Non-unified build fixes, late September 2020 edition
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2020-09-25  Adrian Perez de Castro  <aperez@igalia.com>

        Non-unified build fixes, late September 2020 edition
        https://bugs.webkit.org/show_bug.cgi?id=216950

        Unreviewed build fix.

        * inspector/agents/InspectorConsoleAgent.cpp: Add missing ScriptArguments.h include.

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray%.prototype.toLocaleString must make conscious use of @toString
        https://bugs.webkit.org/show_bug.cgi?id=216956

        Reviewed by Yusuke Suzuki.

        A fascinating bug: if we override Number.prototype.toLocaleString to return { valueOf() { ... } },
        then we can observe our %TypedArray%.prototype.toLocaleString resolving its element values in the wrong order.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):
        Wrap the toLocaleString call for each element in @toString(), as the spec indicates.

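Added example (an editor's illustration, not part of this ChangeLog and not JSC's builtin): a spec-shaped %TypedArray%.prototype.toLocaleString beside a variant that collects every element's toLocaleString result first and joins them afterwards. Number.prototype.toLocaleString is overridden to return an object whose valueOf is traceable, which makes the coercion order visible. The Int8Array input and the null-prototype result object are constructed here; the function names are assumptions.

```javascript
// Added example (editor's illustration, not JSC's builtin): a spec-shaped
// %TypedArray%.prototype.toLocaleString next to a variant that collects the
// per-element results first and joins them afterwards, with an observable
// Number.prototype.toLocaleString override so the coercion order can be traced.

// Spec shape: for each element, R = ToString(Invoke(element, "toLocaleString")),
// so the result of toLocaleString is coerced before the next element is visited.
function specToLocaleString(typedArray) {
  let out = '';
  for (let k = 0; k < typedArray.length; k++) {
    if (k > 0) out += ',';
    out += String(typedArray[k].toLocaleString());
  }
  return out;
}

// Non-conforming shape: every toLocaleString call happens first, and join()
// only coerces the returned objects at the end, so valueOf runs out of order.
function collectThenJoin(typedArray) {
  const parts = [];
  for (let k = 0; k < typedArray.length; k++) parts.push(typedArray[k].toLocaleString());
  return parts.join(',');
}

// Runs impl on an Int8Array built from `values` (constructed sample input) with
// Number.prototype.toLocaleString overridden to return an object whose valueOf
// is traceable. The object has a null prototype, so ToString finds no toString
// to try first and must fall through to valueOf.
function observeOrder(impl, values) {
  const trace = [];
  const saved = Number.prototype.toLocaleString;
  Number.prototype.toLocaleString = function () {
    const n = Number(this);
    trace.push(`toLocaleString(${n})`);
    return { __proto__: null, valueOf() { trace.push(`valueOf(${n})`); return n; } };
  };
  try {
    return { result: impl(new Int8Array(values)), trace };
  } finally {
    Number.prototype.toLocaleString = saved;
  }
}
```

Both shapes produce the same string for plain input; only the trace differs: the spec shape interleaves toLocaleString(1), valueOf(1), toLocaleString(2), valueOf(2), while the collect-then-join shape runs all toLocaleString calls before any valueOf.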
2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray%.prototype.sort must throw if comparator is defined and uncallable
        https://bugs.webkit.org/show_bug.cgi?id=216952

        Reviewed by Yusuke Suzuki.

        * builtins/TypedArrayPrototype.js:
        (sort):

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray% methods should perform TypedArraySpeciesCreate correctly
        https://bugs.webkit.org/show_bug.cgi?id=216938

        Reviewed by Yusuke Suzuki.

        map, filter, and slice are obliged to throw when:
        1. this.constructor is defined but not an object
        2. the species constructor produces a valid typed array which is shorter than the expected length

        * builtins/TypedArrayPrototype.js:
        (map):
        (filter):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):

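Added example (an editor's illustration, not part of this ChangeLog and not JSC code): abridged SpeciesConstructor and TypedArraySpeciesCreate operations driving a minimal slice(), so the two cases above can be exercised directly. Looking the default constructor up through @@toStringTag on globalThis is an assumption made to keep the block self-contained; the function names and the Int8Array inputs are constructed here.

```javascript
// Added example (editor's illustration, not JSC code): spec-shaped
// SpeciesConstructor and TypedArraySpeciesCreate driving a minimal slice(),
// covering the two cases the entry says must throw a TypeError.

// SpeciesConstructor(O, defaultConstructor), abridged: a defined but
// non-object `constructor` is an error, an undefined or null @@species falls
// back to the default, anything else must be a constructor.
function speciesConstructor(O, defaultConstructor) {
  const C = O.constructor;
  if (C === undefined) return defaultConstructor;
  if (Object(C) !== C) throw new TypeError('this.constructor is defined but not an object'); // case 1
  const S = C[Symbol.species];
  if (S === undefined || S === null) return defaultConstructor;
  if (typeof S === 'function') return S;
  throw new TypeError('@@species is not a constructor');
}

// TypedArraySpeciesCreate(exemplar, argumentList), abridged. The default
// constructor is looked up by the exemplar's @@toStringTag (an assumption
// that keeps this self-contained; the real operation uses the intrinsic).
function typedArraySpeciesCreate(exemplar, argumentList) {
  const defaultConstructor = globalThis[exemplar[Symbol.toStringTag]];
  const C = speciesConstructor(exemplar, defaultConstructor);
  const result = new C(...argumentList);
  // ValidateTypedArray: the species must have produced a typed array.
  if (!ArrayBuffer.isView(result) || result instanceof DataView)
    throw new TypeError('species constructor did not return a typed array');
  // When created from a length, the result must be at least that long.
  if (argumentList.length === 1 && typeof argumentList[0] === 'number' && result.length < argumentList[0])
    throw new TypeError(`species produced length ${result.length}, expected at least ${argumentList[0]}`); // case 2
  return result;
}

// Relative index clamping used by slice-like methods (ToIntegerOrInfinity + clamp).
function relativeIndex(value, len) {
  const rel = Math.trunc(Number(value)) || 0; // NaN and -0 become 0
  return rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
}

// Minimal %TypedArray%.prototype.slice built on the operations above.
function slice(ta, start, end) {
  const len = ta.length;
  let k = start === undefined ? 0 : relativeIndex(start, len);
  const final = end === undefined ? len : relativeIndex(end, len);
  const count = Math.max(final - k, 0);
  const A = typedArraySpeciesCreate(ta, [count]);
  for (let n = 0; k < final; k++, n++) A[n] = ta[k];
  return A;
}

// Check helper: true only if fn throws a TypeError.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}
```

Setting `ta.constructor = 5` on an instance trips case 1; a species constructor that hands back a one-element array when two were requested trips case 2; a species of `Uint8Array` is honoured, and an undefined `constructor` falls back to the default.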
2020-09-24  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Stop raising SIGPIPE when client side of RemoteInspector dies
        https://bugs.webkit.org/show_bug.cgi?id=216805

        Reviewed by Don Olmstead.

        When communication is stopped by a peer crash or a non-polite close, SIGPIPE will be
        raised on BSD (and maybe on Linux). We prefer to handle those events by returning an error.

        On Windows, there was no such fancy feature to begin with.

        * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
        (Inspector::Socket::read):
        (Inspector::Socket::write):

2020-09-24  Angelos Oikonomopoulos  <angelos@igalia.com>

        [MIPS] Broken build after r267371
        https://bugs.webkit.org/show_bug.cgi?id=216893

        Reviewed by Adrian Perez de Castro.

        This addresses two issues.

        First, the fix in https://bugs.webkit.org/show_bug.cgi?id=216772 was not
        getting exercised, because the LabelReference offset was always zero.

        The reason the offset was zero is that LabelReference.mapChildren would discard
        the offset when generating a new LabelReference to wrap the Label returned by
        the code block it yielded to.

        The reason this was only an issue on MIPS is because only MIPS was using the
        result of calls to LabelReference.mapChildren (in its lowering phase,
        assignRegistersToTemporaries -> replaceTemporariesWithRegisters ->
        mapChildren). Other archs, e.g. X86_64 only call mapChildren in earlier phases
        (specifically, subsequent to a call to isASTErroneous), in which the new
        LabelReferences returned by mapChildren are later discarded. Even though ARM
        32/64 contains indirect calls to mapChildren, those are made after the
        arm{,64}LowerLabelReferences transformation which doesn't leave any
        LabelReference nodes around for .mapChildren to be called on.

        So this is not an issue for architectures other than MIPS because
        (a) AddImmediates.fold correctly constructs a LabelReference with an offset by
        calling LabelReference.plusOffset and
        (b) they don't call (and therefore don't use the result of)
        LabelReference.mapChildren in their lowering code.

        Second, the code we generate needs to look up the /label/ in the GOT, not the
        computed address. After the lookup, we simply need to add the offset.

        * offlineasm/ast.rb:
        * offlineasm/mips.rb:

2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>

        %TypedArray%.prototype.fill must only evaluate its argument once
        https://bugs.webkit.org/show_bug.cgi?id=216912

        Reviewed by Yusuke Suzuki.

        Currently, we evaluate the argument in `typedArray.fill({ valueOf() { ... } })` once per filled element,
        but it should only be evaluated once in total.

        * builtins/TypedArrayPrototype.js:
        (fill):

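Added example (an editor's illustration, not part of this ChangeLog and not JSC's builtin): a fill() that coerces its argument once, up front, beside the once-per-element shape described above, with a counting valueOf that makes the difference observable. The start/end arguments of the real method are left out; the Uint8Array input and the function names are constructed here.

```javascript
// Added example (editor's illustration, not JSC's builtin): a fill() that
// coerces its argument exactly once, beside the per-element shape the entry
// describes, with a counting valueOf to make the difference observable.
// The optional start/end arguments of the real method are omitted.

// Spec shape: ToNumber (or ToBigInt) is applied to `value` once, up front;
// only the already-coerced primitive is written into each slot.
function fillOnce(typedArray, value) {
  const isBigIntArray = typedArray instanceof BigInt64Array || typedArray instanceof BigUint64Array;
  const v = isBigIntArray ? BigInt(value) : Number(value);
  for (let k = 0; k < typedArray.length; k++) typedArray[k] = v;
  return typedArray;
}

// Buggy shape: writing the raw argument into each slot lets the element-set
// machinery re-run ToNumber, so valueOf fires once per element.
function fillPerElement(typedArray, value) {
  for (let k = 0; k < typedArray.length; k++) typedArray[k] = value;
  return typedArray;
}

// Fills a fresh Uint8Array(n) (constructed sample input) through `impl` with an
// object whose valueOf counts its own invocations.
function countCoercions(impl, n) {
  let calls = 0;
  const ta = new Uint8Array(n);
  impl(ta, { valueOf() { calls++; return 7; } });
  return { calls, contents: Array.from(ta) };
}
```

Both shapes leave the array holding 7s; the difference is that fillOnce reports one valueOf call for four elements while fillPerElement reports four, which is exactly what a user-visible valueOf (with side effects, or one that changes its answer) would expose.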
2020-09-23  Ross Kirsling  <ross.kirsling@sony.com>

        %ArrayIteratorPrototype%.next must check for detached buffers
        https://bugs.webkit.org/show_bug.cgi?id=216904

        Reviewed by Yusuke Suzuki.

        Per https://tc39.es/ecma262/#sec-%arrayiteratorprototype%.next:
          8. If a has a [[TypedArrayName]] internal slot, then
            a. If IsDetachedBuffer(a.[[ViewedArrayBuffer]]) is true, throw a TypeError exception.

        * builtins/ArrayIteratorPrototype.js:
        (next):
        * builtins/BuiltinNames.h:
        * bytecode/LinkTimeConstant.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncIsNeutered):
        * runtime/JSTypedArrayViewPrototype.h:

2020-09-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Simplify some of the template-specialized host functions by defining each function
        https://bugs.webkit.org/show_bug.cgi?id=216907

        Reviewed by Saam Barati.

        This makes automatically-registering these functions in JIT-caging easy.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::callImpl):
        (JSC::APICallbackFunction::constructImpl):
        (JSC::APICallbackFunction::call): Deleted.
        (JSC::APICallbackFunction::construct): Deleted.
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallbackConstructor):
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackFunction.cpp:
        (JSC::callJSCallbackFunction):
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/ObjCCallbackFunction.mm:
        (JSC::callObjCCallbackFunction):
        (JSC::constructObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::callJSCCallbackFunction):
        (JSC::constructJSCCallbackFunction):
        (JSC::JSCCallbackFunction::JSCCallbackFunction):
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (accessorMakeMasquerader):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructImpl):
        (JSC::constructArrayBuffer):
        (JSC::constructSharedArrayBuffer):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::customGetterSetterFunctionCall):
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): Deleted.
        * runtime/JSCustomGetterSetterFunction.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor<errorType>::constructImpl):
        (JSC::NativeErrorConstructor<errorType>::callImpl):
        (JSC::callEvalError):
        (JSC::constructEvalError):
        (JSC::callRangeError):
        (JSC::constructRangeError):
        (JSC::callReferenceError):
        (JSC::constructReferenceError):
        (JSC::callSyntaxError):
        (JSC::constructSyntaxError):
        (JSC::callTypeError):
        (JSC::constructTypeError):
        (JSC::callURIError):
        (JSC::constructURIError):
        (JSC::callFunction):
        (JSC::constructFunction):
        (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
        (JSC::NativeErrorConstructorBase::finishCreation):
        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): Deleted.
        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): Deleted.
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollarImpl):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::regExpConstructorDollar): Deleted.
        * tools/JSDollarVM.cpp:

2020-09-23  Alexey Shvayka  <shvaikalesh@gmail.com>

        Update Array.prototype.sort to be consistent with tightened spec
        https://bugs.webkit.org/show_bug.cgi?id=202582

        Reviewed by Yusuke Suzuki and Keith Miller.

        This patch implements the spec change [1] that reduces the number of cases resulting
        in an implementation-defined sort order, aligning JSC with V8 and SpiderMonkey.

        To achieve this, we collect all existing non-undefined receiver elements into a
        temporary array, sort it, and write back the sorted items, followed by `undefined`
        values and holes.

        This change is proven to be web-compatible (shipping since Chrome 76) and neutral
        on peak memory consumption in the wild.

        Although we can unobservably detect sparse receivers, we can't avoid creating a
        temporary array for the common case since userland comparators may throw; string
        sorting won't measurably benefit from this, only increasing code complexity.

        This change uses @putByValDirect unless the spec requires [[Set]], avoids using
        closure variables, and adds a few drive-by optimizations, resulting in ~22%
        faster string sorting and 13% speed-up for userland comparators.
        Dromaeo/jslib is neutral.

        [1]: https://github.com/tc39/ecma262/pull/1585

        * builtins/ArrayPrototype.js:
        (sort.stringComparator):
        Optimization #1: replace char-by-char comparison loop with > operator, aligning
        JSC with V8 and SpiderMonkey. This semantically equivalent change alone is a ~15%
        progression for string sort.

        (sort.compact):
        (sort.commit):
        Optimization #2: copy large non-numeric arrays in a loop rather than @appendMemcpy.
        Using the latter unconditionally regresses provided microbenchmarks.

        (sort.merge):
        Optimization #3: replace `typeof` check and negation with strict equality.

        (sort.mergeSort):
        Optimization #4: always return sorted array instead of copying, even if it's the buffer.
        Tweak: create the buffer with correct length.

        (sort.bucketSort):
        Optimization #5: avoid emitting 2 extra get_by_val ops by saving bucket lookup to a variable.
        Tweak: create new bucket via array literal.

        (sort): Fix typo in error message.
        (sort.compactSparse): Deleted.
        (sort.compactSlow): Deleted.
        (sort.comparatorSort): Deleted.
        (sort.stringSort): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        Remove @Object.@getPrototypeOf as it's now unused and we have @getPrototypeOf intrinsic anyway.

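Added example (an editor's illustration, not part of this ChangeLog and not JSC's builtin): Array.prototype.sort in the shape of the tightened spec described above. Existing, non-undefined elements are collected into a temporary array, that array is sorted with a stable merge sort, and the result is written back followed by the undefineds and then holes. It also shows why the temporary array is needed: a throwing comparator aborts before any write-back, leaving the receiver untouched. The sample arrays and function names are constructed here.

```javascript
// Added example (editor's illustration, not JSC's builtin): Array.prototype.sort
// in the shape of the tightened spec. Existing, non-undefined elements are
// collected into a temporary array, that array is sorted with a stable merge
// sort, and the result is written back followed by undefineds and then holes.

// Default comparator: compare ToString of both operands.
function defaultCompare(x, y) {
  const xs = String(x), ys = String(y);
  return xs < ys ? -1 : xs > ys ? 1 : 0;
}

// Stable top-down merge sort; the comparator result is consumed with `< 0`,
// which coerces it the way the spec's ToNumber does.
function mergeSort(items, compare) {
  if (items.length < 2) return items;
  const mid = items.length >> 1;
  const left = mergeSort(items.slice(0, mid), compare);
  const right = mergeSort(items.slice(mid), compare);
  const out = [];
  let i = 0, j = 0;
  while (i < left.length && j < right.length) {
    // Take from the right only when strictly smaller, which keeps the sort stable.
    if (compare(right[j], left[i]) < 0) out.push(right[j++]); else out.push(left[i++]);
  }
  return out.concat(left.slice(i), right.slice(j));
}

function specSort(obj, comparefn) {
  if (comparefn !== undefined && typeof comparefn !== 'function')
    throw new TypeError('Array.prototype.sort requires the comparator be a function');
  const len = Math.max(0, Math.trunc(Number(obj.length)) || 0); // ToLength, abridged
  const items = [];
  let undefinedCount = 0;
  // SortIndexedProperties: holes are skipped, undefineds are counted, the rest are collected.
  for (let k = 0; k < len; k++) {
    if (!(k in obj)) continue;
    const v = obj[k];
    if (v === undefined) undefinedCount++; else items.push(v);
  }
  // A throwing comparator aborts here, before any write-back touches `obj`.
  const sorted = mergeSort(items, comparefn === undefined ? defaultCompare : comparefn);
  let j = 0;
  for (; j < sorted.length; j++) obj[j] = sorted[j];           // [[Set]] of sorted items
  for (let u = 0; u < undefinedCount; u++, j++) obj[j] = undefined;
  for (; j < len; j++) delete obj[j];                          // trailing holes
  return obj;
}
```

On `[3, undefined, , 1, , 2]` this yields `[1, 2, 3, undefined, <hole>, <hole>]` with the length still 6; with no comparator the default string comparison orders `[10, 9, 1]` as `[1, 10, 9]`; a non-function comparator is rejected up front, matching the check the %TypedArray% sort entry above describes.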
2020-09-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl spec update: handle awkward rounding behavior
        https://bugs.webkit.org/show_bug.cgi?id=216760

        Reviewed by Ross Kirsling.

        This patch supports the new spec change "handle awkward rounding behavior"[1].
        This changes the minimumFractionDigits / maximumFractionDigits calculation when the specified ones are less than currency-digits.

        [1]: https://github.com/tc39/ecma402/pull/471

        * runtime/CommonIdentifiers.h:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::resolvedOptions const):
        * runtime/IntlNumberFormatInlines.h:
        (JSC::setNumberFormatDigitOptions):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions const):

2020-09-23  Caio Lima  <ticaiolima@gmail.com>

        [JSC][ESNext] Create a new opcode to handle private fields store/define
        https://bugs.webkit.org/show_bug.cgi?id=213372

        Reviewed by Yusuke Suzuki.

        This patch adds a new opcode to handle private field storage.
        Before this change, we were using `put_by_val_direct` and including
        the `PutKind` information in `PutByValFlags`. We initially decided
        to use `put_by_val_direct` to take advantage of all the IC mechanisms already
        implemented for this instruction; however, the semantics of private fields
        are different enough to complicate the understanding of
        `put_by_val_direct`.

        The new instruction is called `put_private_name` and has as its operands
        the `baseObject` where the put is going to be placed, the `property`
        that's going to be installed (it is always a private symbol of a
        private field), the `value` we are going to store and the
        `PrivateFieldPutKind`, which can be `Define` or `Set`.
        The difference between the `PrivateFieldPutKind`s is the following:

        - Define: It defines a new private field. If this field is already
        present, it throws a `TypeError`.
        - Set: It sets the value of a private field. If the field is not
        present at the moment of the set, it throws a `TypeError`.

        This patch includes IC support for all tiers. For DFG and FTL, we
        only emit an IC when we are able to emit `CheckConstant`
        for the subscript identifier during bytecode parsing. We are adding a new
        DFG node called `PutPrivateNameById` that handles such cases when we
        have constant identifiers.
        We are also adding a new DFG node `PutPrivateName` that handles the generic
        case of `put_private_name`. The strategy used to compile
        `put_private_name` is very similar to what we use for
        `put_by_val[_direct]`. We first try to compile it as `[Multi]PutByOffset`
        using profiled information from LLInt and Baseline execution. If that
        is not possible, we then emit a `PutPrivateName[ById]` node. We get another
        chance to transform `PutPrivateNameById` into `PutByOffset` if we can prove
        its structure set at the constant folding phase.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.cpp:
        (JSC::computeUsesForBytecodeIndexImpl):
        (JSC::computeDefsForBytecodeIndexImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/Fits.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByValFlags.cpp: Removed.
        * bytecode/PutByValFlags.h: Removed.
        * bytecode/PutKind.h:
        (): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        (JSC::BytecodeGenerator::emitDefinePrivateField):
        (JSC::BytecodeGenerator::emitPrivateFieldPut):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutPrivateNameById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::handlePutByVal):
        (JSC::DFG::ecmaMode): Deleted.
        (JSC::DFG::ecmaMode<OpPutByValDirect>): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::convertToMultiPutByOffset):
        (JSC::DFG::Node::hasCacheableIdentifier):
        (JSC::DFG::Node::hasPrivateFieldPutKind):
        (JSC::DFG::Node::privateFieldPutKind):
        * dfg/DFGNodeType.h:
        * dfg/DFGOpInfo.h:
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutPrivateName):
        (JSC::DFG::SpeculativeJIT::compilePutPrivateNameById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
        (JSC::DFG::SpeculativeJIT::compilePutById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateNameById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
        (JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        * generator/DSL.rb:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        (JSC::ByValCompilationInfo::ByValCompilationInfo):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlines.h:
        (JSC::JIT::ecmaMode<OpPutPrivateName>):
        (JSC::JIT::ecmaMode<OpPutByValDirect>): Deleted.
        (JSC::JIT::privateFieldAccessKind): Deleted.
        (JSC::JIT::privateFieldAccessKind<OpPutByValDirect>): Deleted.
        * jit/JITOperations.cpp:
        (JSC::setPrivateField):
        (JSC::putPrivateField): Deleted.
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitPutPrivateNameWithCachedId):
        (JSC::JIT::privateCompilePutPrivateNameWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateOptimizingPutByIdFunction):
        (JSC::tryCachePutByID):
        (JSC::resetPutByID):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::setPrivateField):
        (JSC::JSObject::putPrivateField): Deleted.
        * runtime/PrivateFieldPutKind.cpp: Added.
        (JSC::PrivateFieldPutKind::dump const):
        * runtime/PrivateFieldPutKind.h: Added.
        (JSC::PrivateFieldPutKind::fromByte):
        (JSC::PrivateFieldPutKind::none):
        (JSC::PrivateFieldPutKind::set):
        (JSC::PrivateFieldPutKind::define):
        (JSC::PrivateFieldPutKind::isNone const):
        (JSC::PrivateFieldPutKind::isSet const):
        (JSC::PrivateFieldPutKind::isDefine const):
        (JSC::PrivateFieldPutKind::value const):
        (JSC::PrivateFieldPutKind::PrivateFieldPutKind):

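Added example (an editor's illustration, not part of this ChangeLog and not JSC code): the Define versus Set distinction described above, observed from plain JavaScript rather than from bytecode. A derived class whose base constructor returns a foreign object (the "return override" pattern) defines its private field on that object, so Define can be attempted twice on the same target, and a static method can attempt Set on an object that never received the field. Class and function names are constructed here.

```javascript
// Added example (editor's illustration, not JSC code): the Define vs Set
// distinction observed from plain JavaScript. Base returns the object passed
// to it, so Stamp's field initialiser defines #secret on that foreign object.

class Base {
  constructor(target) { return target; } // Stamp's field initialisers run against `target`
}

class Stamp extends Base {
  #secret = 0;                                     // Define: adds the field, TypeError if already present
  static set(obj, value) { obj.#secret = value; }  // Set: updates the field, TypeError if absent
  static get(obj) { return obj.#secret; }
}

// Returns 'ok', or the name of the error class fn threw.
function outcome(fn) {
  try { fn(); return 'ok'; } catch (e) { return e.constructor.name; }
}

// Exercises each PrivateFieldPutKind on one constructed target object.
function demo() {
  const target = {};
  return {
    define: outcome(() => new Stamp(target)),        // first Define succeeds
    defineAgain: outcome(() => new Stamp(target)),   // field already present
    setPresent: outcome(() => Stamp.set(target, 42)),
    setMissing: outcome(() => Stamp.set({}, 42)),    // field never defined on this object
    value: Stamp.get(target),
  };
}
```

The two TypeErrors are exactly the ones the entry attributes to Define on a present field and Set on an absent one; the successful Set is visible through `Stamp.get(target)` returning 42.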
2020-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Enable Intl.DateTimeFormat dayPeriod
        https://bugs.webkit.org/show_bug.cgi?id=216845

        Reviewed by Mark Lam.

        Since we already have consensus, let's enable it.
        For now, we keep this flag since it is possible that something
        happens before the change is integrated into the spec.

        * runtime/OptionsList.h:

2020-09-22  HyeockJin Kim  <kherootz@gmail.com>

        Coerce computed property before adding to |excludedList|
        https://bugs.webkit.org/show_bug.cgi?id=216437

        Reviewed by Yusuke Suzuki.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue const):

2020-09-21  Paulo Matos  <pmatos@igalia.com>

        Fix MIPS leai,leap when offset is nonzero
        https://bugs.webkit.org/show_bug.cgi?id=216772

        Reviewed by Mark Lam.

        Fix required by change from webkit#216685

        * offlineasm/mips.rb:

2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] BigInt should work with Map / Set
        https://bugs.webkit.org/show_bug.cgi?id=216667

        Reviewed by Robin Morisset.

        This patch makes BigInt supported in Map / Set.

        1. In NormalizeMapKey, we always attempt to convert HeapBigInt to BigInt32 (if supported). So we ensure that a
            normalized BigInt has one unique form for the BigInt32 range. This allows us to use hashing for the BigInt32 bit pattern directly.
        2. In MapHash, for BigInt32, we directly hash the JSValue bits. For HeapBigInt, we calculate the hash via Hasher.
        3. In GetMapBucket, we consider the HeapBigInt case correctly.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        * runtime/HashMapImpl.h:
        (JSC::normalizeMapKey):
        (JSC::jsMapHash):
        (JSC::concurrentJSMapHash):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::concurrentHash):
        * runtime/JSBigInt.h:
        (JSC::tryConvertToBigInt32):

2020-09-21  Mark Lam  <mark.lam@apple.com>

        Move some LLInt globals into JSC::Config.
        https://bugs.webkit.org/show_bug.cgi?id=216685
        rdar://68964544

        Reviewed by Keith Miller.

        1. Moved the following into g_jscConfig:

           Data::s_exceptionInstructions ==> g_jscConfig.llint.exceptionInstructions
           Data::s_wasmExceptionInstructions ==> g_jscConfig.llint.wasmExceptionInstructions
           g_opcodeMap ==> g_jscConfig.llint.opcodeMap
           g_opcodeMapWide16 ==> g_jscConfig.llint.opcodeMapWide16
           g_opcodeMapWide32 ==> g_jscConfig.llint.opcodeMapWide32

        2. Fixed cloop.rb so that it can take an offset for the leap offlineasm instruction.
        3. Fixed x86.rb so that it can take an offset for the leap offlineasm instruction.
        4. Fixed arm.rb so that it can take an offset for the leap offlineasm instruction.

           Note: arm64.rb already does this right.

        5. Added JSC::Config::singleton() to return a reference to g_jscConfig.
           This is useful when debugging with lldb since g_jscConfig is not an actual
           label, but is a macro that computes the address of the Config record.

        This patch has been smoke tested on arm64e, x86_64, and cloop (on x86_64 and armv7k).

        * llint/LLIntData.cpp:
        (JSC::LLInt::LLIntInitializeAssertScope::LLIntInitializeAssertScope):
        (JSC::LLInt::LLIntInitializeAssertScope::~LLIntInitializeAssertScope):
        (JSC::LLInt::LLIntInitializeAssertScope::assertInitializationIsAllowed):
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::exceptionInstructions):
        (JSC::LLInt::wasmExceptionInstructions):
        (JSC::LLInt::opcodeMap):
        (JSC::LLInt::opcodeMapWide16):
        (JSC::LLInt::opcodeMapWide32):
        (JSC::LLInt::getOpcode):
        (JSC::LLInt::getOpcodeWide16):
        (JSC::LLInt::getOpcodeWide32):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter64.asm:
        * llint/WebAssembly.asm:
        * offlineasm/arm.rb:
        * offlineasm/cloop.rb:
        * offlineasm/x86.rb:
        * runtime/JSCConfig.cpp:
        (JSC::Config::singleton):
        * runtime/JSCConfig.h:

2020-09-21  Basuke Suzuki  <basuke.suzuki@sony.com>

        [WinCairo][PlayStation] Support different instances of listener client.
        https://bugs.webkit.org/show_bug.cgi?id=216733

        Reviewed by Don Olmstead.

        Currently RemoteInspectorSocketEndpoint supports one client instance for all
        listeners. This patch allows listeners to create their own listener client at
        accept time.

        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
        (Inspector::RemoteInspectorConnectionClient::didReceive):
        * inspector/remote/socket/RemoteInspectorConnectionClient.h:
        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):
        (Inspector::RemoteInspectorServer::doAccept):
        * inspector/remote/socket/RemoteInspectorServer.h:
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::didClose):
        * inspector/remote/socket/RemoteInspectorSocket.h:
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
        (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
        (Inspector::RemoteInspectorSocketEndpoint::listenInet):
        (Inspector::RemoteInspectorSocketEndpoint::workerThread):
        (Inspector::RemoteInspectorSocketEndpoint::generateConnectionID):
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        (Inspector::RemoteInspectorSocketEndpoint::disconnect):
        (Inspector::RemoteInspectorSocketEndpoint::createListener):
        (Inspector::RemoteInspectorSocketEndpoint::invalidateClient):
        (Inspector::RemoteInspectorSocketEndpoint::invalidateListener):
        (Inspector::RemoteInspectorSocketEndpoint::getPort const):
        (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::send):
        (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:

2020-09-21  Keith Miller  <keith_miller@apple.com>

        Functions should consistently enumerate length before name
        https://bugs.webkit.org/show_bug.cgi?id=216789

        Reviewed by Yusuke Suzuki.

        In https://github.com/tc39/ecma262/pull/2116, which has been
        approved to be merged into the main JS spec, it's expected that
        all functions should have their length property enumerated before
        the name property. To ensure this invariant, this patch moves the
        length set into InternalFunction::finishCreation.

        There are no new tests since tests will be added to test262 when
        the spec PR is merged. Adding tests to stress just means we will
        have the same test twice, which seems like a waste.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::create):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::create):
        * runtime/AggregateErrorConstructor.cpp:
        (JSC::AggregateErrorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::finishCreation):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        * runtime/BigIntConstructor.cpp:
        (JSC::BigIntConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/FinalizationRegistryConstructor.cpp:
        (JSC::FinalizationRegistryConstructor::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::finishCreation):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
        * runtime/InternalFunction.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
708         (JSC::IntlDateTimeFormatConstructor::finishCreation):
709         * runtime/IntlDisplayNamesConstructor.cpp:
710         (JSC::IntlDisplayNamesConstructor::finishCreation):
711         * runtime/IntlLocaleConstructor.cpp:
712         (JSC::IntlLocaleConstructor::finishCreation):
713         * runtime/IntlNumberFormatConstructor.cpp:
714         (JSC::IntlNumberFormatConstructor::finishCreation):
715         * runtime/IntlPluralRulesConstructor.cpp:
716         (JSC::IntlPluralRulesConstructor::finishCreation):
717         * runtime/IntlRelativeTimeFormatConstructor.cpp:
718         (JSC::IntlRelativeTimeFormatConstructor::finishCreation):
719         * runtime/IntlSegmenterConstructor.cpp:
720         (JSC::IntlSegmenterConstructor::finishCreation):
721         * runtime/JSArrayBufferConstructor.cpp:
722         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
723         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
724         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
725         * runtime/JSTypedArrayViewConstructor.cpp:
726         (JSC::JSTypedArrayViewConstructor::finishCreation):
727         * runtime/MapConstructor.cpp:
728         (JSC::MapConstructor::finishCreation):
729         * runtime/NativeErrorConstructor.cpp:
730         (JSC::NativeErrorConstructorBase::finishCreation):
731         * runtime/NullGetterFunction.h:
732         * runtime/NullSetterFunction.h:
733         * runtime/NumberConstructor.cpp:
734         (JSC::NumberConstructor::finishCreation):
735         * runtime/ObjectConstructor.cpp:
736         (JSC::ObjectConstructor::finishCreation):
737         * runtime/ProxyConstructor.cpp:
738         (JSC::ProxyConstructor::finishCreation):
739         * runtime/ProxyRevoke.cpp:
740         (JSC::ProxyRevoke::finishCreation):
741         * runtime/RegExpConstructor.cpp:
742         (JSC::RegExpConstructor::finishCreation):
743         * runtime/SetConstructor.cpp:
744         (JSC::SetConstructor::finishCreation):
745         * runtime/StringConstructor.cpp:
746         (JSC::StringConstructor::finishCreation):
747         * runtime/SymbolConstructor.cpp:
748         (JSC::SymbolConstructor::finishCreation):
749         * runtime/WeakMapConstructor.cpp:
750         (JSC::WeakMapConstructor::finishCreation):
751         * runtime/WeakObjectRefConstructor.cpp:
752         (JSC::WeakObjectRefConstructor::finishCreation):
753         * runtime/WeakSetConstructor.cpp:
754         (JSC::WeakSetConstructor::finishCreation):
755         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
756         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
757         * wasm/js/WebAssemblyGlobalConstructor.cpp:
758         (JSC::WebAssemblyGlobalConstructor::finishCreation):
759         * wasm/js/WebAssemblyInstanceConstructor.cpp:
760         (JSC::WebAssemblyInstanceConstructor::finishCreation):
761         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
762         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
763         * wasm/js/WebAssemblyMemoryConstructor.cpp:
764         (JSC::WebAssemblyMemoryConstructor::finishCreation):
765         * wasm/js/WebAssemblyModuleConstructor.cpp:
766         (JSC::WebAssemblyModuleConstructor::finishCreation):
767         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
768         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
769         * wasm/js/WebAssemblyTableConstructor.cpp:
770         (JSC::WebAssemblyTableConstructor::finishCreation):
771
772 2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
773
774         [JSC] Proxy should be trapped if base value is primitive
775         https://bugs.webkit.org/show_bug.cgi?id=216764
776
777         Reviewed by Darin Adler.
778
779         While we have special care in JSObject::putInline etc., we missed it in JSValue::putToPrimitive.
780         So, if a Proxy exists in the prototype chain of primitive values (e.g. a StringPrototype -> Proxy chain),
781         we miss the Proxy trap. We should have the ProxyObject special check in JSValue::putToPrimitive too.
782
783         * runtime/JSCJSValue.cpp:
784         (JSC::JSValue::putToPrimitive):
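
        The behaviour this entry describes, as an added example (our own code, not JSC's and not this patch's test): a Proxy placed behind String.prototype must be trapped when the store's base value is a primitive string, and the trap's answer decides whether strict-mode code throws. The names trapLog, withProxyBehindStringPrototype, primitiveSetThroughProxy and primitiveSetWithoutProxy are ours; it runs under Node or any spec-compliant engine.

```javascript
// Added example, not JSC code. Per the spec, PutValue on a primitive base does
// ToObject and walks [[Set]] up the prototype chain with the primitive itself as
// the Receiver, so a Proxy behind String.prototype must see the store.

const trapLog = []; // records every set-trap invocation we observe

// Handler that records the call and reports success.
const recordingHandler = {
  set(target, key, value, receiver) {
    trapLog.push({ key, value, receiverType: typeof receiver, receiver });
    return true; // success: strict-mode assignment must not throw
  },
};

// Temporarily splice `proxy` between String.prototype and its original
// prototype, run `fn`, and always restore the original chain afterwards.
function withProxyBehindStringPrototype(proxy, fn) {
  const original = Object.getPrototypeOf(String.prototype);
  Object.setPrototypeOf(String.prototype, proxy);
  try {
    return fn();
  } finally {
    Object.setPrototypeOf(String.prototype, original);
  }
}

// Assign to a property of a primitive string; the store walks
// "abc" -> String.prototype -> proxy and must hit the trap. Because the trap
// returns true, even strict-mode code must complete without a TypeError.
function primitiveSetThroughProxy() {
  trapLog.length = 0;
  return withProxyBehindStringPrototype(new Proxy({}, recordingHandler), () => {
    "use strict";
    let threw = false;
    try {
      "abc".foo = 42; // base is a primitive, not a String wrapper object
    } catch (e) {
      threw = e instanceof TypeError;
    }
    return { calls: trapLog.slice(), threw };
  });
}

// Baseline without the Proxy: OrdinarySet with a primitive receiver cannot
// create the property, so strict-mode code gets a TypeError. Contrasting this
// with the Proxy case shows the trap's verdict is what the engine honours.
function primitiveSetWithoutProxy() {
  "use strict";
  try {
    "abc".foo = 42;
    return false; // would mean the engine silently accepted the store
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Stand-alone usage.
const observed = primitiveSetThroughProxy();
console.log("trap calls:", observed.calls.length,
  "receiver type:", observed.calls[0] && observed.calls[0].receiverType,
  "threw:", observed.threw);
console.log("baseline strict-mode TypeError:", primitiveSetWithoutProxy());
```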
785
786 2020-09-20  Yusuke Suzuki  <ysuzuki@apple.com>
787
788         [JSC] Drop Options::useBigInt
789         https://bugs.webkit.org/show_bug.cgi?id=216743
790
791         Reviewed by Darin Adler.
792
793         Now BigInt is shipped. Let's just remove Options::useBigInt.
794
795         * bytecompiler/BytecodeGenerator.cpp:
796         (JSC::BytecodeGenerator::emitEqualityOpImpl):
797         * parser/Lexer.cpp:
798         (JSC::Lexer<T>::parseHex):
799         (JSC::Lexer<T>::parseBinary):
800         (JSC::Lexer<T>::parseOctal):
801         (JSC::Lexer<T>::parseDecimal):
802         * runtime/JSGlobalObject.h:
803         * runtime/OptionsList.h:
804
805 2020-09-20  Yusuke Suzuki  <ysuzuki@apple.com>
806
807         Unreviewed, use RELEASE_AND_RETURN to suppress exception verification failure
808         https://bugs.webkit.org/show_bug.cgi?id=216686
809         <rdar://problem/69157632>
810
811         * runtime/JSModuleNamespaceObject.cpp:
812         (JSC::JSModuleNamespaceObject::defineOwnProperty):
813
814 2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>
815
816         [JSC] Generator declaration should not be allowed in single statement context
817         https://bugs.webkit.org/show_bug.cgi?id=216720
818
819         Reviewed by Ross Kirsling.
820
821         A generator declaration in a single statement context (like the following code) should be a syntax error.
822         We already made async function / async generator function declarations a syntax error. We should apply the same rule
823         to generator declarations too.
824
825             if (false)
826                 function * gen() { }
827
828         * parser/Parser.cpp:
829         (JSC::Parser<LexerType>::parseSingleFunction):
830         (JSC::Parser<LexerType>::parseStatement):
831         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
832         (JSC::Parser<LexerType>::parseFunctionDeclaration):
833         (JSC::Parser<LexerType>::parseExportDeclaration):
834         * parser/Parser.h:
835
836 2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>
837
838         [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct
839         https://bugs.webkit.org/show_bug.cgi?id=216717
840
841         Reviewed by Mark Lam.
842
843         When starting a full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for the upcoming marking.
844         However, this means that HeapCell::isLive will see this object as dead until it is marked.
845         Let's consider that this object is not a newly allocated one. Then, its isNewlyAllocated is false. And now the mark bit
846         is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, it looks dead, while it is live.
847         This confuses the HeapCell::isLive function and makes some watchpoints perform wrong decisions (e.g. this condition is
848         no longer valid, let's just discard it).
849         At the beginning of a full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live
850         during marking. This is a similar trick to MarkedBlock::aboutToMark.
851
852         * heap/PreciseAllocation.cpp:
853         (JSC::PreciseAllocation::flip):
854
855 2020-09-18  Saam Barati  <sbarati@apple.com>
856
857         console APIs shouldn't crash making a string that's too long for a console warning when using user provided labels
858         https://bugs.webkit.org/show_bug.cgi?id=216709
859         <rdar://problem/68275357>
860
861         Reviewed by Mark Lam and Devin Rousso.
862
863         Various console APIs send warnings when a label can't be found. These warnings
864         include the label itself. If this label has a long enough length, when we make
865         these warning strings, we can crash, because we exceed max string length.
866         This patch fixes this by truncating the label everywhere it's used if it
867         exceeds a length of 10000.
868
869         * inspector/JSGlobalObjectConsoleClient.cpp:
870         (Inspector::JSGlobalObjectConsoleClient::profile):
871         * inspector/ScriptArguments.h:
872         * inspector/agents/InspectorConsoleAgent.cpp:
873         (Inspector::InspectorConsoleAgent::startTiming):
874         (Inspector::InspectorConsoleAgent::logTiming):
875         (Inspector::InspectorConsoleAgent::stopTiming):
876         (Inspector::InspectorConsoleAgent::count):
877         (Inspector::InspectorConsoleAgent::countReset):
878
879 2020-09-18  Keith Miller  <keith_miller@apple.com>
880
881         DFG should ensure there are PhantomLocals for the taken block of op_jneq_ptr
882         https://bugs.webkit.org/show_bug.cgi?id=216669
883
884         Reviewed by Saam Barati.
885
886         Right now, if there is a local that is live on the taken branch but dead on the
887         not-taken branch then nothing will preserve it for OSR exit. This patch simply
888         adds a PhantomLocal for each live operand for the first bytecode of the taken block.
889
890         * dfg/DFGByteCodeParser.cpp:
891         (JSC::DFG::ByteCodeParser::parseBlock):
892
893 2020-09-18  Paulo Matos  <pmatos@igalia.com>
894
895         Unified build fixes from ARMv7 build failures
896         https://bugs.webkit.org/show_bug.cgi?id=216698
897
898         Reviewed by Adrian Perez de Castro.
899
900         * llint/LLIntThunks.cpp:
901         * runtime/FileBasedFuzzerAgent.cpp:
902         * runtime/FunctionExecutableDump.cpp:
903         * runtime/NativeExecutable.cpp:
904         * runtime/WeakMapImpl.cpp:
905
906 2020-09-17  Mark Lam  <mark.lam@apple.com>
907
908         Use OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in speculationFromCell()'s isSanePointer().
909         https://bugs.webkit.org/show_bug.cgi?id=216638
910
911         Reviewed by Saam Barati.
912
913         We should be using OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) instead of assuming the
914         width of the pointer address bits.
915
916         * bytecode/SpeculatedType.cpp:
917         (JSC::isSanePointer):
918
919 2020-09-17  Devin Rousso  <drousso@apple.com>
920
921         Web Inspector: REGRESSION(r266885): fix open source build
922         https://bugs.webkit.org/show_bug.cgi?id=216675
923
924         Reviewed by Timothy Hatcher.
925
926         Add back methods used by `WebInspector.framework`.
927
928         * inspector/InspectorBackendDispatcher.cpp:
929         (Inspector::BackendDispatcher::getInteger): Added.
930         (Inspector::BackendDispatcher::getDouble): Added.
931         (Inspector::BackendDispatcher::getString): Added.
932
933 2020-09-17  Tadeu Zagallo  <tzagallo@apple.com>
934
935         Inconsistent loop exit assertion in B3ReduceLoopStrength
936         https://bugs.webkit.org/show_bug.cgi?id=216274
937         <rdar://problem/68513573>
938
939         Reviewed by Keith Miller.
940
941         On B3ReduceLoopStrength, we first calculate where the loop exits to, and ensure there's only
942         one exit target. Later on, we compute how many places within the loop exit to that single exit
943         target. Currently, we assume that having a single target implies that we'll only ever have one
944         exit point, which is incorrect. To fix it, instead of asserting there should only be one exit
945         point, we just bail if we find more than one.
946
947         * b3/B3ReduceLoopStrength.cpp:
948         (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
949
950 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
951
952         [JSC] Async generator default-export is not handled
953         https://bugs.webkit.org/show_bug.cgi?id=216643
954
955         Reviewed by Ross Kirsling.
956
957         `export default async function * test() { }` syntax should be correctly handled.
958         This patch adds the code retrieving "test" name from the above declaration correctly.
959
960         * parser/Parser.cpp:
961         (JSC::Parser<LexerType>::parseExportDeclaration):
962
963 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
964
965         [JSC] Update JSModuleNamespaceObject::defineOwnProperty
966         https://bugs.webkit.org/show_bug.cgi?id=216640
967
968         Reviewed by Ross Kirsling.
969
970         This patch implements spec update of JSModuleNamespaceObject::defineOwnProperty.
971         We implement https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-defineownproperty-p-desc precisely.
972
973         * runtime/JSModuleNamespaceObject.cpp:
974         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
975         (JSC::JSModuleNamespaceObject::deleteProperty):
976         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
977         (JSC::JSModuleNamespaceObject::defineOwnProperty):
978
979 2020-09-17  Mark Lam  <mark.lam@apple.com>
980
981         Add some pointer sanity checks to speculationFromCell().
982         https://bugs.webkit.org/show_bug.cgi?id=216638
983         rdar://23226333
984
985         Reviewed by Yusuke Suzuki.
986
987         Add some sanity checks to mitigate against some potential pointer corruptions
988         from profiling data.  The goal here is not to exhaustively filter out all possible
989         bad pointers, but simply to filter out as many as possible to reduce crashes from
990         such bad pointers, and to do so with the least possible performance impact.
991
992         It is OK to do such filtering here because we're only trying to compute a
993         SpeculatedType from the pointer.  If the pointer is bad, we can just return
994         SpecNone indicating that we don't have any info to speculate on.
995
996         * bytecode/SpeculatedType.cpp:
997         (JSC::isSanePointer):
998         (JSC::speculationFromCell):
999         * runtime/StructureIDTable.h:
1000         (JSC::StructureIDTable::tryGet):
1001         * runtime/VM.h:
1002         (JSC::VM::tryGetStructure):
1003
1004 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1005
1006         Support export namespace `export * as ns`
1007         https://bugs.webkit.org/show_bug.cgi?id=214379
1008
1009         Reviewed by Ross Kirsling.
1010
1011         This patch supports `export * as ns from "module"` syntax. If it is used, we expose "module"'s namespace object as "ns".
1012         For each module environment, we create a *namespace* (starNamespace) private symbol scope variable. And we fill it later
1013         with the module namespace object. This allows us to use the module namespace object IC and super fast imported module binding
1014         lookup through the environment variable lookup mechanism.
1015
1016         * builtins/BuiltinNames.h:
1017         * bytecompiler/BytecodeGenerator.cpp:
1018         (JSC::BytecodeGenerator::BytecodeGenerator):
1019         * parser/NodesAnalyzeModule.cpp:
1020         (JSC::ExportNamedDeclarationNode::analyzeModule):
1021         * parser/Parser.cpp:
1022         (JSC::Parser<LexerType>::parseExportDeclaration):
1023         * runtime/AbstractModuleRecord.cpp:
1024         (JSC::AbstractModuleRecord::ExportEntry::createNamespace):
1025         (JSC::AbstractModuleRecord::resolveExportImpl):
1026         (JSC::AbstractModuleRecord::getModuleNamespace):
1027         (JSC::AbstractModuleRecord::setModuleEnvironment):
1028         (JSC::AbstractModuleRecord::dump):
1029         * runtime/AbstractModuleRecord.h:
1030         * runtime/CommonIdentifiers.h:
1031         * runtime/JSFunction.cpp:
1032         (JSC::JSFunction::name):
1033         (JSC::JSFunction::reifyName):
1034         * runtime/JSModuleNamespaceObject.cpp:
1035         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
1036         * runtime/JSModuleRecord.cpp:
1037         (JSC::JSModuleRecord::instantiateDeclarations):
1038         (JSC::JSModuleRecord::evaluate):
1039         * wasm/js/JSWebAssemblyModule.cpp:
1040         (JSC::JSWebAssemblyModule::finishCreation):
1041         * wasm/js/WebAssemblyModuleRecord.cpp:
1042         (JSC::WebAssemblyModuleRecord::link):
1043
1044 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1045
1046         [JSC] Optimize Promise#finally by avoiding creating multiple environments
1047         https://bugs.webkit.org/show_bug.cgi?id=216637
1048
1049         Reviewed by Ross Kirsling.
1050
1051         Let's just create functions inside Promise#finally. This avoids creating
1052         multiple lexical environments that are captured by each function.
1053
1054         * builtins/PromisePrototype.js:
1055         (finally):
1056         (globalPrivate.getThenFinally): Deleted.
1057         (globalPrivate.getCatchFinally): Deleted.
1058
1059 2020-09-16  Saam Barati  <sbarati@apple.com>
1060
1061         Don't IC a null custom accessor/value setter
1062         https://bugs.webkit.org/show_bug.cgi?id=216620
1063         <rdar://problem/68976066>
1064
1065         Reviewed by Mark Lam.
1066
1067         Our runtime allows CustomGetterSetter objects' setter field to not contain an
1068         actual C function to call. In such a scenario, the runtime just does nothing
1069         except return false to the ::put code (which may result in throwing an
1070         exception in strict mode code).
1071
1072         However, our IC code never considered whether this function could be nullptr.
1073         The fix here is simple: don't IC such custom accessor/value setters.
1074
1075         * runtime/PutPropertySlot.h:
1076         (JSC::PutPropertySlot::isCacheableCustom const):
1077
1078 2020-09-16  Philippe Normand  <pnormand@igalia.com>
1079
1080         [Flatpak SDK][WPE] Launching the remote inspector kills MB
1081         https://bugs.webkit.org/show_bug.cgi?id=213899
1082
1083         Reviewed by Adrian Perez de Castro.
1084
1085         Load inspector resources from developer build artefacts, when the inspector server is
1086         running in this configuration. Fall back to the system library loading mechanism otherwise.
1087
1088         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1089         (Inspector::backendCommands):
1090
1091 2020-09-16  Adrian Perez de Castro  <aperez@igalia.com>
1092
1093         Non-unified build fixes, early September 2020 edition
1094         https://bugs.webkit.org/show_bug.cgi?id=216599
1095
1096         Unreviewed build fix.
1097
1098         Largely based on a patch by Lauro Moura <lmoura@igalia.com>
1099
1100         * runtime/IntlCache.cpp: Add missing wtf/Vector.h include.
1101         * runtime/IntlCache.h: Add missing wtf/text/CString.h include.
1102         * runtime/IntlNumberFormatPrototype.cpp: Replace IntlNumberFormat.h
1103         include with IntlNumberFormatInlines.h to fix linking.
1104
1105 2020-09-15  Saam Barati  <sbarati@apple.com>
1106
1107         JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
1108         https://bugs.webkit.org/show_bug.cgi?id=216589
1109         <rdar://problem/68061245>
1110
1111         Reviewed by Yusuke Suzuki.
1112
1113         We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
1114         but we were failing to always return a boxed double value for double loads.
1115         We were calling jsNumber instead of jsDoubleNumber. This is in contrast to
1116         the runtime, which always returns a double boxed value. This would lead AI
1117         to disagree with the runtime, and miscompile code.
1118
1119         * runtime/JSImmutableButterfly.h:
1120         (JSC::JSImmutableButterfly::get const):
1121
1122 2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>
1123
1124         [JSC] Cache UDateTimePatternGenerator
1125         https://bugs.webkit.org/show_bug.cgi?id=213454
1126
1127         Reviewed by Ross Kirsling.
1128
1129         The ICU udatpg_open function is particularly slow. As a result, ~80% of the time is spent in this function when calling Date#toLocaleString.
1130         We should have a last-used cache in VM, which covers major cases like "one locale (possibly the default locale) is used and toLocaleString
1131         is continuously called with that locale".
1132
1133         This significantly improves toLocaleString / toLocaleDateString / toLocaleTimeString performance.
1134
1135                                                    ToT                     Patched
1136
1137             date-to-locale-string           392.0092+-0.6811     ^     87.3196+-3.1598        ^ definitely 4.4894x faster
1138             date-to-locale-date-string      377.9117+-7.8701     ^     70.4155+-3.6661        ^ definitely 5.3669x faster
1139             date-to-locale-time-string      373.1970+-3.0142     ^     67.3790+-2.8952        ^ definitely 5.5388x faster
1140
1141
1142         * JavaScriptCore.xcodeproj/project.pbxproj:
1143         * Sources.txt:
1144         * runtime/IntlCache.cpp: Added.
1145         (JSC::IntlCache::cacheSharedPatternGenerator):
1146         (JSC::IntlCache::getBestDateTimePattern):
1147         * runtime/IntlCache.h: Added.
1148         (JSC::IntlCache::getSharedPatternGenerator):
1149         * runtime/IntlDateTimeFormat.cpp:
1150         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1151         * runtime/VM.cpp:
1152         (JSC::VM::VM):
1153         * runtime/VM.h:
1154         (JSC::VM::intlCache):
1155
1156 2020-09-15  HyeockJin Kim  <kherootz@gmail.com>
1157
1158         Check whether the iterator is callable in spread
1159         https://bugs.webkit.org/show_bug.cgi?id=215974
1160
1161         Reviewed by Darin Adler.
1162
1163         * builtins/IteratorHelpers.js:
1164         (performIteration):
1165
1166 2020-09-15  Tadeu Zagallo  <tzagallo@apple.com>
1167
1168         Object allocation sinking forgets escaped nodes when structure changes
1169         https://bugs.webkit.org/show_bug.cgi?id=216214
1170         <rdar://problem/68518460>
1171
1172         Reviewed by Saam Barati.
1173
1174         Consider the following program:
1175             bb0:
1176                 a: NewObject
1177                 b: CreateActivation()
1178                 _: Branch(bb2, bb1)
1179             bb1:
1180                 _: PutByOffset(a, 'x', 42)
1181                 _: PutStructure(a, {x: 0})
1182                 _: Branch(bb2, bb1)
1183             bb2:
1184                 _: CheckStructure(a, {x: 0})
1185                 _: PutClosureVar(b, 0, Kill:a)
1186                 _: Branch(bb3, bb2)
1187             bb3:
1188                 c: GetClosureVar(b, 0)
1189                 _: PutByOffset(global, 'y', c)
1190                 _: Return
1191
1192         Due to the order we visit the program, we'll visit bb2 before bb1. The first time we visit bb2, heapAtHead will be:
1193             #@a: ObjectAllocation({})
1194             #@b: ActivationAllocation()
1195             @a => #@a
1196             @b => #@b
1197
1198         Now CheckStructure would always fail, so it will escape @a and heapAtTail will be:
1199             #@a: EscapedAllocation()
1200             #@b: ActivationAllocation()
1201             @a => #@a
1202             @b => #@b
1203
1204         And after pruning:
1205             #@b: ActivationAllocation()
1206             @b => #@b
1207
1208         Now, we'll visit bb3 and then bb1. When we visit bb1 we'll set the structure {x: 0} for the #@a and eventually visit bb2 again. This time around CheckStructure will no longer escape @a, since the allocation has the right structure, and heapAtTail will be:
1209             #@a: ObjectAllocation({x: 0})
1210             #@b: ActivationAllocation(0: #@a)
1211             @b => #@b
1212
1213         However, we now have to merge into bb3, which has heapAtHead:
1214             #@b: ActivationAllocation()
1215             @b => #@b
1216
1217         Since we can't add the extra field to the activation, we'll end up escaping @a at the edge and therefore pruning #@b, which will leave the heap for bb3 unchanged.
1218         That's a problem, since PutClosureVar didn't see the escaped object, but GetClosureVar thinks it's escaped. The materialization for @a will be placed after the
1219         PutClosureVar, at end of bb2, when the node is already dead. When computing the SSA defs, the PutByOffset at bb3 will then see @a (which at this point will be a
1220         PhantomNewObject) instead of its materialization.
1221
1222         The issue happens because we don't allow allocations to add extra fields while merging, but we do allow adding new structures. This results in different decisions
1223         being made about what escapes in CheckStructure and MultiGetByOffset. To avoid this problem, we track two sets of structures: structures and structuresForMaterialization.
1224         The first is used for checks and should never grow while the second is used for materialization and is allowed to grow.
1225
1226         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1227
1228 2020-09-15  Saam Barati  <sbarati@apple.com>
1229
1230         CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property
1231         https://bugs.webkit.org/show_bug.cgi?id=216575
1232         <rdar://problem/68286930>
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         The CustomFunctionEquivalence PropertyCondition would only return false to
1237         isStillValidAssumingImpurePropertyWatchpoint if the Structure's static
1238         property table was reified or if the static property table did not contain the
1239         property. However, this missed the obvious case of where we store to this
1240         property in normal object storage without reifying the static property table.
1241         The fix here is simple: we first check if the Structure's property table
1242         has this property, and if so, return false.
1243         
1244         This patch also renames CustomFunctionEquivalence to HasStaticProperty to
1245         better capture what we're doing.
1246
1247         * bytecode/ObjectPropertyCondition.h:
1248         (JSC::ObjectPropertyCondition::hasStaticProperty):
1249         (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted.
1250         * bytecode/ObjectPropertyConditionSet.cpp:
1251         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
1252         (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
1253         (JSC::generateConditionsForPrototypePropertyHitCustom):
1254         * bytecode/PropertyCondition.cpp:
1255         (JSC::PropertyCondition::dumpInContext const):
1256         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1257         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1258         (JSC::PropertyCondition::isStillValid const):
1259         (JSC::PropertyCondition::isWatchableWhenValid const):
1260         (WTF::printInternal):
1261         * bytecode/PropertyCondition.h:
1262         (JSC::PropertyCondition::hasStaticProperty):
1263         (JSC::PropertyCondition::hash const):
1264         (JSC::PropertyCondition::operator== const):
1265         (JSC::PropertyCondition::customFunctionEquivalence): Deleted.
1266         * tools/JSDollarVM.cpp:
1267         (JSC::functionCreateStaticCustomValue):
1268         (JSC::JSDollarVM::finishCreation):
1269
1270 2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>
1271
1272         [JSC] Apply Intl.DateTimeFormat hour-cycle correctly when timeStyle is used
1273         https://bugs.webkit.org/show_bug.cgi?id=216521
1274
1275         Reviewed by Ross Kirsling.
1276
1277         When specifying timeStyle in Intl.DateTimeFormat, we need to check that the generated format also follows the hourCycle / hour12 options
1278         specified in the constructor. Because dayPeriod can be included automatically, just replacing symbols after generating a pattern can produce a strange result.
1279         For example, the generated one is something like "02:12:47 PM Coordinated Universal Time", and we adjust the pattern to make it "14:12:47 PM Coordinated Universal Time"
1280         when hourCycle H23 / H24 is specified. But this looks strange since the dayPeriod "PM" should not exist when using H23 / H24.
1281
1282         In this patch, we revise our hour-cycle handling in Intl.DateTimeFormat. We align our behavior to SpiderMonkey's[1] rather than the spec's: when hour12 is specified,
1283         we just use the 'H' or 'h' skeleton and do not enforce the hour-cycle after generating the pattern in the hour12 case. If hour12 is not specified, then we use the 'h' or 'H' skeleton
1284         symbols based on hour-cycle, and later we modify the pattern based on hour-cycle. If neither is offered, we use 'j', which allows ICU to pick the preferable one.
1285         This is slightly different behavior from the spec (hcDefault etc.), but the spec's behavior can cause a somewhat surprising result[2,3], and the SpiderMonkey-like behavior will be
1286         integrated into the spec eventually[4].
1287
1288         [1]: https://github.com/tc39/ecma402/issues/402#issuecomment-623628320
1289         [2]: https://github.com/tc39/ecma402/issues/402
1290         [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=1045791
1291         [4]: https://github.com/tc39/ecma402/pull/436
1292
1293         * runtime/IntlDateTimeFormat.cpp:
1294         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
1295         (JSC::IntlDateTimeFormat::parseHourCycle):
1296         (JSC::IntlDateTimeFormat::hourCycleFromPattern):
1297         (JSC::IntlDateTimeFormat::replaceHourCycleInSkeleton):
1298         (JSC::IntlDateTimeFormat::replaceHourCycleInPattern):
1299         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1300         (JSC::IntlDateTimeFormat::hourCycleString):
1301         (JSC::IntlDateTimeFormat::resolvedOptions const):
1302         (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
1303         * runtime/IntlDateTimeFormat.h:
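
The precedence rules described above (hour12 wins, otherwise hourCycle, otherwise the locale default), exercised against whatever engine runs this. This is an added example, not code from the WebKit patch; it assumes an 'en-US' locale is available and that the runtime implements the ECMA-402 hour12/hourCycle options.

```javascript
// Added example (not JSC's code). Formats a constructed afternoon instant and
// reports which hour and day-period parts came out, so the three cases from the
// ChangeLog entry can be compared side by side.
function describeHourHandling(locale, hourOptions, date) {
  const formatter = new Intl.DateTimeFormat(locale, {
    timeZone: 'UTC',
    hour: 'numeric',
    minute: '2-digit',
    second: '2-digit',
    ...hourOptions,
  });
  const parts = formatter.formatToParts(date);
  const hour = parts.find((part) => part.type === 'hour');
  const dayPeriod = parts.find((part) => part.type === 'dayPeriod');
  const description = {
    formatted: formatter.format(date),
    hour: hour ? hour.value : null,
    dayPeriod: dayPeriod ? dayPeriod.value : null,
    resolvedHourCycle: formatter.resolvedOptions().hourCycle,
  };
  // The anomaly the entry describes: a 24-hour clock hour (> 12) printed next to a
  // day period such as "PM" ("14:12:47 PM ...").
  description.mixedCycles = description.dayPeriod !== null && Number(description.hour) > 12;
  return description;
}

// Constructed sample instant: 2020-09-14 14:12:47 UTC, an afternoon time like the
// one in the entry, so h12 and h23 output differ visibly.
const SAMPLE_DATE = new Date(Date.UTC(2020, 8, 14, 14, 12, 47));

// hour12 given (hourCycle must be ignored), hourCycle only, hour12 only, and neither.
function hourCycleCases(locale = 'en-US') {
  return {
    hour12Wins: describeHourHandling(locale, { hour12: true, hourCycle: 'h23' }, SAMPLE_DATE),
    hourCycleOnly: describeHourHandling(locale, { hourCycle: 'h23' }, SAMPLE_DATE),
    hour12False: describeHourHandling(locale, { hour12: false }, SAMPLE_DATE),
    localeDefault: describeHourHandling(locale, {}, SAMPLE_DATE),
  };
}
```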
1304
1305 2020-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
1306
1307         [JSC] Intl.Collator should take collation option
1308         https://bugs.webkit.org/show_bug.cgi?id=216529
1309
1310         Reviewed by Ross Kirsling.
1311
1312         This patch adds the "collation" option to Intl.Collator. We have already reached consensus [1], and it will be integrated into the spec.
1313         Previously, passing "collation" was only available through the "-u-co-" unicode extension in the passed locale. The proposal exposes
1314         collation as an option to Intl.Collator so that we can set it easily.
1315         "collation" is used only when "usage" is "sort". The "search" usage filters out collation options since "search" itself is one of
1316         the "collation" options.
1317
1318         [1]: https://github.com/tc39/ecma402/pull/459
1319
1320         * runtime/IntlCollator.cpp:
1321         (JSC::IntlCollator::sortLocaleData):
1322         (JSC::IntlCollator::initializeCollator):
1323
1324 2020-09-15  Joonghun Park  <jh718.park@samsung.com>
1325
1326         Unreviewed. Remove the build warning below since r228533.
1327         warning: ‘%40s’ directive argument is null [-Wformat-overflow=]
1328
1329         Since gcc version >= 9 is stricter about passing null string
1330         pointers to printf-like functions, add a null string pointer check
1331         to fix the warning proactively.
1332
1333         * jsc.cpp:
1334         (runJSC):
1335
1336 2020-09-14  Keith Miller  <keith_miller@apple.com>
1337
1338         BytecodeParser should GetLocal op_ret's value even if it's unused by the caller
1339         https://bugs.webkit.org/show_bug.cgi?id=216506
1340
1341         Reviewed by Mark Lam.
1342
1343         We have to unconditionally GetLocal operands each bytecode claims to use
1344         regardless of true liveness. This is important to keep OSRAvailability simple.
1345         However, op_ret would only GetLocal the return value if we knew the value
1346         was going to be used by an inline caller.
1347
1348         * dfg/DFGByteCodeParser.cpp:
1349         (JSC::DFG::ByteCodeParser::parseBlock):
1350
1351 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
1352
1353         Proxy's "ownKeys" trap result should not be sorted
1354         https://bugs.webkit.org/show_bug.cgi?id=216227
1355
1356         Reviewed by Yusuke Suzuki.
1357
1358         Given that we can't know whether ownPropertyKeys() received property names from
1359         a userland Proxy's "ownKeys" trap, this patch moves the symbols-after-strings sorting [1]
1360         to Structure::getPropertyNamesFromStructure(), aligning the observed property order
1361         (via Proxy's "getOwnPropertyDescriptor" trap) with V8 and SpiderMonkey.
1362
1363         Also removes sorting logic duplication in objectConstructorAssign().
1364
1365         This change is neutral on provided Reflect.ownKeys microbenchmark. Although property
1366         name collection besides PropertyNameMode::StringsAndSymbols cases is unaffected,
1367         Object.{keys,getOwnPropertySymbols} microbenchmarks regress by 6-12% due to
1368         increased Structure::getPropertyNamesFromStructure() code size.
1369
1370         [1]: https://tc39.es/ecma262/#sec-ordinaryownpropertykeys (steps 3-4)
1371
1372         * runtime/ObjectConstructor.cpp:
1373         (JSC::objectConstructorAssign):
1374         (JSC::ownPropertyKeys):
1375         * runtime/Structure.cpp:
1376         (JSC::Structure::getPropertyNamesFromStructure):
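
The observable behaviour this entry aligns with V8 and SpiderMonkey, as an added example that is not part of the WebKit patch: a Proxy whose "ownKeys" trap returns keys in a deliberately non-ordinary order, checked through Reflect.ownKeys and through the order in which Object.assign consults the "getOwnPropertyDescriptor" trap. It assumes a spec-conformant engine.

```javascript
// Added example (not JSC's code). The trap result puts a symbol first and a
// non-integer key before an integer-like one; no engine-side sorting may reorder it.
function ownKeysOrder() {
  const sym = Symbol('constructed');
  const trapOrder = [sym, 'b', '1', 'a'];
  const descriptorQueries = [];
  const proxy = new Proxy({}, {
    ownKeys() {
      return trapOrder.slice();
    },
    getOwnPropertyDescriptor(target, key) {
      descriptorQueries.push(key);
      // The target has no such property and is extensible, so any configurable
      // descriptor satisfies the proxy invariants.
      return { value: key.toString(), writable: true, enumerable: true, configurable: true };
    },
  });

  // [[OwnPropertyKeys]] once, then [[GetOwnProperty]] per key: the trap order is
  // what Object.assign observes, strings and symbols interleaved as returned.
  Object.assign({}, proxy);

  // Contrast: an ordinary object built with the same insertion order follows
  // OrdinaryOwnPropertyKeys (integer keys ascending, then strings, then symbols).
  const ordinary = {};
  for (const key of trapOrder) ordinary[key] = 1;

  return {
    trapOrder,
    fromProxy: Reflect.ownKeys(proxy),
    descriptorQueries,
    fromOrdinary: Reflect.ownKeys(ordinary),
  };
}
```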
1377
1378 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
1379
1380         ArraySetLength should coerce [[Value]] before descriptor validation
1381         https://bugs.webkit.org/show_bug.cgi?id=158791
1382
1383         Reviewed by Darin Adler.
1384
1385         This patch:
1386
1387         1. Moves [[Value]] coercion before descriptor validation as per spec [1],
1388            which fixes ASSERT() failure and aligns JSC with V8 & SpiderMonkey.
1389
1390         2. Prevents JSArray::setLengthWithArrayStorage() from throwing if the length
1391            is unchanged, even if it's read-only [2].
1392
1393         3. Refactors JSArray::defineOwnProperty() leveraging #2 to always perform
1394            setLength(), which greatly reduces the number of checks, branches,
1395            and setLengthWritable() calls.
1396
1397         Following the ArraySetLength spec steps precisely [1] would result in
1398         more difficult-to-follow code because descriptor validation [2] is inlined
1399         and [[Delete]] failures are handled in setLength().
1400
1401         This change is performance-neutral as it doesn't affect JSArray::put(),
1402         which was vetted to be spec-correct and is covered by test262 suite.
1403
1404         [1]: https://tc39.es/ecma262/#sec-arraysetlength (steps 3-4)
1405         [2]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 7.a.ii)
1406
1407         * runtime/JSArray.cpp:
1408         (JSC::JSArray::defineOwnProperty):
1409         (JSC::JSArray::setLengthWithArrayStorage):
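
The ordering this entry fixes, made observable from script. This is an added example (not WebKit test code) and assumes a spec-conformant engine: [[Value]] coercion (steps 3-4 of ArraySetLength) happens before the descriptor is validated against a read-only length, and redefining a read-only length with its current value is permitted.

```javascript
// Added example (not JSC's code). Coercion side effects and the RangeError from
// step 4 are observed even when validation would later reject the definition.
function coercionRunsBeforeValidation() {
  const arr = [1, 2, 3];
  Object.defineProperty(arr, 'length', { writable: false });
  let valueOfCalls = 0;
  const lengthLike = { valueOf() { valueOfCalls += 1; return 5; } };
  let error = null;
  try {
    // ToUint32 and ToNumber on [[Value]] each invoke valueOf before the read-only
    // length is consulted; only then does validation throw TypeError.
    Object.defineProperty(arr, 'length', { value: lengthLike });
  } catch (e) {
    error = e;
  }
  return { valueOfCalls, errorName: error && error.constructor.name, length: arr.length };
}

function invalidLengthOnReadOnlyLength() {
  const arr = [1, 2, 3];
  Object.defineProperty(arr, 'length', { writable: false });
  try {
    // ToUint32(-1) !== ToNumber(-1), so step 4 throws RangeError before validation
    // would have thrown TypeError for the non-writable length.
    Object.defineProperty(arr, 'length', { value: -1 });
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

function unchangedLengthOnReadOnlyLength() {
  const arr = [1, 2];
  Object.defineProperty(arr, 'length', { writable: false });
  // Same value on a read-only length: ValidateAndApplyPropertyDescriptor allows it,
  // so this must not throw (point 2 of the entry).
  Object.defineProperty(arr, 'length', { value: 2 });
  return arr.length;
}
```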
1410
1411 2020-09-14  Saam Barati  <sbarati@apple.com>
1412
1413         Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
1414         https://bugs.webkit.org/show_bug.cgi?id=216485
1415         <rdar://problem/68562804>
1416
1417         Reviewed by Keith Miller.
1418
1419         We had an assert inside lowCell that if a value was not part of the JSValue
1420         hashmap of values, then the type must not conform to being a cell. However,
1421         consider a program like this:
1422         
1423         ```
1424         x = ArithAdd(i32, i32) <-- x is an i32 here
1425         if (b) {
1426             Check(Cell:@x)
1427             ArrayifyToStructure(@x, thingy)
1428         }
1429         <-- HERE
1430         ```
1431         
1432         @x will live in FTLLower's i32 hashmap, but because of the AI rule for
1433         ArrayifyToStructure, it will also have SpecCell in its type. This is totally
1434         valid, and asserting that this isn't possible is wrong. (Obviously the above
1435         speculation is stupid, as we will always exit at the Check, but it's valid IR.)
1436         
1437         This patch removes this assertion from lowCell, and removes similar assertions
1438         from other low* functions.
1439
1440         * ftl/FTLLowerDFGToB3.cpp:
1441         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1442         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
1443         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1444         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1445         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
1446
1447 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
1448
1449         Make a few built-in methods throw if called as top-level functions
1450         https://bugs.webkit.org/show_bug.cgi?id=216467
1451
1452         Reviewed by Darin Adler.
1453
1454         Non-strict userland functions substitute undefined & null `this` values
1455         with the global object [1], while built-in functions do not [2].
1456
1457         This patch adds 5 missing toThis(globalObject, ECMAMode::strict()) calls,
1458         preventing built-in methods from being called as top-level functions:
1459
1460         ```
1461         let {toString} = Error.prototype;
1462         toString(); // now throws TypeError
1463         ```
1464
1465         Aligns JSC with V8 and SpiderMonkey.
1466         This change is performance-neutral due to DFG inlining of OpToThis.
1467         All other callFrame->thisValue() usages were vetted to be spec-correct.
1468
1469         [1]: https://tc39.es/ecma262/#sec-ordinarycallbindthis (step 6.a.iii)
1470         [2]: https://tc39.es/ecma262/#sec-built-in-function-objects-call-thisargument-argumentslist (step 10)
1471
1472         * runtime/ArrayPrototype.cpp:
1473         (JSC::createArrayIteratorObject):
1474         * runtime/DatePrototype.cpp:
1475         (JSC::dateProtoFuncToPrimitiveSymbol):
1476         (JSC::dateProtoFuncToJSON):
1477         * runtime/ErrorPrototype.cpp:
1478         (JSC::errorProtoFuncToString):
1479         * runtime/RegExpPrototype.cpp:
1480         (JSC::regExpProtoFuncToString):
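
The five built-ins this entry touches, detached from their prototypes and called with no receiver, next to the userland contrast from [1]. This is an added example, not code from the WebKit patch; it assumes an engine that applies the strict built-in `this` rules of [2].

```javascript
// Added example (not JSC's code). Each built-in is called as a plain function, so
// its `this` is undefined; a conformant engine rejects that with TypeError rather
// than substituting the global object.
function builtinsCalledAsTopLevelFunctions() {
  const attempts = {
    'Error.prototype.toString': Error.prototype.toString,
    'Date.prototype.toJSON': Date.prototype.toJSON,
    'Date.prototype[Symbol.toPrimitive]': Date.prototype[Symbol.toPrimitive],
    'RegExp.prototype.toString': RegExp.prototype.toString,
    'Array.prototype.values': Array.prototype.values,
  };
  const outcome = {};
  for (const [name, fn] of Object.entries(attempts)) {
    // @@toPrimitive takes a hint; the receiver check still comes first.
    const args = name.endsWith('toPrimitive]') ? ['default'] : [];
    try {
      fn(...args);
      outcome[name] = 'returned';
    } catch (e) {
      outcome[name] = e.constructor.name;
    }
  }
  return outcome;
}

// Userland functions differ by strictness: sloppy code gets the global object,
// strict code keeps undefined. `new Function` bodies are sloppy regardless of the
// mode of the enclosing file.
function userlandThisSubstitution() {
  const sloppy = new Function('return this;');
  const strict = function () { 'use strict'; return this; };
  return {
    sloppyGetsGlobal: sloppy() === globalThis,
    strictGetsUndefined: strict() === undefined,
  };
}
```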
1481
1482 2020-09-14  Devin Rousso  <drousso@apple.com>
1483
1484         Web Inspector: REGRESSION(r266885): dyld: Symbol not found: __ZN9Inspector17BackendDispatcher12sendResponseElON3WTF6RefPtrINS1_8JSONImpl6ObjectENS1_13DumbPtrTraitsIS4_EEEEb
1485         https://bugs.webkit.org/show_bug.cgi?id=216486
1486
1487         Reviewed by Joseph Pecoraro.
1488
1489         * inspector/InspectorBackendDispatcher.h:
1490         * inspector/InspectorBackendDispatcher.cpp:
1491         (Inspector::BackendDispatcher::sendResponse):
1492         Add back overloads removed in r266885 so that the symbols exist.
1493
1494 2020-09-14  Saam Barati  <sbarati@apple.com>
1495
1496         Don't assume byte code operands are uint32 JSValues
1497         https://bugs.webkit.org/show_bug.cgi?id=216386
1498
1499         Reviewed by Yusuke Suzuki.
1500
1501         The slow path for enumerator_generic_pname was assuming that its input index operand
1502         would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
1503         because that value can have double format in the DFG, and remain in that format when
1504         we exit from the DFG to baseline/LLInt code.
1505         
1506         This was found via the widening number fuzzing agent.
1507         
1508         I also audited two more places that seem like they suffer from the same issue,
1509         and also switched them to using the asUInt32AsAnyInt function:
1510         - enumerator_structure_pname
1511         - create_rest
1512
1513         * runtime/CommonSlowPaths.cpp:
1514         (JSC::SLOW_PATH_DECL):
1515
1516 2020-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
1517
1518         [JSC] Canonicalize "true" unicode extension type value to ""
1519         https://bugs.webkit.org/show_bug.cgi?id=216224
1520
1521         Reviewed by Ross Kirsling.
1522
1523         Unicode Technical Standard #35 defines that a unicode extension type value of "true" should be canonicalized to "".
1524         This patch implements it by extracting unicode extension subtags and replacing "true" with "".
1525
1526         * runtime/IntlLocale.cpp:
1527         (JSC::LocaleIDBuilder::toCanonical):
1528         (JSC::IntlLocale::keywordValue const):
1529         (JSC::IntlLocale::calendar):
1530         (JSC::IntlLocale::caseFirst):
1531         (JSC::IntlLocale::collation):
1532         (JSC::IntlLocale::hourCycle):
1533         (JSC::IntlLocale::numberingSystem):
1534         (JSC::IntlLocale::numeric):
1535         * runtime/IntlLocale.h:
1536         * runtime/IntlLocalePrototype.cpp:
1537         (JSC::IntlLocalePrototypeGetterCalendar):
1538         (JSC::IntlLocalePrototypeGetterCaseFirst):
1539         (JSC::IntlLocalePrototypeGetterCollation):
1540         (JSC::IntlLocalePrototypeGetterHourCycle):
1541         (JSC::IntlLocalePrototypeGetterNumberingSystem):
1542         * runtime/IntlObject.cpp:
1543         (JSC::unicodeExtensionSubTags):
1544         (JSC::canonicalizeUnicodeExtensionsAfterICULocaleCanonicalization):
1545         (JSC::languageTagForLocaleID):
1546         (JSC::resolveLocale):
1547         * runtime/IntlObject.h:
1548         * runtime/IntlObjectInlines.h:
1549         (JSC::computeTwoCharacters16Code):
1550         * runtime/StringPrototype.cpp:
1551         (JSC::computeTwoCharacters16Code): Deleted.
1552
1553 2020-09-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1554
1555         [JSC] attribute-change transition should not pin Structure
1556         https://bugs.webkit.org/show_bug.cgi?id=215528
1557
1558         Reviewed by Saam Barati.
1559
1560         This patch avoids using pin in attribute-change transition. To achieve this, attribute-change transition is now fully supported
1561         in the transition chain in forEachPropertyConcurrently etc.: we can retrieve properties with changed attributes correctly by traversing the
1562         transition chain. We also support attribute-change transition in materializePropertyTable, so we do not need to pin the structure.
1563
1564         The design largely mimics the existing removePropertyTransition and addPropertyTransition. This patch also adds a `hasBeenDictionary()`
1565         check before adding a structure to the transition so that we can avoid adding an unnecessary structure entry to the transition table.
1566
1567         * bytecode/AccessCase.cpp:
1568         (JSC::AccessCase::generateImpl):
1569         * dfg/DFGClobberize.h:
1570         (JSC::DFG::clobberize):
1571         * ftl/FTLLowerDFGToB3.cpp:
1572         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1573         * jit/Repatch.cpp:
1574         (JSC::tryCacheDeleteBy):
1575         * runtime/Structure.cpp:
1576         (JSC::Structure::materializePropertyTable):
1577         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1578         (JSC::Structure::addPropertyTransition):
1579         (JSC::Structure::addNewPropertyTransition):
1580         (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
1581         (JSC::Structure::removeNewPropertyTransition):
1582         (JSC::Structure::attributeChangeTransitionToExistingStructure):
1583         (JSC::Structure::attributeChangeTransition):
1584         (JSC::Structure::nonPropertyTransitionSlow):
1585         (JSC::Structure::attributeChange):
1586         * runtime/Structure.h:
1587         * runtime/StructureInlines.h:
1588         (JSC::Structure::forEachPropertyConcurrently):
1589         (JSC::Structure::attributeChange):
1590         (JSC::Structure::attributeChangeWithoutTransition):
1591         * tools/JSDollarVM.cpp:
1592         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
1593
1594 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1595
1596         [JSC] customGetterSetterFunctionCall should have proper exception checking
1597         https://bugs.webkit.org/show_bug.cgi?id=216391
1598         <rdar://problem/68631643>
1599
1600         Reviewed by Mark Lam.
1601
1602         Add appropriate exception checking to customGetterSetterFunctionCall.
1603
1604         * runtime/JSCustomGetterSetterFunction.cpp:
1605         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1606
1607 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1608
1609         [JSC] Add exception checks to JSCallbackObject
1610         https://bugs.webkit.org/show_bug.cgi?id=216384
1611         <rdar://problem/68632190>
1612
1613         Reviewed by Saam Barati.
1614
1615         This patch adds necessary exception checks to JSCallbackObject to suppress an exception verifier crash in Debug builds.
1616
1617         * API/JSCallbackObjectFunctions.h:
1618         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1619         (JSC::JSCallbackObject<Parent>::defaultValue):
1620         (JSC::JSCallbackObject<Parent>::put):
1621         (JSC::JSCallbackObject<Parent>::putByIndex):
1622         (JSC::JSCallbackObject<Parent>::deleteProperty):
1623         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1624
1625 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1626
1627         [JSC] agent start function should move isolated copy of source
1628         https://bugs.webkit.org/show_bug.cgi?id=216383
1629         <rdar://problem/66371008>
1630
1631         Reviewed by Saam Barati.
1632
1633         We are calling `isolatedCopy()` and setting it to a variable in the caller thread, and then copying it to the thread.
1634         This means that ref-counting will happen in both the caller thread and the callee thread, which is wrong.
1635         We should pass the isolatedCopy string directly to the callee thread.
1636
1637         * jsc.cpp:
1638         (functionDollarAgentStart):
1639
1640 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1641
1642         [JSC] unshift / shift should take structure lock
1643         https://bugs.webkit.org/show_bug.cgi?id=216378
1644         <rdar://problem/68496096>
1645
1646         Reviewed by Mark Lam.
1647
1648         When unshifting / shifting a butterfly, we need to move property storage values too.
1649         If property storage values are moved while the concurrent JIT compiler is accessing them, it could read a garbage value.
1650
1651         For example, the concurrent JIT compiler is accessing property storage [2].
1652
1653                             1          2         3
1654                        [ JSValue ][ JSValue ][ Header ]
1655
1656         But unshift moved it like this.
1657
1658                             1          2         3
1659             [ JSValue ][ JSValue ][ Header ]
1660
1661         Since the butterfly pointer held by JSObject is not updated yet, the concurrent JIT compiler will read [ Header ] as a JSValue and crash.
1662         In this patch, we take the structure lock when shifting an existing butterfly since this affects property storage. Since JSObject::getDirectConcurrently
1663         takes the structure lock, this locking prevents concurrent compilers from getting an invalid value.
1664
1665         * runtime/JSArray.cpp:
1666         (JSC::JSArray::unshiftCountSlowCase):
1667         (JSC::JSArray::shiftCountWithArrayStorage):
1668         (JSC::JSArray::unshiftCountWithArrayStorage):
1669
1670 2020-09-10  Joonghun Park  <jh718.park@samsung.com>
1671
1672         Unreviewed. Remove the build warning below since r266885.
1673         warning: redundant move in return statement [-Wredundant-move]
1674
1675         Because the return statement already returns an rvalue reference,
1676         we don't need WTFMove at return.
1677
1678         * inspector/agents/InspectorRuntimeAgent.cpp:
1679         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1680         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1681
1682 2020-09-10  Alexey Shvayka  <shvaikalesh@gmail.com>
1683
1684         Promise.prototype.finally should perform PromiseResolve
1685         https://bugs.webkit.org/show_bug.cgi?id=176006
1686
1687         Reviewed by Yusuke Suzuki.
1688
1689         This patch extracts @promiseResolve global private function and utilizes it in
1690         Promise.prototype.finally then/catch functions [1] to avoid creating an extra
1691         Promise Capability. Aligns JSC with V8 and SpiderMonkey.
1692
1693         [1]: https://tc39.es/ecma262/#sec-thenfinallyfunctions (step 7)
1694
1695         * builtins/PromiseConstructor.js:
1696         (resolve):
1697         * builtins/PromiseOperations.js:
1698         (globalPrivate.promiseResolve):
1699         * builtins/PromisePrototype.js:
1700         (globalPrivate.getThenFinally):
1701         (globalPrivate.getCatchFinally):
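
The PromiseResolve step [1] made observable, as an added example that is not part of the WebKit patch. A constructed Promise subclass counts its own constructions; when the `onFinally` callback returns a promise of the same constructor, PromiseResolve hands it back unchanged and `then` is invoked on it with just the value thunk, whereas an implementation that first builds a fresh capability (the shape this entry replaces) constructs extra promises and only reaches `then` through a thenable job. It assumes an engine whose Promise.prototype.finally follows the current spec.

```javascript
// Added example (not JSC's code). A fresh counting subclass per run keeps the
// leftover reaction jobs of one run from polluting the next one's count.
function makeTrackedPromise() {
  let constructions = 0;
  class TrackedPromise extends Promise {
    constructor(executor) {
      super(executor);
      constructions += 1;
    }
    static get constructions() {
      return constructions;
    }
  }
  return TrackedPromise;
}

// Runs `kickOff` (which only schedules reaction jobs) and resolves, as a native
// Promise, with what the first invocation of `inner.then` observed: promises of C
// constructed since kick-off, and how many arguments `then` received.
function observeThenInvocation(C, inner, kickOff) {
  return new Promise((report) => {
    let snapshot = Infinity;
    let reported = false;
    inner.then = function (...args) {
      if (!reported) {
        reported = true;
        report({ extraConstructions: C.constructions - snapshot, thenArgCount: args.length });
      }
      return Promise.prototype.then.apply(this, args);
    };
    kickOff();
    snapshot = C.constructions;
  });
}

// Spec path: finally -> ThenFinally -> PromiseResolve(C, inner), which returns
// inner itself because inner.constructor === C; then Invoke(inner, "then", « valueThunk »).
function specFinally() {
  const C = makeTrackedPromise();
  const inner = new C((resolve) => resolve('inner'));
  const base = C.resolve('base');
  return observeThenInvocation(C, inner, () => {
    base.finally(() => inner);
  });
}

// Pre-fix shape: a brand-new capability resolved with the thenable result. That
// costs one construction for the capability, one for its .then(), and a
// NewPromiseResolveThenableJob that calls inner.then(resolve, reject).
function naiveThenFinally(C, onFinally, value) {
  const result = onFinally();
  const capability = new C((resolve) => resolve(result));
  return capability.then(() => value);
}

function naiveFinally() {
  const C = makeTrackedPromise();
  const inner = new C((resolve) => resolve('inner'));
  const base = C.resolve('base');
  return observeThenInvocation(C, inner, () => {
    base.then((value) => naiveThenFinally(C, () => inner, value));
  });
}

// Runs both strategies one after the other and resolves with their observations.
function compareFinallyStrategies() {
  return specFinally().then((spec) => naiveFinally().then((naive) => ({ spec, naive })));
}
```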
1702
1703 2020-09-10  Devin Rousso  <drousso@apple.com>
1704
1705         Web Inspector: modernize generated backend protocol code
1706         https://bugs.webkit.org/show_bug.cgi?id=216302
1707         <rdar://problem/68547649>
1708
1709         Reviewed by Brian Burg.
1710
1711         Previously, the inspector protocol was expressed in code in a somewhat confusing way:
1712          - the error string was the first argument
1713          - required parameters were `T` or `const T&`
1714          - optional parameters were `const T*`
1715          - enum parameters were the underlying type requiring the backend dispatcher handler to
1716            process it instead of it being preprocessed
1717          - required returns were `T&`
1718          - optional returns were `T*`
1719         This doesn't really make for easy/obvious reading of code since the order of arguments is
1720         not weird (e.g. error string first), and that there are references/pointers to primitive
1721         types.
1722
1723         This patch cleans up the generated inspector protocol code to be:
1724          - required parameters are `T` or `Ref<T>&&`
1725          - optional parameters are `Optional<T>&&` or `RefPtr<T>&&`
1726          - enum parameters are preprocessed and passed to the backend dispatcher handler if valid
1727          - synchronous commands return `Expected<X, ErrorString>` using the same types/rules above
1728            where `X` is either a single return or a `std::tuple` of multiple returns
1729
1730         The one exception to the above is `String`, which is already a tri-state of `nullString()`,
1731         `emptyString()`, and something set, so there's no need to use `Optional<String>`.
1732
1733         Also use `Protocol` objects/`typedefs` wherever possible to further relate the protocol
1734         JSON and the actual backend dispatcher handler implementation.
1735
1736         * inspector/scripts/codegen/generator.py:
1737         (Generator.generate_includes_from_entries):
1738         * inspector/scripts/codegen/cpp_generator_templates.py:
1739         * inspector/scripts/codegen/cpp_generator.py:
1740         (CppGenerator.helpers_namespace):
1741         (CppGenerator.cpp_getter_method_for_type):
1742         (CppGenerator.cpp_setter_method_for_type):
1743         (CppGenerator.cpp_protocol_type_for_type):
1744         (CppGenerator.cpp_type_for_type_member_argument): Added.
1745         (CppGenerator.cpp_type_for_command_parameter): Added.
1746         (CppGenerator.cpp_type_for_command_return_declaration): Added.
1747         (CppGenerator.cpp_type_for_command_return_argument): Added.
1748         (CppGenerator.cpp_type_for_event_parameter): Added.
1749         (CppGenerator.cpp_type_for_enum): Added.
1750         (CppGenerator.should_move_argument): Added.
1751         (CppGenerator.should_release_argument): Added.
1752         (CppGenerator.should_dereference_argument): Added.
1753         (CppGenerator.cpp_protocol_type_for_type_member): Deleted.
1754         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Deleted.
1755         (CppGenerator.cpp_type_for_checked_formal_event_parameter): Deleted.
1756         (CppGenerator.cpp_type_for_type_member): Deleted.
1757         (CppGenerator.cpp_type_for_type_with_name): Deleted.
1758         (CppGenerator.cpp_type_for_formal_out_parameter): Deleted.
1759         (CppGenerator.cpp_type_for_formal_async_parameter): Deleted.
1760         (CppGenerator.cpp_type_for_stack_in_parameter): Deleted.
1761         (CppGenerator.cpp_type_for_stack_out_parameter): Deleted.
1762         (CppGenerator.cpp_assertion_method_for_type_member): Deleted.
1763         (CppGenerator.cpp_assertion_method_for_type_member.assertion_method_for_type): Deleted.
1764         (CppGenerator.should_use_wrapper_for_return_type): Deleted.
1765         (CppGenerator.should_use_references_for_type): Deleted.
1766         (CppGenerator.should_pass_by_copy_for_return_type): Deleted.
1767         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
1768         (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
1769         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1770         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1771         (CppBackendDispatcherHeaderGenerator.generate_output):
1772         (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
1773         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1774         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1775         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1776         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1777         (CppBackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): Deleted.
1778         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1779         (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
1780         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1781         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1782         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1783         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1784         (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
1785         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
1786         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1787         (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
1788         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1789         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1790         (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
1791         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1792         (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
1793         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
1794         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
1795         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1796         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1797         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
1798         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1799         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command):
1800         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1801         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command.and):
1802         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command.in_param_expression):
1803         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1804         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1805         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1806         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1807         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1808         * inspector/scripts/codegen/objc_generator_templates.py:
1809         * inspector/scripts/codegen/objc_generator.py:
1810         (ObjCGenerator.protocol_type_for_type):
1811         (ObjCGenerator.objc_type_for_param_internal):
1812         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1813
1814         * inspector/protocol/Page.json:
1815         Now that enums are processed before being passed to backend dispatcher handlers, the
1816         `appearance` parameter of `Page.setForcedAppearance` must be marked `optional` as
1817         there's no way for it to accept an empty string, as that's not possible for an enum.
1818
1819         * inspector/agents/InspectorAgent.h:
1820         * inspector/agents/InspectorAgent.cpp:
1821         * inspector/agents/InspectorAuditAgent.h:
1822         * inspector/agents/InspectorAuditAgent.cpp:
1823         * inspector/agents/InspectorConsoleAgent.h:
1824         * inspector/agents/InspectorConsoleAgent.cpp:
1825         * inspector/agents/InspectorDebuggerAgent.h:
1826         * inspector/agents/InspectorDebuggerAgent.cpp:
1827         * inspector/agents/InspectorHeapAgent.h:
1828         * inspector/agents/InspectorHeapAgent.cpp:
1829         * inspector/agents/InspectorRuntimeAgent.h:
1830         * inspector/agents/InspectorRuntimeAgent.cpp:
1831         * inspector/agents/InspectorScriptProfilerAgent.h:
1832         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1833         * inspector/agents/InspectorTargetAgent.h:
1834         * inspector/agents/InspectorTargetAgent.cpp:
1835         * inspector/agents/JSGlobalObjectAuditAgent.h:
1836         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
1837         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1838         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1839         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1840         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1841         * inspector/JSGlobalObjectConsoleClient.cpp:
1842         * inspector/JSGlobalObjectInspectorController.cpp:
1843         Elided backend dispatcher handler changes described above.
1844
1845         * bindings/ScriptValue.cpp:
1846         (Inspector::jsToInspectorValue):
1847         * inspector/AsyncStackTrace.h:
1848         * inspector/AsyncStackTrace.cpp:
1849         (Inspector::AsyncStackTrace::buildInspectorObject const):
1850         * inspector/ConsoleMessage.cpp:
1851         (Inspector::ConsoleMessage::addToFrontend):
1852         * inspector/InjectedScriptBase.h:
1853         * inspector/InjectedScriptBase.cpp:
1854         (Inspector::InjectedScriptBase::makeEvalCall):
1855         (Inspector::InjectedScriptBase::checkCallResult):
1856         (Inspector::InjectedScriptBase::checkAsyncCallResult):
1857         * inspector/InjectedScript.h:
1858         * inspector/InjectedScript.cpp:
1859         (Inspector::InjectedScript::execute):
1860         (Inspector::InjectedScript::evaluate):
1861         (Inspector::InjectedScript::callFunctionOn):
1862         (Inspector::InjectedScript::evaluateOnCallFrame):
1863         (Inspector::InjectedScript::getFunctionDetails):
1864         (Inspector::InjectedScript::functionDetails):
1865         (Inspector::InjectedScript::getPreview):
1866         (Inspector::InjectedScript::getProperties):
1867         (Inspector::InjectedScript::getDisplayableProperties):
1868         (Inspector::InjectedScript::getInternalProperties):
1869         (Inspector::InjectedScript::getCollectionEntries):
1870         (Inspector::InjectedScript::saveResult):
1871         (Inspector::InjectedScript::wrapCallFrames const):
1872         (Inspector::InjectedScript::wrapObject const):
1873         (Inspector::InjectedScript::wrapJSONString const):
1874         (Inspector::InjectedScript::wrapTable const):
1875         (Inspector::InjectedScript::previewValue const):
1876         * inspector/InjectedScriptManager.cpp:
1877         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1878         * inspector/InspectorBackendDispatcher.h:
1879         * inspector/InspectorBackendDispatcher.cpp:
1880         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1881         (Inspector::BackendDispatcher::dispatch):
1882         (Inspector::BackendDispatcher::sendResponse):
1883         (Inspector::BackendDispatcher::getPropertyValue):
1884         (Inspector::BackendDispatcher::getBoolean):
1885         (Inspector::BackendDispatcher::getInteger):
1886         (Inspector::BackendDispatcher::getDouble):
1887         (Inspector::BackendDispatcher::getString):
1888         (Inspector::BackendDispatcher::getValue):
1889         (Inspector::BackendDispatcher::getObject):
1890         (Inspector::BackendDispatcher::getArray):
1891         (Inspector::castToInteger): Deleted.
1892         (Inspector::castToNumber): Deleted.
1893         * inspector/InspectorProtocolTypes.h:
1894         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
1895         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::assertValueHasExpectedType):
1896         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
1897         (Inspector::RemoteInspectorConnectionClient::extractEvent):
1898         * inspector/remote/socket/RemoteInspectorSocket.cpp:
1899         (Inspector::RemoteInspector::pushListingsNow):
1900         * runtime/TypeSet.cpp:
1901         (JSC::StructureShape::inspectorRepresentation):
1902         `JSON` classes now use `Ref&&` wherever possible and `Optional` instead of an out parameter
1903         for `get*`/`as*` so that values can be more easily manipulated and can be confidently known
1904         to exist.
1905
1906         * inspector/scripts/tests/enum-values.json:
1907         * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
1908         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1909         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1910         * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
1911         * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
1912         * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
1913         * inspector/scripts/tests/expected/domain-targetTypes.json-result:
1914         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1915         * inspector/scripts/tests/expected/enum-values.json-result:
1916         * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
1917         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1918         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1919         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1920         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1921         * inspector/scripts/tests/expected/should-strip-comments.json-result:
1922         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1923         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1924         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1925         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1926         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1927         * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
1928         * inspector/scripts/tests/expected/version.json-result:
1929
1930 2020-09-09  Saam Barati  <sbarati@apple.com>
1931
1932         OutOfBoundsSaneChain operations should use their own heap locations
1933         https://bugs.webkit.org/show_bug.cgi?id=216328
1934         <rdar://problem/68568039>
1935
1936         Reviewed by Keith Miller.
1937
1938         There is code in local CSE that does some basic bounds check elimination
1939         for PutByVal. It does this analysis by seeing if a particular heap location
1940         is already defined, and if so, it eliminates the bounds check for the
1941         PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason
1942         that these GetByVals are not proven to be in bounds. So GetByVals in the
1943         OutOfBoundsSaneChain mode reusing non-OutOfBoundsSaneChain heap locations
1944         can lead to a bug where we mistakenly remove a bounds check. The fix is to
1945         have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to
1946         not query those heaps.
1947
1948         * dfg/DFGArrayMode.h:
1949         (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted.
1950         * dfg/DFGClobberize.h:
1951         (JSC::DFG::clobberize):
1952         * dfg/DFGHeapLocation.cpp:
1953         (WTF::printInternal):
1954         * dfg/DFGHeapLocation.h:
1955
1956 2020-09-09  Keith Miller  <keith_miller@apple.com>
1957
1958         BigInt should PACCage its data pointer
1959         https://bugs.webkit.org/show_bug.cgi?id=216319
1960
1961         Reviewed by Yusuke Suzuki.
1962
1963         * runtime/JSBigInt.h:
1964
1965 2020-09-09  Alexey Shvayka  <shvaikalesh@gmail.com>
1966
1967         Don't emitDirectBinding() if there is a [...rest] element binding
1968         https://bugs.webkit.org/show_bug.cgi?id=216228
1969
1970         Reviewed by Darin Adler.
1971
1972         emitDirectBinding() is up for removal due to not respecting an overridden or removed
1973         Array.prototype[Symbol.iterator]. However, dropping it slows down the popular swap pattern
1974         `[a, b] = [b, a]` by 40% with DFG/FTL, and by a factor of 6 with baseline JIT only.
1975
1976         Until we figure out the best way to preserve common case performance, this patch
1977         prevents `let [...rest] = [1]` from ending up as a number instead of an array,
1978         aligning JSC with V8 and SpiderMonkey.
1979
1980         * bytecompiler/NodesCodegen.cpp:
1981         (JSC::ArrayPatternNode::emitDirectBinding):
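
Added example, not part of this ChangeLog or of JSC: array destructuring is specified in terms of the iterator protocol, so a replaced Array.prototype[Symbol.iterator] must be observed by both the swap pattern and a `[...rest]` binding; a direct-binding fast path that indexes the array would miss the override. The tracking iterator and the inputs are constructed for this example.

```javascript
// Added example (not JSC code): replace Array.prototype[Symbol.iterator] with a
// counting wrapper and check that destructuring goes through it. Per the spec,
// [a, b] = [b, a] and let [...rest] = [1] each call the iterator exactly once,
// and the rest binding must be an array (the number 1 would be a bug).
function destructureWithTrackedIterator() {
  const original = Array.prototype[Symbol.iterator];
  let iteratorCalls = 0;
  // Constructed replacement: counts invocations, otherwise defers to the built-in.
  Array.prototype[Symbol.iterator] = function trackedIterator() {
    iteratorCalls += 1;
    return original.call(this);
  };
  try {
    let a = 1;
    let b = 2;
    [a, b] = [b, a];          // the swap pattern mentioned in the entry
    let [...rest] = [1];      // must produce an array, not the number 1
    return { a, b, rest, restIsArray: Array.isArray(rest), iteratorCalls };
  } finally {
    Array.prototype[Symbol.iterator] = original; // always restore global state
  }
}
```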
1982
1983 2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>
1984
1985         [JSC] returnEarlyFromInfiniteLoopsForFuzzing should return object
1986         https://bugs.webkit.org/show_bug.cgi?id=216289
1987         <rdar://problem/68496533>
1988
1989         Reviewed by Saam Barati.
1990
1991         When returning early with returnEarlyFromInfiniteLoopsForFuzzing, we are returning undefined.
1992         But this is wrong when the callee is a constructor, since a constructor is strongly assumed to return an object.
1993         We should return some object from returnEarlyFromInfiniteLoopsForFuzzing. In this patch, we return the global object
1994         associated with this callee instead of undefined.
1995
1996         * bytecode/CodeBlock.cpp:
1997         (JSC::CodeBlock::finishCreation):
1998         (JSC::CodeBlock::~CodeBlock):
1999         * dfg/DFGSpeculativeJIT64.cpp:
2000         (JSC::DFG::SpeculativeJIT::compile):
2001         * ftl/FTLLowerDFGToB3.cpp:
2002         (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
2003         * jit/JITOpcodes.cpp:
2004         (JSC::JIT::emit_op_loop_hint):
2005         * llint/LowLevelInterpreter64.asm:
2006
2007 2020-09-08  Saam Barati  <sbarati@apple.com>
2008
2009         re-enable TCSM on all OSs
2010         https://bugs.webkit.org/show_bug.cgi?id=216281
2011
2012         Reviewed by Tadeu Zagallo.
2013
2014         * runtime/Options.cpp:
2015         (JSC::defaultTCSMValue):
2016
2017 2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>
2018
2019         [JSC] Special property caching should check Structure's cacheability
2020         https://bugs.webkit.org/show_bug.cgi?id=216222
2021
2022         Reviewed by Saam Barati.
2023
2024         While StructureRareData::cacheSpecialPropertySlow caches properties, the approach it takes is incomplete.
2025         It is not checking the Structure's cacheability. We were caching the miss condition even if the structure is !propertyAccessesAreCacheableForAbsence.
2026         We should perform the same check done in the IC case. Strictly speaking, we can cache the value for an uncacheable dictionary because we are setting a
2027         property change watchpoint (which will fire). But it does not sound so profitable if this structure is uncacheable.
2028
2029         * runtime/JSObject.cpp:
2030         (JSC::JSObject::convertToUncacheableDictionary):
2031         * runtime/JSObject.h:
2032         * runtime/StructureRareData.cpp:
2033         (JSC::StructureRareData::cacheSpecialPropertySlow):
2034         * tools/JSDollarVM.cpp:
2035         (JSC::functionToUncacheableDictionary):
2036         (JSC::JSDollarVM::finishCreation):
2037
2038 2020-09-07  Joonghun Park  <jh718.park@samsung.com>
2039
2040         Unreviewed. Remove the build warning below since r266567.
2041         warning: parameter ‘hint’ set but not used [-Wunused-but-set-parameter]
2042
2043         * runtime/JSObject.cpp:
2044         (JSC::callToPrimitiveFunction):
2045
2046 2020-09-06  Darin Adler  <darin@apple.com>
2047
2048         TextCodec refinements
2049         https://bugs.webkit.org/show_bug.cgi?id=216219
2050
2051         Reviewed by Sam Weinig.
2052
2053         * parser/Lexer.h:
2054         (JSC::Lexer<UChar>::isWhiteSpace): Use byteOrderMark constant.
2055
2056 2020-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
2057
2058         Unreviewed, suppress exception checking after unwrapForOldFunctions
2059         https://bugs.webkit.org/show_bug.cgi?id=216193
2060
2061         * runtime/IntlNumberFormatPrototype.cpp:
2062         (JSC::IntlNumberFormatPrototypeGetterFormat):
2063         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2064
2065 2020-09-05  Devin Rousso  <drousso@apple.com>
2066
2067         Web Inspector: allow DOM breakpoints to be configured
2068         https://bugs.webkit.org/show_bug.cgi?id=215795
2069
2070         Reviewed by Brian Burg.
2071
2072         * inspector/protocol/DOMDebugger.json:
2073         Add an `options` parameter to `DOMDebugger.setDOMBreakpoint` to allow configuration.
2074
2075 2020-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
2076
2077         [JSC] Align legacy Intl constructor behavior to spec
2078         https://bugs.webkit.org/show_bug.cgi?id=216193
2079
2080         Reviewed by Darin Adler.
2081
2082         Legacy Intl constructors (Intl.DateTimeFormat and Intl.NumberFormat) have special handling when they are called via the `Intl.DateTimeFormat()` form.
2083         This allowed legacy Intl constructors to be used with prototype-based inheritance without using class syntax. This legacy behavior was later specified
2084         explicitly in the spec, so we should align our implementation with the spec.
2085
2086             1. When defining fallback formats, we need to put them into the property that is visible via Symbol("IntlLegacyConstructedSymbol").
2087             2. Even if the provided thisValue is an IntlDateTimeFormat* / IntlNumberFormat*, we should create another instance and put it into the Symbol("IntlLegacyConstructedSymbol") field.
2088
2089         * JavaScriptCore.xcodeproj/project.pbxproj:
2090         * builtins/BuiltinNames.cpp:
2091         (JSC::BuiltinNames::BuiltinNames):
2092         * builtins/BuiltinNames.h:
2093         (JSC::BuiltinNames::intlLegacyConstructedSymbol const):
2094         * runtime/CommonIdentifiers.h:
2095         * runtime/IntlDateTimeFormat.h:
2096         * runtime/IntlDateTimeFormatConstructor.cpp:
2097         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2098         (JSC::callIntlDateTimeFormat):
2099         * runtime/IntlDateTimeFormatInlines.h: Added.
2100         (JSC::IntlDateTimeFormat::unwrapForOldFunctions):
2101         * runtime/IntlDateTimeFormatPrototype.cpp:
2102         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2103         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2104         (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
2105         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2106         * runtime/IntlNumberFormat.h:
2107         * runtime/IntlNumberFormatConstructor.cpp:
2108         (JSC::IntlNumberFormatConstructor::finishCreation):
2109         (JSC::callIntlNumberFormat):
2110         * runtime/IntlNumberFormatInlines.h:
2111         (JSC::IntlNumberFormat::unwrapForOldFunctions):
2112         * runtime/IntlNumberFormatPrototype.cpp:
2113         (JSC::IntlNumberFormatPrototypeGetterFormat):
2114         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2115         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2116         * runtime/IntlObject.cpp:
2117         (JSC::createDateTimeFormatConstructor):
2118         (JSC::createNumberFormatConstructor):
2119         * runtime/IntlObjectInlines.h:
2120         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2121         (JSC::unwrapForLegacyIntlConstructor):
2122         * runtime/JSGlobalObject.cpp:
2123         (JSC::JSGlobalObject::init):
2124         (JSC::JSGlobalObject::visitChildren):
2125         * runtime/JSGlobalObject.h:
2126         (JSC::JSGlobalObject::dateTimeFormatConstructor):
2127         (JSC::JSGlobalObject::dateTimeFormatPrototype):
2128         (JSC::JSGlobalObject::numberFormatConstructor):
2129         (JSC::JSGlobalObject::numberFormatPrototype):
2130
2131 2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2132
2133         Array.prototype.push should always perform [[Set]] in strict mode
2134         https://bugs.webkit.org/show_bug.cgi?id=216121
2135
2136         Unreviewed, address Darin's feedback on r266581.
2137
2138         * runtime/ArrayPrototype.cpp:
2139         (JSC::arrayProtoFuncPush): Remove unnecessary static_cast<uint64_t>.
2140
2141 2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2142
2143         Array.prototype.push should always perform [[Set]] in strict mode
2144         https://bugs.webkit.org/show_bug.cgi?id=216121
2145
2146         Reviewed by Darin Adler.
2147
2148         This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
2149         index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
2150         and SpiderMonkey. It also refactors the method to leverage putByIndexInline().
2151
2152         Array.prototype.push microbenchmarks, including varargs tests, are neutral.
2153
2154         [1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)
2155
2156         * runtime/ArrayPrototype.cpp:
2157         (JSC::arrayProtoFuncPush):
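
Added example, not part of this ChangeLog or of JSC: Array.prototype.push is generic, so it can be applied to an array-like whose length already exceeds UINT32_MAX. Spec step 5.b performs Set(O, key, value, true), so a put that fails (here: on a frozen object) must surface as a TypeError rather than being silently dropped. The array-like objects are constructed for this example.

```javascript
// Added example (not JSC code): push one element onto an array-like whose
// next index is 0x100000000, i.e. beyond UINT32_MAX and outside the array
// index range. On an ordinary object the put succeeds and length grows; on a
// frozen object the put fails and, because push uses Set(..., true), a
// TypeError must be thrown.
const UINT32_MAX = 0xFFFFFFFF;

function pushBeyondUint32Max(frozen) {
  const arrayLike = { length: UINT32_MAX + 1 }; // constructed; next index is 2^32
  if (frozen) {
    Object.freeze(arrayLike); // makes the put of the new index fail
  }
  try {
    const newLength = Array.prototype.push.call(arrayLike, 'x');
    return { error: null, newLength, stored: arrayLike[UINT32_MAX + 1] };
  } catch (e) {
    return { error: e.constructor.name, newLength: arrayLike.length, stored: arrayLike[UINT32_MAX + 1] };
  }
}
```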
2158
2159 2020-09-03  Carlos Garcia Campos  <cgarcia@igalia.com>
2160
2161         Unreviewed. [GLIB] Add missing return
2162
2163         There's no change in behavior because jsObjectCall() returns undefined in case of failure, but this fixes a memory leak.
2164
2165         * API/glib/JSCValue.cpp:
2166         (jsc_value_object_invoke_methodv):
2167
2168 2020-09-02  Yusuke Suzuki  <ysuzuki@apple.com>
2169
2170         [JSC] Cache toString / valueOf / @@toPrimitive for major cases
2171         https://bugs.webkit.org/show_bug.cgi?id=216061
2172
2173         Reviewed by Saam Barati.
2174
2175         When toPrimitive is called, we need to look up three properties at most to perform the operation. And these special properties have no caching mechanism at all.
2176         We found that Speedometer2/EmberJS-Debug-TodoMVC spends a lot of time on this property look-up. We should have a caching mechanism in StructureRareData, which
2177         should be similar to the @@toStringTag & Object#toString caching mechanism.
2178
2179         This patch generalizes the @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in
2180         toPrimitive with this caching mechanism.
2181
2182         This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%.
2183
2184         * JavaScriptCore.xcodeproj/project.pbxproj:
2185         * Sources.txt:
2186         * bytecode/Watchpoint.cpp:
2187         * bytecode/Watchpoint.h:
2188         * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp.
2189         (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint):
2190         (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
2191         (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal):
2192         * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h.
2193         * runtime/JSGlobalObject.cpp:
2194         (JSC::JSGlobalObject::init):
2195         (JSC::JSGlobalObject::visitChildren):
2196         * runtime/JSGlobalObject.h:
2197         (JSC::JSGlobalObject::objectProtoToStringFunction const):
2198         * runtime/JSObject.cpp:
2199         (JSC::callToPrimitiveFunction):
2200         (JSC::JSObject::ordinaryToPrimitive const):
2201         (JSC::JSObject::toPrimitive const):
2202         * runtime/ObjectPrototype.cpp:
2203         (JSC::ObjectPrototype::finishCreation):
2204         (JSC::objectProtoFuncToString):
2205         * runtime/Structure.h:
2206         * runtime/StructureInlines.h:
2207         (JSC::Structure::cacheSpecialProperty):
2208         (JSC::Structure::setObjectToStringValue): Deleted.
2209         * runtime/StructureRareData.cpp:
2210         (JSC::StructureRareData::visitChildren):
2211         (JSC::StructureRareData::ensureSpecialPropertyCacheSlow):
2212         (JSC::StructureRareData::giveUpOnSpecialPropertyCache):
2213         (JSC::StructureRareData::cacheSpecialPropertySlow):
2214         (JSC::StructureRareData::clearCachedSpecialProperty):
2215         (JSC::StructureRareData::finalizeUnconditionally):
2216         (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint):
2217         (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const):
2218         (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire):
2219         (JSC::StructureRareData::setObjectToStringValue): Deleted.
2220         (JSC::StructureRareData::clearObjectToStringValue): Deleted.
2221         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted.
2222         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted.
2223         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted.
2224         * runtime/StructureRareData.h:
2225         * runtime/StructureRareDataInlines.h:
2226         (JSC::StructureRareData::cachedSpecialProperty const):
2227         (JSC::StructureRareData::canCacheSpecialProperty):
2228         (JSC::StructureRareData::ensureSpecialPropertyCache):
2229         (JSC::StructureRareData::cacheSpecialProperty):
2230         (JSC::StructureRareData::objectToStringValue const): Deleted.
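
Added example, not part of this ChangeLog or of JSC: it logs every property read the engine performs while converting an object to a primitive, which is the lookup sequence the entry wants to cache. The Proxy probe is constructed for this example; its own toString returns a primitive so conversion stops there (with Object.prototype.toString instead, the engine would additionally read @@toStringTag, the other special property mentioned above).

```javascript
// Added example (not JSC code): ToPrimitive first reads @@toPrimitive; if it is
// undefined, OrdinaryToPrimitive reads valueOf and toString in an order that
// depends on the hint and stops at the first callable that returns a primitive.
// That is at most three property lookups per conversion.
function recordToPrimitiveLookups(hint) {
  const reads = [];
  const probe = new Proxy(
    { toString() { return 'probe'; } }, // constructed target
    {
      get(target, key, receiver) {
        reads.push(typeof key === 'symbol' ? key.description : key);
        return Reflect.get(target, key, receiver);
      },
    },
  );
  switch (hint) {
    case 'string':
      String(probe);     // hint "string": @@toPrimitive, toString
      break;
    case 'number':
      Number(probe);     // hint "number": @@toPrimitive, valueOf, toString
      break;
    default:
      void (probe + ''); // hint "default" (binary +): same order as "number"
  }
  return reads;
}
```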
2231
2232 2020-09-03  Saam Barati  <sbarati@apple.com>
2233
2234         Sampling profiler should dump hash as part of the top function key to prevent incorrectly grouping nameless functions together
2235         https://bugs.webkit.org/show_bug.cgi?id=216087
2236
2237         Reviewed by Tadeu Zagallo.
2238
2239         * runtime/SamplingProfiler.cpp:
2240         (JSC::SamplingProfiler::reportTopFunctions):
2241
2242 2020-09-03  Devin Rousso  <drousso@apple.com>
2243
2244         Web Inspector: allow url breakpoints to be configured
2245         https://bugs.webkit.org/show_bug.cgi?id=215793
2246
2247         Reviewed by Brian Burg.
2248
2249         * inspector/protocol/DOMDebugger.json:
2250         Add an `options` parameter to `DOMDebugger.setURLBreakpoint` to allow configuration.
2251         Add an `isRegex` parameter to `DOMDebugger.removeURLBreakpoint` so that we know what
2252         type of URL breakpoint is being removed.
2253
2254 2020-09-03  Devin Rousso  <drousso@apple.com>
2255
2256         Web Inspector: allow special JavaScript breakpoints to be configured
2257         https://bugs.webkit.org/show_bug.cgi?id=215794
2258
2259         Reviewed by Brian Burg.
2260
2261         * inspector/protocol/Debugger.json:
2262         Add an `options` parameter to the following commands for configuring the related breakpoint:
2263          - `Debugger.setPauseOnDebuggerStatements`
2264          - `Debugger.setPauseOnExceptions`
2265          - `Debugger.setPauseOnAssertions`
2266          - `Debugger.setPauseOnMicrotasks`
2267
2268         * debugger/Debugger.h:
2269         (JSC::Debugger::needsExceptionCallbacks const):
2270         (JSC::Debugger::pauseOnAllExceptionsBreakpoint const): Added.
2271         (JSC::Debugger::setPauseOnAllExceptionsBreakpoint): Added.
2272         (JSC::Debugger::pauseOnUncaughtExceptionsBreakpoint const): Added.
2273         (JSC::Debugger::setPauseOnUncaughtExceptionsBreakpoint): Added.
2274         (JSC::Debugger::setPauseOnDebuggerStatementsBreakpoint): Added.
2275         (JSC::Debugger::pauseOnExceptionsState const): Deleted.
2276         (JSC::Debugger::setPauseOnDebuggerStatements): Deleted.
2277         * debugger/Debugger.cpp:
2278         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::TemporarilyDisableExceptionBreakpoints): Added.
2279         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::~TemporarilyDisableExceptionBreakpoints): Added.
2280         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::replace): Added.
2281         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::restore): Added.
2282         (JSC::Debugger::Debugger):
2283         (JSC::Debugger::breakProgram):
2284         (JSC::Debugger::exception):
2285         (JSC::Debugger::didReachDebuggerStatement):
2286         (JSC::Debugger::setPauseOnExceptionsState): Deleted.
2287         Add `JSC::Breakpoint` member variables for the Debugger Statements and Exceptions
2288         breakpoints. Split the Exceptions breakpoint into two `JSC::Breakpoint` now that
2289         All Exceptions and Uncaught Exceptions can be independently configured (the All
2290         Exceptions breakpoint still takes precedence).
2291
2292         * debugger/DebuggerCallFrame.h:
2293         * debugger/DebuggerCallFrame.cpp:
2294         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2295         If there is no `CallFrame`, climb the backtrace until the first valid `CallFrame` is reached.
2296         This is needed when pausing in native code, such as for assertions/exceptions.
2297
2298         * debugger/Breakpoint.h:
2299         Export `JSC::Breakpoint::create` so that other parts of WebKit can create breakpoints.
2300
2301         * inspector/agents/InspectorDebuggerAgent.h:
2302         * inspector/agents/InspectorDebuggerAgent.cpp:
2303         (Inspector::InspectorDebuggerAgent::disable):
2304         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2305         (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements):
2306         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
2307         (Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
2308         (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks):
2309         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2310         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2311         (Inspector::InspectorDebuggerAgent::willRunMicrotask):
2312         (Inspector::InspectorDebuggerAgent::didRunMicrotask):
2313         (Inspector::InspectorDebuggerAgent::breakProgram):
2314         Add `JSC::Breakpoint` member variables for the Assertion Failures and All Microtasks
2315         breakpoints. Pass them to the `JSC::Debugger` when they are hit.
2316
2317         * inspector/agents/InspectorAuditAgent.cpp:
2318         (Inspector::InspectorAuditAgent::run):
2319         * inspector/agents/InspectorRuntimeAgent.cpp:
2320         (Inspector::InspectorRuntimeAgent::evaluate):
2321         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2322         (Inspector::InspectorRuntimeAgent::getPreview):
2323         (Inspector::InspectorRuntimeAgent::getProperties):
2324         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2325         (Inspector::setPauseOnExceptionsState): Deleted.
2326         Use `TemporarilyDisableExceptionBreakpoints` to save, override, and restore the exceptions
2327         breakpoints now that they've been separated into two `JSC::Breakpoint` instead of an `enum`.
2328
2329 2020-09-03  Keith Miller  <keith_miller@apple.com>
2330
2331         Finish comment describing the various *Stack SSA nodes in DFG
2332         https://bugs.webkit.org/show_bug.cgi?id=216110
2333
2334         Reviewed by Sam Weinig.
2335
2336         * dfg/DFGNodeType.h:
2337
2338 2020-09-03  David Kilzer  <ddkilzer@apple.com>
2339
2340         AbstractMacroAssembler::Jump class has uninitialized instance variables
2341         <https://webkit.org/b/216082>
2342
2343         Reviewed by Michael Saboff.
2344
2345         * assembler/AbstractMacroAssembler.h:
2346         (JSC::AbstractMacroAssembler::Jump):
2347         - Switch to default constructor syntax.
2348         - Provide defaults for instance variables.
2349
2350 2020-09-03  Ross Kirsling  <ross.kirsling@sony.com>
2351
2352         [JSC] Add missing detached buffer errors for DataView
2353         https://bugs.webkit.org/show_bug.cgi?id=216062
2354
2355         Reviewed by Yusuke Suzuki.
2356
2357         DataView methods are often expected to throw a TypeError if the underlying ArrayBuffer is detached
2358         (or neutered, in older terminology) -- this patch adds a slew of missing cases from the following spec section:
2359           - https://tc39.es/ecma262/#sec-properties-of-the-dataview-prototype-object
2360
2361         At the same time:
2362          - get rid of JSDataView::getOwnPropertySlot, which was turning dataViewProtoGetterByte{Length,Offset}
2363            into mostly unreachable code and erroneously causing byte{Length,Offset} to have property descriptors
2364          - perform some simple cleanup of neighboring error calls / messages
2365          - fix value of DataView.length (our only other DataView spec bug)
2366
2367         * runtime/JSDataView.cpp:
2368         (JSC::JSDataView::create):
2369         (JSC::JSDataView::getOwnPropertySlot): Deleted.
2370         * runtime/JSDataView.h:
2371         * runtime/JSDataViewPrototype.cpp:
2372         (JSC::getData):
2373         (JSC::setData):
2374         (JSC::dataViewProtoGetterByteLength):
2375         (JSC::dataViewProtoGetterByteOffset):
2376         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2377         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2378
2379 2020-09-02  Michael Saboff  <msaboff@apple.com>
2380
2381         ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
2382         https://bugs.webkit.org/show_bug.cgi?id=216103
2383
2384         Reviewed by Saam Barati.
2385
2386         Changed the ASSERT to an if statement. This checks whether the (likely newly changed)
2387         property is still a custom getter setter before caching its access as such.
2388
2389         * bytecode/ObjectPropertyConditionSet.cpp:
2390         (JSC::generateConditionsForPrototypePropertyHitCustom):
2391         * tools/JSDollarVM.cpp: Added test helper function.
2392
2393 2020-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2394
2395         Skip fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html if Gigacage is not enabled
2396         https://bugs.webkit.org/show_bug.cgi?id=216043
2397         <rdar://problem/66394369>
2398
2399         Reviewed by Mark Lam.
2400
2401         * tools/JSDollarVM.cpp:
2402         (JSC::functionIsGigacageEnabled):
2403         (JSC::JSDollarVM::finishCreation):
2404
2405 2020-08-31  Mark Lam  <mark.lam@apple.com>
2406
2407         Remove some PtrTag debugging code from release builds.
2408         https://bugs.webkit.org/show_bug.cgi?id=216025
2409         <rdar://problem/68098263>
2410
2411         Reviewed by Saam Barati.
2412
2413         Removed PtrTag name lookup debugging utility from release builds.
2414
2415         * runtime/JSCPtrTag.cpp:
2416         * runtime/JSCPtrTag.h:
2417
2418 2020-09-01  Carlos Garcia Campos  <cgarcia@igalia.com>
2419
2420         [Linux] Web Inspector: show per thread cpu usage
2421         https://bugs.webkit.org/show_bug.cgi?id=215883
2422
2423         Reviewed by Adrian Perez de Castro.
2424
2425         Remove platform specific getter machThread() and add thread() to return the Thread instead. The caller knows how
2426         to get the machThread or id from a Thread.
2427
2428         * runtime/SamplingProfiler.cpp:
2429         (JSC::SamplingProfiler::reportTopBytecodes):
2430         (JSC::SamplingProfiler::machThread): Deleted.
2431         * runtime/SamplingProfiler.h:
2432         (JSC::SamplingProfiler::thread):
2433
2434 2020-08-31  Yusuke Suzuki  <ysuzuki@apple.com>
2435
2436         [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction
2437         https://bugs.webkit.org/show_bug.cgi?id=215987
2438         <rdar://problem/66370323>
2439
2440         Reviewed by Mark Lam.
2441
2442         We had a race condition between the construction of StructureStubInfo and the setting of its CodeOrigin field.
2443
2444             1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin.
2445             2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock.
2446             3. Before (2) is executed, DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates HashMap<CodeOrigin, StructureStubInfo*>.
2447             4. Since StructureStubInfo*'s codeOrigin is not configured yet, (3) sees an invalid CodeOrigin. And storing an invalid CodeOrigin as a HashMap key is not correct.
2448
2449         We should configure the CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them.
2450         To reproduce this, we need to execute a script repeatedly for ~2 days, so it is difficult to add a test.
2451
2452         * bytecode/AccessCase.cpp:
2453         (JSC::AccessCase::generateImpl):
2454         * bytecode/ByValInfo.h:
2455         (JSC::ByValInfo::ByValInfo):
2456         (JSC::ByValInfo::setUp):
2457         * bytecode/CallLinkInfo.cpp:
2458         (JSC::CallLinkInfo::CallLinkInfo):
2459         * bytecode/CallLinkInfo.h:
2460         (JSC::CallLinkInfo::setUpCall):
2461         (JSC::CallLinkInfo::setCodeOrigin): Deleted.
2462         * bytecode/CodeBlock.cpp:
2463         (JSC::CodeBlock::addStubInfo):
2464         (JSC::CodeBlock::addByValInfo):
2465         (JSC::CodeBlock::addCallLinkInfo):
2466         * bytecode/CodeBlock.h:
2467         * bytecode/StructureStubInfo.cpp:
2468         (JSC::StructureStubInfo::StructureStubInfo):
2469         * bytecode/StructureStubInfo.h:
2470         * dfg/DFGSpeculativeJIT32_64.cpp:
2471         (JSC::DFG::SpeculativeJIT::emitCall):
2472         * dfg/DFGSpeculativeJIT64.cpp:
2473         (JSC::DFG::SpeculativeJIT::emitCall):
2474         * ftl/FTLLowerDFGToB3.cpp:
2475         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2476         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2477         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2478         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2479         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2480         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2481         * jit/JIT.cpp:
2482         (JSC::JIT::link):
2483         * jit/JITCall.cpp:
2484         (JSC::JIT::compileCallEvalSlowCase):
2485         (JSC::JIT::compileOpCall):
2486         * jit/JITCall32_64.cpp:
2487         (JSC::JIT::compileCallEvalSlowCase):
2488         (JSC::JIT::compileOpCall):
2489         * jit/JITInlineCacheGenerator.cpp:
2490         (JSC::garbageStubInfo):
2491         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2492         * jit/JITOpcodes.cpp:
2493         (JSC::JIT::emit_op_has_indexed_property):
2494         * jit/JITOpcodes32_64.cpp:
2495         (JSC::JIT::emit_op_has_indexed_property):
2496         * jit/JITPropertyAccess.cpp:
2497         (JSC::JIT::emit_op_put_by_val):
2498         * jit/JITPropertyAccess32_64.cpp:
2499         (JSC::JIT::emit_op_put_by_val):
2500         * wasm/js/WasmToJS.cpp:
2501         (JSC::Wasm::wasmToJS):
2502
2503 2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2504
2505         [JSC] @defaultPromiseThen fast path should check species constructor
2506         https://bugs.webkit.org/show_bug.cgi?id=215996
2507
2508         Reviewed by Ross Kirsling.
2509
2510         When executing the @defaultPromiseThen fast path, we assumed that this execution is not observable.
2511         This is wrong only for the species constructor part: this @@species access & derived constructor calls
2512         can be observable. In this patch,
2513
2514             1. We extract part of Promise#then as @performPromiseThen, which corresponds to the spec's PerformPromiseThen.
2515             2. In promise fast path, we check @speciesConstructor is @Promise or @InternalPromise. If it is not, then we go to the slow path.
2516
2517         This fixes Promise#finally failures in test262.
2518
2519         * builtins/PromiseOperations.js:
2520         (globalPrivate.promiseResolveThenableJobFast):
2521         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
2522         (globalPrivate.promiseResolveThenableJobWithDerivedPromise):
2523         (onFulfilled):
2524         (onRejected):
2525         (globalPrivate.performPromiseThen):
2526         * builtins/PromisePrototype.js:
2527         (then):
2528         (onFulfilled): Deleted.
2529         (onRejected): Deleted.
2530
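The observability the entry above describes, as an added example that is not part of the ChangeLog or of JSC's code: a Promise subclass that logs its constructor and its @@species getter shows that `then()` performs the species lookup and the derived construction synchronously, which is why a fast path may only skip them when the species constructor is the intrinsic Promise. Class and function names are made up for the example.

```javascript
// Added example, not JSC code: Promise.prototype.then consults
// this.constructor[Symbol.species] before creating the derived promise, so a
// fast path that skipped the lookup for a subclass would be observable.
function observeSpeciesOnThen() {
  const log = [];
  class LoggingPromise extends Promise {
    constructor(executor) {
      log.push('construct');          // every NewPromiseCapability(C) lands here
      super(executor);
    }
    static get [Symbol.species]() {
      log.push('species-get');        // SpeciesConstructor reads C[@@species]
      return LoggingPromise;
    }
  }
  const p = new LoggingPromise(resolve => resolve(1));   // logs 'construct'
  // then() runs SpeciesConstructor(p, %Promise%) synchronously: it reads
  // p.constructor, then LoggingPromise[Symbol.species], then constructs it.
  const derived = p.then(v => v);
  return { log, derivedIsSubclass: derived instanceof LoggingPromise };
}

// When the species lookup yields the intrinsic Promise, the derived promise is
// a plain Promise; that is the case the entry's fast path keeps.
function speciesRedirectedToBasePromise() {
  class Quiet extends Promise {
    static get [Symbol.species]() { return Promise; }
  }
  const derived = new Quiet(resolve => resolve(0)).then(v => v);
  return derived.constructor === Promise && !(derived instanceof Quiet);
}
```

Running `observeSpeciesOnThen()` yields the log `construct, species-get, construct`: one construction for the original promise, then the species read and a second construction triggered by `then()`.
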
2531 2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2532
2533         [JSC] Use -2 for grouping options in IntlRelativeTimeFormat
2534         https://bugs.webkit.org/show_bug.cgi?id=215984
2535
2536         Reviewed by Ross Kirsling.
2537
2538         Several test262 tests are failing after ICU 67. This is because Intl.RelativeTimeFormat is not using the locale-sensitive grouping option.
2539         There is a hidden option -2 for UNumberFormat. It has been supported for a long time, but it is not explicitly documented. After ICU 68, it is exposed as a constant.
2540         We should pass -2 to UNumberFormat's grouping options to use the locale-sensitive grouping option here.
2541
2542         * runtime/IntlRelativeTimeFormat.cpp:
2543         (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
2544
2545 2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2546
2547         [JSC] async function cannot appear in single-statement context
2548         https://bugs.webkit.org/show_bug.cgi?id=215993
2549
2550         Reviewed by Darin Adler.
2551
2552         The following code is a syntax error[1] because ExpressionStatement has an `async [no LineTerminator here] function` lookahead.
2553
2554             if (false)
2555                 async function t() { }
2556
2557         [1]: https://tc39.es/ecma262/#sec-expression-statement
2558
2559         * parser/Parser.cpp:
2560         (JSC::Parser<LexerType>::parseStatement):
2561         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): Deleted.
2562         * parser/Parser.h:
2563
2564 2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2565
2566         [JSC] `let [` sequence cannot appear in ExpressionStatement context
2567         https://bugs.webkit.org/show_bug.cgi?id=215977
2568
2569         Reviewed by Ross Kirsling.
2570
2571         Because of the ambiguity between destructuring assignment and member access (let IDENTIFIER), ECMA262 does not allow the `let [` sequence in an ExpressionStatement context[1].
2572         We should throw a SyntaxError when we see something like this.
2573
2574             if (false)
2575                 let [ok] = [42];
2576
2577         [1]: https://tc39.es/ecma262/#sec-expression-statement
2578
2579         * parser/Parser.cpp:
2580         (JSC::Parser<LexerType>::parseStatement):
2581
2582 2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2583
2584         [JSC] for-of uses AssignmentExpression while for-in uses Expression
2585         https://bugs.webkit.org/show_bug.cgi?id=215975
2586
2587         Reviewed by Ross Kirsling.
2588
2589         While for-in uses Expression, for-of and for-await-of use AssignmentExpression which does not accept comma-expression.
2590         We should align our implementation to that.
2591
2592             for (LeftHandSideExpression in Expression) Statement
2593             for (LeftHandSideExpression of AssignmentExpression) Statement
2594             for await(LeftHandSideExpression of AssignmentExpression) Statement
2595
2596         * parser/Parser.cpp:
2597         (JSC::Parser<LexerType>::parseForStatement):
2598
2599 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2600
2601         [JSC] for-of / for-in left-hand-side target should be simple-assignment-target
2602         https://bugs.webkit.org/show_bug.cgi?id=215969
2603
2604         Reviewed by Ross Kirsling.
2605
2606         The left-hand side of `for-in`, `for-of`, and `for-await-of` should be a simple assignment target[1]
2607         if the target is neither a declaration nor a destructuring pattern.
2608
2609         [1]: https://tc39.es/ecma262/#sec-for-in-and-for-of-statements-static-semantics-early-errors
2610
2611         * parser/Parser.cpp:
2612         (JSC::Parser<LexerType>::parseForStatement):
2613         * parser/SyntaxChecker.h:
2614         (JSC::SyntaxChecker::createCommaExpr): Should return CommaExpr to align it to ASTBuilder.
2615         (JSC::SyntaxChecker::appendToCommaExpr):
2616         (JSC::SyntaxChecker::appendStatement):
2617         (JSC::SyntaxChecker::combineCommaNodes): Deleted since it is not used.
2618
2619 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2620
2621         [JSC] Implement Intl.DateTimeFormat dayPeriod
2622         https://bugs.webkit.org/show_bug.cgi?id=215839
2623
2624         Reviewed by Ross Kirsling.
2625
2626         This patch implements Intl.DateTimeFormat dayPeriod option[1]. We can use "narrow", "short", or "long" for dayPeriod,
2627         and it determines how "AM" etc. is represented.
2628
2629         [1]: https://github.com/tc39/ecma402/pull/346
2630
2631         * builtins/DatePrototype.js:
2632         (toLocaleString.toDateTimeOptionsAnyAll):
2633         (toLocaleString):
2634         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2635         (toLocaleTimeString):
2636         * bytecode/BytecodeIntrinsicRegistry.cpp:
2637         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2638         * bytecode/BytecodeIntrinsicRegistry.h:
2639         * runtime/CommonIdentifiers.h:
2640         * runtime/IntlDateTimeFormat.cpp:
2641         (JSC::toDateTimeOptionsAnyDate):
2642         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2643         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2644         (JSC::IntlDateTimeFormat::dayPeriodString):
2645         (JSC::IntlDateTimeFormat::resolvedOptions const):
2646         * runtime/IntlDateTimeFormat.h:
2647         * runtime/OptionsList.h:
2648
2649 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2650
2651         [JSC] super property with new should be accepted
2652         https://bugs.webkit.org/show_bug.cgi?id=215966
2653
2654         Reviewed by Ross Kirsling.
2655
2656         While we should reject `new super` / `new super()`, we should accept `new super.property`.
2657         https://tc39.es/ecma262/#prod-SuperProperty is a child production of https://tc39.es/ecma262/#prod-MemberExpression,
2658         unlike https://tc39.es/ecma262/#prod-SuperCall. So `new` should accept SuperProperty (e.g. `super.xxx`).
2659
2660         * parser/Parser.cpp:
2661         (JSC::Parser<LexerType>::parseMemberExpression):
2662
2663 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2664
2665         [JSC] `new import.meta()` is acceptable
2666         https://bugs.webkit.org/show_bug.cgi?id=215915
2667
2668         Reviewed by Ross Kirsling.
2669
2670         `new import.meta()` is valid in terms of syntax, while it throws a runtime error.
2671         We should accept this code, while `new import()` is not correct syntax.
2672
2673         * parser/Parser.cpp:
2674         (JSC::Parser<LexerType>::parseMemberExpression):
2675
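The parser entries above (async function in single-statement context, `let [` in ExpressionStatement context, for-of taking an AssignmentExpression, the simple-assignment-target rule for for-in/for-of, and `new` with SuperProperty versus SuperCall) all describe early errors, so one added example covers them. This is not code from the ChangeLog or from JSC: it compiles each snippet with `new Function()` so nothing runs, and reports any case where the engine it is run on disagrees with the expectation. `import.meta` is module-only syntax and cannot be exercised this way, so that entry is not included.

```javascript
// Added example, not JSC code: parse-only checks for the early errors the
// parser entries above describe. new Function() compiles the body without
// running it, so a SyntaxError here is a parse-time rejection.
const CASES = [
  // ExpressionStatement excludes an `async [no LineTerminator here] function` lookahead
  { src: 'if (false) async function t() {}',      valid: false },
  { src: 'if (false) { async function t() {} }',  valid: true },
  // ExpressionStatement also excludes the `let [` lookahead
  { src: 'if (false) let [ok] = [42];',            valid: false },
  { src: 'if (false) { let [ok] = [42]; }',        valid: true },
  // for-of takes an AssignmentExpression (no comma), for-in takes an Expression
  { src: 'for (x of [1], [2]) {}',                 valid: false },
  { src: 'for (x of ([1], [2])) {}',               valid: true },
  { src: 'for (x in [1], [2]) {}',                 valid: true },
  { src: 'async function f() { for await (x of [1], [2]) {} }', valid: false },
  { src: 'async function f() { for await (x of [1]) {} }',      valid: true },
  // a non-declaration, non-pattern left-hand side must be a simple assignment target
  { src: 'for (x + 1 of []) {}',                   valid: false },
  { src: 'for ((x) of []) {}',                     valid: true },
  { src: 'for ([a, b] of []) {}',                  valid: true },
  // `new` accepts SuperProperty but never SuperCall
  { src: 'class A extends Object { m() { return new super.constructor(); } }', valid: true },
  { src: 'class A extends Object { constructor() { new super(); } }',        valid: false },
];

// 'ok' when the source parses, 'SyntaxError' when the parser rejects it early.
function classify(src) {
  try {
    new Function(src);   // parse only; the body is never executed
    return 'ok';
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : 'other:' + e.name;
  }
}

// The cases where the running engine disagrees with the spec expectation.
function disagreements() {
  return CASES
    .map(c => ({ src: c.src, expected: c.valid ? 'ok' : 'SyntaxError', got: classify(c.src) }))
    .filter(r => r.got !== r.expected);
}
```

`disagreements()` returns an empty list on a conforming parser; a non-empty result names the snippet, the expected verdict and the one actually produced.
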
2676 2020-08-27  Alexey Shvayka  <shvaikalesh@gmail.com>
2677
2678         __proto__ in object literal should perform [[SetPrototypeOf]] directly
2679         https://bugs.webkit.org/show_bug.cgi?id=215769
2680
2681         Reviewed by Ross Kirsling.
2682
2683         To fix __proto__ usage in object literals if Object.prototype.__proto__ is overridden
2684         or removed, this patch sets the [[Prototype]] directly, aligning JSC with V8 and
2685         SpiderMonkey. We are safe to skip method table lookups and cycle checks, as the
2686         spec [1] calls [[SetPrototypeOf]] on newly created (unreferenced) ordinary objects.
2687
2688         This change removes PropertyNode::PutType because its only purpose was to accommodate
2689         __proto__ in object literals. Since emitPutConstantProperty() handles static public
2690         class fields, which don't need a `super` binding, PropertyNode::isUnderscoreProtoSetter()
2691         is extended to reject class properties.
2692
2693         This patch speeds up creating object literals with __proto__ by 25%.
2694
2695         [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers (step 7.a)
2696
2697         * bytecompiler/BytecodeGenerator.cpp:
2698         (JSC::BytecodeGenerator::emitDirectPutById):
2699         (JSC::BytecodeGenerator::emitDirectSetPrototypeOf):
2700         1. Remove unused `dst` parameter to align with other `put` methods.
2701         2. Remove `divot*` parameters as it's cumbersome to pass them through,
2702            and globalFuncSetPrototypeDirect() never throws anyway.
2703
2704         * bytecompiler/BytecodeGenerator.h:
2705         * bytecompiler/NodesCodegen.cpp:
2706         (JSC::PropertyListNode::emitPutConstantProperty):
2707         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
2708         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2709         (JSC::ClassExprNode::emitBytecode):
2710         * parser/ASTBuilder.h:
2711         (JSC::ASTBuilder::createGetterOrSetterProperty):
2712         (JSC::ASTBuilder::createProperty):
2713         (JSC::ASTBuilder::isUnderscoreProtoSetter const):
2714         * parser/NodeConstructors.h:
2715         (JSC::PropertyNode::PropertyNode):
2716         * parser/Nodes.h:
2717         * parser/Parser.cpp:
2718         (JSC::Parser<LexerType>::parseClass):
2719         (JSC::Parser<LexerType>::parseProperty):
2720         * parser/SyntaxChecker.h:
2721         (JSC::SyntaxChecker::createProperty):
2722         * runtime/JSGlobalObjectFunctions.cpp:
2723         (JSC::globalFuncSetPrototypeDirect):
2724         1. Ignore a prototype value of incorrect type as per spec [1],
2725            which is unobservable for call sites in ClassExprNode::emitBytecode().
2726         2. Assert that JSObject::setPrototypeDirect() doesn't throw.
2727
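The behaviour the entry above fixes, as an added example that is not part of the ChangeLog or of JSC's code: with the Object.prototype.__proto__ accessor deleted, an object literal's `__proto__: value` still sets [[Prototype]] (identifier or string-literal key), a computed `["__proto__"]` key creates an ordinary own property, `null` is accepted and a non-object value is ignored, matching step 7.a of the spec section the entry cites. The function name is made up for the example; the accessor is restored afterwards.

```javascript
// Added example, not JSC code: `__proto__: value` in an object literal sets
// [[Prototype]] at creation time and does not go through the
// Object.prototype.__proto__ accessor, so it keeps working when that accessor
// is removed. Only the non-computed form is special-cased by the spec.
function protoLiteralsWithoutAccessor() {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  delete Object.prototype.__proto__;     // simulate a page that removed the accessor
  try {
    const base = { kind: 'base' };
    const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
    const viaIdentifier = { __proto__: base };
    const viaString = { '__proto__': base };
    const viaComputed = { ['__proto__']: base };   // ordinary own data property
    return {
      identifierSetsPrototype: Object.getPrototypeOf(viaIdentifier) === base
                               && !hasOwn(viaIdentifier, '__proto__'),
      stringSetsPrototype:     Object.getPrototypeOf(viaString) === base,
      computedIsOwnProperty:   hasOwn(viaComputed, '__proto__')
                               && Object.getPrototypeOf(viaComputed) === Object.prototype,
      nullAccepted:            Object.getPrototypeOf({ __proto__: null }) === null,
      primitiveIgnored:        Object.getPrototypeOf({ __proto__: 42 }) === Object.prototype,
    };
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', saved);  // restore the accessor
  }
}
```

Every field of the returned object is `true` on a conforming engine; an engine that routed the literal through the accessor would fail the first two once the accessor is gone.
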
2728 2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>
2729
2730         [JSC] setLength in Array#push could get very large length
2731         https://bugs.webkit.org/show_bug.cgi?id=215897
2732         <rdar://problem/67859149>
2733
2734         Reviewed by Keith Miller.
2735
2736         Array#push can get a length larger than UINT32_MAX. In this case, we should throw a RangeError.
2737         Before r266215, it was using putLength which throws an error. But it was replaced with setLength,
2738         and JSC::setLength assumes that it never gets a length greater than UINT32_MAX by asserting. We
2739         should fix it so that Array#push throws an error correctly.
2740
2741         * runtime/ArrayPrototype.cpp:
2742         (JSC::setLength):
2743
2744 2020-08-27  Saam Barati  <sbarati@apple.com>
2745
2746         GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
2747         https://bugs.webkit.org/show_bug.cgi?id=215894
2748         <rdar://problem/67669696>
2749
2750         Reviewed by Michael Saboff and Keith Miller.
2751
2752         GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
2753         BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
2754         The constant folding for this though was folding to jsUndefined(). I forgot
2755         to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
2756         implementation.
2757
2758         * dfg/DFGAbstractInterpreterInlines.h:
2759         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2760
2761 2020-08-27  Keith Miller  <keith_miller@apple.com>
2762
2763         structureOrNull should take VM instead of getting it from the marked block
2764         https://bugs.webkit.org/show_bug.cgi?id=215899
2765
2766         Reviewed by Yusuke Suzuki.
2767
2768         It's slightly faster to use an existing VM than to recompute the address. It probably doesn't
2769         happen to matter here for performance, but it's good hygiene.
2770
2771         * API/tests/JSWrapperMapTests.mm:
2772         (+[JSWrapperMapTests testStructureIdentity]):
2773         * jit/JITOperations.cpp:
2774         * runtime/JSCJSValue.h:
2775         * runtime/JSCJSValueInlines.h:
2776         (JSC::JSValue::structureOrNull const):
2777         (JSC::JSValue::structureOrUndefined const): Deleted.
2778
2779 2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>
2780
2781         [JSC] Use auxiliary memory for JSBigInt storage
2782         https://bugs.webkit.org/show_bug.cgi?id=215876
2783
2784         Reviewed by Mark Lam.
2785
2786         This makes JSBigInt a non-destructible cell, and it makes allocating JSBigInt from the JIT easy.
2787
2788         * runtime/JSBigInt.cpp:
2789         (JSC::JSBigInt::JSBigInt):
2790         (JSC::JSBigInt::visitChildren):
2791         (JSC::JSBigInt::createWithLength):
2792         (JSC::JSBigInt::destroy): Deleted.
2793         * runtime/JSBigInt.h:
2794         * runtime/VM.cpp:
2795         (JSC::VM::VM):
2796
2797 2020-08-27  Keith Miller  <keith_miller@apple.com>
2798
2799         OSR availability validation should run for any node with exitOK
2800         https://bugs.webkit.org/show_bug.cgi?id=215672
2801
2802         Reviewed by Saam Barati.
2803
2804         Currently we only validate OSR exit availability if a node would
2805         say `mayExit(graph, node) != DoesNotExit` and the node is marked
2806         as exitOK. However, it would be perfectly valid to insert a node
2807         that exits anywhere we have a node marked exitOK. So with this
2808         patch we now validate all places where it would ever be possible
2809         to OSR exit.
2810
2811         Relaxing our criteria revealed a number of bugs, however, which I
2812         will describe below in, IMO, increasing complexity/subtlety.
2813
2814         First, we currently don't mark arity fixup during inlining as not
2815         exitOK. However, since our arity code says its code origin is
2816         OpEnter, we assume arity fixup has already happened.
2817
2818         Second, OpGetScope should not mark its first argument as used
2819         since it's not actually used. This is problematic because we could
2820         have a loop where OpGetScope is the first bytecode, namely when
2821         doing tail recursive inlining. If we were in that position, there
2822         could be a local that was used at a merge point at the loop
2823         backedge that had two MovHint defs from both predecessors. In DFG
2824         IR this would look like:
2825
2826         BB#1:
2827         @1: MovHint(Undefined, loc1)
2828         ...
2829         Jump(#2)
2830
2831         BB#2:
2832         ... // loc1 is live here in bytecode
2833         @2: MovHint(@scopeObject, loc1)
2834         @3: SetLocal(@scopeObject, loc1)
2835         Branch(#3, #4) // #4 is the successor of the tail call loop
2836
2837         BB#3:
2838         @4 MovHint(Undefined, loc1)
2839         ...
2840         Jump(#2)
2841
2842         When we do CPS conversion the MovHints at @1 and @4 will be seen
2843         as different variables (there's no GetLocal). Then, afterwards, during
2844         SSA conversion we won't insert a phi connecting them, making the
2845         argument to OpGetScope, in this case loc1, unrecoverable: there are
2846         conflicting nodes and the value isn't saved on the stack.
2847
2848         There were also issues with MovHintRemoval Phase but rather than
2849         fix them we opted to just remove the phase as it didn't show any
2850         performance impact. I'll describe the issues I found below for
2851         completeness, however.
2852
2853         Third, MovHint removal phase had a bug where it would not mark
2854         sections where a zombied MovHint has yet to be killed as not
2855         exitOK. So in theory another phase could come along and insert an
2856         exiting node there.
2857
2858         Fourth, MovHint removal phase had a second bug where a MovHint
2859         that was not killed in the current block would be zombied, which
2860         is wrong for SSA. It's wrong because the MovHinted value could
2861         still be live for OSR exit in a successor block.
2862
2863         Lastly, this patch adds some new verbose options as well as the ability to
2864         dump a DFG::BasicBlock without dereferencing it.
2865
2866         * bytecode/BytecodeUseDef.cpp:
2867         (JSC::computeUsesForBytecodeIndexImpl):
2868         * dfg/DFGBasicBlock.cpp:
2869         (WTF::printInternal):
2870         * dfg/DFGBasicBlock.h:
2871         * dfg/DFGByteCodeParser.cpp:
2872         (JSC::DFG::ByteCodeParser::inlineCall):
2873         * dfg/DFGCPSRethreadingPhase.cpp:
2874         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
2875         * dfg/DFGEpoch.h:
2876         (JSC::DFG::Epoch::operator bool const):
2877         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2878         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2879         * dfg/DFGSSACalculator.cpp:
2880         (JSC::DFG::SSACalculator::dump const):
2881
2882 2020-08-27  Keith Miller  <keith_miller@apple.com>
2883
2884         JSClassRef should work with JS class syntax.
2885         https://bugs.webkit.org/show_bug.cgi?id=215047
2886
2887         Reviewed by Darin Adler.
2888
2889         This is done by checking if the value returned by the
2890         callAsConstructor parameter to JSObjectMakeConstructor is an
2891         object allocated as the jsClass parameter. When that happens we
2892         replace the prototype of the returned object with the prototype of
2893         the new.target. Ideally we would have passed the derived class's
2894         constructor from the beginning of our support for JS subclassing,
2895         but at this point that's probably not compatible with too many
2896         applications.
2897
2898         * API/APICallbackFunction.h:
2899         (JSC::APICallbackFunction::construct):
2900         * API/JSObjectRef.h:
2901         * API/tests/testapi.cpp:
2902         (APIString::APIString):
2903         (TestAPI::markedJSValueArrayAndGC):
2904         (TestAPI::classDefinitionWithJSSubclass):
2905         (testCAPIViaCpp):
2906         * API/tests/testapi.mm:
2907         (testObjectiveCAPI):
2908
2909 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2910
2911         Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject()
2912         https://bugs.webkit.org/show_bug.cgi?id=144457
2913
2914         Reviewed by Saam Barati.
2915
2916         This patch refactors jsTypeofIsObject(), leveraging fast path of isCallable(),
2917         moves it to the header, and utilizes it in operationTypeOfIsObject() & DFG AI
2918         (minding concurrency) to eliminate code duplication.
2919
2920         Also removes the orphaned slow_path_is_object declaration.
2921
2922         No behavior change, `typeof` microbenchmarks are neutral.
2923
2924         * dfg/DFGAbstractInterpreterInlines.h:
2925         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2926         * dfg/DFGOperations.cpp:
2927         * runtime/CommonSlowPaths.h:
2928         * runtime/Operations.cpp:
2929         (JSC::jsTypeofIsObject): Deleted.
2930         * runtime/Operations.h:
2931         (JSC::jsTypeofIsObjectWithConcurrency):
2932         (JSC::jsTypeofIsObject):
2933
2934 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2935
2936         Merge putLength() into setLength()
2937         https://bugs.webkit.org/show_bug.cgi?id=211279
2938
2939         Reviewed by Darin Adler and Saam Barati.
2940
2941         This patch:
2942
2943         1. Replaces all putLength() call sites with setLength(), saving two JSValue
2944            instantiations in arrayProtoFuncPop() and two in arrayProtoFuncShift().
2945
2946         2. Merges putLength() into setLength(), removing superfluous put() call for
2947            JSArray. Also, performs put() in strict mode to preserve the original
2948            error messages, like ones in ProxyObject::performPut().
2949
2950         3. Inlines performPop(), which avoided an extra index check and Identifier
2951            creation, as it was on the slow path anyway (note JSArray::pop() call).
2952
2953         This change advances the provided setLength()-heavy microbenchmark by ~40%,
2954         while existing Array tests are neutral.
2955
2956         * runtime/ArrayPrototype.cpp:
2957         (JSC::setLength):
2958         (JSC::arrayProtoFuncPop):
2959         (JSC::arrayProtoFuncPush):
2960         (JSC::arrayProtoFuncShift):
2961         (JSC::arrayProtoFuncUnShift):
2962         (JSC::putLength): Deleted.
2963
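The observable side of both setLength entries, the Array#push fix for lengths past UINT32_MAX (bug 215897, above) and this putLength/setLength merge that performs the length store in strict mode, as one added example that is not part of the ChangeLog or of JSC's code: a real Array refuses to grow past 2^32 - 1 with a RangeError, an array-like object only hits the 2^53 - 1 TypeError, and a read-only `length` makes every mutator throw a TypeError instead of failing silently. Function names are made up for the example.

```javascript
// Added example, not JSC code: what Array.prototype mutators do when the
// "length" store cannot succeed. A real Array's length is a uint32, so growing
// it past 2^32 - 1 is a RangeError; array-likes have no such invariant and only
// hit the 2^53 - 1 TypeError; a read-only length turns each mutator into a TypeError.
const UINT32_MAX = 2 ** 32 - 1;   // largest valid Array length

function errorNameOf(fn) {
  try { fn(); return 'none'; } catch (e) { return e.name; }
}

function pushPastUint32OnArray() {
  const a = [];
  a.length = UINT32_MAX;                 // legal and cheap: no storage is allocated
  return errorNameOf(() => a.push(1));   // new length would be 2^32: 'RangeError'
}

function pushPastUint32OnArrayLike() {
  const o = { length: UINT32_MAX };      // plain object: "length" is just a property
  Array.prototype.push.call(o, 1);
  return o.length;                       // 4294967296
}

function pushPastSafeIntegerOnArrayLike() {
  const o = { length: Number.MAX_SAFE_INTEGER };
  return errorNameOf(() => Array.prototype.push.call(o, 1));  // 'TypeError'
}

function mutatorsOnReadOnlyLength() {
  const readOnlyLength = () => {
    const a = [1, 2, 3];
    Object.defineProperty(a, 'length', { writable: false });
    return a;
  };
  // Each method stores the new length with throw-on-failure (strict) semantics.
  return {
    push:    errorNameOf(() => readOnlyLength().push(4)),
    pop:     errorNameOf(() => readOnlyLength().pop()),
    shift:   errorNameOf(() => readOnlyLength().shift()),
    unshift: errorNameOf(() => readOnlyLength().unshift(0)),
  };
}
```

Note the asymmetry the first two functions show: the same `push` that throws on a true Array simply produces a `length` of 4294967296 on an array-like, because only Arrays carry the uint32 length invariant.
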
2964 2020-08-26  Saam Barati  <sbarati@apple.com>
2965
2966         Make isIndex use MAX_ARRAY_INDEX
2967         https://bugs.webkit.org/show_bug.cgi?id=215872
2968
2969         Reviewed by Darin Adler.
2970
2971         It's already written in such a way that it relies on what MAX_ARRAY_INDEX
2972         is defined as. But instead of MAX_ARRAY_INDEX, the function was hardcoding
2973         MAX_ARRAY_INDEX + 1.
2974
2975         * runtime/Identifier.h:
2976         (JSC::isIndex):
2977
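The bound isIndex checks, as an added example that is not part of the ChangeLog or of JSC's code: ECMA-262 treats a property key as an array index only when it is the canonical decimal string of an integer in [0, 2^32 - 2], with 2^32 - 1 reserved for the maximum `length`. The JavaScript predicate below mirrors that rule and probes the running engine to confirm where the boundary lies; the `MAX_ARRAY_INDEX` constant is assumed to be the value the entry's MAX_ARRAY_INDEX stands for.

```javascript
// Added example, not JSC code: ECMA-262 calls a property key an array index
// when it is the canonical decimal string of an integer in [0, 2^32 - 2];
// 2^32 - 1 is reserved for the maximum "length" and is an ordinary key.
// The constant is assumed to match what the entry calls MAX_ARRAY_INDEX.
const MAX_ARRAY_INDEX = 2 ** 32 - 2;

function isArrayIndex(key) {
  if (typeof key !== 'string') return false;
  // canonical form only: no sign, no leading zeros, no fraction or exponent
  if (!/^(0|[1-9][0-9]*)$/.test(key)) return false;
  return Number(key) <= MAX_ARRAY_INDEX;
}

// Probe the engine: storing under an index key makes "length" nonzero,
// storing under any other key leaves the empty array's length at 0.
function engineTreatsAsIndex(key) {
  const a = [];
  a[key] = 1;
  return a.length !== 0;
}

// Constructed sample keys around the boundary and in non-canonical forms.
const SAMPLE_KEYS = ['0', '7', '01', '-1', '1.5', '1e3', ' 1',
                     '4294967294', '4294967295', '4294967296'];

// Keys where the predicate and the engine disagree (empty on a conforming engine).
function disagreementsWithEngine() {
  return SAMPLE_KEYS.filter(k => isArrayIndex(k) !== engineTreatsAsIndex(k));
}
```

The two keys at the edge are the instructive ones: `'4294967294'` is an index and bumps `length` to 4294967295, while `'4294967295'` is a plain named property and leaves `length` untouched.
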
2978 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2979
2980         Use unsigned type for `length` of JSFunction
2981         https://bugs.webkit.org/show_bug.cgi?id=215870
2982
2983         Reviewed by Darin Adler.
2984
2985         Since the `length` value of a built-in function is its arity,
2986         we can communicate it's always non-negative via method signatures.
2987
2988         No behavior change: `length` values redefined by user code are unaffected.
2989
2990         * runtime/InternalFunction.cpp:
2991         (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
2992         * runtime/InternalFunction.h:
2993         * runtime/JSFunction.cpp:
2994         (JSC::JSFunction::create):
2995         (JSC::JSFunction::finishCreation):
2996         * runtime/JSFunction.h:
2997         * runtime/JSNativeStdFunction.cpp:
2998         (JSC::JSNativeStdFunction::finishCreation):
2999         (JSC::JSNativeStdFunction::create):
3000         * runtime/JSNativeStdFunction.h:
3001
3002 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
3003
3004         [JSC] Enable Intl.Segmenter
3005         https://bugs.webkit.org/show_bug.cgi?id=215854
3006
3007         Reviewed by Ross Kirsling.
3008
3009         This is already stage-3 and all the features are implemented. Let's just enable it.
3010
3011         * runtime/IntlObject.cpp:
3012         (JSC::IntlObject::finishCreation):
3013         * runtime/OptionsList.h:
3014
3015 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
3016
3017         [JSC] Add ASCII comparison fast path for IntlCollator
3018         https://bugs.webkit.org/show_bug.cgi?id=215798
3019
3020         Reviewed by Darin Adler, Ross Kirsling, and Saam Barati.
3021
3022         The idea behind this change is the following: ICU Collator's comparison is too slow. We should have a fast path for ASCII strings when we know this equals ICU Collator's result.
3023         The problem is that even for ASCII strings, collation is super complicated!
3024
3025             1. Unicode defines the Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which define weights on various levels per code point. UCA also offers
3026                the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using the ICU Root Collator.
3027             2. UCA collation consists of rules, which define how collation works. And ICU locales define customized collations by adding special rules to that.
3028             3. UCA behaves differently by using different options.
3029
3030         Based on that, our observation is that some major locales do not define additional rules in (2). This means that they behave the same as UCA with DUCET.
3031         This patch implements a simplified version of comparison which generates the same results for ASCII strings (excluding control characters) as UCA with DUCET. This fast path can be used only when the following conditions are met.
3032
3033             1. The collator does not have additional rules over the ICU Root Collator.
3034             2. The collator is using default options.
3035
3036         These checks are very important since there are a lot of edge-case locales. For example,
3037
3038             1. th (Thai language) ignores punctuation (even including ASCII punctuation) by default. This is defined as the ignore-punctuation option being enabled by default, so without (2)'s check, th comparison becomes wrong.
3039             2. There is a contraction concept (multiple letters behave as a single letter). "ch" letters are ordered interestingly in the Czech language. So even in ASCII, Czech shows very interesting collation behavior.
3040
3041         So we cannot safely take this fast path without carefully querying the information from ICU.
3042
3043         This shows 37% improvement in JetStream2/cdjs in en-US environment.
3044
3045         * runtime/IntlCollator.cpp:
3046         (JSC::IntlCollator::initializeCollator):
3047         (JSC::IntlCollator::compareStrings const):
3048         (JSC::canDoASCIIUCADUCETComparisonWithUCollator):
3049         (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const):
3050         (JSC::IntlCollator::checkICULocaleInvariants):
3051         * runtime/IntlCollator.h:
3052         * runtime/IntlObject.cpp:
3053         (JSC::intlCollatorAvailableLocales):
3054         * runtime/IntlObject.h:
3055         * runtime/IntlObjectInlines.h:
3056         (JSC::canUseASCIIUCADUCETComparison):
3057         (JSC::compareASCIIWithUCADUCET):
3058
3059 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
3060
3061         [JSC] Implement Intl.DateTimeFormat fractionalSecondDigits
3062         https://bugs.webkit.org/show_bug.cgi?id=215840
3063
3064         Reviewed by Ross Kirsling.
3065
3066         This patch implements fractionalSecondDigits option for Intl.DateTimeFormat. If it is
3067         specified, milliseconds in N digits are represented in the formatted output.
3068         This extension is about to be merged into the spec[1]. SpiderMonkey and V8 support it,
3069         and V8 shipped it without flags.
3070
3071         [1]: https://github.com/tc39/ecma402/pull/347
3072
3073         * builtins/DatePrototype.js:
3074         (toLocaleString.toDateTimeOptionsAnyAll):
3075         (toLocaleString):
3076         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3077         (toLocaleTimeString):
3078         * runtime/CommonIdentifiers.h:
3079         * runtime/IntlDateTimeFormat.cpp:
3080         (JSC::toDateTimeOptionsAnyDate):
3081         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
3082         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3083         (JSC::IntlDateTimeFormat::resolvedOptions const):
3084         (JSC::partTypeString):
3085         * runtime/IntlDateTimeFormat.h:
3086
3087 2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
3088
3089         [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr
3090         https://bugs.webkit.org/show_bug.cgi?id=215833
3091
3092         Reviewed by Mark Lam.
3093
3094         While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function).
3095         m_origin always points to the appropriate origin. We should use it instead.
3096
3097         * ftl/FTLLowerDFGToB3.cpp:
3098         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
3099         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
3100         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3101         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3102         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3103         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3104         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
3105         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3106         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
3107         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
3108         (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
3109         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
3110         (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
3111         (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
3112         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
3113         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3114         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
3115         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
3116         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
3117         (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
3118         (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
3119         (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec):
3120         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3121         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
3122         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
3123         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
3124         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
3125         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
3126         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
3127         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3128         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3129         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
3130         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
3131         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
3132         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3133         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
3134         (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
3135         (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
3136         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3137         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3138         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3139         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3140         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
3141         (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
3142         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
3143         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
3144         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
3145         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
3146         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3147         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
3148         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
3149         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
3150         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
3151         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3152         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3153         (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
3154         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
3155         (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly):
3156         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3157         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
3158         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
3159         (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
3160         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3161         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3162         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
3163         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
3164         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
3165         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3166         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3167         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3168         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3169         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
3170         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
3171         (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
3172         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
3173         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
3174         (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey):
3175         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3176         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3177         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
3178         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3179         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
3180         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
3181         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3182         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
3183         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3184         (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength):
3185         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
3186         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3187         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
3188         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
3189         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
3190         (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3192         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3193         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
3194         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
3195         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject):
3196         (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable):
3197         (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor):
3198         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
3199         (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
3200         (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
3201         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
3202         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3203         (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
3204         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl):
3205         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3206         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
3207         (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
3208         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3209         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
3210         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3211         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
3212         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3213         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
3214         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3215         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3216         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3217         (JSC::FTL::DFG::LowerDFGToB3::compare):
3218         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3219         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
3220         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
3221         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
3222         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
3223         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
3224         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
3225         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
3226         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
3227         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3228         (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
3229         (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
3230         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
3231         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3232         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3233         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
3234         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
3235         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3236         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
3237         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3238         (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid):
3239         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3240         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
3241         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
3242         * jsc.cpp:
3243         (runJSC):
3244         * runtime/OptionsList.h:
3245
3246 2020-08-25  Devin Rousso  <drousso@apple.com>
3247
3248         Web Inspector: breakpoint condition should be evaluated before the ignore count
3249         https://bugs.webkit.org/show_bug.cgi?id=215364
3250         <rdar://problem/67310703>
3251
3252         Reviewed by Joseph Pecoraro.
3253
        Previously, when pausing, `JSC::Breakpoint` would check its `ignoreCount` before it
        would even attempt to evaluate its `condition`. This meant that a `JSC::Breakpoint` with
3256         a `condition` of `foo === 42` and an `ignoreCount` of `3` would ignore the first three
3257         pauses and then only pause if `foo === 42`. This is likely contrary to the expectation of
3258         most users (especially since the `condition` input is before the `ignoreCount` input in
3259         the Web Inspector frontend UI) in that they would probably expect to ignore the first
3260         three pauses if `foo === 42`.
3261
3262         * debugger/Breakpoint.cpp:
3263         (JSC::Breakpoint::shouldPause):
3264
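        The two evaluation orders described in the entry above, as an added illustration that is not JSC code
        and not part of this ChangeLog. It models a breakpoint as a plain object with a `condition` callback,
        an `ignoreCount` and a `hitCount`; the field names and the "ignore the first N pauses" counting rule are
        assumptions for the model, not the real `JSC::Breakpoint` fields. Replaying one constructed sequence of
        `foo` values shows that the old order pauses on the fourth arrival regardless of `foo`, while the new
        order pauses only on the fourth arrival where `foo === 42`.

```javascript
// Added example (not JSC source): a model of the two `shouldPause` orderings
// for a breakpoint with a `condition` and an `ignoreCount`.

function createBreakpoint(condition, ignoreCount) {
  // `condition` is a function of the scope, or null for an unconditional breakpoint.
  return { condition, ignoreCount, hitCount: 0 };
}

// Pre-fix ordering: every arrival counts toward ignoreCount, and the
// condition is only consulted once the first ignoreCount arrivals are past.
function shouldPauseIgnoreCountFirst(bp, scope) {
  bp.hitCount += 1;
  if (bp.hitCount <= bp.ignoreCount) return false;
  return bp.condition === null || bp.condition(scope);
}

// Post-fix ordering: an arrival where the condition is false is not a pause
// at all, so it is not counted; ignoreCount skips the first ignoreCount
// arrivals on which the condition holds.
function shouldPauseConditionFirst(bp, scope) {
  if (bp.condition !== null && !bp.condition(scope)) return false;
  bp.hitCount += 1;
  return bp.hitCount > bp.ignoreCount;
}

// Replay a sequence of `foo` values through one breakpoint and return the
// indices of the arrivals on which the debugger would pause.
function pausesFor(shouldPause, fooValues, condition, ignoreCount) {
  const bp = createBreakpoint(condition, ignoreCount);
  const paused = [];
  fooValues.forEach((foo, i) => {
    if (shouldPause(bp, { foo })) paused.push(i);
  });
  return paused;
}

// Constructed sample: `foo` as seen on seven successive arrivals at the breakpoint.
const FOO_VALUES = [42, 1, 42, 42, 42, 42, 42];
const fooIs42 = (scope) => scope.foo === 42;

function comparePauseOrders() {
  return {
    ignoreCountFirst: pausesFor(shouldPauseIgnoreCountFirst, FOO_VALUES, fooIs42, 3),
    conditionFirst: pausesFor(shouldPauseConditionFirst, FOO_VALUES, fooIs42, 3),
  };
}

console.log(comparePauseOrders());
```

        With `ignoreCount` 3 the old order pauses at arrivals 3, 4, 5 and 6 (the `foo === 1` arrival was silently
        consumed as one of the three ignored hits), whereas the new order pauses at 4, 5 and 6, i.e. after three
        arrivals where `foo === 42`, which is what the frontend's condition-then-ignore-count layout suggests.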
3265 2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>
3266
3267         Invalid early error for object literal method named "__proto__"
3268         https://bugs.webkit.org/show_bug.cgi?id=215760
3269
3270         Reviewed by Ross Kirsling.
3271
3272         According to Annex B [1], `{ __proto__: null, __proto__() {} }` is a valid object literal as the second
3273         `__proto__` wasn't obtained from `PropertyDefinition : PropertyName : AssignmentExpression` production.
3274         Currently, JSC throws an early SyntaxError, unlike V8 and SpiderMonkey.
3275
3276         Since a method needs `super` binding, the most straightforward fix would be adding SuperBinding field
3277         to SyntaxChecker::Property and exposing it via an accessor. However, given that Property is a very
3278         common structure, this approach would noticeably increase memory pressure during parsing.
3279
3280         Instead, this patch reworks SyntaxChecker::Property to accept `isUnderscoreProtoSetter` parameter,
3281         removing optional `name` field, its accessor, and shouldCheckPropertyForUnderscoreProtoDuplicate(),
3282         which reduces sizeof(SyntaxChecker::Property) by a factor of 8: from 16 to 2 bytes.
3283         Also, this change avoids two extra makeNumericIdentifier() calls, speeding up numeric keys parsing.
3284
3285         This approach is feasible because "__proto__" is the only identifier-based early error for object
3286         literals [2], with no such errors being added in upcoming stage 2-4 proposals.
3287
3288         Additionally, this patch removes `strict` / `complete` bool parameter from {parse,create}Property()
3289         signatures as a) it was always `true`, b) is now unused, and c) strict mode can be checked via scope.
3290
3291         [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers
3292         [2]: https://tc39.es/ecma262/#sec-object-initializer-static-semantics-early-errors
3293
3294         * parser/ASTBuilder.h:
3295         (JSC::ASTBuilder::createGetterOrSetterProperty):
3296         (JSC::ASTBuilder::createProperty):
3297         (JSC::ASTBuilder::isUnderscoreProtoSetter const):
3298         (JSC::ASTBuilder::getName const): Deleted.
3299         * parser/Nodes.h:
3300         * parser/Parser.cpp:
3301         (JSC::Parser<LexerType>::parseClass):
3302         (JSC::Parser<LexerType>::parseProperty):
3303         (JSC::Parser<LexerType>::parseGetterSetter):
3304         (JSC::Parser<LexerType>::parseObjectLiteral):
3305         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate): Deleted.
3306         * parser/Parser.h:
3307         * parser/SyntaxChecker.h:
3308         (JSC::SyntaxChecker::SyntaxChecker):
3309         (JSC::SyntaxChecker::Property::Property):
3310         (JSC::SyntaxChecker::Property::operator!):
3311         (JSC::SyntaxChecker::createProperty):
3312         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3313         (JSC::SyntaxChecker::operatorStackPop):
3314
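        Which object-literal forms trigger the duplicate `__proto__` early error, as an added example that is
        not part of this ChangeLog and not JSC code. It parses each constructed sample with `new Function`
        without calling it, so only a parse-time `SyntaxError` counts; the result assumes an engine that follows
        Annex B as the entry describes for V8 and SpiderMonkey (JSC before this fix would also reject the method
        form). The sample names and the `isEarlySyntaxError` helper are this example's own.

```javascript
// Added example (not JSC source): probe the duplicate-__proto__ early error
// on the running engine and show what the method form actually creates.

// Parse `src` as an expression without evaluating it. Returns true only if
// the parser itself rejects it (an early SyntaxError); anything that parses
// counts as accepted, even if it would fail at run time.
function isEarlySyntaxError(src) {
  try {
    new Function("return (" + src + ");"); // parse only, never invoked
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed samples. Per Annex B only the
// `PropertyName : AssignmentExpression` form (identifier or string-literal
// key, not computed) participates in the duplicate check.
const SAMPLES = {
  dupColon:       "{ __proto__: null, __proto__: null }",
  dupStringColon: "{ \"__proto__\": null, __proto__: null }",
  method:         "{ __proto__: null, __proto__() {} }",
  getter:         "{ __proto__: null, get __proto__() { return 1; } }",
  computed:       "{ __proto__: null, [\"__proto__\"]: null }",
};

function classifySamples() {
  const out = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    out[name] = isEarlySyntaxError(src);
  }
  return out;
}

// The literal from the entry: the first `__proto__` sets the [[Prototype]],
// the method becomes an ordinary own data property named "__proto__".
function describeMethodForm() {
  const o = { __proto__: null, __proto__() {} };
  const desc = Object.getOwnPropertyDescriptor(o, "__proto__");
  return {
    prototypeIsNull: Object.getPrototypeOf(o) === null,
    ownProtoIsFunction: desc !== undefined && typeof desc.value === "function",
  };
}

console.log(classifySamples(), describeMethodForm());
```

        On a conforming engine only `dupColon` and `dupStringColon` are early errors; the method, accessor and
        computed-key forms all parse, and `describeMethodForm()` confirms that the method form yields a
        null-prototype object carrying an own `__proto__` function rather than a second prototype assignment.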
3315 2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
3316
3317         [JSC] Add concurrency-aware version of isCallable / isConstructor to make it usable in DFG compiler
3318         https://bugs.webkit.org/show_bug.cgi?id=215746
3319
3320         Reviewed by Saam Barati.