735e5363f06bc1d6aec53e702004a7498a8b2307
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-09-19  Mark Lam  <mark.lam@apple.com>

        Rename VMInspector::m_list to m_vmList.
        https://bugs.webkit.org/show_bug.cgi?id=202015

        Reviewed by Yusuke Suzuki.

        m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
        it from other m_lists in the code base.

        * tools/VMInspector.cpp:
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        * tools/VMInspector.h:
        (JSC::VMInspector::iterate):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Reduce the number of required tag bits for the JSValue.
        https://bugs.webkit.org/show_bug.cgi?id=201990

        Reviewed by Yusuke Suzuki.

        We're reducing the number of tag bits to 15.  It should just work.

        How did we arrive at 15 bits?
        ============================
        Currently, the minimum number of top bits used by doubles is 13-bits.  The
        highest double bit encodings are:

            "negative" pureNaN: starts with 0xfff8
            negative infinity:  starts with 0xfff0
            highest number:     starts with 0xffe*
            lowest number:      starts with 0x0000

        Requirements:
        1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints
           (all 1s at the top).

        2. We want to be able to add an offset to double bits and ensure that they never
           end up in the ranges for pointers and ints.

        3. The int tag must be higher than whatever value is produced in the top bits
           when boxing a double.  We have code that relies on this relationship being
           true and checks if a JSValue is an int by checking if the tag bits are above
           or equal to the int tag.

        4. We don't want to burn more than 2 CPU registers for tag / mask registers.

        Based on the bit encoding of doubles, the full number range of the top 13 bits
        is used in valid double numbers.  This means the minimum tag bits must be greater
        than 13.

        Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
        0x0004.  With this encoding,
            "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc

        i.e. the top 14 bits are all set.  This conflicts with the int number range.

        Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
        with 0x0002.  With this encoding:
            "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
            negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2

        i.e. 0xfffe (top 15 bits set) is available to represent ints.  This is the encoding
        that we'll adopt in this patch.

        Alternate encoding schemes to consider in the future:
        =====================================================
        1. If we're willing and able to purifyNaN at all the places that can produce a
           "negative" pureNaN, e.g. after a division, then we can remove the "negative"
           pureNaN as a valid double bit encoding.  With this, we can now box doubles
           with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
           0x0004.

           With this encoding, the top double, negative infinity, is encoded as follows:

                negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4

           i.e. leaving 0xfffc as the tag for ints.

           We didn't adopt this scheme at this time because it adds complexity, and may
           have performance impact from the extra purifyNaN checks.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202002

        2. If we're willing to use 3 tag registers or always materialize one of them, we
           can also adopt a 14-bit tag as follows:

               Pointer {  0000:PPPP:PPPP:PPPP
                        / 0002:****:****:****
               Double  {         ...
                        \ FFFC:****:****:****
               Integer {  FFFF:0000:IIII:IIII

           where ...
               NumberMask is 0xfffc: if any bits are set in the top 14 bits, the value is a number.
               IntMask is 0xffff: value is int if value & IntMask == IntMask.
               NotCellMask is NumberMask | OtherTag.

           Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
           a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
           still less than 0xffff.

           We didn't adopt this scheme at this time because it adds complexity and may
           have a performance impact from either burning another register, or materializing
           the 3rd mask.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202005

        * runtime/JSCJSValue.h:

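The 15-bit tag encoding worked out in the entry above, as an added C example (not JSC's own code): it models boxing, unboxing and the type predicates with the constants the entry names (NumberTag, DoubleEncodeOffset, DoubleEncodeOffsetBit, NotCellMask), and generalises the 13/14/15-bit walkthrough into a check that reports, for any tag width, whether the boundary double patterns the entry lists collide with the pointer or int ranges. OtherTag = 0x2 and pureNaN = 0x7ff8000000000000 are assumed to match JSC, and purifying NaNs inside box_double is a simplification of where JSC does it.

```c
#include <float.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as the entry describes them: a 15-bit tag, so the int tag is the
 * top 15 bits set (starts with 0xfffe) and DoubleEncodeOffset is 1 << 49
 * (starts with 0x0002). OtherTag = 0x2 and the pureNaN bit pattern are
 * assumptions chosen to match JSC. */
#define NUMBER_TAG               0xfffe000000000000ull
#define DOUBLE_ENCODE_OFFSET_BIT 49
#define DOUBLE_ENCODE_OFFSET     (1ull << DOUBLE_ENCODE_OFFSET_BIT)
#define OTHER_TAG                0x2ull
#define NOT_CELL_MASK            (NUMBER_TAG | OTHER_TAG)
#define PURE_NAN_BITS            0x7ff8000000000000ull

typedef uint64_t EncodedJSValue;

static uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* Canonicalise every NaN to pureNaN so no NaN payload can look like another tag
 * (JSC does this at the sites that can produce impure NaNs; here it is in the boxer). */
double purify_nan(double d) { return d != d ? bits_to_double(PURE_NAN_BITS) : d; }

EncodedJSValue box_double(double d) { return double_to_bits(purify_nan(d)) + DOUBLE_ENCODE_OFFSET; }
double unbox_double(EncodedJSValue v) { return bits_to_double(v - DOUBLE_ENCODE_OFFSET); }
EncodedJSValue box_int32(int32_t i) { return NUMBER_TAG | (uint32_t)i; }
int32_t unbox_int32(EncodedJSValue v) { return (int32_t)(uint32_t)v; }

/* Type predicates. Requirement 3 in the entry: a value is an int iff its tag
 * bits are >= the int tag, which the mask test expresses because the int tag
 * is the highest possible top-15-bit pattern. */
int is_int32(EncodedJSValue v)  { return (v & NUMBER_TAG) == NUMBER_TAG; }
int is_number(EncodedJSValue v) { return (v & NUMBER_TAG) != 0; }
int is_double(EncodedJSValue v) { return is_number(v) && !is_int32(v); }
int is_cell(EncodedJSValue v)   { return (v & NOT_CELL_MASK) == 0; }

/* Generalised from the entry's walkthrough: with a tag of tag_bits, the offset
 * is 1 << (64 - tag_bits) and the int tag is the top tag_bits set. Returns 1 if
 * every boundary double pattern boxes to something that is neither a pointer
 * (top bits all 0) nor an int (top bits all 1), 0 if any pattern collides. */
int tag_scheme_is_sound(int tag_bits) {
    uint64_t offset = 1ull << (64 - tag_bits);
    uint64_t tag = ~0ull << (64 - tag_bits);
    const uint64_t boundary[] = {
        0xfff8000000000000ull,    /* "negative" pureNaN: highest double pattern */
        0xfff0000000000000ull,    /* negative infinity */
        double_to_bits(-DBL_MAX), /* highest finite magnitude, starts with 0xffef */
        double_to_bits(DBL_MAX),  /* starts with 0x7fef */
        PURE_NAN_BITS,            /* positive pureNaN */
        double_to_bits(DBL_MIN),  /* smallest normal */
        0x0000000000000000ull,    /* +0.0: lowest double pattern */
    };
    for (size_t i = 0; i < sizeof boundary / sizeof boundary[0]; i++) {
        uint64_t boxed = boundary[i] + offset; /* wraps mod 2^64, as the JIT add does */
        if ((boxed & tag) == 0)   return 0;    /* landed in the pointer range */
        if ((boxed & tag) == tag) return 0;    /* landed in the int range */
    }
    return 1;
}

int main(void) {
    for (int bits = 13; bits <= 16; bits++)
        printf("%2d-bit tag: %s\n", bits, tag_scheme_is_sound(bits) ? "sound" : "collides");
    EncodedJSValue v = box_double(-1.5);
    printf("box(-1.5) = 0x%016llx is_double=%d is_int32=%d is_cell=%d\n",
           (unsigned long long)v, is_double(v), is_int32(v), is_cell(v));
    return 0;
}
```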
2019-09-19  Mark Lam  <mark.lam@apple.com>

        Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
        https://bugs.webkit.org/show_bug.cgi?id=201989

        Reviewed by Saam Barati.

        This patch only unindents the code to get it back to compliant formatting.
        There is no actual code change.

        * runtime/JSNonDestructibleProxy.h:
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):

2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>

        Syntax checker should report duplicate __proto__ properties
        https://bugs.webkit.org/show_bug.cgi?id=201897
        <rdar://problem/53201788>

        Reviewed by Mark Lam.

        Currently we have two ways of parsing object literals:
        - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
          it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
          but it won't store them in the Property object that it creates for each parsed property. This
          method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters.
        - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters
          as stated above. This will always allocate string literals as well as identifiers and store them in
          the Property object, even during syntax checking.

        From looking at the history, it seems that there was a distinction between these two methods:
        parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
        getters/setters or properties defined as both getters/setters and constants. That distinction
        was removed and the only distinction that remained was whether we build strings and store the
        strings and properties as part of the Property object created by SyntaxChecker::createProperty.
        However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
        __proto__ properties in object literals even in sloppy mode, which means that we do need to build
        the strings and identifiers and store them as part of the Property objects.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
        * parser/Parser.h:

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Remove a now unnecessary hack to work around static const needing external linkage.
        https://bugs.webkit.org/show_bug.cgi?id=201988

        Reviewed by Saam Barati.

        MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
        inlinable.

        * b3/B3Common.cpp:
        (JSC::B3::pinnedExtendedOffsetAddrRegister):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Replace JSValue #defines with static constexpr values.
        https://bugs.webkit.org/show_bug.cgi?id=201966

        Reviewed by Yusuke Suzuki.

        static constexpr is the modern C++ way to define these constants.

        Some of the values are typed int64_t and some are int32_t.  The original #define
        values are int64_t.  Hence, we adopt int64_t as the default type to use here.

        However, some of these constants are being used as 32-bit values, and the code
        was static_cast'ing them into int32_t.  These constants are all the small
        values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
        so that we don't have to keep casting them.  In the few places where they are
        used as int64_t, they will automatically get up-cast anyway.

        In this patch, we also did the following:

        1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
           basically using it to filter out cells like this:

              if (value & NotCellMask) then goto handleNotCellCase;

        2. Renamed TagTypeNumber to NumberTag for a shorter name.

           Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
           They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.

        3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value
           as a literal constant.  We now define DoubleEncodeOffset based on
           DoubleEncodeOffsetBit, ensuring consistency.

        4. Introduced MiscTag so that clients don't have to put this set of tags together
           themselves.

        5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
           captures these values correctly with constexpr statements.  These static
           asserts were holdovers from the old days back when we had to define LLInt
           constant values manually, and we needed a mechanism to detect when the values
           have changed in the source.

        6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.

        7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset
           constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
           to do this for ARM64 because the constant can be loaded efficiently with a single
           MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
           the target register.

        * assembler/AbortReason.h:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileInt52Compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCell):
        (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
        (JSC::FTL::DFG::LowerDFGToB3::isOther):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (JSC::FTL::compileStub):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfCell):
        (JSC::AssemblyHelpers::branchIfOther):
        (JSC::AssemblyHelpers::branchIfNotOther):
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::boxDouble):
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::boxInt52):
        (JSC::AssemblyHelpers::boxBooleanPayload):
        (JSC::AssemblyHelpers::boxInt32):
        * jit/CallFrameShuffleData.h:
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::CallFrameShuffler):
        (JSC::CallFrameShuffler::dump const):
        (JSC::CallFrameShuffler::prepareAny):
        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::getFreeRegister const):
        * jit/CallFrameShuffler64.cpp:
        (JSC::CallFrameShuffler::emitBox):
        (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
        (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
        * jit/GPRInfo.h:
        (JSC::GPRInfo::reservedRegisters):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITBitAndGenerator.cpp:
        (JSC::JITBitAndGenerator::generateFastPath):
        * jit/JITBitOrGenerator.cpp:
        (JSC::JITBitOrGenerator::generateFastPath):
        * jit/JITBitXorGenerator.cpp:
        (JSC::JITBitXorGenerator::generateFastPath):
        * jit/JITCall.cpp:
        (JSC::JIT::compileTailCall):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITInlines.h:
        (JSC::JIT::emitPatchableJumpIfNotInt):
        * jit/JITLeftShiftGenerator.cpp:
        (JSC::JITLeftShiftGenerator::generateFastPath):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_undefined_or_null):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jundefined_or_null):
        (JSC::JIT::emit_op_jnundefined_or_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::runtimeTagRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        (JSC::absThunkGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/cloop.rb:
        * offlineasm/x86.rb:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isUndefinedOrNull const):
        (JSC::JSValue::isCell const):
        (JSC::JSValue::isInt32 const):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::asDouble const):
        (JSC::JSValue::isNumber const):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-09-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: Better handling for large arrays and collections in Object Trees
        https://bugs.webkit.org/show_bug.cgi?id=143589
        <rdar://problem/16135388>

        Reviewed by Joseph Pecoraro.

        Adds two buttons before the "Prototype" item in expanded object/collection previews:
         - Show %d More
         - Show All (%d More)

        The default `fetchCount` increment is `100`. The first button will only be shown if there
        are more than `100` items remaining (haven't been shown).

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.getProperties):
        (InjectedScript.prototype.getDisplayableProperties):
        (InjectedScript.prototype.getCollectionEntries):
        (InjectedScript.prototype._getProperties):
        (InjectedScript.prototype._internalPropertyDescriptors):
        (InjectedScript.prototype._propertyDescriptors):
        (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
        (InjectedScript.prototype._propertyDescriptors.processProperties):
        (InjectedScript.prototype._getSetEntries):
        (InjectedScript.prototype._getMapEntries):
        (InjectedScript.prototype._getWeakMapEntries):
        (InjectedScript.prototype._getWeakSetEntries):
        (InjectedScript.prototype._getIteratorEntries):
        (InjectedScript.prototype._entries):
        (RemoteObject.prototype._generatePreview):
        (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
        Don't include boolean property descriptor values if they are `false`.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getCollectionEntries):

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::asInt): Added.
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):

        * inspector/protocol/Runtime.json:
        Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
        Mark boolean properties as optional so they can be omitted if `false`.

2019-09-18  Joonghun Park  <pjh0718@gmail.com>

        Unreviewed. Remove build warning since r249976.

        No new tests, no behavioral changes.

        This patch removes the build warning below.
        warning: control reaches end of non-void function [-Wreturn-type]

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked const):

2019-09-18  Saam Barati  <sbarati@apple.com>

        TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=201953
        <rdar://problem/53803524>

        Reviewed by Yusuke Suzuki.

        We had code in DFGSpeculativeJIT like:

        if (!globalObject->isHavingABadTime()) {
            <-- here -->
            Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
            assert 's' has expected indexing type
        }

        The problem is, we may have a bad time before we actually load the structure
        inside the if. We may have a bad time while we're at the "<-- here -->" in the
        above program. The fix is to first load the structure, then check if we're
        having a bad time. If we're still not having a bad time, it's valid to assert
        things about the structure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArray):

2019-09-18  Chris Dumez  <cdumez@apple.com>

        Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
        https://bugs.webkit.org/show_bug.cgi?id=201947
        <rdar://problem/55453612>

        Reviewed by Mark Lam.

        Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
        but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
        <https://trac.webkit.org/changeset/249064>.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):

2019-09-18  Saam Barati  <sbarati@apple.com>

        Phantom insertion phase may disagree with arguments forwarding about live ranges
        https://bugs.webkit.org/show_bug.cgi?id=200715
        <rdar://problem/54301717>

        Reviewed by Yusuke Suzuki.

        The issue is that Phantom insertion phase was disagreeing about live ranges
        from the arguments forwarding phase. The effect is that Phantom insertion
        would insert a Phantom creating a longer live range than what arguments
        forwarding was analyzing. Arguments forwarding will look for the last DFG
        use or the last bytecode use of a variable it wants to eliminate. It then
        does an interference analysis to ensure that nothing clobbers other variables
        it needs to recover the sunken allocation during OSR exit.

        Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
        in the current epoch, there is no need to insert a phantom for it. We
        determine where we might need a Phantom by looking at bytecode kills. In this
        analysis, we have a mapping from bytecode local to DFG node. However, we
        sometimes forgot to remove the entry when a local is killed. So, if the first
        kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
        However, if the variable gets killed again, we might errantly insert a Phantom
        for the prior variable which should've already been killed. The solution is to
        clear the entry in our mapping when a variable is killed.

        The program in question was like this:

        1: DirectArguments
        ...
        2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
        ...
        clobber things needed for recovery
        ...

        Arguments elimination would transform the program since between @1 and
        @2, nothing clobbers values needed for exit and nothing escapes @1. The
        program becomes:

        1: PhantomDirectArguments
        ...
        2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
        ...
        clobber things needed for recovery of @1
        ...

        Phantom insertion would then transform the program into:

        1: PhantomDirectArguments
        ...
        2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
        ...
        clobber things needed for recovery of @1
        ...
        3: Phantom(@1)
        ...

        This is wrong because Phantom insertion and arguments forwarding must agree on live
        ranges, otherwise the interference analysis performed by arguments forwarding will
        not correctly analyze up until where the value might be recovered.

        * dfg/DFGPhantomInsertionPhase.cpp:

2019-09-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r250002.
        https://bugs.webkit.org/show_bug.cgi?id=201943

        Patching of the callee and call is not atomic (Requested by
        tadeuzagallo on #webkit).

        Reverted changeset:

        "Change WebAssembly calling conventions"
        https://bugs.webkit.org/show_bug.cgi?id=201799
        https://trac.webkit.org/changeset/250002

608 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         [JSC] Generator should have internal fields
611         https://bugs.webkit.org/show_bug.cgi?id=201159
612
613         Reviewed by Keith Miller.
614
615         This patch makes generator's internal states InternalField instead of private properties.
616         Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures.
617         As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.
618
619         If we make these structures adaptively poly-proto, some generators get poly-proto structures while others are not, resulting
620         in megamorphic lookup in Generator.prototype.next. If we make all the generator's structure poly-proto, it makes Generator.prototype.next
621         lookup suboptimal for now.
622
623         In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal
624         states. We extend promise-internal-field access bytecodes to access to these fields from bytecode so that Generator.prototype.next can access
625         these fields without using megamorphic get_by_id_direct.
626
627         And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.
628
629         We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
630         JSGenerator still can offer the way to access to the same Generator internal fields with the same offset while poly-proto JSGenerator can get offset = 0
631         inline-storage slot for PolyProto implementation.
632
633         This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
634         In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.
635
636         This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.
637
638         This patch includes several design decisions.
639
640             1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
641             2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
642                support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
643             3. We can support arbitrarily sized inline storage: reserve offsets 0-5 for internal fields, and start putting all the other things in the subsequent inline-storage slots. But for now,
644                we are not taking this approach just because I'm not sure this is necessary. If we find such a pattern, we can easily extend the current one, but for now I would like to keep
645                this patch simple.
646
647         * JavaScriptCore.xcodeproj/project.pbxproj:
648         * Sources.txt:
649         * builtins/AsyncFunctionPrototype.js:
650         (globalPrivate.asyncFunctionResume):
651         * builtins/GeneratorPrototype.js:
652         (globalPrivate.generatorResume):
653         (next):
654         (return):
655         (throw):
656         * bytecode/BytecodeGeneratorification.cpp:
657         (JSC::BytecodeGeneratorification::run):
658         * bytecode/BytecodeIntrinsicRegistry.cpp:
659         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
660         * bytecode/BytecodeIntrinsicRegistry.h:
661         * bytecode/BytecodeList.rb:
662         * bytecode/BytecodeUseDef.h:
663         (JSC::computeUsesForBytecodeOffset):
664         (JSC::computeDefsForBytecodeOffset):
665         * bytecode/CodeBlock.cpp:
666         (JSC::CodeBlock::finishCreation):
667         (JSC::CodeBlock::finalizeLLIntInlineCaches):
668         * bytecode/SpeculatedType.cpp:
669         (JSC::speculationFromJSType):
670         * bytecode/SpeculatedType.h:
671         * bytecompiler/BytecodeGenerator.cpp:
672         (JSC::BytecodeGenerator::BytecodeGenerator):
673         (JSC::BytecodeGenerator::emitPutGeneratorFields):
674         (JSC::BytecodeGenerator::emitCreateGenerator):
675         (JSC::BytecodeGenerator::emitNewGenerator):
676         (JSC::BytecodeGenerator::emitYield):
677         (JSC::BytecodeGenerator::emitDelegateYield):
678         (JSC::BytecodeGenerator::emitGeneratorStateChange):
679         * bytecompiler/BytecodeGenerator.h:
680         (JSC::BytecodeGenerator::emitIsGenerator):
681         (JSC::BytecodeGenerator::generatorStateRegister):
682         (JSC::BytecodeGenerator::generatorValueRegister):
683         (JSC::BytecodeGenerator::generatorResumeModeRegister):
684         (JSC::BytecodeGenerator::generatorFrameRegister):
685         * bytecompiler/NodesCodegen.cpp:
686         (JSC::generatorInternalFieldIndex):
687         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
688         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
689         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
690         (JSC::FunctionNode::emitBytecode):
691         * dfg/DFGAbstractInterpreterInlines.h:
692         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
693         * dfg/DFGByteCodeParser.cpp:
694         (JSC::DFG::ByteCodeParser::parseBlock):
695         * dfg/DFGCapabilities.cpp:
696         (JSC::DFG::capabilityLevel):
697         * dfg/DFGClobberize.h:
698         (JSC::DFG::clobberize):
699         * dfg/DFGClobbersExitState.cpp:
700         (JSC::DFG::clobbersExitState):
701         * dfg/DFGConstantFoldingPhase.cpp:
702         (JSC::DFG::ConstantFoldingPhase::foldConstants):
703         * dfg/DFGDoesGC.cpp:
704         (JSC::DFG::doesGC):
705         * dfg/DFGFixupPhase.cpp:
706         (JSC::DFG::FixupPhase::fixupNode):
707         (JSC::DFG::FixupPhase::fixupIsCellWithType):
708         * dfg/DFGGraph.cpp:
709         (JSC::DFG::Graph::dump):
710         * dfg/DFGNode.h:
711         (JSC::DFG::Node::convertToNewGenerator):
712         (JSC::DFG::Node::speculatedTypeForQuery):
713         (JSC::DFG::Node::hasStructure):
714         * dfg/DFGNodeType.h:
715         * dfg/DFGOperations.cpp:
716         * dfg/DFGOperations.h:
717         * dfg/DFGPredictionPropagationPhase.cpp:
718         * dfg/DFGSafeToExecute.h:
719         (JSC::DFG::safeToExecute):
720         * dfg/DFGSpeculativeJIT.cpp:
721         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
722         (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
723         (JSC::DFG::SpeculativeJIT::compileNewGenerator):
724         * dfg/DFGSpeculativeJIT.h:
725         * dfg/DFGSpeculativeJIT32_64.cpp:
726         (JSC::DFG::SpeculativeJIT::compile):
727         * dfg/DFGSpeculativeJIT64.cpp:
728         (JSC::DFG::SpeculativeJIT::compile):
729         * dfg/DFGStoreBarrierInsertionPhase.cpp:
730         * ftl/FTLCapabilities.cpp:
731         (JSC::FTL::canCompile):
732         * ftl/FTLLowerDFGToB3.cpp:
733         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
734         (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
735         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
736         (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
737         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
738         * jit/JIT.cpp:
739         (JSC::JIT::privateCompileMainPass):
740         (JSC::JIT::privateCompileSlowCases):
741         * jit/JITOperations.cpp:
742         * jit/JITOperations.h:
743         * jit/JITPropertyAccess.cpp:
744         (JSC::JIT::emit_op_get_internal_field):
745         (JSC::JIT::emit_op_put_internal_field):
746         * llint/LowLevelInterpreter.asm:
747         * runtime/CommonSlowPaths.cpp:
748         (JSC::SLOW_PATH_DECL):
749         * runtime/CommonSlowPaths.h:
750         * runtime/InternalFunction.cpp:
751         (JSC::InternalFunction::createSubclassStructureSlow):
752         * runtime/InternalFunction.h:
753         (JSC::InternalFunction::createSubclassStructure):
754         * runtime/JSGenerator.cpp: Added.
755         (JSC::JSGenerator::create):
756         (JSC::JSGenerator::createStructure):
757         (JSC::JSGenerator::JSGenerator):
758         (JSC::JSGenerator::finishCreation):
759         (JSC::JSGenerator::visitChildren):
760         * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
761         * runtime/JSGeneratorFunction.h:
762         * runtime/JSGlobalObject.cpp:
763         (JSC::JSGlobalObject::init):
764         (JSC::JSGlobalObject::visitChildren):
765         * runtime/JSGlobalObject.h:
766         (JSC::JSGlobalObject::generatorStructure const):
767         * runtime/JSType.cpp:
768         (WTF::printInternal):
769         * runtime/JSType.h:
770
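        The following is an added JavaScript illustration; it is not part of this ChangeLog or of JavaScriptCore's sources. It shows the
        observable behaviour the entry above reasons about: every generator function owns a distinct .prototype object, so generators made
        by different generator functions have different [[Prototype]]s (and therefore, in JSC, different Structures), while all of them
        reach the single shared %GeneratorPrototype% whose next() is one callee that sees receivers of many shapes. The generator functions
        countTo, repeat and custom and the helpers prototypeSummary, drain and demo are constructed for this illustration and do not
        correspond to anything in the patch.

```javascript
// Added illustration; not part of the WebKit ChangeLog or of JSC's sources.
// Every generator function has its own .prototype object, so generators
// created by different functions have different [[Prototype]]s, while all
// of them inherit the same next/return/throw from %GeneratorPrototype%.

function* countTo(n) { for (let i = 1; i <= n; i++) yield i; }
function* repeat(value, n) { for (let i = 0; i < n; i++) yield value; }
function* custom() { yield "x"; }

// %GeneratorPrototype% is reachable as the [[Prototype]] of any generator
// function's .prototype object (constructed lookup; no engine internals).
const GeneratorPrototype = Object.getPrototypeOf(countTo.prototype);

// User code may even replace a generator function's .prototype; the spec
// only requires it to be an object. Generators created afterwards inherit
// from the replacement, adding yet another shape for next() to handle.
custom.prototype = Object.create(GeneratorPrototype, {
  tag: { value: "custom" },
});

function prototypeSummary(generators) {
  const protos = new Set(generators.map((g) => Object.getPrototypeOf(g)));
  return {
    // One distinct [[Prototype]] per generator *function*, not per generator.
    distinctPrototypes: protos.size,
    // Yet every generator resolves next to the same %GeneratorPrototype%.next.
    allShareNext: generators.every((g) => g.next === GeneratorPrototype.next),
    // Generator state is engine-internal: no own properties are exposed,
    // whether the engine keeps it in private properties or internal fields.
    noOwnKeys: generators.every((g) => Reflect.ownKeys(g).length === 0),
  };
}

// Drive a generator through the shared next() and collect its values,
// mimicking the hot path that sees receivers of many different shapes.
function drain(generator) {
  const values = [];
  for (let step = generator.next(); !step.done; step = generator.next()) {
    values.push(step.value);
  }
  return values;
}

function demo() {
  // Two generators from the same function share one [[Prototype]].
  const gens = [countTo(3), countTo(2), repeat("a", 2), custom()];
  return { summary: prototypeSummary(gens), values: gens.map(drain) };
}
```

        demo() reports three distinct prototypes for four generators, one shared next(), no own keys, and the drained values
        [[1,2,3],[1,2],["a","a"],["x"]].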
771 2019-09-17  Keith Miller  <keith_miller@apple.com>
772
773         Move comment explaining our Options to OptionsList.h
774         https://bugs.webkit.org/show_bug.cgi?id=201891
775
776         Rubber-stamped by Mark Lam.
777
778         We moved the list so we should move the comment.
779
780         * runtime/Options.h:
781         * runtime/OptionsList.h:
782
783 2019-09-17  Keith Miller  <keith_miller@apple.com>
784
785         Elide unnecessary moves in Air O0
786         https://bugs.webkit.org/show_bug.cgi?id=201703
787
788         Reviewed by Saam Barati.
789
790         This patch also removes the code that would try to reuse temps in
791         WasmAirIRGenerator. That code makes it hard to accurately
792         determine where a temp dies as it could be reused again
793         later. Thus every temp may appear to live for a long time in the
794         global ordering.
795
796         This appears to be a minor progression on the overall score of
797         wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.
798
799         This patch also fixes an issue where we didn't ask Patchpoints
800         for early clobber registers when determining what callee saves
801         were used by the program.
802
803         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
804         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
805         * b3/air/AirBasicBlock.h:
806         * b3/air/AirCode.h:
807         * b3/air/AirHandleCalleeSaves.cpp:
808         (JSC::B3::Air::handleCalleeSaves):
809         * b3/air/testair.cpp:
810         * wasm/WasmAirIRGenerator.cpp:
811         (JSC::Wasm::AirIRGenerator::didKill): Deleted.
812         * wasm/WasmB3IRGenerator.cpp:
813         (JSC::Wasm::B3IRGenerator::didKill): Deleted.
814         * wasm/WasmFunctionParser.h:
815         (JSC::Wasm::FunctionParser<Context>::parseBody):
816         (JSC::Wasm::FunctionParser<Context>::parseExpression):
817         * wasm/WasmValidate.cpp:
818         (JSC::Wasm::Validate::didKill): Deleted.
819
820 2019-09-17  Mark Lam  <mark.lam@apple.com>
821
822         Use constexpr instead of const in symbol definitions that are obviously constexpr.
823         https://bugs.webkit.org/show_bug.cgi?id=201879
824
825         Rubber-stamped by Joseph Pecoraro.
826
827         const may require external storage (at the compiler's whim) though these
828         currently do not.  constexpr makes it clear that the value is a literal constant
829         that can be inlined.  In most cases in the code, when we say static const, we
830         actually mean static constexpr.  I'm changing the code to reflect this.
831
832         * API/JSAPIValueWrapper.h:
833         * API/JSCallbackConstructor.h:
834         * API/JSCallbackObject.h:
835         * API/JSContextRef.cpp:
836         * API/JSWrapperMap.mm:
837         * API/tests/CompareAndSwapTest.cpp:
838         * API/tests/TypedArrayCTest.cpp:
839         * API/tests/testapi.mm:
840         (testObjectiveCAPIMain):
841         * KeywordLookupGenerator.py:
842         (Trie.printAsC):
843         * assembler/ARMv7Assembler.h:
844         * assembler/AssemblerBuffer.h:
845         * assembler/AssemblerCommon.h:
846         * assembler/MacroAssembler.h:
847         * assembler/MacroAssemblerARM64.h:
848         * assembler/MacroAssemblerARM64E.h:
849         * assembler/MacroAssemblerARMv7.h:
850         * assembler/MacroAssemblerCodeRef.h:
851         * assembler/MacroAssemblerMIPS.h:
852         * assembler/MacroAssemblerX86.h:
853         * assembler/MacroAssemblerX86Common.h:
854         (JSC::MacroAssemblerX86Common::absDouble):
855         (JSC::MacroAssemblerX86Common::negateDouble):
856         * assembler/MacroAssemblerX86_64.h:
857         * assembler/X86Assembler.h:
858         * b3/B3Bank.h:
859         * b3/B3CheckSpecial.h:
860         * b3/B3DuplicateTails.cpp:
861         * b3/B3EliminateCommonSubexpressions.cpp:
862         * b3/B3FixSSA.cpp:
863         * b3/B3FoldPathConstants.cpp:
864         * b3/B3InferSwitches.cpp:
865         * b3/B3Kind.h:
866         * b3/B3LowerToAir.cpp:
867         * b3/B3NativeTraits.h:
868         * b3/B3ReduceDoubleToFloat.cpp:
869         * b3/B3ReduceLoopStrength.cpp:
870         * b3/B3ReduceStrength.cpp:
871         * b3/B3ValueKey.h:
872         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
873         * b3/air/AirAllocateStackByGraphColoring.cpp:
874         * b3/air/AirArg.h:
875         * b3/air/AirCCallSpecial.h:
876         * b3/air/AirEmitShuffle.cpp:
877         * b3/air/AirFixObviousSpills.cpp:
878         * b3/air/AirFormTable.h:
879         * b3/air/AirLowerAfterRegAlloc.cpp:
880         * b3/air/AirPrintSpecial.h:
881         * b3/air/AirStackAllocation.cpp:
882         * b3/air/AirTmp.h:
883         * b3/testb3_6.cpp:
884         (testInterpreter):
885         * bytecode/AccessCase.cpp:
886         * bytecode/CallLinkStatus.cpp:
887         * bytecode/CallVariant.h:
888         * bytecode/CodeBlock.h:
889         * bytecode/CodeOrigin.h:
890         * bytecode/DFGExitProfile.h:
891         * bytecode/DirectEvalCodeCache.h:
892         * bytecode/ExecutableToCodeBlockEdge.h:
893         * bytecode/GetterSetterAccessCase.cpp:
894         * bytecode/LazyOperandValueProfile.h:
895         * bytecode/ObjectPropertyCondition.h:
896         * bytecode/ObjectPropertyConditionSet.cpp:
897         * bytecode/PolymorphicAccess.cpp:
898         * bytecode/PropertyCondition.h:
899         * bytecode/SpeculatedType.h:
900         * bytecode/StructureStubInfo.cpp:
901         * bytecode/UnlinkedCodeBlock.cpp:
902         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
903         * bytecode/UnlinkedCodeBlock.h:
904         * bytecode/UnlinkedEvalCodeBlock.h:
905         * bytecode/UnlinkedFunctionCodeBlock.h:
906         * bytecode/UnlinkedFunctionExecutable.h:
907         * bytecode/UnlinkedModuleProgramCodeBlock.h:
908         * bytecode/UnlinkedProgramCodeBlock.h:
909         * bytecode/ValueProfile.h:
910         * bytecode/VirtualRegister.h:
911         * bytecode/Watchpoint.h:
912         * bytecompiler/BytecodeGenerator.h:
913         * bytecompiler/Label.h:
914         * bytecompiler/NodesCodegen.cpp:
915         (JSC::ThisNode::emitBytecode):
916         * bytecompiler/RegisterID.h:
917         * debugger/Breakpoint.h:
918         * debugger/DebuggerParseData.cpp:
919         * debugger/DebuggerPrimitives.h:
920         * debugger/DebuggerScope.h:
921         * dfg/DFGAbstractHeap.h:
922         * dfg/DFGAbstractValue.h:
923         * dfg/DFGArgumentsEliminationPhase.cpp:
924         * dfg/DFGByteCodeParser.cpp:
925         * dfg/DFGCSEPhase.cpp:
926         * dfg/DFGCommon.h:
927         * dfg/DFGCompilationKey.h:
928         * dfg/DFGDesiredGlobalProperty.h:
929         * dfg/DFGEdgeDominates.h:
930         * dfg/DFGEpoch.h:
931         * dfg/DFGForAllKills.h:
932         (JSC::DFG::forAllKilledNodesAtNodeIndex):
933         * dfg/DFGGraph.cpp:
934         (JSC::DFG::Graph::isLiveInBytecode):
935         * dfg/DFGHeapLocation.h:
936         * dfg/DFGInPlaceAbstractState.cpp:
937         * dfg/DFGIntegerCheckCombiningPhase.cpp:
938         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
939         * dfg/DFGInvalidationPointInjectionPhase.cpp:
940         * dfg/DFGLICMPhase.cpp:
941         * dfg/DFGLazyNode.h:
942         * dfg/DFGMinifiedID.h:
943         * dfg/DFGMovHintRemovalPhase.cpp:
944         * dfg/DFGNodeFlowProjection.h:
945         * dfg/DFGNodeType.h:
946         * dfg/DFGObjectAllocationSinkingPhase.cpp:
947         * dfg/DFGPhantomInsertionPhase.cpp:
948         * dfg/DFGPromotedHeapLocation.h:
949         * dfg/DFGPropertyTypeKey.h:
950         * dfg/DFGPureValue.h:
951         * dfg/DFGPutStackSinkingPhase.cpp:
952         * dfg/DFGRegisterBank.h:
953         * dfg/DFGSSAConversionPhase.cpp:
954         * dfg/DFGSSALoweringPhase.cpp:
955         * dfg/DFGSpeculativeJIT.cpp:
956         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
957         (JSC::DFG::compileClampDoubleToByte):
958         (JSC::DFG::SpeculativeJIT::compileArithRounding):
959         (JSC::DFG::compileArithPowIntegerFastPath):
960         (JSC::DFG::SpeculativeJIT::compileArithPow):
961         (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
962         * dfg/DFGStackLayoutPhase.cpp:
963         * dfg/DFGStoreBarrierInsertionPhase.cpp:
964         * dfg/DFGStrengthReductionPhase.cpp:
965         * dfg/DFGStructureAbstractValue.h:
966         * dfg/DFGVarargsForwardingPhase.cpp:
967         * dfg/DFGVariableEventStream.cpp:
968         (JSC::DFG::VariableEventStream::reconstruct const):
969         * dfg/DFGWatchpointCollectionPhase.cpp:
970         * disassembler/ARM64/A64DOpcode.h:
971         * ftl/FTLLocation.h:
972         * ftl/FTLLowerDFGToB3.cpp:
973         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
974         * ftl/FTLSlowPathCall.cpp:
975         * ftl/FTLSlowPathCallKey.h:
976         * heap/CellContainer.h:
977         * heap/CellState.h:
978         * heap/ConservativeRoots.h:
979         * heap/GCSegmentedArray.h:
980         * heap/HandleBlock.h:
981         * heap/Heap.cpp:
982         (JSC::Heap::updateAllocationLimits):
983         * heap/Heap.h:
984         * heap/HeapSnapshot.h:
985         * heap/HeapUtil.h:
986         (JSC::HeapUtil::findGCObjectPointersForMarking):
987         * heap/IncrementalSweeper.cpp:
988         * heap/LargeAllocation.h:
989         * heap/MarkedBlock.cpp:
990         * heap/Strong.h:
991         * heap/VisitRaceKey.h:
992         * heap/Weak.h:
993         * heap/WeakBlock.h:
994         * inspector/JSInjectedScriptHost.h:
995         * inspector/JSInjectedScriptHostPrototype.h:
996         * inspector/JSJavaScriptCallFrame.h:
997         * inspector/JSJavaScriptCallFramePrototype.h:
998         * inspector/agents/InspectorConsoleAgent.cpp:
999         * inspector/agents/InspectorRuntimeAgent.cpp:
1000         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1001         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1002         (CppProtocolTypesHeaderGenerator._generate_versions):
1003         * inspector/scripts/tests/generic/expected/version.json-result:
1004         * interpreter/Interpreter.h:
1005         * interpreter/ShadowChicken.cpp:
1006         * jit/BinarySwitch.cpp:
1007         * jit/CallFrameShuffler.h:
1008         * jit/ExecutableAllocator.h:
1009         * jit/FPRInfo.h:
1010         * jit/GPRInfo.h:
1011         * jit/ICStats.h:
1012         * jit/JITThunks.h:
1013         * jit/Reg.h:
1014         * jit/RegisterSet.h:
1015         * jit/TempRegisterSet.h:
1016         * jsc.cpp:
1017         * parser/ASTBuilder.h:
1018         * parser/Nodes.h:
1019         * parser/SourceCodeKey.h:
1020         * parser/SyntaxChecker.h:
1021         * parser/VariableEnvironment.h:
1022         * profiler/ProfilerOrigin.h:
1023         * profiler/ProfilerOriginStack.h:
1024         * profiler/ProfilerUID.h:
1025         * runtime/AbstractModuleRecord.cpp:
1026         * runtime/ArrayBufferNeuteringWatchpointSet.h:
1027         * runtime/ArrayConstructor.h:
1028         * runtime/ArrayConventions.h:
1029         * runtime/ArrayIteratorPrototype.h:
1030         * runtime/ArrayPrototype.cpp:
1031         (JSC::setLength):
1032         * runtime/AsyncFromSyncIteratorPrototype.h:
1033         * runtime/AsyncGeneratorFunctionPrototype.h:
1034         * runtime/AsyncGeneratorPrototype.h:
1035         * runtime/AsyncIteratorPrototype.h:
1036         * runtime/AtomicsObject.cpp:
1037         * runtime/BigIntConstructor.h:
1038         * runtime/BigIntPrototype.h:
1039         * runtime/BooleanPrototype.h:
1040         * runtime/ClonedArguments.h:
1041         * runtime/CodeCache.h:
1042         * runtime/ControlFlowProfiler.h:
1043         * runtime/CustomGetterSetter.h:
1044         * runtime/DateConstructor.h:
1045         * runtime/DatePrototype.h:
1046         * runtime/DefinePropertyAttributes.h:
1047         * runtime/ErrorPrototype.h:
1048         * runtime/EvalExecutable.h:
1049         * runtime/Exception.h:
1050         * runtime/ExceptionHelpers.cpp:
1051         (JSC::invalidParameterInSourceAppender):
1052         (JSC::invalidParameterInstanceofSourceAppender):
1053         * runtime/ExceptionHelpers.h:
1054         * runtime/ExecutableBase.h:
1055         * runtime/FunctionExecutable.h:
1056         * runtime/FunctionRareData.h:
1057         * runtime/GeneratorPrototype.h:
1058         * runtime/GenericArguments.h:
1059         * runtime/GenericOffset.h:
1060         * runtime/GetPutInfo.h:
1061         * runtime/GetterSetter.h:
1062         * runtime/GlobalExecutable.h:
1063         * runtime/Identifier.h:
1064         * runtime/InspectorInstrumentationObject.h:
1065         * runtime/InternalFunction.h:
1066         * runtime/IntlCollatorConstructor.h:
1067         * runtime/IntlCollatorPrototype.h:
1068         * runtime/IntlDateTimeFormatConstructor.h:
1069         * runtime/IntlDateTimeFormatPrototype.h:
1070         * runtime/IntlNumberFormatConstructor.h:
1071         * runtime/IntlNumberFormatPrototype.h:
1072         * runtime/IntlObject.h:
1073         * runtime/IntlPluralRulesConstructor.h:
1074         * runtime/IntlPluralRulesPrototype.h:
1075         * runtime/IteratorPrototype.h:
1076         * runtime/JSArray.cpp:
1077         (JSC::JSArray::tryCreateUninitializedRestricted):
1078         * runtime/JSArray.h:
1079         * runtime/JSArrayBuffer.h:
1080         * runtime/JSArrayBufferView.h:
1081         * runtime/JSBigInt.h:
1082         * runtime/JSCJSValue.h:
1083         * runtime/JSCell.h:
1084         * runtime/JSCustomGetterSetterFunction.h:
1085         * runtime/JSDataView.h:
1086         * runtime/JSDataViewPrototype.h:
1087         * runtime/JSDestructibleObject.h:
1088         * runtime/JSFixedArray.h:
1089         * runtime/JSGenericTypedArrayView.h:
1090         * runtime/JSGlobalLexicalEnvironment.h:
1091         * runtime/JSGlobalObject.h:
1092         * runtime/JSImmutableButterfly.h:
1093         * runtime/JSInternalPromiseConstructor.h:
1094         * runtime/JSInternalPromiseDeferred.h:
1095         * runtime/JSInternalPromisePrototype.h:
1096         * runtime/JSLexicalEnvironment.h:
1097         * runtime/JSModuleEnvironment.h:
1098         * runtime/JSModuleLoader.h:
1099         * runtime/JSModuleNamespaceObject.h:
1100         * runtime/JSNonDestructibleProxy.h:
1101         * runtime/JSONObject.cpp:
1102         * runtime/JSONObject.h:
1103         * runtime/JSObject.h:
1104         * runtime/JSPromiseConstructor.h:
1105         * runtime/JSPromiseDeferred.h:
1106         * runtime/JSPromisePrototype.h:
1107         * runtime/JSPropertyNameEnumerator.h:
1108         * runtime/JSProxy.h:
1109         * runtime/JSScope.h:
1110         * runtime/JSScriptFetchParameters.h:
1111         * runtime/JSScriptFetcher.h:
1112         * runtime/JSSegmentedVariableObject.h:
1113         * runtime/JSSourceCode.h:
1114         * runtime/JSString.cpp:
1115         * runtime/JSString.h:
1116         * runtime/JSSymbolTableObject.h:
1117         * runtime/JSTemplateObjectDescriptor.h:
1118         * runtime/JSTypeInfo.h:
1119         * runtime/MapPrototype.h:
1120         * runtime/MinimumReservedZoneSize.h:
1121         * runtime/ModuleProgramExecutable.h:
1122         * runtime/NativeExecutable.h:
1123         * runtime/NativeFunction.h:
1124         * runtime/NativeStdFunctionCell.h:
1125         * runtime/NumberConstructor.h:
1126         * runtime/NumberPrototype.h:
1127         * runtime/ObjectConstructor.h:
1128         * runtime/ObjectPrototype.h:
1129         * runtime/ProgramExecutable.h:
1130         * runtime/PromiseDeferredTimer.cpp:
1131         * runtime/PropertyMapHashTable.h:
1132         * runtime/PropertyNameArray.h:
1133         (JSC::PropertyNameArray::add):
1134         * runtime/PrototypeKey.h:
1135         * runtime/ProxyConstructor.h:
1136         * runtime/ProxyObject.cpp:
1137         (JSC::ProxyObject::performGetOwnPropertyNames):
1138         * runtime/ProxyRevoke.h:
1139         * runtime/ReflectObject.h:
1140         * runtime/RegExp.h:
1141         * runtime/RegExpCache.h:
1142         * runtime/RegExpConstructor.h:
1143         * runtime/RegExpKey.h:
1144         * runtime/RegExpObject.h:
1145         * runtime/RegExpPrototype.h:
1146         * runtime/RegExpStringIteratorPrototype.h:
1147         * runtime/SamplingProfiler.cpp:
1148         * runtime/ScopedArgumentsTable.h:
1149         * runtime/ScriptExecutable.h:
1150         * runtime/SetPrototype.h:
1151         * runtime/SmallStrings.h:
1152         * runtime/SparseArrayValueMap.h:
1153         * runtime/StringConstructor.h:
1154         * runtime/StringIteratorPrototype.h:
1155         * runtime/StringObject.h:
1156         * runtime/StringPrototype.h:
1157         * runtime/Structure.h:
1158         * runtime/StructureChain.h:
1159         * runtime/StructureRareData.h:
1160         * runtime/StructureTransitionTable.h:
1161         * runtime/Symbol.h:
1162         * runtime/SymbolConstructor.h:
1163         * runtime/SymbolPrototype.h:
1164         * runtime/SymbolTable.h:
1165         * runtime/TemplateObjectDescriptor.h:
1166         * runtime/TypeProfiler.cpp:
1167         * runtime/TypeProfiler.h:
1168         * runtime/TypeProfilerLog.cpp:
1169         * runtime/VarOffset.h:
1170         * testRegExp.cpp:
1171         * tools/HeapVerifier.cpp:
1172         (JSC::HeapVerifier::checkIfRecorded):
1173         * tools/JSDollarVM.cpp:
1174         * wasm/WasmB3IRGenerator.cpp:
1175         * wasm/WasmBBQPlan.cpp:
1176         * wasm/WasmFaultSignalHandler.cpp:
1177         * wasm/WasmFunctionParser.h:
1178         * wasm/WasmOMGForOSREntryPlan.cpp:
1179         * wasm/WasmOMGPlan.cpp:
1180         * wasm/WasmPlan.cpp:
1181         * wasm/WasmSignature.cpp:
1182         * wasm/WasmSignature.h:
1183         * wasm/WasmWorklist.cpp:
1184         * wasm/js/JSWebAssembly.h:
1185         * wasm/js/JSWebAssemblyCodeBlock.h:
1186         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1187         * wasm/js/WebAssemblyCompileErrorPrototype.h:
1188         * wasm/js/WebAssemblyFunction.h:
1189         * wasm/js/WebAssemblyInstanceConstructor.h:
1190         * wasm/js/WebAssemblyInstancePrototype.h:
1191         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1192         * wasm/js/WebAssemblyLinkErrorPrototype.h:
1193         * wasm/js/WebAssemblyMemoryConstructor.h:
1194         * wasm/js/WebAssemblyMemoryPrototype.h:
1195         * wasm/js/WebAssemblyModuleConstructor.h:
1196         * wasm/js/WebAssemblyModulePrototype.h:
1197         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1198         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
1199         * wasm/js/WebAssemblyTableConstructor.h:
1200         * wasm/js/WebAssemblyTablePrototype.h:
1201         * wasm/js/WebAssemblyToJSCallee.h:
1202         * yarr/Yarr.h:
1203         * yarr/YarrParser.h:
1204         * yarr/generateYarrCanonicalizeUnicode:
1205
1206 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1207
1208         Follow-up after String.codePointAt optimization
1209         https://bugs.webkit.org/show_bug.cgi?id=201889
1210
1211         Reviewed by Saam Barati.
1212
1213         Follow-up after the string.codePointAt DFG / FTL optimizations:
1214
1215         1. Gracefully accept more arguments than expected for intrinsics.
1216         2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.
1217
1218         * dfg/DFGByteCodeParser.cpp:
1219         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1220
1221 2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>
1222
1223         Change WebAssembly calling conventions
1224         https://bugs.webkit.org/show_bug.cgi?id=201799
1225
1226         Reviewed by Saam Barati.
1227
1228         Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
1229         we have the Wasm interpreter, since we need the callee in order to know which function we are executing.
1230         This patch changes the calling conventions in preparation for the interpreter, so that the caller
1231         becomes responsible for writing the callee into the call frame.
1232         However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
1233         generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
1234         code when we know statically who the callee is:
1235         - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
1236         - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG OSR entry.
1237
1238         Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping
1239         of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.
1240
1241         * CMakeLists.txt:
1242         * JavaScriptCore.xcodeproj/project.pbxproj:
1243         * wasm/WasmAirIRGenerator.cpp:
1244         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1245         (JSC::Wasm::AirIRGenerator::addCall):
1246         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1247         (JSC::Wasm::parseAndCompileAir):
1248         * wasm/WasmAirIRGenerator.h:
1249         * wasm/WasmB3IRGenerator.cpp:
1250         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1251         (JSC::Wasm::B3IRGenerator::addCall):
1252         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1253         (JSC::Wasm::parseAndCompile):
1254         * wasm/WasmB3IRGenerator.h:
1255         * wasm/WasmBBQPlan.cpp:
1256         (JSC::Wasm::BBQPlan::BBQPlan):
1257         (JSC::Wasm::BBQPlan::prepare):
1258         (JSC::Wasm::BBQPlan::compileFunctions):
1259         (JSC::Wasm::BBQPlan::complete):
1260         * wasm/WasmBBQPlan.h:
1261         * wasm/WasmBBQPlanInlines.h:
1262         (JSC::Wasm::BBQPlan::initializeCallees):
1263         * wasm/WasmBinding.cpp:
1264         (JSC::Wasm::wasmToWasm):
1265         * wasm/WasmCallee.cpp:
1266         (JSC::Wasm::Callee::Callee):
1267         (JSC::Wasm::repatchMove):
1268         (JSC::Wasm::repatchCall):
1269         (JSC::Wasm::BBQCallee::addCaller):
1270         (JSC::Wasm::BBQCallee::addAndLinkCaller):
1271         (JSC::Wasm::BBQCallee::repatchCallers):
1272         * wasm/WasmCallee.h:
1273         (JSC::Wasm::Callee::entrypoint):
1274         (JSC::Wasm::Callee::code const):
1275         (JSC::Wasm::Callee::calleeSaveRegisters):
1276         * wasm/WasmCallingConvention.h:
1277         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1278         * wasm/WasmCodeBlock.cpp:
1279         (JSC::Wasm::CodeBlock::CodeBlock):
1280         * wasm/WasmCodeBlock.h:
1281         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
1282         (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
1283         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1284         (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
1285         * wasm/WasmEmbedder.h:
1286         * wasm/WasmFormat.h:
1287         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
1288         * wasm/WasmInstance.h:
1289         (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
1290         * wasm/WasmOMGForOSREntryPlan.cpp:
1291         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
1292         (JSC::Wasm::OMGForOSREntryPlan::work):
1293         * wasm/WasmOMGForOSREntryPlan.h:
1294         * wasm/WasmOMGPlan.cpp:
1295         (JSC::Wasm::OMGPlan::OMGPlan):
1296         (JSC::Wasm::OMGPlan::work):
1297         * wasm/WasmOMGPlan.h:
1298         * wasm/WasmOperations.cpp:
1299         (JSC::Wasm::triggerOMGReplacementCompile):
1300         (JSC::Wasm::doOSREntry):
1301         (JSC::Wasm::triggerOSREntryNow):
1302         * wasm/js/JSToWasm.cpp:
1303         (JSC::Wasm::createJSToWasmWrapper):
1304         * wasm/js/JSToWasm.h:
1305         * wasm/js/WebAssemblyFunction.cpp:
1306         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1307         (JSC::WebAssemblyFunction::create):
1308         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1309         * wasm/js/WebAssemblyFunction.h:
1310         * wasm/js/WebAssemblyModuleRecord.cpp:
1311         (JSC::WebAssemblyModuleRecord::link):
1312         (JSC::WebAssemblyModuleRecord::evaluate):
1313         * wasm/js/WebAssemblyWrapperFunction.cpp:
1314         (JSC::WebAssemblyWrapperFunction::create):
1315
1316 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1317
1318         [JSC] CheckArray+NonArray is not filtering out Array in AI
1319         https://bugs.webkit.org/show_bug.cgi?id=201857
1320         <rdar://problem/54194820>
1321
1322         Reviewed by Keith Miller.
1323
1324         The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
1325         While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
1326         accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
1327         This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.
1328
1329         * dfg/DFGArrayMode.cpp:
1330         (JSC::DFG::ArrayMode::alreadyChecked const):
1331
1332 2019-09-17  Saam Barati  <sbarati@apple.com>
1333
1334         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
1335         https://bugs.webkit.org/show_bug.cgi?id=201853
1336         <rdar://problem/53805461>
1337
1338         Reviewed by Yusuke Suzuki.
1339
1340         We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
1341         out SlowPutArrayStorage. It does no such thing. We just check that the object
1342         is either ScopedArguments or DirectArguments.
1343
1344         * dfg/DFGArrayMode.h:
1345         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1346         (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
1347         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
1348
1349 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
1350
1351         Wasm StreamingParser should validate that number of functions matches number of declarations
1352         https://bugs.webkit.org/show_bug.cgi?id=201850
1353         <rdar://problem/55290186>
1354
1355         Reviewed by Yusuke Suzuki.
1356
1357         Currently, when parsing the code section, we check that the number of functions matches the number
1358         of declarations in the function section. However, that check is never performed if the module does
1359         not have a code section. To fix that, we perform the check again in StreamingParser::finalize.
1360
1361         * wasm/WasmStreamingParser.cpp:
1362         (JSC::Wasm::StreamingParser::finalize):
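
        The finalize-time check described in this entry, as an added example that is not part of this
        change or of JSC's StreamingParser: a minimal WebAssembly section walker that counts the functions
        declared in the function section and the bodies in the code section, and rejects a mismatch even
        when the module has no code section at all. The LEB128 reader, the validate wrapper and the three
        sample modules are constructed here for illustration; the section ids and byte layout follow the
        WebAssembly binary format.

```javascript
// Added example, not JSC code: enforce "function bodies == declared functions"
// at finalize time, including the case where the code section is absent.

const WASM_HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
const SECTION_FUNCTION = 3;   // section ids from the WebAssembly binary format
const SECTION_CODE = 10;

// Unsigned LEB128 decoder that refuses to read past `end`.
function readVarU32(bytes, pos, end) {
  let value = 0;
  for (let shift = 0; shift <= 28; shift += 7) {
    if (pos >= end) throw new Error('unexpected end of input in LEB128');
    const b = bytes[pos++];
    value += (b & 0x7f) * 2 ** shift;
    if ((b & 0x80) === 0) {
      if (value > 0xffffffff) throw new Error('LEB128 value exceeds u32');
      return { value, pos };
    }
  }
  throw new Error('LEB128 too long for u32');
}

function checkFunctionCounts(bytes) {
  if (bytes.length < WASM_HEADER.length || WASM_HEADER.some((v, i) => bytes[i] !== v)) {
    throw new Error('bad magic or version');
  }
  let pos = WASM_HEADER.length;
  let declared = 0, bodies = 0, sawCodeSection = false;
  while (pos < bytes.length) {
    const id = bytes[pos++];
    const size = readVarU32(bytes, pos, bytes.length);
    pos = size.pos;
    const end = pos + size.value;
    if (end > bytes.length) throw new Error(`section ${id} overruns the module`);
    if (id === SECTION_FUNCTION) {
      declared = readVarU32(bytes, pos, end).value;   // vec length of type indices
    } else if (id === SECTION_CODE) {
      sawCodeSection = true;
      bodies = readVarU32(bytes, pos, end).value;     // vec length of function bodies
    }
    pos = end;  // payload contents are not validated here; a real parser does that
  }
  // The finalize check: performed whether or not a code section was present.
  if (declared !== bodies) {
    throw new Error(`function count mismatch: ${declared} declared, ${bodies} bodies` +
                    (sawCodeSection ? '' : ' (code section absent)'));
  }
  return { declared, bodies, sawCodeSection };
}

function validateFunctionCounts(bytes) {
  try {
    return { ok: true, ...checkFunctionCounts(bytes) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample modules (not taken from the bug report):
// type section: one func type () -> (); function section: one function of type 0
const TYPE_AND_FUNCTION_SECTIONS = [0x01, 0x04, 0x01, 0x60, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00];
// code section: one body with zero locals followed by `end`
const CODE_SECTION_ONE_BODY = [0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b];

const VALID_MODULE = Uint8Array.from([...WASM_HEADER, ...TYPE_AND_FUNCTION_SECTIONS, ...CODE_SECTION_ONE_BODY]);
const MODULE_WITHOUT_CODE_SECTION = Uint8Array.from([...WASM_HEADER, ...TYPE_AND_FUNCTION_SECTIONS]);
const MODULE_WITH_EMPTY_CODE_SECTION = Uint8Array.from([...WASM_HEADER, ...TYPE_AND_FUNCTION_SECTIONS, 0x0a, 0x01, 0x00]);
```

        Running validateFunctionCounts on the three modules accepts the first and rejects the other two;
        the second is the case this entry fixes, where a per-section check alone would never run. A
        spec-conforming engine's WebAssembly.validate() returns false for both malformed modules as well.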
1363
1364 2019-09-16  Michael Saboff  <msaboff@apple.com>
1365
1366         [JSC] Perform check again when we found non-BMP characters
1367         https://bugs.webkit.org/show_bug.cgi?id=201647
1368
1369         Reviewed by Yusuke Suzuki.
1370
1371         We need to check for end of input for non-BMP characters when matching a character class that contains
1372         both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
1373         end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
1374         After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
1375         label to back out the index++ for the first surrogate of the non-BMP character.
1376
1377         Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
1378         first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
1379         we increment for the second surrogate.
1380
1381         While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the
1382         loop to check the count at loop top instead of loop bottom.
1383
1384         * yarr/YarrJIT.cpp:
1385         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
1386         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1387         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1388         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1389         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
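
        The bounds-check placement this entry describes, as an added example that is not YarrJIT code:
        a character-class matcher over UTF-16 code units with unicode-mode semantics. BMP units need no
        extra check; only a lead surrogate requires an end-of-input check, and it must come before the
        trail unit is read. The greedy loop records each match end so a backtracker can give matches
        back, with the count check done before popping. The helpers, the class set and the sample string
        are constructed here.

```javascript
// Added example, not JSC code: reading code points safely at end of input while
// matching a character class that mixes BMP and non-BMP code points.

function toCodeUnits(str) {
  const units = [];
  for (let i = 0; i < str.length; i++) units.push(str.charCodeAt(i));
  return units;
}

// Reads one code point (unicode-mode semantics) at `index`.
// Returns { codePoint, next } or null at end of input.
function readCodePointAt(units, index) {
  if (index >= units.length) return null;
  const lead = units[index];
  const isLeadSurrogate = lead >= 0xd800 && lead <= 0xdbff;
  if (!isLeadSurrogate) return { codePoint: lead, next: index + 1 }; // BMP unit: no second read
  // Non-BMP candidate: the only place a second end-of-input check is needed,
  // and it must happen before units[index + 1] is touched.
  if (index + 1 >= units.length) return { codePoint: lead, next: index + 1 }; // lone lead at end of input
  const trail = units[index + 1];
  if (trail < 0xdc00 || trail > 0xdfff) return { codePoint: lead, next: index + 1 }; // unpaired lead
  return { codePoint: 0x10000 + ((lead - 0xd800) << 10) + (trail - 0xdc00), next: index + 2 };
}

// Greedy match of `classSet` starting at `start`. Returns the end position after
// each successful match, so a backtracker can pop from the end.
function matchClassGreedy(units, start, classSet) {
  const ends = [];
  let index = start;
  for (;;) {
    const ch = readCodePointAt(units, index);
    if (ch === null || !classSet.has(ch.codePoint)) return ends;
    ends.push(ch.next);
    index = ch.next;
  }
}

// Gives back one greedy match. The count is checked at the top, before popping,
// so the number of retained matches never drops below `minCount`.
// Returns the new input position, or null when nothing can be given back.
function backtrackGreedy(ends, minCount, start) {
  if (ends.length <= minCount) return null;
  ends.pop();
  return ends.length ? ends[ends.length - 1] : start;
}

// Constructed input: U+1F600, 'a', then a lone lead surrogate at the very end.
const SAMPLE_UNITS = toCodeUnits('\uD83D\uDE00a\uD83D');
const SAMPLE_CLASS = new Set([0x1f600, 0x61]);
```

        For SAMPLE_UNITS the greedy loop matches U+1F600 and 'a' and then stops at the trailing lone lead
        surrogate without reading past the end of the array; a class that contains the lead surrogate
        itself matches it as a single unit at end of input.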
1390
1391 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
1392
1393         [JSC] Add missing syntax errors for await in function parameter default expressions
1394         https://bugs.webkit.org/show_bug.cgi?id=201615
1395
1396         Reviewed by Darin Adler.
1397
1398         This patch rectifies two oversights:
1399           1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
1400              (and likewise for async arrow functions).
1401           2. We were not prohibiting `(x = await => {}) => {}` in an async context
1402              (regardless of parentheses, but note that this one *only* applies to arrow functions).
1403
1404         * parser/Parser.cpp:
1405         (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
1406         (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
1407         (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
1408         (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).
1409
1410 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
1411
1412         SamplingProfiler should hold API lock before reporting results
1413         https://bugs.webkit.org/show_bug.cgi?id=201829
1414
1415         Reviewed by Yusuke Suzuki.
1416
1417         Right now, the SamplingProfiler crashes in debug builds when trying
1418         to report results if it finds a JSFunction on the stack that doesn't have
1419         RareData. It tries to allocate the function's rare data when we call
1420         getOwnPropertySlot in order to get the function's name, but that fails
1421         because we are not holding the VM's API lock. We fix it by just holding
1422         the lock before reporting the results.
1423
1424         * runtime/SamplingProfiler.cpp:
1425         (JSC::SamplingProfiler::reportDataToOptionFile):
1426
1427 2019-09-16  David Kilzer  <ddkilzer@apple.com>
1428
1429         [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
1430         <https://webkit.org/b/201804>
1431
1432         Reviewed by Saam Barati.
1433
1434         * b3/testb3_8.cpp:
1435         (testFastForwardCopy32): Allocate arrays using
1436         WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
1437         statements.
1438
1439 2019-09-16  Saam Barati  <sbarati@apple.com>
1440
1441         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
1442         https://bugs.webkit.org/show_bug.cgi?id=200386
1443         <rdar://problem/53854946>
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         We used to ignore '__proto__' in putInlineSlow when the object in question
1448         was Proxy. There is no reason for this, and it goes against the spec. So
1449         I've removed that condition. This also has the effect that it fixes an
1450         assertion firing inside our inline caching code which dictates that, for a
1451         property replace, the base value's structure must be equal to the
1452         structure when we grabbed the structure prior to the put operation.
1453         The old code caused a weird edge case where we broke this invariant.
1454
1455         * runtime/JSObject.cpp:
1456         (JSC::JSObject::putInlineSlow):
1457
1458 2019-09-15  David Kilzer  <ddkilzer@apple.com>
1459
1460         Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
1461         <https://webkit.org/b/201803>
1462
1463         Reviewed by Dan Bernstein.
1464
1465         * API/JSVirtualMachine.mm:
1466         (-[JSVirtualMachine addManagedReference:withOwner:]): Use
1467         RetainPtr<> to fix the leak.
1468
1469 2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
1470
1471         Retire x86 32bit JIT support
1472         https://bugs.webkit.org/show_bug.cgi?id=201790
1473
1474         Reviewed by Mark Lam.
1475
1476         Now, Xcode no longer has the ability to build 32-bit binaries, so we cannot even test it on macOS.
1477         Fedora has stopped shipping an x86 32-bit kernel. Our x86/x86_64 JIT requires SSE2, so such relatively modern CPUs
1478         can use the JIT by switching from x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
1479         WebKit already disabled the x86 JIT by default while the implementation exists. So, literally, it is not tested.
1480
1481         While x86 32-bit becomes less useful, the x86 32-bit JIT backend is very complicated and is a major maintenance burden.
1482         This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.
1483
1484         This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep the MacroAssembler, GPRInfo / FPRInfo, and
1485         MachineContext information since they are useful even though the JIT is not supported.
1486
1487         * dfg/DFGArrayMode.cpp:
1488         (JSC::DFG::ArrayMode::refine const):
1489         * dfg/DFGByteCodeParser.cpp:
1490         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1491         (JSC::DFG::ByteCodeParser::parseBlock):
1492         * dfg/DFGFixupPhase.cpp:
1493         (JSC::DFG::FixupPhase::fixupNode):
1494         * dfg/DFGJITCompiler.cpp:
1495         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1496         * dfg/DFGOSRExitCompilerCommon.cpp:
1497         (JSC::DFG::osrWriteBarrier):
1498         * dfg/DFGSpeculativeJIT.cpp:
1499         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1500         (JSC::DFG::SpeculativeJIT::compileArithMod):
1501         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1502         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1503         * dfg/DFGSpeculativeJIT.h:
1504         * dfg/DFGSpeculativeJIT32_64.cpp:
1505         (JSC::DFG::SpeculativeJIT::emitCall):
1506         (JSC::DFG::SpeculativeJIT::compile):
1507         * dfg/DFGThunks.cpp:
1508         (JSC::DFG::osrExitGenerationThunkGenerator):
1509         * ftl/FTLThunks.cpp:
1510         (JSC::FTL::slowPathCallThunkGenerator):
1511         * jit/AssemblyHelpers.cpp:
1512         (JSC::AssemblyHelpers::callExceptionFuzz):
1513         (JSC::AssemblyHelpers::debugCall):
1514         * jit/AssemblyHelpers.h:
1515         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
1516         * jit/CCallHelpers.h:
1517         (JSC::CCallHelpers::setupArgumentsImpl):
1518         (JSC::CCallHelpers::prepareForTailCallSlow):
1519         * jit/CallFrameShuffler.cpp:
1520         (JSC::CallFrameShuffler::prepareForTailCall):
1521         * jit/JIT.cpp:
1522         (JSC::JIT::privateCompileExceptionHandlers):
1523         * jit/JITArithmetic32_64.cpp:
1524         (JSC::JIT::emit_op_mod):
1525         (JSC::JIT::emitSlow_op_mod):
1526         * jit/SlowPathCall.h:
1527         (JSC::JITSlowPathCall::call):
1528         * jit/ThunkGenerators.cpp:
1529         (JSC::nativeForGenerator):
1530         (JSC::arityFixupGenerator):
1531         * wasm/WasmAirIRGenerator.cpp:
1532         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
1533         * yarr/YarrJIT.cpp:
1534         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1535         (JSC::Yarr::YarrGenerator::generateEnter):
1536         (JSC::Yarr::YarrGenerator::generateReturn):
1537         (JSC::Yarr::YarrGenerator::compile):
1538         * yarr/YarrJIT.h:
1539
1540 2019-09-13  Mark Lam  <mark.lam@apple.com>
1541
1542         jsc -d stopped working.
1543         https://bugs.webkit.org/show_bug.cgi?id=201787
1544
1545         Reviewed by Joseph Pecoraro.
1546
1547         The reason is that, in this case, the jsc shell is trying to set an option
1548         after the VM has been instantiated.  The fix is simply to move all options
1549         initialization before the VM is instantiated.
1550
1551         * jsc.cpp:
1552         (runWithOptions):
1553         (jscmain):
1554
1555 2019-09-13  Mark Lam  <mark.lam@apple.com>
1556
1557         watchOS requires PageSize alignment of 16K for JSC::Config.
1558         https://bugs.webkit.org/show_bug.cgi?id=201786
1559         <rdar://problem/55357890>
1560
1561         Reviewed by Yusuke Suzuki.
1562
1563         * runtime/JSCConfig.h:
1564
1565 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1566
1567         Unreviewed, follow-up fix after r249842
1568         https://bugs.webkit.org/show_bug.cgi?id=201750
1569
1570         Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.
1571
1572         * assembler/MacroAssemblerARM64.h:
1573         (JSC::MacroAssemblerARM64::nearCall):
1574         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
1575
1576 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
1577
1578         Date.prototype.toJSON does not execute steps 1-2
1579         https://bugs.webkit.org/show_bug.cgi?id=105282
1580
1581         Reviewed by Ross Kirsling.
1582
1583         According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
1584         strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
1585         using sloppy mode semantics, resulting in `toISOString` being called on the global object if `this`
1586         value equals `null` or `undefined`.
1587
1588         * runtime/DatePrototype.cpp:
1589         (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
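
        The difference between sloppy and strict `this` resolution in Date.prototype.toJSON, as an added
        example that is not JSC code: the spec steps are written out with the receiver resolution made
        explicit, so the old behaviour (null `this` becomes the global object, whose `toISOString` then
        runs) can be compared with the strict behaviour (ToObject throws a TypeError). The resolver helpers,
        the FAKE_GLOBAL stand-in and the wrapper functions are constructed here; the step order follows
        https://tc39.es/ecma262/#sec-date.prototype.tojson.

```javascript
// Added example, not JSC code: Date.prototype.toJSON with explicit `this` resolution.

// Strict-mode semantics: step 1 is ToObject(this value), which throws for null/undefined.
function resolveThisStrict(thisValue) {
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError('Date.prototype.toJSON called on null or undefined');
  }
  return Object(thisValue);
}

// Sloppy-mode semantics (what the old implementation effectively did): a null or
// undefined `this` is replaced by the global object. `globalObject` is a parameter
// so the example never touches the real globalThis.
function makeSloppyThisResolver(globalObject) {
  return (thisValue) =>
    (thisValue === null || thisValue === undefined) ? globalObject : Object(thisValue);
}

// ToPrimitive(O, number): @@toPrimitive if present, otherwise valueOf then toString.
function toPrimitiveNumber(O) {
  const exotic = O[Symbol.toPrimitive];
  if (typeof exotic === 'function') return exotic.call(O, 'number');
  for (const name of ['valueOf', 'toString']) {
    const method = O[name];
    if (typeof method === 'function') {
      const result = method.call(O);
      if (result === null || typeof result !== 'object') return result;
    }
  }
  throw new TypeError('cannot convert object to primitive');
}

function dateToJSON(thisValue, resolveThis) {
  const O = resolveThis(thisValue);                                  // step 1: ToObject(this value)
  const tv = toPrimitiveNumber(O);                                   // step 2: ToPrimitive(O, number)
  if (typeof tv === 'number' && !Number.isFinite(tv)) return null;   // step 3: NaN/Infinity -> null
  const toISOString = O.toISOString;                                 // step 4: Invoke(O, "toISOString")
  if (typeof toISOString !== 'function') throw new TypeError('toISOString is not a function');
  return toISOString.call(O);
}

// Constructed stand-in for the global object, carrying a toISOString that page
// script could have defined; with sloppy resolution this is what ends up running.
const FAKE_GLOBAL = { toISOString() { return 'toISOString ran on the global object'; } };

function toJSONOnNullSloppy() {
  return dateToJSON(null, makeSloppyThisResolver(FAKE_GLOBAL));
}

function toJSONOnNullStrict() {
  try {
    dateToJSON(null, resolveThisStrict);
    return 'no error';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other error';
  }
}

// The same call against the host engine's own Date.prototype.toJSON.
function engineToJSONOnNull() {
  try {
    Date.prototype.toJSON.call(null);
    return 'no error';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other error';
  }
}
```

        With a real Date, both resolvers produce the ISO string (or null for an invalid date); only the
        null/undefined receiver case differs, and that is the case where sloppy resolution hands control to
        whatever `toISOString` the global object happens to carry.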
1590
1591 2019-09-13  Mark Lam  <mark.lam@apple.com>
1592
1593         performJITMemcpy() should do its !Gigacage assertion on exit.
1594         https://bugs.webkit.org/show_bug.cgi?id=201780
1595         <rdar://problem/55354867>
1596
1597         Reviewed by Robin Morisset.
1598
1599         Re-doing previous fix.
1600
1601         * jit/ExecutableAllocator.h:
1602         (JSC::performJITMemcpy):
1603         (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
1604         (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.
1605
1606 2019-09-13  Mark Lam  <mark.lam@apple.com>
1607
1608         performJITMemcpy() should do its !Gigacage assertion on exit.
1609         https://bugs.webkit.org/show_bug.cgi?id=201780
1610         <rdar://problem/55354867>
1611
1612         Reviewed by Robin Morisset.
1613
1614         * jit/ExecutableAllocator.h:
1615         (JSC::GigacageAssertScope::GigacageAssertScope):
1616         (JSC::GigacageAssertScope::~GigacageAssertScope):
1617         (JSC::performJITMemcpy):
1618
1619 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1620
1621         [JSC] Micro-optimize YarrJIT's surrogate pair handling
1622         https://bugs.webkit.org/show_bug.cgi?id=201750
1623
1624         Reviewed by Michael Saboff.
1625
1626         Optimize sequence of machine code used to get code-point with unicode flag.
1627
1628         * yarr/YarrJIT.cpp:
1629         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1630
1631 2019-09-13  Mark Lam  <mark.lam@apple.com>
1632
1633         We should assert $vm is enabled on entry and exit in its functions.
1634         https://bugs.webkit.org/show_bug.cgi?id=201762
1635         <rdar://problem/55338742>
1636
1637         Rubber-stamped by Michael Saboff.
1638
1639         1. Also do the same for FunctionOverrides.
1640         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
1641         3. Also added assertions to lambda functions in $vm.
1642
1643         * tools/FunctionOverrides.cpp:
1644         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
1645         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
1646         (JSC::FunctionOverrides::overrides):
1647         (JSC::FunctionOverrides::FunctionOverrides):
1648         (JSC::FunctionOverrides::reinstallOverrides):
1649         (JSC::initializeOverrideInfo):
1650         (JSC::FunctionOverrides::initializeOverrideFor):
1651         (JSC::parseClause):
1652         (JSC::FunctionOverrides::parseOverridesInFile):
1653         * tools/JSDollarVM.cpp:
1654         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
1655         (JSC::JSDollarVMCallFrame::createStructure):
1656         (JSC::JSDollarVMCallFrame::create):
1657         (JSC::JSDollarVMCallFrame::finishCreation):
1658         (JSC::JSDollarVMCallFrame::addProperty):
1659         (JSC::Element::Element):
1660         (JSC::Element::create):
1661         (JSC::Element::visitChildren):
1662         (JSC::Element::createStructure):
1663         (JSC::Root::Root):
1664         (JSC::Root::setElement):
1665         (JSC::Root::create):
1666         (JSC::Root::createStructure):
1667         (JSC::Root::visitChildren):
1668         (JSC::SimpleObject::SimpleObject):
1669         (JSC::SimpleObject::create):
1670         (JSC::SimpleObject::visitChildren):
1671         (JSC::SimpleObject::createStructure):
1672         (JSC::ImpureGetter::ImpureGetter):
1673         (JSC::ImpureGetter::createStructure):
1674         (JSC::ImpureGetter::create):
1675         (JSC::ImpureGetter::finishCreation):
1676         (JSC::ImpureGetter::getOwnPropertySlot):
1677         (JSC::ImpureGetter::visitChildren):
1678         (JSC::CustomGetter::CustomGetter):
1679         (JSC::CustomGetter::createStructure):
1680         (JSC::CustomGetter::create):
1681         (JSC::CustomGetter::getOwnPropertySlot):
1682         (JSC::CustomGetter::customGetter):
1683         (JSC::CustomGetter::customGetterAcessor):
1684         (JSC::RuntimeArray::create):
1685         (JSC::RuntimeArray::destroy):
1686         (JSC::RuntimeArray::getOwnPropertySlot):
1687         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
1688         (JSC::RuntimeArray::createPrototype):
1689         (JSC::RuntimeArray::createStructure):
1690         (JSC::RuntimeArray::finishCreation):
1691         (JSC::RuntimeArray::RuntimeArray):
1692         (JSC::RuntimeArray::lengthGetter):
1693         (JSC::DOMJITNode::DOMJITNode):
1694         (JSC::DOMJITNode::createStructure):
1695         (JSC::DOMJITNode::checkSubClassSnippet):
1696         (JSC::DOMJITNode::create):
1697         (JSC::DOMJITGetter::DOMJITGetter):
1698         (JSC::DOMJITGetter::createStructure):
1699         (JSC::DOMJITGetter::create):
1700         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
1701         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1702         (JSC::DOMJITGetter::customGetter):
1703         (JSC::DOMJITGetter::finishCreation):
1704         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
1705         (JSC::DOMJITGetterComplex::createStructure):
1706         (JSC::DOMJITGetterComplex::create):
1707         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1708         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1709         (JSC::DOMJITGetterComplex::functionEnableException):
1710         (JSC::DOMJITGetterComplex::customGetter):
1711         (JSC::DOMJITGetterComplex::finishCreation):
1712         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
1713         (JSC::DOMJITFunctionObject::createStructure):
1714         (JSC::DOMJITFunctionObject::create):
1715         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
1716         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
1717         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
1718         (JSC::DOMJITFunctionObject::finishCreation):
1719         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1720         (JSC::DOMJITCheckSubClassObject::createStructure):
1721         (JSC::DOMJITCheckSubClassObject::create):
1722         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
1723         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
1724         (JSC::DOMJITCheckSubClassObject::finishCreation):
1725         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
1726         (JSC::DOMJITGetterBaseJSObject::createStructure):
1727         (JSC::DOMJITGetterBaseJSObject::create):
1728         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
1729         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
1730         (JSC::DOMJITGetterBaseJSObject::customGetter):
1731         (JSC::DOMJITGetterBaseJSObject::finishCreation):
1732         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
1733         (JSC::JSTestCustomGetterSetter::create):
1734         (JSC::JSTestCustomGetterSetter::createStructure):
1735         (JSC::customSetAccessor):
1736         (JSC::customSetValue):
1737         (JSC::JSTestCustomGetterSetter::finishCreation):
1738         (JSC::Element::handleOwner):
1739         (JSC::Element::finishCreation):
1740         (JSC::WasmStreamingParser::WasmStreamingParser):
1741         (JSC::WasmStreamingParser::create):
1742         (JSC::WasmStreamingParser::createStructure):
1743         (JSC::WasmStreamingParser::finishCreation):
1744         (JSC::functionWasmStreamingParserAddBytes):
1745         (JSC::functionWasmStreamingParserFinalize):
1746         (JSC::functionCrash):
1747         (JSC::functionBreakpoint):
1748         (JSC::functionDFGTrue):
1749         (JSC::functionFTLTrue):
1750         (JSC::functionCpuMfence):
1751         (JSC::functionCpuRdtsc):
1752         (JSC::functionCpuCpuid):
1753         (JSC::functionCpuPause):
1754         (JSC::functionCpuClflush):
1755         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1756         (JSC::getExecutableForFunction):
1757         (JSC::functionLLintTrue):
1758         (JSC::functionJITTrue):
1759         (JSC::functionNoInline):
1760         (JSC::functionGC):
1761         (JSC::functionEdenGC):
1762         (JSC::functionDumpSubspaceHashes):
1763         (JSC::functionCallFrame):
1764         (JSC::functionCodeBlockForFrame):
1765         (JSC::codeBlockFromArg):
1766         (JSC::functionCodeBlockFor):
1767         (JSC::functionDumpSourceFor):
1768         (JSC::functionDumpBytecodeFor):
1769         (JSC::doPrint):
1770         (JSC::functionDataLog):
1771         (JSC::functionPrint):
1772         (JSC::functionDumpCallFrame):
1773         (JSC::functionDumpStack):
1774         (JSC::functionDumpRegisters):
1775         (JSC::functionDumpCell):
1776         (JSC::functionIndexingMode):
1777         (JSC::functionInlineCapacity):
1778         (JSC::functionValue):
1779         (JSC::functionGetPID):
1780         (JSC::functionHaveABadTime):
1781         (JSC::functionIsHavingABadTime):
1782         (JSC::functionCreateGlobalObject):
1783         (JSC::functionCreateProxy):
1784         (JSC::functionCreateRuntimeArray):
1785         (JSC::functionCreateNullRopeString):
1786         (JSC::functionCreateImpureGetter):
1787         (JSC::functionCreateCustomGetterObject):
1788         (JSC::functionCreateDOMJITNodeObject):
1789         (JSC::functionCreateDOMJITGetterObject):
1790         (JSC::functionCreateDOMJITGetterComplexObject):
1791         (JSC::functionCreateDOMJITFunctionObject):
1792         (JSC::functionCreateDOMJITCheckSubClassObject):
1793         (JSC::functionCreateDOMJITGetterBaseJSObject):
1794         (JSC::functionCreateWasmStreamingParser):
1795         (JSC::functionSetImpureGetterDelegate):
1796         (JSC::functionCreateBuiltin):
1797         (JSC::functionGetPrivateProperty):
1798         (JSC::functionCreateRoot):
1799         (JSC::functionCreateElement):
1800         (JSC::functionGetElement):
1801         (JSC::functionCreateSimpleObject):
1802         (JSC::functionGetHiddenValue):
1803         (JSC::functionSetHiddenValue):
1804         (JSC::functionShadowChickenFunctionsOnStack):
1805         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
1806         (JSC::functionFindTypeForExpression):
1807         (JSC::functionReturnTypeFor):
1808         (JSC::functionFlattenDictionaryObject):
1809         (JSC::functionDumpBasicBlockExecutionRanges):
1810         (JSC::functionHasBasicBlockExecuted):
1811         (JSC::functionBasicBlockExecutionCount):
1812         (JSC::functionEnableExceptionFuzz):
1813         (JSC::changeDebuggerModeWhenIdle):
1814         (JSC::functionEnableDebuggerModeWhenIdle):
1815         (JSC::functionDisableDebuggerModeWhenIdle):
1816         (JSC::functionDeleteAllCodeWhenIdle):
1817         (JSC::functionGlobalObjectCount):
1818         (JSC::functionGlobalObjectForObject):
1819         (JSC::functionGetGetterSetter):
1820         (JSC::functionLoadGetterFromGetterSetter):
1821         (JSC::functionCreateCustomTestGetterSetter):
1822         (JSC::functionDeltaBetweenButterflies):
1823         (JSC::functionTotalGCTime):
1824         (JSC::functionParseCount):
1825         (JSC::functionIsWasmSupported):
1826         (JSC::JSDollarVM::finishCreation):
1827         (JSC::JSDollarVM::addFunction):
1828         (JSC::JSDollarVM::addConstructibleFunction):
1829         * tools/JSDollarVM.h:
1830         (JSC::DollarVMAssertScope::DollarVMAssertScope):
1831         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
1832
1833 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
1834
1835         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
1836         https://bugs.webkit.org/show_bug.cgi?id=201535
1837         <rdar://problem/29119232>
1838
1839         Reviewed by Devin Rousso.
1840
1841         * debugger/Debugger.cpp:
1842         (JSC::Debugger::resolveBreakpoint):
1843         When resolving a breakpoint inside of an inline <script> we need to adjust
1844         based on the starting position of the <script> in the HTML resource.
1845
1846 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1847
1848         [JSC] X86Registers.h callee-save register definition is wrong
1849         https://bugs.webkit.org/show_bug.cgi?id=201756
1850
1851         Reviewed by Mark Lam.
1852
1853         I think nobody is using the X86 JIT backend, but it is simply wrong.
1854         edi and esi should be callee-save.
1855
1856         * assembler/X86Registers.h:
1857
1858 2019-09-12  Mark Lam  <mark.lam@apple.com>
1859
1860         Harden JSC against the abuse of runtime options.
1861         https://bugs.webkit.org/show_bug.cgi?id=201597
1862         <rdar://problem/55167068>
1863
1864         Reviewed by Filip Pizlo.
1865
1866         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
1867
1868         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
1869            first VM instance is constructed.  The end of the VM constructor calls
1870            Config::permanentlyFreeze() which will make the Config ReadOnly.
1871
1872            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
1873            OS(WINDOWS) will need to implement some missing pieces before it can enable
1874            this hardening (see FIXME in JSCConfig.cpp).
1875
1876            The hardening strategy here is to put immutable global values into the Config.
1877            Any modifications that need to be made to these values must be done before the
1878            first VM instance is done instantiating.  This ensures that no script will
1879            ever run while the Config is still writable.
1880
1881            Also, the policy for this hardening is that a process is opted in by default.
1882            If there's a valid need to disable this hardening (e.g. for some test
1883            environments), the relevant process will need to opt itself out by calling
1884            Config::configureForTesting().
1885
1886            The jsc shell, WK2 UI and WebContent processes are opted in by default.
1887            Only test processes may opt out.
1888
1889         2. Put all JSC::Options in the Config.  This enforces the invariant that options
1890            can only be changed before we instantiate a VM.  Once a VM is instantiated,
1891            the options are immutable.
1892
1893         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
1894            Options::forceGCSlowPaths this way is no longer allowed.
1895
1896         4. Re-factored the Options code (Options.h) into:
1897            - OptionEntry.h: the data structure that stores the option values.
1898            - OptionsList.h: the list of options.
1899            - Options.h: the Options singleton object which is the interface for accessing options.
1900
1901            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
1902            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
1903            "JSC_OPTIONS(FOR_EACH_OPTION)".
1904
1905         5. Change testapi to call Config::configureForTesting().  Parts of testapi make
1906            use of setting options in its tests.  Hence, this hardening is disabled for
1907            testapi.
1908
1909            Note: the jsc shell does enable this hardening.
1910
1911         6. Put ExecutableAllocator's immutable globals in the Config.
1912
1913         7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
1914            FunctionOverrides test utility.
1915
1916         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
1917
1918            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
1919            that are non-trivial at a glance.  This includes (but is not limited to):
1920                constructors
1921                create() factory
1922                createStructure() factory
1923                finishCreation()
1924                HOST_CALL or operation functions
1925                Constructors and methods of utility and test classes
1926
1927            The only exceptions are some constexpr constructors used for instantiating
1928            globals (since these must have trivial constructors) e.g. DOMJITAttribute.
1929            Instead, these constructors should always be ALWAYS_INLINE.
1930
1931         * API/glib/JSCOptions.cpp:
1932         (jscOptionsSetValue):
1933         (jscOptionsGetValue):
1934         (jsc_options_foreach):
1935         (jsc_options_get_option_group):
1936         * API/tests/testapi.c:
1937         (main):
1938         * API/tests/testapi.cpp:
1939         (configureJSCForTesting):
1940         * CMakeLists.txt:
1941         * JavaScriptCore.xcodeproj/project.pbxproj:
1942         * Sources.txt:
1943         * jit/ExecutableAllocator.cpp:
1944         (JSC::isJITEnabled):
1945         (JSC::ExecutableAllocator::setJITEnabled):
1946         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
1947         (JSC::ExecutableAllocator::isValid const):
1948         (JSC::ExecutableAllocator::underMemoryPressure):
1949         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1950         (JSC::ExecutableAllocator::allocate):
1951         (JSC::ExecutableAllocator::isValidExecutableMemory):
1952         (JSC::ExecutableAllocator::getLock const):
1953         (JSC::ExecutableAllocator::committedByteCount):
1954         (JSC::ExecutableAllocator::dumpProfile):
1955         (JSC::startOfFixedExecutableMemoryPoolImpl):
1956         (JSC::endOfFixedExecutableMemoryPoolImpl):
1957         (JSC::isJITPC):
1958         (JSC::dumpJITMemory):
1959         (JSC::ExecutableAllocator::initialize):
1960         (JSC::ExecutableAllocator::singleton):
1961         * jit/ExecutableAllocator.h:
1962         (JSC::performJITMemcpy):
1963         * jsc.cpp:
1964         (GlobalObject::finishCreation):
1965         (functionJSCOptions):
1966         (jscmain):
1967         (functionForceGCSlowPaths): Deleted.
1968         * runtime/ConfigFile.cpp:
1969         (JSC::ConfigFile::parse):
1970         * runtime/InitializeThreading.cpp:
1971         (JSC::initializeThreading):
1972         * runtime/JSCConfig.cpp: Added.
1973         (JSC::Config::disableFreezingForTesting):
1974         (JSC::Config::enableRestrictedOptions):
1975         (JSC::Config::permanentlyFreeze):
1976         * runtime/JSCConfig.h: Added.
1977         (JSC::Config::configureForTesting):
1978         * runtime/JSGlobalObject.cpp:
1979         (JSC::JSGlobalObject::exposeDollarVM):
1980         * runtime/OptionEntry.h: Added.
1981         (JSC::OptionRange::operator= ):
1982         (JSC::OptionRange::rangeString const):
1983         * runtime/Options.cpp:
1984         (JSC::Options::isAvailable):
1985         (JSC::scaleJITPolicy):
1986         (JSC::Options::initialize):
1987         (JSC::Options::setOptions):
1988         (JSC::Options::setOptionWithoutAlias):
1989         (JSC::Options::setAliasedOption):
1990         (JSC::Option::dump const):
1991         (JSC::Option::operator== const):
1992         (): Deleted.
1993         (JSC::Options::enableRestrictedOptions): Deleted.
1994         * runtime/Options.h:
1995         (JSC::Option::Option):
1996         (JSC::Option::defaultOption const):
1997         (JSC::Option::boolVal):
1998         (JSC::Option::unsignedVal):
1999         (JSC::Option::doubleVal):
2000         (JSC::Option::int32Val):
2001         (JSC::Option::optionRangeVal):
2002         (JSC::Option::optionStringVal):
2003         (JSC::Option::gcLogLevelVal):
2004         (JSC::OptionRange::operator= ): Deleted.
2005         (JSC::OptionRange::rangeString const): Deleted.
2006         * runtime/OptionsList.h: Added.
2007         (JSC::countNumberOfJSCOptions):
2008         * runtime/VM.cpp:
2009         (JSC::VM::VM):
2010         * tools/FunctionOverrides.cpp:
2011         (JSC::FunctionOverrides::FunctionOverrides):
2012         (JSC::FunctionOverrides::reinstallOverrides):
2013         (JSC::FunctionOverrides::initializeOverrideFor):
2014         (JSC::FunctionOverrides::parseOverridesInFile):
2015         * tools/JSDollarVM.cpp:
2016         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
2017         (JSC::JSDollarVMCallFrame::createStructure):
2018         (JSC::JSDollarVMCallFrame::create):
2019         (JSC::JSDollarVMCallFrame::finishCreation):
2020         (JSC::JSDollarVMCallFrame::addProperty):
2021         (JSC::Element::Element):
2022         (JSC::Element::create):
2023         (JSC::Element::createStructure):
2024         (JSC::Root::Root):
2025         (JSC::Root::create):
2026         (JSC::Root::createStructure):
2027         (JSC::SimpleObject::SimpleObject):
2028         (JSC::SimpleObject::create):
2029         (JSC::SimpleObject::createStructure):
2030         (JSC::ImpureGetter::ImpureGetter):
2031         (JSC::ImpureGetter::createStructure):
2032         (JSC::ImpureGetter::create):
2033         (JSC::ImpureGetter::finishCreation):
2034         (JSC::ImpureGetter::getOwnPropertySlot):
2035         (JSC::CustomGetter::CustomGetter):
2036         (JSC::CustomGetter::createStructure):
2037         (JSC::CustomGetter::create):
2038         (JSC::CustomGetter::getOwnPropertySlot):
2039         (JSC::CustomGetter::customGetter):
2040         (JSC::CustomGetter::customGetterAcessor):
2041         (JSC::RuntimeArray::create):
2042         (JSC::RuntimeArray::destroy):
2043         (JSC::RuntimeArray::getOwnPropertySlot):
2044         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
2045         (JSC::RuntimeArray::createPrototype):
2046         (JSC::RuntimeArray::createStructure):
2047         (JSC::RuntimeArray::finishCreation):
2048         (JSC::RuntimeArray::RuntimeArray):
2049         (JSC::RuntimeArray::lengthGetter):
2050         (JSC::DOMJITNode::DOMJITNode):
2051         (JSC::DOMJITNode::createStructure):
2052         (JSC::DOMJITNode::checkSubClassSnippet):
2053         (JSC::DOMJITNode::create):
2054         (JSC::DOMJITGetter::DOMJITGetter):
2055         (JSC::DOMJITGetter::createStructure):
2056         (JSC::DOMJITGetter::create):
2057         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2058         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2059         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2060         (JSC::DOMJITGetter::customGetter):
2061         (JSC::DOMJITGetter::finishCreation):
2062         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
2063         (JSC::DOMJITGetterComplex::createStructure):
2064         (JSC::DOMJITGetterComplex::create):
2065         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2066         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2067         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2068         (JSC::DOMJITGetterComplex::functionEnableException):
2069         (JSC::DOMJITGetterComplex::customGetter):
2070         (JSC::DOMJITGetterComplex::finishCreation):
2071         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
2072         (JSC::DOMJITFunctionObject::createStructure):
2073         (JSC::DOMJITFunctionObject::create):
2074         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
2075         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2076         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
2077         (JSC::DOMJITFunctionObject::finishCreation):
2078         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2079         (JSC::DOMJITCheckSubClassObject::createStructure):
2080         (JSC::DOMJITCheckSubClassObject::create):
2081         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
2082         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2083         (JSC::DOMJITCheckSubClassObject::finishCreation):
2084         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2085         (JSC::DOMJITGetterBaseJSObject::createStructure):
2086         (JSC::DOMJITGetterBaseJSObject::create):
2087         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2088         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2089         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2090         (JSC::DOMJITGetterBaseJSObject::customGetter):
2091         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2092         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2093         (JSC::JSTestCustomGetterSetter::create):
2094         (JSC::JSTestCustomGetterSetter::createStructure):
2095         (JSC::customSetAccessor):
2096         (JSC::customSetValue):
2097         (JSC::JSTestCustomGetterSetter::finishCreation):
2098         (JSC::Element::handleOwner):
2099         (JSC::Element::finishCreation):
2100         (JSC::WasmStreamingParser::WasmStreamingParser):
2101         (JSC::WasmStreamingParser::create):
2102         (JSC::WasmStreamingParser::createStructure):
2103         (JSC::WasmStreamingParser::finishCreation):
2104         (JSC::functionWasmStreamingParserAddBytes):
2105         (JSC::functionWasmStreamingParserFinalize):
2106         (JSC::functionCrash):
2107         (JSC::functionBreakpoint):
2108         (JSC::functionDFGTrue):
2109         (JSC::functionFTLTrue):
2110         (JSC::functionCpuMfence):
2111         (JSC::functionCpuRdtsc):
2112         (JSC::functionCpuCpuid):
2113         (JSC::functionCpuPause):
2114         (JSC::functionCpuClflush):
2115         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2116         (JSC::getExecutableForFunction):
2117         (JSC::functionLLintTrue):
2118         (JSC::functionJITTrue):
2119         (JSC::functionNoInline):
2120         (JSC::functionGC):
2121         (JSC::functionEdenGC):
2122         (JSC::functionDumpSubspaceHashes):
2123         (JSC::functionCallFrame):
2124         (JSC::functionCodeBlockForFrame):
2125         (JSC::codeBlockFromArg):
2126         (JSC::functionCodeBlockFor):
2127         (JSC::functionDumpSourceFor):
2128         (JSC::functionDumpBytecodeFor):
2129         (JSC::doPrint):
2130         (JSC::functionDataLog):
2131         (JSC::functionPrint):
2132         (JSC::functionDumpCallFrame):
2133         (JSC::functionDumpStack):
2134         (JSC::functionDumpRegisters):
2135         (JSC::functionDumpCell):
2136         (JSC::functionIndexingMode):
2137         (JSC::functionInlineCapacity):
2138         (JSC::functionValue):
2139         (JSC::functionGetPID):
2140         (JSC::functionHaveABadTime):
2141         (JSC::functionIsHavingABadTime):
2142         (JSC::functionCreateGlobalObject):
2143         (JSC::functionCreateProxy):
2144         (JSC::functionCreateRuntimeArray):
2145         (JSC::functionCreateNullRopeString):
2146         (JSC::functionCreateImpureGetter):
2147         (JSC::functionCreateCustomGetterObject):
2148         (JSC::functionCreateDOMJITNodeObject):
2149         (JSC::functionCreateDOMJITGetterObject):
2150         (JSC::functionCreateDOMJITGetterComplexObject):
2151         (JSC::functionCreateDOMJITFunctionObject):
2152         (JSC::functionCreateDOMJITCheckSubClassObject):
2153         (JSC::functionCreateDOMJITGetterBaseJSObject):
2154         (JSC::functionCreateWasmStreamingParser):
2155         (JSC::functionSetImpureGetterDelegate):
2156         (JSC::functionCreateBuiltin):
2157         (JSC::functionGetPrivateProperty):
2158         (JSC::functionCreateRoot):
2159         (JSC::functionCreateElement):
2160         (JSC::functionGetElement):
2161         (JSC::functionCreateSimpleObject):
2162         (JSC::functionGetHiddenValue):
2163         (JSC::functionSetHiddenValue):
2164         (JSC::functionShadowChickenFunctionsOnStack):
2165         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2166         (JSC::functionFindTypeForExpression):
2167         (JSC::functionReturnTypeFor):
2168         (JSC::functionFlattenDictionaryObject):
2169         (JSC::functionDumpBasicBlockExecutionRanges):
2170         (JSC::functionHasBasicBlockExecuted):
2171         (JSC::functionBasicBlockExecutionCount):
2172         (JSC::functionEnableExceptionFuzz):
2173         (JSC::changeDebuggerModeWhenIdle):
2174         (JSC::functionEnableDebuggerModeWhenIdle):
2175         (JSC::functionDisableDebuggerModeWhenIdle):
2176         (JSC::functionDeleteAllCodeWhenIdle):
2177         (JSC::functionGlobalObjectCount):
2178         (JSC::functionGlobalObjectForObject):
2179         (JSC::functionGetGetterSetter):
2180         (JSC::functionLoadGetterFromGetterSetter):
2181         (JSC::functionCreateCustomTestGetterSetter):
2182         (JSC::functionDeltaBetweenButterflies):
2183         (JSC::functionTotalGCTime):
2184         (JSC::functionParseCount):
2185         (JSC::functionIsWasmSupported):
2186         (JSC::JSDollarVM::finishCreation):
2187         (JSC::JSDollarVM::addFunction):
2188         (JSC::JSDollarVM::addConstructibleFunction):
2189         * tools/JSDollarVM.h:
2190
2191 2019-09-11  Devin Rousso  <drousso@apple.com>
2192
2193         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
2194         https://bugs.webkit.org/show_bug.cgi?id=201650
2195
2196         Reviewed by Joseph Pecoraro.
2197
2198         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
2199
2200         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
2201         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
2202         `-webkit-canvas` client of a `WebGPUDevice`.
2203
2204         * inspector/protocol/Canvas.json:
2205          - Add `powerPreference` key to `ContextAttributes` type.
2206          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
2207          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
2208          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
2209            really a "canvas".
2210
2211 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
2212
2213         [JSC] Add StringCodePointAt intrinsic
2214         https://bugs.webkit.org/show_bug.cgi?id=201673
2215
2216         Reviewed by Michael Saboff.
2217
        JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL as we are doing for String#charCodeAt.
        This patch adds this support for String#codePointAt to get a ~10% score improvement in JetStream2/UniPoker.

        In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as a StringCodePointAt node, and emit
        inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as StringCharAt. It has String array-mode, so it emits a
        preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
        check. This is just the same as the existing StringCharCodeAt mechanism.
2225
2226         * dfg/DFGAbstractInterpreterInlines.h:
2227         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2228         * dfg/DFGBackwardsPropagationPhase.cpp:
2229         (JSC::DFG::BackwardsPropagationPhase::propagate):
2230         * dfg/DFGByteCodeParser.cpp:
2231         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2232         * dfg/DFGClobberize.h:
2233         (JSC::DFG::clobberize):
2234         * dfg/DFGDoesGC.cpp:
2235         (JSC::DFG::doesGC):
2236         * dfg/DFGFixupPhase.cpp:
2237         (JSC::DFG::FixupPhase::fixupNode):
2238         * dfg/DFGNode.h:
2239         (JSC::DFG::Node::hasArrayMode):
2240         * dfg/DFGNodeType.h:
2241         * dfg/DFGPredictionPropagationPhase.cpp:
2242         * dfg/DFGSafeToExecute.h:
2243         (JSC::DFG::safeToExecute):
2244         * dfg/DFGSpeculativeJIT.h:
2245         * dfg/DFGSpeculativeJIT32_64.cpp:
2246         (JSC::DFG::SpeculativeJIT::compile):
2247         * dfg/DFGSpeculativeJIT64.cpp:
2248         (JSC::DFG::SpeculativeJIT::compile):
2249         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
2250         * ftl/FTLCapabilities.cpp:
2251         (JSC::FTL::canCompile):
2252         * ftl/FTLLowerDFGToB3.cpp:
2253         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2254         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
2255         * jit/JITInlines.h:
2256         (JSC::JIT::emitLoadCharacterString):
2257         * jit/ThunkGenerators.cpp:
2258         (JSC::stringGetByValGenerator):
2259         (JSC::stringCharLoad):
2260         (JSC::stringPrototypeCodePointAtThunkGenerator):
2261         * jit/ThunkGenerators.h:
2262         * runtime/Intrinsic.cpp:
2263         (JSC::intrinsicName):
2264         * runtime/Intrinsic.h:
2265         * runtime/StringPrototype.cpp:
2266         (JSC::StringPrototype::finishCreation):
2267         * runtime/VM.cpp:
2268         (JSC::thunkGeneratorForIntrinsic):
2269
2270 2019-09-11  Michael Saboff  <msaboff@apple.com>
2271
2272         JSC crashes due to stack overflow while building RegExp
2273         https://bugs.webkit.org/show_bug.cgi?id=201649
2274
2275         Reviewed by Yusuke Suzuki.
2276
2277         Check for running out of stack when we are optimizing RegExp containing BOL terms or
2278         other deep copying of disjunctions.
2279
2280         * yarr/YarrPattern.cpp:
2281         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
2282         (JSC::Yarr::YarrPatternConstructor::copyTerm):
2283         (JSC::Yarr::YarrPatternConstructor::error):
2284         (JSC::Yarr::YarrPattern::compile):
2285
2286 2019-09-11  Truitt Savell  <tsavell@apple.com>
2287
2288         Unreviewed, rolling out r249753.
2289
2290         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
2291         crash on all Mac platforms.
2292
2293         Reverted changeset:
2294
2295         "Web Inspector: Canvas: instrument WebGPUDevice instead of
2296         GPUCanvasContext"
2297         https://bugs.webkit.org/show_bug.cgi?id=201650
2298         https://trac.webkit.org/changeset/249753
2299
2300 2019-09-10  Devin Rousso  <drousso@apple.com>
2301
2302         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
2303         https://bugs.webkit.org/show_bug.cgi?id=201650
2304
2305         Reviewed by Joseph Pecoraro.
2306
2307         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
2308
2309         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
2310         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
2311         `-webkit-canvas` client of a `WebGPUDevice`.
2312
2313         * inspector/protocol/Canvas.json:
2314          - Add `powerPreference` key to `ContextAttributes` type.
2315          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
2316          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
2317          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
2318            really a "canvas".
2319
2320 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2321
2322         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
2323         https://bugs.webkit.org/show_bug.cgi?id=201634
2324
2325         Reviewed by Mark Lam and Robin Morisset.
2326
        This patch includes two things. One is fixing 32bit bitwise operations with allOne constants. The other is fixing an existing bug in BitAnd strength reduction.
2328
2329         1. 32bit bitwise operation with allOne constants
2330
            Surprisingly, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
2332             For example, in BitAnd strength reduction,
2333
                // Turn this: BitAnd(value, all-ones)
                // Into this: value.
                if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
                    || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
                    replaceWithIdentity(m_value->child(0));
                    break;
                }
2341
2342             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
2343
                inline bool Value::isInt(int64_t value) const
                {
                    return hasInt() && asInt() == value;
                }
2348
            So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
2350
                inline int64_t Value::asInt() const
                {
                    return hasInt32() ? asInt32() : asInt64();
                }
2355
            So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
            We should use `isInt32` and `isInt64` for bit patterns (like operands for Bitwise opcodes).
2358
2359         2. BitAnd and BitOr strength reduction bug
2360
2361             We also fix the following optimization.
2362
2363                 // Turn this: BitAnd(Op(value, constant1), constant2)
2364                 //     where !(constant1 & constant2)
2365                 //       and Op is BitOr or BitXor
2366                 // into this: BitAnd(value, constant2)
2367
2368             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
2369
2370                 // Turn this: BitAnd(BitXor(x, allOnes), c)
2371                 // Into this: BitXor(BitOr(x, ~c), allOnes)
2372
            And we also found that this unused optimization has a bug: it does not insert the newly produced constant B3::Value. This patch also fixes it.
2374
        For both, this patch adds tests. And the fix for (2) is verified by checking that testb3 does not crash with the validate-graph option.
2376
2377         * b3/B3LowerToAir.cpp:
2378         * b3/B3ReduceStrength.cpp:
2379         * b3/testb3.h:
2380         * b3/testb3_2.cpp:
2381         (testBitAndNotNot32):
2382         (testBitAndNotImm):
2383         (testBitAndNotImm32):
2384         (testBitOrAndAndArgs32):
2385         (testBitOrAndSameArgs32):
2386         (testBitOrNotNot32):
2387         (testBitOrNotImm32):
2388         (addBitTests):
2389         * b3/testb3_3.cpp:
2390         (testBitXorAndAndArgs32):
2391         (testBitXorAndSameArgs32):
2392
2393 2019-09-10  Commit Queue  <commit-queue@webkit.org>
2394
2395         Unreviewed, rolling out r249721.
2396         https://bugs.webkit.org/show_bug.cgi?id=201667
2397
2398         Discovering existing bug (Requested by yusukesuzuki on
2399         #webkit).
2400
2401         Reverted changeset:
2402
2403         "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
2404         B3"
2405         https://bugs.webkit.org/show_bug.cgi?id=201634
2406         https://trac.webkit.org/changeset/249721
2407
2408 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2409
2410         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
2411         https://bugs.webkit.org/show_bug.cgi?id=201664
2412         <rdar://problem/52126927>
2413
2414         Reviewed by Tadeu Zagallo.
2415
        We are hitting a crash accessing an invalid pointer as the CodeBlock::calleeSaveRegisters result.
        This is because the concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
        Since m_jitData can be initialized in the main thread while CodeBlock::calleeSaveRegisters is being called from the concurrent Baseline JIT compiler thread,
        we can see a half-baked JITData structure which holds garbage pointers.

        But we do not want to make CodeBlock::calleeSaveRegisters() take CodeBlock::m_lock, for several reasons.

        1. This function is a very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
           called while holding this exact same lock, so a dead-lock can happen.
        2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlocks. And DFG and FTL code accesses this field after initializing it properly. For the Baseline JIT
           compiler case, the only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.

        Instead of guarding the CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
        JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to the concurrent Baseline JIT compiler thread.
2430
2431         * bytecode/CodeBlock.cpp:
2432         (JSC::CodeBlock::ensureJITDataSlow):
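
        As an added example (not JSC code), a hypothetical CodeBlock/JITData pair shows the publication pattern this entry describes: the writer fully initializes JITData, fences, then stores the pointer, while the lock-free reader only dereferences what it observes; std::atomic_thread_fence and a std::mutex stand in for WTF::storeStoreFence and CodeBlock::m_lock.

```cpp
#include <atomic>
#include <cstddef>
#include <memory>
#include <mutex>
#include <vector>

// Hypothetical stand-ins for JSC's types; names are assumptions, not JSC code.
struct RegisterAtOffsetList { std::vector<int> entries; };

struct JITData {
    // Must be a well-defined nullptr before any other thread can see this object.
    std::unique_ptr<RegisterAtOffsetList> m_calleeSaveRegisters;
    std::vector<std::size_t> m_otherFields; // stand-in for the rest of JITData
};

class CodeBlock {
public:
    // Slow path, called with m_lock held (main thread): allocate and fully
    // initialize JITData, then publish the pointer.
    JITData& ensureJITDataSlow()
    {
        auto data = std::make_unique<JITData>();
        data->m_calleeSaveRegisters = nullptr;   // Baseline never fills this.
        data->m_otherFields.assign(4, 0);
        // Stand-in for WTF::storeStoreFence(): the stores above are ordered
        // before the pointer store below, so a reader that observes the pointer
        // also observes initialized fields rather than garbage.
        std::atomic_thread_fence(std::memory_order_release);
        JITData* raw = data.release();
        m_jitData.store(raw, std::memory_order_relaxed);
        return *raw;
    }

    JITData& ensureJITData()
    {
        std::lock_guard<std::mutex> lock(m_lock);
        if (JITData* data = m_jitData.load(std::memory_order_relaxed))
            return *data;
        return ensureJITDataSlow();
    }

    // Lock-free read used by the concurrent Baseline JIT thread: it never takes
    // m_lock, so it relies entirely on the publication order above.
    const RegisterAtOffsetList* calleeSaveRegisters() const
    {
        if (const JITData* data = m_jitData.load(std::memory_order_acquire))
            return data->m_calleeSaveRegisters.get();
        return nullptr;
    }

    // DFG/FTL path: fills the list after JITData has already been published.
    void setCalleeSaveRegisters(std::vector<int> entries)
    {
        ensureJITData().m_calleeSaveRegisters =
            std::make_unique<RegisterAtOffsetList>(RegisterAtOffsetList{ std::move(entries) });
    }

    ~CodeBlock() { delete m_jitData.load(); }

private:
    std::mutex m_lock;
    std::atomic<JITData*> m_jitData { nullptr };
};

// Single-threaded scenarios (constructed for illustration): the Baseline-side
// view before and after the DFG fills the list.
bool baselineSeesNullBeforeDFGFills()
{
    CodeBlock cb;
    cb.ensureJITData();
    return cb.calleeSaveRegisters() == nullptr;
}

std::size_t calleeSaveCountAfterDFGFills()
{
    CodeBlock cb;
    cb.setCalleeSaveRegisters({ 1, 2, 3 });
    return cb.calleeSaveRegisters() ? cb.calleeSaveRegisters()->entries.size() : 0;
}
```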
2433
2434 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2435
2436         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
2437         https://bugs.webkit.org/show_bug.cgi?id=198253
2438
2439         Reviewed by Mark Lam.
2440
        The ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32.
        When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs on the slow path. And eventually DFG first mis-compiles
        it with Int32 ArithDiv while that div always produces a double. And an unnecessary OSR exit happens.

        In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
2446
2447         * parser/ResultType.h:
2448         (JSC::ResultType::bigIntOrInt32Type):
2449
2450 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2451
2452         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
2453         https://bugs.webkit.org/show_bug.cgi?id=201634
2454
2455         Reviewed by Mark Lam.
2456
        Surprisingly, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
2458         For example, in BitAnd strength reduction,
2459
            // Turn this: BitAnd(value, all-ones)
            // Into this: value.
            if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
                || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
                replaceWithIdentity(m_value->child(0));
                break;
            }
2467
2468         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
2469
            inline bool Value::isInt(int64_t value) const
            {
                return hasInt() && asInt() == value;
            }
2474
        So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
2476
            inline int64_t Value::asInt() const
            {
                return hasInt32() ? asInt32() : asInt64();
            }
2481
        So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
        We should use `isInt32` and `isInt64` for bit patterns (like operands for Bitwise opcodes).
2484
2485         We also fix the following optimization.
2486
2487             // Turn this: BitAnd(Op(value, constant1), constant2)
2488             //     where !(constant1 & constant2)
2489             //       and Op is BitOr or BitXor
2490             // into this: BitAnd(value, constant2)
2491
2492         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
2493
2494             // Turn this: BitAnd(BitXor(x, allOnes), c)
2495             // Into this: BitXor(BitOr(x, ~c), allOnes)
2496
        We add 32bit versions of the B3 tests for these optimizations.
2498
2499         * b3/B3LowerToAir.cpp:
2500         * b3/B3ReduceStrength.cpp:
2501         * b3/testb3.h:
2502         * b3/testb3_2.cpp:
2503         (testBitAndNotNot32):
2504         (testBitAndNotImm):
2505         (testBitAndNotImm32):
2506         (testBitOrAndAndArgs32):
2507         (testBitOrAndSameArgs32):
2508         (testBitOrNotNot32):
2509         (testBitOrNotImm32):
2510         (addBitTests):
2511         * b3/testb3_3.cpp:
2512         (testBitXorAndAndArgs32):
2513         (testBitXorAndSameArgs32):
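
        As an added example (not part of either ChangeLog entry for bug 201634, and not JSC's code), a stand-in C++ model of the quoted isInt()/asInt() bodies shows why ConstInt32(-1) fails the uint32_t all-ones check and how the width-specific isInt32/isInt64 comparison fixes it, and checks the BitAnd(BitXor(x, allOnes), c) rewrite that the second fix re-enables; the ConstValue type and helper names are hypothetical.

```cpp
#include <cstdint>
#include <limits>

// Minimal stand-in for B3::Value's integer-constant queries (hypothetical).
// asInt()/isInt() mirror the bodies quoted in the ChangeLog.
struct ConstValue {
    bool is32;
    int32_t v32;
    int64_t v64;

    static ConstValue constInt32(int32_t v) { return { true, v, 0 }; }
    static ConstValue constInt64(int64_t v) { return { false, 0, v }; }

    bool hasInt32() const { return is32; }
    bool hasInt64() const { return !is32; }
    bool hasInt() const { return true; }
    int32_t asInt32() const { return v32; }
    int64_t asInt64() const { return v64; }
    // The Int32 payload is sign-extended to int64_t: ConstInt32(-1) becomes -1.
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }
    bool isInt(int64_t value) const { return hasInt() && asInt() == value; }
    // Width-specific comparisons, which the fix uses for bit patterns.
    bool isInt32(int32_t value) const { return hasInt32() && asInt32() == value; }
    bool isInt64(int64_t value) const { return hasInt64() && asInt64() == value; }
};

// The pre-fix "is this operand all-ones?" check from BitAnd strength reduction.
// For Int32, UINT32_MAX widens to 4294967295 and never equals the sign-extended -1.
bool isAllOnesBuggy(bool isInt64Type, const ConstValue& c)
{
    if (isInt64Type)
        return c.isInt(static_cast<int64_t>(std::numeric_limits<uint64_t>::max()));
    return c.isInt(static_cast<int64_t>(std::numeric_limits<uint32_t>::max()));
}

// Fixed check: compare the bit pattern at the operand's own width.
bool isAllOnesFixed(bool isInt64Type, const ConstValue& c)
{
    if (isInt64Type)
        return c.isInt64(-1);
    return c.isInt32(-1);
}

// Second fix: the rewrite BitAnd(BitXor(x, allOnes), c) -> BitXor(BitOr(x, ~c), allOnes)
// must preserve the result for every 32-bit x and c (both sides equal ~x & c).
bool bitAndNotRewriteHolds32(uint32_t x, uint32_t c)
{
    uint32_t before = (x ^ 0xFFFFFFFFu) & c;
    uint32_t after = (x | ~c) ^ 0xFFFFFFFFu;
    return before == after;
}
```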
2514
2515 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2516
2517         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
2518         https://bugs.webkit.org/show_bug.cgi?id=189043
2519
2520         Reviewed by Keith Miller.
2521
        This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan
        and removes Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
        using Wasm::StreamingParser.

        Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will
        create a mechanism to pipe chunks of data to the streaming parser to enable WebAssembly.compileStreaming
        and instantiateStreaming.
2529
2530         * JavaScriptCore.xcodeproj/project.pbxproj:
2531         * Sources.txt:
2532         * tools/JSDollarVM.cpp:
2533         (JSC::WasmStreamingParser::WasmStreamingParser):
2534         * wasm/WasmAirIRGenerator.cpp:
2535         (JSC::Wasm::parseAndCompileAir):
2536         * wasm/WasmAirIRGenerator.h:
2537         * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile): Use FunctionData; it is better since it is more strongly typed.
2539         * wasm/WasmB3IRGenerator.h:
2540         * wasm/WasmBBQPlan.cpp:
2541         (JSC::Wasm::BBQPlan::BBQPlan):
2542         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
2543         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
2544         (JSC::Wasm::BBQPlan::compileFunctions):
2545         (JSC::Wasm::BBQPlan::complete):
2546         * wasm/WasmBBQPlan.h:
2547         * wasm/WasmModuleParser.cpp: Removed.
2548         * wasm/WasmModuleParser.h: Removed.
2549         * wasm/WasmOMGForOSREntryPlan.cpp:
2550         (JSC::Wasm::OMGForOSREntryPlan::work):
2551         * wasm/WasmOMGPlan.cpp:
2552         (JSC::Wasm::OMGPlan::work):
2553         * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::fail): Make the fail function callable multiple times. The first error will be used.
2555         * wasm/WasmSectionParser.cpp:
2556         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
2557         * wasm/WasmStreamingParser.cpp:
2558         (JSC::Wasm::StreamingParser::StreamingParser):
2559         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
2560         (JSC::Wasm::StreamingParser::parseFunctionPayload):
2561         (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::finalize): Call the client's callbacks at the appropriate times.
2563         * wasm/WasmStreamingParser.h:
2564         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
2565         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
        (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
        which has 3 callbacks right now. StreamingParser gets this client and calls these callbacks
        at the appropriate times.
2569         * wasm/WasmValidate.cpp:
2570         (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h: Use FunctionData; it is better since it is more strongly typed.
2572
2573 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2574
2575         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
2576         https://bugs.webkit.org/show_bug.cgi?id=201622
2577
2578         Reviewed by Mark Lam.
2579
        CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, but some of the places reallocate
        this Vector without taking a lock. If the Vector's memory is reallocated while the concurrent collector is iterating it,
        the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
2583
2584         * bytecode/CodeBlock.cpp:
2585         (JSC::CodeBlock::finishCreation):
2586         (JSC::CodeBlock::setConstantRegisters):
2587         * bytecode/CodeBlock.h:
2588         (JSC::CodeBlock::addConstant):
2589         (JSC::CodeBlock::addConstantLazily):
2590         * dfg/DFGDesiredWatchpoints.cpp:
2591         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2592         (JSC::DFG::SymbolTableAdaptor::add):
2593         (JSC::DFG::FunctionExecutableAdaptor::add):
2594         * dfg/DFGGraph.cpp:
2595         (JSC::DFG::Graph::registerFrozenValues):
2596         * dfg/DFGJITFinalizer.cpp:
2597         (JSC::DFG::JITFinalizer::finalizeCommon):
2598         * dfg/DFGLazyJSValue.cpp:
2599         (JSC::DFG::LazyJSValue::emit const):
2600
2601 2019-09-09  Robin Morisset  <rmorisset@apple.com>
2602
2603         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
2604         https://bugs.webkit.org/show_bug.cgi?id=197305
2605
2606         Reviewed by Keith Miller.
2607
2608         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
2609         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
2610
2611         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
2612         Apart from that, the patch includes some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (which for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
2613
2614         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
2615         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
2616
2617         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
2618
2619         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2620
2621 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2622
2623         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
2624         https://bugs.webkit.org/show_bug.cgi?id=201613
2625
2626         Reviewed by Mark Lam.
2627
2628         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
2629         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
2630         issue that `op_create_promise` missed propertyAccessInstructions registration (the name "propertyAccessInstructions" is
2631         misleading; it is more like "instructions-requires-llint-finalize").
2632
2633         * bytecode/CodeBlock.cpp:
2634         (JSC::CodeBlock::propagateTransitions):
2635         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2636         * bytecode/UnlinkedCodeBlock.cpp:
2637         (JSC::UnlinkedCodeBlock::applyModification):
2638         (JSC::UnlinkedCodeBlock::shrinkToFit):
2639         * bytecode/UnlinkedCodeBlock.h:
2640         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2641         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
2642         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
2643         * bytecompiler/BytecodeGenerator.cpp:
2644         (JSC::BytecodeGenerator::emitResolveScope):
2645         (JSC::BytecodeGenerator::emitGetFromScope):
2646         (JSC::BytecodeGenerator::emitPutToScope):
2647         (JSC::BytecodeGenerator::emitGetById):
2648         (JSC::BytecodeGenerator::emitDirectGetById):
2649         (JSC::BytecodeGenerator::emitPutById):
2650         (JSC::BytecodeGenerator::emitDirectPutById):
2651         (JSC::BytecodeGenerator::emitCreateThis):
2652         (JSC::BytecodeGenerator::emitToThis):
2653         * runtime/CachedTypes.cpp:
2654         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2655         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2656
2657 2019-09-07  Keith Miller  <keith_miller@apple.com>
2658
2659         OSR entry into wasm misses some contexts
2660         https://bugs.webkit.org/show_bug.cgi?id=201569
2661
2662         Reviewed by Yusuke Suzuki.
2663
2664         This patch fixes an issue where we could fail to capture some of
2665         our contexts when OSR entering into wasm code. Before we would
2666         only capture the state of the block immediately surrounding the
2667         entrance loop block header. We actually need to capture all
2668         enclosed stacks.
2669
2670         Additionally, we don't need to use variables for all the captured
2671         values. We can use a Phi and insert an upsilon just below the
2672         captured value.
2673
2674         * interpreter/CallFrame.h:
2675         * jsc.cpp:
2676         (GlobalObject::finishCreation):
2677         (functionCallerIsOMGCompiled):
2678         * wasm/WasmAirIRGenerator.cpp:
2679         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2680         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
2681         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
2682         (JSC::Wasm::AirIRGenerator::addLoop):
2683         * wasm/WasmB3IRGenerator.cpp:
2684         (JSC::Wasm::B3IRGenerator::createStack):
2685         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2686         (JSC::Wasm::B3IRGenerator::addConstant):
2687         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
2688         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
2689         (JSC::Wasm::B3IRGenerator::addLoop):
2690         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
2691         (JSC::Wasm::dumpExpressionStack):
2692         (JSC::Wasm::B3IRGenerator::dump):
2693         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
2694         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
2695         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
2696         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
2697         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
2698         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
2699         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
2700         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
2701         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
2702         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
2703         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
2704         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
2705         * wasm/WasmFunctionParser.h:
2706         (JSC::Wasm::FunctionParser::controlStack):
2707
2708 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2709
2710         [JSC] Promise resolve/reject functions should be created more efficiently
2711         https://bugs.webkit.org/show_bug.cgi?id=201488
2712
2713         Reviewed by Mark Lam.
2714
2715         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
2716         Unfortunately, anonymous builtin functions can be created frequently since this type of function is used
2717         for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
2718         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
2719
2720         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
2721         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
2722         anonymous-builtin-function creation faster.
2723
2724         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
2725         The simple microbenchmark shows 1.7x improvement.
2726
2727                                               ToT                     Patched
2728
2729             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
2730
2731         * dfg/DFGSpeculativeJIT.cpp:
2732         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2733         * ftl/FTLLowerDFGToB3.cpp:
2734         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2735         * runtime/FunctionRareData.cpp:
2736         (JSC::FunctionRareData::create):
2737         (JSC::FunctionRareData::FunctionRareData):
2738         * runtime/FunctionRareData.h:
2739         * runtime/JSFunction.cpp:
2740         (JSC::JSFunction::finishCreation):
2741         (JSC::JSFunction::allocateRareData):
2742         (JSC::JSFunction::allocateAndInitializeRareData):
2743         * runtime/JSFunctionInlines.h:
2744         (JSC::JSFunction::hasReifiedName const):
2745
2746 2019-09-07  Mark Lam  <mark.lam@apple.com>
2747
2748         performJITMemcpy() source buffer should not be in the Gigacage.
2749         https://bugs.webkit.org/show_bug.cgi?id=201577
2750         <rdar://problem/55142606>
2751
2752         Reviewed by Michael Saboff.
2753
2754         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
2755         buffer is not in the Gigacage.
2756
2757         * jit/ExecutableAllocator.h:
2758         (JSC::performJITMemcpy):
2759
2760 2019-09-07  Mark Lam  <mark.lam@apple.com>
2761
2762         The jsc shell should allow disabling of the Gigacage for testing purposes.
2763         https://bugs.webkit.org/show_bug.cgi?id=201579
2764
2765         Reviewed by Michael Saboff.
2766
2767         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
2768         this env var is present and it has a falsy value, then do not
2769         forbidDisablingPrimitiveGigacage() in the jsc shell.
2770
2771         * jsc.cpp:
2772         (jscmain):
2773
2774 2019-09-06  Mark Lam  <mark.lam@apple.com>
2775
2776         Harden protection of the Gigacage Config parameters.
2777         https://bugs.webkit.org/show_bug.cgi?id=201570
2778         <rdar://problem/55134229>
2779
2780         Reviewed by Saam Barati.
2781
2782         Just renaming some function names here.
2783
2784         * assembler/testmasm.cpp:
2785         (JSC::testCagePreservesPACFailureBit):
2786         * jit/AssemblyHelpers.h:
2787         (JSC::AssemblyHelpers::cageConditionally):
2788         * jsc.cpp:
2789         (jscmain):
2790
2791 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
2792
2793         Math.round() produces wrong result for value prior to 0.5
2794         https://bugs.webkit.org/show_bug.cgi?id=185115
2795
2796         Reviewed by Saam Barati.
2797
2798         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
2799         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
2800
2801         Specifically:
2802           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
2803             so taking the difference between `ceil(value)` and `value` is problematic.
2804           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
2805             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
2806
2807         * dfg/DFGSpeculativeJIT.cpp:
2808         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2809         * ftl/FTLLowerDFGToB3.cpp:
2810         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
2811         * jit/ThunkGenerators.cpp:
2812         (JSC::roundThunkGenerator):
2813         * runtime/MathCommon.cpp:
2814
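The rounding edge case described in the entry above, as an added example that is not JSC's code: `naiveRound` stands in for the `floor(x + 0.5)` shortcut the entry attributes to the old baseline path, `ceilDiffRound` stands in for the "compare `ceil(value) - value` against 0.5" shortcut, and `specRound` follows the ECMAScript Math.round rules by taking the fraction relative to `floor(x)`, a subtraction that loses no bits because `floor(x)` and `x` lie within a factor of two of each other. The function names, the constant `EDGE` and the test cases are this example's own.

```javascript
// Added example (not JSC's code): why two rounding shortcuts misround
// 0.49999999999999994, and a routine that follows the Math.round rules.
//
// 0.49999999999999994 is 0.5 - 2^-54, the largest double strictly below 0.5.
const EDGE = 0.49999999999999994;

// Shortcut 1: x + 0.5 is 1 - 2^-54, which is not representable and rounds
// (ties-to-even) up to exactly 1.0, so floor() returns 1 instead of 0.
function naiveRound(x) {
  return Math.floor(x + 0.5);
}

// Shortcut 2: ceil(x) - x is 0.5 + 2^-54, which is not representable and
// rounds down to exactly 0.5, so the "> 0.5" test fails and ceil (1) is kept.
function ceilDiffRound(x) {
  const c = Math.ceil(x);
  return (c - x) > 0.5 ? c - 1 : c;
}

// Follows the ECMAScript Math.round rules:
//   * NaN, +/-Infinity and +/-0 come back unchanged;
//   * 0 < x < 0.5 gives +0, and -0.5 <= x < 0 gives -0;
//   * otherwise the fraction is measured from floor(x); that subtraction is
//     exact (Sterbenz lemma), and ties round toward +Infinity.
function specRound(x) {
  if (!Number.isFinite(x) || x === 0) return x;
  if (x > 0 && x < 0.5) return 0;
  if (x < 0 && x >= -0.5) return -0;
  const f = Math.floor(x);
  return (x - f) >= 0.5 ? f + 1 : f;
}

// Constructed (input, expected) pairs covering the edge value, exact halves,
// negative zero results and a value too large to have a fractional part.
const CASES = [
  [EDGE, 0], [-EDGE, -0], [0.5, 1], [-0.5, -0], [2.5, 3], [-2.5, -2],
  [1.4999999999999998, 1], [-1.5, -1], [1e300, 1e300], [-0.3, -0],
];

// Return the inputs on which a rounding routine disagrees with the expected
// value. Object.is is used so that -0 and +0 are told apart.
function mismatches(round) {
  return CASES.filter(([x, want]) => !Object.is(round(x), want)).map(([x]) => x);
}

console.log('naiveRound wrong on:', mismatches(naiveRound));
console.log('ceilDiffRound wrong on:', mismatches(ceilDiffRound));
console.log('specRound wrong on:', mismatches(specRound));
console.log('host Math.round wrong on:', mismatches(Math.round));
```

Running it shows that `naiveRound` also loses the sign of zero for small negative inputs, while `ceilDiffRound` fails only at the edge value the entry names; the last line checks the host engine's own Math.round against the same cases.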
2815 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2816
2817         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
2818         https://bugs.webkit.org/show_bug.cgi?id=201366
2819
2820         Reviewed by Saam Barati.
2821
2822         It is possible for the log buffer to be full right as someone is trying to
2823         log a function prologue. In such a case the machine stack has already been
2824         updated to include the new JavaScript call frame, but the prologue packet
2825         cannot be included in the update because the log is full. This would mean
2826         that the update fails to rationalize the machine stack with the shadow
2827         log / stack. Namely, the current JavaScript call frame is unable to
2828         find a matching prologue (the one we are holding to include after the update)
2829         and inserts a questionable value into the stack, in the process
2830         missing and removing real potential tail calls.
2831
2832         For example:
2833         
2834             "use strict";
2835             function third() { return 1; }
2836             function second() { return third(); }
2837             function first() { return second(); }
2838             function start() { return first(); }
2839
2840         If the log fills up just as we are entering `b` then we may have a list
2841         full log of packets looking like:
2842
2843           Shadow Log:
2844             ...
2845             { prologue-packet: entering `start` ... }
2846             { prologue-packet: entering `first` ... }
2847             { tail-packet: leaving `first` with a tail call }
2848
2849           Incoming Packet:
2850             { prologue-packet: entering `second` ... }
2851
2852           Current JS Stack:
2853             second
2854             start
2855
2856         Since the Current JavaScript stack already has `second`, if we process the
2857         log without the prologue for `second` then we push a confused entry on the
2858         shadow stack and clear the log such that we eventually lose the tail-call
2859         information for `first` to `second`.
2860
2861         This patch solves this issue by providing enough extra space in the log
2862         to always process the incoming packet when that forces an update. This way
2863         clients can continue to behave exactly as they are.
2864
2865         --
2866
2867         We also document a corner case in some circumstances where the shadow
2868         log may currently be insufficient to know how to reconcile:
2869         
2870         For example:
2871
2872             "use strict";
2873             function third() { return 1; }
2874             function second() { return third(); }
2875             function first() { return second(); }
2876             function doNothingTail() { return Math.random() }
2877             function start() {
2878                 for (i=0;i<1000;++i) doNothingTail();
2879                 return first();
2880             }
2881
2882         In this case the ShadowChicken log may be processed multiple times due
2883         to the many calls to `doNothingTail` / `Math.random()`. When calling the
2884         Native function no prologue packet is emitted, so it is unclear that we
2885         temporarily go deeper and come back out on the stack, so the log appears
2886         to have lots of doNothingTail calls reusing the same frame:
2887
2888           Shadow Log:
2889             ...
2890             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
2891             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
2892             , [125] tail-packet:{frame = 0x7ffeef8971f0}
2893             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
2894             , [127] tail-packet:{frame = 0x7ffeef8971f0}
2895             ...
2896             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
2897             , [141] tail-packet:{frame = 0x7ffeef8971f0}
2898             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
2899             , [143] tail-packet:{frame = 0x7ffeef8971f0}
2900             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
2901             , [145] tail-packet:{frame = 0x7ffeef8971f0}
2902             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
2903             ...
2904
2905         This log would seem to be indistinguishable from real tail recursion, such as:
2906
2907             "use strict";
2908             function third() { return 1; }
2909             function second() { return third(); }
2910             function first() { return second(); }
2911             function doNothingTail(n) {
2912                 return n ? doNothingTail(n-1) : first();
2913             }
2914             function start() {
2915                 return doNothingTail(1000);
2916             }
2917
2918         Likewise there are more cases where the shadow log appears to be ambiguous with determining
2919         the appropriate parent call frame with intermediate function calls. In practice this may
2920         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
2921         It seems likely we would only show additional frames that did in fact happen serially
2922         between JavaScript call frames, but may not actually be the proper parent frames
2923         hierarchy in the stack.
2924
2925         * interpreter/ShadowChicken.cpp:
2926         (JSC::ShadowChicken::Packet::dump const):
2927         (JSC::ShadowChicken::Frame::dump const):
2928         (JSC::ShadowChicken::dump const):
2929         Improved debugging output. Especially for functions.
2930
2931         (JSC::ShadowChicken::ShadowChicken):
2932         Make space in the log for 1 additional packet to process when we slow log.
2933
2934         (JSC::ShadowChicken::log):
2935         Include this packet in our update.
2936
2937         (JSC::ShadowChicken::update):
2938         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
2939
2940 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
2941
2942         Unreviewed, rolling out r249566.
2943
2944         Causes inspector layout test crashes under GuardMalloc
2945
2946         Reverted changeset:
2947
2948         "Tail Deleted Frames shown in Web Inspector are sometimes
2949         incorrect (Shadow Chicken)"
2950         https://bugs.webkit.org/show_bug.cgi?id=201366
2951         https://trac.webkit.org/changeset/249566
2952
2953 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
2954
2955         testmasm: save r6 in JIT'ed code on ARM_THUMB2
2956         https://bugs.webkit.org/show_bug.cgi?id=201138
2957
2958         Reviewed by Mark Lam.
2959
2960         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
2961         callee-saved register. The JITs use
2962         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
2963         callee-saved registers, but there is no such mechanism in testmasm,
2964         which seems to make the assumption that the macroassembler does not
2965         use callee-saved registers (which I guess is true for all other
2966         architectures, but not for Armv7).
2967
2968         This issue means that testmasm crashes on Armv7 since code generated
2969         by gcc uses r6, and it gets modified by JIT'ed code.
2970
2971         This change makes sure that we save and restore r6 for all code
2972         compiled by testmasm on Armv7.
2973
2974         * assembler/testmasm.cpp:
2975         (JSC::emitFunctionPrologue):
2976         (JSC::emitFunctionEpilogue):
2977         (JSC::testSimple):
2978         (JSC::testGetEffectiveAddress):
2979         (JSC::testBranchTruncateDoubleToInt32):
2980         (JSC::testBranchTestBit32RegReg):
2981         (JSC::testBranchTestBit32RegImm):
2982         (JSC::testBranchTestBit32AddrImm):
2983         (JSC::testBranchTestBit64RegReg):
2984         (JSC::testBranchTestBit64RegImm):
2985         (JSC::testBranchTestBit64AddrImm):
2986         (JSC::testCompareDouble):
2987         (JSC::testMul32WithImmediates):
2988         (JSC::testMul32SignExtend):
2989         (JSC::testCompareFloat):
2990         (JSC::testProbeReadsArgumentRegisters):
2991         (JSC::testProbeWritesArgumentRegisters):
2992         (JSC::testProbePreservesGPRS):
2993         (JSC::testProbeModifiesStackPointer):
2994         (JSC::testProbeModifiesProgramCounter):
2995         (JSC::testProbeModifiesStackValues):
2996         (JSC::testByteSwap):
2997         (JSC::testMoveDoubleConditionally32):
2998         (JSC::testMoveDoubleConditionally64):
2999         (JSC::testCagePreservesPACFailureBit):
3000
3001 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3002
3003         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
3004         https://bugs.webkit.org/show_bug.cgi?id=201366
3005
3006         Reviewed by Saam Barati.
3007
3008         It is possible for the log buffer to be full right as someone is trying to
3009         log a function prologue. In such a case the machine stack has already been
3010         updated to include the new JavaScript call frame, but the prologue packet
3011         cannot be included in the update because the log is full. This would mean
3012         that the update fails to rationalize the machine stack with the shadow
3013         log / stack. Namely, the current JavaScript call frame is unable to
3014         find a matching prologue (the one we are holding to include after the update)
3015         and inserts a questionable value into the stack, in the process
3016         missing and removing real potential tail calls.
3017
3018         For example:
3019         
3020             "use strict";
3021             function third() { return 1; }
3022             function second() { return third(); }
3023             function first() { return second(); }
3024             function start() { return first(); }
3025
3026         If the log fills up just as we are entering `b` then we may have a list
3027         full log of packets looking like:
3028
3029           Shadow Log:
3030             ...
3031             { prologue-packet: entering `start` ... }
3032             { prologue-packet: entering `first` ... }
3033             { tail-packet: leaving `first` with a tail call }
3034
3035           Incoming Packet:
3036             { prologue-packet: entering `second` ... }
3037
3038           Current JS Stack:
3039             second
3040             start
3041
3042         Since the Current JavaScript stack already has `second`, if we process the
3043         log without the prologue for `second` then we push a confused entry on the
3044         shadow stack and clear the log such that we eventually lose the tail-call
3045         information for `first` to `second`.
3046
3047         This patch solves this issue by providing enough extra space in the log
3048         to always process the incoming packet when that forces an update. This way
3049         clients can continue to behave exactly as they are.
3050
3051         --
3052
3053         We also document a corner case in some circumstances where the shadow
3054         log may currently be insufficient to know how to reconcile:
3055         
3056         For example:
3057
3058             "use strict";
3059             function third() { return 1; }
3060             function second() { return third(); }
3061             function first() { return second(); }
3062             function doNothingTail() { return Math.random() }
3063             function start() {
3064                 for (i=0;i<1000;++i) doNothingTail();
3065                 return first();
3066             }
3067
3068         In this case the ShadowChicken log may be processed multiple times due
3069         to the many calls to `doNothingTail` / `Math.random()`. When calling the
3070         Native function no prologue packet is emitted, so it is unclear that we
3071         temporarily go deeper and come back out on the stack, so the log appears
3072         to have lots of doNothingTail calls reusing the same frame:
3073
3074           Shadow Log:
3075             ...
3076             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
3077             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3078             , [125] tail-packet:{frame = 0x7ffeef8971f0}
3079             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3080             , [127] tail-packet:{frame = 0x7ffeef8971f0}
3081             ...
3082             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3083             , [141] tail-packet:{frame = 0x7ffeef8971f0}
3084             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3085             , [143] tail-packet:{frame = 0x7ffeef8971f0}
3086             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
3087             , [145] tail-packet:{frame = 0x7ffeef8971f0}
3088             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
3089             ...
3090
3091         This log would seem to be indistinguishable from real tail recursion, such as:
3092
3093             "use strict";
3094             function third() { return 1; }
3095             function second() { return third(); }
3096             function first() { return second(); }
3097             function doNothingTail(n) {
3098                 return n ? doNothingTail(n-1) : first();
3099             }
3100             function start() {
3101                 return doNothingTail(1000);
3102             }
3103
3104         Likewise there are more cases where the shadow log appears to be ambiguous with determining
3105         the appropriate parent call frame with intermediate function calls. In practice this may
3106         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
3107         It seems likely we would only show additional frames that did in fact happen serially
3108         between JavaScript call frames, but may not actually be the proper parent frames
3109         hierarchy in the stack.
3110
3111         * interpreter/ShadowChicken.cpp:
3112         (JSC::ShadowChicken::Packet::dump const):
3113         (JSC::ShadowChicken::Frame::dump const):
3114         (JSC::ShadowChicken::dump const):
3115         Improved debugging output. Especially for functions.
3116
3117         (JSC::ShadowChicken::ShadowChicken):
3118         Make space in the log for 1 additional packet to process when we slow log.
3119
3120         (JSC::ShadowChicken::log):
3121         Include this packet in our update.
3122
3123         (JSC::ShadowChicken::update):
3124         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
3125
3126 2019-09-05  Mark Lam  <mark.lam@apple.com>
3127
3128         Refactor the Gigacage code to require less pointer casting.
3129         https://bugs.webkit.org/show_bug.cgi?id=201521
3130
3131         Reviewed by Saam Barati.
3132
3133         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
3134         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
3135
3136         * jit/AssemblyHelpers.h:
3137         (JSC::AssemblyHelpers::cageConditionally):
3138         * llint/LowLevelInterpreter.asm:
3139         * llint/LowLevelInterpreter64.asm:
3140         * runtime/VM.h:
3141         (JSC::VM::gigacageAuxiliarySpace):
3142
3143 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
3144
3145         Unreviewed, follow-up after r249530 and r249509
3146         https://bugs.webkit.org/show_bug.cgi?id=201495
3147
3148         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
3149
3150         * builtins/PromiseConstructor.js:
3151         (nakedConstructor.Promise.resolve):
3152         (nakedConstructor.Promise.reject):
3153         (nakedConstructor.Promise):
3154         (nakedConstructor.InternalPromise.resolve):
3155         (nakedConstructor.InternalPromise.reject):
3156         (nakedConstructor.InternalPromise):
3157         * ftl/FTLLowerDFGToB3.cpp:
3158         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
3159         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
3160         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
3161         * ftl/FTLOutput.h:
3162         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
3163         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
3164         (JSC::FTL::Output::weakPointer): Deleted.
3165
3166 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
3167
3168         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
3169         https://bugs.webkit.org/show_bug.cgi?id=201513
3170
3171         Reviewed by Ross Kirsling.
3172
3173         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and makes it reusable for the other objects.
3174         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
3175
3176         The profiler shows many recompilations of Generator's resume function (including async generator's one). We are using properties
3177         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
3178         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
3179         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
3180         And every time a new Structure for a new generator pops up, DFG/FTL code for the generator resume function gets an OSR exit, or eventually this function
3181         ends up emitting super generic code unfortunately. By using internal fields for storing this state, we can avoid this performance problem.
3182
3183         Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can hold a specified
3184         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
3185
3186         * CMakeLists.txt:
3187         * JavaScriptCore.xcodeproj/project.pbxproj:
3188         * bytecode/BytecodeList.rb:
3189         * bytecode/BytecodeUseDef.h:
3190         (JSC::computeUsesForBytecodeOffset):
3191         (JSC::computeDefsForBytecodeOffset):
3192         * bytecode/CodeBlock.cpp:
3193         (JSC::CodeBlock::finishCreation):
3194         * bytecode/Opcode.h:
3195         * bytecompiler/BytecodeGenerator.cpp:
3196         (JSC::BytecodeGenerator::emitGetInternalField):
3197         (JSC::BytecodeGenerator::emitPutInternalField):
3198         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
3199         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
3200         * bytecompiler/BytecodeGenerator.h:
3201         * bytecompiler/NodesCodegen.cpp:
3202         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
3203         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
3204         * dfg/DFGAbstractInterpreterInlines.h:
3205         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3206         * dfg/DFGByteCodeParser.cpp:
3207         (JSC::DFG::ByteCodeParser::parseBlock):
3208         * dfg/DFGCapabilities.cpp:
3209         (JSC::DFG::capabilityLevel):
3210         * dfg/DFGClobberize.h:
3211         (JSC::DFG::clobberize):
3212         * dfg/DFGDoesGC.cpp:
3213         (JSC::DFG::doesGC):
3214         * dfg/DFGFixupPhase.cpp:
3215         (JSC::DFG::FixupPhase::fixupNode):
3216         * dfg/DFGMayExit.cpp:
3217         * dfg/DFGNode.h:
3218         (JSC::DFG::Node::hasInternalFieldIndex):
3219         (JSC::DFG::Node::hasHeapPrediction):
3220         * dfg/DFGNodeType.h:
3221         * dfg/DFGPredictionPropagationPhase.cpp:
3222         * dfg/DFGSafeToExecute.h:
3223         (JSC::DFG::safeToExecute):
3224         * dfg/DFGSpeculativeJIT.cpp:
3225         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
3226         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
3227         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
3228         (JSC::DFG::SpeculativeJIT::compileNewPromise):
3229         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
3230         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
3231         * dfg/DFGSpeculativeJIT.h:
3232         * dfg/DFGSpeculativeJIT32_64.cpp:
3233         (JSC::DFG::SpeculativeJIT::compile):
3234         * dfg/DFGSpeculativeJIT64.cpp:
3235         (JSC::DFG::SpeculativeJIT::compile):
3236         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3237         * ftl/FTLAbstractHeapRepository.h:
3238         * ftl/FTLCapabilities.cpp:
3239         (JSC::FTL::canCompile):
3240         * ftl/FTLLowerDFGToB3.cpp:
3241         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3242         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
3243         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
3244         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
3245         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
3246         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
3247         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
3248         * jit/JIT.cpp:
3249         (JSC::JIT::privateCompileMainPass):
3250         * jit/JIT.h:
3251         * jit/JITPropertyAccess.cpp:
3252         (JSC::JIT::emit_op_get_internal_field):
3253         (JSC::JIT::emit_op_put_internal_field):
3254         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
3255         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
3256         * jit/JITPropertyAccess32_64.cpp:
3257         (JSC::JIT::emit_op_get_internal_field):
3258         (JSC::JIT::emit_op_put_internal_field):
3259         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
3260         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
3261         * llint/LLIntOffsetsExtractor.cpp:
3262         * llint/LowLevelInterpreter.asm:
3263         * llint/LowLevelInterpreter32_64.asm:
3264         * llint/LowLevelInterpreter64.asm:
3265         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
3266         (JSC::JSInternalFieldObjectImpl::allocationSize):
3267         (JSC::JSInternalFieldObjectImpl::internalField const):
3268         (JSC::JSInternalFieldObjectImpl::internalField):
3269         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
3270         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
3271         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
3272         * runtime/JSInternalFieldObjectImplInlines.h: Added.
3273         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
3274         * runtime/JSPromise.cpp:
3275         (JSC::JSPromise::finishCreation):
3276         (JSC::JSPromise::visitChildren):
3277         (JSC::JSPromise::status const):
3278         (JSC::JSPromise::result const):
3279         (JSC::JSPromise::isHandled const):
3280         * runtime/JSPromise.h:
3281         (JSC::JSPromise::allocationSize): Deleted.
3282         (JSC::JSPromise::offsetOfInternalFields): Deleted.
3283         (JSC::JSPromise::offsetOfInternalField): Deleted.
3284         (): Deleted.
3285
3286 2019-09-05  Commit Queue  <commit-queue@webkit.org>
3287
3288         Unreviewed, rolling out r247463.
3289         https://bugs.webkit.org/show_bug.cgi?id=201515
3290
3291         JetStream2 code-load related regression (Requested by
3292         yusukesuzuki on #webkit).
3293
3294         Reverted changeset:
3295
3296         "Keyword lookup can use memcmp to get around unaligned load
3297         undefined behavior"
3298         https://bugs.webkit.org/show_bug.cgi?id=199650
3299         https://trac.webkit.org/changeset/247463
3300
3301 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
3302
3303         LazyClassStructure::setConstructor should not store the constructor to the global object
3304         https://bugs.webkit.org/show_bug.cgi?id=201484
3305         <rdar://problem/50400451>
3306
3307         Reviewed by Yusuke Suzuki.
3308
3309         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
3310         This became a problem when it started being used for WebAssembly constructors, such as Module
3311         and Instance, since they are properties of the WebAssembly object, not the global object. That
3312         resulted in properties of the global object being replaced whenever a lazy WebAssembly constructor
3313         was first accessed. e.g.
3314
3315         globalThis.Module = x;
3316         WebAssembly.Module;
3317         globalThis.Module === WebAssembly.Module;
3318
3319         * runtime/LazyClassStructure.cpp:
3320         (JSC::LazyClassStructure::Initializer::setConstructor):
3321         * runtime/LazyClassStructure.h:
3322         * runtime/Lookup.h:
3323         (JSC::reifyStaticProperty):
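
        The following is an added regression check for the bug described in this entry; it is example
        code, not part of WebKit. Touching a lazily initialised constructor that lives on a namespace
        object (WebAssembly.Module, WebAssembly.Instance, ...) must not define or overwrite a same-named
        property on the global object. The check plants a sentinel global, forces the lazy
        initialisation, and reports every name whose global was changed. `buggyNamespace` is a
        constructed stand-in that reproduces the wrong behaviour so the check has something to catch.

```javascript
// Added example (not WebKit/JSC code). Runs under Node.js or any engine with
// globalThis and WebAssembly.

// Return the names in `names` whose global-object property was replaced as a
// side effect of first accessing `namespace[name]`. Globals are restored
// afterwards so the check is side-effect free for the caller.
function findClobberedGlobals(namespace, names) {
  const clobbered = [];
  for (const name of names) {
    const sentinel = { marker: name }; // a user-defined global of the same name
    const had = Object.prototype.hasOwnProperty.call(globalThis, name);
    const saved = globalThis[name];
    globalThis[name] = sentinel;

    void namespace[name]; // force lazy initialisation of the constructor

    if (globalThis[name] !== sentinel) clobbered.push(name);

    if (had) globalThis[name] = saved;
    else delete globalThis[name];
  }
  return clobbered;
}

// Constructed stand-in for the bug: a lazy getter whose initialisation stores
// the constructor on the global object instead of only on the namespace.
const buggyNamespace = {
  get Module() {
    const ctor = function Module() {};
    globalThis.Module = ctor; // the mistake: wrong target object
    return ctor;
  },
};

// Names of the lazily created WebAssembly constructors to probe in a real engine.
const wasmConstructorNames = ["Module", "Instance", "Memory", "Table"];

function checkWebAssemblyGlobals() {
  if (typeof WebAssembly === "undefined") return [];
  return findClobberedGlobals(WebAssembly, wasmConstructorNames);
}
```

        A fixed engine yields an empty list from checkWebAssemblyGlobals(), while
        findClobberedGlobals(buggyNamespace, ["Module"]) returns ["Module"], which is exactly the
        observable symptom of the snippet in this entry.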
3324
3325 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
3326
3327         [JSC] Do not use FTLOutput::weakPointer directly
3328         https://bugs.webkit.org/show_bug.cgi?id=201495
3329
3330         Reviewed by Filip Pizlo.
3331
3332         FTLOutput::weakPointer does not register the cell as a weak pointer.
3333         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
3334         While the current implementation does not pose a correctness issue since these cells are live so long as JSGlobalObject is live,
3335         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
3336         For FrozenValue, we should use frozenPointer helper function.
3337
3338         * ftl/FTLLowerDFGToB3.cpp:
3339         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
3340         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3341
3342 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
3343
3344         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
3345         https://bugs.webkit.org/show_bug.cgi?id=201373
3346
3347         * bytecode/BytecodeList.rb:
3348         * bytecode/BytecodeUseDef.h:
3349         (JSC::computeUsesForBytecodeOffset):
3350         (JSC::computeDefsForBytecodeOffset):
3351         * bytecompiler/BytecodeGenerator.cpp:
3352         (JSC::BytecodeGenerator::BytecodeGenerator):
3353         (JSC::BytecodeGenerator::emitLoopHint):
3354         (JSC::BytecodeGenerator::emitCheckTraps):
3355         * bytecompiler/BytecodeGenerator.h:
3356         * dfg/DFGByteCodeParser.cpp:
3357         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3358         (JSC::DFG::ByteCodeParser::parseBlock):
3359         * dfg/DFGCapabilities.cpp:
3360         (JSC::DFG::capabilityLevel):
3361         * jit/JIT.cpp:
3362         (JSC::JIT::emitEnterOptimizationCheck):
3363         (JSC::JIT::privateCompileMainPass):
3364         (JSC::JIT::privateCompileSlowCases):
3365         * jit/JIT.h:
3366         * jit/JITOpcodes.cpp:
3367         (JSC::JIT::emit_op_enter):
3368         (JSC::JIT::emit_op_loop_hint):
3369         (JSC::JIT::emitSlow_op_loop_hint):
3370         (JSC::JIT::emit_op_check_traps):
3371         (JSC::JIT::emitSlow_op_check_traps):
3372         (JSC::JIT::emitSlow_op_enter): Deleted.
3373         * jit/JITOpcodes32_64.cpp:
3374         (JSC::JIT::emit_op_enter):
3375         * llint/LowLevelInterpreter.asm:
3376         * llint/LowLevelInterpreter32_64.asm:
3377         * llint/LowLevelInterpreter64.asm:
3378         * runtime/CommonSlowPaths.cpp:
3379         (JSC::SLOW_PATH_DECL):
3380         * runtime/CommonSlowPaths.h:
3381
3382 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
3383
3384         Unreviewed, rebaseline builtin generator test results
3385         https://bugs.webkit.org/show_bug.cgi?id=200898
3386
3387         Rebaseline the result files.
3388
3389         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3390         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3391         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3392         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3393         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3394         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3395         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3396         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3397         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3398         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3399         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3400         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3401         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3402
3403 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
3404
3405         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
3406         https://bugs.webkit.org/show_bug.cgi?id=201485
3407
3408         Reviewed by Tadeu Zagallo.
3409
3410         FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
3411         it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
3412         a race issue like,
3413
3414         1. While one thread is adding overrides information,
3415         2. Another thread is accessing this hash table.
3416
3417         This patch adds a lock to make sure that only one thread can access this registry.
3418
3419         * tools/FunctionOverrides.cpp:
3420         (JSC::FunctionOverrides::FunctionOverrides):
3421         (JSC::FunctionOverrides::reinstallOverrides):
3422         (JSC::FunctionOverrides::initializeOverrideFor):
3423         (JSC::FunctionOverrides::parseOverridesInFile):
3424         * tools/FunctionOverrides.h:
3425         (JSC::FunctionOverrides::clear):
3426
3427 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
3428
3429         [JSC] Make Promise implementation faster
3430         https://bugs.webkit.org/show_bug.cgi?id=200898
3431
3432         Reviewed by Saam Barati.
3433
3434         This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.
3435
3436         1. Make JSPromise C++ friendly
3437
3438             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
3439             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
3440             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
3441             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
3442             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
3443             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
3444
3445         We also add JSPromiseType as a JSType, and structures for JSPromise should have it, so that `@isPromise` is now efficiently implemented.
3446             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
3447
3448             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
3449             is filed in [2].
3450
3451         2. Make JSPromise constructor JS friendly
3452
3453         The old JSPromise constructor was very inefficient: JSPromise constructor is an InternalFunction in C++, and in it, it
3454             calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
3455             If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
3456             Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
3457             construct is 100. We might want to investigate getting it inlined in the future[3].
3458
3459             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
3460         annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
3461         does not emit `op_create_this` implicitly and the constructor does not return the `this` object implicitly. The naked constructor allows
3462             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
3463             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
3464             JSPromise constructor fully in JS.
3465             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
3466
3467         3. DFG supports for JSPromise operations
3468
3469             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
3470             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
3471         promises. CreatePromise and NewPromise have an `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
3472             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
3473             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
3474             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
3475             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
3476             structure is invalidated: `callee.prototype` is replaced.
3477
3478         4. Avoid creating unnecessary promises
3479
3480             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
3481         For example, when resolving a value with `Promise.resolve`, if the value is a promise and its `then` method is the builtin `then`, we can avoid creating
3482             intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
3483             take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
3484             in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
3485             check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.
3486
3487         5. Avoid creating resolving-functions and promise capabilities
3488
3489             Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
3490             patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
3491         created again for the same promise. In that case, we just create the usual resolving functions). By doing so, we avoid unnecessary resolving functions
3492             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
3493             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
3494             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
3495             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
3496
3497         JetStream2/async-fs results.
3498             ToT:
3499                 Running async-fs:
3500                     Startup: 116.279
3501                     Worst Case: 151.515
3502                     Average: 176.630
3503                     Score: 145.996
3504                     Wall time: 0:01.149
3505
3506             Patched:
3507                 Running async-fs:
3508                     Startup: 166.667
3509                     Worst Case: 267.857
3510                     Average: 299.080
3511                     Score: 237.235
3512                     Wall time: 0:00.683
3513
3514         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
3515         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
3516         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
3517         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
3518
3519         * CMakeLists.txt:
3520         * JavaScriptCore.xcodeproj/project.pbxproj:
3521         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3522         (ConstructAbility):
3523         (ConstructorKind):
3524         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3525         * Scripts/wkbuiltins/builtins_generator.py:
3526         (BuiltinsGenerator.generate_embedded_code_data_for_function):
3527         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3528         * Scripts/wkbuiltins/builtins_model.py:
3529         (BuiltinFunction.__init__):
3530         (BuiltinFunction.fromString):
3531         * Scripts/wkbuiltins/builtins_templates.py:
3532         * builtins/AsyncFromSyncIteratorPrototype.js:
3533         (next.try):
3534         (next):
3535         (return.try):
3536         (return):
3537         (throw.try):
3538         (throw):
3539         * builtins/AsyncFunctionPrototype.js:
3540         (globalPrivate.asyncFunctionResume):
3541         * builtins/AsyncGeneratorPrototype.js:
3542         (globalPrivate.asyncGeneratorQueueIsEmpty):
3543         (globalPrivate.asyncGeneratorQueueEnqueue):
3544         (globalPrivate.asyncGeneratorQueueDequeue):
3545         (globalPrivate.asyncGeneratorReject):
3546         (globalPrivate.asyncGeneratorResolve):
3547         (globalPrivate.asyncGeneratorYield):
3548         (onRejected):
3549         (globalPrivate.awaitValue):
3550         (onFulfilled):
3551         (globalPrivate.doAsyncGeneratorBodyCall):
3552         (globalPrivate.asyncGeneratorResumeNext):
3553         (globalPrivate.asyncGeneratorEnqueue):
3554         (globalPrivate.asyncGeneratorDequeue): Deleted.
3555         (const.onRejected): Deleted.
3556         (const.onFulfilled): Deleted.
3557         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
3558         * builtins/BuiltinExecutableCreator.h:
3559         * builtins/BuiltinExecutables.cpp:
3560         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
3561         (JSC::BuiltinExecutables::createDefaultConstructor):
3562         (JSC::BuiltinExecutables::createBuiltinExecutable):
3563         (JSC::BuiltinExecutables::createExecutable):
3564         (JSC::createBuiltinExecutable): Deleted.
3565         * builtins/BuiltinExecutables.h:
3566         * builtins/BuiltinNames.h:
3567         * builtins/BuiltinUtils.h:
3568         * builtins/ModuleLoader.js:
3569         (forceFulfillPromise):
3570         * builtins/PromiseConstructor.js:
3571         (nakedConstructor.Promise.resolve):
3572         (nakedConstructor.Promise.reject):
3573         (nakedConstructor.Promise):
3574         (nakedConstructor.InternalPromise.resolve):
3575         (nakedConstructor.InternalPromise.reject):
3576         (nakedConstructor.InternalPromise):
3577         * builtins/PromiseOperations.js:
3578         (globalPrivate.newPromiseReaction):
3579         (globalPrivate.newPromiseCapability):
3580         (globalPrivate.newHandledRejectedPromise):
3581         (globalPrivate.triggerPromiseReactions):
3582         (globalPrivate.resolvePromise):
3583         (globalPrivate.rejectPromise):
3584         (globalPrivate.fulfillPromise):
3585         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
3586         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
3587         (globalPrivate.createResolvingFunctions.resolve):
3588         (globalPrivate.createResolvingFunctions.reject):
3589         (globalPrivate.createResolvingFunctions):
3590         (globalPrivate.promiseReactionJobWithoutPromise):
3591         (globalPrivate.resolveWithoutPromise):
3592         (globalPrivate.rejectWithoutPromise):
3593         (globalPrivate.fulfillWithoutPromise):
3594         (resolve):
3595         (reject):
3596         (globalPrivate.createResolvingFunctionsWithoutPromise):
3597         (globalPrivate.promiseReactionJob):
3598         (globalPrivate.promiseResolveThenableJobFast):
3599         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
3600         (globalPrivate.promiseResolveThenableJob):
3601         (globalPrivate.isPromise): Deleted.
3602         (globalPrivate.newPromiseCapability.executor): Deleted.
3603         (globalPrivate.initializePromise): Deleted.
3604         * builtins/PromisePrototype.js:
3605         (then):
3606         * bytecode/BytecodeIntrinsicRegistry.cpp:
3607         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3608         * bytecode/BytecodeIntrinsicRegistry.h:
3609         * bytecode/BytecodeList.rb:
3610         * bytecode/BytecodeUseDef.h:
3611         (JSC::computeUsesForBytecodeOffset):
3612         (JSC::computeDefsForBytecodeOffset):
3613         * bytecode/CodeBlock.cpp:
3614         (JSC::CodeBlock::finishCreation):
3615         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3616         * bytecode/Opcode.h:
3617         * bytecode/SpeculatedType.cpp:
3618         (JSC::dumpSpeculation):
3619         (JSC::speculationFromClassInfo):
3620         (JSC::speculationFromJSType):
3621         (JSC::speculationFromString):
3622         * bytecode/SpeculatedType.h:
3623         * bytecode/UnlinkedFunctionExecutable.h:
3624         * bytecompiler/BytecodeGenerator.cpp:
3625         (JSC::BytecodeGenerator::generate):
3626         (JSC::BytecodeGenerator::BytecodeGenerator):
3627         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
3628         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
3629         (JSC::BytecodeGenerator::emitCreatePromise):
3630         (JSC::BytecodeGenerator::emitNewPromise):
3631         (JSC::BytecodeGenerator::emitReturn):
3632         * bytecompiler/BytecodeGenerator.h:
3633         (JSC::BytecodeGenerator::promiseRegister):
3634         (JSC::BytecodeGenerator::emitIsPromise):
3635         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
3636         * bytecompiler/NodesCodegen.cpp:
3637         (JSC::promiseInternalFieldIndex):
3638         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
3639         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
3640         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
3641         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
3642         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
3643         (JSC::FunctionNode::emitBytecode):
3644         * dfg/DFGAbstractHeap.h:
3645         * dfg/DFGAbstractInterpreterInlines.h:
3646         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3647         * dfg/DFGByteCodeParser.cpp:
3648         (JSC::DFG::ByteCodeParser::parseBlock):
3649         * dfg/DFGCapabilities.cpp:
3650         (JSC::DFG::capabilityLevel):
3651         * dfg/DFGClobberize.h:
3652         (JSC::DFG::clobberize):
3653         * dfg/DFGClobbersExitState.cpp:
3654         (JSC::DFG::clobbersExitState):
3655         * dfg/DFGConstantFoldingPhase.cpp:
3656         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3657         * dfg/DFGDoesGC.cpp:
3658         (JSC::DFG::doesGC):
3659         * dfg/DFGFixupPhase.cpp:
3660         (JSC::DFG::FixupPhase::fixupNode):
3661         * dfg/DFGGraph.cpp:
3662         (JSC::DFG::Graph::dump):
3663         * dfg/DFGHeapLocation.cpp:
3664         (WTF::printInternal):
3665         * dfg/DFGHeapLocation.h:
3666         * dfg/DFGMayExit.cpp:
3667         * dfg/DFGNode.h:
3668         (JSC::DFG::Node::convertToNewPromise):
3669         (JSC::DFG::Node::hasIsInternalPromise):
3670         (JSC::DFG::Node::isInternalPromise):
3671         (JSC::DFG::Node::hasInternalFieldIndex):
3672         (JSC::DFG::Node::internalFieldIndex):
3673         (JSC::DFG::Node::hasHeapPrediction):
3674         (JSC::DFG::Node::hasStructure):
3675         * dfg/DFGNodeType.h:
3676         * dfg/DFGOperations.cpp:
3677         * dfg/DFGOperations.h:
3678         * dfg/DFGPredictionPropagationPhase.cpp:
3679         * dfg/DFGPromotedHeapLocation.cpp:
3680         (WTF::printInternal):
3681         * dfg/DFGPromotedHeapLocation.h:
3682         * dfg/DFGSafeToExecute.h:
3683         (JSC::DFG::SafeToExecuteEdge::operator()):
3684         (JSC::DFG::safeToExecute):
3685         * dfg/DFGSpeculativeJIT.cpp:
3686         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3687         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
3688         (JSC::DFG::SpeculativeJIT::speculate):
3689         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
3690         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
3691         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
3692         (JSC::DFG::SpeculativeJIT::compileNewPromise):
3693         * dfg/DFGSpeculativeJIT.h:
3694         * dfg/DFGSpeculativeJIT32_64.cpp:
3695         (JSC::DFG::SpeculativeJIT::compile):
3696         * dfg/DFGSpeculativeJIT64.cpp:
3697         (JSC::DFG::SpeculativeJIT::compile):
3698         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3699         * dfg/DFGUseKind.cpp:
3700         (WTF::printInternal):
3701         * dfg/DFGUseKind.h:
3702         (JSC::DFG::typeFilterFor):
3703         (JSC::DFG::isCell):
3704         * ftl/FTLAbstractHeapRepository.h:
3705         * ftl/FTLCapabilities.cpp:
3706         (JSC::FTL::canCompile):
3707         * ftl/FTLLowerDFGToB3.cpp:
3708         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3709         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3710         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
3711         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
3712         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
3713         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
3714         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3715         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
3716         * jit/JIT.cpp:
3717         (JSC::JIT::privateCompileMainPass):
3718         (JSC::JIT::privateCompileSlowCases):
3719         * jit/JIT.h:
3720         * jit/JITOperations.cpp:
3721         * jit/JITOperations.h:
3722         * jit/JITPropertyAccess.cpp:
3723         (JSC::JIT::emit_op_get_promise_internal_field):
3724         (JSC::JIT::emit_op_put_promise_internal_field):
3725         * jit/JITPropertyAccess32_64.cpp:
3726         (JSC::JIT::emit_op_get_promise_internal_field):
3727         (JSC::JIT::emit_op_put_promise_internal_field):
3728         * llint/LowLevelInterpreter.asm:
3729         * llint/LowLevelInterpreter32_64.asm:
3730         * llint/LowLevelInterpreter64.asm:
3731         * parser/Parser.cpp:
3732         (JSC::Parser<LexerType>::Parser):
3733         (JSC::Parser<LexerType>::parseFunctionInfo):
3734         * parser/Parser.h:
3735         (JSC::parse):
3736         * parser/ParserModes.h:
3737         * runtime/CommonSlowPaths.cpp:
3738         (JSC::SLOW_PATH_DECL):
3739         * runtime/CommonSlowPaths.h:
3740         * runtime/ConstructAbility.h:
3741         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
3742         * runtime/FunctionRareData.cpp:
3743         (JSC::FunctionRareData::FunctionRareData):
3744         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3745         (JSC::FunctionRareData::clear):
3746         * runtime/FunctionRareData.h:
3747         * runtime/InternalFunction.cpp:
3748         (JSC::InternalFunction::createSubclassStructureSlow):
3749         * runtime/InternalFunction.h:
3750         (JSC::InternalFunction::createSubclassStructure):
3751         * runtime/JSCast.h:
3752         * runtime/JSGlobalObject.cpp:
3753         (JSC::enqueueJob):
3754         (JSC::JSGlobalObject::init):
3755         (JSC::JSGlobalObject::visitChildren):
3756         * runtime/JSGlobalObject.h:
3757         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
3758         (JSC::JSGlobalObject::promiseProtoThenFunction const):
3759         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
3760         * runtime/JSInternalPromise.cpp:
3761         (JSC::JSInternalPromise::createStructure):
3762         * runtime/JSInternalPromiseConstructor.cpp:
3763         (JSC::JSInternalPromiseConstructor::create):
3764         (JSC::JSInternalPromiseConstructor::createStructure):
3765         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
3766         (JSC::constructPromise): Deleted.
3767         * runtime/JSInternalPromiseConstructor.h:
3768         * runtime/JSInternalPromisePrototype.cpp:
3769         (JSC::JSInternalPromisePrototype::create):
3770         * runtime/JSMicrotask.cpp:
3771         (JSC::createJSMicrotask):
3772         (JSC::JSMicrotask::run):
3773         * runtime/JSMicrotask.h:
3774         * runtime/JSPromise.cpp:
3775         (JSC::JSPromise::createStructure):
3776         (JSC::JSPromise::finishCreation):
3777         (JSC::JSPromise::visitChildren):
3778         (JSC::JSPromise::status const):
3779         (JSC::JSPromise::result const):
3780         (JSC::JSPromise::isHandled const):
3781         (JSC::JSPromise::initialize): Deleted.
3782         * runtime/JSPromise.h:
3783         (JSC::JSPromise::allocationSize):
3784         (JSC::JSPromise::offsetOfInternalFields):
3785         (JSC::JSPromise::offsetOfInternalField):
3786         * runtime/JSPromiseConstructor.cpp:
3787         (JSC::JSPromiseConstructor::create):
3788         (JSC::JSPromiseConstructor::createStructure):
3789         (JSC::JSPromiseConstructor::JSPromiseConstructor):
3790         (JSC::JSPromiseConstructor::finishCreation):
3791         (JSC::constructPromise): Deleted.
3792         (JSC::callPromise): Deleted.
3793         * runtime/JSPromiseConstructor.h:
3794         * runtime/JSPromisePrototype.cpp:
3795         (JSC::JSPromisePrototype::create):
3796         (JSC::JSPromisePrototype::finishCreation):
3797         (JSC::JSPromisePrototype::addOwnInternalSlots):
3798         * runtime/JSPromisePrototype.h:
3799         * runtime/JSType.cpp:
3800         (WTF::printInternal):
3801         * runtime/JSType.h:
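
        The following is an added example for points 4 and 5 of the "[JSC] Make Promise implementation
        faster" entry above; it is example code, not JSC code. It shows what a spec-conformant engine
        must keep observable when it takes the `@isPromise(xxx) && then === @then` fast path: as soon
        as user code replaces Promise.prototype.then, resolving a promise with another promise has to
        call the replacement (the spec's NewPromiseResolveThenableJob performs Get(thenable, "then")),
        whereas `Promise.resolve(p)` and `await p` never look `then` up. The harness counts how often a
        patched `then` is invoked on one target promise for four ways of "resolving with a promise".
        `countThenCallsOn`, `scenarios` and `runAll` are names chosen for this example.

```javascript
// Added example (not WebKit/JSC code). Runs under Node.js 12+ or any engine
// that implements PromiseResolve/Await per the current spec.

const builtinThen = Promise.prototype.then;

// Run `op(target)` while Promise.prototype.then is patched, awaiting the result
// so every queued microtask (including the thenable job) has run, and return
// how many times the patched `then` was invoked with `this === target`.
// Counting only calls on `target` keeps the harness's own awaits out of the tally.
async function countThenCallsOn(target, op) {
  let calls = 0;
  Promise.prototype.then = function patchedThen(onFulfilled, onRejected) {
    if (this === target) calls += 1;
    return builtinThen.call(this, onFulfilled, onRejected);
  };
  try {
    await op(target); // `await` uses PerformPromiseThen internally, not Get(then)
  } finally {
    Promise.prototype.then = builtinThen;
  }
  return calls;
}

const scenarios = {
  // A resolving function given a thenable queues NewPromiseResolveThenableJob,
  // which does Get(inner, "then") and calls it: the patched `then` is observed.
  resolveWithPromise: (inner) => new Promise((resolve) => resolve(inner)),
  // PromiseResolve returns `inner` itself when inner.constructor === Promise,
  // so no intermediate promise and no `then` lookup.
  promiseResolve: (inner) => Promise.resolve(inner),
  // `return inner` resolves the async function's promise with a thenable, so
  // `then` is looked up and called (the well-known extra ticks of `return p`).
  asyncReturn: async (inner) => inner,
  // `await inner` goes through PromiseResolve + PerformPromiseThen: no lookup.
  asyncAwait: async (inner) => { await inner; },
};

// Run the scenarios one after another (never concurrently, since they share
// the patched prototype) and collect the per-scenario call counts.
async function runAll() {
  const counts = {};
  for (const [name, op] of Object.entries(scenarios)) {
    counts[name] = await countThenCallsOn(Promise.resolve(42), op);
  }
  return counts;
}

// Usage: runAll().then(console.log);
// -> { resolveWithPromise: 1, promiseResolve: 0, asyncReturn: 1, asyncAwait: 0 }
```

        The two zero cases are exactly where an engine may skip the intermediate promise unconditionally;
        the two one-call cases are where the fast path is only valid while `then` is still the builtin,
        which is what the `then === @then` guard in the entry above checks before it is taken.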
3802
3803 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
3804
3805         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
3806         https://bugs.webkit.org/show_bug.cgi?id=201262
3807         <rdar://problem/13108764>
3808
3809         Reviewed by Devin Rousso.
3810
3811         When interception is enabled, Network requests that match any of the configured
3812         interception patterns will be paused on the backend and allowed to be modified
3813         by the frontend.
3814
3815         Currently the only time a network request can be intercepted is during the
3816         HTTP response. However, this intercepting interface is mean to extend to
3817         HTTP requests as well.
3818
3819         When a response is to be intercepted a new event is sent to the frontend: