[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193774

        Reviewed by Mark Lam.

        We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
        But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
        for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
        ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
        for these two constructor instances. There are only two instances per JSGlobalObject.

        This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use the IsoSubspace
        of InternalFunction. We introduce JSGenericArrayBufferConstructor, which takes ArrayBufferSharingMode as
        its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
        and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
        we do not need to hold ArrayBufferSharingMode in a field of the constructor. This change removes the IsoSubspace
        for ArrayBufferConstructors and reduces memory usage.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
        (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
        (JSC::JSArrayBufferConstructor::create): Deleted.
        (JSC::JSArrayBufferConstructor::createStructure): Deleted.
        (JSC::constructArrayBuffer): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
        This becomes true when we find the executable address in our conservative roots, which
        means that we could be executing it right now. This means that object liveness in
        JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
        constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
        be executed concurrently, so "JIT Stub Routines" may fail to mark the JITStubRoutine that
        is actually executing because "Conservative Scan" finds it later.
        When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
        "Conservative Scan" has already finished, we do not delete some JITStubRoutines which did not
        mark the objects they depend on. Then, in the next cycle, we find those JITStubRoutines still live,
        attempt to mark the objects they depend on, and encounter dead objects which were collected
        in the previous cycles.

        This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
        "Conservative Scan" and "JIT Stub Routines" need to be executed only when execution
        happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
        GC stop time.

        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::roots const):
        (JSC::ConservativeRoots::roots): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        * heap/SlotVisitor.h:
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:

2019-01-24  Saam Barati  <sbarati@apple.com>

        Update ARM64EHash
        https://bugs.webkit.org/show_bug.cgi?id=193776
        <rdar://problem/47526457>

        Reviewed by Mark Lam.

        See radar for details.

        * assembler/AssemblerBuffer.h:
        (JSC::ARM64EHash::update):
        (JSC::ARM64EHash::finalHash const):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        The Object Allocation Sinking phase may move allocations around inside
        of the program. However, it was not ensuring that it's still possible
        to walk the stack at the point in the program that it moved the allocation to.
        Certain InlineCallFrames rely on data in the stack when taking a stack trace.
        All allocation sites can do a stack walk (we do a stack walk when we GC).
        Conservatively, this patch says we're OK to move this allocation if we are
        moving within the same InlineCallFrame. We could be more precise and do an
        analysis of stack writes. However, this scenario is so rare that we just
        take the conservative and straightforward approach of checking that the place
        we're moving to is the same InlineCallFrame as the allocation site.

        In general, this issue arises anytime we do any kind of code motion.
        Interestingly, LICM gets this right. It gets it right because the only
        InlineCallFrames we can't move out of are the InlineCallFrames that
        have metadata stored on the stack (callee for closure calls and argument
        count for varargs calls). LICM doesn't have this issue because it relies
        on Clobberize for doing its effects analysis. In clobberize, we model every
        node within an InlineCallFrame that meets the above criteria as reading
        from those stack fields. Consequently, LICM won't hoist any node in that
        InlineCallFrame past the beginning of the InlineCallFrame since the IR
        we generate to set up such an InlineCallFrame contains writes to that
        stack location.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Use $s0 as metadata register and make sure it's properly saved and
        restored.

        * jit/GPRInfo.h:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::vmCalleeSaveRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        * llint/LowLevelInterpreter.asm:
        * offlineasm/mips.rb:

2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Expose JavaScriptCore options in GLib public API
        https://bugs.webkit.org/show_bug.cgi?id=188742

        Reviewed by Michael Catanzaro.

        Add new API to set, get and iterate JSC options.

        * API/glib/JSCOptions.cpp: Added.
        (valueFromGValue):
        (valueToGValue):
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_set_boolean):
        (jsc_options_get_boolean):
        (jsc_options_set_int):
        (jsc_options_get_int):
        (jsc_options_set_uint):
        (jsc_options_get_uint):
        (jsc_options_set_size):
        (jsc_options_get_size):
        (jsc_options_set_double):
        (jsc_options_get_double):
        (jsc_options_set_string):
        (jsc_options_get_string):
        (jsc_options_set_range_string):
        (jsc_options_get_range_string):
        (jscOptionsType):
        (jsc_options_foreach):
        (setOptionEntry):
        (jsc_options_get_option_group):
        * API/glib/JSCOptions.h: Added.
        * API/glib/docs/jsc-glib-4.0-sections.txt:
        * API/glib/docs/jsc-glib-docs.sgml:
        * API/glib/jsc.h:
        * GLib.cmake:

2019-01-23  Mark Lam  <mark.lam@apple.com>

        ARM64E should not ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=193744
        <rdar://problem/46262952>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
        making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform a forward analysis.
        We first clear all the availabilities of basic blocks to DeadFlush, which is an empty set. And then, we set the operands in the root block
        to ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
        merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability at the head
        of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
        The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
        BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
        as follows.

            BB0 -> BB1 -> BB2 -> BB4
             |        \        ^
             v          > BB3 /
            BB5

        And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.

            BB0 does nothing
                head: loc1 is dead
                tail: loc1 is dead

            BB1 has MovHint @1, loc1
                head: loc1 is dead
                tail: loc1 is live

            BB2 does nothing
                head: loc1 is live
                tail: loc1 is live

            BB3 has PutStack @1, loc1
                head: loc1 is live
                tail: loc1 is live

            BB4 has OSR exit using loc1
                head: loc1 is live
                tail: loc1 is live (in bytecode)

            BB5 does nothing
                head: loc1 is dead
                tail: loc1 is dead

        In our OSR Availability analysis, we always prune the loc1 result at BB1's head since its head says "loc1 is dead".
        But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.

        So, the flush format of loc1 at the tail of each BB is as follows.

            BB0
                ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
            BB1
                DeadFlush+@1 (pruning clears it)
            BB2
                DeadFlush+@1 (since it is propagated from BB1)
            BB3
                FlushedJSValue+@1 with loc1 (since it has PutStack)
            BB4
                FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
            BB5
                DeadFlush (pruning clears it)

        Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
        The correct fix is making availability "unavailable" when pruning based on bytecode liveness.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands to Availability::unavailable(),
        and then copy the calculated values from the current availability map.
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging for debugging.
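        As an added illustration (not code from the WebKit patch), the model below runs the six-block loc1 example above as a small forward
        dataflow analysis and compares the buggy pruning (DeadFlush, BOTTOM) with the fixed pruning (Availability::unavailable(), TOP) at BB4's
        tail. FlushFormat, Availability, Block and Effect are simplified stand-ins for the DFG's FlushedAt and Availability types, not JSC's definitions.

```cpp
#include <array>
#include <cassert>
#include <cstdio>
#include <vector>

// Flush formats of one operand, modelled on the DFG's FlushedAt lattice:
// DeadFlush is BOTTOM (empty set), ConflictingFlush is TOP.
enum class FlushFormat { DeadFlush, FlushedJSValue, ConflictingFlush };

// Availability of loc1: the node holding its value (0 = none, -1 = conflicting
// nodes) and where it has been flushed to the stack.
struct Availability {
    int node = 0;
    FlushFormat flushedAt = FlushFormat::DeadFlush;

    // Availability::unavailable(): no node, ConflictingFlush (TOP).
    static Availability unavailable() {
        Availability a;
        a.flushedAt = FlushFormat::ConflictingFlush;
        return a;
    }

    Availability merge(const Availability& other) const {
        Availability r;
        if (node == other.node || !other.node) r.node = node;
        else if (!node) r.node = other.node;
        else r.node = -1;
        // DeadFlush is the identity of the merge; any other disagreement is a conflict.
        if (flushedAt == other.flushedAt) r.flushedAt = flushedAt;
        else if (flushedAt == FlushFormat::DeadFlush) r.flushedAt = other.flushedAt;
        else if (other.flushedAt == FlushFormat::DeadFlush) r.flushedAt = flushedAt;
        else r.flushedAt = FlushFormat::ConflictingFlush;
        return r;
    }
    bool operator!=(const Availability& o) const { return node != o.node || flushedAt != o.flushedAt; }
};

// What each block does to loc1 in the entry's example.
enum class Effect { None, MovHint, PutStack };

struct Block {
    std::vector<int> successors;
    bool loc1LiveAtHead;   // bytecode liveness of loc1 at the block head
    Effect effect;
};

// The six-block CFG and liveness from the entry (constructed sample input).
static const std::array<Block, 6> kBlocks = {{
    { {1, 5}, false, Effect::None },     // BB0
    { {2, 3}, false, Effect::MovHint },  // BB1: MovHint @1, loc1
    { {4},    true,  Effect::None },     // BB2
    { {4},    true,  Effect::PutStack }, // BB3: PutStack @1, loc1
    { {},     true,  Effect::None },     // BB4: OSR exit reads loc1
    { {},     false, Effect::None },     // BB5
}};

// pruneByLiveness as the entry describes it: the buggy version clears a dead
// operand to DeadFlush (BOTTOM); the fixed version resets it to unavailable()
// (ConflictingFlush, TOP). Live operands keep their computed availability.
static Availability pruneByLiveness(Availability a, bool live, bool buggy) {
    if (live) return a;
    return buggy ? Availability() : Availability::unavailable();
}

static Availability applyEffect(Availability a, Effect e) {
    if (e == Effect::MovHint) a.node = 1;                       // loc1 now lives in @1
    if (e == Effect::PutStack) { a.node = 1; a.flushedAt = FlushFormat::FlushedJSValue; }
    return a;
}

// Forward analysis to a fixed point; returns loc1's availability at each tail.
static std::array<Availability, 6> analyzeLoc1(bool buggyPrune) {
    std::array<Availability, 6> head{}, tail{};
    head[0] = Availability::unavailable();   // root block starts at ConflictingFlush
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t i = 0; i < kBlocks.size(); ++i) {
            Availability t = applyEffect(head[i], kBlocks[i].effect);
            if (t != tail[i]) { tail[i] = t; changed = true; }
            for (int s : kBlocks[i].successors) {
                Availability h = pruneByLiveness(head[s].merge(tail[i]), kBlocks[s].loc1LiveAtHead, buggyPrune);
                if (h != head[s]) { head[s] = h; changed = true; }
            }
        }
    }
    return tail;
}

// True when BB4's OSR exit would read loc1 from the stack; that is wrong on the
// path BB0->BB1->BB2->BB4, where nothing flushed it.
static bool exitReadsUnflushedStack(bool buggyPrune) {
    return analyzeLoc1(buggyPrune)[4].flushedAt == FlushFormat::FlushedJSValue;
}

int main() {
    static const char* names[] = { "DeadFlush", "FlushedJSValue", "ConflictingFlush" };
    for (bool buggy : { true, false }) {
        std::printf("%s pruning:\n", buggy ? "buggy" : "fixed");
        auto tails = analyzeLoc1(buggy);
        for (size_t i = 0; i < tails.size(); ++i)
            std::printf("  BB%zu tail: %s node=%d\n", i, names[(int)tails[i].flushedAt], tails[i].node);
    }
    return exitReadsUnflushedStack(true) && !exitReadsUnflushedStack(false) ? 0 : 1;
}
```

        With the fix, BB4 ends up ConflictingFlush with @1 still available, so the exit recovers loc1 from the node instead of the unflushed stack slot.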

2019-01-23  David Kilzer  <ddkilzer@apple.com>

        [JSC] Duplicate global variables: JSC::opcodeLengths
        <https://webkit.org/b/193714>
        <rdar://problem/47340200>

        Reviewed by Mark Lam.

        * bytecode/Opcode.cpp:
        (JSC::opcodeLengths): Move array implementation here and mark
        const.
        * bytecode/Opcode.h:
        (JSC::opcodeLengths): Change to extern declaration.

2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Remote Inspector: no data displayed
        https://bugs.webkit.org/show_bug.cgi?id=193569

        Reviewed by Michael Catanzaro.

        Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
        deadlock.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setup):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/ObjectPrototype.h:
        * runtime/ObjectPrototypeInlines.h: Removed.
        * runtime/StructureRareData.h:

2019-01-22  Devin Rousso  <drousso@apple.com>

        Web Inspector: expose Audit and Recording versions to the frontend
        https://bugs.webkit.org/show_bug.cgi?id=193262
        <rdar://problem/47130684>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Audit.json:
        * inspector/protocol/Recording.json:
        Add `version` values.

        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domain.version): Added.
        (Domains):

        * inspector/scripts/codegen/generator.py:
        (Generator.version_for_domain): Added.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_versions): Added.

        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.generate_domain):

        * inspector/scripts/tests/generic/version.json: Added.
        * inspector/scripts/tests/generic/expected/version.json-result: Added.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl constructors should fit in sizeof(InternalFunction)
        https://bugs.webkit.org/show_bug.cgi?id=193661

        Reviewed by Mark Lam.

        Previously all the Intl constructors had their own subspace. This is because these constructors have a different size from InternalFunction.
        But that is too costly an approach in terms of memory usage, since there is only one of each constructor per JSGlobalObject. This patch attempts to
        reduce the memory consumed by these Intl objects by holding instance structures in IntlObject instead of in each Intl constructor,
        so that we can make sizeof(Intl constructors) == sizeof(InternalFunction) and drop the costly subspaces. Since this patch drops subspaces in VM,
        it also significantly reduces sizeof(VM), from 76696 to 74680.

        This patch also includes the preparation for making Intl properties lazy. But it is not currently possible since a @Collator reference exists
        in builtin code.

        * CMakeLists.txt:
        * DerivedSources.make:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::create):
        (JSC::IntlCollatorConstructor::finishCreation):
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        (JSC::IntlCollatorConstructor::visitChildren): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::create):
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        (JSC::IntlDateTimeFormatConstructor::visitChildren): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::create):
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        (JSC::IntlNumberFormatConstructor::visitChildren): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlObject.cpp:
        (JSC::createCollatorConstructor):
        (JSC::createNumberFormatConstructor):
        (JSC::createDateTimeFormatConstructor):
        (JSC::createPluralRulesConstructor):
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation):
        (JSC::IntlObject::visitChildren):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::IntlPluralRulesConstructor::visitChildren): Deleted.
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::intlObject const):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, restore bytecode cache-related JSC options deleted in r240254
        https://bugs.webkit.org/show_bug.cgi?id=192782

        The JSC options were committed as part of r240210, which got rolled out in
        r240224. However, the options got re-landed in r240248 and then deleted
        again in r240254 (immediately before the caching code landed in r240255).

        * runtime/Options.h:

2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>

        Cache bytecode to disk
        https://bugs.webkit.org/show_bug.cgi?id=192782
        <rdar://problem/46084932>

        Reviewed by Keith Miller.

        Add the logic to serialize and deserialize the new JSC bytecode. For now,
        the cache is only used for tests.

        Each class that can be serialized has a counterpart in CachedTypes, which
        handles the decoding and encoding. When decoding, the cached objects are
        mmap'd from disk, but only used for creating instances of the respective
        in-memory version of each object. Ideally, the mmap'd objects should be
        used at runtime in the future.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinNames.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * bytecode/CodeBlock.h:
        * bytecode/HandlerInfo.h:
        (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
        * bytecode/InstructionStream.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addSetConstant):
        (JSC::UnlinkedCodeBlock::constantIdentifierSets):
        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/UnlinkedGlobalCodeBlock.h:
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        * bytecode/UnlinkedMetadataTable.h:
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * interpreter/Interpreter.cpp:
        * jsc.cpp:
        (functionQuit):
        (runJSC):
        * parser/SourceCode.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::operator!= const):
        * parser/UnlinkedSourceCode.h:
        * parser/VariableEnvironment.h:
        * runtime/CachedTypes.cpp: Added.
        (JSC::Encoder::Allocation::buffer const):
        (JSC::Encoder::Allocation::offset const):
        (JSC::Encoder::Allocation::Allocation):
        (JSC::Encoder::Encoder):
        (JSC::Encoder::vm):
        (JSC::Encoder::malloc):
        (JSC::Encoder::offsetOf):
        (JSC::Encoder::cachePtr):
        (JSC::Encoder::offsetForPtr):
        (JSC::Encoder::release):
        (JSC::Encoder::Page::Page):
        (JSC::Encoder::Page::malloc):
        (JSC::Encoder::Page::buffer const):
        (JSC::Encoder::Page::size const):
        (JSC::Encoder::Page::getOffset const):
        (JSC::Encoder::allocateNewPage):
        (JSC::Decoder::Decoder):
        (JSC::Decoder::~Decoder):
        (JSC::Decoder::vm):
        (JSC::Decoder::offsetOf):
        (JSC::Decoder::cacheOffset):
        (JSC::Decoder::addFinalizer):
        (JSC::encode):
        (JSC::decode):
        (JSC::VariableLengthObject::buffer const):
        (JSC::VariableLengthObject::allocate):
        (JSC::CachedPtr::encode):
        (JSC::CachedPtr::decode const):
        (JSC::CachedPtr::operator-> const):
        (JSC::CachedPtr::get const):
        (JSC::CachedRefPtr::encode):
        (JSC::CachedRefPtr::decode const):
        (JSC::CachedWriteBarrier::encode):
        (JSC::CachedWriteBarrier::decode const):
        (JSC::CachedVector::encode):
        (JSC::CachedVector::decode const):
        (JSC::CachedPair::encode):
        (JSC::CachedPair::decode const):
        (JSC::CachedHashMap::encode):
        (JSC::CachedHashMap::decode const):
        (JSC::CachedUniquedStringImpl::encode):
        (JSC::CachedUniquedStringImpl::decode const):
        (JSC::CachedStringImpl::encode):
        (JSC::CachedStringImpl::decode const):
        (JSC::CachedString::encode):
        (JSC::CachedString::decode const):
        (JSC::CachedIdentifier::encode):
        (JSC::CachedIdentifier::decode const):
        (JSC::CachedOptional::encode):
        (JSC::CachedOptional::decode const):
        (JSC::CachedOptional::decodeAsPtr const):
        (JSC::CachedSimpleJumpTable::encode):
        (JSC::CachedSimpleJumpTable::decode const):
        (JSC::CachedStringJumpTable::encode):
        (JSC::CachedStringJumpTable::decode const):
        (JSC::CachedCodeBlockRareData::encode):
        (JSC::CachedCodeBlockRareData::decode const):
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):
        (JSC::CachedHashSet::encode):
        (JSC::CachedHashSet::decode const):
        (JSC::CachedConstantIdentifierSetEntry::encode):
        (JSC::CachedConstantIdentifierSetEntry::decode const):
        (JSC::CachedVariableEnvironment::encode):
        (JSC::CachedVariableEnvironment::decode const):
        (JSC::CachedArray::encode):
        (JSC::CachedArray::decode const):
        (JSC::CachedScopedArgumentsTable::encode):
        (JSC::CachedScopedArgumentsTable::decode const):
        (JSC::CachedSymbolTableEntry::encode):
        (JSC::CachedSymbolTableEntry::decode const):
        (JSC::CachedSymbolTable::encode):
        (JSC::CachedSymbolTable::decode const):
        (JSC::CachedImmutableButterfly::encode):
        (JSC::CachedImmutableButterfly::decode const):
        (JSC::CachedRegExp::encode):
        (JSC::CachedRegExp::decode const):
        (JSC::CachedTemplateObjectDescriptor::encode):
        (JSC::CachedTemplateObjectDescriptor::decode const):
        (JSC::CachedBigInt::encode):
        (JSC::CachedBigInt::decode const):
        (JSC::CachedJSValue::encode):
        (JSC::CachedJSValue::decode const):
        (JSC::CachedInstructionStream::encode):
        (JSC::CachedInstructionStream::decode const):
        (JSC::CachedMetadataTable::encode):
        (JSC::CachedMetadataTable::decode const):
        (JSC::CachedSourceOrigin::encode):
        (JSC::CachedSourceOrigin::decode const):
        (JSC::CachedTextPosition::encode):
        (JSC::CachedTextPosition::decode const):
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedSourceProviderShape::decode const):
        (JSC::CachedStringSourceProvider::encode):
        (JSC::CachedStringSourceProvider::decode const):
        (JSC::CachedWebAssemblySourceProvider::encode):
        (JSC::CachedWebAssemblySourceProvider::decode const):
        (JSC::CachedSourceProvider::encode):
        (JSC::CachedSourceProvider::decode const):
        (JSC::CachedUnlinkedSourceCodeShape::encode):
        (JSC::CachedUnlinkedSourceCodeShape::decode const):
        (JSC::CachedSourceCode::encode):
        (JSC::CachedSourceCode::decode const):
        (JSC::CachedFunctionExecutable::firstLineOffset const):
        (JSC::CachedFunctionExecutable::lineCount const):
        (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
        (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
        (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
        (JSC::CachedFunctionExecutable::startOffset const):
        (JSC::CachedFunctionExecutable::sourceLength const):
        (JSC::CachedFunctionExecutable::parametersStartOffset const):
        (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
        (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
        (JSC::CachedFunctionExecutable::parameterCount const):
        (JSC::CachedFunctionExecutable::features const):
        (JSC::CachedFunctionExecutable::sourceParseMode const):
        (JSC::CachedFunctionExecutable::isInStrictContext const):
        (JSC::CachedFunctionExecutable::hasCapturedVariables const):
        (JSC::CachedFunctionExecutable::isBuiltinFunction const):
        (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
        (JSC::CachedFunctionExecutable::constructAbility const):
        (JSC::CachedFunctionExecutable::constructorKind const):
        (JSC::CachedFunctionExecutable::functionMode const):
        (JSC::CachedFunctionExecutable::scriptMode const):
        (JSC::CachedFunctionExecutable::superBinding const):
        (JSC::CachedFunctionExecutable::derivedContextType const):
        (JSC::CachedFunctionExecutable::name const):
        (JSC::CachedFunctionExecutable::ecmaName const):
        (JSC::CachedFunctionExecutable::inferredName const):
        (JSC::CachedCodeBlock::instructions const):
        (JSC::CachedCodeBlock::thisRegister const):
        (JSC::CachedCodeBlock::scopeRegister const):
        (JSC::CachedCodeBlock::globalObjectRegister const):
        (JSC::CachedCodeBlock::sourceURLDirective const):
        (JSC::CachedCodeBlock::sourceMappingURLDirective const):
        (JSC::CachedCodeBlock::usesEval const):
        (JSC::CachedCodeBlock::isStrictMode const):
        (JSC::CachedCodeBlock::isConstructor const):
        (JSC::CachedCodeBlock::hasCapturedVariables const):
675         (JSC::CachedCodeBlock::isBuiltinFunction const):
676         (JSC::CachedCodeBlock::superBinding const):
677         (JSC::CachedCodeBlock::scriptMode const):
678         (JSC::CachedCodeBlock::isArrowFunctionContext const):
679         (JSC::CachedCodeBlock::isClassContext const):
680         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
681         (JSC::CachedCodeBlock::constructorKind const):
682         (JSC::CachedCodeBlock::derivedContextType const):
683         (JSC::CachedCodeBlock::evalContextType const):
684         (JSC::CachedCodeBlock::hasTailCalls const):
685         (JSC::CachedCodeBlock::lineCount const):
686         (JSC::CachedCodeBlock::endColumn const):
687         (JSC::CachedCodeBlock::numVars const):
688         (JSC::CachedCodeBlock::numCalleeLocals const):
689         (JSC::CachedCodeBlock::numParameters const):
690         (JSC::CachedCodeBlock::features const):
691         (JSC::CachedCodeBlock::parseMode const):
692         (JSC::CachedCodeBlock::codeType const):
693         (JSC::CachedCodeBlock::rareData const):
694         (JSC::CachedProgramCodeBlock::encode):
695         (JSC::CachedProgramCodeBlock::decode const):
696         (JSC::CachedModuleCodeBlock::encode):
697         (JSC::CachedModuleCodeBlock::decode const):
698         (JSC::CachedEvalCodeBlock::encode):
699         (JSC::CachedEvalCodeBlock::decode const):
700         (JSC::CachedFunctionCodeBlock::encode):
701         (JSC::CachedFunctionCodeBlock::decode const):
702         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
703         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
704         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
705         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
706         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
707         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
708         (JSC::CachedFunctionExecutable::encode):
709         (JSC::CachedFunctionExecutable::decode const):
710         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
711         (JSC::CachedCodeBlock<CodeBlockType>::encode):
712         (JSC::CachedSourceCodeKey::encode):
713         (JSC::CachedSourceCodeKey::decode const):
714         (JSC::CacheEntry::encode):
715         (JSC::CacheEntry:: const):
716         (JSC:: const):
717         (JSC::encodeCodeBlock):
718         (JSC::decodeCodeBlockImpl):
719         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
720         (JSC::decodeCodeBlock):
721         * runtime/CodeCache.cpp:
722         (JSC::CodeCacheMap::pruneSlowCase):
723         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
724         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
725         (JSC::CodeCache::write):
726         * runtime/CodeCache.h:
727         (JSC::CodeCacheMap::begin):
728         (JSC::CodeCacheMap::end):
729         (JSC::CodeCacheMap::fetchFromDiskImpl):
730         (JSC::CodeCacheMap::findCacheAndUpdateAge):
731         (JSC::writeCodeBlock):
732         * runtime/JSBigInt.cpp:
733         * runtime/JSBigInt.h:
734         * runtime/Options.cpp:
735         (JSC::recomputeDependentOptions):
736         * runtime/RegExp.h:
737         * runtime/ScopedArgumentsTable.h:
738         * runtime/StackFrame.h:
739         * runtime/StructureInlines.h:
740         * runtime/SymbolTable.h:
741
742 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         [JSC] Invalidate old scope operations using global lexical binding epoch
745         https://bugs.webkit.org/show_bug.cgi?id=193603
746         <rdar://problem/47380869>
747
748         Reviewed by Saam Barati.
749
750         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
751         scope related operations since we may have had a global property previously. Consider the following example:
752
753             foo = 0;
754             function get() { return foo; }
755             print(get()); // 0
756             print(get()); // 0
757             delete globalThis.foo;
758             $.evalScript(`const foo = 42;`);
759             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
760
761         To invalidate the cache easily, we introduce a global lexical binding epoch. It is bumped every time we introduce a new lexical binding
762         into JSGlobalLexicalEnvironment, since that name could shadow a previously existing global property name. In op_resolve_scope, we first check
763         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
764         operation to the appropriate one even if the resolve type is not UnresolvedProperty type. After updating the resolve type of the bytecode,
765         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
766
767         In op_get_from_scope and op_put_to_scope, we do not use this epoch since the Structure check can do the same thing instead. If op_resolve_scope
768         is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, obviously the structure check fails.
769         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
770
771         So, the metadata for scope related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint based approach.
772         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid an
773         infinite compile-and-fail loop.
774
775         When the global lexical binding epoch overflows, we iterate all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
776         happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
777         structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
778         reason.
779
780         * bytecode/BytecodeList.rb:
781         * bytecode/CodeBlock.cpp:
782         (JSC::CodeBlock::finishCreation):
783         (JSC::CodeBlock::notifyLexicalBindingUpdate):
784         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
785         * bytecode/CodeBlock.h:
786         * dfg/DFGByteCodeParser.cpp:
787         (JSC::DFG::ByteCodeParser::parseBlock):
788         * dfg/DFGDesiredGlobalProperties.cpp:
789         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
790         * dfg/DFGDesiredGlobalProperties.h:
791         * dfg/DFGGraph.cpp:
792         (JSC::DFG::Graph::watchGlobalProperty):
793         * dfg/DFGGraph.h:
794         * dfg/DFGPlan.cpp:
795         (JSC::DFG::Plan::isStillValidOnMainThread):
796         * jit/JITPropertyAccess.cpp:
797         (JSC::JIT::emit_op_resolve_scope):
798         * jit/JITPropertyAccess32_64.cpp:
799         (JSC::JIT::emit_op_resolve_scope):
800         * llint/LowLevelInterpreter32_64.asm:
801         * llint/LowLevelInterpreter64.asm:
802         * runtime/CommonSlowPaths.cpp:
803         (JSC::SLOW_PATH_DECL):
804         * runtime/CommonSlowPaths.h:
805         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
806         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
807         * runtime/JSGlobalObject.cpp:
808         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
809         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
810         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
811         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
812         * runtime/JSGlobalObject.h:
813         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
814         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
815         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
816         * runtime/Options.cpp:
817         (JSC::correctOptions):
818         (JSC::Options::initialize):
819         (JSC::Options::setOptions):
820         (JSC::Options::setOptionWithoutAlias):
821         * runtime/Options.h:
822         * runtime/ProgramExecutable.cpp:
823         (JSC::ProgramExecutable::initializeGlobalProperties):
824
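        As an added illustration of the epoch scheme described in the entry above (this is a model written here, not JavaScriptCore code): each op_resolve_scope metadata caches its resolve type together with the epoch it was computed in, and the global object bumps the epoch whenever a lexical binding is added, walking the live CodeBlocks on overflow. The 8-bit epoch, the reserved invalid value 0, the name sets standing in for the global object and JSGlobalLexicalEnvironment, and the slow-path counter are assumptions made here so the overflow walk is easy to reach.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// How an op_resolve_scope for a global name was last resolved.
enum class ResolveType { UnresolvedProperty, GlobalProperty, GlobalLexicalVar };

// Per-instruction cache: the answer plus the epoch it was computed in; epoch 0 is reserved as never valid.
struct ResolveScopeMetadata {
    std::string name;
    ResolveType resolveType = ResolveType::UnresolvedProperty;
    uint8_t cachedEpoch = 0;
};

struct CodeBlock {
    std::vector<ResolveScopeMetadata> resolveScopes;
    // Counterpart of CodeBlock::notifyLexicalBindingUpdate: drop every cached epoch.
    void notifyLexicalBindingUpdate() { for (auto& m : resolveScopes) m.cachedEpoch = 0; }
};

class GlobalObject {
public:
    uint8_t globalLexicalBindingEpoch() const { return m_epoch; }
    unsigned slowPathCount() const { return m_slowPathCount; }
    void addCodeBlock(CodeBlock* block) { m_liveCodeBlocks.push_back(block); }
    void putGlobalProperty(const std::string& name) { m_properties.insert(name); }
    void deleteGlobalProperty(const std::string& name) { m_properties.erase(name); }
    // A top-level let/const/class may shadow a same-named global property, so bump the epoch.
    void addGlobalLexicalBinding(const std::string& name) {
        m_lexicalBindings.insert(name);
        bumpGlobalLexicalBindingEpoch();
    }

    // op_resolve_scope: fast path when the cached epoch matches, slow path otherwise.
    ResolveType resolveScope(ResolveScopeMetadata& metadata) {
        if (metadata.cachedEpoch == m_epoch)
            return metadata.resolveType;
        ++m_slowPathCount;
        if (m_lexicalBindings.count(metadata.name))      // lexical binding shadows the property
            metadata.resolveType = ResolveType::GlobalLexicalVar;
        else if (m_properties.count(metadata.name))
            metadata.resolveType = ResolveType::GlobalProperty;
        else
            metadata.resolveType = ResolveType::UnresolvedProperty;
        metadata.cachedEpoch = m_epoch;                   // trusted until the next lexical binding
        return metadata.resolveType;
    }

private:
    void bumpGlobalLexicalBindingEpoch() {
        if (m_epoch == UINT8_MAX) {
            // Overflow: wrap to 1 (never 0) and walk live CodeBlocks so no stale entry matches the new epoch.
            m_epoch = 1;
            for (CodeBlock* block : m_liveCodeBlocks)
                block->notifyLexicalBindingUpdate();
            return;
        }
        ++m_epoch;
    }

    uint8_t m_epoch = 1;
    unsigned m_slowPathCount = 0;
    std::set<std::string> m_properties, m_lexicalBindings;
    std::vector<CodeBlock*> m_liveCodeBlocks;
};

struct ScenarioResult { ResolveType first; ResolveType after; unsigned slowPaths; };
// Replays the entry's example: foo = 0; get(); get(); delete globalThis.foo; const foo = 42; get();
ScenarioResult replayShadowingScenario() {
    GlobalObject global;
    CodeBlock getBlock;                                   // the CodeBlock of get()
    getBlock.resolveScopes.push_back({"foo"});
    global.addCodeBlock(&getBlock);
    ResolveScopeMetadata& foo = getBlock.resolveScopes[0];
    global.putGlobalProperty("foo");                      // foo = 0;
    ResolveType first = global.resolveScope(foo);         // get(): slow path, caches GlobalProperty
    global.resolveScope(foo);                             // get(): fast path, same epoch
    global.deleteGlobalProperty("foo");                   // delete globalThis.foo;
    global.addGlobalLexicalBinding("foo");                // $.evalScript(`const foo = 42;`) bumps the epoch
    ResolveType after = global.resolveScope(foo);         // get(): epoch mismatch, slow path re-resolves
    return {first, after, global.slowPathCount()};
}

// Drives the 8-bit epoch past UINT8_MAX; the wrap must invalidate an entry cached in epoch 1.
bool overflowForcesSlowPath() {
    GlobalObject global;
    CodeBlock block;
    block.resolveScopes.push_back({"bar"});
    global.addCodeBlock(&block);
    global.putGlobalProperty("bar");
    global.resolveScope(block.resolveScopes[0]);          // cached with epoch 1
    for (int i = 0; i < 255; ++i)                         // 254 bumps reach 255, the 255th wraps to 1
        global.addGlobalLexicalBinding("x" + std::to_string(i));
    bool invalidated = global.globalLexicalBindingEpoch() == 1 && block.resolveScopes[0].cachedEpoch == 0;
    unsigned before = global.slowPathCount();
    global.resolveScope(block.resolveScopes[0]);          // must not trust the stale epoch-1 entry
    return invalidated && global.slowPathCount() == before + 1;
}
```
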
825 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
826
827         Unreviewed, roll out r240220 due to date-format-xparb regression
828         https://bugs.webkit.org/show_bug.cgi?id=193603
829
830         * bytecode/BytecodeList.rb:
831         * bytecode/CodeBlock.cpp:
832         (JSC::CodeBlock::notifyLexicalBindingShadowing):
833         (JSC::CodeBlock::notifyLexicalBindingUpdate): Deleted.
834         * bytecode/CodeBlock.h:
835         * dfg/DFGByteCodeParser.cpp:
836         (JSC::DFG::ByteCodeParser::parseBlock):
837         * dfg/DFGDesiredGlobalProperties.cpp:
838         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
839         * dfg/DFGDesiredGlobalProperties.h:
840         * dfg/DFGGraph.cpp:
841         (JSC::DFG::Graph::watchGlobalProperty): Deleted.
842         * dfg/DFGGraph.h:
843         * dfg/DFGPlan.cpp:
844         (JSC::DFG::Plan::isStillValidOnMainThread):
845         * jit/JITPropertyAccess.cpp:
846         (JSC::JIT::emit_op_resolve_scope):
847         * jit/JITPropertyAccess32_64.cpp:
848         (JSC::JIT::emit_op_resolve_scope):
849         * llint/LowLevelInterpreter32_64.asm:
850         * llint/LowLevelInterpreter64.asm:
851         * runtime/CommonSlowPaths.cpp:
852         (JSC::SLOW_PATH_DECL):
853         * runtime/CommonSlowPaths.h:
854         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
855         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
856         * runtime/JSGlobalObject.cpp:
857         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
858         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
859         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
860         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch): Deleted.
861         * runtime/JSGlobalObject.h:
862         (JSC::JSGlobalObject::globalLexicalBindingEpoch const): Deleted.
863         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset): Deleted.
864         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch): Deleted.
865         * runtime/Options.cpp:
866         (JSC::Options::initialize):
867         (JSC::Options::setOptions):
868         (JSC::Options::setOptionWithoutAlias):
869         (JSC::correctOptions): Deleted.
870         * runtime/Options.h:
871         * runtime/ProgramExecutable.cpp:
872         (JSC::ProgramExecutable::initializeGlobalProperties):
873
874 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
875
876         [JSC] StrictModeTypeErrorFunction is no longer used
877         https://bugs.webkit.org/show_bug.cgi?id=193662
878
879         Reviewed by Mark Lam.
880
881         StrictModeTypeErrorFunction is no longer used. This patch drops it. Furthermore, it also allows us to drop
882         strictModeTypeErrorFunctionSpace from VM.
883
884         * runtime/Error.cpp:
885         (JSC::StrictModeTypeErrorFunction::destroy): Deleted.
886         * runtime/Error.h:
887         (): Deleted.
888         * runtime/VM.cpp:
889         (JSC::VM::VM):
890         * runtime/VM.h:
891
892 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
893
894         DoesGC rule is wrong for nodes with BigIntUse
895         https://bugs.webkit.org/show_bug.cgi?id=193652
896
897         Reviewed by Saam Barati.
898
899         The former rule was that ValueOp does not GC. However, this is wrong, since
900         these operations can trigger GC and mess up memory management. In the end, this
901         will generate wrong code because we will have a wrong GC epoch value during the
902         Store Barrier Insertion phase.
903         We changed this to consider BigIntUse for such nodes and properly return true when
904         they are BigIntUse.
905
906         * dfg/DFGDoesGC.cpp:
907         (JSC::DFG::doesGC):
908
909 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
910
911         [JSC] Lazily initialize JSModuleLoader
912         https://bugs.webkit.org/show_bug.cgi?id=193646
913
914         Reviewed by Keith Miller and Saam Barati.
915
916         Lazily initialize JSModuleLoader so that we do not need to initialize it until we need modules.
917
918         * runtime/JSGlobalObject.cpp:
919         (JSC::JSGlobalObject::init):
920         (JSC::JSGlobalObject::visitChildren):
921         * runtime/JSGlobalObject.h:
922         (JSC::JSGlobalObject::moduleLoader const):
923
924 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
925
926         [JSC] sub op with 0 should be optimized
927         https://bugs.webkit.org/show_bug.cgi?id=190751
928
929         Reviewed by Mark Lam.
930
931         LLInt sometimes emits `subp 0, %rxx`. For example, `maxFrameExtentForSlowPathCall` is 0 in X86_64, ARM64, and ARM64E.
932         So `subp maxFrameExtentForSlowPathCall sp` becomes `subp 0, %rsp`. While `addp 0, %rsp` is removed in offlineasm,
933         the sub operation does not have such an optimization. This patch applies to the sub operation the same optimization already
934         done for the add operation. Since the CPU flags changed by these offlineasm operations are not considered (if these flags
935         are required, we use special branch operations instead), this optimization is sane.
936
937         One problem is the zero-extension of the 32bit register in 64bit architectures. If the instruction emission is skipped,
938         this won't happen. Currently, we align our sub with the add operation: we skip emission in this case.
939
940         * offlineasm/arm64.rb:
941         * offlineasm/x86.rb:
942
943 2019-01-20  Saam Barati  <sbarati@apple.com>
944
945         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
946         https://bugs.webkit.org/show_bug.cgi?id=193644
947         <rdar://problem/46209745>
948
949         Reviewed by Yusuke Suzuki.
950
951         This patch also makes it so we fail fast when we make this mistake.
952         I've made this mistake more than once.
953
954         * dfg/DFGByteCodeParser.cpp:
955         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
956
957 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
958
959         [JSC] Reduce size of SourceProvider
960         https://bugs.webkit.org/show_bug.cgi?id=193544
961
962         Reviewed by Saam Barati.
963
964         This patch attempts to reduce the dirty memory footprint by the following 3 optimizations.
965
966         1. Reordering the members of SourceProvider to reduce the size. This affects JSC, and CachedScriptSourceProvider used in WebCore.
967
968         2. Create one SourceProvider for all the builtin code and use substring to create builtin JS functions.
969            This reduces the # of SourceProviders created for builtins.
970
971         3. Drop the m_validated flag in SourceProvider since nobody uses it. It also deletes dead code in Parser.cpp.
972
973         Unfortunately, MSVC does not accept a super long C string literal. So instead, we construct the combined string in the form of a C array.
974
975         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
976         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
977         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
978         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
979         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
980         (BuiltinsCombinedHeaderGenerator.generate_output):
981         * Scripts/wkbuiltins/builtins_generate_combined_implementation.py:
982         (BuiltinsCombinedImplementationGenerator.generate_output):
983         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py:
984         (BuiltinsSeparateImplementationGenerator.generate_output):
985         * Scripts/wkbuiltins/builtins_generator.py:
986         (BuiltinsGenerator.generate_embedded_code_data_for_function):
987         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
988         (BuiltinsGenerator.generate_embedded_code_string_section_for_function): Deleted.
989         * builtins/BuiltinExecutables.cpp:
990         (JSC::BuiltinExecutables::BuiltinExecutables):
991         (JSC::JSC_FOREACH_BUILTIN_CODE):
992         (JSC::BuiltinExecutables::createExecutable):
993         * builtins/BuiltinExecutables.h:
994         * parser/Parser.cpp:
995         (JSC::Parser<LexerType>::Parser):
996         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
997         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
998         (JSC::Parser<LexerType>::parseObjectLiteral):
999         (JSC::Parser<LexerType>::parseUnaryExpression):
1000         * parser/Parser.h:
1001         * parser/SourceCode.h:
1002         * parser/SourceProvider.cpp:
1003         (JSC::SourceProvider::SourceProvider):
1004         * parser/SourceProvider.h:
1005         (JSC::SourceProvider::isValid const): Deleted.
1006         (JSC::SourceProvider::setValid): Deleted.
1007         * runtime/CachedTypes.cpp:
1008         (JSC::CachedSourceProviderShape::encode):
1009         (JSC::CachedSourceProviderShape::decode const):
1010
1011 2019-01-20  Michael Catanzaro  <mcatanzaro@igalia.com>
1012
1013         Unreviewed, fix -Wint-in-bool-context warning
1014         https://bugs.webkit.org/show_bug.cgi?id=193483
1015         <rdar://problem/47280522>
1016
1017         * dfg/DFGFixupPhase.cpp:
1018         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
1019
1020 2019-01-20  Saam Barati  <sbarati@apple.com>
1021
1022         Rollout r240210: It broke tests on iOS
1023         https://bugs.webkit.org/show_bug.cgi?id=193640
1024
1025         Unreviewed. ~2650 tests are failing on iOS.
1026
1027         * CMakeLists.txt:
1028         * JavaScriptCore.xcodeproj/project.pbxproj:
1029         * Sources.txt:
1030         * builtins/BuiltinNames.cpp:
1031         (JSC::BuiltinNames::BuiltinNames):
1032         * builtins/BuiltinNames.h:
1033         * bytecode/CodeBlock.cpp:
1034         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1035         * bytecode/CodeBlock.h:
1036         * bytecode/HandlerInfo.h:
1037         * bytecode/InstructionStream.h:
1038         * bytecode/UnlinkedCodeBlock.h:
1039         (JSC::UnlinkedCodeBlock::addSetConstant):
1040         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1041         * bytecode/UnlinkedEvalCodeBlock.h:
1042         * bytecode/UnlinkedFunctionCodeBlock.h:
1043         * bytecode/UnlinkedFunctionExecutable.h:
1044         * bytecode/UnlinkedGlobalCodeBlock.h:
1045         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1046         * bytecode/UnlinkedMetadataTable.h:
1047         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1048         * bytecode/UnlinkedProgramCodeBlock.h:
1049         * interpreter/Interpreter.cpp:
1050         * jsc.cpp:
1051         (functionQuit):
1052         (runJSC):
1053         * parser/SourceCode.h:
1054         * parser/SourceCodeKey.h:
1055         (JSC::SourceCodeKey::operator!= const): Deleted.
1056         * parser/UnlinkedSourceCode.h:
1057         * parser/VariableEnvironment.h:
1058         * runtime/CachedTypes.cpp:
1059         (): Deleted.
1060         (JSC::Encoder::Allocation::buffer const): Deleted.
1061         (JSC::Encoder::Allocation::offset const): Deleted.
1062         (JSC::Encoder::Allocation::Allocation): Deleted.
1063         (JSC::Encoder::Encoder): Deleted.
1064         (JSC::Encoder::vm): Deleted.
1065         (JSC::Encoder::malloc): Deleted.
1066         (JSC::Encoder::offsetOf): Deleted.
1067         (JSC::Encoder::cachePtr): Deleted.
1068         (JSC::Encoder::offsetForPtr): Deleted.
1069         (JSC::Encoder::release): Deleted.
1070         (JSC::Encoder::Page::Page): Deleted.
1071         (JSC::Encoder::Page::malloc): Deleted.
1072         (JSC::Encoder::Page::buffer const): Deleted.
1073         (JSC::Encoder::Page::size const): Deleted.
1074         (JSC::Encoder::Page::getOffset const): Deleted.
1075         (JSC::Encoder::allocateNewPage): Deleted.
1076         (JSC::Decoder::Decoder): Deleted.
1077         (JSC::Decoder::~Decoder): Deleted.
1078         (JSC::Decoder::vm): Deleted.
1079         (JSC::Decoder::offsetOf): Deleted.
1080         (JSC::Decoder::cacheOffset): Deleted.
1081         (JSC::Decoder::addFinalizer): Deleted.
1082         (JSC::encode): Deleted.
1083         (JSC::decode): Deleted.
1084         (JSC::VariableLengthObject::buffer const): Deleted.
1085         (JSC::VariableLengthObject::allocate): Deleted.
1086         (JSC::CachedPtr::encode): Deleted.
1087         (JSC::CachedPtr::decode const): Deleted.
1088         (JSC::CachedPtr::operator-> const): Deleted.
1089         (JSC::CachedPtr::get const): Deleted.
1090         (JSC::CachedRefPtr::encode): Deleted.
1091         (JSC::CachedRefPtr::decode const): Deleted.
1092         (JSC::CachedWriteBarrier::encode): Deleted.
1093         (JSC::CachedWriteBarrier::decode const): Deleted.
1094         (JSC::CachedVector::encode): Deleted.
1095         (JSC::CachedVector::decode const): Deleted.
1096         (JSC::CachedPair::encode): Deleted.
1097         (JSC::CachedPair::decode const): Deleted.
1098         (JSC::CachedHashMap::encode): Deleted.
1099         (JSC::CachedHashMap::decode const): Deleted.
1100         (JSC::CachedUniquedStringImpl::encode): Deleted.
1101         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1102         (JSC::CachedStringImpl::encode): Deleted.
1103         (JSC::CachedStringImpl::decode const): Deleted.
1104         (JSC::CachedString::encode): Deleted.
1105         (JSC::CachedString::decode const): Deleted.
1106         (JSC::CachedIdentifier::encode): Deleted.
1107         (JSC::CachedIdentifier::decode const): Deleted.
1108         (JSC::CachedOptional::encode): Deleted.
1109         (JSC::CachedOptional::decode const): Deleted.
1110         (JSC::CachedOptional::decodeAsPtr const): Deleted.
1111         (JSC::CachedSimpleJumpTable::encode): Deleted.
1112         (JSC::CachedSimpleJumpTable::decode const): Deleted.
1113         (JSC::CachedStringJumpTable::encode): Deleted.
1114         (JSC::CachedStringJumpTable::decode const): Deleted.
1115         (JSC::CachedCodeBlockRareData::encode): Deleted.
1116         (JSC::CachedCodeBlockRareData::decode const): Deleted.
1117         (JSC::CachedBitVector::encode): Deleted.
1118         (JSC::CachedBitVector::decode const): Deleted.
1119         (JSC::CachedHashSet::encode): Deleted.
1120         (JSC::CachedHashSet::decode const): Deleted.
1121         (JSC::CachedConstantIdentifierSetEntry::encode): Deleted.
1122         (JSC::CachedConstantIdentifierSetEntry::decode const): Deleted.
1123         (JSC::CachedVariableEnvironment::encode): Deleted.
1124         (JSC::CachedVariableEnvironment::decode const): Deleted.
1125         (JSC::CachedArray::encode): Deleted.
1126         (JSC::CachedArray::decode const): Deleted.
1127         (JSC::CachedScopedArgumentsTable::encode): Deleted.
1128         (JSC::CachedScopedArgumentsTable::decode const): Deleted.
1129         (JSC::CachedSymbolTableEntry::encode): Deleted.
1130         (JSC::CachedSymbolTableEntry::decode const): Deleted.
1131         (JSC::CachedSymbolTable::encode): Deleted.
1132         (JSC::CachedSymbolTable::decode const): Deleted.
1133         (JSC::CachedImmutableButterfly::encode): Deleted.
1134         (JSC::CachedImmutableButterfly::decode const): Deleted.
1135         (JSC::CachedRegExp::encode): Deleted.
1136         (JSC::CachedRegExp::decode const): Deleted.
1137         (JSC::CachedTemplateObjectDescriptor::encode): Deleted.
1138         (JSC::CachedTemplateObjectDescriptor::decode const): Deleted.
1139         (JSC::CachedBigInt::encode): Deleted.
1140         (JSC::CachedBigInt::decode const): Deleted.
1141         (JSC::CachedJSValue::encode): Deleted.
1142         (JSC::CachedJSValue::decode const): Deleted.
1143         (JSC::CachedInstructionStream::encode): Deleted.
1144         (JSC::CachedInstructionStream::decode const): Deleted.
1145         (JSC::CachedMetadataTable::encode): Deleted.
1146         (JSC::CachedMetadataTable::decode const): Deleted.
1147         (JSC::CachedSourceOrigin::encode): Deleted.
1148         (JSC::CachedSourceOrigin::decode const): Deleted.
1149         (JSC::CachedTextPosition::encode): Deleted.
1150         (JSC::CachedTextPosition::decode const): Deleted.
1151         (JSC::CachedSourceProviderShape::encode): Deleted.
1152         (JSC::CachedSourceProviderShape::decode const): Deleted.
1153         (JSC::CachedStringSourceProvider::encode): Deleted.
1154         (JSC::CachedStringSourceProvider::decode const): Deleted.
1155         (JSC::CachedWebAssemblySourceProvider::encode): Deleted.
1156         (JSC::CachedWebAssemblySourceProvider::decode const): Deleted.
1157         (JSC::CachedSourceProvider::encode): Deleted.
1158         (JSC::CachedSourceProvider::decode const): Deleted.
1159         (JSC::CachedUnlinkedSourceCodeShape::encode): Deleted.
1160         (JSC::CachedUnlinkedSourceCodeShape::decode const): Deleted.
1161         (JSC::CachedSourceCode::encode): Deleted.
1162         (JSC::CachedSourceCode::decode const): Deleted.
1163         (JSC::CachedFunctionExecutable::firstLineOffset const): Deleted.
1164         (JSC::CachedFunctionExecutable::lineCount const): Deleted.
1165         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const): Deleted.
1166         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const): Deleted.
1167         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const): Deleted.
1168         (JSC::CachedFunctionExecutable::startOffset const): Deleted.
1169         (JSC::CachedFunctionExecutable::sourceLength const): Deleted.
1170         (JSC::CachedFunctionExecutable::parametersStartOffset const): Deleted.
1171         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const): Deleted.
1172         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const): Deleted.
1173         (JSC::CachedFunctionExecutable::parameterCount const): Deleted.
1174         (JSC::CachedFunctionExecutable::features const): Deleted.
1175         (JSC::CachedFunctionExecutable::sourceParseMode const): Deleted.
1176         (JSC::CachedFunctionExecutable::isInStrictContext const): Deleted.
1177         (JSC::CachedFunctionExecutable::hasCapturedVariables const): Deleted.
1178         (JSC::CachedFunctionExecutable::isBuiltinFunction const): Deleted.
1179         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const): Deleted.
1180         (JSC::CachedFunctionExecutable::constructAbility const): Deleted.
1181         (JSC::CachedFunctionExecutable::constructorKind const): Deleted.
1182         (JSC::CachedFunctionExecutable::functionMode const): Deleted.
1183         (JSC::CachedFunctionExecutable::scriptMode const): Deleted.
1184         (JSC::CachedFunctionExecutable::superBinding const): Deleted.
1185         (JSC::CachedFunctionExecutable::derivedContextType const): Deleted.
1186         (JSC::CachedFunctionExecutable::name const): Deleted.
1187         (JSC::CachedFunctionExecutable::ecmaName const): Deleted.
1188         (JSC::CachedFunctionExecutable::inferredName const): Deleted.
1189         (JSC::CachedCodeBlock::instructions const): Deleted.
1190         (JSC::CachedCodeBlock::thisRegister const): Deleted.
1191         (JSC::CachedCodeBlock::scopeRegister const): Deleted.
1192         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1193         (JSC::CachedCodeBlock::sourceURLDirective const): Deleted.
1194         (JSC::CachedCodeBlock::sourceMappingURLDirective const): Deleted.
1195         (JSC::CachedCodeBlock::usesEval const): Deleted.
1196         (JSC::CachedCodeBlock::isStrictMode const): Deleted.
1197         (JSC::CachedCodeBlock::isConstructor const): Deleted.
1198         (JSC::CachedCodeBlock::hasCapturedVariables const): Deleted.
1199         (JSC::CachedCodeBlock::isBuiltinFunction const): Deleted.
1200         (JSC::CachedCodeBlock::superBinding const): Deleted.
1201         (JSC::CachedCodeBlock::scriptMode const): Deleted.
1202         (JSC::CachedCodeBlock::isArrowFunctionContext const): Deleted.
1203         (JSC::CachedCodeBlock::isClassContext const): Deleted.
1204         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const): Deleted.
1205         (JSC::CachedCodeBlock::constructorKind const): Deleted.
1206         (JSC::CachedCodeBlock::derivedContextType const): Deleted.
1207         (JSC::CachedCodeBlock::evalContextType const): Deleted.
1208         (JSC::CachedCodeBlock::hasTailCalls const): Deleted.
1209         (JSC::CachedCodeBlock::lineCount const): Deleted.
1210         (JSC::CachedCodeBlock::endColumn const): Deleted.
1211         (JSC::CachedCodeBlock::numVars const): Deleted.
1212         (JSC::CachedCodeBlock::numCalleeLocals const): Deleted.
1213         (JSC::CachedCodeBlock::numParameters const): Deleted.
1214         (JSC::CachedCodeBlock::features const): Deleted.
1215         (JSC::CachedCodeBlock::parseMode const): Deleted.
1216         (JSC::CachedCodeBlock::codeType const): Deleted.
1217         (JSC::CachedCodeBlock::rareData const): Deleted.
1218         (JSC::CachedProgramCodeBlock::encode): Deleted.
1219         (JSC::CachedProgramCodeBlock::decode const): Deleted.
1220         (JSC::CachedModuleCodeBlock::encode): Deleted.
1221         (JSC::CachedModuleCodeBlock::decode const): Deleted.
1222         (JSC::CachedEvalCodeBlock::encode): Deleted.
1223         (JSC::CachedEvalCodeBlock::decode const): Deleted.
1224         (JSC::CachedFunctionCodeBlock::encode): Deleted.
1225         (JSC::CachedFunctionCodeBlock::decode const): Deleted.
1226         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock): Deleted.
1227         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
1228         (JSC::CachedCodeBlock<CodeBlockType>::decode const): Deleted.
1229         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock): Deleted.
1230         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock): Deleted.
1231         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock): Deleted.
1232         (JSC::CachedFunctionExecutable::encode): Deleted.
1233         (JSC::CachedFunctionExecutable::decode const): Deleted.
1234         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Deleted.
1235         (JSC::CachedCodeBlock<CodeBlockType>::encode): Deleted.
1236         (JSC::CachedSourceCodeKey::encode): Deleted.
1237         (JSC::CachedSourceCodeKey::decode const): Deleted.
1238         (JSC::CacheEntry::encode): Deleted.
1239         (JSC::CacheEntry:: const): Deleted.
1240         (JSC:: const): Deleted.
1241         (JSC::encodeCodeBlock): Deleted.
1242         (JSC::decodeCodeBlockImpl): Deleted.
1243         * runtime/CachedTypes.h:
1244         (JSC::decodeCodeBlock): Deleted.
1245         * runtime/CodeCache.cpp:
1246         (JSC::CodeCacheMap::pruneSlowCase):
1247         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1248         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1249         (JSC::CodeCache::write): Deleted.
1250         * runtime/CodeCache.h:
1251         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1252         (JSC::CodeCache::clear):
1253         (JSC::CodeCacheMap::begin): Deleted.
1254         (JSC::CodeCacheMap::end): Deleted.
1255         (JSC::CodeCacheMap::fetchFromDiskImpl): Deleted.
1256         (): Deleted.
1257         (JSC::writeCodeBlock): Deleted.
1258         * runtime/JSBigInt.cpp:
1259         (JSC::JSBigInt::offsetOfData):
1260         (JSC::JSBigInt::dataStorage):
1261         * runtime/JSBigInt.h:
1262         * runtime/Options.cpp:
1263         (JSC::recomputeDependentOptions):
1264         * runtime/Options.h:
1265         * runtime/RegExp.h:
1266         * runtime/ScopedArgumentsTable.h:
1267         * runtime/StackFrame.h:
1268         * runtime/StructureInlines.h:
1269         * runtime/SymbolTable.h:
1270
1271 2019-01-20  Saam Barati  <sbarati@apple.com>
1272
1273         MovHint must merge NodeBytecodeUsesAsValue for its child in backwards propagation
1274         https://bugs.webkit.org/show_bug.cgi?id=186916
1275         <rdar://problem/41396612>
1276
1277         Reviewed by Yusuke Suzuki.
1278
1279         Otherwise, we may not think we care about the non-integral part in
1280         a division (or perhaps overflow in an add, etc). Consider a program
1281         like this:
1282         
1283         ```return a / b```
1284         
1285         That gets compiled to:
1286         ```
1287         a: ArithDiv // We don't check that the remainder is zero here.
1288         b: MovHint(@a)
1289         c: ForceOSRExit
1290         d: Unreachable
1291         ```
1292         
        If we don't inform @a that we care about its result in full number
        accuracy, it will choose to ignore its non-integral remainder. This
        makes sense if *everybody*, i.e. all uses of the Div, only cared about
        the integral part. However, OSR exit is not one of those users. OSR
        exit cares about the fractional bits in such a Div.
1298
1299         * dfg/DFGBackwardsPropagationPhase.cpp:
1300         (JSC::DFG::BackwardsPropagationPhase::propagate):
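
The use-flag reasoning above, as an added example that is not part of the ChangeLog or of JSC's source: a reduced C++ model of a backwards propagation pass. The flag names follow JSC's NodeFlags, but the node set, the per-op rules, the graph builders and the helper names (`propagateBackwards`, `returnDivChecksRemainder`, `divAndChecksRemainder`) are assumptions of this example. The `movHintMergesUsesAsValue` switch shows the behaviour before and after the fix on the `return a / b` graph, next to a graph where every consumer really is integer-only.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Reduced model of DFG backwards use-flag propagation (not JSC's code).
enum : uint32_t {
    NodeBytecodeUsesAsNumber = 1u << 0, // a consumer observes the full double result
    NodeBytecodeNeedsNegZero = 1u << 1, // a consumer distinguishes -0 from +0
    NodeBytecodeUsesAsInt    = 1u << 2, // a consumer only looks at the int32 bits
    NodeBytecodeUsesAsValue  = NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero,
};

enum class Op { JSConstant, ArithDiv, BitAnd, MovHint, ForceOSRExit, Unreachable };

struct Node {
    Op op;
    std::vector<int> children; // indices of the nodes this one consumes
    uint32_t flags = 0;        // how this node's own result is used downstream
};

struct Graph {
    std::vector<Node> nodes;
    bool movHintMergesUsesAsValue; // false: behaviour before the fix, true: after
};

// Walk from the last node to the first so that each node's flags are complete
// before they are pushed down into its children.
static void propagateBackwards(Graph& g) {
    for (int i = static_cast<int>(g.nodes.size()) - 1; i >= 0; --i) {
        const Node& n = g.nodes[i];
        uint32_t toChildren = 0;
        switch (n.op) {
        case Op::ArithDiv: toChildren = NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero; break; // inputs are full numbers
        case Op::BitAnd:   toChildren = NodeBytecodeUsesAsInt; break;                                // only int32 bits matter
        case Op::MovHint:  toChildren = g.movHintMergesUsesAsValue ? NodeBytecodeUsesAsValue : 0; break; // the fix
        default:           break;
        }
        for (int c : n.children)
            g.nodes[c].flags |= toChildren;
    }
}

// The decision ArithDiv makes at code generation time: the remainder must be
// checked only if some consumer observes the result as a number.
static bool divChecksRemainder(const Node& div) {
    return (div.flags & NodeBytecodeUsesAsNumber) != 0;
}

// `return a / b` as in the ChangeLog: Div, MovHint, ForceOSRExit, Unreachable.
static Graph buildReturnDivGraph(bool fixed) {
    Graph g{{}, fixed};
    g.nodes.push_back({Op::JSConstant, {}});   // @0: a
    g.nodes.push_back({Op::JSConstant, {}});   // @1: b
    g.nodes.push_back({Op::ArithDiv, {0, 1}}); // @2: a / b
    g.nodes.push_back({Op::MovHint, {2}});     // @3: MovHint(@2), the only consumer of @2
    g.nodes.push_back({Op::ForceOSRExit, {}}); // @4
    g.nodes.push_back({Op::Unreachable, {}});  // @5
    return g;
}

// `(a / b) & 0xff`: every consumer is integer-only, so skipping the check is sound.
static Graph buildDivAndGraph() {
    Graph g{{}, true};
    g.nodes.push_back({Op::JSConstant, {}});   // @0: a
    g.nodes.push_back({Op::JSConstant, {}});   // @1: b
    g.nodes.push_back({Op::ArithDiv, {0, 1}}); // @2: a / b
    g.nodes.push_back({Op::JSConstant, {}});   // @3: 0xff
    g.nodes.push_back({Op::BitAnd, {2, 3}});   // @4: @2 & @3
    return g;
}

bool returnDivChecksRemainder(bool fixed) {
    Graph g = buildReturnDivGraph(fixed);
    propagateBackwards(g);
    return divChecksRemainder(g.nodes[2]);
}

bool divAndChecksRemainder() {
    Graph g = buildDivAndGraph();
    propagateBackwards(g);
    return divChecksRemainder(g.nodes[2]);
}

int main() {
    std::printf("return a / b, before fix: remainder check = %d\n", returnDivChecksRemainder(false));
    std::printf("return a / b, after fix:  remainder check = %d\n", returnDivChecksRemainder(true));
    std::printf("(a / b) & 0xff:           remainder check = %d\n", divAndChecksRemainder());
    return 0;
}
```

Before the fix the division in `return a / b` carries no `NodeBytecodeUsesAsNumber` flag, so the model lets the code generator skip the remainder check even though the OSR exit will reconstruct the value from it; after the fix the MovHint marks its child as used "as value" and the check is kept, while the bit-and graph still legitimately drops it.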
1301
1302 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1303
1304         [JSC] Invalidate old scope operations using global lexical binding epoch
1305         https://bugs.webkit.org/show_bug.cgi?id=193603
1306         <rdar://problem/47380869>
1307
1308         Reviewed by Saam Barati.
1309
        Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
        scope related operations since we may have had a global property previously. Consider the following example,
1312
1313             foo = 0;
1314             function get() { return foo; }
1315             print(get()); // 0
1316             print(get()); // 0
1317             delete globalThis.foo;
1318             $.evalScript(`const foo = 42;`);
1319             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
1320
1321         To invalidate the cache easily, we introduce global lexical binding epoch. It is bumped every time we introduce a new lexical binding
1322         into JSGlobalLexicalEnvironment, since that name could shadow the global property name previously. In op_resolve_scope, we first check
        the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
1324         operation to the appropriate one even if the resolve type is not UnresolvedProperty type. After updating the resolve type of the bytecode,
1325         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
1326
        In op_get_from_scope and op_put_to_scope, we do not use this epoch since the Structure check can do the same thing instead. If op_resolve_scope
        is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, obviously the structure check fails.
1329         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
1330
        So, the metadata for scope related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint based approach.
1332         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid
1333         infinite compile-and-fail loop.
1334
        When the global lexical binding epoch overflows we iterate over all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
        happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
        structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
        reason.
1339
1340         * bytecode/BytecodeList.rb:
1341         * bytecode/CodeBlock.cpp:
1342         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1343         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
1344         * bytecode/CodeBlock.h:
1345         * dfg/DFGByteCodeParser.cpp:
1346         (JSC::DFG::ByteCodeParser::parseBlock):
1347         * dfg/DFGDesiredGlobalProperties.cpp:
1348         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1349         * dfg/DFGDesiredGlobalProperties.h:
1350         * dfg/DFGGraph.cpp:
1351         (JSC::DFG::Graph::watchGlobalProperty):
1352         * dfg/DFGGraph.h:
1353         * dfg/DFGPlan.cpp:
1354         (JSC::DFG::Plan::isStillValidOnMainThread):
1355         * jit/JITPropertyAccess.cpp:
1356         (JSC::JIT::emit_op_resolve_scope):
1357         * jit/JITPropertyAccess32_64.cpp:
1358         (JSC::JIT::emit_op_resolve_scope):
1359         * llint/LowLevelInterpreter32_64.asm:
1360         * llint/LowLevelInterpreter64.asm:
1361         * runtime/CommonSlowPaths.cpp:
1362         (JSC::SLOW_PATH_DECL):
1363         * runtime/CommonSlowPaths.h:
1364         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1365         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1366         * runtime/JSGlobalObject.cpp:
1367         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
1368         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1369         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1370         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
1371         * runtime/JSGlobalObject.h:
1372         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
1373         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
1374         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
1375         * runtime/Options.cpp:
1376         (JSC::correctOptions):
1377         (JSC::Options::initialize):
1378         (JSC::Options::setOptions):
1379         (JSC::Options::setOptionWithoutAlias):
1380         * runtime/Options.h:
1381         * runtime/ProgramExecutable.cpp:
1382         (JSC::ProgramExecutable::initializeGlobalProperties):
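
The epoch scheme described in the entry above, as an added example that is not part of the ChangeLog or of JSC's source: a small C++ model of the global object, its lexical environment, CodeBlocks and the per-site op_resolve_scope metadata. The 8-bit epoch width, the class and helper names (`GlobalObjectModel`, `replayScenario`, `survivesEpochOverflow`) and the int-valued bindings are assumptions of this example; only the concept names come from JSC. It replays the `foo`/`get()` scenario from the entry and then drives the epoch through the overflow path.

```cpp
#include <cstdint>
#include <deque>
#include <map>
#include <string>
#include <vector>

// Model of the global lexical binding epoch (not JSC's code). JSC's concept
// names are kept; the class layout, the 8-bit epoch and the helper names are
// assumptions of this example.
enum class ScopeKind { GlobalObject, GlobalLexicalEnvironment };

struct ResolveScopeSite {      // cached metadata of one op_resolve_scope site
    std::string name;
    ScopeKind cachedScope = ScopeKind::GlobalObject;
    uint8_t cachedEpoch = 0;   // 0 is never a live epoch, so a fresh site always misses
};
struct CodeBlock { std::vector<ResolveScopeSite> sites; };

class GlobalObjectModel {
public:
    void putGlobalProperty(const std::string& name, int value) { m_properties[name] = value; }
    void deleteGlobalProperty(const std::string& name) { m_properties.erase(name); }

    // $.evalScript(`const name = value;`): the new binding may shadow a global
    // property some site has cached, so every cached resolution is invalidated.
    void addLexicalBinding(const std::string& name, int value) {
        m_lexicalBindings[name] = value;
        bumpGlobalLexicalBindingEpoch();
    }

    CodeBlock& allocateCodeBlock(const std::vector<std::string>& names) {
        m_codeBlocks.emplace_back();
        for (const auto& n : names) m_codeBlocks.back().sites.push_back({n});
        return m_codeBlocks.back();
    }

    // op_resolve_scope: fast path while the cached epoch is current; otherwise
    // re-resolve and stamp the site with the current epoch.
    ScopeKind resolveScope(ResolveScopeSite& site) {
        if (site.cachedEpoch == m_epoch) return site.cachedScope;
        ++m_slowPathHits;
        site.cachedScope = m_lexicalBindings.count(site.name) ? ScopeKind::GlobalLexicalEnvironment : ScopeKind::GlobalObject;
        site.cachedEpoch = m_epoch;
        return site.cachedScope;
    }

    // op_get_from_scope on whichever scope was resolved; false means undefined.
    bool getFromScope(ResolveScopeSite& site, int& out) {
        const auto& table = resolveScope(site) == ScopeKind::GlobalLexicalEnvironment ? m_lexicalBindings : m_properties;
        auto it = table.find(site.name);
        if (it == table.end()) return false;
        out = it->second;
        return true;
    }

    uint8_t epoch() const { return m_epoch; }
    unsigned slowPathHits() const { return m_slowPathHits; }

private:
    void bumpGlobalLexicalBindingEpoch() {
        if (++m_epoch != 0) return;  // uint8_t wraps to 0 exactly on overflow
        // Overflow: stamp every live site with a dead epoch so its next resolve
        // takes the slow path, then restart the counter at 1.
        for (auto& block : m_codeBlocks)
            for (auto& site : block.sites) site.cachedEpoch = 0;
        m_epoch = 1;
    }

    std::map<std::string, int> m_properties;      // JSGlobalObject properties
    std::map<std::string, int> m_lexicalBindings; // JSGlobalLexicalEnvironment
    std::deque<CodeBlock> m_codeBlocks;           // deque keeps references valid as it grows
    uint8_t m_epoch = 1;
    unsigned m_slowPathHits = 0;
};

// Replays the scenario from the ChangeLog entry and returns the three values
// get() observes; slowPathHits reports how often op_resolve_scope re-resolved.
std::vector<int> replayScenario(unsigned& slowPathHits) {
    GlobalObjectModel global;
    ResolveScopeSite& site = global.allocateCodeBlock({"foo"}).sites[0]; // function get() { return foo; }
    global.putGlobalProperty("foo", 0);                                   // foo = 0;
    std::vector<int> seen(3, -1);
    global.getFromScope(site, seen[0]);  // print(get()): slow path, caches GlobalObject
    global.getFromScope(site, seen[1]);  // print(get()): fast path
    global.deleteGlobalProperty("foo");  // delete globalThis.foo;
    global.addLexicalBinding("foo", 42); // $.evalScript(`const foo = 42;`): bumps the epoch
    global.getFromScope(site, seen[2]);  // epoch mismatch forces re-resolution: 42, not a stale 0
    slowPathHits = global.slowPathHits();
    return seen;
}

// Wraps the 8-bit epoch on the very bump that introduces a shadowing binding and
// checks that the site does not keep its stale GlobalObject resolution.
bool survivesEpochOverflow() {
    GlobalObjectModel global;
    ResolveScopeSite& site = global.allocateCodeBlock({"bar"}).sites[0];
    global.putGlobalProperty("bar", 1);
    int value = -1;
    global.getFromScope(site, value); // cached at epoch 1
    for (int i = 0; i < 254; ++i)     // 254 unrelated bindings take the epoch to 255
        global.addLexicalBinding("unrelated" + std::to_string(i), i);
    global.addLexicalBinding("bar", 2); // overflow: without the CodeBlock walk the counter would read 1 again
    global.getFromScope(site, value);
    return global.epoch() == 1 && value == 2;
}
```

The overflow case is the interesting one: after the wrap the counter is 1 again, which is exactly the epoch the `bar` site cached, so without resetting every live site's stored epoch the fast path would hand back the deleted global property's value.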
1383
1384 2019-01-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1385
1386         [JSC] Shrink data structure size in JSC/heap
1387         https://bugs.webkit.org/show_bug.cgi?id=193612
1388
1389         Reviewed by Saam Barati.
1390
        This patch reduces the size of data structures in JSC/heap. Basically, we reorder the members to remove padding.
1392
1393         For Subspace, we drop CellAttributes `m_attributes`. Instead, we use `heapCellType->attributes()`. And we use
1394         FreeList::cellSize() instead of holding m_cellSize in LocalAllocator.
1395
        This change reduces the size of JSC::VM too since it includes JSC::Heap. The size of VM goes from 78208 to 76696.
1397
1398         * heap/BlockDirectory.cpp:
1399         * heap/BlockDirectory.h:
1400         * heap/CollectionScope.h:
1401         * heap/CompleteSubspace.cpp:
1402         (JSC::CompleteSubspace::allocatorForSlow):
1403         * heap/FreeList.h:
1404         (JSC::FreeList::offsetOfCellSize):
1405         (JSC::FreeList::cellSize const):
1406         * heap/Heap.cpp:
1407         (JSC::Heap::Heap):
1408         (JSC::Heap::updateObjectCounts):
1409         (JSC::Heap::addToRememberedSet):
1410         (JSC::Heap::runBeginPhase):
1411         (JSC::Heap::willStartCollection):
1412         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
1413         (JSC::Heap::deleteSourceProviderCaches):
1414         (JSC::Heap::notifyIncrementalSweeper):
1415         (JSC::Heap::updateAllocationLimits):
1416         * heap/Heap.h:
1417         * heap/IsoAlignedMemoryAllocator.h:
1418         * heap/LargeAllocation.cpp:
1419         * heap/LocalAllocator.cpp:
1420         (JSC::LocalAllocator::LocalAllocator):
1421         * heap/LocalAllocator.h:
1422         (JSC::LocalAllocator::cellSize const):
1423         (JSC::LocalAllocator::offsetOfCellSize):
1424         * heap/MarkedSpace.cpp:
1425         (JSC::MarkedSpace::MarkedSpace):
1426         * heap/MarkedSpace.h:
1427         * heap/MarkingConstraint.h:
1428         * heap/Subspace.cpp:
1429         (JSC::Subspace::initialize):
1430         * heap/Subspace.h:
1431         (JSC::Subspace::attributes const): Deleted.
1432         * heap/SubspaceInlines.h:
1433         (JSC::Subspace::forEachMarkedCell):
1434         (JSC::Subspace::forEachMarkedCellInParallel):
1435         (JSC::Subspace::forEachLiveCell):
1436         (JSC::Subspace::attributes const):
1437
1438 2019-01-20  Tadeu Zagallo  <tzagallo@apple.com>
1439
1440         Cache bytecode to disk
1441         https://bugs.webkit.org/show_bug.cgi?id=192782
1442         <rdar://problem/46084932>
1443
1444         Reviewed by Keith Miller.
1445
1446         Add the logic to serialize and deserialize the new JSC bytecode. For now,
1447         the cache is only used for tests.
1448
1449         Each class that can be serialized has a counterpart in CachedTypes, which
1450         handles the decoding and encoding. When decoding, the cached objects are
1451         mmap'd from disk, but only used for creating instances of the respective
1452         in-memory version of each object. Ideally, the mmap'd objects should be
1453         used at runtime in the future.
1454
1455         * CMakeLists.txt:
1456         * JavaScriptCore.xcodeproj/project.pbxproj:
1457         * Sources.txt:
1458         * builtins/BuiltinNames.cpp:
1459         (JSC::BuiltinNames::BuiltinNames):
1460         * builtins/BuiltinNames.h:
1461         * bytecode/CodeBlock.cpp:
1462         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1463         * bytecode/CodeBlock.h:
1464         * bytecode/HandlerInfo.h:
1465         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
1466         * bytecode/InstructionStream.h:
1467         * bytecode/UnlinkedCodeBlock.h:
1468         (JSC::UnlinkedCodeBlock::addSetConstant):
1469         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1470         * bytecode/UnlinkedEvalCodeBlock.h:
1471         * bytecode/UnlinkedFunctionCodeBlock.h:
1472         * bytecode/UnlinkedFunctionExecutable.h:
1473         * bytecode/UnlinkedGlobalCodeBlock.h:
1474         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1475         * bytecode/UnlinkedMetadataTable.h:
1476         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1477         * bytecode/UnlinkedProgramCodeBlock.h:
1478         * interpreter/Interpreter.cpp:
1479         * jsc.cpp:
1480         (functionQuit):
1481         (runJSC):
1482         * parser/SourceCode.h:
1483         * parser/SourceCodeKey.h:
1484         (JSC::SourceCodeKey::operator!= const):
1485         * parser/UnlinkedSourceCode.h:
1486         * parser/VariableEnvironment.h:
1487         * runtime/CachedTypes.cpp: Added.
1488         (JSC::Encoder::Allocation::buffer const):
1489         (JSC::Encoder::Allocation::offset const):
1490         (JSC::Encoder::Allocation::Allocation):
1491         (JSC::Encoder::Encoder):
1492         (JSC::Encoder::vm):
1493         (JSC::Encoder::malloc):
1494         (JSC::Encoder::offsetOf):
1495         (JSC::Encoder::cachePtr):
1496         (JSC::Encoder::offsetForPtr):
1497         (JSC::Encoder::release):
1498         (JSC::Encoder::Page::Page):
1499         (JSC::Encoder::Page::malloc):
1500         (JSC::Encoder::Page::buffer const):
1501         (JSC::Encoder::Page::size const):
1502         (JSC::Encoder::Page::getOffset const):
1503         (JSC::Encoder::allocateNewPage):
1504         (JSC::Decoder::Decoder):
1505         (JSC::Decoder::~Decoder):
1506         (JSC::Decoder::vm):
1507         (JSC::Decoder::offsetOf):
1508         (JSC::Decoder::cacheOffset):
1509         (JSC::Decoder::addFinalizer):
1510         (JSC::encode):
1511         (JSC::decode):
1512         (JSC::VariableLengthObject::buffer const):
1513         (JSC::VariableLengthObject::allocate):
1514         (JSC::CachedPtr::encode):
1515         (JSC::CachedPtr::decode const):
1516         (JSC::CachedPtr::operator-> const):
1517         (JSC::CachedPtr::get const):
1518         (JSC::CachedRefPtr::encode):
1519         (JSC::CachedRefPtr::decode const):
1520         (JSC::CachedWriteBarrier::encode):
1521         (JSC::CachedWriteBarrier::decode const):
1522         (JSC::CachedVector::encode):
1523         (JSC::CachedVector::decode const):
1524         (JSC::CachedPair::encode):
1525         (JSC::CachedPair::decode const):
1526         (JSC::CachedHashMap::encode):
1527         (JSC::CachedHashMap::decode const):
1528         (JSC::CachedUniquedStringImpl::encode):
1529         (JSC::CachedUniquedStringImpl::decode const):
1530         (JSC::CachedStringImpl::encode):
1531         (JSC::CachedStringImpl::decode const):
1532         (JSC::CachedString::encode):
1533         (JSC::CachedString::decode const):
1534         (JSC::CachedIdentifier::encode):
1535         (JSC::CachedIdentifier::decode const):
1536         (JSC::CachedOptional::encode):
1537         (JSC::CachedOptional::decode const):
1538         (JSC::CachedOptional::decodeAsPtr const):
1539         (JSC::CachedSimpleJumpTable::encode):
1540         (JSC::CachedSimpleJumpTable::decode const):
1541         (JSC::CachedStringJumpTable::encode):
1542         (JSC::CachedStringJumpTable::decode const):
1543         (JSC::CachedCodeBlockRareData::encode):
1544         (JSC::CachedCodeBlockRareData::decode const):
1545         (JSC::CachedBitVector::encode):
1546         (JSC::CachedBitVector::decode const):
1547         (JSC::CachedHashSet::encode):
1548         (JSC::CachedHashSet::decode const):
1549         (JSC::CachedConstantIdentifierSetEntry::encode):
1550         (JSC::CachedConstantIdentifierSetEntry::decode const):
1551         (JSC::CachedVariableEnvironment::encode):
1552         (JSC::CachedVariableEnvironment::decode const):
1553         (JSC::CachedArray::encode):
1554         (JSC::CachedArray::decode const):
1555         (JSC::CachedScopedArgumentsTable::encode):
1556         (JSC::CachedScopedArgumentsTable::decode const):
1557         (JSC::CachedSymbolTableEntry::encode):
1558         (JSC::CachedSymbolTableEntry::decode const):
1559         (JSC::CachedSymbolTable::encode):
1560         (JSC::CachedSymbolTable::decode const):
1561         (JSC::CachedImmutableButterfly::encode):
1562         (JSC::CachedImmutableButterfly::decode const):
1563         (JSC::CachedRegExp::encode):
1564         (JSC::CachedRegExp::decode const):
1565         (JSC::CachedTemplateObjectDescriptor::encode):
1566         (JSC::CachedTemplateObjectDescriptor::decode const):
1567         (JSC::CachedBigInt::encode):
1568         (JSC::CachedBigInt::decode const):
1569         (JSC::CachedJSValue::encode):
1570         (JSC::CachedJSValue::decode const):
1571         (JSC::CachedInstructionStream::encode):
1572         (JSC::CachedInstructionStream::decode const):
1573         (JSC::CachedMetadataTable::encode):
1574         (JSC::CachedMetadataTable::decode const):
1575         (JSC::CachedSourceOrigin::encode):
1576         (JSC::CachedSourceOrigin::decode const):
1577         (JSC::CachedTextPosition::encode):
1578         (JSC::CachedTextPosition::decode const):
1579         (JSC::CachedSourceProviderShape::encode):
1580         (JSC::CachedSourceProviderShape::decode const):
1581         (JSC::CachedStringSourceProvider::encode):
1582         (JSC::CachedStringSourceProvider::decode const):
1583         (JSC::CachedWebAssemblySourceProvider::encode):
1584         (JSC::CachedWebAssemblySourceProvider::decode const):
1585         (JSC::CachedSourceProvider::encode):
1586         (JSC::CachedSourceProvider::decode const):
1587         (JSC::CachedUnlinkedSourceCodeShape::encode):
1588         (JSC::CachedUnlinkedSourceCodeShape::decode const):
1589         (JSC::CachedSourceCode::encode):
1590         (JSC::CachedSourceCode::decode const):
1591         (JSC::CachedFunctionExecutable::firstLineOffset const):
1592         (JSC::CachedFunctionExecutable::lineCount const):
1593         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
1594         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
1595         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
1596         (JSC::CachedFunctionExecutable::startOffset const):
1597         (JSC::CachedFunctionExecutable::sourceLength const):
1598         (JSC::CachedFunctionExecutable::parametersStartOffset const):
1599         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
1600         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
1601         (JSC::CachedFunctionExecutable::parameterCount const):
1602         (JSC::CachedFunctionExecutable::features const):
1603         (JSC::CachedFunctionExecutable::sourceParseMode const):
1604         (JSC::CachedFunctionExecutable::isInStrictContext const):
1605         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
1606         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
1607         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
1608         (JSC::CachedFunctionExecutable::constructAbility const):
1609         (JSC::CachedFunctionExecutable::constructorKind const):
1610         (JSC::CachedFunctionExecutable::functionMode const):
1611         (JSC::CachedFunctionExecutable::scriptMode const):
1612         (JSC::CachedFunctionExecutable::superBinding const):
1613         (JSC::CachedFunctionExecutable::derivedContextType const):
1614         (JSC::CachedFunctionExecutable::name const):
1615         (JSC::CachedFunctionExecutable::ecmaName const):
1616         (JSC::CachedFunctionExecutable::inferredName const):
1617         (JSC::CachedCodeBlock::instructions const):
1618         (JSC::CachedCodeBlock::thisRegister const):
1619         (JSC::CachedCodeBlock::scopeRegister const):
1620         (JSC::CachedCodeBlock::globalObjectRegister const):
1621         (JSC::CachedCodeBlock::sourceURLDirective const):
1622         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
1623         (JSC::CachedCodeBlock::usesEval const):
1624         (JSC::CachedCodeBlock::isStrictMode const):
1625         (JSC::CachedCodeBlock::isConstructor const):
1626         (JSC::CachedCodeBlock::hasCapturedVariables const):
1627         (JSC::CachedCodeBlock::isBuiltinFunction const):
1628         (JSC::CachedCodeBlock::superBinding const):
1629         (JSC::CachedCodeBlock::scriptMode const):
1630         (JSC::CachedCodeBlock::isArrowFunctionContext const):
1631         (JSC::CachedCodeBlock::isClassContext const):
1632         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
1633         (JSC::CachedCodeBlock::constructorKind const):
1634         (JSC::CachedCodeBlock::derivedContextType const):
1635         (JSC::CachedCodeBlock::evalContextType const):
1636         (JSC::CachedCodeBlock::hasTailCalls const):
1637         (JSC::CachedCodeBlock::lineCount const):
1638         (JSC::CachedCodeBlock::endColumn const):
1639         (JSC::CachedCodeBlock::numVars const):
1640         (JSC::CachedCodeBlock::numCalleeLocals const):
1641         (JSC::CachedCodeBlock::numParameters const):
1642         (JSC::CachedCodeBlock::features const):
1643         (JSC::CachedCodeBlock::parseMode const):
1644         (JSC::CachedCodeBlock::codeType const):
1645         (JSC::CachedCodeBlock::rareData const):
1646         (JSC::CachedProgramCodeBlock::encode):
1647         (JSC::CachedProgramCodeBlock::decode const):
1648         (JSC::CachedModuleCodeBlock::encode):
1649         (JSC::CachedModuleCodeBlock::decode const):
1650         (JSC::CachedEvalCodeBlock::encode):
1651         (JSC::CachedEvalCodeBlock::decode const):
1652         (JSC::CachedFunctionCodeBlock::encode):
1653         (JSC::CachedFunctionCodeBlock::decode const):
1654         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
1655         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1656         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1657         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
1658         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
1659         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
1660         (JSC::CachedFunctionExecutable::encode):
1661         (JSC::CachedFunctionExecutable::decode const):
1662         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1663         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1664         (JSC::CachedSourceCodeKey::encode):
1665         (JSC::CachedSourceCodeKey::decode const):
1666         (JSC::CacheEntry::encode):
1667         (JSC::CacheEntry:: const):
1668         (JSC:: const):
1669         (JSC::encodeCodeBlock):
1670         (JSC::decodeCodeBlockImpl):
1671         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
1672         (JSC::decodeCodeBlock):
1673         * runtime/CodeCache.cpp:
1674         (JSC::CodeCacheMap::pruneSlowCase):
1675         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1676         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1677         (JSC::CodeCache::write):
1678         * runtime/CodeCache.h:
1679         (JSC::CodeCacheMap::begin):
1680         (JSC::CodeCacheMap::end):
1681         (JSC::CodeCacheMap::fetchFromDiskImpl):
1682         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1683         (JSC::writeCodeBlock):
1684         * runtime/JSBigInt.cpp:
1685         * runtime/JSBigInt.h:
1686         * runtime/Options.cpp:
1687         (JSC::recomputeDependentOptions):
1688         * runtime/Options.h:
1689         * runtime/RegExp.h:
1690         * runtime/ScopedArgumentsTable.h:
1691         * runtime/StackFrame.h:
1692         * runtime/StructureInlines.h:
1693         * runtime/SymbolTable.h:
1694
1695 2019-01-20  Antoine Quint  <graouts@apple.com>
1696
1697         Add a POINTER_EVENTS feature flag
1698         https://bugs.webkit.org/show_bug.cgi?id=193577
1699         <rdar://problem/47408511>
1700
1701         Unreviewed. Also enable Pointer Events for iosmac.
1702
1703         * Configurations/FeatureDefines.xcconfig:
1704
1705 2019-01-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1706
1707         [JSC] Reorder JSSegmentedVariableObject member for preparation of JSGlobalObject memory reduction
1708         https://bugs.webkit.org/show_bug.cgi?id=193609
1709
1710         Reviewed by Sam Weinig.
1711
        Basically, we should order the members in large => small order so as not to add padding.
1713
1714         * runtime/JSSegmentedVariableObject.h:
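
What the "large => small" ordering in this entry and in the earlier "Shrink data structure size in JSC/heap" entry buys, as an added C++ example that is not part of the ChangeLog or of JSC's source. The struct and member names (`AsWritten`, `Reordered`, `owner`, `cellSize`, `isLive`, `isMarked`) are invented for the illustration; the expected sizes are derived from the alignment rule so the checks hold on both 32-bit and 64-bit ABIs.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not JSC code. Each member must start at an offset that is a
// multiple of its alignment, so a small member followed by a larger one leaves
// a hole that the compiler fills with padding.
struct AsWritten {
    void*    owner;    // pointer-sized, pointer-aligned
    bool     isLive;   // 1 byte, then a hole up to the next 4-byte boundary
    uint32_t cellSize;
    bool     isMarked; // 1 byte, then tail padding up to a multiple of alignof(void*)
};

// Same four members, ordered from the largest alignment to the smallest.
struct Reordered {
    void*    owner;
    uint32_t cellSize;
    bool     isLive;
    bool     isMarked; // only tail padding remains
};

constexpr size_t roundUp(size_t value, size_t alignment) {
    return (value + alignment - 1) / alignment * alignment;
}

// Bytes of real data carried by both structs.
constexpr size_t kPayloadBytes = sizeof(void*) + sizeof(uint32_t) + 2 * sizeof(bool);

// Sizes predicted from the alignment rule alone.
constexpr size_t kExpectedAsWritten =
    roundUp(roundUp(sizeof(void*) + sizeof(bool), alignof(uint32_t)) + sizeof(uint32_t) + sizeof(bool), alignof(void*));
constexpr size_t kExpectedReordered = roundUp(kPayloadBytes, alignof(void*));

static_assert(sizeof(AsWritten) == kExpectedAsWritten, "layout model disagrees with the compiler");
static_assert(sizeof(Reordered) == kExpectedReordered, "layout model disagrees with the compiler");
static_assert(sizeof(Reordered) < sizeof(AsWritten), "reordering did not remove padding");

// Interior padding: the gap between one member's end and the next member's start.
size_t interiorPadding(size_t prevOffset, size_t prevSize, size_t nextOffset) {
    return nextOffset - (prevOffset + prevSize);
}

size_t interiorPaddingAsWritten() {
    return interiorPadding(offsetof(AsWritten, isLive), sizeof(bool), offsetof(AsWritten, cellSize));
}

size_t interiorPaddingReordered() {
    return interiorPadding(offsetof(Reordered, owner), sizeof(void*), offsetof(Reordered, cellSize))
         + interiorPadding(offsetof(Reordered, cellSize), sizeof(uint32_t), offsetof(Reordered, isLive))
         + interiorPadding(offsetof(Reordered, isLive), sizeof(bool), offsetof(Reordered, isMarked));
}

// All padding, interior plus tail, for a struct of the given size.
size_t totalPadding(size_t structSize) { return structSize - kPayloadBytes; }

// Per-object saving from the reorder; multiply by the instance count for the heap-wide effect.
size_t bytesSavedPerObject() { return sizeof(AsWritten) - sizeof(Reordered); }
```

On an LP64 target `AsWritten` is 24 bytes and `Reordered` 16, so the reorder saves a pointer's worth of memory per instance without changing what the object stores; dropping a field in favour of an accessor on data that is already reachable, as the heap entry does with `m_attributes` and `m_cellSize`, is the other half of the same trade.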
1715
1716 2019-01-19  Antoine Quint  <graouts@apple.com>
1717
1718         Add a POINTER_EVENTS feature flag
1719         https://bugs.webkit.org/show_bug.cgi?id=193577
1720
1721         Reviewed by Dean Jackson.
1722
1723         * Configurations/FeatureDefines.xcconfig:
1724
1725 2019-01-18  Keith Miller  <keith_miller@apple.com>
1726
1727         JSScript API should only take ascii files.
1728         https://bugs.webkit.org/show_bug.cgi?id=193420
1729
1730         Reviewed by Saam Barati.
1731
        This patch leaves the UTF8 method for binary compatibility, which
1733         will be removed later.
1734
1735         * API/JSScript.h:
1736         * API/JSScript.mm:
1737         (fillBufferWithContentsOfFile):
1738         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1739         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1740         * API/tests/testapi.mm:
1741         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
1742
1743 2019-01-18  David Kilzer  <ddkilzer@apple.com>
1744
1745         Follow-up: Gigacages should start allocations from a slide
1746         <https://bugs.webkit.org/show_bug.cgi?id=193523>
1747         <rdar://problem/44958707>
1748
1749         * ftl/FTLLowerDFGToB3.cpp:
1750         (JSC::FTL::DFG::LowerDFGToB3::caged): Add UNUSED_PARAM(kind) to
1751         fix the build.
1752
1753 2019-01-18  Jer Noble  <jer.noble@apple.com>
1754
1755         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
1756         https://bugs.webkit.org/show_bug.cgi?id=189553
1757
1758         Reviewed by Tim Horton.
1759
1760         * Configurations/Base.xcconfig:
1761         * Configurations/SDKVariant.xcconfig: Added.
1762
1763 2019-01-18  Keith Miller  <keith_miller@apple.com>
1764
1765         Gigacages should start allocations from a slide
1766         https://bugs.webkit.org/show_bug.cgi?id=193523
1767
1768         Reviewed by Mark Lam.
1769
1770         This patch changes some macros into constants since macros are the
1771         devil.
1772
1773         * ftl/FTLLowerDFGToB3.cpp:
1774         (JSC::FTL::DFG::LowerDFGToB3::caged):
1775         * llint/LowLevelInterpreter64.asm:
1776
1777 2019-01-18  Matt Lewis  <jlewis3@apple.com>
1778
1779         Unreviewed, rolling out r240160.
1780
1781         This broke multiple internal builds.
1782
1783         Reverted changeset:
1784
1785         "Gigacages should start allocations from a slide"
1786         https://bugs.webkit.org/show_bug.cgi?id=193523
1787         https://trac.webkit.org/changeset/240160
1788
1789 2019-01-18  Keith Miller  <keith_miller@apple.com>
1790
1791         Gigacages should start allocations from a slide
1792         https://bugs.webkit.org/show_bug.cgi?id=193523
1793
1794         Reviewed by Mark Lam.
1795
1796         This patch changes some macros into constants since macros are the
1797         devil.
1798
1799         * llint/LowLevelInterpreter64.asm:
1800
1801 2019-01-17  Mark Lam  <mark.lam@apple.com>
1802
1803         Audit bytecode fields and ensure that LLInt instructions for accessing them are appropriate.
1804         https://bugs.webkit.org/show_bug.cgi?id=193557
1805         <rdar://problem/47369125>
1806
1807         Reviewed by Yusuke Suzuki.
1808
1809         1. Rename some bytecode fields so that it's easier to discern whether the LLInt
1810            is accessing them the right way:
1811            - distinguish between targetVirtualRegister and targetLabel.
1812            - name all StructureID fields as structureID (oldStructureID, newStructureID)
1813              instead of structure (oldStructure, newStructure).
1814
1815         2. Use bitwise_cast in struct Fits when sizeof(T) == size.
1816            This prevents potential undefined behavior issues arising from doing
1817            assignments with reinterpret_cast'ed pointers.
1818
1819         3. Make Special::Pointer an unsigned type (previously int).
1820            Make ResolveType an unsigned type (previously int).
1821
1822         4. In LowLevelInterpreter*.asm:
1823
1824            - rename the op macro argument to opcodeName or opcodeStruct respectively.
1825              This makes it clearer which argument type the macro is working with.
1826
1827            - rename the name macro argument to opcodeName.
1828
1829            - fix operator types to match the field type being accessed.  The following
1830              may have resulted in bugs before:
1831
1832              1. The following should be read with getu() instead of get() because they
1833                 are unsigned ints:
1834                     OpSwitchImm::m_tableIndex
1835                     OpSwitchChar::m_tableIndex
1836                     OpGetFromArguments::m_index
1837                     OpPutToArguments::m_index
1838                     OpGetRestLength::m_numParametersToSkip
1839
1840                 OpJneqPtr::m_specialPointer should also be read with getu() though this
1841                 wasn't a bug because it was previously an int by default, and is only
1842                 changed to an unsigned int in this patch.
1843
             2. The following should be read with loadi (not loadp) because they are of
1845                unsigned type (not a pointer):
1846                     OpResolveScope::Metadata::m_resolveType
1847                     CodeBlock::m_numParameters (see prepareForTailCall)
1848
1849              3. OpPutToScope::Metadata::m_operand should be read with loadp (not loadis)
1850                 because it is a uintptr_t.
1851
1852              4. The following should be read with loadi (not loadis) because they are
1853                 unsigned ints:
1854                     OpNegate::Metadata::m_arithProfile + ArithProfile::m_bits
1855                     OpPutById::Metadata::m_oldStructureID
1856                     OpPutToScope::Metadata::m_getPutInfo + GetPutInfo::m_operand
1857
1858                 These may not have manifested in bugs because the operations that follow
1859                 the load are 32-bit instructions which ignore the high word.
1860
1861         5. Give class GetPutInfo a default constructor so that we can use bitwise_cast
1862            on it.  Also befriend LLIntOffsetsExtractor so that we can take the offset of
1863            m_operand in it.
1864
1865         * bytecode/ArithProfile.h:
1866         * bytecode/BytecodeList.rb:
1867         * bytecode/BytecodeUseDef.h:
1868         (JSC::computeUsesForBytecodeOffset):
1869         (JSC::computeDefsForBytecodeOffset):
1870         * bytecode/CodeBlock.cpp:
1871         (JSC::CodeBlock::propagateTransitions):
1872         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1873         * bytecode/Fits.h:
1874         * bytecode/GetByIdMetadata.h:
1875         * bytecode/GetByIdStatus.cpp:
1876         (JSC::GetByIdStatus::computeFromLLInt):
1877         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1878         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
1879         * bytecode/PreciseJumpTargetsInlines.h:
1880         (JSC::jumpTargetForInstruction):
1881         (JSC::updateStoredJumpTargetsForInstruction):
1882         * bytecode/PutByIdStatus.cpp:
1883         (JSC::PutByIdStatus::computeFromLLInt):
1884         * bytecode/SpecialPointer.h:
1885         * bytecompiler/BytecodeGenerator.cpp:
1886         (JSC::Label::setLocation):
1887         * dfg/DFGByteCodeParser.cpp:
1888         (JSC::DFG::ByteCodeParser::parseBlock):
1889         * jit/JITArithmetic.cpp:
1890         (JSC::JIT::emit_compareAndJump):
1891         (JSC::JIT::emit_compareUnsignedAndJump):
1892         (JSC::JIT::emit_compareAndJumpSlow):
1893         * jit/JITArithmetic32_64.cpp:
1894         (JSC::JIT::emit_compareAndJump):
1895         (JSC::JIT::emit_compareUnsignedAndJump):
1896         (JSC::JIT::emit_compareAndJumpSlow):
1897         (JSC::JIT::emitBinaryDoubleOp):
1898         * jit/JITOpcodes.cpp:
1899         (JSC::JIT::emit_op_jmp):
1900         (JSC::JIT::emit_op_jfalse):
1901         (JSC::JIT::emit_op_jeq_null):
1902         (JSC::JIT::emit_op_jneq_null):
1903         (JSC::JIT::emit_op_jneq_ptr):
1904         (JSC::JIT::emit_op_jeq):
1905         (JSC::JIT::emit_op_jtrue):
1906         (JSC::JIT::emit_op_jneq):
1907         (JSC::JIT::compileOpStrictEqJump):
1908         (JSC::JIT::emitSlow_op_jstricteq):
1909         (JSC::JIT::emitSlow_op_jnstricteq):
1910         (JSC::JIT::emit_op_check_tdz):
1911         (JSC::JIT::emitSlow_op_jeq):
1912         (JSC::JIT::emitSlow_op_jneq):
1913         (JSC::JIT::emit_op_profile_type):
1914         * jit/JITOpcodes32_64.cpp:
1915         (JSC::JIT::emit_op_jmp):
1916         (JSC::JIT::emit_op_jfalse):
1917         (JSC::JIT::emit_op_jtrue):
1918         (JSC::JIT::emit_op_jeq_null):
1919         (JSC::JIT::emit_op_jneq_null):
1920         (JSC::JIT::emit_op_jneq_ptr):
1921         (JSC::JIT::emit_op_jeq):
1922         (JSC::JIT::emitSlow_op_jeq):
1923         (JSC::JIT::emit_op_jneq):
1924         (JSC::JIT::emitSlow_op_jneq):
1925         (JSC::JIT::compileOpStrictEqJump):
1926         (JSC::JIT::emitSlow_op_jstricteq):
1927         (JSC::JIT::emitSlow_op_jnstricteq):
1928         (JSC::JIT::emit_op_check_tdz):
1929         (JSC::JIT::emit_op_profile_type):
1930         * llint/LLIntSlowPaths.cpp:
1931         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1932         (JSC::LLInt::setupGetByIdPrototypeCache):
1933         * llint/LowLevelInterpreter.asm:
1934         * llint/LowLevelInterpreter32_64.asm:
1935         * llint/LowLevelInterpreter64.asm:
1936         * runtime/CommonSlowPaths.cpp:
1937         * runtime/GetPutInfo.h:
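
The audit above is about matching the width and signedness of an LLInt load to the field it reads. The following is an added example, not code from the WebKit patch or from JavaScriptCore: a small JavaScript model of the offlineasm operators loadi, loadis and loadp, run over a constructed little-endian memory image whose layout (a uintptr_t field at offset 0, an unsigned 32-bit field at offset 8) is hypothetical. It shows that a sign-extending loadis on an unsigned field with bit 31 set is masked by 32-bit consumers, which is the "may not have manifested" case, but inverts a 64-bit compare and sends an address computation below its base; the same signed/unsigned distinction applies to get() versus getu() on bytecode operands.

```javascript
// Added example (not WebKit code): model of offlineasm loads over a constructed image.
const MASK64 = (1n << 64n) - 1n;

// Hypothetical 16-byte layout: a uintptr_t field at offset 0 and an unsigned
// 32-bit field at offset 8, written little-endian as on x86-64 and arm64.
function makeImage(pointerField, unsignedField) {
    const view = new DataView(new ArrayBuffer(16));
    view.setBigUint64(0, pointerField, true);
    view.setUint32(8, unsignedField, true);
    return view;
}

// loadi: 32-bit load, the high word of the destination register is zero.
function loadi(view, offset) {
    return BigInt(view.getUint32(offset, true));
}

// loadis: 32-bit load sign-extended to 64 bits; only right for signed int fields.
function loadis(view, offset) {
    return BigInt.asUintN(64, BigInt(view.getInt32(offset, true)));
}

// loadp: pointer-width (64-bit) load, right for uintptr_t fields.
function loadp(view, offset) {
    return view.getBigUint64(offset, true);
}

// 64-bit signed compare (like bpgteq): sees the sign-extended high word.
function compare64GE(a, b) {
    return BigInt.asIntN(64, a) >= BigInt.asIntN(64, b);
}

// 32-bit unsigned compare (like biaeq): the high word is ignored, hiding the mistake.
function compare32AE(a, b) {
    return BigInt.asUintN(32, a) >= BigInt.asUintN(32, b);
}

// base + index * 8, as when a loaded count or index is used to address a table.
function indexedAddress(base, index) {
    return (base + index * 8n) & MASK64;
}

// Read the unsigned field with the right and the wrong operator and feed both to each consumer.
function demo() {
    const view = makeImage(0x00007f00dead0000n, 0x80000001); // bit 31 set: the interesting case
    const viaLoadi = loadi(view, 8);
    const viaLoadis = loadis(view, 8);
    const limit = 0x80000000n;
    return {
        viaLoadi,
        viaLoadis,
        compare64ViaLoadi: compare64GE(viaLoadi, limit),   // true
        compare64ViaLoadis: compare64GE(viaLoadis, limit), // false: the value now reads as negative
        compare32Agree: compare32AE(viaLoadi, limit) === compare32AE(viaLoadis, limit), // true
        addressViaLoadi: indexedAddress(0x1000n, viaLoadi),
        addressViaLoadis: indexedAddress(0x1000n, viaLoadis), // wraps to far below the base
        pointerViaLoadp: loadp(view, 0),
        pointerViaLoadis: loadis(view, 0), // a 32-bit load drops the high half of the pointer
    };
}
```

The two compare consumers are the point: the mismatch is invisible as long as the next instruction is 32-bit, and becomes a wrong branch or a wild address the moment a pointer-width instruction consumes the register.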
1938
1939 2019-01-17  Truitt Savell  <tsavell@apple.com>
1940
1941         Unreviewed, rolling out r240124.
1942
1943         This commit broke an internal build.
1944
1945         Reverted changeset:
1946
1947         "SDK_VARIANT build destinations should be separate from non-
1948         SDK_VARIANT builds"
1949         https://bugs.webkit.org/show_bug.cgi?id=189553
1950         https://trac.webkit.org/changeset/240124
1951
1952 2019-01-17  Jer Noble  <jer.noble@apple.com>
1953
1954         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
1955         https://bugs.webkit.org/show_bug.cgi?id=189553
1956
1957         Reviewed by Tim Horton.
1958
1959         * Configurations/Base.xcconfig:
1960         * Configurations/SDKVariant.xcconfig: Added.
1961
1962 2019-01-17  Saam barati  <sbarati@apple.com>
1963
1964         StringObjectUse should not be a structure check for the original string object structure
1965         https://bugs.webkit.org/show_bug.cgi?id=193483
1966         <rdar://problem/47280522>
1967
1968         Reviewed by Yusuke Suzuki.
1969
1970         Prior to this patch, the use kind for StringObjectUse implied that we
1971         do a StructureCheck on the input operand for the *original* StringObject
1972         structure. This is generally not how we use UseKinds, so it's no surprise
1973         that this is buggy. A UseKind should map to a set of SpeculatedTypes, not an
1974         actual set of structures. This patch changes the meaning of StringObjectUse
1975         to mean an object where jsDynamicCast<StringObject*> would succeed.
1976         
1977         This patch also fixes a bug that was caused by the old and weird usage of the
1978         UseKind to mean StructureCheck. Consider a program like this:
1979         ```
1980         S1 = Original StringObject structure
1981         S2 = Original StringObject structure with the field "f" added
1982         
1983         a: GetLocal()
1984         b: CheckStructure(@a, {S2})
1985         c: ToString(StringObject:@a)
1986         ```
1987         
1988         According to AI, in the above program, we would exit at @c, since
1989         StringObject:@a implies a structure check of {S1}, and the intersection
1990         of {S1} and {S2} is {}. So, we'd convert the program to be:
1991         ```
1992         a: GetLocal()
1993         b: CheckStructure(@a, {S2})
1994         c: Check(StringObject:@a)
1995         d: Unreachable
1996         ```
1997         
1998         However, AI would set the proof status of the StringObject:@a edge
1999         to be proven, since the SpeculatedType for @a is SpecStringObject.
2000         This was incorrect of AI to do because the SpeculatedType itself
2001         didn't capture the full power of StringObjectUse. However, having
2002         a UseKind mean CheckStructure is weird precisely because what AI was
2003         doing is a natural fit to how we typically think about UseKinds.
2004         
2005         So the above program would then incorrectly be converted to this, and
2006         we'd crash when reaching the Unreachable node:
2007         ```
2008         a: GetLocal()
2009         b: CheckStructure(@a, {S2})
2010         d: Unreachable
2011         ```
2012         
2013         This patch makes it so that StringObjectUse just means that the object that
2014         filters through a StringObjectUse check must !!jsDynamicCast<StringObject*>.
2015         This is now in line with all other UseKinds. It also lets us simplify a bunch
2016         of other code that had weird checks for the StringObjectUse UseKind.
2017         
2018         This patch also makes it so that anywhere where we used to rely on
2019         StringObjectUse implying a structure check we actually emit an explicit
2020         CheckStructure node.
2021
2022         * JavaScriptCore.xcodeproj/project.pbxproj:
2023         * bytecode/ExitKind.cpp:
2024         (JSC::exitKindToString):
2025         * bytecode/ExitKind.h:
2026         * dfg/DFGAbstractInterpreterInlines.h:
2027         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2028         * dfg/DFGCSEPhase.cpp:
2029         * dfg/DFGClobberize.h:
2030         (JSC::DFG::clobberize):
2031         * dfg/DFGEdgeUsesStructure.h: Removed.
2032         * dfg/DFGFixupPhase.cpp:
2033         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2034         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
2035         (JSC::DFG::FixupPhase::fixupToPrimitive):
2036         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2037         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2038         (JSC::DFG::FixupPhase::isStringObjectUse): Deleted.
2039         * dfg/DFGGraph.cpp:
2040         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2041         * dfg/DFGMayExit.cpp:
2042         * dfg/DFGSpeculativeJIT.cpp:
2043         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
2044         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2045         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2046         * dfg/DFGSpeculativeJIT.h:
2047         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): Deleted.
2048         * dfg/DFGUseKind.h:
2049         (JSC::DFG::alreadyChecked):
2050         (JSC::DFG::usesStructure): Deleted.
2051         * ftl/FTLLowerDFGToB3.cpp:
2052         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
2053         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObject):
2054         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
2055         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForCell):
2056         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForStructureID): Deleted.
2057         * runtime/JSType.cpp:
2058         (WTF::printInternal):
2059         * runtime/JSType.h:
2060         * runtime/StringObject.h:
2061         (JSC::StringObject::createStructure):
2062         * runtime/StringPrototype.h:
2063
2064 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2065
2066         [JSC] Add generateHeapSnapshotForGCDebugging function to dump GCDebugging data
2067         https://bugs.webkit.org/show_bug.cgi?id=193526
2068
2069         Reviewed by Michael Saboff.
2070
2071         This patch adds generateHeapSnapshotForGCDebugging to the JSC shell to dump the heap snapshot JSON string with the GCDebugging option.
2072         GCDebuggingSnapshot mode is slightly different from InspectorSnapshot in terms of both the output data and the behavior.
2073         It always takes a full snapshot, and it reports internal data too. This is useful to view the live heap objects after running
2074         the code. Also, generateHeapSnapshotForGCDebugging returns a String instead of parsing it to a JSObject internally by calling
2075         JSON.parse. If we convert the String to a bunch of objects by using JSON.parse, it is difficult to call generateHeapSnapshotForGCDebugging
2076         multiple times for debugging. Currently, it only generates a large string, which is easily distinguishable in the heap inspector tool.
2077
2078         * jsc.cpp:
2079         (GlobalObject::finishCreation):
2080         (functionGenerateHeapSnapshotForGCDebugging):
2081
2082 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2083
2084         [JSC] ToThis omission in DFGByteCodeParser is wrong
2085         https://bugs.webkit.org/show_bug.cgi?id=193513
2086         <rdar://problem/45842236>
2087
2088         Reviewed by Saam Barati.
2089
2090         DFGByteCodeParser omitted the ToThis node when we have `ToThis(ToThis(value))`. This is wrong if ToThis has different semantics
2091         in sloppy mode and strict mode. If we convert `ToThisInSloppyMode(ToThisInStrictMode(boolean))` to `ToThisInStrictMode(boolean)`,
2092         we get a boolean instead of a BooleanObject.
2093
2094         This optimization was introduced more than 7 years ago, and since then several optimizations that can remove such ToThis nodes
2095         have been added in BytecodeParser, AI, and Fixup. Furthermore, this optimization is simply wrong since the `toThis()` function of a JSCell can be defined
2096         however its implementer wants. Until we ensure all the toThis functions are safe, we should not fold `ToThis(ToThis(value))` => `ToThis(value)`.
2097         This patch just removes the problematic optimization. The performance numbers look neutral.
2098
2099         * dfg/DFGAbstractInterpreterInlines.h:
2100         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2101         * dfg/DFGByteCodeParser.cpp:
2102         (JSC::DFG::ByteCodeParser::parseBlock):
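
The sloppy-versus-strict ToThis difference described above can be observed from plain JavaScript. The following is an added example, not code from the WebKit patch: `strictReceiver` and `sloppyReceiver` return their `this`, `nested` applies the sloppy conversion to the result of the strict one (the `ToThisInSloppyMode(ToThisInStrictMode(v))` shape), and `folded` is what the removed fold would have executed instead. The sloppy function is built with the Function constructor so that it stays sloppy even if this file is loaded as a strict module; all function names are hypothetical.

```javascript
// Added example (not WebKit code): why ToThis(ToThis(v)) => ToThis(v) is unsound.

function strictReceiver() {
    "use strict";
    return this; // strict ToThis: primitives, null and undefined pass through untouched
}

// Built via Function so it is sloppy regardless of the enclosing file's strictness.
// Sloppy ToThis: primitives are boxed, null/undefined become the global object.
const sloppyReceiver = new Function("return this;");

// ToThisInSloppyMode(ToThisInStrictMode(v)): the shape the DFG used to fold.
function nested(v) {
    return sloppyReceiver.call(strictReceiver.call(v));
}

// What the removed optimization would have run instead: only the inner ToThis.
function folded(v) {
    return strictReceiver.call(v);
}

// Describe a value the way the changelog does: "boolean" vs "BooleanObject", etc.
function kindOf(v) {
    if (v === globalThis) return "globalThis";
    if (v === null) return "null";
    if (typeof v !== "object") return typeof v;
    const tag = Object.prototype.toString.call(v).slice(8, -1); // "Boolean", "Number", ...
    return ["Boolean", "Number", "String", "Symbol", "BigInt"].includes(tag) ? tag + "Object" : tag;
}

// Run both versions over sample receivers and report where the fold changes behaviour.
function compareFold(samples = [true, 42, "str", Symbol("s"), undefined, null, {}]) {
    return samples.map((v) => ({
        input: kindOf(v),
        nested: kindOf(nested(v)),
        folded: kindOf(folded(v)),
        sameResult: nested(v) === folded(v),
    }));
}
```

Only the plain object survives the fold unchanged; every primitive, as well as null and undefined, comes out with a different type, which is exactly the boolean-versus-BooleanObject mismatch the entry describes.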
2103
2104 2019-01-16  Mark Lam  <mark.lam@apple.com>
2105
2106         Refactor new bytecode structs so that the fields are prefixed with "m_".
2107         https://bugs.webkit.org/show_bug.cgi?id=193467
2108
2109         Reviewed by Saam Barati and Tadeu Zagallo.
2110
2111         This makes it easier to do a manual audit of type correctness of the LLInt
2112         instructions used to access these fields.  Without this change, it would be
2113         difficult (and error prone) to distinguish the difference between field names and
2114         macro variables.  This audit will be done after this patch lands.
2115
2116         * bytecode/BytecodeGeneratorification.cpp:
2117         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2118         * bytecode/BytecodeUseDef.h:
2119         (JSC::computeUsesForBytecodeOffset):
2120         * bytecode/CallLinkStatus.cpp:
2121         (JSC::CallLinkStatus::computeFromLLInt):
2122         * bytecode/CodeBlock.cpp:
2123         (JSC::CodeBlock::finishCreation):
2124         (JSC::CodeBlock::propagateTransitions):
2125         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2126         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
2127         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2128         (JSC::CodeBlock::getArrayProfile):
2129         (JSC::CodeBlock::notifyLexicalBindingShadowing):
2130         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2131         (JSC::CodeBlock::arithProfileForPC):
2132         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2133         * bytecode/CodeBlockInlines.h:
2134         (JSC::CodeBlock::forEachValueProfile):
2135         (JSC::CodeBlock::forEachArrayProfile):
2136         (JSC::CodeBlock::forEachArrayAllocationProfile):
2137         (JSC::CodeBlock::forEachObjectAllocationProfile):
2138         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2139         * bytecode/GetByIdStatus.cpp:
2140         (JSC::GetByIdStatus::computeFromLLInt):
2141         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2142         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2143         * bytecode/PreciseJumpTargetsInlines.h:
2144         (JSC::jumpTargetForInstruction):
2145         (JSC::extractStoredJumpTargetsForInstruction):
2146         (JSC::updateStoredJumpTargetsForInstruction):
2147         * bytecode/PutByIdStatus.cpp:
2148         (JSC::PutByIdStatus::computeFromLLInt):
2149         * bytecode/UnlinkedCodeBlock.cpp:
2150         (JSC::dumpLineColumnEntry):
2151         * bytecompiler/BytecodeGenerator.cpp:
2152         (JSC::BytecodeGenerator::fuseCompareAndJump):
2153         (JSC::BytecodeGenerator::fuseTestAndJmp):
2154         (JSC::BytecodeGenerator::emitEqualityOp):
2155         (JSC::BytecodeGenerator::endSwitch):
2156         (JSC::StructureForInContext::finalize):
2157         * dfg/DFGByteCodeParser.cpp:
2158         (JSC::DFG::ByteCodeParser::handleCall):
2159         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2160         (JSC::DFG::ByteCodeParser::parseGetById):
2161         (JSC::DFG::ByteCodeParser::parseBlock):
2162         (JSC::DFG::ByteCodeParser::handlePutByVal):
2163         (JSC::DFG::ByteCodeParser::handlePutAccessorById):
2164         (JSC::DFG::ByteCodeParser::handlePutAccessorByVal):
2165         (JSC::DFG::ByteCodeParser::handleNewFunc):
2166         (JSC::DFG::ByteCodeParser::handleNewFuncExp):
2167         * dfg/DFGOSREntry.cpp:
2168         (JSC::DFG::prepareCatchOSREntry):
2169         * ftl/FTLOperations.cpp:
2170         (JSC::FTL::operationMaterializeObjectInOSR):
2171         * generator/Argument.rb:
2172         * generator/Metadata.rb:
2173         * generator/Opcode.rb:
2174         * jit/JIT.h:
2175         * jit/JITArithmetic.cpp:
2176         (JSC::JIT::emit_op_unsigned):
2177         (JSC::JIT::emit_compareAndJump):
2178         (JSC::JIT::emit_compareUnsignedAndJump):
2179         (JSC::JIT::emit_compareUnsigned):
2180         (JSC::JIT::emit_compareAndJumpSlow):
2181         (JSC::JIT::emit_op_inc):
2182         (JSC::JIT::emit_op_dec):
2183         (JSC::JIT::emit_op_mod):
2184         (JSC::JIT::emit_op_negate):
2185         (JSC::JIT::emitBitBinaryOpFastPath):
2186         (JSC::JIT::emit_op_bitnot):
2187         (JSC::JIT::emitRightShiftFastPath):
2188         (JSC::JIT::emit_op_add):
2189         (JSC::JIT::emitMathICFast):
2190         (JSC::JIT::emitMathICSlow):
2191         (JSC::JIT::emit_op_div):
2192         (JSC::JIT::emit_op_mul):
2193         (JSC::JIT::emit_op_sub):
2194         * jit/JITArithmetic32_64.cpp:
2195         (JSC::JIT::emit_compareAndJump):
2196         (JSC::JIT::emit_compareUnsignedAndJump):
2197         (JSC::JIT::emit_compareUnsigned):
2198         (JSC::JIT::emit_compareAndJumpSlow):
2199         (JSC::JIT::emit_op_unsigned):
2200         (JSC::JIT::emit_op_inc):
2201         (JSC::JIT::emit_op_dec):
2202         (JSC::JIT::emitBinaryDoubleOp):
2203         (JSC::JIT::emit_op_mod):
2204         * jit/JITCall.cpp:
2205         (JSC::JIT::emitPutCallResult):
2206         (JSC::JIT::compileSetupFrame):
2207         (JSC::JIT::compileCallEvalSlowCase):
2208         (JSC::JIT::compileTailCall):
2209         (JSC::JIT::compileOpCall):
2210         * jit/JITCall32_64.cpp:
2211         (JSC::JIT::emitPutCallResult):
2212         (JSC::JIT::emit_op_ret):
2213         (JSC::JIT::compileSetupFrame):
2214         (JSC::JIT::compileCallEvalSlowCase):
2215         (JSC::JIT::compileOpCall):
2216         * jit/JITInlines.h:
2217         (JSC::JIT::emitValueProfilingSiteIfProfiledOpcode):
2218         (JSC::JIT::emitValueProfilingSite):
2219         (JSC::JIT::copiedGetPutInfo):
2220         (JSC::JIT::copiedArithProfile):
2221         * jit/JITOpcodes.cpp:
2222         (JSC::JIT::emit_op_mov):
2223         (JSC::JIT::emit_op_end):
2224         (JSC::JIT::emit_op_jmp):
2225         (JSC::JIT::emit_op_new_object):
2226         (JSC::JIT::emitSlow_op_new_object):
2227         (JSC::JIT::emit_op_overrides_has_instance):
2228         (JSC::JIT::emit_op_instanceof):
2229         (JSC::JIT::emitSlow_op_instanceof):
2230         (JSC::JIT::emit_op_is_empty):
2231         (JSC::JIT::emit_op_is_undefined):
2232         (JSC::JIT::emit_op_is_undefined_or_null):
2233         (JSC::JIT::emit_op_is_boolean):
2234         (JSC::JIT::emit_op_is_number):
2235         (JSC::JIT::emit_op_is_cell_with_type):
2236         (JSC::JIT::emit_op_is_object):
2237         (JSC::JIT::emit_op_ret):
2238         (JSC::JIT::emit_op_to_primitive):
2239         (JSC::JIT::emit_op_set_function_name):
2240         (JSC::JIT::emit_op_not):
2241         (JSC::JIT::emit_op_jfalse):
2242         (JSC::JIT::emit_op_jeq_null):
2243         (JSC::JIT::emit_op_jneq_null):
2244         (JSC::JIT::emit_op_jneq_ptr):
2245         (JSC::JIT::emit_op_eq):
2246         (JSC::JIT::emit_op_jeq):
2247         (JSC::JIT::emit_op_jtrue):
2248         (JSC::JIT::emit_op_neq):
2249         (JSC::JIT::emit_op_jneq):
2250         (JSC::JIT::emit_op_throw):
2251         (JSC::JIT::compileOpStrictEq):
2252         (JSC::JIT::compileOpStrictEqJump):
2253         (JSC::JIT::emitSlow_op_jstricteq):
2254         (JSC::JIT::emitSlow_op_jnstricteq):
2255         (JSC::JIT::emit_op_to_number):
2256         (JSC::JIT::emit_op_to_string):
2257         (JSC::JIT::emit_op_to_object):
2258         (JSC::JIT::emit_op_catch):
2259         (JSC::JIT::emit_op_get_parent_scope):
2260         (JSC::JIT::emit_op_switch_imm):
2261         (JSC::JIT::emit_op_switch_char):
2262         (JSC::JIT::emit_op_switch_string):
2263         (JSC::JIT::emit_op_debug):
2264         (JSC::JIT::emit_op_eq_null):
2265         (JSC::JIT::emit_op_neq_null):
2266         (JSC::JIT::emit_op_get_scope):
2267         (JSC::JIT::emit_op_to_this):
2268         (JSC::JIT::emit_op_create_this):
2269         (JSC::JIT::emit_op_check_tdz):
2270         (JSC::JIT::emitSlow_op_eq):
2271         (JSC::JIT::emitSlow_op_neq):
2272         (JSC::JIT::emitSlow_op_jeq):
2273         (JSC::JIT::emitSlow_op_jneq):
2274         (JSC::JIT::emitSlow_op_instanceof_custom):
2275         (JSC::JIT::emit_op_new_regexp):
2276         (JSC::JIT::emitNewFuncCommon):
2277         (JSC::JIT::emitNewFuncExprCommon):
2278         (JSC::JIT::emit_op_new_array):
2279         (JSC::JIT::emit_op_new_array_with_size):
2280         (JSC::JIT::emit_op_has_structure_property):
2281         (JSC::JIT::emit_op_has_indexed_property):
2282         (JSC::JIT::emitSlow_op_has_indexed_property):
2283         (JSC::JIT::emit_op_get_direct_pname):
2284         (JSC::JIT::emit_op_enumerator_structure_pname):
2285         (JSC::JIT::emit_op_enumerator_generic_pname):
2286         (JSC::JIT::emit_op_profile_type):
2287         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2288         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2289         (JSC::JIT::emit_op_profile_control_flow):
2290         (JSC::JIT::emit_op_argument_count):
2291         (JSC::JIT::emit_op_get_rest_length):
2292         (JSC::JIT::emit_op_get_argument):
2293         * jit/JITOpcodes32_64.cpp:
2294         (JSC::JIT::emit_op_mov):
2295         (JSC::JIT::emit_op_end):
2296         (JSC::JIT::emit_op_jmp):
2297         (JSC::JIT::emit_op_new_object):
2298         (JSC::JIT::emitSlow_op_new_object):
2299         (JSC::JIT::emit_op_overrides_has_instance):
2300         (JSC::JIT::emit_op_instanceof):
2301         (JSC::JIT::emitSlow_op_instanceof):
2302         (JSC::JIT::emitSlow_op_instanceof_custom):
2303         (JSC::JIT::emit_op_is_empty):
2304         (JSC::JIT::emit_op_is_undefined):
2305         (JSC::JIT::emit_op_is_undefined_or_null):
2306         (JSC::JIT::emit_op_is_boolean):
2307         (JSC::JIT::emit_op_is_number):
2308         (JSC::JIT::emit_op_is_cell_with_type):
2309         (JSC::JIT::emit_op_is_object):
2310         (JSC::JIT::emit_op_to_primitive):
2311         (JSC::JIT::emit_op_set_function_name):
2312         (JSC::JIT::emit_op_not):
2313         (JSC::JIT::emit_op_jfalse):
2314         (JSC::JIT::emit_op_jtrue):
2315         (JSC::JIT::emit_op_jeq_null):
2316         (JSC::JIT::emit_op_jneq_null):
2317         (JSC::JIT::emit_op_jneq_ptr):
2318         (JSC::JIT::emit_op_eq):
2319         (JSC::JIT::emitSlow_op_eq):
2320         (JSC::JIT::emit_op_jeq):
2321         (JSC::JIT::emitSlow_op_jeq):
2322         (JSC::JIT::emit_op_neq):
2323         (JSC::JIT::emitSlow_op_neq):
2324         (JSC::JIT::emit_op_jneq):
2325         (JSC::JIT::emitSlow_op_jneq):
2326         (JSC::JIT::compileOpStrictEq):
2327         (JSC::JIT::compileOpStrictEqJump):
2328         (JSC::JIT::emitSlow_op_jstricteq):
2329         (JSC::JIT::emitSlow_op_jnstricteq):
2330         (JSC::JIT::emit_op_eq_null):
2331         (JSC::JIT::emit_op_neq_null):
2332         (JSC::JIT::emit_op_throw):
2333         (JSC::JIT::emit_op_to_number):
2334         (JSC::JIT::emit_op_to_string):
2335         (JSC::JIT::emit_op_to_object):
2336         (JSC::JIT::emit_op_catch):
2337         (JSC::JIT::emit_op_get_parent_scope):
2338         (JSC::JIT::emit_op_switch_imm):
2339         (JSC::JIT::emit_op_switch_char):
2340         (JSC::JIT::emit_op_switch_string):
2341         (JSC::JIT::emit_op_debug):
2342         (JSC::JIT::emit_op_get_scope):
2343         (JSC::JIT::emit_op_create_this):
2344         (JSC::JIT::emit_op_to_this):
2345         (JSC::JIT::emit_op_check_tdz):
2346         (JSC::JIT::emit_op_has_structure_property):
2347         (JSC::JIT::emit_op_has_indexed_property):
2348         (JSC::JIT::emitSlow_op_has_indexed_property):
2349         (JSC::JIT::emit_op_get_direct_pname):
2350         (JSC::JIT::emit_op_enumerator_structure_pname):
2351         (JSC::JIT::emit_op_enumerator_generic_pname):
2352         (JSC::JIT::emit_op_profile_type):
2353         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2354         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2355         * jit/JITOperations.cpp:
2356         * jit/JITPropertyAccess.cpp:
2357         (JSC::JIT::emit_op_get_by_val):
2358         (JSC::JIT::emitGetByValWithCachedId):
2359         (JSC::JIT::emitSlow_op_get_by_val):
2360         (JSC::JIT::emit_op_put_by_val):
2361         (JSC::JIT::emitGenericContiguousPutByVal):
2362         (JSC::JIT::emitArrayStoragePutByVal):
2363         (JSC::JIT::emitPutByValWithCachedId):
2364         (JSC::JIT::emitSlow_op_put_by_val):
2365         (JSC::JIT::emit_op_put_getter_by_id):
2366         (JSC::JIT::emit_op_put_setter_by_id):
2367         (JSC::JIT::emit_op_put_getter_setter_by_id):
2368         (JSC::JIT::emit_op_put_getter_by_val):
2369         (JSC::JIT::emit_op_put_setter_by_val):
2370         (JSC::JIT::emit_op_del_by_id):
2371         (JSC::JIT::emit_op_del_by_val):
2372         (JSC::JIT::emit_op_try_get_by_id):
2373         (JSC::JIT::emitSlow_op_try_get_by_id):
2374         (JSC::JIT::emit_op_get_by_id_direct):
2375         (JSC::JIT::emitSlow_op_get_by_id_direct):
2376         (JSC::JIT::emit_op_get_by_id):
2377         (JSC::JIT::emit_op_get_by_id_with_this):
2378         (JSC::JIT::emitSlow_op_get_by_id):
2379         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2380         (JSC::JIT::emit_op_put_by_id):
2381         (JSC::JIT::emitSlow_op_put_by_id):
2382         (JSC::JIT::emit_op_in_by_id):
2383         (JSC::JIT::emitSlow_op_in_by_id):
2384         (JSC::JIT::emit_op_resolve_scope):
2385         (JSC::JIT::emit_op_get_from_scope):
2386         (JSC::JIT::emitSlow_op_get_from_scope):
2387         (JSC::JIT::emit_op_put_to_scope):
2388         (JSC::JIT::emit_op_get_from_arguments):
2389         (JSC::JIT::emit_op_put_to_arguments):
2390         (JSC::JIT::emitIntTypedArrayPutByVal):
2391         (JSC::JIT::emitFloatTypedArrayPutByVal):
2392         * jit/JITPropertyAccess32_64.cpp:
2393         (JSC::JIT::emit_op_put_getter_by_id):
2394         (JSC::JIT::emit_op_put_setter_by_id):
2395         (JSC::JIT::emit_op_put_getter_setter_by_id):
2396         (JSC::JIT::emit_op_put_getter_by_val):
2397         (JSC::JIT::emit_op_put_setter_by_val):
2398         (JSC::JIT::emit_op_del_by_id):
2399         (JSC::JIT::emit_op_del_by_val):
2400         (JSC::JIT::emit_op_get_by_val):
2401         (JSC::JIT::emitGetByValWithCachedId):
2402         (JSC::JIT::emitSlow_op_get_by_val):
2403         (JSC::JIT::emit_op_put_by_val):
2404         (JSC::JIT::emitGenericContiguousPutByVal):
2405         (JSC::JIT::emitArrayStoragePutByVal):
2406         (JSC::JIT::emitPutByValWithCachedId):
2407         (JSC::JIT::emitSlow_op_put_by_val):
2408         (JSC::JIT::emit_op_try_get_by_id):
2409         (JSC::JIT::emitSlow_op_try_get_by_id):
2410         (JSC::JIT::emit_op_get_by_id_direct):
2411         (JSC::JIT::emitSlow_op_get_by_id_direct):
2412         (JSC::JIT::emit_op_get_by_id):
2413         (JSC::JIT::emitSlow_op_get_by_id):
2414         (JSC::JIT::emit_op_get_by_id_with_this):
2415         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2416         (JSC::JIT::emit_op_put_by_id):
2417         (JSC::JIT::emitSlow_op_put_by_id):
2418         (JSC::JIT::emit_op_in_by_id):
2419         (JSC::JIT::emitSlow_op_in_by_id):
2420         (JSC::JIT::emit_op_resolve_scope):
2421         (JSC::JIT::emit_op_get_from_scope):
2422         (JSC::JIT::emitSlow_op_get_from_scope):
2423         (JSC::JIT::emit_op_put_to_scope):
2424         (JSC::JIT::emit_op_get_from_arguments):
2425         (JSC::JIT::emit_op_put_to_arguments):
2426         * llint/LLIntSlowPaths.cpp:
2427         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2428         (JSC::LLInt::setupGetByIdPrototypeCache):
2429         (JSC::LLInt::getByVal):
2430         (JSC::LLInt::genericCall):
2431         (JSC::LLInt::varargsSetup):
2432         (JSC::LLInt::commonCallEval):
2433         * llint/LowLevelInterpreter.asm:
2434         * llint/LowLevelInterpreter32_64.asm:
2435         * llint/LowLevelInterpreter64.asm:
2436         * runtime/CommonSlowPaths.cpp:
2437         (JSC::SLOW_PATH_DECL):
2438         (JSC::updateArithProfileForUnaryArithOp):
2439         * runtime/CommonSlowPaths.h:
2440         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2441         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2442
2443 2019-01-15  Mark Lam  <mark.lam@apple.com>
2444
2445         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2446         https://bugs.webkit.org/show_bug.cgi?id=193423
2447         <rdar://problem/46209355>
2448
2449         Reviewed by Saam Barati.
2450
2451         JSFunction::canUseAllocationProfile() should return false for most builtins
2452         because the majority of them have no prototype property.  The only exception to
2453         this is the few builtin functions that are explicitly used as constructors.
2454
2455         For these builtin constructors, JSFunction::canUseAllocationProfile() should also
2456         return false if the prototype property is a getter or custom getter because
2457         getting the prototype would then be effectful.
2458
2459         * dfg/DFGOperations.cpp:
2460         * runtime/CommonSlowPaths.cpp:
2461         (JSC::SLOW_PATH_DECL):
2462         * runtime/JSFunctionInlines.h:
2463         (JSC::JSFunction::canUseAllocationProfile):
2464         * runtime/PropertySlot.h:
2465
2466 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2467
2468         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2469         https://bugs.webkit.org/show_bug.cgi?id=193438
2470         <rdar://problem/45581249>
2471
2472         Reviewed by Saam Barati and Keith Miller.
2473
2474         GetByVal(Array::String) emits Check(String) before it. But AI can broaden the type constraint in the second run.
2475         After the first run removes Check(String), it can happen that AI starts saying the type of the 1st child is not String.
2476         To claim that it *is* a String type, we should use KnownStringUse here.
2477
2478         * dfg/DFGFixupPhase.cpp:
2479         (JSC::DFG::FixupPhase::fixupNode): StringCharAt and GetByVal(Array::String) share the underlying compiler code. We should
2480         change StringUse => KnownStringUse for StringCharAt too. And StringCharAt and StringCharCodeAt potentially have the same
2481         problem. This patch fixes it too.
2482         * dfg/DFGSSALoweringPhase.cpp:
2483         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2484         * ftl/FTLLowerDFGToB3.cpp:
2485         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2486         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2487
2488 2019-01-15  Saam Barati  <sbarati@apple.com>
2489
2490         Try ripping out inferred types because it might be a performance improvement
2491         https://bugs.webkit.org/show_bug.cgi?id=190906
2492
2493         Reviewed by Yusuke Suzuki.
2494
2495         This patch removes inferred types from JSC. Initial evidence shows that
2496         this might be around a ~1% speedup on Speedometer2 and JetStream2.
2497
2498         * JavaScriptCore.xcodeproj/project.pbxproj:
2499         * Sources.txt:
2500         * bytecode/AccessCase.cpp:
2501         (JSC::AccessCase::generateImpl):
2502         * bytecode/Fits.h:
2503         * bytecode/PutByIdFlags.cpp:
2504         (WTF::printInternal):
2505         * bytecode/PutByIdFlags.h:
2506         * bytecode/PutByIdStatus.cpp:
2507         (JSC::PutByIdStatus::computeFromLLInt):
2508         (JSC::PutByIdStatus::computeForStubInfo):
2509         (JSC::PutByIdStatus::computeFor):
2510         * bytecode/PutByIdVariant.cpp:
2511         (JSC::PutByIdVariant::operator=):
2512         (JSC::PutByIdVariant::replace):
2513         (JSC::PutByIdVariant::transition):
2514         (JSC::PutByIdVariant::setter):
2515         (JSC::PutByIdVariant::attemptToMerge):
2516         (JSC::PutByIdVariant::dumpInContext const):
2517         * bytecode/PutByIdVariant.h:
2518         (JSC::PutByIdVariant::requiredType const): Deleted.
2519         * dfg/DFGAbstractInterpreterInlines.h:
2520         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2521         * dfg/DFGAbstractValue.cpp:
2522         (JSC::DFG::AbstractValue::isType const): Deleted.
2523         * dfg/DFGAbstractValue.h:
2524         * dfg/DFGByteCodeParser.cpp:
2525         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2526         (JSC::DFG::ByteCodeParser::handlePutByOffset):
2527         (JSC::DFG::ByteCodeParser::load):
2528         (JSC::DFG::ByteCodeParser::store):
2529         (JSC::DFG::ByteCodeParser::handlePutById):
2530         (JSC::DFG::ByteCodeParser::parseBlock):
2531         * dfg/DFGConstantFoldingPhase.cpp:
2532         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2533         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2534         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2535         * dfg/DFGDesiredInferredType.h: Removed.
2536         * dfg/DFGDesiredWatchpoints.cpp:
2537         (JSC::DFG::DesiredWatchpoints::reallyAdd):
2538         (JSC::DFG::DesiredWatchpoints::areStillValid const):
2539         (JSC::DFG::DesiredWatchpoints::dumpInContext const):
2540         (JSC::DFG::InferredTypeAdaptor::add): Deleted.
2541         * dfg/DFGDesiredWatchpoints.h:
2542         (JSC::DFG::DesiredWatchpoints::isWatched):
2543         (JSC::DFG::InferredTypeAdaptor::hasBeenInvalidated): Deleted.
2544         (JSC::DFG::InferredTypeAdaptor::dumpInContext): Deleted.
2545         * dfg/DFGFixupPhase.cpp:
2546         (JSC::DFG::FixupPhase::fixupNode):
2547         * dfg/DFGGraph.cpp:
2548         (JSC::DFG::Graph::dump):
2549         (JSC::DFG::Graph::inferredValueForProperty):
2550         (JSC::DFG::Graph::inferredTypeFor): Deleted.
2551         * dfg/DFGGraph.h:
2552         (JSC::DFG::Graph::registerInferredType): Deleted.
2553         (JSC::DFG::Graph::inferredTypeForProperty): Deleted.
2554         * dfg/DFGInferredTypeCheck.cpp: Removed.
2555         * dfg/DFGInferredTypeCheck.h: Removed.
2556         * dfg/DFGNode.h:
2557         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2558         * dfg/DFGSafeToExecute.h:
2559         (JSC::DFG::safeToExecute):
2560         * ftl/FTLLowerDFGToB3.cpp:
2561         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2562         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType): Deleted.
2563         * generator/DSL.rb:
2564         * heap/Heap.cpp:
2565         (JSC::Heap::finalizeUnconditionalFinalizers):
2566         * jit/AssemblyHelpers.cpp:
2567         (JSC::AssemblyHelpers::branchIfNotType): Deleted.
2568         * jit/AssemblyHelpers.h:
2569         * jit/Repatch.cpp:
2570         (JSC::tryCachePutByID):
2571         * llint/LLIntOffsetsExtractor.cpp:
2572         * llint/LLIntSlowPaths.cpp:
2573         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2574         * llint/LowLevelInterpreter.asm:
2575         * llint/LowLevelInterpreter32_64.asm:
2576         * llint/LowLevelInterpreter64.asm:
2577         * runtime/InferredStructure.cpp:
2578         (JSC::InferredStructure::InferredStructure): Deleted.
2579         * runtime/InferredStructure.h:
2580         (): Deleted.
2581         * runtime/InferredStructureWatchpoint.cpp:
2582         (JSC::InferredStructureWatchpoint::fireInternal): Deleted.
2583         * runtime/InferredType.cpp: Removed.
2584         * runtime/InferredType.h: Removed.
2585         * runtime/InferredTypeInlines.h: Removed.
2586         * runtime/InferredTypeTable.cpp: Removed.
2587         * runtime/InferredTypeTable.h: Removed.
2588         * runtime/JSObjectInlines.h:
2589         (JSC::JSObject::putDirectInternal):
2590         * runtime/Structure.cpp:
2591         (JSC::Structure::materializePropertyTable):
2592         (JSC::Structure::addNewPropertyTransition):
2593         (JSC::Structure::removePropertyTransition):
2594         (JSC::Structure::willStoreValueSlow):
2595         (JSC::Structure::visitChildren):
2596         * runtime/Structure.h:
2597         (JSC::PropertyMapEntry::PropertyMapEntry):
2598         * runtime/StructureInlines.h:
2599         (JSC::Structure::get):
2600         * runtime/VM.cpp:
2601         (JSC::VM::VM):
2602         * runtime/VM.h:
2603
2604 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2605
2606         Unreviewed: Fix the -Wformat compiler warnings
2607
2608         * jsc.cpp:
2609         (jscmain):
2610
2611 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2612
2613         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2614         https://bugs.webkit.org/show_bug.cgi?id=192966
2615
2616         Reviewed by Yusuke Suzuki.
2617
2618         This patch is changing the logic of how we lower bitwise operations, to
2619         consider only the type of input nodes and fix them during FixupPhase,
2620         if necessary. We are also changing the prediction propagation rules
2621         for ValueBitOp to use `getHeapPrediction()`.
2622
2623         * dfg/DFGBackwardsPropagationPhase.cpp:
2624         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2625         (JSC::DFG::BackwardsPropagationPhase::propagate):
2626         * dfg/DFGByteCodeParser.cpp:
2627         (JSC::DFG::ByteCodeParser::parseBlock):
2628         * dfg/DFGFixupPhase.cpp:
2629         (JSC::DFG::FixupPhase::fixupNode):
2630         * dfg/DFGNode.h:
2631         (JSC::DFG::Node::hasInt32Result):
2632         (JSC::DFG::Node::hasNumberOrAnyIntResult):
2633         (JSC::DFG::Node::hasHeapPrediction):
2634         * dfg/DFGPredictionPropagationPhase.cpp:
2635
2636 2019-01-15  Joseph Pecoraro  <pecoraro@apple.com>
2637
2638         Web Inspector: Generate the DOMDebugger domain for Augmenting Agents (ObjC protocol)
2639         https://bugs.webkit.org/show_bug.cgi?id=193409
2640         <rdar://problem/44349411>
2641
2642         Reviewed by Devin Rousso.
2643
2644         * inspector/scripts/codegen/objc_generator.py:
2645         (ObjCGenerator):
2646         Generate DOMDebugger domain ObjC interfaces.
2647
2648 2019-01-15  Devin Rousso  <drousso@apple.com>
2649
2650         Web Inspector: Audit: create new IDL type for exposing special functionality in test context
2651         https://bugs.webkit.org/show_bug.cgi?id=193149
2652         <rdar://problem/46801218>
2653
2654         Reviewed by Joseph Pecoraro.
2655
2656         Create a new `AuditAgent` (and various subclasses for different inspection targets)
2657
2658         * inspector/protocol/Audit.json: Added.
2659         Add a `run` command that is a simpler version of `Runtime.evaluate`, except that it expects
2660         a function string instead of an arbitrary JavaScript expression.
2661         Add `setup` and `teardown` commands that create a JavaScript object that will be passed in
2662         to the test as an argument. Keep this object alive so that tests can add to the object and
2663         have later tests use what was added.
2664
2665         * inspector/agents/InspectorAuditAgent.h: Added.
2666         * inspector/agents/InspectorAuditAgent.cpp: Added.
2667         (Inspector::InspectorAuditAgent::InspectorAuditAgent):
2668         (Inspector::InspectorAuditAgent::didCreateFrontendAndBackend):
2669         (Inspector::InspectorAuditAgent::willDestroyFrontendAndBackend):
2670         (Inspector::InspectorAuditAgent::setup):
2671         (Inspector::InspectorAuditAgent::run):
2672         (Inspector::InspectorAuditAgent::teardown):
2673         (Inspector::InspectorAuditAgent::hasActiveAudit):
2674         (Inspector::InspectorAuditAgent::populateAuditObject):
2675
2676         * inspector/agents/JSGlobalObjectAuditAgent.h: Added.
2677         * inspector/agents/JSGlobalObjectAuditAgent.cpp: Added.
2678         (Inspector::JSGlobalObjectAuditAgent::JSGlobalObjectAuditAgent):
2679         (Inspector::JSGlobalObjectAuditAgent::injectedScriptForEval):
2680
2681         * inspector/JSGlobalObjectInspectorController.h:
2682         * inspector/JSGlobalObjectInspectorController.cpp:
2683         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2684         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2685         (Inspector::JSGlobalObjectInspectorController::jsAgentContext): Added.
2686         (Inspector::JSGlobalObjectInspectorController::createLazyAgents): Added.
2687
2688         * inspector/InjectedScript.h:
2689         * inspector/InjectedScript.cpp:
2690         (Inspector::InjectedScript::execute): Added.
2691         (Inspector::InjectedScript::arrayFromVector): Added.
2692         Create a version of `evaluate` that accepts a list of values to be passed in as arguments
2693         to the function that was created by the `eval` of the given `functionString`.
2694
2695         * inspector/InjectedScriptSource.js:
2696         (InjectedScript.prototype.execute): Added.
2697         (InjectedScript.prototype.evaluate):
2698         (InjectedScript.prototype.evaluateOnCallFrame):
2699         (InjectedScript.prototype._evaluateAndWrap):
2700         (InjectedScript.prototype._wrapAndSaveCall): Added.
2701         (InjectedScript.prototype._wrapCall): Added.
2702         (InjectedScript.prototype._evaluateOn):
2703         Refactor the `eval` and `saveResult` logic to allow for more flexibility for other callers.
2704
2705         * CMakeLists.txt:
2706         * DerivedSources-input.xcfilelist:
2707         * DerivedSources.make:
2708         * JavaScriptCore.xcodeproj/project.pbxproj:
2709         * Sources.txt:
2710         * UnifiedSources-input.xcfilelist:
2711
2712 2019-01-14  Michael Saboff  <msaboff@apple.com>
2713
2714         Add option to JSC to dump memory footprint on script completion
2715         https://bugs.webkit.org/show_bug.cgi?id=193422
2716
2717         Reviewed by Mark Lam.
2718
2719         Added the --footprint option to dump peak and current memory usage.  This uses the same
2720         OS calls added in r2362362.
2721
2722         * jsc.cpp:
2723         (printUsageStatement):
2724         (CommandLine::parseArguments):
2725         (jscmain):
2726
2727 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2728
2729         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2730         https://bugs.webkit.org/show_bug.cgi?id=193413
2731         <rdar://problem/46092389>
2732
2733         Reviewed by Keith Miller.
2734
2735         If GetByVal's DFG::ArrayMode's type is Array::Double, we expect that the result of GetByVal is Double, since we already performed CheckStructure or CheckArray
2736         to ensure this array type. But this assumption on the given value becomes wrong in AI, since CheckStructure may not perform filtering. And the proven AbstractValue
2737         in GetByVal would not be expected one.
2738
2739         We have the graph before performing constant folding.
2740
2741         53:<!0:->     GetLocal(Check:Untyped:@77, JS|MustGen|UseAsOther, Array, arg2(C<Array>/FlushedCell), R:Stack(7), bc#37, ExitValid)  predicting Array
2742         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
2743         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
2744         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
2745         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
2746
2747         And 53 is converted to JSConstant in the constant folding. It leads to constant folding attempt in GetByVal.
2748
2749         53:< 1:->     JSConstant(JS|UseAsOther, Array, Weak:Object: 0x117fb4370 with butterfly 0x8000e4050 (Structure %BV:Array), StructureID: 104, bc#37, ExitValid)
2750         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
2751         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
2752         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
2753         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
2754
2755         GetByVal gets constant Array from @53, and attempts to perform constant folding by leveraging CoW state: if the given array's butterfly is CoW and we performed CoW array check for this GetByVal, the array would not be changed as long as the check works.
2756         However, CheckStructure for @53 does not filter anything at AI. So, if @53 is CopyOnWrite | Contiguous array (not CopyOnWrite | Double array!), GetByVal will get a JSValue. But it does not meet the requirement of GetByVal since it has Double Array mode, and says it returns Double.
2757         Here, CheckStructure is valid because structure of the constant object would be changed. What we should do is additional CoW & ArrayShape check in GetByVal when folding since this node leverages CoW's interesting feature,
2758         "If CoW array check (CheckStructure etc.) is emitted by GetByVal's DFG::ArrayMode, the content is not changed from the creation!".
2759
2760         This patch adds ArrayShape check in addition to CoW status check in GetByVal.
2761
2762         Unfortunately, this crash is very flaky. In the above case, if @53 stays GetLocal after the constant folding phase, this issue does not occur. We can see this crash in r238109, but it is really hard to reproduce it in the current ToT.
2763         I verified this fix works in r238109 with the attached test.
2764
2765         * dfg/DFGAbstractInterpreterInlines.h:
2766         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2767         * dfg/DFGAbstractValue.cpp:
2768         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2769
2770 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
2771
2772         [BigInt] Literal parsing is crashing when used inside a Object Literal
2773         https://bugs.webkit.org/show_bug.cgi?id=193404
2774
2775         Reviewed by Yusuke Suzuki.
2776
2777         Former implementation was relying on token.m_data.radix after the
2778         call of `next()` in Parser.cpp. This is not safe because next
2779         clobbers token.m_data.radix in some cases (e.g. CLOSEBRACE).
2780         Now we get the radix value before calling `next()` in the parser and store
2781         it in a local variable.
2782
2783         * parser/Parser.cpp:
2784         (JSC::Parser<LexerType>::parsePrimaryExpression):
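
        Added example (not JSC's parser, and not from this patch): a toy lexer whose next() reinitialises the
        token's data slot, so the "read radix after next()" shape the entry describes returns a clobbered value
        while the "capture radix first" shape does not. ToyLexer, Token::m_data and the two parse functions are
        assumptions; the inputs in the self-checks are constructed.

```cpp
// Added example (not JSC's parser): a toy lexer whose next() overwrites the
// token's data slot, reproducing the hazard the entry above describes.
// ToyLexer, Token::m_data and the parse functions are assumptions.
#include <cstddef>
#include <cstdint>

enum class TokenType { BigIntLiteral, CloseBrace, Eof };

struct Token {
    TokenType type = TokenType::Eof;
    struct Data {
        int radix = 0;                   // meaningful only for BigIntLiteral
        const char* digits = nullptr;    // start of the digit run
        size_t length = 0;
    } m_data;
};

class ToyLexer {
public:
    explicit ToyLexer(const char* src) : m_src(src) { }

    static int digitValue(char c)
    {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
        if (c >= 'A' && c <= 'F') return 10 + (c - 'A');
        return -1;
    }

    // Lexes one token. Like a real lexer it reinitialises the whole data slot
    // on every call, so the previous token's radix does not survive next().
    void next(Token& token)
    {
        token.m_data = Token::Data();
        while (*m_src == ' ') ++m_src;
        if (*m_src == '\0') { token.type = TokenType::Eof; return; }
        if (*m_src == '}') { ++m_src; token.type = TokenType::CloseBrace; return; }

        int radix = 10;
        if (m_src[0] == '0' && (m_src[1] == 'x' || m_src[1] == 'X')) { radix = 16; m_src += 2; }
        else if (m_src[0] == '0' && (m_src[1] == 'o' || m_src[1] == 'O')) { radix = 8; m_src += 2; }
        else if (m_src[0] == '0' && (m_src[1] == 'b' || m_src[1] == 'B')) { radix = 2; m_src += 2; }
        const char* start = m_src;
        while (digitValue(*m_src) >= 0 && digitValue(*m_src) < radix) ++m_src;
        size_t length = static_cast<size_t>(m_src - start);
        if (length == 0 || *m_src != 'n') { token.type = TokenType::Eof; return; }  // only BigInt literals here
        ++m_src;
        token.type = TokenType::BigIntLiteral;
        token.m_data.radix = radix;
        token.m_data.digits = start;
        token.m_data.length = length;
    }

private:
    const char* m_src;
};

// Folds the digit run with the given radix; -1 flags a radix no lexer would
// ever produce, which is what reading the clobbered field yields here.
int64_t parseBigIntDigits(const char* digits, size_t length, int radix)
{
    if (radix < 2 || radix > 36) return -1;
    int64_t value = 0;
    for (size_t i = 0; i < length; ++i)
        value = value * radix + ToyLexer::digitValue(digits[i]);
    return value;
}

// Buggy shape: advance past the literal first, then read radix from the token.
// (digits/length are copied early only so the two versions differ in radix alone.)
int64_t parsePrimaryBuggy(const char* src)
{
    ToyLexer lexer(src);
    Token token;
    lexer.next(token);
    if (token.type != TokenType::BigIntLiteral) return -1;
    const char* digits = token.m_data.digits;
    size_t length = token.m_data.length;
    lexer.next(token);                                             // consumes '}' and resets m_data
    return parseBigIntDigits(digits, length, token.m_data.radix);  // radix is now 0
}

// Fixed shape: capture radix in a local before calling next().
int64_t parsePrimaryFixed(const char* src)
{
    ToyLexer lexer(src);
    Token token;
    lexer.next(token);
    if (token.type != TokenType::BigIntLiteral) return -1;
    int radix = token.m_data.radix;
    const char* digits = token.m_data.digits;
    size_t length = token.m_data.length;
    lexer.next(token);
    return parseBigIntDigits(digits, length, radix);
}
```

        With the input `0xffn}` the fixed parse yields 255 while the buggy parse sees radix 0 after the closing
        brace has been lexed. The general rule the fix follows: copy out every field of a token you still need
        before the call that advances the lexer.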
2785
2786 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2787
2788         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
2789         https://bugs.webkit.org/show_bug.cgi?id=193372
2790
2791         Reviewed by Saam Barati.
2792
2793         When RegisteredStructureSet is filtered with AbstractValue, we use structure, SpeculationType, and ArrayModes.
2794         However, we use asArrayModes() function with IndexingMode to compute the ArrayModes in AbstractValue. This is
2795         wrong since this discards TypedArray ArrayModes. As a result, if RegisteredStructureSet with TypedArrays is
2796         filtered with ArrayModes of AbstractValue populated from TypedArrays, we filter all the structures out since
2797         AbstractValue's ArrayModes become NonArray, which is wrong with the TypedArrays' ArrayModes. This leads to
2798         incorrect FTL code generation with MultiGetByOffset etc. nodes because,
2799
2800         1. AI thinks that this MultiGetByOffset never succeeds since all the values of RegisteredStructureSet are filtered out by the AbstractValue.
2801         2. AI says the state of MultiGetByOffset is invalid since AI thinks it never succeeds.
2802         3. So subsequent code becomes FTL crash code since AI thinks the execution should do OSR exit.
2803         4. Then, FTL emits the code for MultiGetByOffset, and emits crash after that.
2804         5. But in reality, the incoming value can match one of the RegisteredStructureSet values since (1)'s structures are incorrectly filtered by the incorrect ArrayModes.
2805         6. Then, the execution goes on, and falls into the FTL crash.
2806
2807         This patch fixes the incorrect ArrayModes calculation by the following changes:
2808
2809         1. Rename asArrayModes to asArrayModesIgnoringTypedArrays.
2810         2. Fix incorrect asArrayModesIgnoringTypedArrays use in our code. Use arrayModesFromStructure instead.
2811         3. Fix OSR exit code which stores incorrect ArrayModes to the profiles.
2812
2813         * bytecode/ArrayProfile.cpp:
2814         (JSC::dumpArrayModes):
2815         (JSC::ArrayProfile::computeUpdatedPrediction):
2816         * bytecode/ArrayProfile.h:
2817         (JSC::asArrayModesIgnoringTypedArrays):
2818         (JSC::arrayModesFromStructure):
2819         (JSC::arrayModesIncludeIgnoringTypedArrays):
2820         (JSC::shouldUseSlowPutArrayStorage):
2821         (JSC::shouldUseFastArrayStorage):
2822         (JSC::shouldUseContiguous):
2823         (JSC::shouldUseDouble):
2824         (JSC::shouldUseInt32):
2825         (JSC::asArrayModes): Deleted.
2826         (JSC::arrayModeFromStructure): Deleted.
2827         (JSC::arrayModesInclude): Deleted.
2828         * dfg/DFGAbstractValue.cpp:
2829         (JSC::DFG::AbstractValue::observeTransitions):
2830         (JSC::DFG::AbstractValue::set):
2831         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2832         (JSC::DFG::AbstractValue::contains const):
2833         * dfg/DFGAbstractValue.h:
2834         (JSC::DFG::AbstractValue::observeTransition):
2835         (JSC::DFG::AbstractValue::validate const):
2836         (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
2837         * dfg/DFGArrayMode.cpp:
2838         (JSC::DFG::ArrayMode::fromObserved):
2839         (JSC::DFG::ArrayMode::alreadyChecked const):
2840         * dfg/DFGArrayMode.h:
2841         (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
2842         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2843         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2844         * dfg/DFGOSRExit.cpp:
2845         (JSC::DFG::OSRExit::executeOSRExit):
2846         (JSC::DFG::OSRExit::compileExit):
2847         * dfg/DFGRegisteredStructureSet.cpp:
2848         (JSC::DFG::RegisteredStructureSet::filterArrayModes):
2849         (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
2850         * ftl/FTLOSRExitCompiler.cpp:
2851         (JSC::FTL::compileStub):
2852         * jit/JITInlines.h:
2853         (JSC::JIT::chooseArrayMode):
2854         (JSC::arrayProfileSaw): Deleted.
2855         * runtime/JSType.h:
2856         (JSC::isTypedArrayType):
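
        Added example (not JSC's code, and not from this patch): a simplified model of the ArrayModes
        derivation the entry above changes. It shows why an AbstractValue populated from typed-array
        structures via an indexing-mode-only helper collapses to NonArray and then filters every structure
        out, and how deriving the modes from the Structure (its JSType first) keeps them. The enum values, bit
        positions, `Structure` layout and the helper names other than the two the entry names are assumptions;
        the structure sets in the self-checks are constructed.

```cpp
// Added example (not JSC's code): a simplified model of the ArrayModes
// computation the entry above changes. Enum values, bit positions and the
// helper names (except the two the entry names) are assumptions.
#include <cstddef>
#include <cstdint>
#include <vector>

typedef uint32_t ArrayModes;

// Indexing modes of ordinary objects; a typed array carries NonArray here.
enum IndexingMode : uint8_t { NonArray = 0, ArrayWithInt32 = 1, ArrayWithDouble = 2, ArrayWithContiguous = 3 };

// JSType: whether the cell is a typed array lives on a separate axis.
enum JSType : uint8_t { ObjectType = 0, Int8ArrayType = 1, Uint8ArrayType = 2, Float64ArrayType = 3 };

static const ArrayModes Int8ArrayMode = 1u << 16;
static const ArrayModes Uint8ArrayMode = 1u << 17;
static const ArrayModes Float64ArrayMode = 1u << 18;

struct Structure {
    JSType type;
    IndexingMode indexingMode;
};

bool isTypedArrayType(JSType type) { return type != ObjectType; }

// The renamed helper: it only knows the indexing mode, so every typed array
// collapses to NonArray.
ArrayModes asArrayModesIgnoringTypedArrays(IndexingMode mode) { return 1u << mode; }

// The replacement: consult the JSType before falling back to the indexing mode.
ArrayModes arrayModesFromStructure(const Structure& structure)
{
    switch (structure.type) {
    case Int8ArrayType: return Int8ArrayMode;
    case Uint8ArrayType: return Uint8ArrayMode;
    case Float64ArrayType: return Float64ArrayMode;
    case ObjectType: break;
    }
    return asArrayModesIgnoringTypedArrays(structure.indexingMode);
}

// What an AbstractValue records for a structure set: the union of the modes.
// `ignoringTypedArrays` selects the old (wrong) derivation.
ArrayModes arrayModesFromStructures(const std::vector<Structure>& set, bool ignoringTypedArrays)
{
    ArrayModes modes = 0;
    for (const Structure& s : set)
        modes |= ignoringTypedArrays ? asArrayModesIgnoringTypedArrays(s.indexingMode) : arrayModesFromStructure(s);
    return modes;
}

// RegisteredStructureSet-style filter: keep the structures whose modes
// intersect the AbstractValue's modes.
std::vector<Structure> filterArrayModes(const std::vector<Structure>& set, ArrayModes allowed)
{
    std::vector<Structure> kept;
    for (const Structure& s : set) {
        if (arrayModesFromStructure(s) & allowed)
            kept.push_back(s);
    }
    return kept;
}

// Constructed scenario: a MultiGetByOffset whose structure set holds two typed
// arrays. Returns how many structures survive filtering; zero is what made AI
// conclude the node "never succeeds".
size_t survivingTypedArrayStructures(bool ignoringTypedArrays)
{
    std::vector<Structure> set = { { Int8ArrayType, NonArray }, { Float64ArrayType, NonArray } };
    ArrayModes abstractValueModes = arrayModesFromStructures(set, ignoringTypedArrays);
    return filterArrayModes(set, abstractValueModes).size();
}

// Ordinary arrays are unaffected either way.
size_t survivingPlainArrayStructures(bool ignoringTypedArrays)
{
    std::vector<Structure> set = { { ObjectType, ArrayWithContiguous }, { ObjectType, ArrayWithDouble } };
    ArrayModes abstractValueModes = arrayModesFromStructures(set, ignoringTypedArrays);
    return filterArrayModes(set, abstractValueModes).size();
}
```

        The two derivations agree on plain arrays, which is why the bug only surfaced on typed-array structure
        sets: with the old helper the typed-array set filters to nothing, with the Structure-aware one both
        structures survive.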
2857
2858 2019-01-14  Mark Lam  <mark.lam@apple.com>
2859
2860         Re-enable ability to build --cloop builds.
2861         https://bugs.webkit.org/show_bug.cgi?id=192955
2862         <rdar://problem/46882363>
2863
2864         Reviewed by Saam Barati and Keith Miller.
2865
2866         * Configurations/FeatureDefines.xcconfig:
2867
2868 2019-01-14  Mark Lam  <mark.lam@apple.com>
2869
2870         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
2871         https://bugs.webkit.org/show_bug.cgi?id=193402
2872         <rdar://problem/46012309>
2873
2874         Reviewed by Keith Miller.
2875
2876         The CLoop builds via build-jsc were previously completely disabled after our
2877         change to enable ASM LLInt build without the JIT.  As a result, JSC tests have
2878         regressed on CLoop builds.  The CLoop builds and tests will be re-enabled when
2879         the fix for https://bugs.webkit.org/show_bug.cgi?id=192955 lands.  This patch
2880         fixes all the regressions (and some old bugs) so that the CLoop test bots won't
2881         be red when CLoop build gets re-enabled.
2882
2883         In this patch, we do the following:
2884
2885         1. Change CLoopStack::grow() to set the new CLoop stack top at the maximum
2886            allocated capacity (after discounting the reserved zone) as opposed to setting
2887            it only at the level that the client requested.
2888
2889            This fixes a small performance bug that I happened to notice when I was
2890            debugging a stack issue.  It does not affect correctness.
2891
2892         2. In LowLevelInterpreter32_64.asm:
2893
2894            1. Fix loadConstantOrVariableTag() to use subi for computing the constant
2895               index because the VirtualRegister offset and FirstConstantRegisterIndex
2896               values it is operating on are both signed ints.  This is just to be
2897               pedantic.  The previous use of subu will still produce a correct value.
2898
2899            2. Fix llintOpWithReturn() to use getu (instead of get) for reading
2900               OpIsCellWithType::type because it is of type JSType, which is a uint8_t.
2901
2902            3. Fix llintOpWithMetadata() to use loadis for loading
2903               OpGetById::Metadata::modeMetadata.protoLoadMode.cachedOffset[t5] because it
2904               is of type PropertyOffset, which is a signed int.
2905
2906            4. Fix commonCallOp() to use getu for loading fields argv and argc because they
2907               are of type unsigned for OpCall, OpConstruct, and OpTailCall, which are the
2908               clients of commonCallOp.
2909
2910            5. Fix llintOpWithMetadata() and getClosureVar() to use loadp for loading
2911               OpGetFromScope::Metadata::operand because it is of type uintptr_t.
2912
2913         3. In LowLevelInterpreter64.asm:
2914
2915            1. Fix llintOpWithReturn() to use getu for reading OpIsCellWithType::type
2916               because it is of type JSType, which is a uint8_t.
2917
2918            2. Fix llintOpWithMetadata() to use loadi for loading
2919               OpGetById::Metadata::modeMetadata.protoLoadMode.structure[t2] because it is
2920               of type StructureID, which is a uint32_t.
2921
2922               Fix llintOpWithMetadata() to use loadis for loading
2923               OpGetById::Metadata::modeMetadata.protoLoadMode.cachedOffset[t2] because it
2924               is of type PropertyOffset, which is a signed int.
2925
2926            3. commonOp() should reload the metadataTable for op_catch because unlike
2927               for the ASM LLInt, the exception unwinding code is not able to restore
2928               "callee saved registers" for the CLoop interpreter because the CLoop uses
2929               pseudo-registers (see the CLoopRegister class).
2930
2931               This was the source of many exotic CLoop failures after the bytecode format
2932               change (which introduced the metadataTable callee saved register).  Hence,
2933               we fix it by reloading metadataTable's value on re-entry via op_catch for
2934               exception handling.  We already take care of restoring it in op_ret.
2935
2936            4. Fix llintOpWithMetadata() and getClosureVar() to use loadp for loading
2937               OpGetFromScope::Metadata::operand because it is of type uintptr_t.
2938
2939         4. In LowLevelInterpreter.asm:
2940
2941            Fix metadata() to use loadi for loading metadataTable offsets because they are
2942            of type unsigned.  This was also a source of many exotic CLoop test failures.
2943
2944         5. Change CLoopRegister into a class with a uintptr_t as its storage element.
2945            Previously, we were using a union to convert between various value types that
2946            we would store in this pseudo-register.  This method of type conversion is
2947            undefined behavior according to the C++ spec.  As a result, the C++ compiler
2948            may choose to elide some CLoop statements, thereby resulting in some exotic
2949            bugs.
2950
2951            We fix this by now always using accessor methods and assignment operators to
2952            ensure that we use bitwise_cast to do the type conversions.  Since bitwise_cast
2953            uses a memcpy, this ensures that there's no undefined behavior, and that CLoop
2954            statements won't get elided willy-nilly by the compiler.
2955
2956            Ditto for the CLoopDoubleRegisters.
2957
2958            Similarly, use bitwise_cast for ints2Double() and double2Ints() utility
2959            functions.
2960
2961            Also use bitwise_cast (instead of reinterpret_cast) for the CLoop CAST macro.
2962
2963         6. Fix cloop.rb to use the new CLoopRegister and CLoopDoubleRegister classes.
2964
2965            Add a clLValue accessor for offlineasm operand types to distinguish
2966            LValue use of the operands from RValue uses.
2967
2968            Replace the use of clearHighWord() with simply casting to uint32_t.  This is
2969            more efficient for the C++ compiler (and helps speed up debug build runs).
2970
2971            Also fix 32-bit arithmetic operations to only set the lower 32-bit value of
2972            the pseudo registers.  This fixes some CLoop JSC test failures.
2973
2974         This patch has been manually tested with the JSC tests on the following builds:
2975         64bit X86 ASM LLInt (without JIT), 64bit and 32bit X86 CLoop, and ARMv7 CLoop.
2976
2977         * interpreter/CLoopStack.cpp:
2978         (JSC::CLoopStack::grow):
2979         * llint/LowLevelInterpreter.asm:
2980         * llint/LowLevelInterpreter.cpp:
2981         (JSC::CLoopRegister::i const):
2982         (JSC::CLoopRegister::u const):
2983         (JSC::CLoopRegister::i32 const):
2984         (JSC::CLoopRegister::u32 const):
2985         (JSC::CLoopRegister::i8 const):
2986         (JSC::CLoopRegister::u8 const):
2987         (JSC::CLoopRegister::ip const):
2988         (JSC::CLoopRegister::i8p const):
2989         (JSC::CLoopRegister::vp const):
2990         (JSC::CLoopRegister::cvp const):
2991         (JSC::CLoopRegister::callFrame const):
2992         (JSC::CLoopRegister::execState const):
2993         (JSC::CLoopRegister::instruction const):
2994         (JSC::CLoopRegister::vm const):
2995         (JSC::CLoopRegister::cell const):
2996         (JSC::CLoopRegister::protoCallFrame const):
2997         (JSC::CLoopRegister::nativeFunc const):
2998         (JSC::CLoopRegister::i64 const):
2999         (JSC::CLoopRegister::u64 const):
3000         (JSC::CLoopRegister::encodedJSValue const):
3001         (JSC::CLoopRegister::opcode const):
3002         (JSC::CLoopRegister::operator ExecState*):
3003         (JSC::CLoopRegister::operator const Instruction*):
3004         (JSC::CLoopRegister::operator JSCell*):
3005         (JSC::CLoopRegister::operator ProtoCallFrame*):
3006         (JSC::CLoopRegister::operator Register*):
3007         (JSC::CLoopRegister::operator VM*):
3008         (JSC::CLoopRegister::operator=):
3009         (JSC::CLoopRegister::bitsAsDouble const):
3010         (JSC::CLoopRegister::bitsAsInt64 const):
3011         (JSC::CLoopDoubleRegister::operator T const):
3012         (JSC::CLoopDoubleRegister::d const):
3013         (JSC::CLoopDoubleRegister::bitsAsInt64 const):
3014         (JSC::CLoopDoubleRegister::operator=):
3015         (JSC::LLInt::ints2Double):
3016         (JSC::LLInt::double2Ints):
3017         (JSC::LLInt::decodeResult):
3018         (JSC::CLoop::execute):
3019         (JSC::LLInt::Ints2Double): Deleted.
3020         (JSC::LLInt::Double2Ints): Deleted.
3021         (JSC::CLoopRegister::CLoopRegister): Deleted.
3022         (JSC::CLoopRegister::clearHighWord): Deleted.
3023         * llint/LowLevelInterpreter32_64.asm:
3024         * llint/LowLevelInterpreter64.asm:
3025         * offlineasm/cloop.rb:
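
        Added example (not JSC's code, and not from this patch): a pseudo-register in the style item 5 of the
        entry above describes, with one uintptr_t of storage, accessors that reinterpret the bits through a
        memcpy-based cast instead of reading an inactive union member, a 32-bit write that touches only the low
        word (item 6), and ints2Double/double2Ints routed through a same-width integer. PseudoRegister,
        PseudoDoubleRegister, bitwiseCast and setLow32 are assumed names; the values in the self-checks are
        constructed.

```cpp
// Added example (not JSC's code): a pseudo-register modelled on the
// CLoopRegister/CLoopDoubleRegister change the entry above describes.
// Class and method names are assumptions.
#include <cstdint>
#include <cstring>
#include <type_traits>

// memcpy is the type-punning route the C++ standard defines; the compiler
// cannot elide statements around it the way it may with union punning.
template <typename To, typename From>
To bitwiseCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast needs equal sizes");
    static_assert(std::is_trivially_copyable<To>::value, "To must be trivially copyable");
    static_assert(std::is_trivially_copyable<From>::value, "From must be trivially copyable");
    To to;
    std::memcpy(&to, &from, sizeof(to));
    return to;
}

// One uintptr_t of storage; accessors reinterpret, assignment operators write.
class PseudoRegister {
public:
    PseudoRegister() : m_value(0) { }

    intptr_t i() const { return bitwiseCast<intptr_t>(m_value); }
    uintptr_t u() const { return m_value; }
    uint32_t u32() const { return static_cast<uint32_t>(m_value); }
    int32_t i32() const { return bitwiseCast<int32_t>(u32()); }
    uint8_t u8() const { return static_cast<uint8_t>(m_value); }
    void* vp() const { return bitwiseCast<void*>(m_value); }

    PseudoRegister& operator=(intptr_t v) { m_value = bitwiseCast<uintptr_t>(v); return *this; }
    PseudoRegister& operator=(uintptr_t v) { m_value = v; return *this; }
    PseudoRegister& operator=(void* p) { m_value = bitwiseCast<uintptr_t>(p); return *this; }

    // Result of a 32-bit arithmetic op: only the low 32 bits change; any high
    // bits are preserved (item 6 of the entry).
    void setLow32(uint32_t v)
    {
        const uintptr_t lowMask = static_cast<uintptr_t>(0xffffffffu);
        m_value = (m_value & ~lowMask) | v;
    }

private:
    uintptr_t m_value;
};

// Double pseudo-register: stores a double, exposes its bit pattern via memcpy.
class PseudoDoubleRegister {
public:
    double d() const { return m_value; }
    int64_t bitsAsInt64() const { return bitwiseCast<int64_t>(m_value); }
    PseudoDoubleRegister& operator=(double v) { m_value = v; return *this; }
    PseudoDoubleRegister& operator=(int64_t bits) { m_value = bitwiseCast<double>(bits); return *this; }
private:
    double m_value = 0.0;
};

// The 32-bit CLoop carries a double as two words; assemble and split it
// through a same-width integer, never through a union.
inline double ints2Double(uint32_t lo, uint32_t hi)
{
    uint64_t bits = (static_cast<uint64_t>(hi) << 32) | lo;
    return bitwiseCast<double>(bits);
}

inline void double2Ints(double value, uint32_t& lo, uint32_t& hi)
{
    uint64_t bits = bitwiseCast<uint64_t>(value);
    lo = static_cast<uint32_t>(bits);
    hi = static_cast<uint32_t>(bits >> 32);
}

// Self-checks on constructed values.
bool signedValueRoundTrips()
{
    PseudoRegister r;
    r = static_cast<intptr_t>(-1);
    return r.i() == -1 && r.i32() == -1 && r.u32() == 0xffffffffu && r.u8() == 0xff;
}

bool low32WriteKeepsHighBits()
{
    PseudoRegister r;
    r = static_cast<intptr_t>(-1);       // every bit set
    r.setLow32(0x12345678u);
    const uintptr_t lowMask = static_cast<uintptr_t>(0xffffffffu);
    return r.u32() == 0x12345678u && (r.u() & ~lowMask) == (~static_cast<uintptr_t>(0) & ~lowMask);
}

bool doubleSplitRoundTrips()
{
    uint32_t lo = 0, hi = 0;
    double2Ints(-2.0, lo, hi);           // -2.0 is 0xC000000000000000
    return hi == 0xc0000000u && lo == 0 && ints2Double(lo, hi) == -2.0;
}
```

        Every conversion above goes through bitwiseCast or an explicit integer cast, so the observable bits are
        the same on 64-bit and 32-bit hosts and no access depends on which union member was last written.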
3026
3027 2019-01-14  Keith Miller  <keith_miller@apple.com>
3028
3029         JSC should have a module loader API
3030         https://bugs.webkit.org/show_bug.cgi?id=191121
3031
3032         Reviewed by Michael Saboff.
3033
3034         This patch adds a new delegate to JSContext that is called to fetch
3035         any resolved module. The resolution of a module identifier is computed
3036         as if it were a URL on the web with the caveat that it must be a file URL.
3037
3038         A new class JSScript has also been added that is similar to JSScriptRef.
3039         Right now all JSScripts are copied into memory. In the future we should
3040         mmap the provided file into memory so the OS can evict it to disk under
3041         pressure. Additionally, the API does not make use of the code signing path
3042         nor the bytecode caching path, which we will add in subsequent patches.
3043
3044         Lastly, a couple of new convenience methods have been added. C API
3045         conversion can now toRef a JSValue with just a vm rather than
3046         requiring an ExecState. Secondly, there is now a call wrapper that
3047         does not require CallData and CallType since many places don't
3048         care about this.
3049
3050         * API/APICast.h:
3051         (toRef):
3052         * API/JSAPIGlobalObject.cpp: Copied from Source/JavaScriptCore/API/JSVirtualMachineInternal.h.
3053         * API/JSAPIGlobalObject.h: Added.
3054         (JSC::JSAPIGlobalObject::create):
3055         (JSC::JSAPIGlobalObject::createStructure):
3056         (JSC::JSAPIGlobalObject::JSAPIGlobalObject):
3057         * API/JSAPIGlobalObject.mm: Added.
3058         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
3059         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
3060         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3061         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
3062         * API/JSAPIValueWrapper.h:
3063         (JSC::jsAPIValueWrapper): Deleted.
3064         * API/JSContext.h:
3065         * API/JSContext.mm:
3066         (-[JSContext moduleLoaderDelegate]):
3067         (-[JSContext setModuleLoaderDelegate:]):
3068         * API/JSContextInternal.h:
3069         * API/JSContextPrivate.h:
3070         * API/JSContextRef.cpp:
3071         (JSGlobalContextCreateInGroup):
3072         * API/JSScript.h: Added.
3073         * API/JSScript.mm: Added.
3074         (+[JSScript scriptWithSource:inVirtualMachine:]):
3075         (fillBufferWithContentsOfFile):
3076         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3077         (getJSScriptSourceCode):
3078         * API/JSScriptInternal.h: Copied from Source/JavaScriptCore/API/JSVirtualMachineInternal.h.
3079         * API/JSValueInternal.h:
3080         * API/JSVirtualMachineInternal.h:
3081         * API/tests/testapi.mm:
3082         (+[JSContextFetchDelegate contextWithBlockForFetch:]):
3083         (-[JSContextFetchDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3084         (checkModuleCodeRan):
3085         (checkModuleWasRejected):
3086         (testFetch):
3087         (testFetchWithTwoCycle):
3088         (testFetchWithThreeCycle):
3089         (testLoaderResolvesAbsoluteScriptURL):
3090         (testLoaderRejectsNilScriptURL):
3091         (testLoaderRejectsFailedFetch):
3092         (testImportModuleTwice):
3093         (+[JSContextFileLoaderDelegate newContext]):
3094         (resolvePathToScripts):
3095         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3096         (testLoadBasicFile):
3097         (testObjectiveCAPI):
3098         * API/tests/testapiScripts/basic.js: Copied from Source/JavaScriptCore/API/JSVirtualMachineInternal.h.
3099         * JavaScriptCore.xcodeproj/project.pbxproj:
3100         * Sources.txt:
3101         * SourcesCocoa.txt:
3102         * config.h:
3103         * postprocess-headers.sh:
3104         * runtime/CallData.cpp:
3105         (JSC::call):
3106         * runtime/CallData.h:
3107         * runtime/Completion.cpp:
3108         (JSC::loadAndEvaluateModule):
3109         * runtime/Completion.h:
3110         * runtime/JSCast.h:
3111         (JSC::jsSecureCast):
3112         * runtime/JSGlobalObject.cpp:
3113         (JSC::createProxyProperty):
3114
3115 2019-01-14  Dominik Infuehr  <dinfuehr@igalia.com>
3116
3117         Fix property access on ARM with the baseline JIT
3118         https://bugs.webkit.org/show_bug.cgi?id=193393
3119
3120         Reviewed by Yusuke Suzuki.
3121
3122         Code was still using currentInstruction[4] to access the instruction's metadata.
3123         Updated to use metadata.getPutInfo and metadata.resolveType.
3124
3125         * jit/JITPropertyAccess32_64.cpp:
3126         (JSC::JIT::emit_op_resolve_scope):
3127         (JSC::JIT::emit_op_get_from_scope):
3128         (JSC::JIT::emit_op_put_to_scope):
3129
3130 2019-01-12  Timothy Hatcher  <timothy@apple.com>
3131
3132         Have prefers-color-scheme: light always match on macOS versions before Mojave.
3133         https://bugs.webkit.org/show_bug.cgi?id=191655
3134         rdar://problem/46074680
3135
3136         Reviewed by Megan Gardner.
3137
3138         * Configurations/FeatureDefines.xcconfig: ENABLE_DARK_MODE_CSS_macosx for all OS versions.
3139
3140 2019-01-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3141
3142         Unreviewed, fix scope check assertions
3143         https://bugs.webkit.org/show_bug.cgi?id=193308
3144
3145         * bytecode/CodeBlock.cpp:
3146         (JSC::CodeBlock::notifyLexicalBindingShadowing):
3147         * runtime/JSGlobalObject.cpp:
3148         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
3149         * runtime/ProgramExecutable.cpp:
3150         (JSC::ProgramExecutable::initializeGlobalProperties):
3151
3152 2019-01-11  John Wilander  <wilander@apple.com>
3153
3154         Compile out Web API Statistics Collection
3155         https://bugs.webkit.org/show_bug.cgi?id=193370
3156         <rdar://problem/45388584>
3157
3158         Reviewed by Brent Fulgham.
3159
3160         * Configurations/FeatureDefines.xcconfig:
3161             Defined ENABLE_WEB_API_STATISTICS, off by default.
3162
3163 2019-01-11  Saam barati  <sbarati@apple.com>
3164
3165         DFG combined liveness can be wrong for terminal basic blocks
3166         https://bugs.webkit.org/show_bug.cgi?id=193304
3167         <rdar://problem/45268632>
3168
3169         Reviewed by Yusuke Suzuki.
3170
3171         If a block doesn't have any successors, it can't rely on the typical
3172         backwards liveness propagation that CombinedLiveness was doing. The phase
3173         first got what was live in bytecode and IR at the heads of each block. Then
3174         for each block, it made the live at tail the union of the live at head for
3175         each successor. For a terminal block though, this could be wrong. We could
3176         end up saying nothing is live even though many things may be live in bytecode.
3177         We must account for what's bytecode live at the end of the block. Consider a
3178         block that ends with:
3179         ```
3180         ForceOSRExit
3181         Unreachable
3182         ```
3183         
3184         Things may definitely be live in bytecode at the tail. However, we'll
3185         report nothing as being alive. This probably subtly breaks many analyses,
3186         but we have a test case of it breaking the interference analysis that
3187         the ArgumentsEliminationPhase performs.
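        A toy model of the liveness computation described above, added here as an illustration and not code from the WebKit patch: `liveAtTailBuggy` is the old rule (live-at-tail is only the union of the successors' live-at-head sets), `liveAtTailFixed` also folds in what bytecode keeps live at the tail. The block names, value names and the CFG are constructed for the example.

```javascript
// Added illustration, not WebKit code: why a terminal block (no successors,
// e.g. one ending in ForceOSRExit; Unreachable) needs bytecode liveness folded
// into its live-at-tail set. All block and value names are constructed.

function union(...sets) {
  const out = new Set();
  for (const s of sets) for (const v of s) out.add(v);
  return out;
}

// Old rule: live-at-tail = union of live-at-head over the successors.
// A block with no successors therefore reports nothing live at its tail.
function liveAtTailBuggy(block, blocks) {
  return union(...block.successors.map((name) => blocks[name].liveAtHead));
}

// Fixed rule: additionally account for what bytecode says is live at the tail,
// which is what a terminal block's OSR exit actually needs.
function liveAtTailFixed(block, blocks) {
  return union(liveAtTailBuggy(block, blocks), block.bytecodeLiveAtTail);
}

// Constructed CFG: `entry` branches to a loop or to a terminal OSR-exit block.
const blocks = {
  entry: { liveAtHead: new Set(['a']), successors: ['loop', 'exit'],
           bytecodeLiveAtTail: new Set(['a', 'b']) },
  loop:  { liveAtHead: new Set(['a', 'b']), successors: ['loop', 'exit'],
           bytecodeLiveAtTail: new Set(['a', 'b']) },
  exit:  { liveAtHead: new Set(['b']), successors: [],
           bytecodeLiveAtTail: new Set(['a', 'b']) },
};

// Sorted arrays of the live-at-tail set under both rules for one block.
function compare(name) {
  return {
    buggy: [...liveAtTailBuggy(blocks[name], blocks)].sort(),
    fixed: [...liveAtTailFixed(blocks[name], blocks)].sort(),
  };
}

for (const name of Object.keys(blocks)) console.log(name, compare(name));
```

For `exit` the old rule yields an empty set while the fixed rule yields both values; for `entry` both rules agree, since its successors carry the information.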
3188
3189         * dfg/DFGBasicBlock.h:
3190         (JSC::DFG::BasicBlock::last const):
3191         * dfg/DFGCombinedLiveness.cpp:
3192         (JSC::DFG::addBytecodeLiveness):
3193         (JSC::DFG::liveNodesAtHead):
3194         (JSC::DFG::CombinedLiveness::CombinedLiveness):
3195         * dfg/DFGCombinedLiveness.h:
3196
3197 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3198
3199         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
3200         https://bugs.webkit.org/show_bug.cgi?id=193308
3201         <rdar://problem/45546542>
3202
3203         Reviewed by Saam Barati.
3204
3205         Previously, we assumed that lexical bindings in JSGlobalLexicalEnvironment cannot shadow existing global properties.
3206         However, this is wrong. According to the spec, we can shadow global properties if a property's attribute is configurable = true.
3207         For example, suppose we execute two scripts.
3208
3209         script1.js
3210
3211             bar = 42;
3212             function load() { return bar; }
3213             print(bar); // 42
3214             print(load()); // 42
3215
3216         script2.js
3217
3218             let bar = 0; // This lexical binding can shadow the global.bar defined in script1.js
3219             print(bar); // 0
3220             print(load()); // 0
3221
3222         In JSC, we cache the GlobalProperty resolve type and its associated information in op_resolve_scope, op_get_from_scope, and op_put_to_scope.
3223         They attempt to load a property from JSGlobalObject directly. However, once the newly added lexical binding starts shadowing this, our existing instructions
3224         become invalid since they do not respect JSGlobalLexicalEnvironment.
3225
3226         In this patch, we fix this issue by introducing the following mechanisms.
3227
3228         1. We have a HashMap<property name, watchpoint set> in JSGlobalObject. DFG and FTL create a watchpoint set with the property name if the generated code
3229         depends on the GlobalProperty condition of op_resolve_scope etc. These watchpoints will be fired when the shadowing happens, so that our generated DFG and FTL
3230         code will be invalidated if it depends on the condition which is no longer valid.
3231
3232         2. When we detect shadowing, we iterate all the live CodeBlocks whose globalObject is the target one, and we rewrite the instructions in them from GlobalProperty
3233         to GlobalLexicalVar (or Dynamic, precisely). So the subsequent LLInt code just works. The "Dynamic" conversion happens when an op_put_to_scope attempts to
3234         put a value onto a const lexical binding; this fails, and it should throw a type error.
3235
3236         3. GlobalProperty scope operations in Baseline JIT start checking ResolveType in metadata, and emit code for GlobalProperty and GlobalLexicalVar. Once the rewrite
3237         happens, baseline JIT continues working because it checks the rewritten metadata's ResolveType.
3238
3239         We use this mechanism (which is similar to haveABadTime() thing) because,
3240
3241         1. Shadowing should be super rare. Before r214145, we made these cases SyntaxErrors. Thus, before r214145, this type of code could not be executed in WebKit.
3242         And the number of live CodeBlocks for the given JSGlobalObject should be small. This supports introducing a rather simple (but not so efficient) mechanism
3243         instead of a complicated one.
3244
3245         2. Rewriting instructions immediately forces the GlobalProperty => GlobalLexicalVar / Dynamic conversion in all the possible CodeBlocks. This allows us to avoid a
3246         compilation failure loop in DFG and FTL: DFG and FTL code is invalidated by the watchpoint, but we may attempt to compile the code with the invalidated watchpoint
3247         and GlobalProperty status if we do not rewrite it. One possible other implementation is having and checking a counter in the instruction, and every time we introduce
3248         a new shadow binding, bumping the counter. An eventually executed instruction would then go to the slow path and rewrite itself. However, this way leaves the not-executed-again-yet
3249         instructions as they are, and DFG and FTL repeatedly fail to compile if we just watch the invalidated watchpoint for that. Rewriting all the existing GlobalProperty instructions immediately
3250         avoids this situation easily.
3251
3252         * JavaScriptCore.xcodeproj/project.pbxproj:
3253         * Sources.txt:
3254         * bytecode/CodeBlock.cpp:
3255         (JSC::CodeBlock::notifyLexicalBindingShadowing):
3256         * bytecode/CodeBlock.h:
3257         (JSC::CodeBlock::scriptMode const):
3258         * bytecode/Watchpoint.h:
3259         (JSC::WatchpointSet::create):
3260         * dfg/DFGByteCodeParser.cpp:
3261         (JSC::DFG::ByteCodeParser::parseBlock):
3262         * dfg/DFGDesiredGlobalProperties.cpp: Added.
3263         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
3264         (JSC::DFG::DesiredGlobalProperties::reallyAdd):
3265         * dfg/DFGDesiredGlobalProperties.h: Added.
3266         (JSC::DFG::DesiredGlobalProperties::addLazily):
3267         We need this DesiredGlobalProperties mechanism since we do not want to ref() the UniquedStringImpl in the DFG and FTL threads.
3268         We keep the JSGlobalObject* and identifierNumber, materialize WatchpointSets for each JSGlobalObject property referenced
3269         from DFG and FTL, and inject CodeBlock jettison watchpoints in the main thread.
3270         * dfg/DFGDesiredGlobalProperty.h: Added.
3271         (JSC::DFG::DesiredGlobalProperty::DesiredGlobalProperty):
3272         (JSC::DFG::DesiredGlobalProperty::globalObject const):
3273         (JSC::DFG::DesiredGlobalProperty::identifierNumber const):
3274         (JSC::DFG::DesiredGlobalProperty::operator== const):
3275         (JSC::DFG::DesiredGlobalProperty::operator!= const):
3276         (JSC::DFG::DesiredGlobalProperty::isHashTableDeletedValue const):
3277         (JSC::DFG::DesiredGlobalProperty::hash const):
3278         (JSC::DFG::DesiredGlobalProperty::dumpInContext const):
3279         (JSC::DFG::DesiredGlobalProperty::dump const):
3280         (JSC::DFG::DesiredGlobalPropertyHash::hash):
3281         (JSC::DFG::DesiredGlobalPropertyHash::equal):
3282         * dfg/DFGGraph.h:
3283         (JSC::DFG::Graph::globalProperties):
3284         * dfg/DFGPlan.cpp:
3285         (JSC::DFG::Plan::reallyAdd):
3286         (JSC::DFG::Plan::isStillValidOnMainThread):
3287         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3288         (JSC::DFG::Plan::cancel):