[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-10-17  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueSub into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186176

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch a new node called ValueSub. This node
        is necessary due to the introduction of BigInt, making subtraction
        operations result in non-Number values in some cases. In such cases, ValueSub is
        responsible for handling Untyped and BigInt operations.
        In addition, we are also creating a speculative path when both
        operands are BigInt. According to a simple BigInt subtraction microbenchmark,
        this represents a speedup of ~1.2x faster.

        big-int-simple-sub    14.6427+-0.5652    ^    11.9559+-0.6485   ^   definitely 1.2247x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueSub):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):

2018-10-17  Mark Lam  <mark.lam@apple.com>

        The parser should not emit an ApplyFunctionCallDotNode for Reflect.apply.
        https://bugs.webkit.org/show_bug.cgi?id=190671
        <rdar://problem/45201145>

        Reviewed by Saam Barati.

        The bytecode generator does not currently know how to inline Reflect.apply (see
        https://bugs.webkit.org/show_bug.cgi?id=190668).  Hence, it's a waste of time to
        emit the ApplyFunctionCallDotNode since the function check against Function.apply
        that it will generate will always fail.

        Also fixed CallVariant::dump() to be able to handle dumping a non-executable
        callee.  Reflect.apply used to trip this up.  Any object with an apply property
        invoked as a function could also trip this up.  This is now fixed.

        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::dump const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):

2018-10-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237024.
        https://bugs.webkit.org/show_bug.cgi?id=190673

        "It regressed ARES6 on iOS devices by 4-8%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Increase executable memory pool from 64MB to 128MB for ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=190453
        https://trac.webkit.org/changeset/237024

2018-10-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use WTF::Function instead of std::function
        https://bugs.webkit.org/show_bug.cgi?id=190665

        Reviewed by Keith Miller.

        We should use WTF::Function as much as possible. It allocates memory from bmalloc instead of standard malloc.

        * runtime/JSNativeStdFunction.h:

2018-10-17  Keith Miller  <keith_miller@apple.com>

        Remove debug logging from generate_offsets_extractor.rb
        https://bugs.webkit.org/show_bug.cgi?id=190667

        Reviewed by Mark Lam.

        * offlineasm/generate_offset_extractor.rb:

2018-10-17  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build.

        * offlineasm/generate_offset_extractor.rb:

2018-10-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] More aggressively use `constexpr` in LowLevelInterpreter.asm for constant values
        https://bugs.webkit.org/show_bug.cgi?id=190659

        Reviewed by Keith Miller.

        Asking the JSC binary for the actual constant value is always the best way to get the correct value.
        The value is correctly updated once the original value is changed. We would like to encourage this
        approach more in LowLevelInterpreter.asm.

        This patch expands the coverage of this approach. We make ObservedType, ResultType, and ArithProfile
        constexpr-friendly to produce the magic value used in LowLevelInterpreter.asm at compile time.
        This change allows us to easily extend ArithProfile in the future to adopt BigInt efficiently.

        We additionally use `constexpr` for several constant values in LowLevelInterpreter.asm.

        * assembler/MaxFrameExtentForSlowPathCall.h:
        Use this value in LowLevelInterpreter.asm directly. We also make them constexpr. And we add CPU(ARM64E).

        * bytecode/ArithProfile.h:
        (JSC::ObservedType::ObservedType):
        (JSC::ObservedType::sawInt32 const):
        (JSC::ObservedType::isOnlyInt32 const):
        (JSC::ObservedType::sawNumber const):
        (JSC::ObservedType::isOnlyNumber const):
        (JSC::ObservedType::sawNonNumber const):
        (JSC::ObservedType::isOnlyNonNumber const):
        (JSC::ObservedType::isEmpty const):
        (JSC::ObservedType::bits const):
        (JSC::ObservedType::withInt32 const):
        (JSC::ObservedType::withNumber const):
        (JSC::ObservedType::withNonNumber const):
        (JSC::ObservedType::withoutNonNumber const):
        (JSC::ObservedType::operator== const):
        (JSC::ArithProfile::ArithProfile):
        (JSC::ArithProfile::fromInt):
        (JSC::ArithProfile::observedUnaryInt):
        (JSC::ArithProfile::observedUnaryNumber):
        (JSC::ArithProfile::observedBinaryIntInt):
        (JSC::ArithProfile::observedBinaryNumberInt):
        (JSC::ArithProfile::observedBinaryIntNumber):
        (JSC::ArithProfile::observedBinaryNumberNumber):
        (JSC::ArithProfile::lhsObservedType const):
        (JSC::ArithProfile::rhsObservedType const):
        (JSC::ArithProfile::bits const):
        Make ObservedType and ArithProfile constexpr-friendly.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        Make several ASSERTs into STATIC_ASSERTs. Remove some unnecessary checks.
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        Remove unused constant values. Use constexpr more and more aggressively.

        * parser/ResultType.h:
        (JSC::ResultType::ResultType):
        (JSC::ResultType::isInt32 const):
        (JSC::ResultType::definitelyIsNumber const):
        (JSC::ResultType::definitelyIsString const):
        (JSC::ResultType::definitelyIsBoolean const):
        (JSC::ResultType::definitelyIsBigInt const):
        (JSC::ResultType::mightBeNumber const):
        (JSC::ResultType::isNotNumber const):
        (JSC::ResultType::mightBeBigInt const):
        (JSC::ResultType::isNotBigInt const):
        (JSC::ResultType::nullType):
        (JSC::ResultType::booleanType):
        (JSC::ResultType::numberType):
        (JSC::ResultType::numberTypeIsInt32):
        (JSC::ResultType::stringOrNumberType):
        (JSC::ResultType::addResultType):
        (JSC::ResultType::stringType):
        (JSC::ResultType::bigIntType):
        (JSC::ResultType::unknownType):
        (JSC::ResultType::forAdd):
        (JSC::ResultType::forLogicalOp):
        (JSC::ResultType::forBitOp):
        (JSC::ResultType::bits const):
        Make ResultType constexpr-friendly.

        * runtime/JSCJSValue.h:
        Use offsetof instead of OBJECT_OFFSETOF. It is OK since EncodedValueDescriptor is POD.
        This change makes the TagOffset and PayloadOffset macros constexpr-friendly, while OBJECT_OFFSETOF
        cannot be used in constexpr since it uses reinterpret_cast.

2018-10-17  Keith Miller  <keith_miller@apple.com>

        Unreviewed revert Fujii's revert in r237214 with new WinCairo build fix.

2018-10-16  Mark Lam  <mark.lam@apple.com>

        GetIndexedPropertyStorage can GC.
        https://bugs.webkit.org/show_bug.cgi?id=190625
        <rdar://problem/45309366>

        Reviewed by Saam Barati.

        This is because if the ArrayMode type is String, the DFG and FTL will be emitting
        a call to operationResolveRope, and operationResolveRope can GC.  This patch
        updates doesGC() to reflect this.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2018-10-16  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r237188, r237189, and r237197.

        It breaks WinCairo Debug builds and Release LayoutTests

        Reverted changesets:

        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237188

        "Unreviewed, forgot to add untracked files."
        https://trac.webkit.org/changeset/237189

        "isASTErroneous in offlineasm should de-macroify before
        looking for Errors"
        https://bugs.webkit.org/show_bug.cgi?id=190634
        https://trac.webkit.org/changeset/237197

2018-10-16  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: capture previously saved states and add them to the recording payload
        https://bugs.webkit.org/show_bug.cgi?id=190473

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add `states` key to `InitialState` object.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        isASTErroneous in offlineasm should de-macroify before looking for Errors
        https://bugs.webkit.org/show_bug.cgi?id=190634

        Reviewed by Mark Lam.

        If a macro isn't usable in a configuration it might still cause us to
        think the ast is invalid. This change runs the de-macroifier before
        looking for errors.

        Also, it adds a missing include to Printer.h.

        * assembler/Printer.h:
        * offlineasm/settings.rb:

2018-10-16  Justin Michaud  <justin_michaud@apple.com>

        Implement feature flag and bindings for CSS Painting API
        https://bugs.webkit.org/show_bug.cgi?id=190237

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add untracked files.

        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_settings_extractor.rb: Added.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, reland https://bugs.webkit.org/show_bug.cgi?id=189708 with build fix.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, add missing include.

        * runtime/BasicBlockLocation.h:

2018-10-15  Keith Miller  <keith_miller@apple.com>

        Support arm64 CPUs with a 32-bit address space
        https://bugs.webkit.org/show_bug.cgi?id=190273

        Reviewed by Michael Saboff.

        This patch adds support for arm64_32 in the LLInt. In order to
        make this work we needed to add a new type that reflects the size
        of a cpu register. This type is called CPURegister or UCPURegister
        for the unsigned version. Most places that used void* or intptr_t
        to refer to a register have been changed to use this new type.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        (JSC::isInt):
        (JSC::is4ByteAligned):
        (JSC::PairPostIndex::PairPostIndex):
        (JSC::PairPreIndex::PairPreIndex):
        (JSC::ARM64Assembler::readPointer):
        (JSC::ARM64Assembler::readCallTarget):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadRegisterLiteral):
        (JSC::ARM64Assembler::loadStoreRegisterPairPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairPreIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        (JSC::isInt7): Deleted.
        (JSC::isInt11): Deleted.
        * assembler/CPU.h:
        (JSC::isAddress64Bit):
        (JSC::isAddress32Bit):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::isInIntRange): Deleted.
        * assembler/Printer.h:
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        * b3/B3ConstPtrValue.h:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::stackSlot const):
        (JSC::B3::Air::Arg::special const):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testInterpreter):
        (JSC::B3::testAddShl32):
        (JSC::B3::testLoadBaseIndexShift32):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        * bindings/ScriptFunctionCall.h:
        * bytecode/CodeBlock.cpp:
        (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        * heap/MachineStackMarker.cpp:
        (JSC::copyMemory):
        * interpreter/CallFrame.h:
        (JSC::ExecState::returnPC const):
        (JSC::ExecState::hasReturnPC const):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::isGlobalExec const):
        (JSC::ExecState::setReturnPC):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/VMEntryRecord.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/RegisterAtOffset.h:
        (JSC::RegisterAtOffset::offsetAsIndex const):
        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/parser.rb:
        * offlineasm/x86.rb:
        * runtime/BasicBlockLocation.cpp:
        (JSC::BasicBlockLocation::dumpData const):
        (JSC::BasicBlockLocation::emitExecuteCode const):
        * runtime/BasicBlockLocation.h:
        * runtime/HasOwnPropertyCache.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitDiv):
        * runtime/JSBigInt.h:
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::jitEnabledByDefault):
        * runtime/Options.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::printTraceData):
        * runtime/SamplingProfiler.cpp:
        (JSC::CFrameWalker::walk):
        * runtime/SlowPathReturnType.h:
        (JSC::encodeResult):
        (JSC::decodeResult):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SigillCrashAnalyzer::dumpCodeBlock):

2018-10-15  Justin Fan  <justin_fan@apple.com>

        Add WebGPU 2018 feature flag and experimental feature flag
        https://bugs.webkit.org/show_bug.cgi?id=190509

        Reviewed by Dean Jackson.

        Re-add ENABLE_WEBGPU, an experimental feature flag, and a RuntimeEnabledFeature
        for the 2018 WebGPU prototype.

        * Configurations/FeatureDefines.xcconfig:

2018-10-15  Timothy Hatcher  <timothy@apple.com>

        Add support for prefers-color-scheme media query
        https://bugs.webkit.org/show_bug.cgi?id=190499
        rdar://problem/45212025

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_DARK_MODE_CSS.

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237084, r237088, r237098, and
        r237114.
        https://bugs.webkit.org/show_bug.cgi?id=190602

        Breaks internal builds. (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "Separate configuration extraction from offset extraction"
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237084

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237088

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237098

        "REGRESSION (r237084): JavaScriptCore fails to build on Linux"
        https://trac.webkit.org/changeset/237114

2018-10-15  Keith Miller  <keith_miller@apple.com>

        BytecodeDumper should print all switch labels
        https://bugs.webkit.org/show_bug.cgi?id=190596

        Reviewed by Saam Barati.

        Right now the bytecode dumper only prints the default target not any of the
        non-default targets.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):

2018-10-15  Saam barati  <sbarati@apple.com>

        Emit fjcvtzs on ARM64E on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=184023

        Reviewed by Yusuke Suzuki and Filip Pizlo.

        ARMv8.3 introduced the fjcvtzs instruction which does double->int32
        conversion using the semantics defined by JavaScript:
        http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0801g/hko1477562192868.html
        This patch teaches JSC to use that instruction when possible.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fjcvtzs):
        (JSC::ARM64Assembler::fjcvtzsInsn):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsDoubleToInt32ConversionUsingJavaScriptSemantics):
        (JSC::MacroAssemblerARM64::convertDoubleToInt32UsingJavaScriptSemantics):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * runtime/MathCommon.h:
        (JSC::toInt32):

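Added here as an illustration, not code from the WebKit patch above: a standalone C++ implementation of the ECMAScript ToInt32 conversion, which is the double-to-int32 semantics the entry says fjcvtzs performs in hardware (and which JSC's own `toInt32` in MathCommon.h provides in software; this block does not reproduce that function). The names `toInt32` and `fitsInInt32` are ours. The point of the example is the edge cases a plain C++ cast gets wrong or leaves undefined: NaN and the infinities map to 0, and anything outside the int32 range is reduced modulo 2^32 and then reinterpreted as a signed 32-bit value.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// ECMAScript ToInt32, the semantics the ARMv8.3 fjcvtzs instruction implements:
//   1. NaN, +Infinity, -Infinity and +/-0 all map to 0.
//   2. Otherwise truncate toward zero, reduce modulo 2^32 into [0, 2^32),
//      and reinterpret the low 32 bits as a signed two's-complement integer.
// A plain static_cast<int32_t>(double) is undefined behaviour outside the
// int32 range, so the slow path below goes through fmod and an unsigned value.
// Illustrative re-implementation; not JSC's toInt32 from MathCommon.h.

static constexpr double kTwoTo32 = 4294967296.0;  // 2^32, exactly representable

// True when d is an integral value inside the int32 range. A JIT typically
// tests something like this as its fast path before the general conversion.
bool fitsInInt32(double d)
{
    return d >= -2147483648.0 && d < 2147483648.0 && std::trunc(d) == d;
}

int32_t toInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;

    // Fast path: in range (not necessarily integral), so C++ truncation is defined.
    if (d >= -2147483648.0 && d < 2147483648.0)
        return static_cast<int32_t>(d);   // truncates toward zero; -0.0 becomes 0

    // Slow path: truncate, then reduce modulo 2^32. fmod keeps the dividend's
    // sign, so a negative remainder is shifted into [0, 2^32). Because
    // `truncated` is integral, the remainder is an exact integer too.
    double truncated = std::trunc(d);
    double modulo = std::fmod(truncated, kTwoTo32);
    if (modulo < 0)
        modulo += kTwoTo32;

    // modulo is now an exact integer in [0, 2^32), so the unsigned cast is defined.
    uint32_t bits = static_cast<uint32_t>(modulo);

    // Reinterpret the 32 bits as signed without relying on implementation-defined
    // narrowing conversions.
    int32_t result;
    std::memcpy(&result, &bits, sizeof result);
    return result;
}

// Spot checks mirroring the JavaScript expression `x | 0`, which applies ToInt32:
// 2^32 + 5 wraps to 5, 2^31 wraps to INT32_MIN, and 2^32 - 1 becomes -1.
int main()
{
    bool ok = toInt32(4294967301.0) == 5
        && toInt32(2147483648.0) == INT32_MIN
        && toInt32(4294967295.0) == -1
        && toInt32(1e20) == 1661992960;   // same as 1e20 | 0 in JavaScript
    return ok ? 0 : 1;
}
```

The two-step structure (range check, then fmod) is also why a software fallback is noticeably slower than a single instruction: the common case still needs a comparison pair before the truncating conversion, and the out-of-range case needs a floating-point remainder.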
2018-10-15  Saam Barati  <sbarati@apple.com>

        JSArray::shiftCountWithArrayStorage is wrong when an array has holes
        https://bugs.webkit.org/show_bug.cgi?id=190262
        <rdar://problem/44986241>

        Reviewed by Mark Lam.

        We would take the fast path for shiftCountWithArrayStorage when the array
        hasHoles(). However, the code for this was wrong. It'd incorrectly update
        ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
        path is never taken in JetStream 2, this patch just removes that from
        the fast path. Instead, we just fallback to the slow path when hasHoles().
        If we find evidence that this matters for real use cases, we can
        figure out a way to make the fast path work.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237054.
        https://bugs.webkit.org/show_bug.cgi?id=190593

        "this regressed JetStream 2 by 6% on iOS" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "[JSC] JSC should have "parseFunction" to optimize Function
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=190340
        https://trac.webkit.org/changeset/237054

2018-10-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r237084): JavaScriptCore fails to build on Linux
        <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10949>

        * llint/LLIntSettingsExtractor.cpp: Attempt to fix build by
        including <stdio.h>.

2018-10-15  Alex Christensen  <achristensen@webkit.org>

        Shrink more enum classes
        https://bugs.webkit.org/show_bug.cgi?id=190540

        Reviewed by Chris Dumez.

        * runtime/ConsoleTypes.h:

2018-10-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Disable DOMJIT on 32bit architecture
        https://bugs.webkit.org/show_bug.cgi?id=190387

        Reviewed by Mark Lam.

        We disable DOMJIT on 32bit architecture due to exhaustion of registers.

        * runtime/Options.h:

2018-10-15  Alex Christensen  <achristensen@webkit.org>

        Include EnumTraits.h less
        https://bugs.webkit.org/show_bug.cgi?id=190535

        Reviewed by Chris Dumez.

        * runtime/ConsoleTypes.h:

2018-10-14  Mark Lam  <mark.lam@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * llint/LLIntOffsetsExtractor.cpp:

2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Remove Option::useAsyncIterator
        https://bugs.webkit.org/show_bug.cgi?id=190567

        Reviewed by Saam Barati.

        Async iterator has been enabled by default since 2017-08-09. It has already shipped in several releases,
        and we can think that it is already mature. Let's drop the option `Option::useAsyncIterator`.

        * Configurations/FeatureDefines.xcconfig:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
        (JSC::BytecodeGenerator::emitNewFunction):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * runtime/Options.h:

2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Remove Options::useObjectRestSpread
        https://bugs.webkit.org/show_bug.cgi?id=190568

        Reviewed by Saam Barati.

        Options::useObjectRestSpread has been enabled by default since 2017-06-27. It has already shipped in several releases,
        and we can think that it is mature. Let's drop the Options::useObjectRestSpread() flag.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/Parser.h:
        * runtime/Options.h:

2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSON.stringify can accept call-with-no-arguments
        https://bugs.webkit.org/show_bug.cgi?id=190343

        Reviewed by Mark Lam.

        JSON.stringify can accept `JSON.stringify()` call (call-with-no-arguments) according to the spec[1].
        Instead of throwing an error, we should take the first argument as `undefined` if it is not given.

        [1]: https://tc39.github.io/ecma262/#sec-json.stringify

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncStringify):

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Gardening: Build fix after r237084.
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Unreviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>

        Separate configuration extraction from offset extraction
        https://bugs.webkit.org/show_bug.cgi?id=189708

        Reviewed by Keith Miller.

        Instead of generating a file with all offsets for every combination of
        configurations, we first generate a file with only the configuration
        indices and pass that to the offset extractor. The offset extractor then
        only generates the offsets for valid configurations.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/generate_settings_extractor.rb: Added.
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237063.

        Caused layout test fast/dom/Window/window-postmessage-clone-
        deep-array.html to fail on macOS and iOS Debug bots.

        Reverted changeset:

        "[JSC] Remove gcc warnings on mips and armv7"
        https://bugs.webkit.org/show_bug.cgi?id=188598
        https://trac.webkit.org/changeset/237063

2018-10-11  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings on mips and armv7
        https://bugs.webkit.org/show_bug.cgi?id=188598

        Reviewed by Mark Lam.

        Fix many gcc/clang warnings that are false positives, mostly alignment
        issues.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printMemory):
        Use bitwise_cast instead of reinterpret_cast.
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        marked as potentially unused as it is not used on all platforms.
        (JSC::testProbeModifiesStackValues):
        modifiedFlags is not used on mips, so don't declare it.
        * bytecode/CodeBlock.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        Update calling code for the prototype change of
        ScriptExecutable::prepareForExecution().
        * jit/JITOperations.cpp: Same as for Interpreter.cpp.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::dataStorage):
        Use bitwise_cast instead of reinterpret_cast.
        * runtime/ScriptExecutable.cpp:
        * runtime/ScriptExecutable.h:
        Make ScriptExecutable::prepareForExecution() return an
        std::optional<Exception*> instead of a JSObject*.
        * tools/JSDollarVM.cpp:
        (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.

2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Use currentStackPointer more
        https://bugs.webkit.org/show_bug.cgi?id=190503

        Reviewed by Saam Barati.

        * runtime/VM.cpp:
        (JSC::VM::committedStackByteCount):

762 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
763
764         [JSC] JSC should have "parseFunction" to optimize Function constructor
765         https://bugs.webkit.org/show_bug.cgi?id=190340
766
767         Reviewed by Mark Lam.
768
769         The current Function constructor is suboptimal. We parse pieces of the same code three times to meet
770         the spec requirement: (1) check the parameters' syntax, (2) check the body syntax, and (3) parse the entire function.
771         And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
772         is really costly, and ideally we should meet the above requirement by parsing only once.
773
774         To meet the above requirement, we add a special function for Parser, parseSingleFunction. This function
775         takes `std::optional<int> functionConstructorParametersEndPosition` and checks in the parser that this end position is correct.
776         For example, if we run the code,
777
778             Function('/*', '*/){')
779
780         According to the spec, this should produce the '/*' parameter string and the '*/){' body string. And the parameter
781         string should be syntax-checked by the parser, which raises an error since it is incorrect. Instead of doing
782         that, in our implementation, we first create the entire string.
783
784             function anonymous(/*) {
785                 */){
786             }
787
788         And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
789         the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
790         offset of the parameters is the given end position. This check allows us to raise the error correctly for the
791         above example while we parse the entire function only once. And we do not need to create two strings either.
792
793         This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is
794         significantly sped up (28.2%).
795
796         Before:
797             uglify-js:  2.94 runs/s
798         After:
799             uglify-js:  3.77 runs/s
800
801         * bytecode/UnlinkedFunctionExecutable.cpp:
802         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
803         * bytecode/UnlinkedFunctionExecutable.h:
804         * parser/Parser.cpp:
805         (JSC::Parser<LexerType>::parseInner):
806         (JSC::Parser<LexerType>::parseSingleFunction):
807         (JSC::Parser<LexerType>::parseFunctionInfo):
808         (JSC::Parser<LexerType>::parseFunctionDeclaration):
809         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
810         (JSC::Parser<LexerType>::parseClass):
811         (JSC::Parser<LexerType>::parsePropertyMethod):
812         (JSC::Parser<LexerType>::parseGetterSetter):
813         (JSC::Parser<LexerType>::parseFunctionExpression):
814         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
815         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
816         * parser/Parser.h:
817         (JSC::Parser<LexerType>::parse):
818         (JSC::parse):
819         (JSC::parseFunctionForFunctionConstructor):
820         * parser/ParserModes.h:
821         * parser/ParserTokens.h:
822         (JSC::JSTextPosition::JSTextPosition):
823         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
824         * parser/SourceCodeKey.h:
825         (JSC::SourceCodeKey::SourceCodeKey):
826         (JSC::SourceCodeKey::operator== const):
827         * runtime/CodeCache.cpp:
828         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
829         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
830         * runtime/CodeCache.h:
831         * runtime/FunctionConstructor.cpp:
832         (JSC::constructFunctionSkippingEvalEnabledCheck):
833         * runtime/FunctionExecutable.cpp:
834         (JSC::FunctionExecutable::fromGlobalCode):
835         * runtime/FunctionExecutable.h:
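
The parameter-end-position check this entry describes, as an added illustration that is not JavaScriptCore's parser: the source text is assembled the way the entry shows it, the offset where the caller's parameter text ends is recorded, and a simplified scanner that honours comments and string literals finds where the parameter list actually closes; the two offsets must agree. The struct, the function names and the scanner are assumptions for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <optional>
#include <string>

// The text the Function constructor hands to the parser, built the way the
// ChangeLog's example shows it.  Everything here is an illustrative stand-in:
// the names and the scanner below are not JavaScriptCore's parser.
struct DynamicFunctionSource {
    std::string text;
    size_t openParenPosition;      // offset of the '(' that opens the parameter list
    size_t parametersEndPosition;  // offset where the caller's parameter text ends
};

DynamicFunctionSource buildDynamicFunctionSource(const std::string& params, const std::string& body)
{
    const std::string prefix = "function anonymous(";
    DynamicFunctionSource source;
    source.text = prefix + params + ") {\n" + body + "\n}";
    source.openParenPosition = prefix.size() - 1;
    // The ')' that should close the parameters is the one appended right after
    // the parameter text; this is the "end position" handed to the parser.
    source.parametersEndPosition = prefix.size() + params.size();
    return source;
}

// Simplified stand-in for the parser: find the ')' that really closes the
// parameter list, skipping block comments, line comments and string literals.
// (Assumption: regular-expression and template literals are not handled.)
std::optional<size_t> findParametersEnd(const std::string& text, size_t openParen)
{
    if (openParen >= text.size() || text[openParen] != '(')
        return std::nullopt;
    int depth = 0;
    for (size_t i = openParen; i < text.size(); ++i) {
        char c = text[i];
        if (c == '/' && i + 1 < text.size() && text[i + 1] == '*') {
            size_t close = text.find("*/", i + 2);
            if (close == std::string::npos)
                return std::nullopt;      // unterminated comment: a SyntaxError anyway
            i = close + 1;                // the loop's ++i steps past the closing '/'
            continue;
        }
        if (c == '/' && i + 1 < text.size() && text[i + 1] == '/') {
            size_t eol = text.find('\n', i);
            if (eol == std::string::npos)
                return std::nullopt;
            i = eol;
            continue;
        }
        if (c == '"' || c == '\'') {
            size_t j = i + 1;
            while (j < text.size() && text[j] != c) {
                if (text[j] == '\\')
                    ++j;                  // skip the escaped character
                ++j;
            }
            if (j >= text.size())
                return std::nullopt;      // unterminated string literal
            i = j;
            continue;
        }
        if (c == '(')
            ++depth;
        else if (c == ')' && --depth == 0)
            return i;
    }
    return std::nullopt;
}

// The check the ChangeLog describes: the parameter list the parser actually
// saw must end exactly where the parameter text ends.  If it does not, the
// parameter string swallowed part of the body (or vice versa), which the
// separate parse of the parameters would have rejected, so it is a SyntaxError.
bool dynamicFunctionParametersAreWellFormed(const std::string& params, const std::string& body)
{
    DynamicFunctionSource source = buildDynamicFunctionSource(params, body);
    std::optional<size_t> actualEnd = findParametersEnd(source.text, source.openParenPosition);
    return actualEnd.has_value() && *actualEnd == source.parametersEndPosition;
}

int main()
{
    assert(dynamicFunctionParametersAreWellFormed("a, b", "return a + b"));
    // Function('/*', '*/){'): the whole text parses as an empty function, but the
    // real parameter list ends past the caller's parameter text, so it is rejected.
    assert(!dynamicFunctionParametersAreWellFormed("/*", "*/){"));
    return 0;
}
```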
836
837 2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>
838
839         Fix non-existent define `CPU(JSVALUE64)`
840         https://bugs.webkit.org/show_bug.cgi?id=190479
841
842         Reviewed by Yusuke Suzuki.
843
844         * jit/CCallHelpers.h:
845         (JSC::CCallHelpers::setupArgumentsImpl):
846         Correct CPU(JSVALUE64) to USE(JSVALUE64).
847
848 2018-10-11  Keith Rollin  <krollin@apple.com>
849
850         CURRENT_ARCH should not be used in Run Script phase.
851         https://bugs.webkit.org/show_bug.cgi?id=190407
852         <rdar://problem/45133556>
853
854         Reviewed by Alexey Proskuryakov.
855
856         CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
857         CURRENT_ARCH is not well-defined during this phase (and may even have
858         the value "undefined") since this phase is run just once per build
859         rather than once per supported architecture. Migrate away from
860         CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
861         performing an operation for each value, or by picking the first entry
862         in ARCHS and using that as a representative value.
863
864         * JavaScriptCore.xcodeproj/project.pbxproj: Store
865         LLIntDesiredOffsets.h into a directory with a name based on ARCHS
866         rather than CURRENT_ARCH.
867
868 2018-10-10  Mark Lam  <mark.lam@apple.com>
869
870         Changes towards allowing use of the ASAN detect_stack_use_after_return option.
871         https://bugs.webkit.org/show_bug.cgi?id=190405
872         <rdar://problem/45131464>
873
874         Reviewed by Michael Saboff.
875
876         The ASAN detect_stack_use_after_return option checks for use of stack variables
877         after they have been freed.  It does this by allocating relevant stack variables
878         in heap memory (instead of on the stack) if the code ever takes the address of
879         those stack variables.  Unfortunately, this is a common idiom that we use to
880         compute the approximate stack pointer value.  As a result, on such ASAN runs, the
881         computed approximate stack pointer value will point into the heap instead of the
882         stack.  This breaks the VM's expectations and wreaks havoc.
883
884         To fix this, we use the newly introduced WTF::currentStackPointer() instead of
885         taking the address of stack variables.
886
887         We also need to enhance ExceptionScopes to be able to work with ASAN
888         detect_stack_use_after_return, which will allocate the scope in the heap.  We
889         work around this by passing the current stack pointer of the instantiating calling
890         frame into the scope constructor, and using that for the position check in
891         ~ThrowScope() instead.
892
893         The above is only a start towards enabling ASAN detect_stack_use_after_return on
894         the VM.  There are still other issues to be resolved before we can run with this
895         ASAN option.
896
897         * runtime/CatchScope.h:
898         * runtime/ExceptionEventLocation.h:
899         (JSC::ExceptionEventLocation::ExceptionEventLocation):
900         * runtime/ExceptionScope.h:
901         (JSC::ExceptionScope::stackPosition const):
902         * runtime/JSLock.cpp:
903         (JSC::JSLock::didAcquireLock):
904         * runtime/ThrowScope.cpp:
905         (JSC::ThrowScope::~ThrowScope):
906         * runtime/ThrowScope.h:
907         * runtime/VM.h:
908         (JSC::VM::needExceptionCheck const):
909         (JSC::VM::isSafeToRecurse const):
910         * wasm/js/WebAssemblyFunction.cpp:
911         (JSC::callWebAssemblyFunction):
912         * yarr/YarrPattern.cpp:
913         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
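
The address-of-a-local idiom this entry describes and its replacement, as an added example that is not WTF::currentStackPointer or JavaScriptCore's ExceptionScope: the function and class names are assumptions, and __builtin_frame_address stands in for the real implementation.

```cpp
#include <cstdint>
#include <cstdlib>

// The idiom the ChangeLog describes: approximate the stack pointer by taking
// the address of a local.  With ASAN detect_stack_use_after_return, any local
// whose address is taken is moved to ASAN's heap-allocated fake stack, so this
// value points into the heap instead of the stack.
__attribute__((noinline)) uintptr_t approximateStackPointerViaLocal()
{
    volatile char marker = 0;
    return reinterpret_cast<uintptr_t>(&marker);
}

// The replacement: ask the compiler for the current frame address.  No local
// has its address taken, so there is nothing for ASAN to relocate.
// (Assumption: a compiler providing __builtin_frame_address.)
__attribute__((noinline)) uintptr_t currentStackPointer()
{
    return reinterpret_cast<uintptr_t>(__builtin_frame_address(0));
}

// True when two stack-derived addresses lie within one page of each other,
// which holds in a normal build; under ASAN detect_stack_use_after_return the
// address-of-local value would land far away, in the heap.
bool withinOnePage(uintptr_t a, uintptr_t b)
{
    uintptr_t delta = a > b ? a - b : b - a;
    return delta < 4096;
}

// An exception-scope-style guard in the shape the ChangeLog describes: the
// caller passes its own stack pointer in at construction, and the position
// check compares against that recorded value rather than against `this`, which
// under the ASAN option may itself live in the heap.
class StackPositionScope {
public:
    explicit StackPositionScope(uintptr_t callerStackPointer)
        : m_stackPosition(callerStackPointer) { }

    // The frame tearing the scope down must be the frame that created it.
    bool positionCheckPasses() const
    {
        return withinOnePage(m_stackPosition, currentStackPointer());
    }

    ~StackPositionScope()
    {
        if (!positionCheckPasses())
            std::abort();   // RELEASE_ASSERT equivalent
    }

private:
    uintptr_t m_stackPosition;
};

// Compare both idioms from the same frame: they agree in a build without the
// ASAN option, which is exactly the assumption the old idiom relied on.
bool idiomsAgreeInThisBuild()
{
    uintptr_t viaLocal = approximateStackPointerViaLocal();
    uintptr_t viaBuiltin = currentStackPointer();
    return withinOnePage(viaLocal, viaBuiltin);
}

bool scopeCheckPassesWhenUsedCorrectly()
{
    StackPositionScope scope(currentStackPointer());
    return scope.positionCheckPasses();
}
```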
914
915 2018-10-10  Devin Rousso  <drousso@apple.com>
916
917         Web Inspector: create special Network waterfall for media events
918         https://bugs.webkit.org/show_bug.cgi?id=189773
919         <rdar://problem/44626605>
920
921         Reviewed by Joseph Pecoraro.
922
923         * inspector/protocol/DOM.json:
924         Add `didFireEvent` event that is fired when specific event listeners added by
925         `InspectorInstrumentation::addEventListenersToNode` are fired.
926
927 2018-10-10  Michael Saboff  <msaboff@apple.com>
928
929         Increase executable memory pool from 64MB to 128MB for ARM64
930         https://bugs.webkit.org/show_bug.cgi?id=190453
931
932         Reviewed by Saam Barati.
933
934         * jit/ExecutableAllocator.cpp:
935
936 2018-10-10  Devin Rousso  <drousso@apple.com>
937
938         Web Inspector: notify the frontend when a canvas has started recording via console.record
939         https://bugs.webkit.org/show_bug.cgi?id=190306
940
941         Reviewed by Brian Burg.
942
943         * inspector/protocol/Canvas.json:
944         Add `recordingStarted` event.
945
946         * inspector/protocol/Recording.json:
947         Add `Initiator` enum for determining who started the recording.
948
949 2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
950
951         [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
952         https://bugs.webkit.org/show_bug.cgi?id=190429
953
954         Reviewed by Saam Barati.
955
956         Some createXXX functions can fail. But sometimes the caller does not perform error checking.
957         To make it explicit that these functions can fail, we rename these functions from createXXX
958         to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
959         function does not fail, it should return Ref<>. Otherwise, it should be named as tryCreateXXX
960         and it should return RefPtr<>.
961
962         This patch mainly focuses on TypedArray factory functions. Previously, these functions were
963         `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
964         And we also introduce a `Ref<XXXArray> create(...)` function which internally performs
965         RELEASE_ASSERT on the result of `tryCreate(...)`.
966
967         And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.
968
969         This change actually finds one place which does not perform any null checks while it uses
970         the `RefPtr<> create(...)` function.
971
972         * API/JSCallbackObjectFunctions.h:
973         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
974         (JSC::JSCallbackObject<Parent>::put):
975         (JSC::JSCallbackObject<Parent>::putByIndex):
976         (JSC::JSCallbackObject<Parent>::deleteProperty):
977         (JSC::JSCallbackObject<Parent>::callbackGetter):
978         * API/JSClassRef.h:
979         (StaticValueEntry::StaticValueEntry):
980         * API/JSContext.mm:
981         (-[JSContext evaluateScript:withSourceURL:]):
982         (-[JSContext setName:]):
983         * API/JSContextRef.cpp:
984         (JSGlobalContextCopyName):
985         (JSContextCreateBacktrace):
986         * API/JSObjectRef.cpp:
987         (JSObjectCopyPropertyNames):
988         * API/JSScriptRef.cpp:
989         * API/JSStringRef.cpp:
990         (JSStringCreateWithCharactersNoCopy):
991         * API/JSValue.mm:
992         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
993         (+[JSValue valueWithNewErrorFromMessage:inContext:]):
994         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
995         (performPropertyOperation):
996         (-[JSValue invokeMethod:withArguments:]):
997         (containerValueToObject):
998         (objectToValueWithoutCopy):
999         (objectToValue):
1000         * API/JSValueRef.cpp:
1001         (JSValueCreateJSONString):
1002         (JSValueToStringCopy):
1003         * API/OpaqueJSString.cpp:
1004         (OpaqueJSString::tryCreate):
1005         (OpaqueJSString::create): Deleted.
1006         * API/OpaqueJSString.h:
1007         * API/glib/JSCContext.cpp:
1008         (evaluateScriptInContext):
1009         * API/glib/JSCValue.cpp:
1010         (jsc_value_new_string_from_bytes):
1011         * ftl/FTLLazySlowPath.h:
1012         (JSC::FTL::LazySlowPath::createGenerator):
1013         * ftl/FTLLazySlowPathCall.h:
1014         (JSC::FTL::createLazyCallGenerator):
1015         * ftl/FTLOSRExit.cpp:
1016         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1017         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
1018         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1019         * ftl/FTLOSRExit.h:
1020         * ftl/FTLPatchpointExceptionHandle.cpp:
1021         (JSC::FTL::PatchpointExceptionHandle::create):
1022         (JSC::FTL::PatchpointExceptionHandle::createHandle):
1023         * ftl/FTLPatchpointExceptionHandle.h:
1024         * heap/EdenGCActivityCallback.h:
1025         (JSC::GCActivityCallback::tryCreateEdenTimer):
1026         (JSC::GCActivityCallback::createEdenTimer): Deleted.
1027         * heap/FullGCActivityCallback.h:
1028         (JSC::GCActivityCallback::tryCreateFullTimer):
1029         (JSC::GCActivityCallback::createFullTimer): Deleted.
1030         * heap/GCActivityCallback.h:
1031         * heap/Heap.cpp:
1032         (JSC::Heap::Heap):
1033         * inspector/AsyncStackTrace.cpp:
1034         (Inspector::AsyncStackTrace::create):
1035         * inspector/AsyncStackTrace.h:
1036         * jsc.cpp:
1037         (fillBufferWithContentsOfFile):
1038         * runtime/ArrayBuffer.h:
1039         * runtime/GenericTypedArrayView.h:
1040         * runtime/GenericTypedArrayViewInlines.h:
1041         (JSC::GenericTypedArrayView<Adaptor>::create):
1042         (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
1043         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
1044         (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
1045         (JSC::GenericTypedArrayView<Adaptor>::subarray const):
1046         * runtime/JSArrayBufferView.cpp:
1047         (JSC::JSArrayBufferView::possiblySharedImpl):
1048         * runtime/JSGenericTypedArrayViewInlines.h:
1049         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
1050         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
1051         * wasm/WasmMemory.cpp:
1052         (JSC::Wasm::Memory::create):
1053         (JSC::Wasm::Memory::tryCreate):
1054         * wasm/WasmMemory.h:
1055         * wasm/WasmTable.cpp:
1056         (JSC::Wasm::Table::tryCreate):
1057         (JSC::Wasm::Table::create): Deleted.
1058         * wasm/WasmTable.h:
1059         * wasm/js/JSWebAssemblyInstance.cpp:
1060         (JSC::JSWebAssemblyInstance::create):
1061         * wasm/js/JSWebAssemblyMemory.cpp:
1062         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
1063         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1064         (JSC::constructJSWebAssemblyMemory):
1065         * wasm/js/WebAssemblyModuleRecord.cpp:
1066         (JSC::WebAssemblyModuleRecord::link):
1067         * wasm/js/WebAssemblyTableConstructor.cpp:
1068         (JSC::constructJSWebAssemblyTable):
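
The create/tryCreate convention this entry describes, as an added example that is not JavaScriptCore's GenericTypedArrayView: std::unique_ptr plays the role of the nullable RefPtr<>, the non-null contract of create() the role of Ref<>, and the class, its overflow rule and the caller are assumptions.

```cpp
#include <cstddef>
#include <cstdlib>
#include <limits>
#include <memory>
#include <optional>

// Illustrative stand-in for a typed-array view; the class, its limits and the
// caller below are assumptions for this example, not JavaScriptCore code.
class ByteArrayView {
public:
    // tryCreate: the name says it can fail.  Returns null when the byte size
    // would overflow size_t or the allocation fails, so callers must check.
    static std::unique_ptr<ByteArrayView> tryCreate(size_t length, size_t elementSize)
    {
        if (elementSize && length > std::numeric_limits<size_t>::max() / elementSize)
            return nullptr;   // length * elementSize would overflow
        size_t byteLength = length * elementSize;
        void* storage = std::calloc(byteLength ? byteLength : 1, 1);
        if (!storage)
            return nullptr;
        return std::unique_ptr<ByteArrayView>(new ByteArrayView(storage, byteLength));
    }

    // create: the infallible spelling.  It is tryCreate plus a RELEASE_ASSERT-style
    // abort, so a caller that cannot tolerate failure never receives a null.
    static std::unique_ptr<ByteArrayView> create(size_t length, size_t elementSize)
    {
        std::unique_ptr<ByteArrayView> view = tryCreate(length, elementSize);
        if (!view)
            std::abort();
        return view;
    }

    size_t byteLength() const { return m_byteLength; }
    ~ByteArrayView() { std::free(m_storage); }

private:
    ByteArrayView(void* storage, size_t byteLength)
        : m_storage(storage), m_byteLength(byteLength) { }
    void* m_storage;
    size_t m_byteLength;
};

// A caller written against the fallible factory: the null case is handled
// explicitly instead of being dereferenced, which is the missing-check bug
// class the rename in this patch made visible.
std::optional<size_t> byteLengthForView(size_t length, size_t elementSize)
{
    std::unique_ptr<ByteArrayView> view = ByteArrayView::tryCreate(length, elementSize);
    if (!view)
        return std::nullopt;
    return view->byteLength();
}
```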
1069
1070 2018-10-09  Devin Rousso  <drousso@apple.com>
1071
1072         Web Inspector: show redirect requests in Network and Timelines tabs
1073         https://bugs.webkit.org/show_bug.cgi?id=150005
1074         <rdar://problem/5378164>
1075
1076         Reviewed by Joseph Pecoraro.
1077
1078         * inspector/protocol/Network.json:
1079         Add missing fields to `ResourceTiming`.
1080
1081 2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>
1082
1083         [WPE] Explicitly link against gmodule where used
1084         https://bugs.webkit.org/show_bug.cgi?id=190398
1085
1086         Reviewed by Michael Catanzaro.
1087
1088         * PlatformWPE.cmake:
1089
1090 2018-10-08  Justin Fan  <justin_fan@apple.com>
1091
1092         WebGPU: Rename old WebGPU prototype to WebMetal
1093         https://bugs.webkit.org/show_bug.cgi?id=190325
1094         <rdar://problem/44990443>
1095
1096         Reviewed by Dean Jackson.
1097
1098         Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.
1099
1100         * Configurations/FeatureDefines.xcconfig:
1101         * inspector/protocol/Canvas.json:
1102         * inspector/scripts/codegen/generator.py:
1103
1104 2018-10-08  Aditya Keerthi  <akeerthi@apple.com>
1105
1106         Make <input type=color> a runtime enabled (on-by-default) feature
1107         https://bugs.webkit.org/show_bug.cgi?id=189162
1108
1109         Reviewed by Wenson Hsieh and Tim Horton.
1110
1111         * Configurations/FeatureDefines.xcconfig:
1112
1113 2018-10-08  Devin Rousso  <drousso@apple.com>
1114
1115         Web Inspector: group media network entries by the node that triggered the request
1116         https://bugs.webkit.org/show_bug.cgi?id=189606
1117         <rdar://problem/44438527>
1118
1119         Reviewed by Brian Burg.
1120
1121         * inspector/protocol/Network.json:
1122         Add an optional `nodeId` field to the `Initiator` object that is set if it is possible to
1123         determine which ancestor node triggered the load. It may not correspond directly to the node
1124         with the href/src, as that URL may only be used by an ancestor for loading.
1125
1126 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1127
1128         [JSC][Linux] Use non-truncated name for JIT workers in Linux
1129         https://bugs.webkit.org/show_bug.cgi?id=190339
1130
1131         Reviewed by Mark Lam.
1132
1133         The current thread names are meaningless in the Linux environment. We do not want to
1134         have truncated names in Linux: we want to have clear names in Linux. Instead, we
1135         should have the names for Linux separately from the names used in the non-Linux
1136         environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for the
1137         Linux environment.
1138
1139         * dfg/DFGWorklist.cpp:
1140         (JSC::DFG::createWorklistName):
1141         (JSC::DFG::Worklist::Worklist):
1142         (JSC::DFG::Worklist::create):
1143         (JSC::DFG::ensureGlobalDFGWorklist):
1144         (JSC::DFG::ensureGlobalFTLWorklist):
1145         * dfg/DFGWorklist.h:
1146         * jit/JITWorklist.cpp:
1147
1148 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1149
1150         Name Heap threads
1151         https://bugs.webkit.org/show_bug.cgi?id=190337
1152
1153         Reviewed by Mark Lam.
1154
1155         Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
1156         Linux does not accept names longer than 15 characters. We do not want to use the short name
1157         for non-Linux environments. And we want to have a clear name in Linux: a truncated name
1158         is not good. So, having the two names is the only way.
1159
1160         * heap/HeapHelperPool.cpp:
1161         (JSC::heapHelperPool):
1162
1163 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1164
1165         [JSC] Avoid creating ProgramExecutable in checkSyntax
1166         https://bugs.webkit.org/show_bug.cgi?id=190332
1167
1168         Reviewed by Mark Lam.
1169
1170         uglify-js in web-tooling-benchmark executes a massive number of Function constructor calls.
1171         In the Function constructor code, we perform checkSyntax for the body and parameters. So fast checkSyntax
1172         is important when the performance of the Function constructor matters. The current checkSyntax code
1173         unnecessarily allocates a ProgramExecutable. This patch removes this allocation and improves
1174         the benchmark score slightly.
1175
1176         Before:
1177             uglify-js:  2.87 runs/s
1178         After:
1179             uglify-js:  2.94 runs/s
1180
1181         * runtime/Completion.cpp:
1182         (JSC::checkSyntaxInternal):
1183         (JSC::checkSyntax):
1184         * runtime/ProgramExecutable.cpp:
1185         (JSC::ProgramExecutable::checkSyntax): Deleted.
1186         * runtime/ProgramExecutable.h:
1187
1188 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1189
1190         [ESNext][BigInt] Implement support for "|"
1191         https://bugs.webkit.org/show_bug.cgi?id=186229
1192
1193         Reviewed by Yusuke Suzuki.
1194
1195         This patch is introducing support for BigInt into the bitwise "or" operator.
1196         In addition, we are also introducing 2 new DFG nodes, named "ArithBitOr" and
1197         "ValueBitOr", to replace the "BitOr" node. The idea is to follow the
1198         distinction that we make between Arith<op> and Value<op>, where ArithBitOr
1199         handles cases when the operands are Int32 and ValueBitOr handles
1200         the remaining cases.
1201
1202         We are also changing op_bitor to use ValueProfile. We are using
1203         ValueProfile during DFG generation to emit "ArithBitOr" when
1204         outcome prediction is Int32.
1205
1206         * bytecode/CodeBlock.cpp:
1207         (JSC::CodeBlock::finishCreation):
1208         (JSC::CodeBlock::arithProfileForPC):
1209         * bytecompiler/BytecodeGenerator.cpp:
1210         (JSC::BytecodeGenerator::emitBinaryOp):
1211         * dfg/DFGAbstractInterpreterInlines.h:
1212         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1213         * dfg/DFGBackwardsPropagationPhase.cpp:
1214         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1215         (JSC::DFG::BackwardsPropagationPhase::propagate):
1216         * dfg/DFGByteCodeParser.cpp:
1217         (JSC::DFG::ByteCodeParser::parseBlock):
1218         * dfg/DFGClobberize.h:
1219         (JSC::DFG::clobberize):
1220         * dfg/DFGDoesGC.cpp:
1221         (JSC::DFG::doesGC):
1222         * dfg/DFGFixupPhase.cpp:
1223         (JSC::DFG::FixupPhase::fixupNode):
1224         * dfg/DFGNodeType.h:
1225         * dfg/DFGOperations.cpp:
1226         (JSC::DFG::bitwiseOp):
1227         * dfg/DFGOperations.h:
1228         * dfg/DFGPredictionPropagationPhase.cpp:
1229         * dfg/DFGSafeToExecute.h:
1230         (JSC::DFG::safeToExecute):
1231         * dfg/DFGSpeculativeJIT.cpp:
1232         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1233         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1234         * dfg/DFGSpeculativeJIT.h:
1235         (JSC::DFG::SpeculativeJIT::bitOp):
1236         * dfg/DFGSpeculativeJIT32_64.cpp:
1237         (JSC::DFG::SpeculativeJIT::compile):
1238         * dfg/DFGSpeculativeJIT64.cpp:
1239         (JSC::DFG::SpeculativeJIT::compile):
1240         * dfg/DFGStrengthReductionPhase.cpp:
1241         (JSC::DFG::StrengthReductionPhase::handleNode):
1242         * ftl/FTLCapabilities.cpp:
1243         (JSC::FTL::canCompile):
1244         * ftl/FTLLowerDFGToB3.cpp:
1245         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1246         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
1247         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
1248         (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
1249         * jit/JITArithmetic.cpp:
1250         (JSC::JIT::emit_op_bitor):
1251         * llint/LowLevelInterpreter32_64.asm:
1252         * llint/LowLevelInterpreter64.asm:
1253         * runtime/CommonSlowPaths.cpp:
1254         (JSC::SLOW_PATH_DECL):
1255         * runtime/JSBigInt.cpp:
1256         (JSC::JSBigInt::bitwiseAnd):
1257         (JSC::JSBigInt::bitwiseOr):
1258         (JSC::JSBigInt::absoluteBitwiseOp):
1259         (JSC::JSBigInt::absoluteAddOne):
1260         * runtime/JSBigInt.h:
1261
1262 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1263
1264         [JSC] Use new extra memory reporting in SparseArrayMap
1265         https://bugs.webkit.org/show_bug.cgi?id=190278
1266
1267         Reviewed by Keith Miller.
1268
1269         This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
1270         to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.
1271
1272         * runtime/SparseArrayValueMap.cpp:
1273         (JSC::SparseArrayValueMap::add):
1274         (JSC::SparseArrayValueMap::visitChildren):
1275
1276 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1277
1278         [JSC][Linux] Support Perf JITDump logging
1279         https://bugs.webkit.org/show_bug.cgi?id=189893
1280
1281         Reviewed by Mark Lam.
1282
1283         This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
1284         We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
1285         By using this dump and perf.data output, we can annotate JIT code with profiling information.
1286
1287             $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
1288             $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
1289             [ perf record: Woken up 1 times to write data ]
1290             [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
1291             $ perf inject --jit -i perf.data -o perf.jit.data
1292             $ perf report -i perf.jit.data
1293
1294         * Sources.txt:
1295         * assembler/LinkBuffer.cpp:
1296         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1297         * assembler/LinkBuffer.h:
1298         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1299         * assembler/PerfLog.cpp: Added.
1300         (JSC::PerfLog::singleton):
1301         (JSC::generateTimestamp):
1302         (JSC::getCurrentThreadID):
1303         (JSC::PerfLog::PerfLog):
1304         (JSC::PerfLog::write):
1305         (JSC::PerfLog::flush):
1306         (JSC::PerfLog::log):
1307         * assembler/PerfLog.h: Added.
1308         * jit/ExecutableAllocator.cpp:
1309         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1310         * runtime/Options.cpp:
1311         (JSC::Options::isAvailable):
1312         * runtime/Options.h:
1313
1314 2018-10-05  Mark Lam  <mark.lam@apple.com>
1315
1316         Gardening: Build fix after r236880.
1317         https://bugs.webkit.org/show_bug.cgi?id=190317
1318
1319         Unreviewed.
1320
1321         * jit/ExecutableAllocator.h:
1322
1323 2018-10-05  Mark Lam  <mark.lam@apple.com>
1324
1325         performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
1326         https://bugs.webkit.org/show_bug.cgi?id=190317
1327         <rdar://problem/45039398>
1328
1329         Reviewed by Saam Barati.
1330
1331         When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
1332         to copy memory before the JIT fixed memory pool is initialized.  Before r236864,
1333         performJITMemcpy() would just do a memcpy in that case.  We need to restore the
1334         equivalent behavior.
1335
1336         * jit/ExecutableAllocator.cpp:
1337         (JSC::isJITPC):
1338         * jit/ExecutableAllocator.h:
1339         (JSC::performJITMemcpy):
1340
1341 2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>
1342
1343         [WPE][JSC] Use Unified Sources for Platform-specific sources
1344         https://bugs.webkit.org/show_bug.cgi?id=190300
1345
1346         Reviewed by Yusuke Suzuki.
1347
1348         Currently the GTK port already uses Unified Sources with the same source files.
1349         As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
1350         to the list of libraries to link with.
1351
1352         * PlatformWPE.cmake:
1353         * SourcesWPE.txt: Added.
1354         * shell/PlatformWPE.cmake:
1355
1356 2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>
1357
1358         [GTK] build fails with python 3 if LANG and LC_TYPE are unset
1359         https://bugs.webkit.org/show_bug.cgi?id=190258
1360
1361         Reviewed by Konstantin Tokarev.
1362
1363         * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
1364         * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
1365           encoding=UTF-8 on Python 3.
1366         * yarr/generateYarrCanonicalizeUnicode: Ditto.
1367         * yarr/generateYarrUnicodePropertyTables.py: Ditto.
1368
1369 2018-10-04  Mark Lam  <mark.lam@apple.com>
1370
1371         Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
1372         https://bugs.webkit.org/show_bug.cgi?id=190295
1373         <rdar://problem/19197193>
1374
1375         Reviewed by Saam Barati.
1376
1377         This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
1378         instead of needing to use our own custom version here.
1379
1380         * jit/ExecutableAllocator.cpp:
1381         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1382         (JSC::FixedVMPoolExecutableAllocator::memoryStart):
1383         (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
1384         (JSC::FixedVMPoolExecutableAllocator::isJITPC):
1385         (JSC::ExecutableAllocator::allocate):
1386         (JSC::startOfFixedExecutableMemoryPoolImpl):
1387         (JSC::endOfFixedExecutableMemoryPoolImpl):
1388         (JSC::isJITPC):
1389         * jit/ExecutableAllocator.h:
1390
1391 2018-10-04  Mark Lam  <mark.lam@apple.com>
1392
1393         Disable Options::useWebAssemblyFastMemory() on linux if ASAN signal handling is not disabled.
1394         https://bugs.webkit.org/show_bug.cgi?id=190283
1395         <rdar://problem/45015752>
1396
1397         Reviewed by Keith Miller.
1398
1399         * runtime/Options.cpp:
1400         (JSC::Options::initialize):
1401         * wasm/WasmFaultSignalHandler.cpp:
1402         (JSC::Wasm::enableFastMemory):
1403
1404 2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>
1405
1406         [JSC] print() changes CRLF to CRCRLF on Windows
1407         https://bugs.webkit.org/show_bug.cgi?id=190228
1408
1409         Reviewed by Mark Lam.
1410
1411         * jsc.cpp:
1412         (main):
1413         Ultimately, this is just the normal behavior of printf in text mode on Windows.
1414         Since we're reading in files as binary, we need to be printing out as binary too
1415         (just as we do in DumpRenderTree and ImageDiff.)
1416
1417 2018-10-03  Saam barati  <sbarati@apple.com>
1418
1419         lowXYZ in FTLLower should always filter the type of the incoming edge
1420         https://bugs.webkit.org/show_bug.cgi?id=189939
1421         <rdar://problem/44407030>
1422
1423         Reviewed by Michael Saboff.
1424
1425         For example, the FTL may know more about data flow than AI in certain programs,
1426         and it needs to inform AI of these data flow properties to appease the assertion
1427         we have in AI that a node must perform type checks on its child nodes.
1428         
1429         For example, consider this program:
1430         
1431         ```
1432         bb#1
1433         a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
1434         Branch(...,  #2, #3)
1435         
1436         bb#2
1437         ArrayifyToStructure(Cell:@a) // This modifies @a to have its previous type union the type of some structure set.
1438         Jump(#3)
1439         
1440         bb#3
1441         c: Add(Int32:@something, Int32:@a)
1442         ```
1443         
1444         When the Add node does lowInt32() for @a, FTL lower used to just grab it
1445         from the int32 hash table without filtering the AbstractValue. However,
1446         the parent node is asking for a type check to happen, so we must inform
1447         AI of this "type check" if we want to appease the assertion that all nodes
1448         perform type checks for their edges that semantically perform type checks.
1449         This patch makes it so we filter the AbstractValue in the lowXYZ even
1450         if FTLLower proved the value must be XYZ.
1451
1452         * ftl/FTLLowerDFGToB3.cpp:
1453         (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
1454         (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
1455         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1456         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1457         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1458
1459 2018-10-03  Michael Saboff  <msaboff@apple.com>
1460
1461         Command line jsc should report memory footprint in bytes
1462         https://bugs.webkit.org/show_bug.cgi?id=190267
1463
1464         Reviewed by Mark Lam.
1465
1466         Change to leave the footprint values from the system unmodified.
1467
1468         * jsc.cpp:
1469         (JSCMemoryFootprint::finishCreation):
1470
1471 2018-10-03  Mark Lam  <mark.lam@apple.com>
1472
1473         Suppress unreachable code warning for LLIntAssembly.h code.
1474         https://bugs.webkit.org/show_bug.cgi?id=190263
1475         <rdar://problem/44986532>
1476
1477         Reviewed by Saam Barati.
1478
1479         This is needed because LLIntAssembly.h is template generated from LowLevelInterpreter
1480         asm files, and may contain dead code which is harmless, but will trip up the warning.
1481         We should suppress the warning so that it doesn't break builds.
1482
1483         * llint/LowLevelInterpreter.cpp:
1484         (JSC::CLoop::execute):
1485
1486 2018-10-03  Dan Bernstein  <mitz@apple.com>
1487
1488         JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
1489         https://bugs.webkit.org/show_bug.cgi?id=190250
1490
1491         Reviewed by Alex Christensen.
1492
1493         * API/tests/Regress141275.mm:
1494         (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
1495           by making the self-retaining explicit.
1496
1497         * API/tests/testapi.cpp:
1498         (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
1499           loop instead of returning from the lambda.
1500
1501         * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
1502           CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
1503           CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.
1504
1505         * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
1506           UnlinkedFunctionExecutable.h, and let Xcode update the project file.
1507
1508         * assembler/MacroAssemblerPrinter.cpp:
1509         (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
1510           some commas with semicolons.
1511
1512 2018-10-03  Mark Lam  <mark.lam@apple.com>
1513
1514         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1515         https://bugs.webkit.org/show_bug.cgi?id=190187
1516         <rdar://problem/42512909>
1517
1518         Reviewed by Michael Saboff.
1519
1520         Allowing different max string lengths at each level opens up opportunities for
1521         bugs to creep in.  With 2 different max length values, it is more difficult to
1522         keep the story straight on how we do overflow / bounds checks at each place in
1523         the code.  It's also difficult to tell if a seemingly valid check at the WTF level
1524         will have bad ramifications at the JSC level.  Also, it's not meaningful to
1525         support a max length > INT_MAX.  To eliminate this class of bugs, we'll
1526         standardize on a MaxLength of INT_MAX at all levels.
1527
1528         We'll also standardize the way we do length overflow checks on using
1529         CheckedArithmetic, and add some asserts to document the assumptions of the code.
1530
1531         * runtime/FunctionConstructor.cpp:
1532         (JSC::constructFunctionSkippingEvalEnabledCheck):
1533         - Fix OOM error handling which crashed a test after the new MaxLength was applied.
1534         * runtime/JSString.h:
1535         (JSC::JSString::finishCreation):
1536         (JSC::JSString::createHasOtherOwner):
1537         (JSC::JSString::setLength):
1538         * runtime/JSStringInlines.h:
1539         (JSC::jsMakeNontrivialString):
1540         * runtime/Operations.h:
1541         (JSC::jsString):
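
The following is an added illustration, not JavaScriptCore's code, of the length-check discipline this entry describes: one limit (INT_MAX) applied at every layer, with the arithmetic widened so it cannot wrap. The function names, the kMaxStringLength constant and the wrappingConcatFits counter-example are constructed for this example; they are not the project's API.

```cpp
#include <climits>
#include <cstdint>
#include <optional>

// A single maximum string length used at every layer, mirroring the patch's
// choice of INT_MAX (constant name is an assumption for this example).
constexpr uint32_t kMaxStringLength = static_cast<uint32_t>(INT_MAX);

// Length of a concatenation a + b if it stays within kMaxStringLength,
// otherwise std::nullopt so the caller can report out-of-memory.
// The addition is done in 64 bits, so it cannot wrap before the comparison.
std::optional<uint32_t> checkedConcatLength(uint32_t a, uint32_t b)
{
    uint64_t sum = static_cast<uint64_t>(a) + static_cast<uint64_t>(b);
    if (sum > kMaxStringLength)
        return std::nullopt;
    return static_cast<uint32_t>(sum);
}

// Length of a string of |length| characters repeated |count| times, same bound.
// (2^32 - 1)^2 < 2^64, so the 64-bit product is exact.
std::optional<uint32_t> checkedRepeatLength(uint32_t length, uint32_t count)
{
    uint64_t product = static_cast<uint64_t>(length) * static_cast<uint64_t>(count);
    if (product > kMaxStringLength)
        return std::nullopt;
    return static_cast<uint32_t>(product);
}

// The class of bug that inconsistent limits invite: a 32-bit add compared
// against a 32-bit limit. Unsigned wrap-around is silent, so an oversized
// request can pass the check and a too-small buffer gets allocated downstream.
bool wrappingConcatFits(uint32_t a, uint32_t b)
{
    uint32_t sum = a + b;          // wraps modulo 2^32 without any diagnostic
    return sum <= UINT32_MAX - 1;  // a limit that differs from the JSC-level INT_MAX
}
```

The checked variants return an empty optional rather than clamping, so an allocation site cannot proceed with a length the check did not approve.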
1542
1543 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
1544
1545         [JSC] Add a C++ callable overload of objectConstructorSeal
1546         https://bugs.webkit.org/show_bug.cgi?id=190137
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         * runtime/ObjectConstructor.cpp:
1551         * runtime/ObjectConstructor.h:
1552
1553 2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>
1554
1555         Fix Disassembler-output on ARM Thumb2
1556         https://bugs.webkit.org/show_bug.cgi?id=190203
1557
1558         On ARMv7 with Thumb2, addresses have bit 0 set to 1 to force
1559         execution in thumb mode for jumps and calls. The actual machine
1560         instructions are still aligned to 2 bytes though. Use dataLocation() as
1561         start address for disassembling since it unsets the thumb bit.
1562         Until now the disassembler would start at the wrong address (off by 1),
1563         resulting in the wrong disassembled machine instructions.
1564
1565         Reviewed by Mark Lam.
1566
1567         * disassembler/CapstoneDisassembler.cpp:
1568         (JSC::tryToDisassemble):
1569
1570 2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1571
1572         [JSC] Add stub of ExecutableAllocator used when JIT is disabled
1573         https://bugs.webkit.org/show_bug.cgi?id=190215
1574
1575         Reviewed by Mark Lam.
1576
1577         When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since
1578         it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since
1579         our MacroAssembler tells machine architecture information. Eventually, we would like to decouple
1580         this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
1581         for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).
1582
1583         To ensure any executable memory allocation is not done, we add a stub of ExecutableAllocator for
1584         non-JIT configurations. This does not have any functionality allocating executable memory, thus
1585         any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF.
1586
1587         * jit/ExecutableAllocator.cpp:
1588         (JSC::ExecutableAllocator::initializeAllocator):
1589         (JSC::ExecutableAllocator::singleton):
1590         * jit/ExecutableAllocator.h:
1591         (JSC::ExecutableAllocator::isValid const):
1592         (JSC::ExecutableAllocator::underMemoryPressure):
1593         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1594         (JSC::ExecutableAllocator::dumpProfile):
1595         (JSC::ExecutableAllocator::allocate):
1596         (JSC::ExecutableAllocator::isValidExecutableMemory):
1597         (JSC::ExecutableAllocator::committedByteCount):
1598         (JSC::ExecutableAllocator::getLock const):
1599         (JSC::performJITMemcpy):
1600
1601 2018-10-01  Dean Jackson  <dino@apple.com>
1602
1603         Remove CSS Animation Triggers
1604         https://bugs.webkit.org/show_bug.cgi?id=190175
1605         <rdar://problem/44925626>
1606
1607         Reviewed by Simon Fraser.
1608
1609         * Configurations/FeatureDefines.xcconfig:
1610
1611 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1612
1613         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1614         https://bugs.webkit.org/show_bug.cgi?id=190033
1615
1616         Reviewed by Yusuke Suzuki.
1617
1618         The implementation of JSBigInt::toStringToGeneric doesn't handle power
1619         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
1620         implemented JSBigInt::toStringBasePowerOfTwo that follows the
1621         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
1622         digit.
1623
1624         * runtime/JSBigInt.cpp:
1625         (JSC::JSBigInt::toString):
1626         (JSC::JSBigInt::toStringBasePowerOfTwo):
1627         * runtime/JSBigInt.h:
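
As an added, self-contained example (not the project's JSBigInt implementation), the power-of-two radix conversion described above: digits are extracted by masking with radix - 1 and shifting log2(radix) bits at a time, carrying leftover bits across 32-bit digit boundaries, which is the multi-digit case the entry says the generic path mishandled. The Digits alias, the free function and the rejectsRadix helper are constructed for this example and are not JSBigInt's real signatures.

```cpp
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Magnitude of a non-negative big integer, least-significant 32-bit digit first
// (representation chosen for this example).
using Digits = std::vector<uint32_t>;

static bool isPowerOfTwo(unsigned radix) { return radix && !(radix & (radix - 1)); }

// Converts |digits| to a string in radix 2, 4, 8, 16 or 32 by grouping bits:
// each output character is (bits & mask) with mask = radix - 1, then the bit
// buffer is shifted right by log2(radix). A 64-bit buffer carries the bits left
// over at the end of one 32-bit digit into the next.
std::string toStringBasePowerOfTwo(const Digits& digits, unsigned radix)
{
    if (radix < 2 || radix > 32 || !isPowerOfTwo(radix))
        throw std::invalid_argument("radix must be a power of two in [2, 32]");
    if (digits.empty())
        return "0";

    static const char alphabet[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    unsigned bitsPerChar = 0;
    while ((1u << bitsPerChar) < radix)
        bitsPerChar++;
    const uint64_t mask = radix - 1;

    std::string out;          // least-significant character first, reversed at the end
    uint64_t buffer = 0;      // bits not yet emitted, LSB first
    unsigned available = 0;   // number of valid bits in |buffer| (< bitsPerChar between digits)
    for (uint32_t digit : digits) {
        buffer |= static_cast<uint64_t>(digit) << available;  // at most 4 + 32 bits in use
        available += 32;
        while (available >= bitsPerChar) {
            out.push_back(alphabet[buffer & mask]);
            buffer >>= bitsPerChar;
            available -= bitsPerChar;
        }
    }
    if (available)                                    // partial final group
        out.push_back(alphabet[buffer & mask]);

    while (out.size() > 1 && out.back() == '0')      // strip leading zeros
        out.pop_back();
    std::reverse(out.begin(), out.end());
    return out;
}

// True if the conversion rejects |radix| (helper for checking the guard).
bool rejectsRadix(unsigned radix)
{
    try {
        toStringBasePowerOfTwo(Digits{1}, radix);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

The bound on the buffer is what makes the carry safe: between digits fewer than bitsPerChar (at most 4) bits remain, so OR-ing in the next 32-bit digit never exceeds 36 bits.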
1628
1629 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1630
1631         [JSC] Add branchIfNaN and branchIfNotNaN
1632         https://bugs.webkit.org/show_bug.cgi?id=190122
1633
1634         Reviewed by Mark Lam.
1635
1636         Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.
1637
1638         * dfg/DFGSpeculativeJIT.cpp:
1639         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1640         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1641         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1642         (JSC::DFG::SpeculativeJIT::compileSpread):
1643         (JSC::DFG::SpeculativeJIT::compileNewArray):
1644         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1645         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
1646         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1647         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1648         * dfg/DFGSpeculativeJIT32_64.cpp:
1649         (JSC::DFG::SpeculativeJIT::compile):
1650         * dfg/DFGSpeculativeJIT64.cpp:
1651         (JSC::DFG::SpeculativeJIT::compile):
1652         * jit/AssemblyHelpers.cpp:
1653         (JSC::AssemblyHelpers::purifyNaN):
1654         * jit/AssemblyHelpers.h:
1655         (JSC::AssemblyHelpers::branchIfNaN):
1656         (JSC::AssemblyHelpers::branchIfNotNaN):
1657         * jit/JITPropertyAccess.cpp:
1658         (JSC::JIT::emitGenericContiguousPutByVal):
1659         (JSC::JIT::emitDoubleLoad):
1660         (JSC::JIT::emitFloatTypedArrayGetByVal):
1661         * jit/JITPropertyAccess32_64.cpp:
1662         (JSC::JIT::emitGenericContiguousPutByVal):
1663         * wasm/js/JSToWasm.cpp:
1664         (JSC::Wasm::createJSToWasmWrapper):
1665
1666 2018-10-01  Mark Lam  <mark.lam@apple.com>
1667
1668         Function.toString() should also copy the source code Functions that are class definitions.
1669         https://bugs.webkit.org/show_bug.cgi?id=190186
1670         <rdar://problem/44733360>
1671
1672         Reviewed by Saam Barati.
1673
1674         Previously, if the Function is a class definition, functionProtoFuncToString()
1675         would create a String using StringView::toStringWithoutCopying(), and use that
1676         String to make a JSString.  This is not a problem if the underlying SourceProvider
1677         (that backs the characters in that StringView) is immortal.  However, this is
1678         not always the case in practice.
1679
1680         This patch fixes this issue by changing functionProtoFuncToString() to create the
1681         String using StringView::toString() instead, which makes a copy of the underlying
1682         characters buffer.  This detaches the resultant JSString from the SourceProvider
1683         characters buffer that it was created from, and ensures that the underlying
1684         characters buffer of the string will be alive for the entire lifetime of the
1685         JSString.
1686
1687         * runtime/FunctionPrototype.cpp:
1688         (JSC::functionProtoFuncToString):
1689
1690 2018-10-01  Keith Miller  <keith_miller@apple.com>
1691
1692         Create a RELEASE_AND_RETURN macro for ExceptionScopes
1693         https://bugs.webkit.org/show_bug.cgi?id=190163
1694
1695         Reviewed by Mark Lam.
1696
1697         The new RELEASE_AND_RETURN does all the work for cases
1698         where you want to return the result of some expression
1699         without explicitly checking for an exception. This is
1700         much like the existing RETURN_IF_EXCEPTION macro.
1701
1702         * dfg/DFGOperations.cpp:
1703         (JSC::DFG::newTypedArrayWithSize):
1704         * interpreter/Interpreter.cpp:
1705         (JSC::eval):
1706         * jit/JITOperations.cpp:
1707         (JSC::getByVal):
1708         * jsc.cpp:
1709         (functionDollarAgentReceiveBroadcast):
1710         * llint/LLIntSlowPaths.cpp:
1711         (JSC::LLInt::setUpCall):
1712         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1713         (JSC::LLInt::varargsSetup):
1714         * profiler/ProfilerDatabase.cpp:
1715         (JSC::Profiler::Database::toJSON const):
1716         * runtime/AbstractModuleRecord.cpp:
1717         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1718         * runtime/ArrayConstructor.cpp:
1719         (JSC::constructArrayWithSizeQuirk):
1720         * runtime/ArrayPrototype.cpp:
1721         (JSC::getProperty):
1722         (JSC::fastJoin):
1723         (JSC::arrayProtoFuncToString):
1724         (JSC::arrayProtoFuncToLocaleString):
1725         (JSC::arrayProtoFuncJoin):
1726         (JSC::arrayProtoFuncPop):
1727         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1728         * runtime/BigIntConstructor.cpp:
1729         (JSC::toBigInt):
1730         * runtime/CommonSlowPaths.h:
1731         (JSC::CommonSlowPaths::opInByVal):
1732         * runtime/ConstructData.cpp:
1733         (JSC::construct):
1734         * runtime/DateConstructor.cpp:
1735         (JSC::dateParse):
1736         * runtime/DatePrototype.cpp:
1737         (JSC::dateProtoFuncToPrimitiveSymbol):
1738         * runtime/DirectArguments.h:
1739         * runtime/ErrorConstructor.cpp:
1740         (JSC::Interpreter::constructWithErrorConstructor):
1741         * runtime/ErrorPrototype.cpp:
1742         (JSC::errorProtoFuncToString):
1743         * runtime/ExceptionScope.h:
1744         * runtime/FunctionConstructor.cpp:
1745         (JSC::constructFunction):
1746         * runtime/FunctionPrototype.cpp:
1747         (JSC::functionProtoFuncToString):
1748         * runtime/GenericArgumentsInlines.h:
1749         (JSC::GenericArguments<Type>::defineOwnProperty):
1750         * runtime/GetterSetter.cpp:
1751         (JSC::callGetter):
1752         * runtime/IntlCollatorConstructor.cpp:
1753         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1754         * runtime/IntlCollatorPrototype.cpp:
1755         (JSC::IntlCollatorFuncCompare):
1756         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1757         * runtime/IntlDateTimeFormatConstructor.cpp:
1758         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1759         * runtime/IntlDateTimeFormatPrototype.cpp:
1760         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1761         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1762         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1763         * runtime/IntlNumberFormatConstructor.cpp:
1764         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1765         * runtime/IntlNumberFormatPrototype.cpp:
1766         (JSC::IntlNumberFormatFuncFormatNumber):
1767         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1768         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1769         * runtime/IntlObject.cpp:
1770         (JSC::intlNumberOption):
1771         * runtime/IntlObjectInlines.h:
1772         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1773         * runtime/IntlPluralRules.cpp:
1774         (JSC::IntlPluralRules::resolvedOptions):
1775         * runtime/IntlPluralRulesConstructor.cpp:
1776         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1777         * runtime/IntlPluralRulesPrototype.cpp:
1778         (JSC::IntlPluralRulesPrototypeFuncSelect):
1779         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1780         * runtime/JSArray.cpp:
1781         (JSC::JSArray::defineOwnProperty):
1782         (JSC::JSArray::put):
1783         (JSC::JSArray::setLength):
1784         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1785         * runtime/JSArrayBufferPrototype.cpp:
1786         (JSC::arrayBufferProtoGetterFuncByteLength):
1787         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1788         * runtime/JSArrayInlines.h:
1789         (JSC::toLength):
1790         * runtime/JSBoundFunction.cpp:
1791         (JSC::boundFunctionCall):
1792         (JSC::boundFunctionConstruct):
1793         * runtime/JSCJSValue.cpp:
1794         (JSC::JSValue::putToPrimitive):
1795         * runtime/JSCJSValueInlines.h:
1796         (JSC::JSValue::toIndex const):
1797         (JSC::JSValue::toPropertyKey const):
1798         (JSC::JSValue::get const):
1799         (JSC::JSValue::getPropertySlot const):
1800         (JSC::JSValue::getOwnPropertySlot const):
1801         (JSC::JSValue::equalSlowCaseInline):
1802         * runtime/JSDataView.cpp:
1803         (JSC::JSDataView::put):
1804         (JSC::JSDataView::defineOwnProperty):
1805         * runtime/JSFunction.cpp:
1806         (JSC::JSFunction::put):
1807         (JSC::JSFunction::defineOwnProperty):
1808         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1809         (JSC::constructGenericTypedArrayViewWithArguments):
1810         (JSC::constructGenericTypedArrayView):
1811         * runtime/JSGenericTypedArrayViewInlines.h:
1812         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1813         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1814         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1815         (JSC::speciesConstruct):
1816         (JSC::genericTypedArrayViewProtoFuncJoin):
1817         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1818         * runtime/JSGlobalObject.cpp:
1819         (JSC::JSGlobalObject::put):
1820         * runtime/JSGlobalObjectFunctions.cpp:
1821         (JSC::decode):
1822         (JSC::globalFuncEval):
1823         (JSC::globalFuncProtoGetter):
1824         * runtime/JSInternalPromise.cpp:
1825         (JSC::JSInternalPromise::then):
1826         * runtime/JSModuleEnvironment.cpp:
1827         (JSC::JSModuleEnvironment::put):
1828         * runtime/JSModuleLoader.cpp:
1829         (JSC::JSModuleLoader::provideFetch):
1830         (JSC::JSModuleLoader::loadAndEvaluateModule):
1831         (JSC::JSModuleLoader::loadModule):
1832         (JSC::JSModuleLoader::linkAndEvaluateModule):
1833         (JSC::JSModuleLoader::requestImportModule):
1834         (JSC::JSModuleLoader::getModuleNamespaceObject):
1835         (JSC::moduleLoaderRequestedModules):
1836         * runtime/JSONObject.cpp:
1837         (JSC::Stringifier::stringify):
1838         (JSC::Stringifier::toJSON):
1839         (JSC::Walker::walk):
1840         (JSC::JSONProtoFuncStringify):
1841         * runtime/JSObject.cpp:
1842         (JSC::ordinarySetSlow):
1843         (JSC::JSObject::putInlineSlow):
1844         (JSC::JSObject::toPrimitive const):
1845         (JSC::JSObject::hasInstance):
1846         (JSC::JSObject::toNumber const):
1847         (JSC::JSObject::defineOwnIndexedProperty):
1848         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1849         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1850         (JSC::JSObject::defineOwnNonIndexProperty):
1851         * runtime/JSObject.h:
1852         (JSC::JSObject::get const):
1853         * runtime/JSObjectInlines.h:
1854         (JSC::JSObject::getPropertySlot const):
1855         (JSC::JSObject::putInlineForJSObject):
1856         * runtime/MapConstructor.cpp:
1857         (JSC::constructMap):
1858         * runtime/NativeErrorConstructor.cpp:
1859         (JSC::Interpreter::constructWithNativeErrorConstructor):
1860         * runtime/ObjectConstructor.cpp:
1861         (JSC::constructObject):
1862         (JSC::objectConstructorGetPrototypeOf):
1863         (JSC::objectConstructorGetOwnPropertyDescriptor):
1864         (JSC::objectConstructorGetOwnPropertyDescriptors):
1865         (JSC::objectConstructorGetOwnPropertyNames):
1866         (JSC::objectConstructorGetOwnPropertySymbols):
1867         (JSC::objectConstructorKeys):
1868         (JSC::objectConstructorDefineProperty):
1869         (JSC::objectConstructorDefineProperties):
1870         (JSC::objectConstructorCreate):
1871         * runtime/ObjectPrototype.cpp:
1872         (JSC::objectProtoFuncToLocaleString):
1873         (JSC::objectProtoFuncToString):
1874         * runtime/Operations.cpp:
1875         (JSC::jsAddSlowCase):
1876         * runtime/Operations.h:
1877         (JSC::jsString):
1878         (JSC::jsLess):
1879         (JSC::jsLessEq):
1880         * runtime/ParseInt.h:
1881         (JSC::toStringView):
1882         * runtime/ProxyConstructor.cpp:
1883         (JSC::constructProxyObject):
1884         * runtime/ProxyObject.cpp:
1885         (JSC::ProxyObject::toStringName):
1886         (JSC::performProxyGet):
1887         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1888         (JSC::ProxyObject::performHasProperty):
1889         (JSC::ProxyObject::getOwnPropertySlotCommon):
1890         (JSC::ProxyObject::performPut):
1891         (JSC::ProxyObject::putByIndexCommon):
1892         (JSC::performProxyCall):
1893         (JSC::performProxyConstruct):
1894         (JSC::ProxyObject::performDelete):
1895         (JSC::ProxyObject::performPreventExtensions):
1896         (JSC::ProxyObject::performIsExtensible):
1897         (JSC::ProxyObject::performDefineOwnProperty):
1898         (JSC::ProxyObject::performSetPrototype):
1899         (JSC::ProxyObject::performGetPrototype):
1900         * runtime/ReflectObject.cpp:
1901         (JSC::reflectObjectConstruct):
1902         (JSC::reflectObjectDefineProperty):
1903         (JSC::reflectObjectGet):
1904         (JSC::reflectObjectGetOwnPropertyDescriptor):
1905         (JSC::reflectObjectGetPrototypeOf):
1906         (JSC::reflectObjectOwnKeys):
1907         (JSC::reflectObjectSet):
1908         * runtime/RegExpConstructor.cpp:
1909         (JSC::constructRegExp):
1910         * runtime/RegExpObject.cpp:
1911         (JSC::RegExpObject::defineOwnProperty):
1912         (JSC::RegExpObject::matchGlobal):
1913         * runtime/RegExpPrototype.cpp:
1914         (JSC::regExpProtoFuncTestFast):
1915         (JSC::regExpProtoFuncExec):
1916         (JSC::regExpProtoFuncToString):
1917         * runtime/ScriptExecutable.cpp:
1918         (JSC::ScriptExecutable::newCodeBlockFor):
1919         * runtime/SetConstructor.cpp:
1920         (JSC::constructSet):
1921         * runtime/SparseArrayValueMap.cpp:
1922         (JSC::SparseArrayValueMap::putEntry):
1923         (JSC::SparseArrayEntry::put):
1924         * runtime/StringConstructor.cpp:
1925         (JSC::stringFromCharCode):
1926         (JSC::stringFromCodePoint):
1927         * runtime/StringObject.cpp:
1928         (JSC::StringObject::put):
1929         (JSC::StringObject::putByIndex):
1930         (JSC::StringObject::defineOwnProperty):
1931         * runtime/StringPrototype.cpp:
1932         (JSC::jsSpliceSubstrings):
1933         (JSC::jsSpliceSubstringsWithSeparators):
1934         (JSC::removeUsingRegExpSearch):
1935         (JSC::replaceUsingRegExpSearch):
1936         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1937         (JSC::replaceUsingStringSearch):
1938         (JSC::repeatCharacter):
1939         (JSC::replace):
1940         (JSC::stringProtoFuncReplaceUsingRegExp):
1941         (JSC::stringProtoFuncReplaceUsingStringSearch):
1942         (JSC::stringProtoFuncSplitFast):
1943         (JSC::stringProtoFuncToLowerCase):
1944         (JSC::stringProtoFuncToUpperCase):
1945         (JSC::toLocaleCase):
1946         (JSC::trimString):
1947         (JSC::stringProtoFuncIncludes):
1948         (JSC::builtinStringIncludesInternal):
1949         (JSC::normalize):
1950         (JSC::stringProtoFuncNormalize):
1951         * runtime/SymbolPrototype.cpp:
1952         (JSC::symbolProtoFuncToString):
1953         (JSC::symbolProtoFuncValueOf):
1954         * tools/JSDollarVM.cpp:
1955         (WTF::functionWasmStreamingParserAddBytes):
1956         (JSC::functionGetPrivateProperty):
1957         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1958         (JSC::constructJSWebAssemblyCompileError):
1959         * wasm/js/WebAssemblyModuleConstructor.cpp:
1960         (JSC::constructJSWebAssemblyModule):
1961         (JSC::WebAssemblyModuleConstructor::createModule):
1962         * wasm/js/WebAssemblyTableConstructor.cpp:
1963         (JSC::constructJSWebAssemblyTable):
1964         * wasm/js/WebAssemblyWrapperFunction.cpp:
1965         (JSC::callWebAssemblyWrapperFunction):
1966
1967 2018-10-01  Koby Boyango  <koby.b@mce-sys.com>
1968
1969         [JSC] Add a JSONStringify overload that receives a JSValue space
1970         https://bugs.webkit.org/show_bug.cgi?id=190131
1971
1972         Reviewed by Yusuke Suzuki.
1973
1974         * runtime/JSONObject.cpp:
1975         * runtime/JSONObject.h:
1976
1977 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1978
1979         Unreviewed, rolling out r236647.
1980         https://bugs.webkit.org/show_bug.cgi?id=190124
1981
1982         Breaking test stress/big-int-to-string.js (Requested by
1983         caiolima_ on #webkit).
1984
1985         Reverted changeset:
1986
1987         "[BigInt] BigInt.prototype.toString is broken when radix is
1988         power of 2"
1989         https://bugs.webkit.org/show_bug.cgi?id=190033
1990         https://trac.webkit.org/changeset/236647
1991
1992 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1993
1994         [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
1995         https://bugs.webkit.org/show_bug.cgi?id=189498
1996
1997         Reviewed by Saam Barati.
1998
1999         To call JS-to-Wasm code we need to convert the result value from wasm function to
2000         the JS type. Previously this was done by callWebAssemblyFunction by using a switch
2001         over signature.returnType(). But since we know the value of `signature.returnType()`
2002         at the compiling phase, we can emit a small conversion code directly to JSToWasm glue
2003         and remove this switch from callWebAssemblyFunction.
2004
2005         In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
2006         in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version,
2007         we add an implementation for that.
2008
2009         * jit/AssemblyHelpers.h:
2010         (JSC::AssemblyHelpers::boxDouble):
2011         * wasm/js/JSToWasm.cpp:
2012         (JSC::Wasm::createJSToWasmWrapper):
2013         * wasm/js/WebAssemblyFunction.cpp:
2014         (JSC::callWebAssemblyFunction):
2015
2016 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2017
2018         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2019         https://bugs.webkit.org/show_bug.cgi?id=190033
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         The implementation of JSBigInt::toStringToGeneric doesn't handle power
2024         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
2025         implemented JSBigInt::toStringBasePowerOfTwo that follows the
2026         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
2027         digit.
2028
2029         * runtime/JSBigInt.cpp:
2030         (JSC::JSBigInt::toString):
2031         (JSC::JSBigInt::toStringBasePowerOfTwo):
2032         * runtime/JSBigInt.h:
2033
2034 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2035
2036         [ESNext][BigInt] Implement support for "&"
2037         https://bugs.webkit.org/show_bug.cgi?id=186228
2038
2039         Reviewed by Yusuke Suzuki.
2040
2041         This patch introduces support of BigInt into bitwise "&" operation.
2042         We are also introducing the ValueBitAnd DFG node, that is responsible
2043         to take care of JIT for non-Int32 operands. With the introduction of this
2044         new node, we renamed the BitAnd node to ArithBitAnd. The ArithBitAnd
2045         follows the behavior of ArithAdd and other arithmetic nodes, where
2046         the Arith<op> version always results in Number (in the case of
2047         ArithBitAnd, it is always an Int32).
2048
2049         * bytecode/CodeBlock.cpp:
2050         (JSC::CodeBlock::finishCreation):
2051         * bytecompiler/BytecodeGenerator.cpp:
2052         (JSC::BytecodeGenerator::emitBinaryOp):
2053         * dfg/DFGAbstractInterpreterInlines.h:
2054         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2055         * dfg/DFGBackwardsPropagationPhase.cpp:
2056         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2057         (JSC::DFG::BackwardsPropagationPhase::propagate):
2058         * dfg/DFGByteCodeParser.cpp:
2059         (JSC::DFG::ByteCodeParser::parseBlock):
2060         * dfg/DFGClobberize.h:
2061         (JSC::DFG::clobberize):
2062         * dfg/DFGDoesGC.cpp:
2063         (JSC::DFG::doesGC):
2064         * dfg/DFGFixupPhase.cpp:
2065         (JSC::DFG::FixupPhase::fixupNode):
2066         * dfg/DFGNodeType.h:
2067         * dfg/DFGOperations.cpp:
2068         * dfg/DFGOperations.h:
2069         * dfg/DFGPredictionPropagationPhase.cpp:
2070         * dfg/DFGSafeToExecute.h:
2071         (JSC::DFG::safeToExecute):
2072         * dfg/DFGSpeculativeJIT.cpp:
2073         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
2074         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
2075         * dfg/DFGSpeculativeJIT.h:
2076         (JSC::DFG::SpeculativeJIT::bitOp):
2077         * dfg/DFGSpeculativeJIT32_64.cpp:
2078         (JSC::DFG::SpeculativeJIT::compile):
2079         * dfg/DFGSpeculativeJIT64.cpp:
2080         (JSC::DFG::SpeculativeJIT::compile):
2081         * dfg/DFGStrengthReductionPhase.cpp:
2082         (JSC::DFG::StrengthReductionPhase::handleNode):
2083         * ftl/FTLCapabilities.cpp:
2084         (JSC::FTL::canCompile):
2085         * ftl/FTLLowerDFGToB3.cpp:
2086         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2087         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
2088         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
2089         (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
2090         * jit/JIT.h:
2091         * jit/JITArithmetic.cpp:
2092         (JSC::JIT::emitBitBinaryOpFastPath):
2093         (JSC::JIT::emit_op_bitand):
2094         * llint/LowLevelInterpreter32_64.asm:
2095         * llint/LowLevelInterpreter64.asm:
2096         * runtime/CommonSlowPaths.cpp:
2097         (JSC::SLOW_PATH_DECL):
2098         * runtime/JSBigInt.cpp:
2099         (JSC::JSBigInt::JSBigInt):
2100         (JSC::JSBigInt::initialize):
2101         (JSC::JSBigInt::createZero):
2102         (JSC::JSBigInt::createFrom):
2103         (JSC::JSBigInt::bitwiseAnd):
2104         (JSC::JSBigInt::absoluteBitwiseOp):
2105         (JSC::JSBigInt::absoluteAnd):
2106         (JSC::JSBigInt::absoluteOr):
2107         (JSC::JSBigInt::absoluteAndNot):
2108         (JSC::JSBigInt::absoluteAddOne):
2109         (JSC::JSBigInt::absoluteSubOne):
2110         * runtime/JSBigInt.h:
2111         * runtime/JSCJSValue.h:
2112         * runtime/JSCJSValueInlines.h:
2113         (JSC::JSValue::toBigIntOrInt32 const):
2114
2115 2018-09-28  Mark Lam  <mark.lam@apple.com>
2116
2117         Gardening: speculative build fix.
2118         <rdar://problem/44869924>
2119
2120         Not reviewed.
2121
2122         * assembler/LinkBuffer.cpp:
2123         (JSC::LinkBuffer::copyCompactAndLinkCode):
2124
2125 2018-09-28  Guillaume Emont  <guijemont@igalia.com>
2126
2127         [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
2128         https://bugs.webkit.org/show_bug.cgi?id=190080
2129
2130         Reviewed by Mark Lam.
2131
2132         * assembler/ARMv7Assembler.h:
2133         (JSC::ARMv7Assembler::link):
2134         (JSC::ARMv7Assembler::linkJumpT1):
2135         (JSC::ARMv7Assembler::linkJumpT2):
2136         (JSC::ARMv7Assembler::linkJumpT3):
2137         (JSC::ARMv7Assembler::linkJumpT4):
2138         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2139         (JSC::ARMv7Assembler::linkBX):
2140         (JSC::ARMv7Assembler::linkConditionalBX):
2141         * assembler/MacroAssemblerARMv7.h:
2142         (JSC::MacroAssemblerARMv7::link):
2143
2144 2018-09-27  Saam barati  <sbarati@apple.com>
2145
2146         Verify the contents of AssemblerBuffer on arm64e
2147         https://bugs.webkit.org/show_bug.cgi?id=190057
2148         <rdar://problem/38916630>
2149
2150         Reviewed by Mark Lam.
2151
2152         * assembler/ARM64Assembler.h:
2153         (JSC::ARM64Assembler::ARM64Assembler):
2154         (JSC::ARM64Assembler::fillNops):
2155         (JSC::ARM64Assembler::link):
2156         (JSC::ARM64Assembler::linkJumpOrCall):
2157         (JSC::ARM64Assembler::linkCompareAndBranch):
2158         (JSC::ARM64Assembler::linkConditionalBranch):
2159         (JSC::ARM64Assembler::linkTestAndBranch):
2160         (JSC::ARM64Assembler::unlinkedCode): Deleted.
2161         * assembler/ARMAssembler.h:
2162         (JSC::ARMAssembler::fillNops):
2163         * assembler/ARMv7Assembler.h:
2164         (JSC::ARMv7Assembler::unlinkedCode): Deleted.
2165         * assembler/AbstractMacroAssembler.h:
2166         (JSC::AbstractMacroAssembler::emitNops):
2167         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2168         * assembler/AssemblerBuffer.h:
2169         (JSC::ARM64EHash::ARM64EHash):
2170         (JSC::ARM64EHash::update):
2171         (JSC::ARM64EHash::hash const):
2172         (JSC::ARM64EHash::randomSeed const):
2173         (JSC::AssemblerBuffer::AssemblerBuffer):
2174         (JSC::AssemblerBuffer::putShort):
2175         (JSC::AssemblerBuffer::putIntUnchecked):
2176         (JSC::AssemblerBuffer::putInt):
2177         (JSC::AssemblerBuffer::hash const):
2178         (JSC::AssemblerBuffer::data const):
2179         (JSC::AssemblerBuffer::putIntegralUnchecked):
2180         (JSC::AssemblerBuffer::append): Deleted.
2181         * assembler/LinkBuffer.cpp:
2182         (JSC::LinkBuffer::copyCompactAndLinkCode):
2183         * assembler/MIPSAssembler.h:
2184         (JSC::MIPSAssembler::fillNops):
2185         * assembler/MacroAssemblerARM64.h:
2186         (JSC::MacroAssemblerARM64::jumpsToLink):
2187         (JSC::MacroAssemblerARM64::link):
2188         (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
2189         * assembler/MacroAssemblerARMv7.h:
2190         (JSC::MacroAssemblerARMv7::jumpsToLink):
2191         (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
2192         * assembler/X86Assembler.h:
2193         (JSC::X86Assembler::fillNops):
2194
2195 2018-09-27  Mark Lam  <mark.lam@apple.com>
2196
2197         ByValInfo should not use integer offsets.
2198         https://bugs.webkit.org/show_bug.cgi?id=190070
2199         <rdar://problem/44803430>
2200
2201         Reviewed by Saam Barati.
2202
2203         Also moved some fields around to allow the ByValInfo struct to be more densely packed.
2204
2205         * bytecode/ByValInfo.h:
2206         (JSC::ByValInfo::ByValInfo):
2207         * jit/JIT.cpp:
2208         (JSC::JIT::link):
2209         * jit/JITOpcodes.cpp:
2210         (JSC::JIT::privateCompileHasIndexedProperty):
2211         * jit/JITOpcodes32_64.cpp:
2212         (JSC::JIT::privateCompileHasIndexedProperty):
2213         * jit/JITPropertyAccess.cpp:
2214         (JSC::JIT::privateCompileGetByVal):
2215         (JSC::JIT::privateCompileGetByValWithCachedId):
2216         (JSC::JIT::privateCompilePutByVal):
2217         (JSC::JIT::privateCompilePutByValWithCachedId):
2218
2219 2018-09-27  Saam barati  <sbarati@apple.com>
2220
2221         DFG::OSRExit::m_patchableCodeOffset should not be an int
2222         https://bugs.webkit.org/show_bug.cgi?id=190066
2223         <rdar://problem/39498244>
2224
2225         Reviewed by Mark Lam.
2226
2227         * dfg/DFGJITCompiler.cpp:
2228         (JSC::DFG::JITCompiler::linkOSRExits):
2229         (JSC::DFG::JITCompiler::link):
2230         * dfg/DFGOSRExit.cpp:
2231         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2232         (JSC::DFG::OSRExit::compileOSRExit):
2233         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2234         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2235         (JSC::DFG::OSRExit::correctJump): Deleted.
2236         * dfg/DFGOSRExit.h:
2237         * dfg/DFGOSRExitCompilationInfo.h:
2238
2239 2018-09-27  Saam barati  <sbarati@apple.com>
2240
2241         Don't use int offsets in StructureStubInfo
2242         https://bugs.webkit.org/show_bug.cgi?id=190064
2243         <rdar://problem/44784719>
2244
2245         Reviewed by Mark Lam.
2246
2247         * bytecode/InlineAccess.cpp:
2248         (JSC::linkCodeInline):
2249         * bytecode/StructureStubInfo.h:
2250         (JSC::StructureStubInfo::slowPathCallLocation):
2251         (JSC::StructureStubInfo::doneLocation):
2252         (JSC::StructureStubInfo::slowPathStartLocation):
2253         * jit/JITInlineCacheGenerator.cpp:
2254         (JSC::JITInlineCacheGenerator::finalize):
2255
2256 2018-09-27  Mark Lam  <mark.lam@apple.com>
2257
2258         DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
2259         https://bugs.webkit.org/show_bug.cgi?id=190054
2260         <rdar://problem/44803543>
2261
2262         Reviewed by Saam Barati.
2263
2264         * dfg/DFGJITCode.h:
2265         (JSC::DFG::JITCode::appendOSREntryData):
2266         * dfg/DFGJITCompiler.cpp:
2267         (JSC::DFG::JITCompiler::noticeOSREntry):
2268         * dfg/DFGOSREntry.cpp:
2269         (JSC::DFG::OSREntryData::dumpInContext const):
2270         (JSC::DFG::prepareOSREntry):
2271         * dfg/DFGOSREntry.h:
2272         * runtime/JSCPtrTag.h:
2273
2274 2018-09-27  Mark Lam  <mark.lam@apple.com>
2275
2276         JITMathIC should not use integer offsets into machine code.
2277         https://bugs.webkit.org/show_bug.cgi?id=190030
2278         <rdar://problem/44803307>
2279
2280         Reviewed by Saam Barati.
2281
2282         We'll replace them with CodeLocation smart pointers instead.
2283
2284         * jit/JITMathIC.h:
2285         (JSC::isProfileEmpty):
2286
2287 2018-09-26  Mark Lam  <mark.lam@apple.com>
2288
2289         Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
2290         https://bugs.webkit.org/show_bug.cgi?id=190022
2291         <rdar://problem/44800928>
2292
2293         Reviewed by Saam Barati.
2294
2295         * jit/ExecutableAllocator.cpp:
2296         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2297         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2298         * jit/ExecutableAllocator.h:
2299         (JSC::performJITMemcpy):
2300         * runtime/Options.cpp:
2301         (JSC::recomputeDependentOptions):
2302
2303 2018-09-26  Mark Lam  <mark.lam@apple.com>
2304
2305         Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
2306         https://bugs.webkit.org/show_bug.cgi?id=190016
2307         <rdar://problem/44802875>
2308
2309         Reviewed by Saam Barati.
2310
2311         Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
2312         JIT memory.
2313
2314         * assembler/ARM64Assembler.h:
2315         (JSC::ARM64Assembler::fillNops):
2316         (JSC::ARM64Assembler::replaceWithVMHalt):
2317         (JSC::ARM64Assembler::replaceWithJump):
2318         (JSC::ARM64Assembler::replaceWithLoad):
2319         (JSC::ARM64Assembler::replaceWithAddressComputation):
2320         (JSC::ARM64Assembler::setPointer):
2321         (JSC::ARM64Assembler::repatchInt32):
2322         (JSC::ARM64Assembler::repatchCompact):
2323         (JSC::ARM64Assembler::linkJumpOrCall):
2324         (JSC::ARM64Assembler::linkCompareAndBranch):
2325         (JSC::ARM64Assembler::linkConditionalBranch):
2326         (JSC::ARM64Assembler::linkTestAndBranch):
2327         * assembler/LinkBuffer.cpp:
2328         (JSC::LinkBuffer::copyCompactAndLinkCode):
2329         (JSC::LinkBuffer::linkCode):
2330         * jit/ExecutableAllocator.h:
2331         (JSC::performJITMemcpy):
2332
2333 2018-09-25  Keith Miller  <keith_miller@apple.com>
2334
2335         Move Symbol API to SPI
2336         https://bugs.webkit.org/show_bug.cgi?id=189946
2337
2338         Reviewed by Michael Saboff.
2339
2340         Some of the property access methods on JSValue needed to be moved
2341         to a category so that SPI overloads don't result in a compiler
2342         error for internal users.
2343
2344         Additionally, this patch does not move the new enum entry for
2345         Symbols in the JSType enumeration.
2346
2347         * API/JSObjectRef.h:
2348         * API/JSObjectRefPrivate.h:
2349         * API/JSValue.h:
2350         * API/JSValuePrivate.h:
2351         * API/JSValueRef.h:
2352
2353 2018-09-26  Keith Miller  <keith_miller@apple.com>
2354
2355         We should zero unused property storage when rebalancing array storage.
2356         https://bugs.webkit.org/show_bug.cgi?id=188151
2357
2358         Reviewed by Michael Saboff.
2359
2360         In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
2361         This can happen because we "balance" the pre/post-capacity in that code, so we need to zero the unused
2362         property storage.
2363
2364         * runtime/JSArray.cpp:
2365         (JSC::JSArray::unshiftCountSlowCase):
2366
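The zeroing requirement described in this entry, as an added illustration that is not WebKit's code: a constructed model of an array's backing allocation (the `Store`, `unshiftBalanced` and `unusedSlotsAreZero` names are assumptions of the model, not JSC's Butterfly or `unshiftCountSlowCase`). Prepending with too little pre-capacity rebalances the slack, which moves the existing elements to the right even though elements are being added, and the slots they vacate must be cleared so that a collector scanning the whole allocation never sees stale values.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of an array's backing allocation (not JSC's Butterfly):
// the live elements occupy [start, start + count); everything else is slack
// that a collector would still scan, so unused slots must read as 0.
struct Store {
    std::vector<uint64_t> buffer;
    size_t start;
    size_t count;
};

// Prepend `values`. If there is not enough room in front, the live range is
// moved RIGHT so that slack ends up balanced between front and back; that is
// the case the page describes, where a net addition still relocates elements
// and leaves previously live slots behind. Returns false when the buffer is full.
bool unshiftBalanced(Store& s, const std::vector<uint64_t>& values) {
    size_t n = values.size();
    if (s.count + n > s.buffer.size())
        return false;                       // reallocation is not modelled here
    size_t oldStart = s.start;
    size_t newStart;
    if (oldStart >= n) {
        newStart = oldStart - n;            // enough pre-capacity: nothing moves
    } else {
        size_t slack = s.buffer.size() - (s.count + n);
        newStart = slack / 2;               // half the slack goes in front
        size_t dest = newStart + n;         // old elements land here
        for (size_t i = s.count; i-- > 0;)  // copy backwards: ranges may overlap
            s.buffer[dest + i] = s.buffer[oldStart + i];
        // The fix the page describes: any slot that was live before the move but is
        // not part of the new live range keeps its stale value unless cleared.
        // A stale slot that once held a pointer is exactly what a GC must not see.
        for (size_t i = oldStart; i < oldStart + s.count; ++i) {
            if (i < newStart || i >= newStart + n + s.count)
                s.buffer[i] = 0;
        }
    }
    for (size_t i = 0; i < n; ++i)
        s.buffer[newStart + i] = values[i];
    s.start = newStart;
    s.count += n;
    return true;
}

// Invariant check: every slot outside the live range is 0.
bool unusedSlotsAreZero(const Store& s) {
    for (size_t i = 0; i < s.buffer.size(); ++i) {
        bool live = i >= s.start && i < s.start + s.count;
        if (!live && s.buffer[i] != 0)
            return false;
    }
    return true;
}

// Constructed scenario: 16 slots, four live values at 1..4, unshift two values.
// Only one slot of pre-capacity exists, so the rebalance path runs.
Store runRebalanceExample() {
    Store s{std::vector<uint64_t>(16, 0), 1, 4};
    for (size_t i = 0; i < 4; ++i)
        s.buffer[1 + i] = 0x100 + i;        // pretend these are cell pointers
    unshiftBalanced(s, {0xA, 0xB});
    return s;                               // live range is now [5, 11)
}

// Constructed scenario with enough pre-capacity: start 3, so nothing moves.
Store runNoMoveExample() {
    Store s{std::vector<uint64_t>(16, 0), 3, 4};
    for (size_t i = 0; i < 4; ++i)
        s.buffer[3 + i] = 0x200 + i;
    unshiftBalanced(s, {0xA, 0xB});
    return s;                               // live range is now [1, 7)
}

int main() {
    Store s = runRebalanceExample();
    std::printf("start=%zu count=%zu unused-zero=%d\n", s.start, s.count, unusedSlotsAreZero(s));
    return 0;
}
```

Deleting the zeroing loop in the rebalance branch leaves `0x100..0x103` behind in slots 1..4 and `unusedSlotsAreZero` reports the violation, which is the condition the entry's fix closes.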
2367 2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2368
2369         Unreviewed, add scope verification handling
2370         https://bugs.webkit.org/show_bug.cgi?id=189780
2371
2372         * runtime/ArrayPrototype.cpp:
2373         (JSC::arrayProtoFuncIndexOf):
2374         (JSC::arrayProtoFuncLastIndexOf):
2375
2376 2018-09-26  Koby Boyango  <koby.b@mce.systems>
2377
2378         [JSC] offlineasm parser should handle CRLF in asm files
2379         https://bugs.webkit.org/show_bug.cgi?id=189949
2380
2381         Reviewed by Mark Lam.
2382
2383         * offlineasm/parser.rb:
2384
2385 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2386
2387         [JSC] Optimize Array#lastIndexOf
2388         https://bugs.webkit.org/show_bug.cgi?id=189780
2389
2390         Reviewed by Saam Barati.
2391
2392         Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path
2393         for JSArray with contiguous storage.
2394
2395         * runtime/ArrayPrototype.cpp:
2396         (JSC::arrayProtoFuncLastIndexOf):
2397
2398 2018-09-25  Saam Barati  <sbarati@apple.com>
2399
2400         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2401         https://bugs.webkit.org/show_bug.cgi?id=189940
2402         <rdar://problem/43640987>
2403
2404         Reviewed by Mark Lam.
2405
2406         We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
2407         CodeBlock. There is nothing semantically wrong with doing that (except for
2408         poor naming), however, the poor naming here led us to make a real semantic
2409         mistake. We wanted the baseline CodeBlock's constant pool, but we were
2410         accessing the FTL CodeBlock's constant pool accidentally. We need to
2411         access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
2412         constant value.
2413
2414         * bytecode/InlineCallFrame.h:
2415         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2416         * ftl/FTLOperations.cpp:
2417         (JSC::FTL::operationMaterializeObjectInOSR):
2418
2419 2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>
2420
2421         Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
2422         https://bugs.webkit.org/show_bug.cgi?id=189962
2423         <rdar://problem/44648287>
2424
2425         Reviewed by Brian Burg.
2426
2427         * inspector/scripts/codegen/generate_objc_header.py:
2428         (ObjCHeaderGenerator._callback_block_for_command):
2429         If there are no return parameters, include "void" in the block signature.
2430
2431         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2432         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2433         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2434         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2435         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2436         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2437         Rebaseline test results.
2438
2439 2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>
2440
2441         Remove AUTHORS and THANKS files which are stale
2442         https://bugs.webkit.org/show_bug.cgi?id=189941
2443
2444         Reviewed by Darin Adler.
2445
2446         Included mentions below so their names are still in ChangeLogs.
2447
2448         * AUTHORS: Removed.
2449         Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
2450         These authors remain mentioned in copyrights in source files.
2451
2452         * THANKS: Removed.
2453         Richard Moore <rich@kde.org> - for filling the Math object with some life
2454         Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
2455         Marco Pinelli <pinmc@libero.it> - for his patches
2456         Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
2457         
2458 2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2459
2460         Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
2461         https://bugs.webkit.org/show_bug.cgi?id=189733
2462
2463         Reviewed by Michael Catanzaro.
2464
2465         * assembler/ARM64Assembler.h:
2466         * assembler/ARMAssembler.h:
2467         (JSC::ARMAssembler::cacheFlush):
2468         * assembler/MacroAssemblerARM.cpp:
2469         (JSC::isVFPPresent):
2470         * assembler/MacroAssemblerARM64.cpp:
2471         * assembler/MacroAssemblerARMv7.cpp:
2472         * assembler/MacroAssemblerMIPS.cpp:
2473         * assembler/MacroAssemblerX86Common.cpp:
2474         * heap/HeapCell.cpp:
2475         * heap/HeapCell.h:
2476         * jit/HostCallReturnValue.h:
2477         * jit/JIT.h:
2478         * jit/JITOperations.cpp:
2479         * jit/ThunkGenerators.cpp:
2480         * runtime/ArrayConventions.cpp:
2481         (JSC::clearArrayMemset):
2482         * runtime/JSBigInt.cpp:
2483         (JSC::JSBigInt::digitDiv):
2484
2485 2018-09-24  Saam Barati  <sbarati@apple.com>
2486
2487         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2488         https://bugs.webkit.org/show_bug.cgi?id=189922
2489         <rdar://problem/44651275>
2490
2491         Reviewed by Mark Lam.
2492
2493         The implementation was first getting the length to iterate up to,
2494         then getting the starting index. However, getting the starting
2495         index may perform effects, e.g., it could change the length of the
2496         array. This changes it so we verify the length is still valid.
2497
2498         * runtime/ArrayPrototype.cpp:
2499         (JSC::arrayProtoFuncIndexOf):
2500
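The re-validation pattern this entry describes, as an added illustration that is not JavaScriptCore's code: a constructed model of an indexOf fast path in which converting the fromIndex argument can run user code that resizes the array. The `Array`, `FromIndex`, `indexOfWithRecheck` and `indexOfGeneric` names, and the bail-out to a generic path when the length changed, are assumptions of the model rather than JSC's implementation; the generic path follows the ECMAScript order of operations, where the length is captured before fromIndex is converted and indices that no longer exist are simply absent.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Constructed stand-in for a JS array with contiguous storage (not JSC's JSArray).
struct Array {
    std::vector<int> storage;
    size_t length() const { return storage.size(); }
};

// Constructed stand-in for the fromIndex argument. Converting it to an integer
// may run user code (a valueOf hook), modelled here as an optional callback
// that receives the array and may resize it.
struct FromIndex {
    long value;
    std::function<void(Array&)> sideEffect;
};

struct Result {
    long index;        // -1 when not found
    bool tookFastPath; // false when the fast path bailed out to the generic path
};

// ToIntegerOrInfinity(fromIndex) followed by the negative-index adjustment.
// The side effect runs here, after the caller has already captured the length.
static size_t resolveStart(FromIndex& from, Array& array, size_t length) {
    if (from.sideEffect)
        from.sideEffect(array);
    long idx = from.value;
    if (idx < 0) {
        idx += static_cast<long>(length);
        if (idx < 0)
            idx = 0;
    }
    return static_cast<size_t>(idx);
}

// Generic path with spec semantics: scan up to the length captured at entry,
// but treat indices the array no longer has as absent (HasProperty is false).
static Result indexOfGeneric(Array& array, int needle, size_t start, size_t length) {
    for (size_t i = start; i < length; ++i) {
        if (i >= array.length())
            continue;
        if (array.storage[i] == needle)
            return {static_cast<long>(i), false};
    }
    return {-1, false};
}

// Fast path. Reading `length` first and then resolving `from` is the order the
// entry describes; the defect was scanning storage up to the stale `length`
// after user code had shrunk it. The re-check below is the fix pattern.
Result indexOfWithRecheck(Array& array, int needle, FromIndex from) {
    size_t length = array.length();
    size_t start = resolveStart(from, array, length); // may run user code
    if (length != array.length())                     // effects invalidated the bound
        return indexOfGeneric(array, needle, start, length);
    for (size_t i = start; i < length; ++i) {
        if (array.storage[i] == needle)
            return {static_cast<long>(i), true};
    }
    return {-1, true};
}

// Constructed scenarios on the sample array [1, 2, 3, 4, 5].
static Array sampleArray() { return Array{{1, 2, 3, 4, 5}}; }

Result runPlain() {
    Array a = sampleArray();
    return indexOfWithRecheck(a, 5, {0, nullptr});                  // {4, true}
}
Result runNegativeFromIndex() {
    Array a = sampleArray();
    return indexOfWithRecheck(a, 2, {-2, nullptr});                 // start = 3, so {-1, true}
}
Result runShrinkDuringConversion() {
    Array a = sampleArray();
    // valueOf shrinks the array to 2 elements; without the re-check the fast
    // path would read storage[2..4] past the end of the vector.
    return indexOfWithRecheck(a, 5, {0, [](Array& x) { x.storage.resize(2); }}); // {-1, false}
}
Result runGrowDuringConversion() {
    Array a = sampleArray();
    // valueOf appends 6 and 7; the captured length bounds the scan, so 7 is not found.
    return indexOfWithRecheck(a, 7, {0, [](Array& x) { x.storage.push_back(6); x.storage.push_back(7); }}); // {-1, false}
}

int main() {
    Result plain = runPlain();
    Result shrink = runShrinkDuringConversion();
    std::printf("plain: %ld fast=%d\n", plain.index, plain.tookFastPath);
    std::printf("shrink: %ld fast=%d\n", shrink.index, shrink.tookFastPath);
    return 0;
}
```

The same ordering hazard applies to any native fast path that caches a length, a capacity, or a pointer into storage and then calls into user code: every such cached value has to be re-validated, or the path has to bail out, before the cached value is used as a bound.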
2501 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2502
2503         offlineasm: fix macro scoping
2504         https://bugs.webkit.org/show_bug.cgi?id=189902
2505
2506         Reviewed by Mark Lam.
2507
2508         In the code below, the reference to `f` in `g`, which should refer to
2509         the outer macro definition will instead refer to the f argument of the
2510         anonymous macro passed to `g`. That leads to this code failing to
2511         compile (f expected 0 args but got 1).
2512         
2513         ```
2514         macro f(x)
2515             move x, t0
2516         end
2517         
2518         macro g(fn)
2519             fn(macro () f(42) end)
2520         end
2521         
2522         g(macro(f) f() end)
2523         ```
2524
2525         * offlineasm/ast.rb:
2526         * offlineasm/transform.rb:
2527
2528 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2529
2530         Add forEach method for iterating CodeBlock's ValueProfiles
2531         https://bugs.webkit.org/show_bug.cgi?id=189897
2532
2533         Reviewed by Mark Lam.
2534
2535         Add method to abstract how we find ValueProfiles in a CodeBlock in
2536         preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
2537         ValueProfiles will be stored in the MetadataTable.
2538
2539         * bytecode/CodeBlock.cpp:
2540         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2541         (JSC::CodeBlock::updateAllValueProfilePredictions):
2542         (JSC::CodeBlock::shouldOptimizeNow):
2543         (JSC::CodeBlock::dumpValueProfiles):
2544         * bytecode/CodeBlock.h:
2545         (JSC::CodeBlock::forEachValueProfile):
2546         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2547         (JSC::CodeBlock::valueProfileForArgument):
2548         (JSC::CodeBlock::numberOfValueProfiles):
2549         (JSC::CodeBlock::valueProfile):
2550         (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
2551         (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
2552         * tools/HeapVerifier.cpp:
2553         (JSC::HeapVerifier::validateJSCell):
2554
2555 2018-09-24  Saam barati  <sbarati@apple.com>
2556
2557         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2558         https://bugs.webkit.org/show_bug.cgi?id=189682
2559         <rdar://problem/43557315>
2560
2561         Reviewed by Mark Lam.
2562
2563         Otherwise, if we have code like this:
2564         ```
2565         a: Arguments
2566         b: GetButterfly(@a)
2567         c: ForceExit
2568         d: GetArrayLength(@a, @b)
2569         ```
2570         it will get transformed into this invalid DFG IR:
2571         ```
2572         a: PhantomArguments
2573         b: Check(@a)
2574         c: ForceExit
2575         d: GetArrayLength(@a, @b)
2576         ```
2577         
2578         And we will fail DFG validation since @b does not have a result.
2579         
2580         The fix is to just remove all nodes after the ForceExit and plant an
2581         Unreachable after it. So the above program will now turn into this:
2582         ```
2583         a: PhantomArguments
2584         b: Check(@a)
2585         c: ForceExit
2586         e: Unreachable
2587         ```
2588
2589         * dfg/DFGArgumentsEliminationPhase.cpp:
2590
2591 2018-09-22  Saam barati  <sbarati@apple.com>
2592
2593         The sampling should not use Strong<CodeBlock> in its machineLocation field
2594         https://bugs.webkit.org/show_bug.cgi?id=189319
2595
2596         Reviewed by Filip Pizlo.
2597
2598         The sampling profiler has a CLI mode where we gather information about inline
2599         call frames. That data structure was using a Strong<CodeBlock>. We were
2600         constructing this Strong<CodeBlock> during GC concurrently to processing all
2601         the Strong handles. This is a bug since we end up corrupting that data
2602         structure. This patch fixes this by just making this data structure use the
2603         sampling profiler's mechanism for holding onto and properly visiting heap pointers.
2604
2605         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2606         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2607         * runtime/SamplingProfiler.cpp:
2608         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2609
2610         (JSC::SamplingProfiler::reportTopFunctions):
2611         (JSC::SamplingProfiler::reportTopBytecodes):
2612         These CLI helpers needed a DeferGC, otherwise we may end up deadlocking when we
2613         cause a GC to happen while already holding the sampling profiler's
2614         lock.
2615
2616 2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2617
2618         [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
2619         https://bugs.webkit.org/show_bug.cgi?id=189778
2620
2621         Reviewed by Keith Miller.
2622
2623         The LLInt ASM interpreter is 2x and 15% faster than the CLoop interpreter on
2624         Linux and macOS respectively. We would like to enable it for non-JIT
2625         configurations on X86_64 and ARM64.
2626
2627         This patch enables LLInt for non-JIT builds on the X86_64 and ARM64 architectures.
2628         Previously, we switched between the LLInt ASM interpreter and CLoop using the ENABLE(JIT)
2629         configuration. But that is wrong in the new scenario, since we have a build
2630         configuration that uses the LLInt ASM interpreter while JIT is disabled. We introduce
2631         the ENABLE(C_LOOP) option, which represents that we use CLoop, and we replace
2632         ENABLE(JIT) with ENABLE(C_LOOP) where the previous ENABLE(JIT) was essentially just
2633         related to the LLInt ASM interpreter and not to JIT.
2634
2635         We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
2636         ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
2637         has machine register information that is used in the LLInt ASM interpreter.
2638
2639         * API/tests/PingPongStackOverflowTest.cpp:
2640         (testPingPongStackOverflow):
2641         * CMakeLists.txt:
2642         * JavaScriptCore.xcodeproj/project.pbxproj:
2643         * assembler/MaxFrameExtentForSlowPathCall.h:
2644         * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
2645         * bytecode/CodeBlock.cpp:
2646         (JSC::CodeBlock::finishCreation):
2647         * bytecode/CodeBlock.h:
2648         (JSC::CodeBlock::calleeSaveRegisters const):
2649         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2650         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2651         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2652         * bytecode/Opcode.h:
2653         (JSC::padOpcodeName):
2654         * heap/Heap.cpp:
2655         (JSC::Heap::gatherJSStackRoots):
2656         (JSC::Heap::stopThePeriphery):
2657         * interpreter/CLoopStack.cpp:
2658         * interpreter/CLoopStack.h:
2659         * interpreter/CLoopStackInlines.h:
2660         * interpreter/EntryFrame.h:
2661         * interpreter/Interpreter.cpp:
2662         (JSC::Interpreter::Interpreter):
2663         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2664         * interpreter/Interpreter.h:
2665         * interpreter/StackVisitor.cpp:
2666         (JSC::StackVisitor::Frame::calleeSaveRegisters):
2667         * interpreter/VMEntryRecord.h:
2668         * jit/ExecutableAllocator.h:
2669         * jit/FPRInfo.h:
2670         (WTF::printInternal):
2671         * jit/GPRInfo.cpp:
2672         * jit/GPRInfo.h:
2673         (WTF::printInternal):
2674         * jit/HostCallReturnValue.cpp:
2675         (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
2676         * jit/HostCallReturnValue.h:
2677         * jit/JITOperations.cpp:
2678         (JSC::getHostCallReturnValueWithExecState): Deleted.
2679         * jit/JITOperationsMSVC64.cpp:
2680         * jit/Reg.cpp:
2681         * jit/Reg.h:
2682         * jit/RegisterAtOffset.cpp:
2683         * jit/RegisterAtOffset.h:
2684         * jit/RegisterAtOffsetList.cpp:
2685         * jit/RegisterAtOffsetList.h:
2686         * jit/RegisterMap.h:
2687         * jit/RegisterSet.cpp:
2688         * jit/RegisterSet.h:
2689         * jit/TempRegisterSet.cpp:
2690         * jit/TempRegisterSet.h:
2691         * llint/LLIntCLoop.cpp:
2692         * llint/LLIntCLoop.h:
2693         * llint/LLIntData.cpp:
2694         (JSC::LLInt::initialize):
2695         (JSC::LLInt::Data::performAssertions):
2696         * llint/LLIntData.h:
2697         * llint/LLIntOfflineAsmConfig.h:
2698         * llint/LLIntOpcode.h:
2699         * llint/LLIntPCRanges.h:
2700         * llint/LLIntSlowPaths.cpp:
2701         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2702         * llint/LLIntSlowPaths.h:
2703         * llint/LLIntThunks.cpp:
2704         * llint/LowLevelInterpreter.cpp:
2705         * llint/LowLevelInterpreter.h:
2706         * runtime/JSCJSValue.h:
2707         * runtime/MachineContext.h:
2708         * runtime/SamplingProfiler.cpp:
2709         (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
2710         for LLInt ASM interpreter with non JIT configuration.
2711         * runtime/TestRunnerUtils.cpp:
2712         (JSC::optimizeNextInvocation):
2713         * runtime/VM.cpp:
2714         (JSC::VM::VM):
2715         (JSC::VM::getHostFunction):
2716         (JSC::VM::updateSoftReservedZoneSize):
2717         (JSC::sanitizeStackForVM):
2718         (JSC::VM::committedStackByteCount):
2719         * runtime/VM.h:
2720         * runtime/VMInlines.h:
2721         (JSC::VM::ensureStackCapacityFor):
2722         (JSC::VM::isSafeToRecurseSoft const):
2723
2724 2018-09-21  Keith Miller  <keith_miller@apple.com>
2725
2726         Add Promise SPI
2727         https://bugs.webkit.org/show_bug.cgi?id=189809
2728
2729         Reviewed by Saam Barati.
2730
2731         The patch adds new SPI to create promises. It's mostly SPI because
2732         I want to see how internal users react to it before we make it
2733         public.
2734
2735         This patch adds a couple of new Obj-C SPI methods. The first
2736         creates a new promise using the same API that JS does where the
2737         user provides an executor callback. If an exception is raised
2738         in/to that callback the promise is automagically rejected. The
2739         other methods create a pre-resolved or rejected promise as this
2740         appears to be a common way to initialize a promise.
2741
2742         I was also considering adding a second version of the executor API
2743         where it would catch specific Obj-C exceptions. This would work by
2744         taking a Class parameter and checking isKindOfClass: on the
2745         exception. I decided against this as nothing else in our API
2746         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2747         corrupt state if an Obj-C exception unwinds through JS frames.
2748
2749         This patch adds a new C function that will create a "deferred"
2750         promise. A deferred promise is a style of creating promise/futures
2751         where the resolve and reject functions are passed as outputs of a
2752         function. I went with this style for the C SPI because we don't have
2753         any concept of forwarding exceptions in the C API.
2754
2755         In order to make the C API work I refactored a bit of the promise code
2756         so that we can call a static method on JSDeferredPromise and just get
2757         the components without allocating an extra cell wrapper.
2758
2759         * API/JSContext.mm:
2760         (+[JSContext currentCallee]):
2761         * API/JSObjectRef.cpp:
2762         (JSObjectMakeDeferredPromise):
2763         * API/JSObjectRefPrivate.h:
2764         * API/JSValue.mm:
2765         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2766         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2767         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2768         * API/JSValuePrivate.h: Added.
2769         * API/JSVirtualMachine.mm:
2770         * API/JSVirtualMachinePrivate.h:
2771         * API/tests/testapi.c:
2772         (main):
2773         * API/tests/testapi.cpp:
2774         (APIContext::operator JSC::ExecState*):
2775         (TestAPI::failed const):
2776         (TestAPI::check):
2777         (TestAPI::basicSymbol):
2778         (TestAPI::symbolsTypeof):
2779         (TestAPI::symbolsGetPropertyForKey):
2780         (TestAPI::symbolsSetPropertyForKey):
2781         (TestAPI::symbolsHasPropertyForKey):
2782         (TestAPI::symbolsDeletePropertyForKey):
2783         (TestAPI::promiseResolveTrue):
2784         (TestAPI::promiseRejectTrue):
2785         (testCAPIViaCpp):
2786         (TestAPI::run): Deleted.
2787         * API/tests/testapi.mm:
2788         (testObjectiveCAPIMain):
2789         (promiseWithExecutor):
2790         (promiseRejectOnJSException):
2791         (promiseCreateResolved):
2792         (promiseCreateRejected):
2793         (parallelPromiseResolveTest):
2794         (testObjectiveCAPI):
2795         * JavaScriptCore.xcodeproj/project.pbxproj:
2796         * runtime/JSInternalPromiseDeferred.cpp:
2797         (JSC::JSInternalPromiseDeferred::create):
2798         * runtime/JSPromise.h:
2799         * runtime/JSPromiseConstructor.cpp:
2800         (JSC::constructPromise):
2801         * runtime/JSPromiseDeferred.cpp:
2802         (JSC::JSPromiseDeferred::createDeferredData):
2803         (JSC::JSPromiseDeferred::create):
2804         (JSC::JSPromiseDeferred::finishCreation):
2805         (JSC::newPromiseCapability): Deleted.
2806         * runtime/JSPromiseDeferred.h:
2807         (JSC::JSPromiseDeferred::promise const):
2808         (JSC::JSPromiseDeferred::resolve const):
2809         (JSC::JSPromiseDeferred::reject const):
2810
2811 2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2812
2813         Unreviewed, rolling out r236359.
2814
2815         Broke the Windows build.
2816
2817         Reverted changeset:
2818
2819         "Add Promise SPI"
2820         https://bugs.webkit.org/show_bug.cgi?id=189809
2821         https://trac.webkit.org/changeset/236359
2822
2823 2018-09-21  Mark Lam  <mark.lam@apple.com>
2824
2825         JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
2826         https://bugs.webkit.org/show_bug.cgi?id=189855
2827         <rdar://problem/44680181>
2828
2829         Reviewed by Filip Pizlo.
2830
2831         tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
2832         ExecState* argument.  This is intentional so that resolveRope() does not throw
2833         in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
2834         get the VM from the cell instead of via the ExecState.
2835
2836         Also removed an obsolete and unused field in JSString.
2837
2838         * runtime/JSString.cpp:
2839         (JSC::JSRopeString::resolveRope const):
2840         (JSC::JSRopeString::outOfMemory const):
2841         * runtime/JSString.h:
2842         (JSC::JSString::tryGetValue const):
2843
2844 2018-09-21  Michael Saboff  <msaboff@apple.com>
2845
2846         Add functions to measure memory footprint to JSC
2847         https://bugs.webkit.org/show_bug.cgi?id=189768
2848
2849         Reviewed by Saam Barati.
2850
2851         Rolling this back in again.
2852
2853         Provide system memory metrics for the current process to aid in memory reduction measurement and
2854         tuning using native JS tests.
2855
2856         * jsc.cpp:
2857         (MemoryFootprint::now):
2858         (MemoryFootprint::resetPeak):
2859         (GlobalObject::finishCreation):
2860         (JSCMemoryFootprint::JSCMemoryFootprint):
2861         (JSCMemoryFootprint::createStructure):
2862         (JSCMemoryFootprint::create):
2863         (JSCMemoryFootprint::finishCreation):
2864         (JSCMemoryFootprint::addProperty):
2865         (functionResetMemoryPeak):
2866
2867 2018-09-21  Keith Miller  <keith_miller@apple.com>
2868
2869         Add Promise SPI
2870         https://bugs.webkit.org/show_bug.cgi?id=189809
2871
2872         Reviewed by Saam Barati.
2873
2874         The patch adds new SPI to create promises. It's mostly SPI because
2875         I want to see how internal users react to it before we make it
2876         public.
2877
2878         This patch adds a couple of new Obj-C SPI methods. The first
2879         creates a new promise using the same API that JS does where the
2880         user provides an executor callback. If an exception is raised
2881         in/to that callback the promise is automagically rejected. The
2882         other methods create a pre-resolved or rejected promise as this
2883         appears to be a common way to initialize a promise.
2884
2885         I was also considering adding a second version of executor API
2886         where it would catch specific Obj-C exceptions. This would work by
2887         taking a Class parameter and checking isKindOfClass: on the
2888         exception. I decided against this as nothing else in our API
2889         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2890         corrupt state if an Obj-C exception unwinds through JS frames.
2891
2892         This patch adds a new C function that will create a "deferred"
2893         promise. A deferred promise is a style of creating promise/futures
2894         where the resolve and reject functions are passed as outputs of a
2895         function. I went with this style for the C SPI because we don't have
2896         any concept of forwarding exceptions in the C API.
2897
2898         In order to make the C API work I refactored a bit of the promise code
2899         so that we can call a static method on JSDeferredPromise and just get
2900         the components without allocating an extra cell wrapper.
2901
2902         * API/JSContext.mm:
2903         (+[JSContext currentCallee]):
2904         * API/JSObjectRef.cpp:
2905         (JSObjectMakeDeferredPromise):
2906         * API/JSObjectRefPrivate.h:
2907         * API/JSValue.mm:
2908         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2909         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2910         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2911         * API/JSValuePrivate.h: Added.
2912         * API/JSVirtualMachine.mm:
2913         * API/JSVirtualMachinePrivate.h:
2914         * API/tests/testapi.c:
2915         (main):
2916         * API/tests/testapi.cpp:
2917         (APIContext::operator JSC::ExecState*):
2918         (TestAPI::failed const):
2919         (TestAPI::check):
2920         (TestAPI::basicSymbol):
2921         (TestAPI::symbolsTypeof):
2922         (TestAPI::symbolsGetPropertyForKey):
2923         (TestAPI::symbolsSetPropertyForKey):
2924         (TestAPI::symbolsHasPropertyForKey):
2925         (TestAPI::symbolsDeletePropertyForKey):
2926         (TestAPI::promiseResolveTrue):
2927         (TestAPI::promiseRejectTrue):
2928         (testCAPIViaCpp):
2929         (TestAPI::run): Deleted.
2930         * API/tests/testapi.mm:
2931         (testObjectiveCAPIMain):
2932         (promiseWithExecutor):
2933         (promiseRejectOnJSException):
2934         (promiseCreateResolved):
2935         (promiseCreateRejected):
2936         (parallelPromiseResolveTest):
2937         (testObjectiveCAPI):
2938         * JavaScriptCore.xcodeproj/project.pbxproj:
2939         * runtime/JSInternalPromiseDeferred.cpp:
2940         (JSC::JSInternalPromiseDeferred::create):
2941         * runtime/JSPromise.h:
2942         * runtime/JSPromiseConstructor.cpp:
2943         (JSC::constructPromise):
2944         * runtime/JSPromiseDeferred.cpp:
2945         (JSC::JSPromiseDeferred::createDeferredData):
2946         (JSC::JSPromiseDeferred::create):
2947         (JSC::JSPromiseDeferred::finishCreation):
2948         (JSC::newPromiseCapability): Deleted.
2949         * runtime/JSPromiseDeferred.h:
2950         (JSC::JSPromiseDeferred::promise const):
2951         (JSC::JSPromiseDeferred::resolve const):
2952         (JSC::JSPromiseDeferred::reject const):
2953
2954 2018-09-21  Truitt Savell  <tsavell@apple.com>
2955
2956         Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
2957         https://bugs.webkit.org/show_bug.cgi?id=156674
2958
2959         Unreviewed Test Gardening
2960
2961         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2962         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2963
2964 2018-09-21  Mike Gorse  <mgorse@suse.com>
2965
2966         Build tools should work when the /usr/bin/python is python3
2967         https://bugs.webkit.org/show_bug.cgi?id=156674
2968
2969         Reviewed by Michael Catanzaro.
2970
2971         * Scripts/cssmin.py:
2972         * Scripts/generate-js-builtins.py:
2973         (do_open):
2974         (generate_bindings_for_builtins_files):
2975         * Scripts/generateIntlCanonicalizeLanguage.py:
2976         * Scripts/jsmin.py:
2977         (JavascriptMinify.minify.write):
2978         (JavascriptMinify):
2979         (JavascriptMinify.minify):
2980         * Scripts/make-js-file-arrays.py:
2981         (chunk):
2982         (main):
2983         * Scripts/wkbuiltins/__init__.py:
2984         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2985         (generate_section_for_global_private_code_name_macro):
2986         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
2987         (BuiltinsInternalsWrapperHeaderGenerator.__init__):
2988         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
2989         (BuiltinsInternalsWrapperImplementationGenerator.__init__):
2990         * Scripts/wkbuiltins/builtins_model.py:
2991         (BuiltinFunction.__lt__):
2992         (BuiltinsCollection.copyrights):
2993         (BuiltinsCollection._parse_functions):
2994         * disassembler/udis86/ud_opcode.py:
2995         (UdOpcodeTables.pprint.printWalk):
2996         * generate-bytecode-files:
2997         * inspector/scripts/codegen/__init__.py:
2998         * inspector/scripts/codegen/cpp_generator.py:
2999         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
3000         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
3001         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3002         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
3003         (CppBackendDispatcherHeaderGenerator.generate_output):
3004         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
3005         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3006         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
3007         (CppBackendDispatcherImplementationGenerator.generate_output):
3008         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3009         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
3010         (CppFrontendDispatcherHeaderGenerator.generate_output):
3011         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3012         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
3013         (CppFrontendDispatcherImplementationGenerator.generate_output):
3014         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3015         (CppProtocolTypesHeaderGenerator.generate_output):
3016         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
3017         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3018         (CppProtocolTypesImplementationGenerator.generate_output):
3019         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
3020         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
3021         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
3022         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
3023         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
3024         * inspector/scripts/codegen/generate_js_backend_commands.py:
3025         (JSBackendCommandsGenerator.should_generate_domain):
3026         (JSBackendCommandsGenerator.domains_to_generate):
3027         (JSBackendCommandsGenerator.generate_output):
3028         (JSBackendCommandsGenerator.generate_domain):
3029         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3030         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
3031         (ObjCBackendDispatcherHeaderGenerator.generate_output):
3032         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3033         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
3034         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3035         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3036         * inspector/scripts/codegen/generate_objc_configuration_header.py:
3037         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
3038         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3039         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
3040         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3041         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3042         * inspector/scripts/codegen/generate_objc_header.py:
3043         (ObjCHeaderGenerator.generate_output):
3044         (ObjCHeaderGenerator._generate_type_interface):
3045         * inspector/scripts/codegen/generate_objc_internal_header.py:
3046         (ObjCInternalHeaderGenerator.generate_output):
3047         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3048         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
3049         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
3050         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
3051         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
3052         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3053         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
3054         (ObjCProtocolTypesImplementationGenerator.generate_output):
3055         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
3056         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3057         * inspector/scripts/codegen/generator.py:
3058         (Generator.non_supplemental_domains):
3059         (Generator.open_fields):
3060         (Generator.calculate_types_requiring_shape_assertions):
3061         (Generator._traverse_and_assign_enum_values):
3062         (Generator.stylized_name_for_enum_value):
3063         * inspector/scripts/codegen/models.py:
3064         (find_duplicates):
3065         * inspector/scripts/codegen/objc_generator.py:
3066         * wasm/generateWasm.py:
3067         (opcodeIterator):
3068         * yarr/generateYarrCanonicalizeUnicode:
3069         * yarr/generateYarrUnicodePropertyTables.py:
3070         * yarr/hasher.py:
3071         (stringHash):
3072
3073 2018-09-21  Tomas Popela  <tpopela@redhat.com>
3074
3075         [ARM] Build broken on armv7hl after r235517
3076         https://bugs.webkit.org/show_bug.cgi?id=189831
3077
3078         Reviewed by Yusuke Suzuki.
3079
3080         Add missing implementation of patchableBranch8() for traditional ARM.
3081
3082         * assembler/MacroAssemblerARM.h:
3083         (JSC::MacroAssemblerARM::patchableBranch8):
3084
3085 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
3086
3087         Unreviewed, rolling out r236293.
3088
3089         Internal build still broken.
3090
3091         Reverted changeset:
3092
3093         "Add functions to measure memory footprint to JSC"
3094         https://bugs.webkit.org/show_bug.cgi?id=189768
3095         https://trac.webkit.org/changeset/236293
3096
3097 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3098
3099         [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
3100         https://bugs.webkit.org/show_bug.cgi?id=189558
3101
3102         Reviewed by Mark Lam.
3103
3104         When running the web-tooling-benchmark postcss test on the Linux JSCOnly port, we get the following result in `perf report`.
3105
3106             10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited
3107
3108         This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in JSString::visitChildren.
3109         And since reportExtraMemoryVisited attempts to update an atomic counter, if we have a bunch of marking threads, it becomes super contended.
3110
3111         This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has a per-SlotVisitor m_extraMemorySize counter,
3112         and we propagate this value to the global atomic counter when a rebalance happens.
3113
3114         We also reduce HeapCell::heap() access by using `vm.heap`.
3115
3116         * heap/SlotVisitor.cpp:
3117         (JSC::SlotVisitor::didStartMarking):
3118         (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
3119         (JSC::SlotVisitor::drain):
3120         (JSC::SlotVisitor::performIncrementOfDraining):
3121         * heap/SlotVisitor.h:
3122         * heap/SlotVisitorInlines.h:
3123         (JSC::SlotVisitor::reportExtraMemoryVisited):
3124         * runtime/JSString.cpp:
3125         (JSC::JSRopeString::resolveRopeToAtomicString const):
3126         (JSC::JSRopeString::resolveRope const):
3127         * runtime/JSString.h:
3128         (JSC::JSString::finishCreation):
3129         * wasm/js/JSWebAssemblyInstance.cpp:
3130         (JSC::JSWebAssemblyInstance::finishCreation):
3131         * wasm/js/JSWebAssemblyMemory.cpp:
3132         (JSC::JSWebAssemblyMemory::finishCreation):
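
The batching scheme described in this entry, as an added illustration that is not JavaScriptCore's SlotVisitor or Heap code: each visitor accumulates extra-memory bytes in a thread-local counter and pushes the sum to the shared atomic only at rebalance points and at the end of draining. The `Heap`, `Visitor`, `drain` and `runParallelMarking` names below are made up for the example; the `sharedUpdates` field is instrumentation that counts how often the contended counter is touched, so the two schemes can be compared on the same workload.

```cpp
// Illustrative model of batching "extra memory visited" reports per visitor
// and pushing them to the heap-wide atomic only at rebalance points. Added
// example; the class and function names are made up and are not JSC's
// SlotVisitor/Heap code.
#include <atomic>
#include <cstddef>
#include <iostream>
#include <thread>
#include <vector>

struct Heap {
    std::atomic<size_t> extraMemoryVisited { 0 }; // the shared, contended counter
    std::atomic<size_t> sharedUpdates { 0 };      // instrumentation only: writes to the shared counter

    void addExtraMemoryVisited(size_t bytes)
    {
        extraMemoryVisited.fetch_add(bytes, std::memory_order_relaxed);
        sharedUpdates.fetch_add(1, std::memory_order_relaxed);
    }
};

class Visitor {
public:
    explicit Visitor(Heap& heap, bool batched)
        : m_heap(heap), m_batched(batched) { }

    void didStartMarking() { m_extraMemorySize = 0; }

    // Called once per visited cell that owns out-of-line memory (e.g. a string buffer).
    void reportExtraMemoryVisited(size_t bytes)
    {
        if (m_batched)
            m_extraMemorySize += bytes;          // thread-local, no atomics involved
        else
            m_heap.addExtraMemoryVisited(bytes); // unbatched: every report hits the shared line
    }

    // Rebalance point: flush the local count into the shared counter.
    void propagateExtraMemoryVisitedIfNecessary()
    {
        if (!m_extraMemorySize)
            return;
        m_heap.addExtraMemoryVisited(m_extraMemorySize);
        m_extraMemorySize = 0;
    }

    // Drain `cells` cells carrying `bytesPerCell` extra memory each, with a
    // rebalance point every `rebalanceEvery` cells.
    void drain(size_t cells, size_t bytesPerCell, size_t rebalanceEvery)
    {
        for (size_t i = 0; i < cells; ++i) {
            reportExtraMemoryVisited(bytesPerCell);
            if ((i + 1) % rebalanceEvery == 0)
                propagateExtraMemoryVisitedIfNecessary();
        }
        propagateExtraMemoryVisitedIfNecessary(); // end of draining: nothing may stay local
    }

private:
    Heap& m_heap;
    bool m_batched;
    size_t m_extraMemorySize = 0;
};

struct MarkingStats {
    size_t totalBytes;    // must equal the sum of all reports, batched or not
    size_t sharedUpdates; // how many times the contended counter was written
};

// Runs `threads` visitors concurrently over identical constructed workloads.
MarkingStats runParallelMarking(unsigned threads, size_t cellsPerThread, size_t bytesPerCell,
    size_t rebalanceEvery, bool batched)
{
    Heap heap;
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threads; ++t) {
        workers.emplace_back([&heap, cellsPerThread, bytesPerCell, rebalanceEvery, batched] {
            Visitor visitor(heap, batched);
            visitor.didStartMarking();
            visitor.drain(cellsPerThread, bytesPerCell, rebalanceEvery);
        });
    }
    for (std::thread& w : workers)
        w.join();
    return { heap.extraMemoryVisited.load(), heap.sharedUpdates.load() };
}

int main()
{
    MarkingStats batched = runParallelMarking(4, 1000, 16, 100, true);
    MarkingStats direct = runParallelMarking(4, 1000, 16, 100, false);
    std::cout << "batched: bytes=" << batched.totalBytes << " shared writes=" << batched.sharedUpdates << "\n";
    std::cout << "direct:  bytes=" << direct.totalBytes << " shared writes=" << direct.sharedUpdates << "\n";
    return 0;
}
```

The invariant to check in either scheme is that the heap-wide total is exact once draining finishes; the batched visitor trades per-report atomics for a flush at each rebalance point, which is why the final `propagateExtraMemoryVisitedIfNecessary()` at the end of `drain` matters: a visitor that exits with a non-zero local count would silently under-report.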
3133
3134 2018-09-20  Michael Saboff  <msaboff@apple.com>
3135
3136         Add functions to measure memory footprint to JSC
3137         https://bugs.webkit.org/show_bug.cgi?id=189768
3138
3139         Reviewed by Saam Barati.
3140
3141         Rolling this back in.
3142
3143         Provide system memory metrics for the current process to aid in memory reduction measurement and
3144         tuning using native JS tests.
3145
3146         * jsc.cpp:
3147         (MemoryFootprint::now):
3148         (MemoryFootprint::resetPeak):
3149         (GlobalObject::finishCreation):
3150         (JSCMemoryFootprint::JSCMemoryFootprint):
3151         (JSCMemoryFootprint::createStructure):
3152         (JSCMemoryFootprint::create):
3153         (JSCMemoryFootprint::finishCreation):
3154         (JSCMemoryFootprint::addProperty):
3155         (functionResetMemoryPeak):
3156
3157 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
3158
3159         Unreviewed, rolling out r236235.
3160
3161         Breaks internal builds.
3162
3163         Reverted changeset:
3164
3165         "Add functions to measure memory footprint to JSC"
3166         https://bugs.webkit.org/show_bug.cgi?id=189768
3167         https://trac.webkit.org/changeset/236235
3168
3169 2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>
3170
3171         [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
3172         https://bugs.webkit.org/show_bug.cgi?id=189730
3173
3174         Reviewed by Saam Barati.
3175
3176         Clang for Windows can't compile the workaround for the MSVC quirk in generateOutOfLine.
3177
3178         * jit/JITMathIC.h:
3179         (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".
3180
3181 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3182
3183         [JSC] Optimize Array#indexOf in C++ runtime
3184         https://bugs.webkit.org/show_bug.cgi?id=189507
3185
3186         Reviewed by Saam Barati.
3187
3188         The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
3189         web-tooling-benchmark. While our DFG and FTL have Array#indexOf optimization
3190         and it is actually working well, C++ Array#indexOf is called a significant number
3191         of times before tiering up, and it takes 6.74% of jsc main thread samples according
3192         to the perf command in Linux. This is because C++ Array#indexOf is too generic and
3193         misses the chance to optimize JSArray cases.
3194
3195         This patch adds a JSArray fast path for Array#indexOf. If we know that indexed
3196         access to the given JSArray is non-observable and the indexing type is good for the fast
3197         path, we go to the fast path. This makes sampling of Array#indexOf 3.83% in
3198         babylon web-tooling-benchmark.
3199
3200         * runtime/ArrayPrototype.cpp:
3201         (JSC::arrayProtoFuncIndexOf):
3202         * runtime/JSArray.h:
3203         * runtime/JSArrayInlines.h:
3204         (JSC::JSArray::canDoFastIndexedAccess):
3205         (JSC::toLength):
3206         * runtime/JSCJSValueInlines.h:
3207         (JSC::JSValue::JSValue):
3208         * runtime/JSGlobalObject.h:
3209         * runtime/JSGlobalObjectInlines.h:
3210         (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
3211         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
3212         * runtime/MathCommon.h:
3213         (JSC::canBeStrictInt32):
3214         (JSC::canBeInt32):
3215
3216 2018-09-19  Michael Saboff  <msaboff@apple.com>
3217
3218         Add functions to measure memory footprint to JSC
3219         https://bugs.webkit.org/show_bug.cgi?id=189768
3220
3221         Reviewed by Saam Barati.
3222
3223         Provide system memory metrics for the current process to aid in memory reduction measurement and
3224         tuning using native JS tests.
3225
3226         * jsc.cpp:
3227         (MemoryFootprint::now):
3228         (MemoryFootprint::resetPeak):
3229         (GlobalObject::finishCreation):
3230         (JSCMemoryFootprint::JSCMemoryFootprint):
3231         (JSCMemoryFootprint::createStructure):
3232         (JSCMemoryFootprint::create):
3233         (JSCMemoryFootprint::finishCreation):
3234         (JSCMemoryFootprint::addProperty):
3235         (functionResetMemoryPeak):
3236
3237 2018-09-19  Saam barati  <sbarati@apple.com>
3238
3239         CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
3240         https://bugs.webkit.org/show_bug.cgi?id=189703
3241
3242         Reviewed by Mark Lam.
3243
3244         This fixes a crash that a TypeProfiler change revealed.
3245
3246         * dfg/DFGSpeculativeJIT64.cpp:
3247         (JSC::DFG::SpeculativeJIT::compile):
3248
3249 2018-09-19  Saam barati  <sbarati@apple.com>
3250
3251         AI rule for MultiPutByOffset executes its effects in the wrong order
3252         https://bugs.webkit.org/show_bug.cgi?id=189757
3253         <rdar://problem/43535257>
3254
3255         Reviewed by Michael Saboff.
3256
3257         The AI rule for MultiPutByOffset was executing effects in the wrong order.
3258         It first executed the transition effects and the effects on the base, and
3259         then executed the filtering effects on the value being stored. However, you
3260         can end up with the wrong type when the base and the value being stored
3261         are the same, e.g., in a program like `o.f = o`. These effects need to happen
3262         in the opposite order, modeling what happens in the runtime execution of
3263         MultiPutByOffset.
3264
3265         * dfg/DFGAbstractInterpreterInlines.h:
3266         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
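
The ordering problem in this entry, as an added toy model that is not the DFG abstract interpreter: structures are plain integers, an abstract value is the set of structures a node's object may have, and a `Variant` (a made-up stand-in for a put variant) says which base structures it applies to, which structures the stored value is filtered to, and whether the base transitions to a new structure. With `o.f = o` the base and the stored value are the same node, so transitioning the base before filtering the value filters against structures the base no longer has and the abstract value collapses to empty, which the interpreter reads as a contradiction; filtering the value first and transitioning afterwards matches the runtime. The `aliasedPut` and `distinctPut` scenarios are constructed for the example.

```cpp
// Toy abstract interpreter for a MultiPutByOffset-style node. This is an
// added illustration, not JavaScriptCore's DFG code: structures are plain
// integers and an abstract value is just the set of structures a node's
// object may have.
#include <algorithm>
#include <iostream>
#include <iterator>
#include <map>
#include <set>
#include <string>
#include <vector>

using StructureID = int;
using StructureSet = std::set<StructureID>;
// Abstract state: DFG node name -> structures its value may have.
using AbstractState = std::map<std::string, StructureSet>;

// One put variant (hypothetical shape): applies when the base has one of
// oldStructures; the stored value is filtered to valueFilter; a transition
// variant moves the base to newStructure.
struct Variant {
    StructureSet oldStructures;
    StructureSet valueFilter;
    bool isTransition;
    StructureID newStructure;
};

enum class EffectOrder { BaseThenValue /* the bug */, ValueThenBase /* the fix */ };

struct Outcome {
    StructureSet base;
    StructureSet value;
    bool contradiction; // an abstract value became empty: AI would treat this path as dead
};

static StructureSet intersect(const StructureSet& a, const StructureSet& b)
{
    StructureSet out;
    std::set_intersection(a.begin(), a.end(), b.begin(), b.end(), std::inserter(out, out.begin()));
    return out;
}

Outcome executeMultiPutByOffset(AbstractState state, const std::string& baseNode,
    const std::string& valueNode, const std::vector<Variant>& variants, EffectOrder order)
{
    StructureSet newBaseSet;  // structures the base may have after the put
    StructureSet valueFilter; // structures the stored value must have
    for (const Variant& v : variants) {
        StructureSet applicable = intersect(v.oldStructures, state[baseNode]);
        if (applicable.empty())
            continue;
        if (v.isTransition)
            newBaseSet.insert(v.newStructure);
        else
            newBaseSet.insert(applicable.begin(), applicable.end());
        valueFilter.insert(v.valueFilter.begin(), v.valueFilter.end());
    }

    auto applyBaseEffects = [&] { state[baseNode] = newBaseSet; };
    auto applyValueEffects = [&] { state[valueNode] = intersect(state[valueNode], valueFilter); };

    if (order == EffectOrder::BaseThenValue) {
        applyBaseEffects();  // base transitions first...
        applyValueEffects(); // ...then the (possibly aliased) value is filtered against old structures
    } else {
        applyValueEffects(); // filter the value as it is before the put...
        applyBaseEffects();  // ...then transition the base, as the runtime does
    }

    bool contradiction = state[baseNode].empty() || state[valueNode].empty();
    return { state[baseNode], state[valueNode], contradiction };
}

// `o.f = o`: base and value are the same node (constructed scenario).
Outcome aliasedPut(EffectOrder order)
{
    AbstractState state { { "o", { 1 } } };
    std::vector<Variant> variants { { { 1 }, { 1 }, true, 2 } };
    return executeMultiPutByOffset(state, "o", "o", variants, order);
}

// `o.f = p`: distinct nodes; both orders agree (constructed scenario).
Outcome distinctPut(EffectOrder order)
{
    AbstractState state { { "o", { 1 } }, { "p", { 1, 3 } } };
    std::vector<Variant> variants { { { 1 }, { 1 }, true, 2 } };
    return executeMultiPutByOffset(state, "o", "p", variants, order);
}

int main()
{
    Outcome buggy = aliasedPut(EffectOrder::BaseThenValue);
    Outcome fixed = aliasedPut(EffectOrder::ValueThenBase);
    std::cout << "o.f = o, base-then-value: contradiction=" << buggy.contradiction << "\n";
    std::cout << "o.f = o, value-then-base: contradiction=" << fixed.contradiction
              << " base structure=" << *fixed.base.begin() << "\n";
    return 0;
}
```

The non-aliased scenario is the regression check: any reordering of AI effects must leave the common `o.f = p` case unchanged, while the aliased case is the one where the two orders diverge.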
3267
3268 2018-09-18  Mark Lam  <mark.lam@apple.com>
3269
3270         Ensure that ForInContexts are invalidated if their loop local is over-written.
3271         https://bugs.webkit.org/show_bug.cgi?id=189571
3272         <rdar://problem/44402277>
3273
3274         Reviewed by Saam Barati.
3275
3276         Instead of hunting down every place in the BytecodeGenerator that potentially
3277         needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
3278         the bytecode range of the loop body when the ForInContext is popped, and
3279         invalidate the context if we ever find the loop temp variable over-written.
3280
3281         This has 2 benefits:
3282         1. It ensures that every type of opcode that can write to the loop temp will be
3283            handled appropriately, not just the op_mov that we've hunted down.
3284         2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
3285            every time we emit an op_mov (or other opcodes that can write to a local)
3286            even when we're not inside a for-in loop.
3287
3288         JSC benchmarks show that this change is performance neutral.
3289
3290         * bytecompiler/BytecodeGenerator.cpp:
3291         (JSC::BytecodeGenerator::pushIndexedForInScope):
3292         (JSC::BytecodeGenerator::popIndexedForInScope):
3293         (JSC::BytecodeGenerator::pushStructureForInScope):
3294         (JSC::BytecodeGenerator::popStructureForInScope):
3295         (JSC::ForInContext::finalize):
3296         (JSC::StructureForInContext::finalize):
3297         (JSC::IndexedForInContext::finalize):
3298         (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
3299         * bytecompiler/BytecodeGenerator.h:
3300         (JSC::ForInContext::ForInContext):
3301         (JSC::ForInContext::bodyBytecodeStartOffset const):
3302         (JSC::StructureForInContext::StructureForInContext):
3303         (JSC::IndexedForInContext::IndexedForInContext):
3304         * bytecompiler/NodesCodegen.cpp:
3305         (JSC::PostfixNode::emitResolve):
3306         (JSC::PrefixNode::emitResolve):
3307         (JSC::ReadModifyResolveNode::emitBytecode):
3308         (JSC::AssignResolveNode::emitBytecode):
3309         (JSC::EmptyLetExpression::emitBytecode):
3310         (JSC::ForInNode::emitLoopHeader):
3311         (JSC::ForOfNode::emitBytecode):
3312         (JSC::BindingNode::bindValue const):
3313         (JSC::AssignmentElementNode::bindValue const):
3314         * runtime/CommonSlowPaths.cpp:
3315         (JSC::SLOW_PATH_DECL):
3316
3317 2018-09-17  Devin Rousso  <drousso@apple.com>
3318
3319         Web Inspector: generate CSSKeywordCompletions from backend values
3320         https://bugs.webkit.org/show_bug.cgi?id=189041
3321
3322         Reviewed by Joseph Pecoraro.
3323
3324         * inspector/protocol/CSS.json:
3325         Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.
3326
3327 2018-09-17  Saam barati  <sbarati@apple.com>
3328
3329         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3330         https://bugs.webkit.org/show_bug.cgi?id=189676
3331         <rdar://problem/39682897>
3332
3333         Reviewed by Michael Saboff.
3334
3335         Because the incoming value may be TDZ, CheckStructure may end up crashing.
3336         Since the Type Profile does not currently record TDZ values in any of its
3337         data structures, this is not a semantic change in how it will show you data.
3338         It just fixes crashes when we emit a CheckStructure and the incoming value
3339         is TDZ.
3340
3341         * dfg/DFGFixupPhase.cpp:
3342         (JSC::DFG::FixupPhase::fixupNode):
3343         * dfg/DFGNode.h:
3344         (JSC::DFG::Node::convertToCheckStructureOrEmpty):
3345
3346 2018-09-17  Darin Adler  <darin@apple.com>
3347
3348         Use OpaqueJSString rather than JSRetainPtr inside WebKit
3349         https://bugs.webkit.org/show_bug.cgi?id=189652
3350
3351         Reviewed by Saam Barati.
3352
3353         * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
3354         JSStringRef.h.
3355
3356         * API/JSContext.mm:
3357         (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
3358         than JSStringCreateWithCFString, simplifying the code and also obviating the
3359         need for explicit JSStringRelease.
3360         (-[JSContext setName:]): Ditto.
3361
3362         * API/JSStringRef.cpp:
3363         (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
3364         It seems that additional optimization is possible, obviating the need to allocate
3365         an OpaqueJSString, but that's true almost everywhere else in this patch, too.
3366
3367         * API/JSValue.mm:
3368         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
3369         OpaqueJSString::create and adoptRef as appropriate.
3370         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
3371         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
3372         (performPropertyOperation): Ditto.
3373         (-[JSValue invokeMethod:withArguments:]): Ditto.
3374         (valueToObjectWithoutCopy): Ditto.
3375         (containerValueToObject): Ditto.
3376         (valueToString): Ditto.
3377         (objectToValueWithoutCopy): Ditto.
3378         (objectToValue): Ditto.
3379
3380 2018-09-08  Darin Adler  <darin@apple.com>
3381
3382         Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
3383         https://bugs.webkit.org/show_bug.cgi?id=189455
3384
3385         Reviewed by Keith Miller.
3386
3387         * API/JSObjectRef.cpp:
3388         (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
3389         JSRetainPtr<JSStringRef>.
3390         (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
3391         adopt constructor.
3392         (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
3393         the array elements are now Ref.
3394
3395         * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
3396         it only works for two specific unrelated types, JSStringRef and
3397         JSGlobalContextRef. Simplified the default constructor using data
3398         member initialization. Prepared to make the adopt constructor private
3399         (got everything compiling that way, then made it public again so that
3400         Apple internal software will still build). Got rid of unneeded
3401         templated constructor and assignment operator, since they're not relevant
3402         given that there is no inheritance between JSRetainPtr template types.
3403         Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
3404         Added move constructor and move assignment operator for slightly better
3405         performance. Simplified implementations of various member functions
3406         so they are more obviously correct, by using leakPtr in more of them
3407         and using std::exchange to make the flow of values more obvious.
3408
3409         * API/JSValue.mm:
3410         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
3411         missing JSStringRelease to fix a leak.
3412