase::forEachDependentCell const):
2768         (JSC::AccessCase::doesCalls const):
2769         (JSC::AccessCase::visitWeak const):
2770         (JSC::AccessCase::propagateTransitions const):
2771         (JSC::AccessCase::generateWithGuard):
2772         * bytecode/AccessCase.h:
2773         * bytecode/CodeBlock.cpp:
2774         (JSC::CodeBlock::propagateTransitions):
2775         (JSC::CodeBlock::determineLiveness):
2776         (JSC::CodeBlock::stronglyVisitWeakReferences):
2777         * bytecode/GetByStatus.cpp:
2778         (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
2779         * bytecode/InByIdStatus.cpp:
2780         (JSC::InByIdStatus::computeFor):
2781         (JSC::InByIdStatus::computeForStubInfo):
2782         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2783         * bytecode/InByIdStatus.h:
2784         * bytecode/InstanceOfStatus.cpp:
2785         (JSC::InstanceOfStatus::computeFor):
2786         (JSC::InstanceOfStatus::computeForStubInfo):
2787         * bytecode/InstanceOfStatus.h:
2788         * bytecode/PolyProtoAccessChain.cpp:
2789         (JSC::PolyProtoAccessChain::create):
2790         (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
2791         (JSC::PolyProtoAccessChain::dump const):
2792         * bytecode/PolyProtoAccessChain.h:
2793         (JSC::PolyProtoAccessChain::chain const):
2794         (JSC::PolyProtoAccessChain::forEach const):
2795         (JSC::PolyProtoAccessChain::slotBaseStructure const):
2796         (JSC::PolyProtoAccessChain:: const): Deleted.
2797         * bytecode/PolymorphicAccess.cpp:
2798         (JSC::PolymorphicAccess::regenerate):
2799         * bytecode/PutByIdStatus.cpp:
2800         (JSC::PutByIdStatus::computeForStubInfo):
2801         * bytecode/StructureStubInfo.cpp:
2802         (JSC::StructureStubInfo::summary const):
2803         (JSC::StructureStubInfo::summary):
2804         * bytecode/StructureStubInfo.h:
2805         * dfg/DFGCommonData.h:
2806         * dfg/DFGDesiredWeakReferences.cpp:
2807         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2808         * dfg/DFGPlan.cpp:
2809         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2810         * jit/Repatch.cpp:
2811         (JSC::tryCacheGetBy):
2812         (JSC::tryCachePutByID):
2813         (JSC::tryCacheInByID):
2814
2815 2020-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2816
2817         [JSC] ShrinkToFit some vectors kept by JIT data structures
2818         https://bugs.webkit.org/show_bug.cgi?id=207085
2819
2820         Reviewed by Mark Lam.
2821
2822         1. We are allocating RareCaseProfile by using SegmentedVector since JIT code is directly accessing RareCaseProfile*. But when creating RareCaseProfile, we can know
2823            how many RareCaseProfiles we should create: RareCaseProfile is created per slow path of Baseline JIT bytecode. Since we already scan bytecode for the main paths,
2824            we can count it and use this number when creating RareCaseProfile.
2825         2. Vectors held by PolymorphicAccess and PolymorphicCallStubRoutine should be kept small by calling shrinkToFit.
2826
2827         * bytecode/CodeBlock.cpp:
2828         (JSC::CodeBlock::setRareCaseProfiles):
2829         (JSC::CodeBlock::shrinkToFit):
2830         (JSC::CodeBlock::addRareCaseProfile): Deleted.
2831         * bytecode/CodeBlock.h:
2832         * bytecode/PolyProtoAccessChain.cpp:
2833         (JSC::PolyProtoAccessChain::create):
2834         * bytecode/PolymorphicAccess.cpp:
2835         (JSC::PolymorphicAccess::regenerate):
2836         * bytecode/ValueProfile.h:
2837         (JSC::RareCaseProfile::RareCaseProfile):
2838         * jit/JIT.cpp:
2839         (JSC::JIT::privateCompileMainPass):
2840         (JSC::JIT::privateCompileSlowCases):
2841         * jit/JIT.h:
2842         * jit/PolymorphicCallStubRoutine.cpp:
2843         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2844
2845 2020-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2846
2847         [JSC] DFG::CommonData::shrinkToFit called before DFG::Plan::reallyAdd is called
2848         https://bugs.webkit.org/show_bug.cgi?id=207083
2849
2850         Reviewed by Mark Lam.
2851
2852         We are calling DFG::CommonData::shrinkToFit, but calling this too early: we execute
2853         DFG::Plan::reallyAdd(DFG::CommonData*) after that, and this adds many entries to
2854         DFG::CommonData*. We should call DFG::CommonData::shrinkToFit after calling DFG::Plan::reallyAdd.
2855
2856         To implement it, we make DFG::JITCode::shrinkToFit a virtual function in JSC::JITCode. Then, we
2857         can also implement FTL::JITCode::shrinkToFit which was previously not implemented.
2858
2859         * dfg/DFGJITCode.cpp:
2860         (JSC::DFG::JITCode::shrinkToFit):
2861         * dfg/DFGJITCode.h:
2862         * dfg/DFGJITCompiler.cpp:
2863         (JSC::DFG::JITCompiler::compile):
2864         (JSC::DFG::JITCompiler::compileFunction):
2865         * dfg/DFGPlan.cpp:
2866         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2867         * ftl/FTLJITCode.cpp:
2868         (JSC::FTL::JITCode::shrinkToFit):
2869         * ftl/FTLJITCode.h:
2870         * jit/JITCode.cpp:
2871         (JSC::JITCode::shrinkToFit):
2872         * jit/JITCode.h:
2873
2874 2020-01-31  Saam Barati  <sbarati@apple.com>
2875
2876         GetButterfly should check if the input value is an object in safe to execute
2877         https://bugs.webkit.org/show_bug.cgi?id=207082
2878
2879         Reviewed by Mark Lam.
2880
2881         We can only hoist GetButterfly when we know the incoming value is an object.
2882         We might want to reconsider making GetButterfly use ObjectUse as its edge
2883         kind, but that's out of the scope of this patch. Currently, we use CellUse
2884         for GetButterfly node's child1.
2885
2886         * dfg/DFGSafeToExecute.h:
2887         (JSC::DFG::safeToExecute):
2888
2889 2020-01-31  Saam Barati  <sbarati@apple.com>
2890
2891         safe to execute should return false when we know code won't be moved
2892         https://bugs.webkit.org/show_bug.cgi?id=207074
2893
2894         Reviewed by Yusuke Suzuki.
2895
2896         We use safeToExecute to determine inside LICM whether it's safe to execute
2897         a node somewhere else in the program. We were returning true for nodes
2898         we knew would never be moved, because they were effectful. Things like Call
2899         and GetById. This patch makes those nodes return false now, since we want
2900         to make it easier to audit the nodes that return true. This makes that audit
2901         easier, since it gets rid of the obvious things that will never be hoisted.
2902
2903         * dfg/DFGSafeToExecute.h:
2904         (JSC::DFG::safeToExecute):
2905
2906 2020-01-31  Saam Barati  <sbarati@apple.com>
2907
2908         GetGetterSetterByOffset and GetGetter/GetSetter are not always safe to execute
2909         https://bugs.webkit.org/show_bug.cgi?id=206805
2910         <rdar://problem/58898161>
2911
2912         Reviewed by Yusuke Suzuki.
2913
2914         This patch fixes two bugs. The first is GetGetterSetterByOffset. Previously,
2915         we were just checking that we could load the value safely. However, because
2916         GetGetterSetterByOffset returns a GetterSetter object, we can only safely
2917         move this node into a context where it's guaranteed that the offset loaded
2918         will return a GetterSetter.
2919         
2920         The second fix is GetGetter/GetSetter were both always marked as safe to execute.
2921         However, they're only safe to execute when the incoming value to load from
2922         is a GetterSetter object.
2923
2924         * dfg/DFGSafeToExecute.h:
2925         (JSC::DFG::safeToExecute):
2926
2927 2020-01-31  Alexey Shvayka  <shvaikalesh@gmail.com>
2928
2929         Unmatched ] or } brackets should be syntax errors in Unicode patterns only
2930         https://bugs.webkit.org/show_bug.cgi?id=207023
2931
2932         Reviewed by Darin Adler.
2933
2934         This change adds SyntaxError for Unicode patterns, aligning JSC with
2935         V8 and SpiderMonkey.
2936
2937         Grammar: https://tc39.es/ecma262/#prod-annexB-Term
2938         (/u flag precludes the use of ExtendedAtom and thus ExtendedPatternCharacter)
2939
2940         * yarr/YarrErrorCode.cpp:
2941         (JSC::Yarr::errorMessage):
2942         (JSC::Yarr::errorToThrow):
2943         * yarr/YarrErrorCode.h:
2944         * yarr/YarrParser.h:
2945         (JSC::Yarr::Parser::parseTokens):
2946
2947 2020-01-31  Don Olmstead  <don.olmstead@sony.com>
2948
2949         [CMake] Add _PRIVATE_LIBRARIES to framework
2950         https://bugs.webkit.org/show_bug.cgi?id=207004
2951
2952         Reviewed by Konstantin Tokarev.
2953
2954         Move uses of PRIVATE within _LIBRARIES to _PRIVATE_LIBRARIES. Any _LIBRARIES appended
2955         afterwards will have that visibility set erroneously.
2956
2957         * PlatformFTW.cmake:
2958
2959 2020-01-30  Mark Lam  <mark.lam@apple.com>
2960
2961         Some improvements to DFG and FTL dumps to improve readability and searchability.
2962         https://bugs.webkit.org/show_bug.cgi?id=207024
2963
2964         Reviewed by Saam Barati.
2965
2966         This patch applies the following changes:
2967
2968         1. Prefix Air and B2 dumps with a tierName prefix.
2969            The tierName prefix strings are as follows:
2970
2971                "FTL ", "DFG ", "b3  ", "Air ", "asm "
2972
2973            The choice to use a lowercase "b3" and "asm" with upper case "Air" is
2974            deliberate because I found this combination to be easier to read and scan as
2975            prefixes of the dump lines.  See dump samples below.
2976
2977         2. Make DFG node IDs consistently expressed as D@<node index> e.g. D@104.
2978            The definition of the node will be the id followed by a colon e.g. D@104:
2979            This makes it easy to search references to this node anywhere in the dump.
2980
2981            Make B3 nodes expressed as b@<node index> e.g. b@542.
2982            This also makes it searchable since there's now no ambiguity between b@542 and
2983            D@542.
2984
2985            The choice to use a lowercase "b" and an uppercase "D" is intentional because
2986            "b@542" and "d@542" looks too similar, and I prefer to not use too much
2987            uppercase.  Plus this makes the node consistent in capitalization with the
2988            tierName prefixes above of "b3  " and "DFG " respectively.
2989
2990         Here's a sample of what the dumps now look like:
2991
2992         DFG graph dump:
2993         <code>
2994             ...
2995                  6 55:   <-- foo#DFndCW:<0x62d0000b8140, bc#65, Call, known callee: Object: 0x62d000035920 with butterfly 0x0 (Structure %AN:Function), StructureID: 12711, numArgs+this = 1, numFixup = 0, stackOffset = -16 (loc0 maps to loc16)>
2996               3  6 55:   D@79:< 3:->    ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid)
2997               4  6 55:    D@3:<!0:->    KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#71, ExitInvalid)
2998               5  6 55:   D@85:<!0:->    MovHint(Check:Untyped:D@79, MustGen, loc7, W:SideState, ClobbersExit, bc#71, ExitInvalid)
2999               6  6 55:  D@102:< 1:->    CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid)
3000               7  6 55:  D@104:<!0:->    Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid)
3001             ...
3002         </code>
3003
3004         B3 graph dump:
3005         <code>
3006             ...
3007             b3  BB#14: ; frequency = 10.000000
3008             b3    Predecessors: #13
3009             b3      Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [], ExitsSideways|Reads:Top, D@79)
3010             b3      Int32 b@539 = LessThan(b@531, $100(b@578), D@102)
3011             b3      Void b@542 = Branch(b@539, Terminal, D@104)
3012             b3    Successors: Then:#2, Else:#15
3013             ...
3014         </code>
3015
3016         Air graph dump:
3017         <code>
3018             ...
3019             Air BB#5: ; frequency = 10.000000
3020             Air   Predecessors: #4
3021             Air     Move -96(%rbp), %rax, b@531
3022             Air     Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531
3023             Air     Branch32 LessThan, %rax, $100, b@542
3024             Air   Successors: #1, #6
3025             ...
3026         </code>
3027
3028         FTL disassembly dump:
3029         <code>
3030             ...
3031             Air BB#5: ; frequency = 10.000000
3032             Air   Predecessors: #4
3033             DFG       D@42:< 2:->   JSConstant(JS|PureInt, Int32, Int32: 1, bc#0, ExitInvalid)
3034             DFG       D@79:< 3:->   ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid)
3035             b3            Int32 b@1 = Const32(1)
3036             b3            Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [%rax, %rbx, %rbp, %r12], ExitsSideways|Reads:Top, D@79)
3037             Air               Move -96(%rbp), %rax, b@531
3038             asm                   0x4576b9c04712: mov -0x60(%rbp), %rax
3039             Air               Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531
3040             asm                   0x4576b9c04716: inc %eax
3041             asm                   0x4576b9c04718: jo 0x4576b9c04861
3042             DFG       D@89:< 1:->   JSConstant(JS|PureNum|UseAsOther, NonBoolInt32, Int32: 100, bc#0, ExitInvalid)
3043             DFG      D@102:< 1:->   CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid)
3044             DFG      D@104:<!0:->   Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid)
3045             b3            Int32 b@578 = Const32(100, D@89)
3046             b3            Int32 b@539 = LessThan(b@531, $100(b@578), D@102)
3047             b3            Void b@542 = Branch(b@539, Terminal, D@104)
3048             Air               Branch32 LessThan, %rax, $100, b@542
3049             asm                   0x4576b9c0471e: cmp $0x64, %eax
3050             asm                   0x4576b9c04721: jl 0x4576b9c0462f
3051             Air   Successors: #1, #6
3052             ...
3053         </code>
3054
3055         * b3/B3BasicBlock.cpp:
3056         (JSC::B3::BasicBlock::deepDump const):
3057         * b3/B3Common.cpp:
3058         * b3/B3Common.h:
3059         * b3/B3Generate.cpp:
3060         (JSC::B3::generateToAir):
3061         * b3/B3Procedure.cpp:
3062         (JSC::B3::Procedure::dump const):
3063         * b3/B3Value.cpp:
3064         * b3/air/AirBasicBlock.cpp:
3065         (JSC::B3::Air::BasicBlock::deepDump const):
3066         (JSC::B3::Air::BasicBlock::dumpHeader const):
3067         (JSC::B3::Air::BasicBlock::dumpFooter const):
3068         * b3/air/AirCode.cpp:
3069         (JSC::B3::Air::Code::dump const):
3070         * b3/air/AirCode.h:
3071         * b3/air/AirDisassembler.cpp:
3072         (JSC::B3::Air::Disassembler::dump):
3073         * b3/air/AirGenerate.cpp:
3074         (JSC::B3::Air::prepareForGeneration):
3075         * dfg/DFGCommon.cpp:
3076         * dfg/DFGCommon.h:
3077         * dfg/DFGGraph.cpp:
3078         (JSC::DFG::Graph::dump):
3079         (JSC::DFG::Graph::dumpBlockHeader):
3080         * dfg/DFGNode.cpp:
3081         (WTF::printInternal):
3082         * ftl/FTLCompile.cpp:
3083         (JSC::FTL::compile):
3084         * ftl/FTLCompile.h:
3085         * ftl/FTLState.cpp:
3086         (JSC::FTL::State::State):
3087
3088 2020-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3089
3090         [WTF] Remove PackedIntVector
3091         https://bugs.webkit.org/show_bug.cgi?id=207018
3092
3093         Reviewed by Mark Lam.
3094
3095         * bytecode/BytecodeBasicBlock.h:
3096
3097 2020-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3098
3099         [JSC] Remove unnecessary allocations in BytecodeBasicBlock
3100         https://bugs.webkit.org/show_bug.cgi?id=206986
3101
3102         Reviewed by Mark Lam.
3103
3104         We know that BytecodeBasicBlock itself takes 2MB in Gmail. And each BytecodeBasicBlock has Vector<unsigned>
3105         and Vector<BytecodeBasicBlock*>.
3106
3107         BytecodeBasicBlock holds all the offsets per bytecode as unsigned in m_offsets. But this offset is
3108         only used when reverse iterating a bytecode in a BytecodeBasicBlock. We can hold the length of each
3109         bytecode instead, which is much smaller (unsigned vs. uint8_t).
3110
3111         Since each BytecodeBasicBlock has an index, we should hold successors in Vector<unsigned> instead of Vector<BytecodeBasicBlock*>.
3112
3113         We are also allocating BytecodeBasicBlock in makeUnique<> and having them in Vector<std::unique_ptr<BytecodeBasicBlock>>.
3114         But this is not necessary since only BytecodeBasicBlock::compute can modify this vector. We should generate Vector<BytecodeBasicBlock>
3115         from BytecodeBasicBlock::compute.
3116
3117         We are also planning to purge BytecodeBasicBlock in UnlinkedCodeBlock if it is not used so much. But this will be done in a separate patch.
3118
3119         * bytecode/BytecodeBasicBlock.cpp:
3120         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3121         (JSC::BytecodeBasicBlock::addLength):
3122         (JSC::BytecodeBasicBlock::shrinkToFit):
3123         (JSC::BytecodeBasicBlock::computeImpl):
3124         (JSC::BytecodeBasicBlock::compute):
3125         * bytecode/BytecodeBasicBlock.h:
3126         (JSC::BytecodeBasicBlock::delta const):
3127         (JSC::BytecodeBasicBlock::successors const):
3128         (JSC::BytecodeBasicBlock::operator bool const):
3129         (JSC::BytecodeBasicBlock::addSuccessor):
3130         (JSC::BytecodeBasicBlock::offsets const): Deleted.
3131         (JSC::BytecodeBasicBlock:: const): Deleted.
3132         (JSC::BytecodeBasicBlock::BytecodeBasicBlock): Deleted.
3133         (JSC::BytecodeBasicBlock::addLength): Deleted.
3134         * bytecode/BytecodeGeneratorification.cpp:
3135         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3136         * bytecode/BytecodeGraph.h:
3137         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3138         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3139         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3140         (JSC::BytecodeGraph::at const):
3141         (JSC::BytecodeGraph::operator[] const):
3142         (JSC::BytecodeGraph::begin):
3143         (JSC::BytecodeGraph::end):
3144         (JSC::BytecodeGraph::first):
3145         (JSC::BytecodeGraph::last):
3146         (JSC::BytecodeGraph::BytecodeGraph):
3147         (JSC::BytecodeGraph::begin const): Deleted.
3148         (JSC::BytecodeGraph::end const): Deleted.
3149         * bytecode/BytecodeLivenessAnalysis.cpp:
3150         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex):
3151         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3152         (JSC::BytecodeLivenessAnalysis::computeKills):
3153         (JSC::BytecodeLivenessAnalysis::dumpResults):
3154         * bytecode/BytecodeLivenessAnalysis.h:
3155         * bytecode/BytecodeLivenessAnalysisInlines.h:
3156         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex):
3157         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3158         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex):
3159         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3160         * bytecode/InstructionStream.h:
3161         (JSC::InstructionStream::MutableRef::operator-> const):
3162         (JSC::InstructionStream::MutableRef::ptr const):
3163         (JSC::InstructionStream::MutableRef::unwrap const):
3164         * bytecode/Opcode.h:
3165         * generator/Section.rb:
3166         * jit/JIT.cpp:
3167         (JSC::JIT::privateCompileMainPass):
3168         * llint/LLIntData.cpp:
3169         (JSC::LLInt::initialize):
3170         * llint/LowLevelInterpreter.cpp:
3171         (JSC::CLoop::execute):
3172
3173 2020-01-30  Alexey Shvayka  <shvaikalesh@gmail.com>
3174
3175         Incomplete braced quantifiers should be banned in Unicode patterns only
3176         https://bugs.webkit.org/show_bug.cgi?id=206776
3177
3178         Reviewed by Darin Adler.
3179
3180         This change adds SyntaxError for Unicode patterns, aligning JSC with
3181         V8 and SpiderMonkey, and also capitalizes "Unicode" in error messages.
3182
3183         Grammar: https://tc39.es/ecma262/#prod-annexB-Term
3184         (/u flag precludes the use of ExtendedAtom and thus InvalidBracedQuantifier)
3185
3186         * yarr/YarrErrorCode.cpp:
3187         (JSC::Yarr::errorMessage):
3188         (JSC::Yarr::errorToThrow):
3189         * yarr/YarrErrorCode.h:
3190         * yarr/YarrParser.h:
3191         (JSC::Yarr::Parser::parseTokens):
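
The four Yarr entries on this page (\0 identity escapes, non-alphabetical \c escapes, unmatched ] or }, and incomplete braced quantifiers) all make the same point: the Annex B grammar accepts these constructs in legacy patterns, while the /u flag precludes them and they must throw SyntaxError. The following is an added example, not JSC or WebKit code, that exercises that split using the host engine's own RegExp constructor (V8 under Node, which is the behaviour these patches align JSC with). The helper names (compiles, classify, classifyAll, legacyMatches) and the SAMPLES table are constructed for this illustration:

```javascript
// Added example, not WebKit/JSC code. Probes how a pattern source parses with
// and without the /u flag using the host engine's RegExp parser.

// Returns true when `source` compiles as a RegExp with the given flags.
function compiles(source, flags) {
  try {
    new RegExp(source, flags);
    return true;
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    return false;
  }
}

// "both": accepted with and without /u; "legacy-only": only the Annex B
// grammar accepts it; "neither": rejected in both modes.
function classify(source) {
  const legacy = compiles(source, "");
  const unicode = compiles(source, "u");
  if (legacy && unicode) return "both";
  if (legacy) return "legacy-only";
  if (unicode) return "unicode-only";
  return "neither";
}

// Constructed samples matching the four ChangeLog entries. Each uses an
// Annex B extension that /u precludes.
const SAMPLES = {
  nulIdentityEscape: "\\\u0000",  // backslash followed by a literal NUL character
  nonAlphaControlEscape: "\\c1",  // \c not followed by a control letter
  loneCloseBracket: "]",          // unmatched ] (ExtendedPatternCharacter)
  loneCloseBrace: "}",            // unmatched }
  incompleteQuantifier: "a{2,",   // InvalidBracedQuantifier
};

function classifyAll() {
  const out = {};
  for (const [name, source] of Object.entries(SAMPLES)) out[name] = classify(source);
  return out;
}

// In legacy mode these constructs are taken literally rather than rejected:
// /\c1/ matches the three characters "\c1", and "a{2," matches itself.
function legacyMatches() {
  return {
    controlEscapeMatchesLiterally: /\c1/.test("\\c1"),
    nulEscapeMatchesNul: new RegExp("\\\u0000").test("\u0000"),
    bracedQuantifierIsLiteral: /a{2,/.test("a{2,"),
  };
}
```

Running classifyAll() against a pre-fix JSC build would report "both" for whichever of these cases that build still accepted under /u; a conforming engine reports "legacy-only" for all five.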
3192
3193 2020-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3194
3195         [JSC] Make SourceProviderCacheItem small
3196         https://bugs.webkit.org/show_bug.cgi?id=206987
3197
3198         Reviewed by Mark Lam.
3199
3200         We know this becomes very large when parsing a large script, and it is noticeable in some of the RAMification tests.
3201         We should use PackedPtr to shrink size of SourceProviderCacheItem.
3202
3203         * parser/Parser.h:
3204         (JSC::Scope::restoreFromSourceProviderCache):
3205         * parser/SourceProviderCacheItem.h:
3206         (JSC::SourceProviderCacheItem::usedVariables const):
3207         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3208
3209 2020-01-30  Keith Miller  <keith_miller@apple.com>
3210
3211         Parser needs to restore unary stack state when backtracking
3212         https://bugs.webkit.org/show_bug.cgi?id=206972
3213
3214         Reviewed by Saam Barati.
3215
3216         Previously we would try to parse possibly stale unary operator
3217         stack entries after backtracking from a parse error.  This would
3218         cause us to think one token was a different token while reparsing
3219         after backtracking. Additionally, this patch fixes an issue where
3220         the syntax checker would think assignment expressions were resolve
3221         expressions. Interestingly, this was not tested in test262.
3222
3223         Lastly, I tried adding some assertions to help diagnose
3224         when our source text locations are incorrect.
3225
3226         * bytecompiler/BytecodeGenerator.h:
3227         (JSC::BytecodeGenerator::emitExpressionInfo):
3228         * bytecompiler/NodesCodegen.cpp:
3229         (JSC::ThisNode::emitBytecode):
3230         (JSC::ResolveNode::emitBytecode):
3231         (JSC::EmptyVarExpression::emitBytecode):
3232         (JSC::EmptyLetExpression::emitBytecode):
3233         (JSC::ForInNode::emitLoopHeader):
3234         (JSC::ForOfNode::emitBytecode):
3235         (JSC::DefineFieldNode::emitBytecode):
3236         * parser/ASTBuilder.h:
3237         (JSC::ASTBuilder::unaryTokenStackDepth const):
3238         (JSC::ASTBuilder::setUnaryTokenStackDepth):
3239         * parser/Lexer.cpp:
3240         (JSC::Lexer<T>::Lexer):
3241         * parser/Lexer.h:
3242         (JSC::Lexer::setLineNumber):
3243         * parser/Nodes.cpp:
3244         (JSC::FunctionMetadataNode::operator== const):
3245         * parser/Nodes.h:
3246         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3247         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3248         (JSC::ThrowableExpressionData::checkConsistency const):
3249         * parser/Parser.cpp:
3250         (JSC::Parser<LexerType>::isArrowFunctionParameters):
3251         (JSC::Parser<LexerType>::parseSourceElements):
3252         (JSC::Parser<LexerType>::parseModuleSourceElements):
3253         (JSC::Parser<LexerType>::parseStatementListItem):
3254         (JSC::Parser<LexerType>::parseAssignmentElement):
3255         (JSC::Parser<LexerType>::parseForStatement):
3256         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3257         (JSC::Parser<LexerType>::parseFunctionInfo):
3258         (JSC::Parser<LexerType>::parseClass):
3259         (JSC::Parser<LexerType>::parseExportDeclaration):
3260         (JSC::Parser<LexerType>::parseAssignmentExpression):
3261         (JSC::Parser<LexerType>::parseYieldExpression):
3262         (JSC::Parser<LexerType>::parseProperty):
3263         (JSC::Parser<LexerType>::parseMemberExpression):
3264         (JSC::Parser<LexerType>::parseUnaryExpression):
3265         * parser/Parser.h:
3266         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
3267         (JSC::Parser::internalSaveParserState):
3268         (JSC::Parser::restoreParserState):
3269         (JSC::Parser::internalSaveState):
3270         (JSC::Parser::swapSavePointForError):
3271         (JSC::Parser::createSavePoint):
3272         (JSC::Parser::internalRestoreState):
3273         (JSC::Parser::restoreSavePointWithError):
3274         (JSC::Parser::restoreSavePoint):
3275         (JSC::Parser::createSavePointForError): Deleted.
3276         * parser/ParserTokens.h:
3277         (JSC::JSTextPosition::JSTextPosition):
3278         (JSC::JSTextPosition::checkConsistency):
3279         * parser/SyntaxChecker.h:
3280         (JSC::SyntaxChecker::operatorStackPop):
3281
3282 2020-01-29  Mark Lam  <mark.lam@apple.com>
3283
3284         Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
3285         https://bugs.webkit.org/show_bug.cgi?id=206981
3286         <rdar://problem/58985736>
3287
3288         Reviewed by Keith Miller.
3289
3290         InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only
3291         called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(),
3292         which in turn is only called from InternalFunction::createSubclassStructureSlow().
3293
3294         InternalFunction::createSubclassStructureSlow() only allows a call to
3295         FunctionRareData::createInternalFunctionAllocationStructureFromBase() under
3296         certain conditions.  One of these conditions is that the baseGlobalObject is
3297         different than the newTarget's globalObject.
3298
3299         InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an
3300         ASSERT on the same set of conditions, with one omission: the one above.  This
3301         patch fixes the ASSERT by adding the missing condition to match the check in
3302         InternalFunction::createSubclassStructureSlow().
3303
3304         * bytecode/InternalFunctionAllocationProfile.h:
3305         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
3306
3307 2020-01-29  Robin Morisset  <rmorisset@apple.com>
3308
3309         Remove Options::enableSpectreMitigations
3310         https://bugs.webkit.org/show_bug.cgi?id=193885
3311
3312         Reviewed by Saam Barati.
3313
3314         From what I remember we decided to remove the spectre-specific mitigations we had tried (in favor of things like process-per-origin).
3315         I don't think anyone is using the SpectreGadget we had added for experiments either.
3316         So this patch removes the following three options, and all the code that depended on them:
3317         - enableSpectreMitigations (was true, only used in one place)
3318         - enableSpectreGadgets (was false)
3319         - zeroStackFrame (was false, and was an experiment about Spectre variant 4 if I remember correctly)
3320
3321         * b3/air/AirCode.cpp:
3322         (JSC::B3::Air::defaultPrologueGenerator):
3323         * dfg/DFGJITCompiler.cpp:
3324         (JSC::DFG::JITCompiler::compile):
3325         (JSC::DFG::JITCompiler::compileFunction):
3326         * dfg/DFGSpeculativeJIT.cpp:
3327         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3328         * ftl/FTLLowerDFGToB3.cpp:
3329         (JSC::FTL::DFG::LowerDFGToB3::lower):
3330         * jit/AssemblyHelpers.h:
3331         * jit/JIT.cpp:
3332         (JSC::JIT::compileWithoutLinking):
3333         * runtime/OptionsList.h:
3334         * wasm/WasmB3IRGenerator.cpp:
3335         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3336         * yarr/YarrJIT.cpp:
3337         (JSC::Yarr::YarrGenerator::initCallFrame):
3338
3339 2020-01-29  Devin Rousso  <drousso@apple.com>
3340
3341         Web Inspector: add instrumentation for showing existing Web Animations
3342         https://bugs.webkit.org/show_bug.cgi?id=205434
3343         <rdar://problem/28328087>
3344
3345         Reviewed by Brian Burg.
3346
3347         * inspector/protocol/Animation.json:
3348         Add types/