7d184414900f02e42aaf11239baae41bc010fda4
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-10-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Place VM* in TLS
        https://bugs.webkit.org/show_bug.cgi?id=202391

        Reviewed by Mark Lam.

        This patch puts VM* in TLS mainly for debugging purpose. In JSLockHolder, we put VM* and save the old VM* in TLS.
        And JSLockHolder's destructor restores it. It is possible that we have two VMs A and B. After locking A, we enter
        B. In this case, when B's lock is released, we should restore TLS to A. We put the old VM* in JSLockHolder::m_previousVMInTLS
        so that we can restore it in JSLockHolder's destructor.

        This patch also cleans up Lock<JSLock> / std::lock_guard<JSLock> usage in JSRunLoopTimer and JSManagedValue by introducing
        JSLockHolder with LockIfVMIsLive tag. Previously, we intentionally used `std::lock_guard<JSLock>` since VM* can be dead
        at these places. JSLockHolder with LockIfVMIsLive handles this case carefully: it locks JSLock when VM* is live.

        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/glib/JSCWeakValue.cpp:
        (jsc_weak_value_get_value):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLockHolder::vm):
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::timerDidFire):
        * runtime/VM.cpp:
        (JSC::VM::initializeTLS):
        * runtime/VM.h:
        (JSC::VM::exchange):
        (JSC::VM::current):
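
The save/restore discipline described in the entry above (publish the VM in TLS on lock, restore the previous value on unlock, so A -> B -> A nests correctly, plus a LockIfVMIsLive variant that does nothing for a dead VM) as an added, self-contained illustration. This is not JavaScriptCore's code: `VM`, `LockHolder`, `g_currentVM` and `isLive` are hypothetical stand-ins for JSC's VM, JSLockHolder and JSLock, and `std::recursive_mutex` stands in for JSLock.

```cpp
#include <cassert>
#include <mutex>
#include <vector>

struct VM;
// The thread-local slot that the entry describes: "VM* in TLS".
static thread_local VM* g_currentVM = nullptr;

// Hypothetical stand-in for JSC::VM.
struct VM {
    std::recursive_mutex lock;   // stand-in for JSLock
    bool isLive = true;          // cleared when the VM has been torn down
    static VM* current() { return g_currentVM; }
    static VM* exchange(VM* vm) { VM* old = g_currentVM; g_currentVM = vm; return old; }
};

// RAII holder: takes the VM's lock, publishes the VM in TLS and remembers the
// previous TLS value so the destructor can restore it (nested A -> B -> A).
class LockHolder {
public:
    struct LockIfVMIsLiveTag {};

    explicit LockHolder(VM& vm) : m_vm(&vm) { enter(); }

    // Only lock when the VM is still alive; otherwise behave as a no-op holder.
    LockHolder(VM* vm, LockIfVMIsLiveTag) : m_vm(vm && vm->isLive ? vm : nullptr) {
        if (m_vm) enter();
    }

    ~LockHolder() {
        if (!m_vm) return;
        VM::exchange(m_previous);   // restore whatever was in TLS before we entered
        m_vm->lock.unlock();
    }

    VM* vm() const { return m_vm; }

private:
    void enter() {
        m_vm->lock.lock();
        m_previous = VM::exchange(m_vm);   // save the old VM* (m_previousVMInTLS in the entry)
    }
    VM* m_vm;
    VM* m_previous = nullptr;
};

// Records VM::current() at each nesting step: null, &a, &b, &a, null.
std::vector<VM*> nestedLockingTrace(VM& a, VM& b) {
    std::vector<VM*> trace;
    trace.push_back(VM::current());
    {
        LockHolder la(a);
        trace.push_back(VM::current());
        {
            LockHolder lb(b);
            trace.push_back(VM::current());
        }
        trace.push_back(VM::current());   // B released: TLS must be back to A
    }
    trace.push_back(VM::current());
    return trace;
}

// LockIfVMIsLive on a dead VM must neither lock nor publish anything in TLS.
bool lockIfLiveSkipsDeadVM(VM& vm) {
    vm.isLive = false;
    bool skipped;
    {
        LockHolder holder(&vm, LockHolder::LockIfVMIsLiveTag{});
        skipped = holder.vm() == nullptr && VM::current() == nullptr;
    }
    vm.isLive = true;
    return skipped;
}
```

The point of keeping the previous pointer in the holder rather than clearing TLS on unlock is visible in the fourth trace entry: without it, releasing B would leave TLS empty while A's lock is still held.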
37
2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>

        [YARR] Properly handle surrogates when matching back references
        https://bugs.webkit.org/show_bug.cgi?id=202041

        Reviewed by Keith Miller.

        This patch is based on a work-in-progress patch by Paulo Matos <pmatos@igalia.com>.

        When handling back references in Unicode patterns, we can't match un-decoded surrogate characters,
        instead we need to read and process surrogate pairs.  Changed matchBackreference() to do this,
        including properly incrementing the back reference pattern and search indexes.

        In support of this change, on X86_64 we needed to free up r10 to be used exclusively for
        "patternIndex".  It was also used as a temp in tryReadUnicodeCharImpl().  Made a new named
        temp register, called unicodeTemp, to take the place of regT2(r10) in tryReadUnicodeCharImpl.
        This new temp is r14 on X86_64 and X5 on ARM64.  To free up r14 on X86_64, changed the
        old leadingSurrogateTag to be a literal.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::matchBackreference):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates): Deleted.

2019-10-01  Keith Miller  <keith_miller@apple.com>

        Add support for the Wasm multi-value proposal
        https://bugs.webkit.org/show_bug.cgi?id=202250

        Reviewed by Saam Barati.

        The wasm multi-value proposal makes two major changes to the
        spec. The first is that functions may now return more than one
        value across calls. When calling to/from JS, if there is more than
        one return type we return/receive a JSArray/Iterable,
        respectively. In the Wasm calls JS case, if the iterable object
        does not vend the exact number of objects expected by the
        signature an error is thrown.

        The second major change in the multi-value proposal allows blocks
        to have any signature type. This works in a backwards compatible
        way by exploiting the fact that the old value-type thunk signatures
        (where the block takes no arguments and returns just the value
        type i.e. [] -> [type]) were always encoded as a negative
        number. If a block has a function signature, it is encoded as a
        positive index into the type section. When a block has a function
        signature type then the values from the enclosing stack are popped
        off that stack and added to the new block's stack. In the case of
        a br/br_if to a Loop block the "argument" values should be on the
        brancher's stack.

        The biggest change in this patch is stripping down the
        WasmCallingConventions file into one simpler API that just tells
        you where each argument should be located. It also now handles
        adding or subtracting sizeof(CallerFrameAndPC) depending on
        whether you are caller or callee. Additionally, when computing
        locations for the callee it returns a B3::ValueRep that has the
        offsetFromFP rather than offsetFromSP. Since the code has been
        cleaned up I tried to also reduce code duplication in the various
        stubs for wasm code. This patch also removes the Air specific
        calling convention code and moves that logic into the Air IR
        generator.

        Since blocks can now have arbitrary signatures the control entries
        now use a const signature* rather than just the return
        type. Additionally, what used to be the result phi is now the phis
        for all the results for non-loop blocks and the arguments for a
        loop block. Due to the control flow restrictions of wasm,
        conveniently we don't have to worry about generating non-optimal
        SSA, thus we can just use phis directly rather than using a
        variable.

        Lastly, to help clean up some code in the IR generators new helper
        methods were added to create call Patchpoints. These helpers do
        most of the boiler-plate initialization.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress):
        * assembler/LinkBuffer.cpp:
        (JSC::shouldDumpDisassemblyFor):
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::callOperation):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callOperation):
        * b3/B3LowerToAir.cpp:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        (JSC::B3::PatchpointSpecial::isValid):
        (JSC::B3::PatchpointSpecial::admitsStack):
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::resultCount const):
        (JSC::B3::Procedure::typeAtOffset const):
        (JSC::B3::Procedure::returnCount const): Deleted.
        * b3/B3StackmapGenerationParams.cpp:
        (JSC::B3::StackmapGenerationParams::code const):
        * b3/B3StackmapGenerationParams.h:
        * b3/B3ValueRep.h:
        * b3/air/AirHelpers.h: Added.
        (JSC::B3::Air::moveForType):
        (JSC::B3::Air::relaxedMoveForType):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::store64FromReg):
        (JSC::AssemblyHelpers::store32FromReg):
        (JSC::AssemblyHelpers::load64ToReg):
        (JSC::AssemblyHelpers::load32ToReg):
        * runtime/JSCConfig.h:
        * runtime/OptionsList.h:
        * tools/JSDollarVM.cpp:
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpValue):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::ConstrainedTmp::operator bool const):
        (JSC::Wasm::TypedTmp::dump const):
        (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
        (JSC::Wasm::AirIRGenerator::ControlData::dump const):
        (JSC::Wasm::AirIRGenerator::ControlData::blockType const):
        (JSC::Wasm::AirIRGenerator::ControlData::signature const):
        (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
        (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
        (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
        (JSC::Wasm::AirIRGenerator::emitCallPatchpoint):
        (JSC::Wasm::AirIRGenerator::validateInst):
        (JSC::Wasm::AirIRGenerator::tmpsForSignature):
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::toB3ResultType):
        (JSC::Wasm::AirIRGenerator::addBottom):
        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
        (JSC::Wasm::AirIRGenerator::addTopLevel):
        (JSC::Wasm::AirIRGenerator::addLoop):
        (JSC::Wasm::AirIRGenerator::addBlock):
        (JSC::Wasm::AirIRGenerator::addIf):
        (JSC::Wasm::AirIRGenerator::addElse):
        (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
        (JSC::Wasm::AirIRGenerator::addReturn):
        (JSC::Wasm::AirIRGenerator::addBranch):
        (JSC::Wasm::AirIRGenerator::addSwitch):
        (JSC::Wasm::AirIRGenerator::endBlock):
        (JSC::Wasm::AirIRGenerator::addCall):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::dumpExpressionStack):
        (JSC::Wasm::AirIRGenerator::dump):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        (JSC::Wasm::AirIRGenerator::ControlData::type const): Deleted.
        (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const): Deleted.
        (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
        (JSC::Wasm::B3IRGenerator::ControlData::dump const):
        (JSC::Wasm::B3IRGenerator::ControlData::blockType const):
        (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const):
        (JSC::Wasm::B3IRGenerator::ControlData::targetBlockForBranch):
        (JSC::Wasm::B3IRGenerator::ControlData::convertIfToBlock):
        (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::framePointer):
        (JSC::Wasm::B3IRGenerator::toB3ResultType):
        (JSC::Wasm::B3IRGenerator::addArguments):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::addTopLevel):
        (JSC::Wasm::B3IRGenerator::addBlock):
        (JSC::Wasm::B3IRGenerator::addIf):
        (JSC::Wasm::B3IRGenerator::addElse):
        (JSC::Wasm::B3IRGenerator::addElseToUnreachable):
        (JSC::Wasm::B3IRGenerator::addReturn):
        (JSC::Wasm::B3IRGenerator::addBranch):
        (JSC::Wasm::B3IRGenerator::addSwitch):
        (JSC::Wasm::B3IRGenerator::endBlock):
        (JSC::Wasm::B3IRGenerator::createCallPatchpoint):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::B3IRGenerator::ControlData::type const): Deleted.
        (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidSignature const): Deleted.
        (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch const): Deleted.
        (JSC::Wasm::B3IRGenerator::createStack): Deleted.
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::didReceiveFunctionData):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallingConvention.cpp:
        (JSC::Wasm::jsCallingConvention):
        (JSC::Wasm::wasmCallingConvention):
        (JSC::Wasm::jscCallingConvention): Deleted.
        (JSC::Wasm::jscCallingConventionAir): Deleted.
        (JSC::Wasm::wasmCallingConventionAir): Deleted.
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallInformation::CallInformation):
        (JSC::Wasm::CallInformation::computeResultsOffsetList):
        (JSC::Wasm::WasmCallingConvention::WasmCallingConvention):
        (JSC::Wasm::WasmCallingConvention::marshallLocationImpl const):
        (JSC::Wasm::WasmCallingConvention::marshallLocation const):
        (JSC::Wasm::WasmCallingConvention::callInformationFor const):
        (JSC::Wasm::JSCallingConvention::JSCallingConvention):
        (JSC::Wasm::JSCallingConvention::marshallLocationImpl const):
        (JSC::Wasm::JSCallingConvention::marshallLocation const):
        (JSC::Wasm::JSCallingConvention::callInformationFor const):
        (JSC::Wasm::CallingConvention::CallingConvention): Deleted.
        (JSC::Wasm::CallingConvention::marshallArgumentImpl const): Deleted.
        (JSC::Wasm::CallingConvention::marshallArgument const): Deleted.
        (JSC::Wasm::CallingConvention::headerSizeInBytes): Deleted.
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const): Deleted.
        (JSC::Wasm::CallingConvention::loadArguments const): Deleted.
        (JSC::Wasm::CallingConvention::setupCall const): Deleted.
        (JSC::Wasm::CallingConventionAir::CallingConventionAir): Deleted.
        (JSC::Wasm::CallingConventionAir::prologueScratch const): Deleted.
        (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const): Deleted.
        (JSC::Wasm::CallingConventionAir::marshallArgument const): Deleted.
        (JSC::Wasm::CallingConventionAir::headerSizeInBytes): Deleted.
        (JSC::Wasm::CallingConventionAir::loadArguments const): Deleted.
        (JSC::Wasm::CallingConventionAir::setupCall const): Deleted.
        (JSC::Wasm::nextJSCOffset): Deleted.
        * wasm/WasmFormat.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::splitStack):
        (JSC::Wasm::FunctionParser::signature const):
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmInstance.h:
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::getPinnedRegisters):
        * wasm/WasmOMGForOSREntryPlan.cpp:
        (JSC::Wasm::OMGForOSREntryPlan::work):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmParser.h:
        (JSC::Wasm::FailureHelper::makeString):
        (JSC::Wasm::Parser<SuccessType>::Parser):
        (JSC::Wasm::Parser<SuccessType>::peekInt7):
        (JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
        (JSC::Wasm::Parser<SuccessType>::parseValueType):
        (JSC::Wasm::Parser<SuccessType>::parseResultType): Deleted.
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseStart):
        * wasm/WasmSectionParser.h:
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::Signature::toString const):
        (JSC::Wasm::Signature::dump const):
        (JSC::Wasm::computeHash):
        (JSC::Wasm::Signature::hash const):
        (JSC::Wasm::Signature::tryCreate):
        (JSC::Wasm::SignatureInformation::SignatureInformation):
        (JSC::Wasm::ParameterTypes::hash):
        (JSC::Wasm::ParameterTypes::equal):
        (JSC::Wasm::ParameterTypes::translate):
        (JSC::Wasm::SignatureInformation::signatureFor):
        (JSC::Wasm::SignatureInformation::adopt): Deleted.
        * wasm/WasmSignature.h:
        (JSC::Wasm::Signature::Signature):
        (JSC::Wasm::Signature::allocatedSize):
        (JSC::Wasm::Signature::returnCount const):
        (JSC::Wasm::Signature::returnType const):
        (JSC::Wasm::Signature::returnsVoid const):
        (JSC::Wasm::Signature::argument const):
        (JSC::Wasm::Signature::operator== const):
        (JSC::Wasm::Signature::getReturnType):
        (JSC::Wasm::Signature::getArgument):
        (JSC::Wasm::SignatureHash::SignatureHash):
        (JSC::Wasm::SignatureHash::equal):
        (JSC::Wasm::SignatureInformation::thunkFor const):
        (JSC::Wasm::Signature::returnType): Deleted.
        (JSC::Wasm::Signature::argument): Deleted.
        * wasm/WasmStreamingParser.cpp:
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        * wasm/WasmStreamingParser.h:
        (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
        (JSC::Wasm::StreamingParser::reportError):
        (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): Deleted.
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::ControlData::ControlData):
        (JSC::Wasm::Validate::ControlData::dump const):
        (JSC::Wasm::Validate::ControlData::blockType const):
        (JSC::Wasm::Validate::ControlData::signature const):
        (JSC::Wasm::Validate::ControlData::branchTargetArity const):
        (JSC::Wasm::Validate::ControlData::branchTargetType const):
        (JSC::Wasm::Validate::fail const):
        (JSC::Wasm::Validate::addTableGet):
        (JSC::Wasm::Validate::addTableGrow):
        (JSC::Wasm::Validate::addTableFill):
        (JSC::Wasm::Validate::addRefIsNull):
        (JSC::Wasm::Validate::addTopLevel):
        (JSC::Wasm::splitStack):
        (JSC::Wasm::Validate::addBlock):
        (JSC::Wasm::Validate::addLoop):
        (JSC::Wasm::Validate::addIf):
        (JSC::Wasm::Validate::addElseToUnreachable):
        (JSC::Wasm::Validate::addReturn):
        (JSC::Wasm::Validate::checkBranchTarget):
        (JSC::Wasm::Validate::addSwitch):
        (JSC::Wasm::Validate::addGrowMemory):
        (JSC::Wasm::Validate::addEndToUnreachable):
        (JSC::Wasm::Validate::addCall):
        (JSC::Wasm::Validate::addCallIndirect):
        (JSC::Wasm::Validate::unify):
        (JSC::Wasm::Validate::ControlData::hasNonVoidSignature const): Deleted.
        (JSC::Wasm::Validate::ControlData::type const): Deleted.
        (JSC::Wasm::Validate::ControlData::branchTargetSignature const): Deleted.
        * wasm/generateWasmOpsHeader.py:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::boxWasmResult):
        (JSC::Wasm::allocateResultsArray):
        (JSC::Wasm::marshallJSResult):
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSToWasm.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::useTagRegisters const):
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
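
The block-signature encoding the multi-value entry above relies on (a negative number means the old `[] -> [type]` thunk, a non-negative number is an index into the type section, and a block with parameters pops those values off the enclosing stack onto its own) as an added worked example. This is not JavaScriptCore's parser: `decodeS33`, `parseBlockSignature`, `splitStackForBlock` and the `Signature`/`ValType` types are hypothetical stand-ins written for this illustration. It follows the wasm binary format, where the block type is a signed 33-bit LEB128 and the single-byte codes 0x40/0x7F/0x7E/0x7D/0x7C decode to -64/-1/-2/-3/-4. The two validation failures a decoder must reject, a truncated or overlong LEB128 and an index past the end of the type section, are handled explicitly.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

enum class ValType : uint8_t { I32 = 0x7F, I64 = 0x7E, F32 = 0x7D, F64 = 0x7C };

struct Signature {
    std::vector<ValType> params;
    std::vector<ValType> results;
};

struct BlockSignature {
    Signature sig;          // resolved signature of the block
    bool fromTypeIndex;     // true when encoded as a type-section index
    size_t bytesRead;       // how many bytes the block type occupied
};

// Decode a signed LEB128 of at most 33 bits at data[pos]. Returns nullopt when the
// bytes run out or the encoding is longer than 5 bytes.
static std::optional<int64_t> decodeS33(const std::vector<uint8_t>& data, size_t pos, size_t& bytesRead) {
    int64_t result = 0;
    unsigned shift = 0;
    size_t i = pos;
    while (true) {
        if (i >= data.size() || shift > 28) return std::nullopt;
        uint8_t byte = data[i++];
        result |= int64_t(byte & 0x7F) << shift;
        shift += 7;
        if (!(byte & 0x80)) {
            if (byte & 0x40) result |= -(int64_t(1) << shift);   // sign-extend
            break;
        }
    }
    bytesRead = i - pos;
    return result;
}

// Resolve the block type at code[pos] against the module's type section.
std::optional<BlockSignature> parseBlockSignature(const std::vector<uint8_t>& code, size_t pos,
                                                  const std::vector<Signature>& typeSection,
                                                  std::string& error) {
    size_t n = 0;
    std::optional<int64_t> raw = decodeS33(code, pos, n);
    if (!raw) { error = "truncated or overlong block type"; return std::nullopt; }
    BlockSignature out{ {}, false, n };
    if (*raw < 0) {
        // Legacy thunk form: the low 7 bits are the original single-byte code.
        switch (*raw & 0x7F) {
        case 0x40: break;                                        // [] -> []
        case 0x7F: out.sig.results = { ValType::I32 }; break;    // [] -> [i32]
        case 0x7E: out.sig.results = { ValType::I64 }; break;
        case 0x7D: out.sig.results = { ValType::F32 }; break;
        case 0x7C: out.sig.results = { ValType::F64 }; break;
        default: error = "unknown value type in block signature"; return std::nullopt;
        }
        return out;
    }
    // Function-signature form: bounds-check the index before touching the table.
    if (uint64_t(*raw) >= typeSection.size()) { error = "block type index out of range"; return std::nullopt; }
    out.sig = typeSection[size_t(*raw)];
    out.fromTypeIndex = true;
    return out;
}

// Entering a block with parameters: the enclosing operand stack must hold values of
// the parameter types on top; they move onto the new block's stack.
bool splitStackForBlock(std::vector<ValType>& enclosing, const Signature& sig, std::vector<ValType>& blockStack) {
    if (enclosing.size() < sig.params.size()) return false;
    size_t start = enclosing.size() - sig.params.size();
    for (size_t i = 0; i < sig.params.size(); ++i)
        if (enclosing[start + i] != sig.params[i]) return false;
    blockStack.assign(enclosing.begin() + start, enclosing.end());
    enclosing.erase(enclosing.begin() + start, enclosing.end());
    return true;
}
```

The same validator shape generalises to `loop` and `if`: only the branch-target arity differs (a loop's targets see the parameters, a block's targets see the results), which is why the entry replaces the single result type on the control entry with a full signature pointer.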
371
2019-09-30  Alex Christensen  <achristensen@webkit.org>

        Resurrect Mac CMake build
        https://bugs.webkit.org/show_bug.cgi?id=202384

        Rubber-stamped by Tim Horton.

        * PlatformMac.cmake:

2019-09-30  Alex Christensen  <achristensen@webkit.org>

        Rename JSTokenType::EXPORT to EXPORT_ to avoid naming conflict with internal header
        https://bugs.webkit.org/show_bug.cgi?id=202385

        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/ParserTokens.h:

2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>

        Make assertion in JSObject::putOwnDataProperty more precise
        https://bugs.webkit.org/show_bug.cgi?id=202379
        <rdar://problem/49515980>

        Reviewed by Yusuke Suzuki.

        Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
        too conservative. All we need to prove is that the property being inserted either does not exist
        in the target object or is neither an accessor nor read-only.

        * runtime/JSObject.h:
        (JSC::JSObject::putOwnDataProperty): Deleted.
        (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::validatePutOwnDataProperty):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):

2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
        https://bugs.webkit.org/show_bug.cgi?id=202389
        <rdar://problem/50717564>

        Reviewed by Mark Lam.

        While we are protecting HeapSnapshotBuilder::m_edges with a lock, we are not protecting m_rootData, which is also concurrently modified.
        This patch protects it.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):

2019-09-30  Saam Barati  <sbarati@apple.com>

        Inline caching is wrong for custom accessors and custom values
        https://bugs.webkit.org/show_bug.cgi?id=201994
        <rdar://problem/50850326>

        Reviewed by Yusuke Suzuki.

        There was an oversight in our inline caching code for custom accessors and
        custom values. We used to assume that if an object O had a custom function for
        property P, then O will forever respond to the same custom function for
        property P.

        This assumption was very wrong. These custom accessors/values might be
        properties in JS which are configurable, so they can be rewritten to be
        other properties. Our inline caching code would be wrong in the scenarios
        where these property descriptors got redefined.

        This patch makes it so that we now properly watchpoint for custom functions
        being changed. If the custom accessor has been materialized, we place an
        Equivalence watchpoint on the custom accessor. This patch also teaches
        StructureStubInfo how to watchpoint on property value equivalence. Before,
        we just watchpointed on structure transitions.

        This patch also adds a new property condition kind for when the custom function
        exists inside the static property table. This case is really easy to test for
        because we just need to see if the structure still has static properties and
        the static property table has the entry for a particular property. This
        property condition kind just needs to watch for structure transitions because
        an entry in the static property table can't be mutated.

        This patch is neutral on the microbenchmarks I've added.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::couldStillSucceed const):
        (JSC::AccessCase::generateImpl):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::customFunctionEquivalence):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolyProtoAccessChain.cpp:
        (JSC::PolyProtoAccessChain::create):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::installWatchpoint):
        (JSC::PolymorphicAccess::commit):
        (JSC::AccessGenerationState::addWatchpoint): Deleted.
        * bytecode/PolymorphicAccess.h:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::customFunctionEquivalence):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal):
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndInstallWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
        (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire):
        (JSC::StructureStubClearingWatchpoint::fireInternal): Deleted.
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        * runtime/ClassInfo.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::findPropertyHashEntry const):
        * runtime/JSObject.h:
        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
        * runtime/Structure.cpp:
        (JSC::Structure::findPropertyHashEntry const):
        * runtime/Structure.h:
        * tools/JSDollarVM.cpp:
        (JSC::testStaticAccessorGetter):
        (JSC::testStaticAccessorPutter):
        (JSC::StaticCustomAccessor::StaticCustomAccessor):
        (JSC::StaticCustomAccessor::createStructure):
        (JSC::StaticCustomAccessor::create):
        (JSC::StaticCustomAccessor::getOwnPropertySlot):
        (JSC::functionCreateStaticCustomAccessor):
        (JSC::JSDollarVM::finishCreation):

2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
        https://bugs.webkit.org/show_bug.cgi?id=202382
        <rdar://problem/52669112>

        Reviewed by Saam Barati.

        If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments,
        we fold it to constant False. But this is wrong since `false == 0` is true in JS.
        This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types
        if one of them is seen.

        * bytecode/SpeculatedType.cpp:
        (JSC::leastUpperBoundOfEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
538 2019-09-28  Adrian Perez de Castro  <aperez@igalia.com>
539
540         [GTK][WPE] Fix non-unified build issue caused by r250440
541         https://bugs.webkit.org/show_bug.cgi?id=202349
542
543         Reviewed by Mark Lam.
544
545         * dfg/DFGOSRExit.cpp: Add missing inclusion of the BytecodeUseDef.h header.
546
547 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
548
549         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
550         https://bugs.webkit.org/show_bug.cgi?id=202330
551
552         Reviewed by Saam Barati.
553
554         In toLocaleLowerCase and toLocaleUpperCase, we get `const String&` from JSString* and use it.
555         But if this string is newly created one in toLocaleLowerCase and toLocaleUpperCase (like, passing a number, and number.toString() is called
556         in C++), after getting `const String&`, our C++ code potentially does not have any reference to the owner of this `const String&`. So, this
557         JSString* can be collected by GC, while `const String&` is used. This makes `const String&` destroyed, and causes crash.
558
559         In this patch, we receive it as `String` instead of `const String&` to ref it. This ensures that this string is live even if the owner is collected.
560         I grepped the source code and make this changes conservatively to places which looks dangerous. And I added error checks more after calling `value(exec)`.
561
562         In this patch, I didn't introduce the change like that: `JSString::value(ExecState*)` returns `String` instead of `const String&`. Some of places are
563         really performance sensitive and we want to use the current behavior when we can ensure the owners are alive. We could figure out these points, and we
564         can change the default behavior of `JSString::value` function to returning `String`. But for now, I plan it as a future work.
565
566         * dfg/DFGOperations.cpp:
567         * jsc.cpp:
568         (GlobalObject::moduleLoaderImportModule):
569         * runtime/DateConstructor.cpp:
570         (JSC::constructDate):
571         * runtime/JSCJSValueInlines.h:
572         (JSC::JSValue::equalSlowCaseInline):
573         * runtime/RegExpMatchesArray.h:
574         (JSC::createRegExpMatchesArray):
575         * runtime/StringPrototype.cpp:
576         (JSC::toLocaleCase):
577         (JSC::stringProtoFuncToLocaleLowerCase):
578         (JSC::stringProtoFuncToLocaleUpperCase):
579         * tools/JSDollarVM.cpp:
580         (JSC::functionCreateBuiltin):
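
The lifetime hazard in the JSString::value entry above (a borrowed `const String&` into a cell that GC can collect while the reference is still in use, versus taking a `String` by value so the ref count keeps the buffer alive) as an added worked example. This is not JavaScriptCore or WTF code: `String`, `JSStringCell` and `Heap` are hypothetical stand-ins, with `std::shared_ptr<const std::string>` playing the ref-counted WTF::String. So that the example can run without undefined behaviour, the model heap does not free collected cells; it poisons them by resetting their value, which makes the use-after-collect observable instead of a crash.

```cpp
#include <algorithm>
#include <cctype>
#include <memory>
#include <string>
#include <vector>

// Ref-counted immutable string, standing in for WTF::String.
using String = std::shared_ptr<const std::string>;

// Stand-in for JSString: a GC cell owning one String.
struct JSStringCell {
    String m_value;
    const String& valueRef() const { return m_value; }   // like `const String&` value(): borrows, no ref taken
    String value() const { return m_value; }             // like returning `String`: ref count + 1
};

class Heap {
public:
    JSStringCell* allocate(std::string s) {
        auto cell = std::make_unique<JSStringCell>();
        cell->m_value = std::make_shared<const std::string>(std::move(s));
        m_cells.push_back(std::move(cell));
        return m_cells.back().get();
    }

    // "Collect" every cell not listed in roots. Collected cells are quarantined and
    // poisoned (value reset) rather than freed, so a stale reference reads null instead
    // of freed memory; a real GC would release the storage.
    void collect(const std::vector<JSStringCell*>& roots) {
        for (auto& cell : m_cells) {
            if (std::find(roots.begin(), roots.end(), cell.get()) == roots.end())
                cell->m_value.reset();
        }
    }

private:
    std::vector<std::unique_ptr<JSStringCell>> m_cells;
};

static std::string toLower(const std::string& in) {
    std::string out(in);
    for (char& c : out) c = char(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

// The pattern the patch removes: borrow a const String& from the cell, then run code
// that can trigger GC (modelled by collect() with no roots). The borrow outlives its owner.
std::string lowerCaseHoldingReference(Heap& heap, JSStringCell* cell) {
    const String& borrowed = cell->valueRef();
    heap.collect({});                       // nothing roots the cell: it is collected here
    if (!borrowed) return "<use-after-free detected>";   // poisoned slot; a real GC would have freed it
    return toLower(*borrowed);
}

// The hardened form: take the String by value before anything that can GC. The copy
// holds a reference, so the buffer survives even though the owning cell is collected.
std::string lowerCaseHoldingValue(Heap& heap, JSStringCell* cell) {
    String owned = cell->value();
    heap.collect({});
    return toLower(*owned);
}

// Reference count visible from the caller after collection: the buffer lives on.
long referencesAfterCollect(Heap& heap, JSStringCell* cell) {
    String owned = cell->value();
    heap.collect({});
    return owned.use_count();
}
```

The cost the entry weighs against this fix is exactly the `use_count` increment: in hot paths where the owner is provably rooted the borrow is safe and cheaper, which is why the patch changes call sites rather than the return type of `value()` itself.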
581
582 2019-09-27  Keith Miller  <keith_miller@apple.com>
583
584         OSR exit shouldn't bother updating get_by_id array profiles that have changed modes
585         https://bugs.webkit.org/show_bug.cgi?id=202324
586         <rdar://problem/52669110>
587
588         Reviewed by Yusuke Suzuki.
589
590         This is an optimization that avoids polluting the array profile.
591
592         * dfg/DFGOSRExit.cpp:
593         (JSC::DFG::OSRExit::executeOSRExit):
594         (JSC::DFG::OSRExit::compileExit):
595
596 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
597
598         Non-standard Error properties should not be enumerable
599         https://bugs.webkit.org/show_bug.cgi?id=198975
600
601         Reviewed by Ross Kirsling.
602
603         Define non-standard Error properties "line", "column", and "sourceURL" as non-enumerable to match other engines.
604
605         * runtime/ErrorInstance.cpp:
606         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
607
608 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
611         https://bugs.webkit.org/show_bug.cgi?id=202299
612         <rdar://problem/52669116>
613
614         Reviewed by Saam Barati.
615
616         When converting a recursive-tail-call to a jump to the upper call frame, we picked a call-frame which is spread by LoadVarargs.
617         This is wrong since this call-frame does not know the exact number of arguments. We are using InlineCallFrame::argumentCountIncludingThis,
618         but this is the maximal argumentCountIncludingThis when the InlineCallFrame is a Varargs call-frame. Let's see a simple example.
619
620             'use strict';
621             var count = 0;
622             function foo() {
623                 count--;
624                 if (count === 0)
625                     return 30;
626                 return foo(42, 42); // HERE
627             }
628
629             function test() {
630                 count = 100;
631                 return foo(...[42, 42]); // THERE
632             }
633             noInline(test);
634
635         In the above case, currently, we convert HERE's foo call to a jump to the prologue of the foo function inlined by "test". But since foo is called
636         in a varargs form, "test" emits LoadVarargs, and it also emits `SetArgumentMaybe` for the 1st and 2nd arguments. Since HERE's foo call is actually passing
637         two arguments, we emit a Phi node whose Upsilon is from SetArgumentMaybe and the 42 Constant. This is wrong since SetArgumentMaybe should not be used. Later,
638         the SSA conversion phase emits an Upsilon with SetArgumentMaybe, and since SetArgumentMaybe is simply removed in the SSA conversion phase, it ends up emitting
639         an Upsilon without a child.
640
641         We are currently only performing recursive-tail-call optimization when the argument count matches. Given this condition, we should not pick a varargs CallFrame
642         as a jump target.
643
644         * dfg/DFGByteCodeParser.cpp:
645         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
646         * dfg/DFGSSAConversionPhase.cpp:
647         (JSC::DFG::SSAConversionPhase::run):
648
649 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
650
651         toExponential, toFixed, and toPrecision should allow arguments up to 100
652         https://bugs.webkit.org/show_bug.cgi?id=199163
653
654         Reviewed by Ross Kirsling.
655
656         Previously, the spec gave a fixed range of [0,20] for Number.prototype.{toExponential,toFixed} argument and
657         range of [1,21] for Number.prototype.toPrecision argument, but allowed implementations to permit a larger range.
658         Historically, only SpiderMonkey accepted a larger range, and other implementations threw a RangeError outside the range.
659         Later the spec was changed (see https://github.com/tc39/ecma262/pull/857) to specify the SpiderMonkey behavior.
660
661         * runtime/NumberPrototype.cpp:
662         (JSC::numberProtoFuncToExponential): Accept arguments between 0 and 100.
663         (JSC::numberProtoFuncToFixed): Accept arguments between 0 and 100.
664         (JSC::numberProtoFuncToPrecision): Accept arguments between 1 and 100.
665         (JSC::getIntegerArgumentInRange): Inline to improve readability.
666
667 2019-09-26  Mark Lam  <mark.lam@apple.com>
668
669         We need to initialize the Gigacage first in setJITEnabled() when disabling the JIT.
670         https://bugs.webkit.org/show_bug.cgi?id=202257
671
672         Reviewed by Saam Barati.
673
674         Because of an OS quirk, even after the JIT region has been unmapped, the OS thinks
675         that region is reserved, and as such, can cause Gigacage allocation to fail.  We
676         work around this by initializing the Gigacage first.
677
678         Note: when called, setJITEnabled() is always called extra early in the process
679         bootstrap.  Under normal operation (when setJITEnabled() isn't called at all), we
680         will naturally initialize the Gigacage before we allocate the JIT region.
681         Hence, this workaround is merely ensuring the same behavior of allocation ordering.
682
683         This patch only applies to iOS.
684
685         * jit/ExecutableAllocator.cpp:
686         (JSC::ExecutableAllocator::setJITEnabled):
687
688 2019-09-25  Guillaume Emont  <guijemont@igalia.com>
689
690         testapi: slow devices need more time before watchdog fires
691         https://bugs.webkit.org/show_bug.cgi?id=202149
692
693         Reviewed by Mark Lam.
694
695         In testExecutionTimeLimit(), the time that we leave for the watchdog
696         to fire is often not enough on (slower) arm and mips devices, creating
697         a testapi failure.
698         This change also skips FTL-specific testing when FTL is disabled.
699
700         * API/tests/ExecutionTimeLimitTest.cpp:
701         (testExecutionTimeLimit):
702
703 2019-09-24  Christopher Reid  <chris.reid@sony.com>
704
705         [WinCairo] Start RemoteInspectorServer
706         https://bugs.webkit.org/show_bug.cgi?id=199938
707         <rdar://problem/53323048>
708
709         Reviewed by Fujii Hironori.
710
711         * inspector/remote/socket/RemoteInspectorSocket.cpp:
712         * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:
713           - Fixed some network byte order issues
714           - Need to check for POLLHUP in isReadable as closed windows sockets don't have POLLIN set
715
716 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
717
718         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
719         https://bugs.webkit.org/show_bug.cgi?id=154376
720
721         Reviewed by Ross Kirsling.
722
723         * runtime/ProxyObject.cpp:
724         (JSC::ProxyObject::performInternalMethodGetOwnProperty): Remove resolved FIXME comments.
725
726 2019-09-24  Alexey Proskuryakov  <ap@apple.com>
727
728         JavaScriptCore (still) doesn't unlock the engineering keychain
729         https://bugs.webkit.org/show_bug.cgi?id=202123
730
731         Reviewed by Dan Bernstein.
732
733         Unlike WebKit, JavaScriptCore only defines CODE_SIGN_IDENTITY in ToolExecutable
734         configuration, not in DebugRelease. As a result, it's not defined when running
735         the script for Unlock Keychain phase.
736
737         Fix this by moving CODE_SIGN_IDENTITY to DebugRelease configuration, matching
738         WebKit. As a result, we are now using consistent signing options in all targets.
739
740         * Configurations/DebugRelease.xcconfig:
741         * Configurations/ToolExecutable.xcconfig:
742         When moving, removed a special case for Production, as that's never used with
743         DebugRelease (also, the Profile case was incorrect).
744
745 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
746
747         [BigInt] Add ValueBitRShift into DFG
748         https://bugs.webkit.org/show_bug.cgi?id=192663
749
750         Reviewed by Robin Morisset.
751
752         We are introducing a new node called ValueBitRShift that is
753         responsible for handling speculation of `UntypedUse` and `BigIntUse` during
754         DFG. Following the approach of other bitwise operations, we
755         now have 2 nodes to handle the ">>" operator during JIT, mainly because
756         of the introduction of BigInt, which makes this operator result in
757         Int32 or BigInt. We renamed `BitRShift` to `ArithBitRShift` and such
758         a node handles Integer and Number speculation and can only return
759         Int32 values.
760
761         * bytecode/BytecodeList.rb:
762         * bytecode/CodeBlock.cpp:
763         (JSC::CodeBlock::finishCreation):
764         * bytecode/Opcode.h:
765
766         Adding ValueProfile support to `op_rshift` to be used during
767         prediction propagation.
768
769         * dfg/DFGAbstractInterpreterInlines.h:
770         (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
771         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
772
773         Adding support to still do constant propagation of ValueBitRShift when
774         it is `UntypedUse`.
775
776         * dfg/DFGBackwardsPropagationPhase.cpp:
777         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
778         (JSC::DFG::BackwardsPropagationPhase::propagate):
779         * dfg/DFGByteCodeParser.cpp:
780         (JSC::DFG::ByteCodeParser::parseBlock):
781         * dfg/DFGClobberize.h:
782         (JSC::DFG::clobberize):
783         * dfg/DFGDoesGC.cpp:
784         (JSC::DFG::doesGC):
785
786         `ValueBitRshift` can trigger GC when it is `BigIntUse` because the
787         operation `JSBigInt::signedRightShift` potentially allocates new
788         JSBigInts. It also can trigger GC when it is `UntypedUse` because it
789         can execute arbitrary code.
790
791         * dfg/DFGFixupPhase.cpp:
792         (JSC::DFG::FixupPhase::fixupNode):
793
794         The fixup rule of `ValueBitRShift` checks if it should fixup for
795            `BigIntUse` or `UntypedUse`. If those checks fail, we fall back to
796         `ArithBitRShift`.
797
798         * dfg/DFGNode.h:
799         (JSC::DFG::Node::hasNumericResult):
800         (JSC::DFG::Node::hasHeapPrediction):
801         * dfg/DFGNodeType.h:
802         * dfg/DFGOperations.cpp:
803         * dfg/DFGOperations.h:
804         * dfg/DFGPredictionPropagationPhase.cpp:
805
806         We are using the same rule used by `ValueBitLShift` to propagate
807            types. We try to propagate the type based on the operation's input, but
808            fall back to `getHeapPrediction()` if this is not possible.
809
810         * dfg/DFGSafeToExecute.h:
811         (JSC::DFG::safeToExecute):
812         * dfg/DFGSpeculativeJIT.cpp:
813         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
814         (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
815         (JSC::DFG::SpeculativeJIT::compileShiftOp):
816         * dfg/DFGSpeculativeJIT.h:
817         (JSC::DFG::SpeculativeJIT::shiftOp):
818         * dfg/DFGSpeculativeJIT32_64.cpp:
819         (JSC::DFG::SpeculativeJIT::compile):
820         * dfg/DFGSpeculativeJIT64.cpp:
821         (JSC::DFG::SpeculativeJIT::compile):
822         * dfg/DFGStrengthReductionPhase.cpp:
823         (JSC::DFG::StrengthReductionPhase::handleNode):
824         * ftl/FTLCapabilities.cpp:
825         (JSC::FTL::canCompile):
826         * ftl/FTLLowerDFGToB3.cpp:
827         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
828         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
829         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift):
830         (JSC::FTL::DFG::LowerDFGToB3::compileBitRShift): Deleted.
831         * llint/LowLevelInterpreter64.asm:
832         * runtime/CommonSlowPaths.cpp:
833         (JSC::SLOW_PATH_DECL):
834
835 2019-09-24  Mark Lam  <mark.lam@apple.com>
836
837         Refactor cellSize() out of VMInspector::verifyCellSize().
838         https://bugs.webkit.org/show_bug.cgi?id=202132
839
840         Reviewed by Saam Barati.
841
842         * CMakeLists.txt:
843         * JavaScriptCore.xcodeproj/project.pbxproj:
844         * runtime/CellSize.h: Added.
845         (JSC::isDynamicallySizedType):
846         (JSC::cellSize):
847         * runtime/DirectArguments.h:
848         * runtime/JSBigInt.h:
849         * runtime/JSModuleNamespaceObject.h:
850         * runtime/JSType.h:
851         (JSC::isDynamicallySizedType): Deleted.
852         * tools/VMInspectorInlines.h:
853         (JSC::VMInspector::verifyCellSize):
854
855 2019-09-23  Mark Lam  <mark.lam@apple.com>
856
857         Introducing Integrity audit functions.
858         https://bugs.webkit.org/show_bug.cgi?id=202085
859
860         Reviewed by Saam Barati.
861
862         This patch's main goal is to introduce the Integrity audit functions.  They can
863         be used wherever we want to audit a cell to probabilistically ensure it is not
864         corrupted.  However, to keep this patch small, we will only introduce the audit
865         tool here with one example use in SlotVisitor.  We'll follow up later with more
866         patches to deploy this tool throughout the VM.
867
868         1. Introduced Integrity audit functions that can be configured at several
869            AuditLevels:
870                None - don't do any audits.
871                Minimal - do a minimal quick audit (minimize perf impact).
872                Full - do a full audit of the many aspects of a cell.
873                Random - randomly do a full audit with a probability dictated by
874                     Options::randomIntegrityAuditRate() between 0.0 (never audit) and
875                     1.0 (audit at every chance).
876
877            The default AuditLevel for Debug builds is Random.
878            The default AuditLevel for Release builds is None.
879            The default Options::randomIntegrityAuditRate() is 0.05.
880
881            How do full audits work?
882            ========================
883            The full audit uses the VMInspector::verifyCell() template function to do its
884            job.  The reason for keeping this separate is to allow the template function
885            to be used later for debug checks that want to take some custom action on
886            verification failure instead of crashing with a RELEASE_ASSERT.
887
888            Full audit of a cell pointer includes:
889            a. Verify that a cell designated as a LargeAllocation is in the heap's
890               set of LargeAllocations.
891
892            b. Verify that a cell not designated as a LargeAllocation is actually in its
893               MarkedBlock's bounds.
894
895            c. Verify that the cell's container (LargeAllocation / MarkedBlock) actually
896               belongs to the current VM.
897
898            d. Verify that a cell in a MarkedBlock is properly aligned on the block's
899               allocation unit size.
900
901            e. If the cell is not an ImmutableButterfly, verify that it is not located in
902               the Gigacage.
903
904            f. Verify that the cell's JSType matches its StructureBlob's JSType.
905
906            g. Verify that the cell size as dictated by the cell ClassInfo does not exceed
907               the size of the allocation unit size (as expected by the container
908               MarkedBlock or LargeAllocation).
909
910               Some cells are dynamically sized (see isDynamicallySizedType()).  For these
911               cells, we compute their sizes and verify that the size does not exceed the
912               allocation unit size.  Their sizes should also be greater than or equal to the
913               static cell size as dictated by their ClassInfo.
914
915            h. If a cell has a butterfly, verify that the butterfly is in the JSValue
916               Gigacage.
917
918            We can add more verifications later, or make some of these more robust, but this
919            is a start for now.
920
921            How do random audits work?
922            ==========================
923            Random audits are triggered by the m_triggerBits bits in VM::m_integrityRandom.
924            m_triggerBits is a 64-bit bitfield.
925
926            If Options::randomIntegrityAuditRate() is 0, m_triggerBits will always be 0,
927            and no audits will be done.
928
929            If Options::randomIntegrityAuditRate() is non-zero, m_triggerBits will be
930            initialized as follows:
931
932                 | 1 reload bit | ... 63 trigger bits ... |
933
934            The reload bit is always set (more details below).
935            Each of the 63 trigger bits is randomly set depending on whether the following is true
936            for the bit:
937
938                 VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX
939
940            When Integrity::auditCell() is called, we take the bottom bit as the trigger
941            bit for the current cell, and shift the rest down by 1.
942
943            If m_triggerBits is non-null after the shift, the taken trigger bit will dictate
944            whether we do a full audit on the current cell or not.
945
946            Once the reload bit reaches the bottom, we call a reload function to
947            re-initialize m_triggerBits.  The reload function also returns a bool
948            indicating whether to trigger a full audit of the current cell.
949
950            With this scheme, we only need to call the reload function once every 64 calls
951            to Integrity::auditCell(), and can efficiently determine whether to trigger
952            the audit the other 63 times with the probability specified in
953            Options::randomIntegrityAuditRate().
954
955         2. Embedded the C++ class size of JSCells into their ClassInfo.  This is used in
956            the full audits to verify cell sizes.
957
958         3. Added isDynamicallySizedType() to check if a JSType has a dynamically sized allocation,
959            i.e. the size of instances of this type is not determined by the static C++
960            size of its class, but rather, depends on some runtime variable.
961
962         4. Made the VMInspector a friend of several classes so that it can access their
963            private methods and fields.
964
965         5. Moved the inline function JSBigInt::allocationSize() from BigInt.cpp to its
966            header file so that we can use it in VMInspector::verifyCellSize().
967
968         6. Gave the JSModuleNamespaceObject() its own JSType so that we can identify it
969            as a dynamically sized object.
970
971         7. Increased the randomness of VM::random() (which is implemented with WeakRandom)
972            by re-seeding it with a cryptographically random number each GC.
973
974         8. Called Integrity::auditCell() on SlotVisitor::appendJSCellOrAuxiliary()'s cell
975            as an example use of auditCell().  More uses will be added in later patches to
976            follow.
977
978         * CMakeLists.txt:
979         * JavaScriptCore.xcodeproj/project.pbxproj:
980         * Sources.txt:
981         * heap/Heap.cpp:
982         (JSC::Heap::runBeginPhase):
983         * heap/SlotVisitor.cpp:
984         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
985         * runtime/ClassInfo.h:
986         * runtime/DirectArguments.h:
987         * runtime/JSBigInt.cpp:
988         (JSC::JSBigInt::allocationSize): Deleted.
989         * runtime/JSBigInt.h:
990         (JSC::JSBigInt::allocationSize):
991         * runtime/JSModuleNamespaceObject.h:
992         * runtime/JSType.cpp:
993         (WTF::printInternal):
994         * runtime/JSType.h:
995         (JSC::isDynamicallySizedType):
996         * runtime/Options.cpp:
997         (JSC::recomputeDependentOptions):
998         * runtime/OptionsList.h:
999         * runtime/Structure.h:
1000         * runtime/VM.cpp:
1001         (JSC::VM::VM):
1002         * runtime/VM.h:
1003         (JSC::VM::random):
1004         (JSC::VM::integrityRandom):
1005         * tools/Integrity.cpp: Added.
1006         (JSC::Integrity::Random::Random):
1007         (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
1008         (JSC::Integrity::auditCellFully):
1009         (JSC::Integrity::auditCellMinimallySlow):
1010         * tools/Integrity.h: Added.
1011         (JSC::Integrity::auditCell):
1012         * tools/IntegrityInlines.h: Added.
1013         (JSC::Integrity::Random::shouldAudit):
1014         (JSC::Integrity::auditCellMinimally):
1015         (JSC::Integrity::auditCellRandomly):
1016         * tools/VMInspector.h:
1017         (JSC::VMInspector::unusedVerifier):
1018         (JSC::VMInspector::verifyCellSize):
1019         * tools/VMInspectorInlines.h: Added.
1020         (JSC::VMInspector::verifyCellSize):
1021         (JSC::VMInspector::verifyCell):
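
        The trigger-bits scheme described in this entry, as an added example that is not JSC's own code:
        a stand-alone C++ model in which the class name, the reload counter and std::mt19937 (standing
        in for VM::random() / WeakRandom) are all assumptions.

```cpp
#include <climits>
#include <cstdint>
#include <random>

// Stand-alone model of the m_triggerBits scheme described in the entry above.
// Added example, not JSC's own code: the class and member names are assumed,
// and std::mt19937 stands in for VM::random() / WeakRandom.
class IntegrityRandom {
public:
    // `rate` models Options::randomIntegrityAuditRate(): 0.0 never audits,
    // 1.0 audits at every chance.
    IntegrityRandom(double rate, uint32_t seed)
        : m_rate(rate)
        , m_rng(seed)
    {
        // With a zero rate m_triggerBits stays 0 and no audit is ever done.
        if (m_rate != 0.0)
            m_triggerBits = freshTriggerBits();
    }

    // Models the decision in Integrity::auditCell(): pop the bottom bit as the
    // trigger for the current cell and shift the rest down by one.
    bool shouldAudit()
    {
        if (!m_triggerBits)
            return false; // rate == 0.0
        bool trigger = m_triggerBits & 1;
        m_triggerBits >>= 1;
        if (m_triggerBits)
            return trigger; // fast path, taken 63 times out of every 64
        // The bit just popped was the reload bit, not a trigger bit: refill the
        // word and decide for the current cell with one more random draw.
        return reloadAndCheckShouldAuditSlow();
    }

    uint64_t triggerBits() const { return m_triggerBits; }
    int reloadCount() const { return m_reloadCount; }

private:
    // A trigger bit is set when VM::random() <= rate * UINT_MAX.
    bool drawTrigger()
    {
        uint64_t threshold = static_cast<uint64_t>(m_rate * UINT_MAX);
        return static_cast<uint64_t>(m_rng()) <= threshold;
    }

    // Layout: | 1 reload bit (bit 63) | 63 trigger bits (bits 0..62) |
    uint64_t freshTriggerBits()
    {
        uint64_t bits = uint64_t(1) << 63; // the reload bit is always set
        for (int i = 0; i < 63; ++i) {
            if (drawTrigger())
                bits |= uint64_t(1) << i;
        }
        return bits;
    }

    bool reloadAndCheckShouldAuditSlow()
    {
        ++m_reloadCount;
        m_triggerBits = freshTriggerBits();
        return drawTrigger();
    }

    double m_rate;
    std::mt19937 m_rng;
    uint64_t m_triggerBits { 0 };
    int m_reloadCount { 0 };
};

// Drive the model: how many of `calls` audit checks fire, and how often the
// slow reload path ran (expected: once per 64 calls).
int countAudits(double rate, uint32_t seed, int calls)
{
    IntegrityRandom random(rate, seed);
    int audits = 0;
    for (int i = 0; i < calls; ++i)
        audits += random.shouldAudit() ? 1 : 0;
    return audits;
}

int countReloads(double rate, uint32_t seed, int calls)
{
    IntegrityRandom random(rate, seed);
    for (int i = 0; i < calls; ++i)
        random.shouldAudit();
    return random.reloadCount();
}

// The reload bit must be present after a fresh fill: the word is never zero
// unless the rate is zero.
bool reloadBitSet(double rate, uint32_t seed)
{
    IntegrityRandom random(rate, seed);
    return (random.triggerBits() >> 63) & 1;
}
```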
1022
1023 2019-09-23  Commit Queue  <commit-queue@webkit.org>
1024
1025         Unreviewed, rolling out r250262.
1026         https://bugs.webkit.org/show_bug.cgi?id=202126
1027
1028         "Breaks Win64 builds because of MSVC bug" (Requested by mlam|a
1029         on #webkit).
1030
1031         Reverted changeset:
1032
1033         "Reduce the amount of memory needed to store Options."
1034         https://bugs.webkit.org/show_bug.cgi?id=202105
1035         https://trac.webkit.org/changeset/250262
1036
1037 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
1038
1039         Array methods should throw TypeError upon attempting to modify a string
1040         https://bugs.webkit.org/show_bug.cgi?id=201910
1041
1042         Reviewed by Keith Miller.
1043
1044         We currently allow Array prototype methods to modify strings that they are called upon in certain cases.
1045         (In particular, we're inconsistent about permitting writes to the length property.)
1046
1047         According to section 22.1.3 of the ES spec, this should result in a TypeError.
1048         https://tc39.es/ecma262/#sec-properties-of-the-array-prototype-object
1049         (Test262 cases are needed, but the key is that all such methods use Set(..., true) which throws on failure.)
1050
1051         * runtime/ArrayPrototype.cpp:
1052         (JSC::putLength):
1053         (JSC::setLength):
1054         Never update the length property of a non-JSArray without checking whether we're actually allowed to.
1055
1056 2019-09-23  Mark Lam  <mark.lam@apple.com>
1057
1058         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
1059         https://bugs.webkit.org/show_bug.cgi?id=202122
1060         <rdar://problem/55535249>
1061
1062         Reviewed by Yusuke Suzuki.
1063
1064         * runtime/JSGlobalObject.cpp:
1065         (JSC::JSGlobalObject::init):
1066
1067 2019-09-23  Mark Lam  <mark.lam@apple.com>
1068
1069         Reduce the amount of memory needed to store Options.
1070         https://bugs.webkit.org/show_bug.cgi?id=202105
1071
1072         Reviewed by Yusuke Suzuki.
1073
1074         The size of the JSC::Config needed to store the Options is now reduced to 4K
1075         instead of 16K, enabled by constexpr template magic.
1076
1077         1. Instead of all options in a large array of OptionEntry (which is a union of
1078            all the option types), we now have separate arrays for each of the types of
1079            options.  For example,
1080
1081                 Removed g_jscConfig.options[].
1082                 Added g_jscConfig.typeBoolOptions[].
1083                 Added g_jscConfig.typeInt32Options[].
1084                 Added g_jscConfig.typeDoubleOptions[].
1085                 ...
1086
1087            We used to find the storage for the option using g_jscConfig.options[Options::ID].
1088            We now find the storage for each type of option using
1089            g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()].  For
1090            example, Options::useJIT() used to be implemented as:
1091
1092                inline bool& Options::useJIT()
1093                {
1094                     return g_jscConfig.options[Options::useJITID];
1095                }
1096
1097            ... which is now replaced with:
1098
1099                inline bool& Options::useJIT()
1100                {
1101                     return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()];
1102                }
1103
1104         2. Introduce the optionTypeSpecificIndex() constexpr template function for
1105            computing the index of each option in their respective type specific options
1106            array.
1107
1108         3. Introduce OptionTypes, OptionTypeID, and OptionID.
1109
1110            The OptionTypes namespace replaces OptionEntry as the container of option types.
1111            The OptionID enum class replaces Options::ID.
1112            The OptionTypeID enum class is new and is used together with OptionID in
1113                constexpr templates to compute the typeSpecificIndex of options.
1114
1115         4. Removed the OptionEntry struct and OptionEntry.h.  After (1), this struct is
1116            only used in the Option class.  We just moved the union of option types (that
1117            OptionEntry embeds) into the Option class.
1118
1119            Moved class OptionRange into OptionsList.h.
1120
1121         5. Removed the large OptionEntry arrays from JSC::Config.
1122            Added type specific options arrays.
1123            Also ordered these arrays to maximize compactness and minimize internal fragmentation.
1124
1125         6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[]
1126            instead of going through the Option wrapper object.  This allows us to simplify
1127            things and make the Option class a read only interface of options.
1128
1129         7. Changed Options::initialize() to only compute the option default value once.
1130            The default value specified in the OptionsList may not always be a constant.
1131            Sometimes, it is a function call.
1132
1133         8. The Option class now only gives read only access to the options.
1134
1135            The Option class' role is to provide an interface for reading an option at any
1136            given OptionID without first knowing about the type of the specific option.
1137            It is useful for iterating options, and is currently only used by
1138            Options::dumpOption().
1139
1140            Technically, we could merge all the Option class code into its single client.
1141            We opted not to do this because the amount of code is non-trivial, and the
1142            Option class does a good job of encapsulating this functionality.
1143
1144         * API/glib/JSCOptions.cpp:
1145         (jscOptionsSetValue):
1146         (jscOptionsGetValue):
1147         (jsc_options_foreach):
1148         (jsc_options_get_option_group):
1149         * CMakeLists.txt:
1150         * JavaScriptCore.xcodeproj/project.pbxproj:
1151         * runtime/JSCConfig.h:
1152         * runtime/OptionEntry.h: Removed.
1153         * runtime/Options.cpp:
1154         (JSC::Options::isAvailable):
1155         (JSC::overrideOptionWithHeuristic):
1156         (JSC::scaleJITPolicy):
1157         (JSC::recomputeDependentOptions):
1158         (JSC::Options::initialize):
1159         (JSC::Options::setOptionWithoutAlias):
1160         (JSC::Options::dumpAllOptions):
1161         (JSC::Options::dumpOption):
1162         (JSC::Option::Option):
1163         (JSC::Option::defaultOption const):
1164         (JSC::Option::dump const):
1165         (JSC::Option::operator== const):
1166         * runtime/Options.h:
1167         (JSC::Option::id const):
1168         (JSC::Option::name const):
1169         (JSC::Option::description const):
1170         (JSC::Option::type const):
1171         (JSC::Option::availability const):
1172         (JSC::Option::isOverridden const):
1173         (JSC::Option::Option):
1174         (JSC::Option::idIndex const):
1175         (JSC::Option::defaultOption const): Deleted.
1176         (JSC::Option::boolVal): Deleted.
1177         (JSC::Option::unsignedVal): Deleted.
1178         (JSC::Option::doubleVal): Deleted.
1179         (JSC::Option::int32Val): Deleted.
1180         (JSC::Option::optionRangeVal): Deleted.
1181         (JSC::Option::optionStringVal): Deleted.
1182         (JSC::Option::gcLogLevelVal): Deleted.
1183         * runtime/OptionsList.h:
1184         (JSC::OptionRange::operator= ):
1185         (JSC::OptionRange::rangeString const):
1186         (JSC::optionTypeSpecificIndex):
1187         (JSC::countNumberOfJSCOptionsOfType):
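
        The per-type option storage and the optionTypeSpecificIndex() computation described in this entry,
        as an added example rather than JSC's own code: the option names, their types and the Config layout
        are made-up stand-ins for the list in OptionsList.h.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not JSC's own code: a miniature of the per-type option storage
// described above. The option names and types here are made up; in JSC the
// list comes from OptionsList.h.
enum class OptionTypeID : uint8_t { Bool, Int32, Double };
enum class OptionID : uint8_t {
    useJIT,
    thresholdForJIT,
    useDFG,
    jitPolicyScale,
    maxInlineDepth,
    useFTL,
    NumberOfOptions
};

// Type of each option, indexed by OptionID.
constexpr OptionTypeID optionTypes[] = {
    OptionTypeID::Bool,   // useJIT
    OptionTypeID::Int32,  // thresholdForJIT
    OptionTypeID::Bool,   // useDFG
    OptionTypeID::Double, // jitPolicyScale
    OptionTypeID::Int32,  // maxInlineDepth
    OptionTypeID::Bool,   // useFTL
};

constexpr size_t numberOfOptions = static_cast<size_t>(OptionID::NumberOfOptions);

// Number of options of `type`, i.e. the length of that type's storage array
// (the role of countNumberOfJSCOptionsOfType() in the entry).
constexpr size_t countNumberOfOptionsOfType(OptionTypeID type)
{
    size_t count = 0;
    for (size_t i = 0; i < numberOfOptions; ++i) {
        if (optionTypes[i] == type)
            ++count;
    }
    return count;
}

// Index of `id` inside the array for `type`: the number of earlier options of
// the same type. Pairing an id with the wrong type fails to compile.
template<OptionTypeID type, OptionID id>
constexpr size_t optionTypeSpecificIndex()
{
    static_assert(optionTypes[static_cast<size_t>(id)] == type, "option/type mismatch");
    size_t index = 0;
    for (size_t i = 0; i < static_cast<size_t>(id); ++i) {
        if (optionTypes[i] == type)
            ++index;
    }
    return index;
}

// New layout: one packed array per type, widest types first to avoid padding.
struct Config {
    double typeDoubleOptions[countNumberOfOptionsOfType(OptionTypeID::Double)];
    int32_t typeInt32Options[countNumberOfOptionsOfType(OptionTypeID::Int32)];
    bool typeBoolOptions[countNumberOfOptionsOfType(OptionTypeID::Bool)];
};

// Old layout: one union slot per option, every slot as wide as the widest type.
union OptionEntry {
    bool boolVal;
    int32_t int32Val;
    double doubleVal;
};

constexpr size_t packedStorageBytes = sizeof(Config);
constexpr size_t unionStorageBytes = sizeof(OptionEntry) * numberOfOptions;

Config g_config { };

// Accessors in the shape the entry shows for Options::useJIT().
inline bool& useJIT()
{
    return g_config.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()];
}

inline int32_t& maxInlineDepth()
{
    return g_config.typeInt32Options[optionTypeSpecificIndex<OptionTypeID::Int32, OptionID::maxInlineDepth>()];
}

// A write through an accessor must land in the matching slot of the packed array.
bool accessorsAddressPackedSlots()
{
    useJIT() = true;
    maxInlineDepth() = 7;
    return g_config.typeBoolOptions[0] && g_config.typeInt32Options[1] == 7;
}
```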
1188
1189 2019-09-23  Devin Rousso  <drousso@apple.com>
1190
1191         Web Inspector: Canvas: show WebGPU shader pipelines
1192         https://bugs.webkit.org/show_bug.cgi?id=201675
1193         <rdar://problem/55543450>
1194
1195         Reviewed by Joseph Pecoraro.
1196
1197         * inspector/protocol/Canvas.json:
1198         Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
1199         frontend of a new program.
1200
1201 2019-09-23  Zan Dobersek  <zdobersek@igalia.com>
1202
1203         testmasm: integer operands loaded as unsigned values
1204         https://bugs.webkit.org/show_bug.cgi?id=202099
1205
1206         Reviewed by Mark Lam.
1207
1208         Suppress GCC warnings about comparing signed and unsigned values in
1209         test cases introduced in r247913 by using signed integer types for
1210         loading 32-bit and 64-bit integer operand values.
1211
1212         * assembler/testmasm.cpp:
1213         (JSC::testBranchTestBit32RegReg):
1214         (JSC::testBranchTestBit32RegImm):
1215         (JSC::testBranchTestBit32AddrImm):
1216         (JSC::testBranchTestBit64RegReg):
1217         (JSC::testBranchTestBit64RegImm):
1218         (JSC::testBranchTestBit64AddrImm):
1219
1220 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
1221
1222         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
1223         https://bugs.webkit.org/show_bug.cgi?id=202072
1224
1225         Reviewed by Mark Lam.
1226
1227         Inline doubleToStrictInt52 in FTL since it is a very simple function.
1228         This change improves JetStream2/stanford-crypto-sha256 by ~5%.
1229
1230         * ftl/FTLLowerDFGToB3.cpp:
1231         (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
1232         * ftl/FTLOutput.cpp:
1233         (JSC::FTL::Output::doubleToInt64):
1234         * ftl/FTLOutput.h:
1235
1236 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
1237
1238         Unreviewed, follow-up change after r250198
1239         https://bugs.webkit.org/show_bug.cgi?id=201633
1240
1241         * b3/testb3_5.cpp:
1242         (testCheckAddRemoveCheckWithSExt16):
1243
1244 2019-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
1245
1246         [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function
1247         https://bugs.webkit.org/show_bug.cgi?id=201633
1248
1249         Reviewed by Mark Lam.
1250
1251         Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code sees the uint32_t type.
1252         In JS, we handle Int32 well, but if the value exceeds the Int32 range (like, using 0xffffffff), we use Int52 instead so as not to fall back to Double.
1253
1254         The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each
1255         of them emits an OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which
1256         can be seen if OSR exit occurs.
1257
1258         In this patch, we perform strength-reduction for CheckAdd, converting it to Add. We already have such a thing. But the existing one does not handle well
1259         the instructions emitted when Int52 is used.
1260
1261         When Int52 is used, we typically have a sequence like:
1262
1263             Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64
1264             Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52
1265
1266         While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 even though it is very easy.
1267         This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis.
1268         This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit.
1269         We can see ~5% improvement in JetStream2/async-fs.
1270
1271         * b3/B3ReduceStrength.cpp:
1272         * b3/testb3.h:
1273         (int16Operands):
1274         (int8Operands):
1275         * b3/testb3_1.cpp:
1276         (run):
1277         * b3/testb3_5.cpp:
1278         (testCheckAddRemoveCheckWithSExt8):
1279         (testCheckAddRemoveCheckWithSExt16):
1280         (testCheckAddRemoveCheckWithSExt32):
1281         (testCheckAddRemoveCheckWithZExt32):
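
        The range rules described in this entry, as an added worked example in C++ (not WebKit's B3ReduceStrength code): a closed
        int64_t interval, the SExt/ZExt/Shl rules the patch adds, and the overflow test that decides whether a CheckAdd can become
        a plain Add. The names IntRange, rangeForSExt, rangeForShl and couldOverflowAdd are chosen here and are not B3's identifiers.

```cpp
#include <cstdint>

// Simplified model of B3ReduceStrength's integer-range analysis, written for this
// ChangeLog entry (not WebKit's code): a closed interval over int64_t plus the rules
// for SExt/ZExt, Shl and Add that let CheckAdd become Add when overflow is impossible.
struct IntRange {
    int64_t min;
    int64_t max;
    static IntRange top() { return { INT64_MIN, INT64_MAX }; }     // nothing known
    static IntRange int32() { return { INT32_MIN, INT32_MAX }; }   // any Int32 value
};

static bool addOverflows(int64_t a, int64_t b)
{
    if (b > 0) return a > INT64_MAX - b;
    if (b < 0) return a < INT64_MIN - b;
    return false;
}

static bool shlOverflows(int64_t a, int shift)
{
    int64_t factor = int64_t(1) << shift;
    if (a > 0) return a > INT64_MAX / factor;
    if (a < 0) return a < INT64_MIN / factor;
    return false;
}

// SExt8/SExt16/SExt32: sign extension keeps the numeric value, so a range already inside
// the signed `bits`-wide domain is unchanged; anything else widens to that whole domain.
IntRange rangeForSExt(IntRange input, int bits)
{
    int64_t lo = -(int64_t(1) << (bits - 1));
    int64_t hi = (int64_t(1) << (bits - 1)) - 1;
    if (input.min >= lo && input.max <= hi) return input;
    return { lo, hi };
}

// ZExt32: the result always lies in [0, 2^32 - 1]; a non-negative input range is kept.
IntRange rangeForZExt32(IntRange input)
{
    if (input.min >= 0 && input.max <= INT64_C(0xffffffff)) return input;
    return { 0, INT64_C(0xffffffff) };
}

// Shl by a constant: scale both bounds, or give up (top) if either bound would overflow.
IntRange rangeForShl(IntRange input, int shift)
{
    if (shift < 0 || shift >= 63) return IntRange::top();
    if (shlOverflows(input.min, shift) || shlOverflows(input.max, shift)) return IntRange::top();
    int64_t factor = int64_t(1) << shift;
    return { input.min * factor, input.max * factor };
}

// CheckAdd(a, b) can become a plain Add only when no pair of values in the ranges overflows.
bool couldOverflowAdd(IntRange a, IntRange b)
{
    return addOverflows(a.min, b.min) || addOverflows(a.max, b.max);
}

// The Int52 sequence quoted in the entry: an Int32 widened by SExt32, then shifted left by 12.
IntRange int52RangeFromInt32()
{
    IntRange widened = rangeForSExt(IntRange::int32(), 32);   // @78 = SExt32(@73)
    return rangeForShl(widened, 12);                           // @81 = Shl(@78, $12)
}

// With the SExt32 rule: two Int52 values sum to at most 53 bits, so the check is dead.
bool checkAddRemovableWithSExt32()
{
    IntRange int52 = int52RangeFromInt32();
    return !couldOverflowAdd(int52, int52);
}

// Without it, SExt32's result is unknown (top), Shl of top is top, and the check must stay.
bool checkAddRemovableWithoutSExt32()
{
    IntRange unknown = rangeForShl(IntRange::top(), 12);
    return !couldOverflowAdd(unknown, unknown);
}
```

        The two boolean functions at the end reproduce the before/after of the patch on the quoted sequence: once SExt32's result is
        known to be an Int32 range, Shl by 12 yields an Int52 range and the sum of two such values cannot overflow int64_t, so the
        CheckAdd is removable; with SExt32 treated as unknown the analysis has to keep it.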
1282
1283 2019-09-21  Mark Lam  <mark.lam@apple.com>
1284
1285         Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage.
1286         https://bugs.webkit.org/show_bug.cgi?id=202082
1287
1288         Reviewed by Tadeu Zagallo.
1289
1290         They are not being caged anyway.
1291
1292         * runtime/DirectArguments.h:
1293         * runtime/JSLexicalEnvironment.h:
1294         (JSC::JSLexicalEnvironment::subspaceFor):
1295         * runtime/ScopedArguments.h:
1296         * runtime/VM.cpp:
1297         (JSC::VM::VM):
1298         * runtime/VM.h:
1299
1300 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
1301
1302         AccessCase should strongly visit its dependencies while on stack
1303         https://bugs.webkit.org/show_bug.cgi?id=201986
1304         <rdar://problem/55521953>
1305
1306         Reviewed by Saam Barati and Yusuke Suzuki.
1307
1308         AccessCase::doesCalls is responsible for specifying the cells it depends on, so that
1309         MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However,
1310         it was missing most of its dependencies, which led to it being collected while on stack.
1311         This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js
1312         as the PolymorphicAccess being collected and removing its exception handler from the code
1313         block, which led to the exception propagating past the try/catch.
1314
1315         In order to fix this, we abstract the dependency gathering logic from AccessCase into
1316         forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to
1317         guarantee that their implementation is consistent.
1318
1319         * bytecode/AccessCase.cpp:
1320         (JSC::AccessCase::forEachDependentCell const):
1321         (JSC::AccessCase::doesCalls const):
1322         (JSC::AccessCase::visitWeak const):
1323         * bytecode/AccessCase.h:
1324         * bytecode/CallLinkInfo.cpp:
1325         (JSC::CallLinkInfo::lastSeenCallee const):
1326         (JSC::CallLinkInfo::haveLastSeenCallee const):
1327         (JSC::CallLinkInfo::lastSeenCallee): Deleted.
1328         (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
1329         * bytecode/CallLinkInfo.h:
1330         (JSC::CallLinkInfo::isDirect const):
1331         (JSC::CallLinkInfo::isLinked const):
1332         (JSC::CallLinkInfo::stub const):
1333         (JSC::CallLinkInfo::forEachDependentCell const):
1334         (JSC::CallLinkInfo::isLinked): Deleted.
1335         (JSC::CallLinkInfo::stub): Deleted.
1336         * bytecode/ObjectPropertyCondition.cpp:
1337         (JSC::ObjectPropertyCondition::isStillLive const):
1338         * bytecode/ObjectPropertyCondition.h:
1339         (JSC::ObjectPropertyCondition::forEachDependentCell const):
1340         * bytecode/ObjectPropertyConditionSet.cpp:
1341         (JSC::ObjectPropertyConditionSet::areStillLive const):
1342         * bytecode/ObjectPropertyConditionSet.h:
1343         (JSC::ObjectPropertyConditionSet::forEachDependentCell const):
1344         * bytecode/PropertyCondition.cpp:
1345         (JSC::PropertyCondition::isStillLive const):
1346         * bytecode/PropertyCondition.h:
1347         (JSC::PropertyCondition::forEachDependentCell const):
1348         * jit/PolymorphicCallStubRoutine.cpp:
1349         (JSC::PolymorphicCallStubRoutine::visitWeak):
1350         * jit/PolymorphicCallStubRoutine.h:
1351         (JSC::PolymorphicCallStubRoutine::forEachDependentCell):
1352
1353 2019-09-21  David Kilzer  <ddkilzer@apple.com>
1354
1355         clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore
1356         <https://webkit.org/b/202069>
1357
1358         Reviewed by Mark Lam.
1359
1360         Fix unwanted copying/ref churn of loop variables by making them
1361         const references.
1362
1363         * bytecode/CodeBlock.cpp:
1364         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1365         * bytecompiler/BytecodeGenerator.cpp:
1366         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1367         * dfg/DFGGraph.cpp:
1368         (JSC::DFG::Graph::dump):
1369         * inspector/agents/InspectorAgent.cpp:
1370         (Inspector::InspectorAgent::activateExtraDomains):
1371         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1372         (Inspector::RemoteInspector::stopInternal):
1373         (Inspector::RemoteInspector::xpcConnectionFailed):
1374         (Inspector::RemoteInspector::pushListingsNow):
1375         * parser/Parser.h:
1376         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1377         * runtime/ProxyObject.cpp:
1378         (JSC::ProxyObject::performGetOwnPropertyNames):
1379         * runtime/SamplingProfiler.cpp:
1380         (JSC::SamplingProfiler::registerForReportAtExit):
1381         (JSC::SamplingProfiler::reportTopFunctions):
1382         (JSC::SamplingProfiler::reportTopBytecodes):
1383         * runtime/TypeSet.cpp:
1384         (JSC::StructureShape::inspectorRepresentation):
1385         (JSC::StructureShape::merge):
1386
1387 2019-09-20  Keith Miller  <keith_miller@apple.com>
1388
1389         eliding a move in Air O0 needs to mark the dest's old reg as available
1390         https://bugs.webkit.org/show_bug.cgi?id=202066
1391
1392         Reviewed by Saam Barati.
1393
1394         Also adds a new release method that handles all the invariants of
1395         returning a register to the available register pool.
1396
1397         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
1398         (JSC::B3::Air::GenerateAndAllocateRegisters::release):
1399         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
1400         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
1401         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
1402         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
1403
1404 2019-09-20  Mark Lam  <mark.lam@apple.com>
1405
1406         Harden assertion in StructureIDTable::get().
1407         https://bugs.webkit.org/show_bug.cgi?id=202067
1408         <rdar://problem/55577923>
1409
1410         Reviewed by Keith Miller.
1411
1412         * runtime/StructureIDTable.h:
1413         (JSC::StructureIDTable::get):
1414
1415 2019-09-20  Truitt Savell  <tsavell@apple.com>
1416
1417         Unreviewed, rolling out r250114.
1418
1419         Broke ~16 webgpu/ tests on Mojave wk2
1420
1421         Reverted changeset:
1422
1423         "Web Inspector: Canvas: show WebGPU shader pipelines"
1424         https://bugs.webkit.org/show_bug.cgi?id=201675
1425         https://trac.webkit.org/changeset/250114
1426
1427 2019-09-20  Paulo Matos  <pmatos@igalia.com>
1428
1429         Implement memory monitoring functions for Linux OS
1430         https://bugs.webkit.org/show_bug.cgi?id=200391
1431
1432         Reviewed by Žan Doberšek.
1433
1434         * jsc.cpp:
1435
1436 2019-09-20  Devin Rousso  <drousso@apple.com>
1437
1438         ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html
1439         https://bugs.webkit.org/show_bug.cgi?id=201713
1440         <rdar://problem/55290349>
1441
1442         Reviewed by Joseph Pecoraro.
1443
1444         Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value
1445         instead of using a referenced `bool` (which wouldn't include any of the exception's info).
1446
1447         * bindings/ScriptFunctionCall.h:
1448         * bindings/ScriptFunctionCall.cpp:
1449         (Deprecated::ScriptFunctionCall::call):
1450
1451         * inspector/InjectedScript.cpp:
1452         (Inspector::InjectedScript::wrapCallFrames const):
1453         (Inspector::InjectedScript::wrapObject const):
1454         (Inspector::InjectedScript::wrapJSONString const):
1455         (Inspector::InjectedScript::wrapTable const):
1456         (Inspector::InjectedScript::previewValue const):
1457         (Inspector::InjectedScript::findObjectById const):
1458         (Inspector::InjectedScript::releaseObjectGroup):
1459
1460         * inspector/InjectedScriptBase.h:
1461         * inspector/InjectedScriptBase.cpp:
1462         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const):
1463         (Inspector::InjectedScriptBase::makeCall):
1464         (Inspector::InjectedScriptBase::makeAsyncCall):
1465
1466         * inspector/InjectedScriptManager.h:
1467         * inspector/InjectedScriptManager.cpp:
1468         (Inspector::InjectedScriptManager::createInjectedScript):
1469         (Inspector::InjectedScriptManager::injectedScriptFor):
1470
1471         * inspector/InjectedScriptModule.cpp:
1472         (Inspector::InjectedScriptModule::ensureInjected):
1473
1474 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
1475
1476         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
1477         https://bugs.webkit.org/show_bug.cgi?id=202014
1478
1479         Reviewed by Saam Barati.
1480
1481         Let's look into the bytecode generated by the test.
1482
1483             [   0] enter
1484             [   1] get_scope          loc4
1485             [   3] mov                loc5, loc4
1486             [   6] check_traps
1487             [   7] mov                loc6, callee
1488             [  10] create_direct_arguments loc7
1489             [  12] to_this            this
1490             [  15] mov                loc8, loc7
1491             [  18] mov                loc9, loc6
1492             [  21] mov                loc12, Undefined(const0)
1493             [  24] get_by_id          loc11, loc6, 0
1494             [  29] jneq_ptr           loc11, ApplyFunction, 18(->47)
1495             [  34] mov                loc11, loc6
1496             [  37] call_varargs       loc11, loc11, this, loc8, loc13, 0
1497             [  45] jmp                17(->62)
1498             [  47] mov                loc16, loc6
1499             [  50] mov                loc15, this
1500             [  53] mov                loc14, loc8
1501             [  56] call               loc11, loc11, 3, 22
1502             ...
1503
1504         call_varargs uses loc13 as firstFreeReg (the first usable bottom register in the current stack frame, from which the variadic arguments are spread).
1505         This is correct. And call_varargs uses |this| as the |this| argument for the call_varargs. This |this| argument is not in the region starting from loc13,
1506         nor is it in the slot just before loc13 (|this| is not loc12).
1507
1508         On the other hand, DFG::ByteCodeParser's inlining path always assumes that the register just before firstFreeReg is usable and is part of the arguments.
1509         But this is wrong. loc12 in the above bytecode is used later as an argument of `[  56] call               loc11, loc11, 3, 22`, and this call assumes
1510         that loc12 is not clobbered by call_varargs. But DFG and FTL clobber it.
1511
1512         The test recursively calls the same function, and we inline the same function one level. A stack-overflow error happens when the inlined
1513         CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point the outer function's loc12 is recovered as garbage since
1514         LoadVarargs clobbers it. We eventually use it and crash.
1515
1516             60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)
1517
1518         This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is still in use.
1519
1520         In all the tiers, op_call_varargs first allocates a region large enough to hold the varargs including |this|, and we store the |this| value to the correct place.
1521         DFG should not assume that the register before firstFreeReg is used for |this|.
1522
1523         This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. We also rename maxNumArguments to maxArgumentCountIncludingThis to
1524         make explicit that `maxArgumentCountIncludingThis` includes |this| in the count.
1525
1526         * bytecode/CallLinkInfo.cpp:
1527         (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
1528         (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
1529         * bytecode/CallLinkInfo.h:
1530         (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
1531         (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
1532         (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
1533         (JSC::CallLinkInfo::maxNumArguments): Deleted.
1534         * bytecode/CallLinkStatus.cpp:
1535         (JSC::CallLinkStatus::computeFor):
1536         (JSC::CallLinkStatus::dump const):
1537         * bytecode/CallLinkStatus.h:
1538         (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
1539         (JSC::CallLinkStatus::maxNumArguments const): Deleted.
1540         * dfg/DFGByteCodeParser.cpp:
1541         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1542         * dfg/DFGSpeculativeJIT32_64.cpp:
1543         (JSC::DFG::SpeculativeJIT::emitCall):
1544         * dfg/DFGSpeculativeJIT64.cpp:
1545         (JSC::DFG::SpeculativeJIT::emitCall):
1546         * ftl/FTLLowerDFGToB3.cpp:
1547         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1548         * jit/JITCall.cpp:
1549         (JSC::JIT::compileSetupFrame):
1550         * jit/JITCall32_64.cpp:
1551         (JSC::JIT::compileSetupFrame):
1552         * jit/JITOperations.cpp:
1553
1554 2019-09-19  Devin Rousso  <drousso@apple.com>
1555
1556         Web Inspector: Canvas: show WebGPU shader pipelines
1557         https://bugs.webkit.org/show_bug.cgi?id=201675
1558
1559         Reviewed by Joseph Pecoraro.
1560
1561         * inspector/protocol/Canvas.json:
1562         Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
1563         frontend of a new program.
1564
1565 2019-09-19  Mark Lam  <mark.lam@apple.com>
1566
1567         Rename VMInspector::m_list to m_vmList.
1568         https://bugs.webkit.org/show_bug.cgi?id=202015
1569
1570         Reviewed by Yusuke Suzuki.
1571
1572         m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
1573         it from other m_lists in the code base.
1574
1575         * tools/VMInspector.cpp:
1576         (JSC::VMInspector::add):
1577         (JSC::VMInspector::remove):
1578         * tools/VMInspector.h:
1579         (JSC::VMInspector::iterate):
1580
1581 2019-09-19  Mark Lam  <mark.lam@apple.com>
1582
1583         Reduce the number of required tag bits for the JSValue.
1584         https://bugs.webkit.org/show_bug.cgi?id=201990
1585
1586         Reviewed by Yusuke Suzuki.
1587
1588         We're reducing the number of tag bits to 15.  It should just work.
1589
1590         How did we arrive at 15 bits?
1591         ============================
1592         Currently, the minimum number of top bits used by doubles is 13.  The
1593         highest double bit encodings are:
1594
1595             "negative" pureNaN: starts with 0xfff8
1596             negative infinity:  starts with 0xfff0
1597             highest number:     starts with 0xffe*
1598             lowest number:      starts with 0x0000
1599
1600         Requirements:
1601         1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints
1602            (all 1s at the top).
1603
1604         2. We want to be able to add an offset to double bits and ensure that they never
1605            end up in the ranges for pointers and ints.
1606
1607         3. The int tag must be higher than whatever value is produced in the top bits
1608            when boxing a double.  We have code that relies on this relationship being
1609            true and checks if a JSValue is an int by checking if the tag bits are above
1610            or equal to the int tag.
1611
1612         4. We don't want to burn more than 2 CPU registers for tag / mask registers.
1613
1614         Based on the bit encoding of doubles, the full number range of the top 13 bits
1615         is used in valid double numbers.  This means the minimum number of tag bits must
1616         be greater than 13.
1617
1618         Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
1619         0x0004.  With this encoding,
1620             "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc
1621
1622         i.e. the top 14 bits are all set.  This conflicts with the int number range.
1623
1624         Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
1625         with 0x0002.  With this encoding:
1626             "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
1627             negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2
1628
1629         i.e. 0xfffe (top 5 bits set) is available to represent ints.  This is the encoding
1630         that we'll adopt in this patch.
1631
1632         Alternate encoding schemes to consider in the future:
1633         =====================================================
1634         1. If we're willing and able to purifyNaN at all the places that can produce a
1635            "negative" pureNaN, e.g. after a division, then we can remove the "negative"
1636            pureNaN as a valid double bit encoding.  With this, we can now box doubles
1637            with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
1638            0x0004.
1639
1640            With this encoding, the top double, negative infinity, is encoded as follows:
1641
1642                 negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4
1643
1644            i.e. leaving 0xfffc as the tag for ints.
1645
1646            We didn't adopt this scheme at this time because it adds complexity, and may
1647            have performance impact from the extra purifyNaN checks.
1648
1649            Ref: https://bugs.webkit.org/show_bug.cgi?id=202002
1650
1651         2. If we're willing to use 3 tag registers or always materialize one of them, we
1652            can also adopt a 14-bit tag as follows:
1653
1654                Pointer {  0000:PPPP:PPPP:PPPP
1655                         / 0002:****:****:****
1656                Double  {         ...
1657                         \ FFFC:****:****:****
1658                Integer {  FFFF:0000:IIII:IIII
1659
1660            where ...
1661                NumberMask is 0xfffc: any bit set in the top 14 bits means the value is a number.
1662                IntMask is 0xffff: value is int if value & IntMask == IntMask.
1663                NotCellMask is NumberMask | OtherTag.
1664
1665            Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
1666            a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
1667            still less than 0xffff.
1668
1669            We didn't adopt this scheme at this time because it adds complexity and may
1670            have a performance impact from either burning another register, or materializing
1671            the 3rd mask.
1672
1673            Ref: https://bugs.webkit.org/show_bug.cgi?id=202005
1674
1675         * runtime/JSCJSValue.h:
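
        The 15-bit encoding argued for in this entry, as an added worked example in C++ (not WebKit's JSCJSValue.h code). It reuses the
        constant names NumberTag, NotCellMask, OtherTag and DoubleEncodeOffsetBit adopted in the "Replace JSValue #defines with static
        constexpr values" entry below; the boxing/unboxing helpers and the doubleEncodingConflicts / minimumSafeTagBits functions are
        written here to make the 13/14/15-bit comparison in the text executable, and are not JSC API.

```cpp
#include <cstdint>
#include <cstring>

// Constants of the 15-bit scheme, named as in JSC's JSCJSValue.h; the functions around
// them are an illustration written for this entry, not WebKit's implementation.
constexpr uint64_t NumberTag = 0xfffe000000000000ull;                  // top 15 bits set: int32
constexpr int DoubleEncodeOffsetBit = 49;
constexpr uint64_t DoubleEncodeOffset = 1ull << DoubleEncodeOffsetBit; // starts with 0x0002
constexpr uint64_t OtherTag = 0x2;
constexpr uint64_t NotCellMask = NumberTag | OtherTag;

static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Boxing: ints carry the full tag, doubles are offset so that no valid double looks like
// an int or a pointer, and cells are stored as-is (top 15 bits and the OtherTag bit clear).
uint64_t boxInt32(int32_t i) { return NumberTag | static_cast<uint32_t>(i); }
uint64_t boxDouble(double d) { return bitsOf(d) + DoubleEncodeOffset; }
uint64_t boxCell(const void* p) { return reinterpret_cast<uintptr_t>(p); }

// Type tests; isInt32 is the "tag bits equal to the int tag" check requirement 3 relies on.
bool isInt32(uint64_t v) { return (v & NumberTag) == NumberTag; }
bool isNumber(uint64_t v) { return (v & NumberTag) != 0; }
bool isDouble(uint64_t v) { return isNumber(v) && !isInt32(v); }
bool isCell(uint64_t v) { return (v & NotCellMask) == 0; }

int32_t unboxInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }
double unboxDouble(uint64_t v) { return doubleOf(v - DoubleEncodeOffset); }

// A cell address round-trips untouched and is identified as neither number nor "other".
bool cellBoxingRoundTrips()
{
    static int cellLike;                        // constructed stand-in for a heap cell
    uint64_t v = boxCell(&cellLike);
    return isCell(v) && !isNumber(v) && reinterpret_cast<const void*>(static_cast<uintptr_t>(v)) == &cellLike;
}

// The extreme double bit patterns listed in the entry.
constexpr uint64_t kDoubleExtremes[] = {
    0xfff8000000000000ull, // "negative" pureNaN
    0xfff0000000000000ull, // negative infinity
    0xffefffffffffffffull, // highest number (starts with 0xffe)
    0x0000000000000000ull, // lowest number (+0.0)
};

// Requirements 1-3 for a candidate tag width: after adding the offset, may any valid
// double collide with the int tag (top bits all set) or with the pointer range (top bits
// all clear)? The addition wraps mod 2^64 exactly like the real boxing arithmetic.
bool doubleEncodingConflicts(int tagBits)
{
    const int shift = 64 - tagBits;
    const uint64_t offset = 1ull << shift;
    const uint64_t intTag = ~0ull << shift;
    for (uint64_t raw : kDoubleExtremes) {
        uint64_t boxed = raw + offset;
        if ((boxed & intTag) == intTag) return true; // would be mistaken for an int
        if ((boxed >> shift) == 0) return true;      // would be mistaken for a pointer
    }
    return false;
}

// The smallest width that passes: 13 wraps pureNaN into the pointer range, 14 collides
// with the int tag (0xfff8 + 0x0004 = 0xfffc), and 15 is the first safe choice.
int minimumSafeTagBits()
{
    for (int bits = 13; bits <= 16; ++bits) {
        if (!doubleEncodingConflicts(bits)) return bits;
    }
    return -1;
}
```

        doubleEncodingConflicts generalizes the text's hand check to any tag width; note that it only needs the four extreme bit
        patterns because offsetting is monotonic over the unsigned bit pattern, so every other valid double lands between them.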
1676
1677 2019-09-19  Mark Lam  <mark.lam@apple.com>
1678
1679         Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
1680         https://bugs.webkit.org/show_bug.cgi?id=201989
1681
1682         Reviewed by Saam Barati.
1683
1684         This patch only unindents the code to get it back to compliant formatting.
1685         There is no actual code change.
1686
1687         * runtime/JSNonDestructibleProxy.h:
1688         (JSC::JSNonDestructibleProxy::subspaceFor):
1689         (JSC::JSNonDestructibleProxy::create):
1690         (JSC::JSNonDestructibleProxy::createStructure):
1691         (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):
1692
1693 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
1694
1695         Syntax checker should report duplicate __proto__ properties
1696         https://bugs.webkit.org/show_bug.cgi?id=201897
1697         <rdar://problem/53201788>
1698
1699         Reviewed by Mark Lam.
1700
1701         Currently we have two ways of parsing object literals:
1702         - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
1703           it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
1704           but it won't store them in the Property object that it creates for each parsed property. This
1705           method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters.
1706         - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters
1707           as stated above. This will always allocate string literals as well as identifiers and store them in
1708           the Property object, even during syntax checking.
1709
1710         From looking at the history, it seems that there was a distinction between these two methods:
1711         parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
1712         getters/setters or properties defined as both getters/setters and constants. That distinction
1713         was removed and the only distinction that remained was whether we build strings and store the
1714         strings and properties as part of the Property object created by SyntaxChecker::createProperty.
1715         However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
1716         __proto__ properties in object literals even in sloppy mode, which means that we do need to build
1717         the strings and identifiers and store them as part of the Property objects.
1718
1719         * parser/Parser.cpp:
1720         (JSC::Parser<LexerType>::parseObjectLiteral):
1721         (JSC::Parser<LexerType>::parsePrimaryExpression):
1722         (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
1723         * parser/Parser.h:
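
        The rule the parser change has to enforce, as an added example in C++ (not WebKit's Parser.cpp): a small property-key
        scanner over one object literal that counts definitions of the exact form `__proto__: value`, which is the only form the
        ECMAScript early error for duplicate __proto__ applies to (identifier or string key; not computed, shorthand, method or
        accessor). Function names such as countPlainProtoDefinitions and hasDuplicateProto are chosen here; the sample literals in
        the comments are constructed.

```cpp
#include <cctype>
#include <string>

namespace {

bool isIdentChar(char c) { return std::isalnum(static_cast<unsigned char>(c)) || c == '_' || c == '$'; }
bool startsKey(char c) { return isIdentChar(c) || c == '"' || c == '\'' || c == '[' || c == '*'; }

void skipSpace(const std::string& s, size_t& i)
{
    while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i])))
        ++i;
}

// Step over a quoted string; on return i is just past the closing quote.
void skipString(const std::string& s, size_t& i)
{
    char quote = s[i++];
    for (; i < s.size() && s[i] != quote; ++i) {
        if (s[i] == '\\')
            ++i;
    }
    if (i < s.size())
        ++i;
}

// Step over tokens until a ',' or closing bracket at nesting depth 0. Nested literals,
// calls and strings are opaque, so `{ a: "}", ... }` cannot derail the scan.
void skipBalanced(const std::string& s, size_t& i)
{
    int depth = 0;
    while (i < s.size()) {
        char c = s[i];
        if (c == '"' || c == '\'') { skipString(s, i); continue; }
        if (c == '{' || c == '[' || c == '(') ++depth;
        else if (c == '}' || c == ']' || c == ')') { if (!depth) return; --depth; }
        else if (c == ',' && !depth) return;
        ++i;
    }
}

// Read one property name at i; `computed` is set for `[expr]` keys.
bool readKey(const std::string& s, size_t& i, std::string& key, bool& computed)
{
    computed = false;
    key.clear();
    if (i >= s.size()) return false;
    size_t start = i;
    if (s[i] == '[') {
        computed = true;
        ++i;
        skipBalanced(s, i);            // stops at the matching ']'
        if (i < s.size()) ++i;
        return true;
    }
    if (s[i] == '"' || s[i] == '\'') {
        skipString(s, i);
        key = s.substr(start + 1, i - start - 2);
        return true;
    }
    if (!isIdentChar(s[i])) return false;
    while (i < s.size() && isIdentChar(s[i])) ++i;
    key = s.substr(start, i - start);
    return true;
}

} // namespace

// Number of `__proto__: value` definitions in the outermost object literal of `src`;
// -1 if `src` is not a well-formed object literal. Two or more is the SyntaxError case.
int countPlainProtoDefinitions(const std::string& src)
{
    size_t i = 0;
    skipSpace(src, i);
    if (i >= src.size() || src[i] != '{') return -1;
    ++i;
    int count = 0;
    for (;;) {
        skipSpace(src, i);
        if (i >= src.size()) return -1;                  // unterminated literal
        if (src[i] == '}') return count;
        bool modifier = false;                           // get/set/async/*: never the plain form
        if (src[i] == '*') { modifier = true; ++i; skipSpace(src, i); }
        std::string key; bool computed;
        if (!readKey(src, i, key, computed)) return -1;
        skipSpace(src, i);
        if (i < src.size() && startsKey(src[i])) {       // `get __proto__() {}` and friends
            modifier = true;
            if (src[i] == '*') { ++i; skipSpace(src, i); }
            if (!readKey(src, i, key, computed)) return -1;
            skipSpace(src, i);
        }
        if (i < src.size() && src[i] == ':') {
            ++i;
            if (!computed && !modifier && key == "__proto__") ++count;
        }
        skipBalanced(src, i);                            // value, method body or shorthand
        skipSpace(src, i);
        if (i < src.size() && src[i] == ',') ++i;
    }
}

bool hasDuplicateProto(const std::string& src) { return countPlainProtoDefinitions(src) >= 2; }
```

        The point of the entry is visible in the `key == "__proto__"` comparison: the check needs the property name materialized
        as a string (or identifier) for every definition, which is exactly what the old sloppy-mode syntax-check fast path skipped.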
1724
1725 2019-09-19  Mark Lam  <mark.lam@apple.com>
1726
1727         Remove a now unnecessary hack to work around static const needing external linkage.
1728         https://bugs.webkit.org/show_bug.cgi?id=201988
1729
1730         Reviewed by Saam Barati.
1731
1732         MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
1733         inlinable.
1734
1735         * b3/B3Common.cpp:
1736         (JSC::B3::pinnedExtendedOffsetAddrRegister):
1737
1738 2019-09-19  Mark Lam  <mark.lam@apple.com>
1739
1740         Replace JSValue #defines with static constexpr values.
1741         https://bugs.webkit.org/show_bug.cgi?id=201966
1742
1743         Reviewed by Yusuke Suzuki.
1744
1745         static constexpr is the modern C++ way to define these constants.
1746
1747         Some of the values are typed int64_t and some are int32_t.  The original #define
1748         values are int64_t.  Hence, we adopt int64_t as the default type to use here.
1749
1750         However, some of these constants are being used as 32-bit values, and the code
1751         was static_cast'ing them into int32_t.  This set of constants is all the small
1752         values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
1753         so that we don't have to keep casting them.  In the few places where they are
1754         used as int64_t, they will automatically get up-cast anyway.
1755
1756         In this patch, we also did the following:
1757
1758         1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
1759            basically using it to filter out cells like this:
1760
1761               if (value & NotCellMask) then goto handleNotCellCase;
1762
1763         2. Renamed TagTypeNumber to NumberTag for a shorter name.
1764
1765            Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
1766            They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.
1767
1768         3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value
1769            as a literal constant.  We now define DoubleEncodeOffset based on
1770            DoubleEncodeOffsetBit, ensuring consistency.
1771
1772         4. Introduced MiscTag so that clients don't have to put this set of tags together
1773            themselves.
1774
1775         5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
1776            captures these values correctly with constexpr statements.  These static
1777            asserts were holdovers from the old days back when we had to define LLInt
1778            constant values manually, and we needed a mechanism to detect when the values
1779            have changed in the source.
1780
1781         6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.
1782
1783         7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset
1784            constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
1785            to do this for ARM64 because the constant can be loaded efficiently with a single
1786            MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
1787            the target register.
1788
1789         * assembler/AbortReason.h:
1790         * bytecode/AccessCase.cpp:
1791         (JSC::AccessCase::generateWithGuard):
1792         * dfg/DFGOSRExit.cpp:
1793         (JSC::DFG::OSRExit::executeOSRExit):
1794         (JSC::DFG::OSRExit::compileExit):
1795         * dfg/DFGSpeculativeJIT.cpp:
1796         (JSC::DFG::SpeculativeJIT::silentFill):
1797         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1798         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1799         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1800         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1801         (JSC::DFG::SpeculativeJIT::speculateMisc):
1802         * dfg/DFGSpeculativeJIT.h:
1803         (JSC::DFG::SpeculativeJIT::spill):
1804         * dfg/DFGSpeculativeJIT64.cpp:
1805         (JSC::DFG::SpeculativeJIT::fillJSValue):
1806         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1807         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1808         (JSC::DFG::SpeculativeJIT::emitCall):
1809         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1810         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1811         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1812         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1813         (JSC::DFG::SpeculativeJIT::compileInt52Compare):
1814         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1815         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1816         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1817         (JSC::DFG::SpeculativeJIT::emitBranch):
1818         (JSC::DFG::SpeculativeJIT::compile):
1819         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1820         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1821         (JSC::DFG::SpeculativeJIT::blessBoolean):
1822         * ftl/FTLLowerDFGToB3.cpp:
1823         (JSC::FTL::DFG::LowerDFGToB3::lower):
1824         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1825         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1826         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
1827         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
1828         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1829         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1830         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1831         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
1832         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1833         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1834         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1835         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1836         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1837         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1838         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1839         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1840         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1841         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1842         (JSC::FTL::DFG::LowerDFGToB3::getById):
1843         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
1844         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1845         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1846         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
1847         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
1848         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
1849         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1850         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
1851         (JSC::FTL::DFG::LowerDFGToB3::isInt32):
1852         (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
1853         (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
1854         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
1855         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1856         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1857         (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
1858         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
1859         (JSC::FTL::DFG::LowerDFGToB3::isCell):
1860         (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
1861         (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
1862         (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
1863         (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
1864         (JSC::FTL::DFG::LowerDFGToB3::isOther):
1865         * ftl/FTLOSRExitCompiler.cpp:
1866         (JSC::FTL::reboxAccordingToFormat):
1867         (JSC::FTL::compileStub):
1868         * interpreter/CalleeBits.h:
1869         (JSC::CalleeBits::boxWasm):
1870         (JSC::CalleeBits::isWasm const):
1871         (JSC::CalleeBits::asWasmCallee const):
1872         * jit/AssemblyHelpers.cpp:
1873         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1874         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1875         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
1876         (JSC::AssemblyHelpers::jitAssertIsCell):
1877         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1878         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1879         * jit/AssemblyHelpers.h:
1880         (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
1881         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
1882         (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
1883         (JSC::AssemblyHelpers::branchIfNotCell):
1884         (JSC::AssemblyHelpers::branchIfCell):
1885         (JSC::AssemblyHelpers::branchIfOther):
1886         (JSC::AssemblyHelpers::branchIfNotOther):
1887         (JSC::AssemblyHelpers::branchIfInt32):
1888         (JSC::AssemblyHelpers::branchIfNotInt32):
1889         (JSC::AssemblyHelpers::branchIfNumber):
1890         (JSC::AssemblyHelpers::branchIfNotNumber):
1891         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
1892         (JSC::AssemblyHelpers::branchIfBoolean):
1893         (JSC::AssemblyHelpers::branchIfNotBoolean):
1894         (JSC::AssemblyHelpers::boxDouble):
1895         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
1896         (JSC::AssemblyHelpers::boxInt52):
1897         (JSC::AssemblyHelpers::boxBooleanPayload):
1898         (JSC::AssemblyHelpers::boxInt32):
1899         * jit/CallFrameShuffleData.h:
1900         * jit/CallFrameShuffler.cpp:
1901         (JSC::CallFrameShuffler::CallFrameShuffler):
1902         (JSC::CallFrameShuffler::dump const):
1903         (JSC::CallFrameShuffler::prepareAny):
1904         * jit/CallFrameShuffler.h:
1905         (JSC::CallFrameShuffler::getFreeRegister const):
1906         * jit/CallFrameShuffler64.cpp:
1907         (JSC::CallFrameShuffler::emitBox):
1908         (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
1909         (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
1910         * jit/GPRInfo.h:
1911         (JSC::GPRInfo::reservedRegisters):
1912         * jit/JITArithmetic.cpp:
1913         (JSC::JIT::emit_compareAndJumpSlow):
1914         * jit/JITBitAndGenerator.cpp:
1915         (JSC::JITBitAndGenerator::generateFastPath):
1916         * jit/JITBitOrGenerator.cpp:
1917         (JSC::JITBitOrGenerator::generateFastPath):
1918         * jit/JITBitXorGenerator.cpp:
1919         (JSC::JITBitXorGenerator::generateFastPath):
1920         * jit/JITCall.cpp:
1921         (JSC::JIT::compileTailCall):
1922         * jit/JITDivGenerator.cpp:
1923         (JSC::JITDivGenerator::generateFastPath):
1924         * jit/JITInlines.h:
1925         (JSC::JIT::emitPatchableJumpIfNotInt):
1926         * jit/JITLeftShiftGenerator.cpp:
1927         (JSC::JITLeftShiftGenerator::generateFastPath):
1928         * jit/JITMulGenerator.cpp:
1929         (JSC::JITMulGenerator::generateFastPath):
1930         * jit/JITOpcodes.cpp:
1931         (JSC::JIT::emit_op_overrides_has_instance):
1932         (JSC::JIT::emit_op_is_undefined):
1933         (JSC::JIT::emit_op_is_undefined_or_null):
1934         (JSC::JIT::emit_op_is_boolean):
1935         (JSC::JIT::emit_op_is_number):
1936         (JSC::JIT::emit_op_is_cell_with_type):
1937         (JSC::JIT::emit_op_is_object):
1938         (JSC::JIT::emit_op_not):
1939         (JSC::JIT::emit_op_jeq_null):
1940         (JSC::JIT::emit_op_jneq_null):
1941         (JSC::JIT::emit_op_jundefined_or_null):
1942         (JSC::JIT::emit_op_jnundefined_or_null):
1943         (JSC::JIT::emit_op_eq_null):
1944         (JSC::JIT::emit_op_neq_null):
1945         * jit/JITPropertyAccess.cpp:
1946         (JSC::JIT::emitGenericContiguousPutByVal):
1947         (JSC::JIT::emitFloatTypedArrayPutByVal):
1948         * jit/JITRightShiftGenerator.cpp:
1949         (JSC::JITRightShiftGenerator::generateFastPath):
1950         * jit/RegisterSet.cpp:
1951         (JSC::RegisterSet::runtimeTagRegisters):
1952         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1953         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1954         (JSC::RegisterSet::ftlCalleeSaveRegisters):
1955         * jit/SpecializedThunkJIT.h:
1956         (JSC::SpecializedThunkJIT::returnDouble):
1957         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
1958         * jit/ThunkGenerators.cpp:
1959         (JSC::virtualThunkFor):
1960         (JSC::nativeForGenerator):
1961         (JSC::arityFixupGenerator):
1962         (JSC::absThunkGenerator):
1963         * llint/LLIntData.cpp:
1964         (JSC::LLInt::Data::performAssertions):
1965         * llint/LowLevelInterpreter.asm:
1966         * llint/LowLevelInterpreter.cpp:
1967         (JSC::CLoop::execute):
1968         * llint/LowLevelInterpreter64.asm:
1969         * offlineasm/arm64.rb:
1970         * offlineasm/cloop.rb:
1971         * offlineasm/x86.rb:
1972         * runtime/JSCJSValue.h:
1973         * runtime/JSCJSValueInlines.h:
1974         (JSC::JSValue::isUndefinedOrNull const):
1975         (JSC::JSValue::isCell const):
1976         (JSC::JSValue::isInt32 const):
1977         (JSC::JSValue::JSValue):
1978         (JSC::JSValue::asDouble const):
1979         (JSC::JSValue::isNumber const):
1980         * wasm/js/WasmToJS.cpp:
1981         (JSC::Wasm::wasmToJS):
1982         * wasm/js/WebAssemblyFunction.cpp:
1983         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1984
1985 2019-09-18  Devin Rousso  <drousso@apple.com>
1986
1987         Web Inspector: Better handling for large arrays and collections in Object Trees
1988         https://bugs.webkit.org/show_bug.cgi?id=143589
1989         <rdar://problem/16135388>
1990
1991         Reviewed by Joseph Pecoraro.
1992
1993         Adds two buttons before the "Prototype" item in expanded object/collection previews:
1994          - Show %d More
1995          - Show All (%d More)
1996
1997         The default `fetchCount` increment is `100`. The first button will only be shown if there
1998         are more than `100` items remaining (haven't been shown).
1999
2000         * inspector/InjectedScriptSource.js:
2001         (InjectedScript.prototype.getProperties):
2002         (InjectedScript.prototype.getDisplayableProperties):
2003         (InjectedScript.prototype.getCollectionEntries):
2004         (InjectedScript.prototype._getProperties):
2005         (InjectedScript.prototype._internalPropertyDescriptors):
2006         (InjectedScript.prototype._propertyDescriptors):
2007         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
2008         (InjectedScript.prototype._propertyDescriptors.processProperties):
2009         (InjectedScript.prototype._getSetEntries):
2010         (InjectedScript.prototype._getMapEntries):
2011         (InjectedScript.prototype._getWeakMapEntries):
2012         (InjectedScript.prototype._getWeakSetEntries):
2013         (InjectedScript.prototype._getIteratorEntries):
2014         (InjectedScript.prototype._entries):
2015         (RemoteObject.prototype._generatePreview):
2016         (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
2017         Don't include boolean property descriptor values if they are `false`.
2018
2019         * inspector/JSInjectedScriptHost.cpp:
2020         (Inspector::JSInjectedScriptHost::weakMapEntries):
2021         (Inspector::JSInjectedScriptHost::weakSetEntries):
2022
2023         * inspector/InjectedScript.h:
2024         * inspector/InjectedScript.cpp:
2025         (Inspector::InjectedScript::getProperties):
2026         (Inspector::InjectedScript::getDisplayableProperties):
2027         (Inspector::InjectedScript::getCollectionEntries):
2028
2029         * inspector/agents/InspectorRuntimeAgent.h:
2030         * inspector/agents/InspectorRuntimeAgent.cpp:
2031         (Inspector::asInt): Added.
2032         (Inspector::InspectorRuntimeAgent::getProperties):
2033         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2034         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2035
2036         * inspector/protocol/Runtime.json:
2037         Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
2038         Mark boolean properties as optional so they can be omitted if `false`.
2039
2040 2019-09-18  Joonghun Park  <pjh0718@gmail.com>
2041
2042         Unreviewed. Remove build warning since r249976.
2043
2044         No new tests, no behavioral changes.
2045
2046         This patch removes the build warning below.
2047         warning: control reaches end of non-void function [-Wreturn-type]
2048
2049         * dfg/DFGArrayMode.cpp:
2050         (JSC::DFG::ArrayMode::alreadyChecked const):
2051
2052 2019-09-18  Saam Barati  <sbarati@apple.com>
2053
2054         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
2055         https://bugs.webkit.org/show_bug.cgi?id=201953
2056         <rdar://problem/53803524>
2057
2058         Reviewed by Yusuke Suzuki.
2059
2060         We had code in DFGSpeculativeJIT like:
2061         
2062         if (!globalObject->isHavingABadTime()) {
2063             <-- here -->
2064             Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
2065             assert 's' has expected indexing type
2066         }
2067         
2068         The problem is, we may have a bad time before we actually load the structure
2069         inside the if. We may have a bad time while we're at the "<-- here -->" in the
2070         above program. The fix is to first load the structure, then check if we're
2071         having a bad time. If we're still not having a bad time, it's valid to assert
2072         things about the structure.
2073
2074         * dfg/DFGSpeculativeJIT.cpp:
2075         (JSC::DFG::SpeculativeJIT::compileNewArray):
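
        A deterministic model of the check-then-load ordering described above, as an added example that is not JSC code: `GlobalObject`, `Structure` and the `interleave` hook are constructed here to stand in for the real objects, and the hook fires at the `<-- here -->` point to simulate another thread putting the global object into the bad-time state between the check and the load.

```cpp
// Added example, not code from JavaScriptCore. Models the TOCTOU described in
// the entry above: a "having a bad time" flag that another thread can set
// between the flag check and the structure load.
#include <cstdio>
#include <functional>

enum class IndexingType { Int32 = 0, Double, Contiguous, SlowPut };

struct Structure {
    IndexingType indexingType;
};

struct GlobalObject {
    bool havingABadTime = false;
    // Fast array structures, indexed by IndexingType (constructed for the model).
    Structure fastStructures[3] = { {IndexingType::Int32}, {IndexingType::Double}, {IndexingType::Contiguous} };
    Structure slowPutStructure { IndexingType::SlowPut };
    // Hook standing in for another thread; it runs at the interleaving point.
    std::function<void()> interleave;

    bool isHavingABadTime() const { return havingABadTime; }
    void haveABadTime() { havingABadTime = true; }

    // Once we are having a bad time, every array allocation gets the slow-put
    // structure regardless of the indexing type that was asked for.
    Structure* arrayStructureForIndexingTypeDuringAllocation(IndexingType t) {
        if (havingABadTime)
            return &slowPutStructure;
        return &fastStructures[static_cast<int>(t)]; // only fast types are passed in
    }
};

// Original ordering: check the flag, then load the structure.
// Returns true if the assertion "s has the expected indexing type" would hold.
bool checkThenLoad(GlobalObject& g, IndexingType expected) {
    if (!g.isHavingABadTime()) {
        if (g.interleave) g.interleave();   // <-- here --> another thread flips the flag
        Structure* s = g.arrayStructureForIndexingTypeDuringAllocation(expected);
        return s->indexingType == expected; // false means the assertion would fire
    }
    return true; // no assertion attempted
}

// Fixed ordering: load the structure first, then check the flag. A bad time that
// starts after the load is seen by the check, so the stale structure is not asserted on.
bool loadThenCheck(GlobalObject& g, IndexingType expected) {
    Structure* s = g.arrayStructureForIndexingTypeDuringAllocation(expected);
    if (g.interleave) g.interleave();       // the same interleaving point, now after the load
    if (!g.isHavingABadTime())
        return s->indexingType == expected;
    return true;
}

static void raceInto(GlobalObject& g) { g.interleave = [&g] { g.haveABadTime(); }; }

bool checkThenLoadWithoutRace() { GlobalObject g; return checkThenLoad(g, IndexingType::Int32); }
bool checkThenLoadWithRace()    { GlobalObject g; raceInto(g); return checkThenLoad(g, IndexingType::Int32); }
bool loadThenCheckWithoutRace() { GlobalObject g; return loadThenCheck(g, IndexingType::Int32); }
bool loadThenCheckWithRace()    { GlobalObject g; raceInto(g); return loadThenCheck(g, IndexingType::Int32); }

int main() {
    std::printf("check-then-load, no race:  %s\n", checkThenLoadWithoutRace() ? "assertion holds" : "assertion fires");
    std::printf("check-then-load, raced:    %s\n", checkThenLoadWithRace() ? "assertion holds" : "assertion fires");
    std::printf("load-then-check, raced:    %s\n", loadThenCheckWithRace() ? "assertion holds" : "assertion fires");
    return 0;
}
```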
2076
2077 2019-09-18  Chris Dumez  <cdumez@apple.com>
2078
2079         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
2080         https://bugs.webkit.org/show_bug.cgi?id=201947
2081         <rdar://problem/55453612>
2082
2083         Reviewed by Mark Lam.
2084
2085         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
2086         but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
2087         <https://trac.webkit.org/changeset/249064>.
2088
2089         * API/JSContextRef.cpp:
2090         (JSContextGroupCreate):
2091         (JSGlobalContextCreate):
2092         (JSGlobalContextCreateInGroup):
2093
2094 2019-09-18  Saam Barati  <sbarati@apple.com>
2095
2096         Phantom insertion phase may disagree with arguments forwarding about live ranges
2097         https://bugs.webkit.org/show_bug.cgi?id=200715
2098         <rdar://problem/54301717>
2099
2100         Reviewed by Yusuke Suzuki.
2101
2102         The issue is that Phantom insertion phase was disagreeing with the arguments
2103         forwarding phase about live ranges. The effect is that Phantom insertion
2104         would insert a Phantom creating a longer live range than what arguments
2105         forwarding was analyzing. Arguments forwarding will look for the last DFG
2106         use or the last bytecode use of a variable it wants to eliminate. It then
2107         does an interference analysis to ensure that nothing clobbers other variables
2108         it needs to recover the sunken allocation during OSR exit.
2109         
2110         Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
2111         in the current epoch, there is no need to insert a phantom for it. We
2112         determine where we might need a Phantom by looking at bytecode kills. In this
2113         analysis, we have a mapping from bytecode local to DFG node. However, we
2114         sometimes forgot to remove the entry when a local is killed. So, if the first
2115         kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
2116         However, if the variable gets killed again, we might errantly insert a Phantom
2117         for the prior variable which should've already been killed. The solution is to
2118         clear the entry in our mapping when a variable is killed.
2119         
2120         The program in question was like this:
2121         
2122         1: DirectArguments
2123         ...
2124         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
2125         ...
2126         clobber things needed for recovery
2127         ...
2128         
2129         Arguments elimination would transform the program since between @1 and
2130         @2, nothing clobbers values needed for exit and nothing escapes @1. The
2131         program becomes:
2132         
2133         1: PhantomDirectArguments
2134         ...
2135         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
2136         ...
2137         clobber things needed for recovery of @1
2138         ...
2139         
2140         
2141         Phantom insertion would then transform the program into:
2142         
2143         1: PhantomDirectArguments
2144         ...
2145         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
2146         ...
2147         clobber things needed for recovery of @1
2148         ...
2149         3: Phantom(@1)
2150         ...
2151         
2152         This is wrong because Phantom insertion and arguments forwarding must agree on live
2153         ranges, otherwise the interference analysis performed by arguments forwarding will
2154         not correctly analyze up until where the value might be recovered.
2155
2156         * dfg/DFGPhantomInsertionPhase.cpp:
2157
2158 2019-09-18  Commit Queue  <commit-queue@webkit.org>
2159
2160         Unreviewed, rolling out r250002.
2161         https://bugs.webkit.org/show_bug.cgi?id=201943
2162
2163         Patching of the callee and call is not atomic (Requested by
2164         tadeuzagallo on #webkit).
2165
2166         Reverted changeset:
2167
2168         "Change WebAssembly calling conventions"
2169         https://bugs.webkit.org/show_bug.cgi?id=201799
2170         https://trac.webkit.org/changeset/250002
2171
2172 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2173
2174         [JSC] Generator should have internal fields
2175         https://bugs.webkit.org/show_bug.cgi?id=201159
2176
2177         Reviewed by Keith Miller.
2178
2179         This patch makes generator's internal states InternalField instead of private properties.
2180         Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures.
2181         As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.
2182
2183         If we make these structures adaptively poly-proto, some generators get poly-proto structures while others do not, resulting
2184         in megamorphic lookup in Generator.prototype.next. If we make all the generators' structures poly-proto, it makes Generator.prototype.next
2185         lookup suboptimal for now.
2186
2187         In this patch, we start with a relatively simple solution. This patch introduces the JSGenerator class, which has internal fields for the generator's internal
2188         states. We extend the promise-internal-field access bytecodes to access these fields from bytecode so that Generator.prototype.next can access
2189         these fields without using megamorphic get_by_id_direct.
2190
2191         And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.
2192
2193         We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
2194         JSGenerator can still offer a way to access the same Generator internal fields at the same offset, while poly-proto JSGenerator can use the offset = 0
2195         inline-storage slot for the PolyProto implementation.
2196
2197         This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
2198         In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.
2199
2200         This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.
2201
2202         This patch includes several design decisions.
2203
2204             1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
2205             2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
2206                support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
2207             3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things into the subsequent internal fields. But for now,
2208                we are not taking this approach just because I'm not sure this is necessary. If we find such a pattern, we can easily extend the current one, but for now I would like to keep
2209                this patch simple.
2210
2211         * JavaScriptCore.xcodeproj/project.pbxproj:
2212         * Sources.txt:
2213         * builtins/AsyncFunctionPrototype.js:
2214         (globalPrivate.asyncFunctionResume):
2215         * builtins/GeneratorPrototype.js:
2216         (globalPrivate.generatorResume):
2217         (next):
2218         (return):
2219         (throw):
2220         * bytecode/BytecodeGeneratorification.cpp:
2221         (JSC::BytecodeGeneratorification::run):
2222         * bytecode/BytecodeIntrinsicRegistry.cpp:
2223         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2224         * bytecode/BytecodeIntrinsicRegistry.h:
2225         * bytecode/BytecodeList.rb:
2226         * bytecode/BytecodeUseDef.h:
2227         (JSC::computeUsesForBytecodeOffset):
2228         (JSC::computeDefsForBytecodeOffset):
2229         * bytecode/CodeBlock.cpp:
2230         (JSC::CodeBlock::finishCreation):
2231         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2232         * bytecode/SpeculatedType.cpp:
2233         (JSC::speculationFromJSType):
2234         * bytecode/SpeculatedType.h:
2235         * bytecompiler/BytecodeGenerator.cpp:
2236         (JSC::BytecodeGenerator::BytecodeGenerator):
2237         (JSC::BytecodeGenerator::emitPutGeneratorFields):
2238         (JSC::BytecodeGenerator::emitCreateGenerator):
2239         (JSC::BytecodeGenerator::emitNewGenerator):
2240         (JSC::BytecodeGenerator::emitYield):
2241         (JSC::BytecodeGenerator::emitDelegateYield):
2242         (JSC::BytecodeGenerator::emitGeneratorStateChange):
2243         * bytecompiler/BytecodeGenerator.h:
2244         (JSC::BytecodeGenerator::emitIsGenerator):
2245         (JSC::BytecodeGenerator::generatorStateRegister):
2246         (JSC::BytecodeGenerator::generatorValueRegister):
2247         (JSC::BytecodeGenerator::generatorResumeModeRegister):
2248         (JSC::BytecodeGenerator::generatorFrameRegister):
2249         * bytecompiler/NodesCodegen.cpp:
2250         (JSC::generatorInternalFieldIndex):
2251         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
2252         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
2253         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
2254         (JSC::FunctionNode::emitBytecode):
2255         * dfg/DFGAbstractInterpreterInlines.h:
2256         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2257         * dfg/DFGByteCodeParser.cpp:
2258         (JSC::DFG::ByteCodeParser::parseBlock):
2259         * dfg/DFGCapabilities.cpp:
2260         (JSC::DFG::capabilityLevel):
2261         * dfg/DFGClobberize.h:
2262         (JSC::DFG::clobberize):
2263         * dfg/DFGClobbersExitState.cpp:
2264         (JSC::DFG::clobbersExitState):
2265         * dfg/DFGConstantFoldingPhase.cpp:
2266         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2267         * dfg/DFGDoesGC.cpp:
2268         (JSC::DFG::doesGC):
2269         * dfg/DFGFixupPhase.cpp:
2270         (JSC::DFG::FixupPhase::fixupNode):
2271         (JSC::DFG::FixupPhase::fixupIsCellWithType):
2272         * dfg/DFGGraph.cpp:
2273         (JSC::DFG::Graph::dump):
2274         * dfg/DFGNode.h:
2275         (JSC::DFG::Node::convertToNewGenerator):
2276         (JSC::DFG::Node::speculatedTypeForQuery):
2277         (JSC::DFG::Node::hasStructure):
2278         * dfg/DFGNodeType.h:
2279         * dfg/DFGOperations.cpp:
2280         * dfg/DFGOperations.h:
2281         * dfg/DFGPredictionPropagationPhase.cpp:
2282         * dfg/DFGSafeToExecute.h:
2283         (JSC::DFG::safeToExecute):
2284         * dfg/DFGSpeculativeJIT.cpp:
2285         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
2286         (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
2287         (JSC::DFG::SpeculativeJIT::compileNewGenerator):
2288         * dfg/DFGSpeculativeJIT.h:
2289         * dfg/DFGSpeculativeJIT32_64.cpp:
2290         (JSC::DFG::SpeculativeJIT::compile):
2291         * dfg/DFGSpeculativeJIT64.cpp:
2292         (JSC::DFG::SpeculativeJIT::compile):
2293         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2294         * ftl/FTLCapabilities.cpp:
2295         (JSC::FTL::canCompile):
2296         * ftl/FTLLowerDFGToB3.cpp:
2297         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2298         (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
2299         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2300         (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
2301         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
2302         * jit/JIT.cpp:
2303         (JSC::JIT::privateCompileMainPass):
2304         (JSC::JIT::privateCompileSlowCases):
2305         * jit/JITOperations.cpp:
2306         * jit/JITOperations.h:
2307         * jit/JITPropertyAccess.cpp:
2308         (JSC::JIT::emit_op_get_internal_field):
2309         (JSC::JIT::emit_op_put_internal_field):
2310         * llint/LowLevelInterpreter.asm:
2311         * runtime/CommonSlowPaths.cpp:
2312         (JSC::SLOW_PATH_DECL):
2313         * runtime/CommonSlowPaths.h:
2314         * runtime/InternalFunction.cpp:
2315         (JSC::InternalFunction::createSubclassStructureSlow):
2316         * runtime/InternalFunction.h:
2317         (JSC::InternalFunction::createSubclassStructure):
2318         * runtime/JSGenerator.cpp: Added.
2319         (JSC::JSGenerator::create):
2320         (JSC::JSGenerator::createStructure):
2321         (JSC::JSGenerator::JSGenerator):
2322         (JSC::JSGenerator::finishCreation):
2323         (JSC::JSGenerator::visitChildren):
2324         * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
2325         * runtime/JSGeneratorFunction.h:
2326         * runtime/JSGlobalObject.cpp:
2327         (JSC::JSGlobalObject::init):
2328         (JSC::JSGlobalObject::visitChildren):
2329         * runtime/JSGlobalObject.h:
2330         (JSC::JSGlobalObject::generatorStructure const):
2331         * runtime/JSType.cpp:
2332         (WTF::printInternal):
2333         * runtime/JSType.h:
2334
2335 2019-09-17  Keith Miller  <keith_miller@apple.com>
2336
2337         Move comment explaining our Options to OptionsList.h
2338         https://bugs.webkit.org/show_bug.cgi?id=201891
2339
2340         Rubber-stamped by Mark Lam.
2341
2342         We moved the list so we should move the comment.
2343
2344         * runtime/Options.h:
2345         * runtime/OptionsList.h:
2346
2347 2019-09-17  Keith Miller  <keith_miller@apple.com>
2348
2349         Elide unnecessary moves in Air O0
2350         https://bugs.webkit.org/show_bug.cgi?id=201703
2351
2352         Reviewed by Saam Barati.
2353
2354         This patch also removes the code that would try to reuse temps in
2355         WasmAirIRGenerator. That code makes it hard to accurately
2356         determine where a temp dies as it could be reused again
2357         later. Thus every temp may appear to live for a long time in the
2358         global ordering.
2359
2360         This appears to be a minor progression on the overall score of
2361         wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.
2362
2363         This patch also fixes an issue where we didn't ask Patchpoints
2364         for early clobber registers when determining what callee saves
2365         were used by the program.
2366
2367         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
2368         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
2369         * b3/air/AirBasicBlock.h:
2370         * b3/air/AirCode.h:
2371         * b3/air/AirHandleCalleeSaves.cpp:
2372         (JSC::B3::Air::handleCalleeSaves):
2373         * b3/air/testair.cpp:
2374         * wasm/WasmAirIRGenerator.cpp:
2375         (JSC::Wasm::AirIRGenerator::didKill): Deleted.
2376         * wasm/WasmB3IRGenerator.cpp:
2377         (JSC::Wasm::B3IRGenerator::didKill): Deleted.
2378         * wasm/WasmFunctionParser.h:
2379         (JSC::Wasm::FunctionParser<Context>::parseBody):
2380         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2381         * wasm/WasmValidate.cpp:
2382         (JSC::Wasm::Validate::didKill): Deleted.
2383
2384 2019-09-17  Mark Lam  <mark.lam@apple.com>
2385
2386         Use constexpr instead of const in symbol definitions that are obviously constexpr.
2387         https://bugs.webkit.org/show_bug.cgi?id=201879
2388
2389         Rubber-stamped by Joseph Pecoraro.
2390
2391         const may require external storage  (at the compiler's whim) though these
2392         currently do not.  constexpr makes it clear that the value is a literal constant
2393         that can be inlined.  In most cases in the code, when we say static const, we
2394         actually mean static constexpr.  I'm changing the code to reflect this.
2395
2396         * API/JSAPIValueWrapper.h:
2397         * API/JSCallbackConstructor.h:
2398         * API/JSCallbackObject.h:
2399         * API/JSContextRef.cpp:
2400         * API/JSWrapperMap.mm:
2401         * API/tests/CompareAndSwapTest.cpp:
2402         * API/tests/TypedArrayCTest.cpp:
2403         * API/tests/testapi.mm:
2404         (testObjectiveCAPIMain):
2405         * KeywordLookupGenerator.py:
2406         (Trie.printAsC):
2407         * assembler/ARMv7Assembler.h:
2408         * assembler/AssemblerBuffer.h:
2409         * assembler/AssemblerCommon.h:
2410         * assembler/MacroAssembler.h:
2411         * assembler/MacroAssemblerARM64.h:
2412         * assembler/MacroAssemblerARM64E.h:
2413         * assembler/MacroAssemblerARMv7.h:
2414         * assembler/MacroAssemblerCodeRef.h:
2415         * assembler/MacroAssemblerMIPS.h:
2416         * assembler/MacroAssemblerX86.h:
2417         * assembler/MacroAssemblerX86Common.h:
2418         (JSC::MacroAssemblerX86Common::absDouble):
2419         (JSC::MacroAssemblerX86Common::negateDouble):
2420         * assembler/MacroAssemblerX86_64.h:
2421         * assembler/X86Assembler.h:
2422         * b3/B3Bank.h:
2423         * b3/B3CheckSpecial.h:
2424         * b3/B3DuplicateTails.cpp:
2425         * b3/B3EliminateCommonSubexpressions.cpp:
2426         * b3/B3FixSSA.cpp:
2427         * b3/B3FoldPathConstants.cpp:
2428         * b3/B3InferSwitches.cpp:
2429         * b3/B3Kind.h:
2430         * b3/B3LowerToAir.cpp:
2431         * b3/B3NativeTraits.h:
2432         * b3/B3ReduceDoubleToFloat.cpp:
2433         * b3/B3ReduceLoopStrength.cpp:
2434         * b3/B3ReduceStrength.cpp:
2435         * b3/B3ValueKey.h:
2436         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2437         * b3/air/AirAllocateStackByGraphColoring.cpp:
2438         * b3/air/AirArg.h:
2439         * b3/air/AirCCallSpecial.h:
2440         * b3/air/AirEmitShuffle.cpp:
2441         * b3/air/AirFixObviousSpills.cpp:
2442         * b3/air/AirFormTable.h:
2443         * b3/air/AirLowerAfterRegAlloc.cpp:
2444         * b3/air/AirPrintSpecial.h:
2445         * b3/air/AirStackAllocation.cpp:
2446         * b3/air/AirTmp.h:
2447         * b3/testb3_6.cpp:
2448         (testInterpreter):
2449         * bytecode/AccessCase.cpp:
2450         * bytecode/CallLinkStatus.cpp:
2451         * bytecode/CallVariant.h:
2452         * bytecode/CodeBlock.h:
2453         * bytecode/CodeOrigin.h:
2454         * bytecode/DFGExitProfile.h:
2455         * bytecode/DirectEvalCodeCache.h:
2456         * bytecode/ExecutableToCodeBlockEdge.h:
2457         * bytecode/GetterSetterAccessCase.cpp:
2458         * bytecode/LazyOperandValueProfile.h:
2459         * bytecode/ObjectPropertyCondition.h:
2460         * bytecode/ObjectPropertyConditionSet.cpp:
2461         * bytecode/PolymorphicAccess.cpp:
2462         * bytecode/PropertyCondition.h:
2463         * bytecode/SpeculatedType.h:
2464         * bytecode/StructureStubInfo.cpp:
2465         * bytecode/UnlinkedCodeBlock.cpp:
2466         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
2467         * bytecode/UnlinkedCodeBlock.h:
2468         * bytecode/UnlinkedEvalCodeBlock.h:
2469         * bytecode/UnlinkedFunctionCodeBlock.h:
2470         * bytecode/UnlinkedFunctionExecutable.h:
2471         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2472         * bytecode/UnlinkedProgramCodeBlock.h:
2473         * bytecode/ValueProfile.h:
2474         * bytecode/VirtualRegister.h:
2475         * bytecode/Watchpoint.h:
2476         * bytecompiler/BytecodeGenerator.h:
2477         * bytecompiler/Label.h:
2478         * bytecompiler/NodesCodegen.cpp:
2479         (JSC::ThisNode::emitBytecode):
2480         * bytecompiler/RegisterID.h:
2481         * debugger/Breakpoint.h:
2482         * debugger/DebuggerParseData.cpp:
2483         * debugger/DebuggerPrimitives.h:
2484         * debugger/DebuggerScope.h:
2485         * dfg/DFGAbstractHeap.h:
2486         * dfg/DFGAbstractValue.h:
2487         * dfg/DFGArgumentsEliminationPhase.cpp:
2488         * dfg/DFGByteCodeParser.cpp:
2489         * dfg/DFGCSEPhase.cpp:
2490         * dfg/DFGCommon.h:
2491         * dfg/DFGCompilationKey.h:
2492         * dfg/DFGDesiredGlobalProperty.h:
2493         * dfg/DFGEdgeDominates.h:
2494         * dfg/DFGEpoch.h:
2495         * dfg/DFGForAllKills.h:
2496         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2497         * dfg/DFGGraph.cpp:
2498         (JSC::DFG::Graph::isLiveInBytecode):
2499         * dfg/DFGHeapLocation.h:
2500         * dfg/DFGInPlaceAbstractState.cpp:
2501         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2502         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2503         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2504         * dfg/DFGLICMPhase.cpp:
2505         * dfg/DFGLazyNode.h:
2506         * dfg/DFGMinifiedID.h:
2507         * dfg/DFGMovHintRemovalPhase.cpp:
2508         * dfg/DFGNodeFlowProjection.h:
2509         * dfg/DFGNodeType.h:
2510         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2511         * dfg/DFGPhantomInsertionPhase.cpp:
2512         * dfg/DFGPromotedHeapLocation.h:
2513         * dfg/DFGPropertyTypeKey.h:
2514         * dfg/DFGPureValue.h:
2515         * dfg/DFGPutStackSinkingPhase.cpp:
2516         * dfg/DFGRegisterBank.h:
2517         * dfg/DFGSSAConversionPhase.cpp:
2518         * dfg/DFGSSALoweringPhase.cpp:
2519         * dfg/DFGSpeculativeJIT.cpp:
2520         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2521         (JSC::DFG::compileClampDoubleToByte):
2522         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2523         (JSC::DFG::compileArithPowIntegerFastPath):
2524         (JSC::DFG::SpeculativeJIT::compileArithPow):
2525         (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
2526         * dfg/DFGStackLayoutPhase.cpp:
2527         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2528         * dfg/DFGStrengthReductionPhase.cpp:
2529         * dfg/DFGStructureAbstractValue.h:
2530         * dfg/DFGVarargsForwardingPhase.cpp:
2531         * dfg/DFGVariableEventStream.cpp:
2532         (JSC::DFG::VariableEventStream::reconstruct const):
2533         * dfg/DFGWatchpointCollectionPhase.cpp:
2534         * disassembler/ARM64/A64DOpcode.h:
2535         * ftl/FTLLocation.h:
2536         * ftl/FTLLowerDFGToB3.cpp:
2537         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
2538         * ftl/FTLSlowPathCall.cpp:
2539         * ftl/FTLSlowPathCallKey.h:
2540         * heap/CellContainer.h:
2541         * heap/CellState.h:
2542         * heap/ConservativeRoots.h:
2543         * heap/GCSegmentedArray.h:
2544         * heap/HandleBlock.h:
2545         * heap/Heap.cpp:
2546         (JSC::Heap::updateAllocationLimits):
2547         * heap/Heap.h:
2548         * heap/HeapSnapshot.h:
2549         * heap/HeapUtil.h:
2550         (JSC::HeapUtil::findGCObjectPointersForMarking):
2551         * heap/IncrementalSweeper.cpp:
2552         * heap/LargeAllocation.h:
2553         * heap/MarkedBlock.cpp:
2554         * heap/Strong.h:
2555         * heap/VisitRaceKey.h:
2556         * heap/Weak.h:
2557         * heap/WeakBlock.h:
2558         * inspector/JSInjectedScriptHost.h:
2559         * inspector/JSInjectedScriptHostPrototype.h:
2560         * inspector/JSJavaScriptCallFrame.h:
2561         * inspector/JSJavaScriptCallFramePrototype.h:
2562         * inspector/agents/InspectorConsoleAgent.cpp:
2563         * inspector/agents/InspectorRuntimeAgent.cpp:
2564         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2565         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2566         (CppProtocolTypesHeaderGenerator._generate_versions):
2567         * inspector/scripts/tests/generic/expected/version.json-result:
2568         * interpreter/Interpreter.h:
2569         * interpreter/ShadowChicken.cpp:
2570         * jit/BinarySwitch.cpp:
2571         * jit/CallFrameShuffler.h:
2572         * jit/ExecutableAllocator.h:
2573         * jit/FPRInfo.h:
2574         * jit/GPRInfo.h:
2575         * jit/ICStats.h:
2576         * jit/JITThunks.h:
2577         * jit/Reg.h:
2578         * jit/RegisterSet.h:
2579         * jit/TempRegisterSet.h:
2580         * jsc.cpp:
2581         * parser/ASTBuilder.h:
2582         * parser/Nodes.h:
2583         * parser/SourceCodeKey.h:
2584         * parser/SyntaxChecker.h:
2585         * parser/VariableEnvironment.h:
2586         * profiler/ProfilerOrigin.h:
2587         * profiler/ProfilerOriginStack.h:
2588         * profiler/ProfilerUID.h:
2589         * runtime/AbstractModuleRecord.cpp:
2590         * runtime/ArrayBufferNeuteringWatchpointSet.h:
2591         * runtime/ArrayConstructor.h:
2592         * runtime/ArrayConventions.h:
2593         * runtime/ArrayIteratorPrototype.h:
2594         * runtime/ArrayPrototype.cpp:
2595         (JSC::setLength):
2596         * runtime/AsyncFromSyncIteratorPrototype.h:
2597         * runtime/AsyncGeneratorFunctionPrototype.h:
2598         * runtime/AsyncGeneratorPrototype.h:
2599         * runtime/AsyncIteratorPrototype.h:
2600         * runtime/AtomicsObject.cpp:
2601         * runtime/BigIntConstructor.h:
2602         * runtime/BigIntPrototype.h:
2603         * runtime/BooleanPrototype.h:
2604         * runtime/ClonedArguments.h:
2605         * runtime/CodeCache.h:
2606         * runtime/ControlFlowProfiler.h:
2607         * runtime/CustomGetterSetter.h:
2608         * runtime/DateConstructor.h:
2609         * runtime/DatePrototype.h:
2610         * runtime/DefinePropertyAttributes.h:
2611         * runtime/ErrorPrototype.h:
2612         * runtime/EvalExecutable.h:
2613         * runtime/Exception.h:
2614         * runtime/ExceptionHelpers.cpp:
2615         (JSC::invalidParameterInSourceAppender):
2616         (JSC::invalidParameterInstanceofSourceAppender):
2617         * runtime/ExceptionHelpers.h:
2618         * runtime/ExecutableBase.h:
2619         * runtime/FunctionExecutable.h:
2620         * runtime/FunctionRareData.h:
2621         * runtime/GeneratorPrototype.h:
2622         * runtime/GenericArguments.h:
2623         * runtime/GenericOffset.h:
2624         * runtime/GetPutInfo.h:
2625         * runtime/GetterSetter.h:
2626         * runtime/GlobalExecutable.h:
2627         * runtime/Identifier.h:
2628         * runtime/InspectorInstrumentationObject.h:
2629         * runtime/InternalFunction.h:
2630         * runtime/IntlCollatorConstructor.h:
2631         * runtime/IntlCollatorPrototype.h:
2632         * runtime/IntlDateTimeFormatConstructor.h:
2633         * runtime/IntlDateTimeFormatPrototype.h:
2634         * runtime/IntlNumberFormatConstructor.h:
2635         * runtime/IntlNumberFormatPrototype.h:
2636         * runtime/IntlObject.h:
2637         * runtime/IntlPluralRulesConstructor.h:
2638         * runtime/IntlPluralRulesPrototype.h:
2639         * runtime/IteratorPrototype.h:
2640         * runtime/JSArray.cpp:
2641         (JSC::JSArray::tryCreateUninitializedRestricted):
2642         * runtime/JSArray.h:
2643         * runtime/JSArrayBuffer.h:
2644         * runtime/JSArrayBufferView.h:
2645         * runtime/JSBigInt.h:
2646         * runtime/JSCJSValue.h:
2647         * runtime/JSCell.h:
2648         * runtime/JSCustomGetterSetterFunction.h:
2649         * runtime/JSDataView.h:
2650         * runtime/JSDataViewPrototype.h:
2651         * runtime/JSDestructibleObject.h:
2652         * runtime/JSFixedArray.h:
2653         * runtime/JSGenericTypedArrayView.h:
2654         * runtime/JSGlobalLexicalEnvironment.h:
2655         * runtime/JSGlobalObject.h:
2656         * runtime/JSImmutableButterfly.h:
2657         * runtime/JSInternalPromiseConstructor.h:
2658         * runtime/JSInternalPromiseDeferred.h:
2659         * runtime/JSInternalPromisePrototype.h:
2660         * runtime/JSLexicalEnvironment.h:
2661         * runtime/JSModuleEnvironment.h:
2662         * runtime/JSModuleLoader.h:
2663         * runtime/JSModuleNamespaceObject.h:
2664         * runtime/JSNonDestructibleProxy.h:
2665         * runtime/JSONObject.cpp:
2666         * runtime/JSONObject.h:
2667         * runtime/JSObject.h:
2668         * runtime/JSPromiseConstructor.h:
2669         * runtime/JSPromiseDeferred.h:
2670         * runtime/JSPromisePrototype.h:
2671         * runtime/JSPropertyNameEnumerator.h:
2672         * runtime/JSProxy.h:
2673         * runtime/JSScope.h:
2674         * runtime/JSScriptFetchParameters.h:
2675         * runtime/JSScriptFetcher.h:
2676         * runtime/JSSegmentedVariableObject.h:
2677         * runtime/JSSourceCode.h:
2678         * runtime/JSString.cpp:
2679         * runtime/JSString.h:
2680         * runtime/JSSymbolTableObject.h:
2681         * runtime/JSTemplateObjectDescriptor.h:
2682         * runtime/JSTypeInfo.h:
2683         * runtime/MapPrototype.h:
2684         * runtime/MinimumReservedZoneSize.h:
2685         * runtime/ModuleProgramExecutable.h:
2686         * runtime/NativeExecutable.h:
2687         * runtime/NativeFunction.h:
2688         * runtime/NativeStdFunctionCell.h:
2689         * runtime/NumberConstructor.h:
2690         * runtime/NumberPrototype.h:
2691         * runtime/ObjectConstructor.h:
2692         * runtime/ObjectPrototype.h:
2693         * runtime/ProgramExecutable.h:
2694         * runtime/PromiseDeferredTimer.cpp:
2695         * runtime/PropertyMapHashTable.h:
2696         * runtime/PropertyNameArray.h:
2697         (JSC::PropertyNameArray::add):
2698         * runtime/PrototypeKey.h:
2699         * runtime/ProxyConstructor.h:
2700         * runtime/ProxyObject.cpp:
2701         (JSC::ProxyObject::performGetOwnPropertyNames):
2702         * runtime/ProxyRevoke.h:
2703         * runtime/ReflectObject.h:
2704         * runtime/RegExp.h:
2705         * runtime/RegExpCache.h:
2706         * runtime/RegExpConstructor.h:
2707         * runtime/RegExpKey.h:
2708         * runtime/RegExpObject.h:
2709         * runtime/RegExpPrototype.h:
2710         * runtime/RegExpStringIteratorPrototype.h:
2711         * runtime/SamplingProfiler.cpp:
2712         * runtime/ScopedArgumentsTable.h:
2713         * runtime/ScriptExecutable.h:
2714         * runtime/SetPrototype.h:
2715         * runtime/SmallStrings.h:
2716         * runtime/SparseArrayValueMap.h:
2717         * runtime/StringConstructor.h:
2718         * runtime/StringIteratorPrototype.h:
2719         * runtime/StringObject.h:
2720         * runtime/StringPrototype.h:
2721         * runtime/Structure.h:
2722         * runtime/StructureChain.h:
2723         * runtime/StructureRareData.h:
2724         * runtime/StructureTransitionTable.h:
2725         * runtime/Symbol.h:
2726         * runtime/SymbolConstructor.h:
2727         * runtime/SymbolPrototype.h:
2728         * runtime/SymbolTable.h:
2729         * runtime/TemplateObjectDescriptor.h:
2730         * runtime/TypeProfiler.cpp:
2731         * runtime/TypeProfiler.h:
2732         * runtime/TypeProfilerLog.cpp:
2733         * runtime/VarOffset.h:
2734         * testRegExp.cpp:
2735         * tools/HeapVerifier.cpp:
2736         (JSC::HeapVerifier::checkIfRecorded):
2737         * tools/JSDollarVM.cpp:
2738         * wasm/WasmB3IRGenerator.cpp:
2739         * wasm/WasmBBQPlan.cpp:
2740         * wasm/WasmFaultSignalHandler.cpp:
2741         * wasm/WasmFunctionParser.h:
2742         * wasm/WasmOMGForOSREntryPlan.cpp:
2743         * wasm/WasmOMGPlan.cpp:
2744         * wasm/WasmPlan.cpp:
2745         * wasm/WasmSignature.cpp:
2746         * wasm/WasmSignature.h:
2747         * wasm/WasmWorklist.cpp:
2748         * wasm/js/JSWebAssembly.h:
2749         * wasm/js/JSWebAssemblyCodeBlock.h:
2750         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2751         * wasm/js/WebAssemblyCompileErrorPrototype.h:
2752         * wasm/js/WebAssemblyFunction.h:
2753         * wasm/js/WebAssemblyInstanceConstructor.h:
2754         * wasm/js/WebAssemblyInstancePrototype.h:
2755         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2756         * wasm/js/WebAssemblyLinkErrorPrototype.h:
2757         * wasm/js/WebAssemblyMemoryConstructor.h:
2758         * wasm/js/WebAssemblyMemoryPrototype.h:
2759         * wasm/js/WebAssemblyModuleConstructor.h:
2760         * wasm/js/WebAssemblyModulePrototype.h:
2761         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2762         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
2763         * wasm/js/WebAssemblyTableConstructor.h:
2764         * wasm/js/WebAssemblyTablePrototype.h:
2765         * wasm/js/WebAssemblyToJSCallee.h:
2766         * yarr/Yarr.h:
2767         * yarr/YarrParser.h:
2768         * yarr/generateYarrCanonicalizeUnicode:
2769
2770 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2771
2772         Follow-up after String.codePointAt optimization
2773         https://bugs.webkit.org/show_bug.cgi?id=201889
2774
2775         Reviewed by Saam Barati.
2776
2777         Follow-up after string.codePointAt DFG / FTL optimizations,
2778
2779         1. Gracefully accept more arguments than expected for intrinsics
2780         2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.
2781
2782         * dfg/DFGByteCodeParser.cpp:
2783         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2784
2785 2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>
2786
2787         Change WebAssembly calling conventions
2788         https://bugs.webkit.org/show_bug.cgi?id=201799
2789
2790         Reviewed by Saam Barati.
2791
2792         Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
2793         we have the Wasm interpreter, since we need the callee in order to know which function we are executing.
2794         This patch changes the calling conventions in preparation for the interpreter, so that the caller
2795         becomes responsible for writing the callee into the call frame.
2796         However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
2797         generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
2798         code when we know statically who the callee is:
2799         - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
2800         - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry
2801
2802         Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping
2803         of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.
2804
2805         * CMakeLists.txt:
2806         * JavaScriptCore.xcodeproj/project.pbxproj:
2807         * wasm/WasmAirIRGenerator.cpp:
2808         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2809         (JSC::Wasm::AirIRGenerator::addCall):
2810         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2811         (JSC::Wasm::parseAndCompileAir):
2812         * wasm/WasmAirIRGenerator.h:
2813         * wasm/WasmB3IRGenerator.cpp:
2814         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2815         (JSC::Wasm::B3IRGenerator::addCall):
2816         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2817         (JSC::Wasm::parseAndCompile):
2818         * wasm/WasmB3IRGenerator.h:
2819         * wasm/WasmBBQPlan.cpp:
2820         (JSC::Wasm::BBQPlan::BBQPlan):
2821         (JSC::Wasm::BBQPlan::prepare):
2822         (JSC::Wasm::BBQPlan::compileFunctions):
2823         (JSC::Wasm::BBQPlan::complete):
2824         * wasm/WasmBBQPlan.h:
2825         * wasm/WasmBBQPlanInlines.h:
2826         (JSC::Wasm::BBQPlan::initializeCallees):
2827         * wasm/WasmBinding.cpp:
2828         (JSC::Wasm::wasmToWasm):
2829         * wasm/WasmCallee.cpp:
2830         (JSC::Wasm::Callee::Callee):
2831         (JSC::Wasm::repatchMove):
2832         (JSC::Wasm::repatchCall):
2833         (JSC::Wasm::BBQCallee::addCaller):
2834         (JSC::Wasm::BBQCallee::addAndLinkCaller):
2835         (JSC::Wasm::BBQCallee::repatchCallers):
2836         * wasm/WasmCallee.h:
2837         (JSC::Wasm::Callee::entrypoint):
2838         (JSC::Wasm::Callee::code const):
2839         (JSC::Wasm::Callee::calleeSaveRegisters):
2840         * wasm/WasmCallingConvention.h:
2841         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2842         * wasm/WasmCodeBlock.cpp:
2843         (JSC::Wasm::CodeBlock::CodeBlock):
2844         * wasm/WasmCodeBlock.h:
2845         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
2846         (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
2847         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2848         (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
2849         * wasm/WasmEmbedder.h:
2850         * wasm/WasmFormat.h:
2851         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
2852         * wasm/WasmInstance.h:
2853         (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
2854         * wasm/WasmOMGForOSREntryPlan.cpp:
2855         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
2856         (JSC::Wasm::OMGForOSREntryPlan::work):
2857         * wasm/WasmOMGForOSREntryPlan.h:
2858         * wasm/WasmOMGPlan.cpp:
2859         (JSC::Wasm::OMGPlan::OMGPlan):
2860         (JSC::Wasm::OMGPlan::work):
2861         * wasm/WasmOMGPlan.h:
2862         * wasm/WasmOperations.cpp:
2863         (JSC::Wasm::triggerOMGReplacementCompile):
2864         (JSC::Wasm::doOSREntry):
2865         (JSC::Wasm::triggerOSREntryNow):
2866         * wasm/js/JSToWasm.cpp:
2867         (JSC::Wasm::createJSToWasmWrapper):
2868         * wasm/js/JSToWasm.h:
2869         * wasm/js/WebAssemblyFunction.cpp:
2870         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2871         (JSC::WebAssemblyFunction::create):
2872         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2873         * wasm/js/WebAssemblyFunction.h:
2874         * wasm/js/WebAssemblyModuleRecord.cpp:
2875         (JSC::WebAssemblyModuleRecord::link):
2876         (JSC::WebAssemblyModuleRecord::evaluate):
2877         * wasm/js/WebAssemblyWrapperFunction.cpp:
2878         (JSC::WebAssemblyWrapperFunction::create):
2879
2880 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2881
2882         [JSC] CheckArray+NonArray is not filtering out Array in AI
2883         https://bugs.webkit.org/show_bug.cgi?id=201857
2884         <rdar://problem/54194820>
2885
2886         Reviewed by Keith Miller.
2887
2888         The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
2889         While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
2890         accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
2891         This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.
2892
2893         * dfg/DFGArrayMode.cpp:
2894         (JSC::DFG::ArrayMode::alreadyChecked const):
2895
2896 2019-09-17  Saam Barati  <sbarati@apple.com>
2897
2898         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
2899         https://bugs.webkit.org/show_bug.cgi?id=201853
2900         <rdar://problem/53805461>
2901
2902         Reviewed by Yusuke Suzuki.
2903
2904         We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
2905         out SlowPutArrayStorage. It does no such thing. We just check that the object
2906         is either ScopedArguments or DirectArguments.
2907
2908         * dfg/DFGArrayMode.h:
2909         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2910         (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
2911         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
2912
2913 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
2914
2915         Wasm StreamingParser should validate that number of functions matches number of declarations
2916         https://bugs.webkit.org/show_bug.cgi?id=201850
2917         <rdar://problem/55290186>
2918
2919         Reviewed by Yusuke Suzuki.
2920
2921         Currently, when parsing the code section, we check that the number of functions matches the number
2922         of declarations in the function section. However, that check is never performed if the module does
2923         not have a code section. To fix that, we perform the check again in StreamingParser::finalize.
2924
2925         * wasm/WasmStreamingParser.cpp:
2926         (JSC::Wasm::StreamingParser::finalize):
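
The check described in this entry, as an added example that is not JSC's code: a minimal WebAssembly section walker that counts the entries of the function section and the bodies of the code section and compares them at the end, so that a module with a function section but no code section at all is still rejected. The section ids, the LEB128 reader and the hand-encoded sample modules are constructed for this example.

```javascript
// Added example, not JSC code: a minimal WebAssembly section walker that
// mirrors the StreamingParser check described above. The number of bodies in
// the code section must equal the number of entries in the function section,
// and the check must also run when the module has no code section at all.

const FUNCTION_SECTION_ID = 3;
const CODE_SECTION_ID = 10;

// Decode an unsigned LEB128 integer; returns [value, nextOffset].
function readVarU32(bytes, offset) {
  let result = 0;
  let shift = 0;
  for (;;) {
    if (offset >= bytes.length) throw new Error('truncated LEB128 at end of input');
    const b = bytes[offset++];
    result |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return [result >>> 0, offset];
    shift += 7;
    if (shift > 28) throw new Error('LEB128 longer than 5 bytes');
  }
}

// Walk every section header, recording how many functions are declared
// (function section) and how many bodies are defined (code section).
function countFunctions(bytes) {
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
  if (bytes.length < 8 || header.some((v, i) => bytes[i] !== v)) {
    throw new Error('bad magic or version');
  }
  let offset = 8;
  let declared = 0;
  let defined = 0;
  let hasCodeSection = false;
  while (offset < bytes.length) {
    const id = bytes[offset++];
    let size;
    [size, offset] = readVarU32(bytes, offset);
    const end = offset + size;
    if (end > bytes.length) throw new Error(`section ${id} overruns the module`);
    if (id === FUNCTION_SECTION_ID) {
      [declared] = readVarU32(bytes, offset);
    } else if (id === CODE_SECTION_ID) {
      hasCodeSection = true;
      [defined] = readVarU32(bytes, offset);
    }
    offset = end; // contents of other sections are not needed for this check
  }
  return { declared, defined, hasCodeSection };
}

// The finalize() check: performed whether or not a code section was seen.
function validateFunctionCounts(bytes) {
  const { declared, defined, hasCodeSection } = countFunctions(bytes);
  if (declared !== defined) {
    return {
      ok: false,
      hasCodeSection,
      reason: `function section declares ${declared} function(s) but code section defines ${defined}`,
    };
  }
  return { ok: true, hasCodeSection, reason: '' };
}

// Constructed modules (hand-encoded bytes for this example).
const HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
const TYPE_SECTION = [0x01, 0x04, 0x01, 0x60, 0x00, 0x00];   // one type: () -> ()
const FUNC_SECTION = [0x03, 0x02, 0x01, 0x00];               // one function using type 0
const CODE_SECTION = [0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b];   // one body: no locals, `end`

const VALID_MODULE = Uint8Array.from([...HEADER, ...TYPE_SECTION, ...FUNC_SECTION, ...CODE_SECTION]);
const MODULE_MISSING_CODE = Uint8Array.from([...HEADER, ...TYPE_SECTION, ...FUNC_SECTION]);
```

`validateFunctionCounts(MODULE_MISSING_CODE)` reports the mismatch even though the code section never appeared, which is exactly the case a check placed only inside the code-section parser would miss.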
2927
2928 2019-09-16  Michael Saboff  <msaboff@apple.com>
2929
2930         [JSC] Perform check again when we found non-BMP characters
2931         https://bugs.webkit.org/show_bug.cgi?id=201647
2932
2933         Reviewed by Yusuke Suzuki.
2934
2935         We need to check for end of input for non-BMP characters when matching a character class that contains
2936         both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
2937         end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
2938         After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
2939         label to back out the index++ for the first surrogate of the non-BMP character.
2940
2941         Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
2942         first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
2943         we increment for the second surrogate.
2944
2945         While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the
2946         loop to check the count at loop top instead of loop bottom.
2947
2948         * yarr/YarrJIT.cpp:
2949         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2950         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2951         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2952         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2953         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
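
A model of the surrogate-pair handling this entry describes, as an added example that is not Yarr's code. It works on UTF-16 code units the way the JIT does: the end-of-input check for the second code unit is done only on the non-BMP path, after the "is BMP" test, and a failure there backs out the index increment already done for the lead surrogate, so the trail surrogate is never read past the end of the subject string. The character class (`a`-`z` plus U+1F600..U+1F64F) and the inputs are constructed for the example.

```javascript
// Added example, not Yarr's code: a model of the surrogate-pair handling
// described above, operating on UTF-16 code units as the JIT does.

// Constructed character class mixing BMP and non-BMP members:
// ASCII letters a-z plus the emoticon block U+1F600..U+1F64F.
function classMatches(codePoint) {
  return (codePoint >= 0x61 && codePoint <= 0x7a) ||
         (codePoint >= 0x1f600 && codePoint <= 0x1f64f);
}

function isLeadSurrogate(unit) { return unit >= 0xd800 && unit <= 0xdbff; }
function isTrailSurrogate(unit) { return unit >= 0xdc00 && unit <= 0xdfff; }

// One character-class term match at `index`. Returns { matched, index } where
// `index` is the position after the matched code point, or the original
// position on failure. The end-of-input check for the second code unit only
// happens on the non-BMP path; a failure there backs out the index++ done for
// the first surrogate.
function advanceIndexAfterCharacterClassTermMatch(str, index) {
  if (index >= str.length) return { matched: false, index };
  const lead = str.charCodeAt(index);
  index++;                                   // consume the first code unit
  if (!isLeadSurrogate(lead)) {
    // BMP character: no second unit, so no further end-of-input check.
    return classMatches(lead) ? { matched: true, index } : { matched: false, index: index - 1 };
  }
  // Possible non-BMP character: check end of input BEFORE reading the trail.
  if (index >= str.length) {
    index--;                                 // back out the index++ for the lead surrogate
    return { matched: false, index };
  }
  const trail = str.charCodeAt(index);
  if (!isTrailSurrogate(trail)) {
    // Lone lead surrogate: it stands for itself as a single code unit.
    return classMatches(lead) ? { matched: true, index } : { matched: false, index: index - 1 };
  }
  const codePoint = 0x10000 + ((lead - 0xd800) << 10) + (trail - 0xdc00);
  return classMatches(codePoint) ? { matched: true, index: index + 1 } : { matched: false, index: index - 1 };
}

// Greedy repetition of the class term: match as many code points as possible
// and report how many were consumed and where matching stopped.
function matchCharacterClassGreedy(str, startIndex) {
  let index = startIndex;
  let count = 0;
  for (;;) {
    const step = advanceIndexAfterCharacterClassTermMatch(str, index);
    if (!step.matched) break;
    index = step.index;
    count++;
  }
  return { count, index };
}

// Constructed inputs: a full surrogate pair, and a subject that ends in a lone
// lead surrogate (the end-of-input edge case from the entry).
const WITH_PAIR = 'ab\u{1F600}!';   // units: a b D83D DE00 !
const TRUNCATED = 'a\uD83D';         // units: a D83D
```

On `TRUNCATED` the greedy loop consumes `a`, then sees the lead surrogate, finds no room for a trail unit, restores the index and stops with one match and index 1; the subject is never indexed at position 2.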
2954
2955 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
2956
2957         [JSC] Add missing syntax errors for await in function parameter default expressions
2958         https://bugs.webkit.org/show_bug.cgi?id=201615
2959
2960         Reviewed by Darin Adler.
2961
2962         This patch rectifies two oversights:
2963           1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
2964              (and likewise for async arrow functions).
2965           2. We were not prohibiting `(x = await => {}) => {}` in an async context
2966              (regardless of parentheses, but note that this one *only* applies to arrow functions).
2967
2968         * parser/Parser.cpp:
2969         (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
2970         (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
2971         (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
2972         (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).
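
The two cases from this entry, fed to the host engine's parser as an added example (not JSC's own test code): each source is handed to `new Function`, which parses it as a sloppy-mode function body without running it, and the result is compared with what the specification requires. The sources are constructed from the entry; the non-async control case is added to show that `await` is an ordinary identifier outside async contexts.

```javascript
// Added example, not JSC code: the sources from the entry above plus one
// control case, checked against the engine's parser via `new Function`.
const CASES = [
  // Already rejected before the fix: parenthesised `await` as arrow parameter.
  { src: 'async function f(x = (await) => {}) {}', mustReject: true },
  // Case (1): bare `await` as arrow parameter in an async function's defaults.
  { src: 'async function f(x = await => {}) {}', mustReject: true },
  // Case (2): arrow function inside an async body with `await` as a
  // nested arrow parameter in its default expression.
  { src: 'async function g() { (x = await => {}) => {}; }', mustReject: true },
  // Control: not an async context, so `await` is a plain identifier here.
  { src: 'function f(x = await => {}) {}', mustReject: false },
];

// Parse `src` as a function body; report whether the parser raised SyntaxError.
function isRejectedWithSyntaxError(src) {
  try {
    new Function(src);   // nothing is executed, only parsed
    return false;
  } catch (e) {
    if (e instanceof SyntaxError) return true;
    throw e;             // any other error means the harness itself is broken
  }
}

// Per-case report: which sources the parser rejected and whether that matches.
function checkCases() {
  return CASES.map((c) => {
    const rejected = isRejectedWithSyntaxError(c.src);
    return { src: c.src, rejected, expected: c.mustReject, ok: rejected === c.mustReject };
  });
}

// True when the parser agrees with the specification on every case.
function parserAgreesWithSpec() {
  return checkCases().every((r) => r.ok);
}
```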
2973
2974 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
2975
2976         SamplingProfiler should hold API lock before reporting results
2977         https://bugs.webkit.org/show_bug.cgi?id=201829
2978
2979         Reviewed by Yusuke Suzuki.
2980
2981         Right now, the SamplingProfiler crashes in debug builds when trying
2982         to report results if it finds a JSFunction on the stack that doesn't have
2983         RareData. It tries to allocate the function's rare data when we call
2984         getOwnPropertySlot in order to get the function's name, but that fails
2985         because we are not holding the VM's API lock. We fix it by just holding
2986         the lock before reporting the results.
2987
2988         * runtime/SamplingProfiler.cpp:
2989         (JSC::SamplingProfiler::reportDataToOptionFile):
2990
2991 2019-09-16  David Kilzer  <ddkilzer@apple.com>
2992
2993         [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
2994         <https://webkit.org/b/201804>
2995
2996         Reviewed by Saam Barati.
2997
2998         * b3/testb3_8.cpp:
2999         (testFastForwardCopy32): Allocate arrays using
3000         WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
3001         statements.
3002
3003 2019-09-16  Saam Barati  <sbarati@apple.com>
3004
3005         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
3006         https://bugs.webkit.org/show_bug.cgi?id=200386
3007         <rdar://problem/53854946>
3008
3009         Reviewed by Yusuke Suzuki.
3010
3011         We used to ignore '__proto__' in putInlineSlow when the object in question
3012         was Proxy. There is no reason for this, and it goes against the spec. So
3013         I've removed that condition. This also has the effect that it fixes an
3014         assertion firing inside our inline caching code which dictates that for a
3015         property replace that the base value's structure must be equal to the
3016         structure when we grabbed the structure prior to the put operation.
3017         The old code caused a weird edge case where we broke this invariant.
3018
3019         * runtime/JSObject.cpp:
3020         (JSC::JSObject::putInlineSlow):
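
What the specification requires when `__proto__` is assigned through a Proxy, which is the behaviour this fix restores, as an added example that is not JSC's code. There is no special case for the property name: the assignment goes through the proxy's [[Set]] (so a `set` trap observes it), reaches the inherited `Object.prototype.__proto__` setter, and that setter calls [[SetPrototypeOf]] on the receiver, i.e. the proxy, which forwards to the target. The handler and the target are constructed for the example.

```javascript
// Added example, not JSC code: the spec path taken by `proxy.__proto__ = v`.
function assignProtoThroughProxy() {
  const target = {};
  const trapLog = [];
  const proxy = new Proxy(target, {
    // [[Set]] on the proxy: the `__proto__` put must arrive here like any other key.
    set(t, key, value, receiver) {
      trapLog.push(String(key));
      return Reflect.set(t, key, value, receiver);   // receiver is the proxy
    },
    // The inherited __proto__ setter runs with `this` = receiver (the proxy),
    // so it calls the proxy's [[SetPrototypeOf]], which lands here.
    setPrototypeOf(t, proto) {
      trapLog.push('setPrototypeOf');
      return Reflect.setPrototypeOf(t, proto);
    },
  });

  proxy.__proto__ = Array.prototype;

  return {
    trapLog,   // ['__proto__', 'setPrototypeOf']
    targetPrototypeChanged: Object.getPrototypeOf(target) === Array.prototype,
    proxyReportsNewPrototype: Object.getPrototypeOf(proxy) === Array.prototype,
    // A put that ignored `__proto__` would have created an ordinary own
    // property of that name on the target instead of changing the prototype.
    noOwnProtoProperty: !Object.prototype.hasOwnProperty.call(target, '__proto__'),
  };
}
```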
3021
3022 2019-09-15  David Kilzer  <ddkilzer@apple.com>
3023
3024         Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
3025         <https://webkit.org/b/201803>
3026
3027         Reviewed by Dan Bernstein.
3028
3029         * API/JSVirtualMachine.mm:
3030         (-[JSVirtualMachine addManagedReference:withOwner:]): Use
3031         RetainPtr<> to fix the leak.
3032
3033 2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
3034
3035         Retire x86 32bit JIT support
3036         https://bugs.webkit.org/show_bug.cgi?id=201790
3037
3038         Reviewed by Mark Lam.
3039
3040         Now, Xcode no longer has the ability to build 32-bit binaries, so we cannot even test it on macOS.
3041         Fedora has stopped shipping the x86 32-bit kernel. Our x86/x86_64 JIT requires SSE2, and so such relatively modern CPUs
3042         can use JIT by switching x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
3043         WebKit already disabled x86 JIT by default while the implementation exists. So literally, it is not tested.
3044
3045         While x86 32-bit becomes less useful, the x86 32-bit JIT backend is very complicated and is a major maintenance burden.
3046         This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.
3047
3048         This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo,
3049         MachineContext information since they are useful even though JIT is not supported.
3050
3051         * dfg/DFGArrayMode.cpp:
3052         (JSC::DFG::ArrayMode::refine const):
3053         * dfg/DFGByteCodeParser.cpp:
3054         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3055         (JSC::DFG::ByteCodeParser::parseBlock):
3056         * dfg/DFGFixupPhase.cpp:
3057         (JSC::DFG::FixupPhase::fixupNode):
3058         * dfg/DFGJITCompiler.cpp:
3059         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3060         * dfg/DFGOSRExitCompilerCommon.cpp:
3061         (JSC::DFG::osrWriteBarrier):
3062         * dfg/DFGSpeculativeJIT.cpp:
3063         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3064         (JSC::DFG::SpeculativeJIT::compileArithMod):
3065         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3066         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
3067         * dfg/DFGSpeculativeJIT.h:
3068         * dfg/DFGSpeculativeJIT32_64.cpp:
3069         (JSC::DFG::SpeculativeJIT::emitCall):
3070         (JSC::DFG::SpeculativeJIT::compile):
3071         * dfg/DFGThunks.cpp:
3072         (JSC::DFG::osrExitGenerationThunkGenerator):
3073         * ftl/FTLThunks.cpp:
3074         (JSC::FTL::slowPathCallThunkGenerator):
3075         * jit/AssemblyHelpers.cpp:
3076         (JSC::AssemblyHelpers::callExceptionFuzz):
3077         (JSC::AssemblyHelpers::debugCall):
3078         * jit/AssemblyHelpers.h:
3079         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
3080         * jit/CCallHelpers.h:
3081         (JSC::CCallHelpers::setupArgumentsImpl):
3082         (JSC::CCallHelpers::prepareForTailCallSlow):
3083         * jit/CallFrameShuffler.cpp:
3084         (JSC::CallFrameShuffler::prepareForTailCall):
3085         * jit/JIT.cpp:
3086         (JSC::JIT::privateCompileExceptionHandlers):
3087         * jit/JITArithmetic32_64.cpp:
3088         (JSC::JIT::emit_op_mod):
3089         (JSC::JIT::emitSlow_op_mod):
3090         * jit/SlowPathCall.h:
3091         (JSC::JITSlowPathCall::call):
3092         * jit/ThunkGenerators.cpp:
3093         (JSC::nativeForGenerator):
3094         (JSC::arityFixupGenerator):
3095         * wasm/WasmAirIRGenerator.cpp:
3096         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
3097         * yarr/YarrJIT.cpp:
3098         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3099         (JSC::Yarr::YarrGenerator::generateEnter):
3100         (JSC::Yarr::YarrGenerator::generateReturn):
3101         (JSC::Yarr::YarrGenerator::compile):
3102         * yarr/YarrJIT.h:
3103
3104 2019-09-13  Mark Lam  <mark.lam@apple.com>
3105
3106         jsc -d stopped working.
3107         https://bugs.webkit.org/show_bug.cgi?id=201787
3108
3109         Reviewed by Joseph Pecoraro.
3110
3111         The reason is because, in this case, the jsc shell is trying to set an option
3112         after the VM has been instantiated.  The fix is simply to move all options
3113         initialization before the VM is instantiated.
3114
3115         * jsc.cpp:
3116         (runWithOptions):
3117         (jscmain):
3118
3119 2019-09-13  Mark Lam  <mark.lam@apple.com>
3120
3121         watchOS requires PageSize alignment of 16K for JSC::Config.
3122         https://bugs.webkit.org/show_bug.cgi?id=201786
3123         <rdar://problem/55357890>
3124
3125         Reviewed by Yusuke Suzuki.
3126
3127         * runtime/JSCConfig.h:
3128
3129 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
3130
3131         Unreviewed, follow-up fix after r249842
3132         https://bugs.webkit.org/show_bug.cgi?id=201750
3133
3134         Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.
3135
3136         * assembler/MacroAssemblerARM64.h:
3137         (JSC::MacroAssemblerARM64::nearCall):
3138         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
3139
3140 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
3141
3142         Date.prototype.toJSON does not execute steps 1-2
3143         https://bugs.webkit.org/show_bug.cgi?id=105282
3144
3145         Reviewed by Ross Kirsling.
3146
3147         According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
3148         strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
3149         using sloppy mode semantics, resulting in `toISOString` being called on global object if `this`
3150         value equals `null` or `undefined`.
3151
3152         * runtime/DatePrototype.cpp:
3153         (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
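
The specification steps of Date.prototype.toJSON written out as a strict-mode function and checked against the host engine's built-in, as an added example that is not JSC's code. Because the function is strict, `this` is not coerced, so a `null` or `undefined` receiver reaches step 1 (ToObject) and throws a TypeError instead of resolving to the global object and calling its `toISOString`. The receivers in `RECEIVERS` are constructed to exercise each step.

```javascript
// Added example, not JSC code: Date.prototype.toJSON transcribed from the
// specification and compared with the built-in on constructed receivers.

// ToPrimitive(O, hint Number) following the ordinary algorithm.
function toPrimitiveNumber(O) {
  const exotic = O[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const r = exotic.call(O, 'number');
    if (Object(r) !== r) return r;
    throw new TypeError('Symbol.toPrimitive returned an object');
  }
  for (const name of ['valueOf', 'toString']) {
    const method = O[name];
    if (typeof method === 'function') {
      const r = method.call(O);
      if (Object(r) !== r) return r;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

function dateToJSONPerSpec() {
  'use strict';                       // `this` arrives uncoerced, as for built-ins
  const thisValue = this;
  // Steps 1-2: Let O be ? ToObject(this value).
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError('Date.prototype.toJSON called on null or undefined');
  }
  const O = Object(thisValue);
  // Step 3: Let tv be ? ToPrimitive(O, number).
  const tv = toPrimitiveNumber(O);
  // Step 4: If Type(tv) is Number and tv is not finite, return null.
  if (typeof tv === 'number' && !Number.isFinite(tv)) return null;
  // Step 5: Return ? Invoke(O, "toISOString").
  const toISOString = O.toISOString;
  if (typeof toISOString !== 'function') throw new TypeError('toISOString is not a function');
  return toISOString.call(O);
}

// Call fn with an explicit receiver; capture the value or the error class name.
function probe(fn, thisValue) {
  try {
    return { value: fn.call(thisValue), error: null };
  } catch (e) {
    return { value: undefined, error: e.constructor.name };
  }
}

// Constructed receivers, one per step of interest.
const RECEIVERS = [
  null,                                    // step 1: TypeError under strict semantics
  undefined,                               // step 1: TypeError under strict semantics
  new Date(NaN),                           // step 4: null
  new Date(0),                             // step 5: "1970-01-01T00:00:00.000Z"
  { toISOString() { return 'custom'; } },  // step 5 on a non-Date object
  42,                                      // Number wrapper has no toISOString: TypeError
];

// True when the built-in and the spec transcription agree on every receiver.
function builtInMatchesSpec() {
  return RECEIVERS.every((r) => {
    const a = probe(Date.prototype.toJSON, r);
    const b = probe(dateToJSONPerSpec, r);
    return a.value === b.value && a.error === b.error;
  });
}
```

With sloppy-mode `this` resolution the first two receivers would instead become the global object, and the outcome would depend on whether something named `toISOString` happens to exist there.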
3154
3155 2019-09-13  Mark Lam  <mark.lam@apple.com>
3156
3157         performJITMemcpy() should do its !Gigacage assertion on exit.
3158         https://bugs.webkit.org/show_bug.cgi?id=201780
3159         <rdar://problem/55354867>
3160
3161         Reviewed by Robin Morisset.
3162
3163         Re-doing previous fix.
3164
3165         * jit/ExecutableAllocator.h:
3166         (JSC::performJITMemcpy):
3167         (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
3168         (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.
3169
3170 2019-09-13  Mark Lam  <mark.lam@apple.com>
3171
3172         performJITMemcpy() should do its !Gigacage assertion on exit.
3173         https://bugs.webkit.org/show_bug.cgi?id=201780
3174         <rdar://problem/55354867>
3175
3176         Reviewed by Robin Morisset.
3177
3178         * jit/ExecutableAllocator.h:
3179         (JSC::GigacageAssertScope::GigacageAssertScope):
3180         (JSC::GigacageAssertScope::~GigacageAssertScope):
3181         (JSC::performJITMemcpy):
3182
3183 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
3184
3185         [JSC] Micro-optimize YarrJIT's surrogate pair handling
3186         https://bugs.webkit.org/show_bug.cgi?id=201750
3187
3188         Reviewed by Michael Saboff.
3189
3190         Optimize sequence of machine code used to get code-point with unicode flag.
3191
3192         * yarr/YarrJIT.cpp:
3193         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
3194
3195 2019-09-13  Mark Lam  <mark.lam@apple.com>
3196
3197         We should assert $vm is enabled on entry and exit in its functions.
3198         https://bugs.webkit.org/show_bug.cgi?id=201762
3199         <rdar://problem/55338742>
3200
3201         Rubber-stamped by Michael Saboff.
3202
3203         1. Also do the same for FunctionOverrides.
3204         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
3205         3. Also added assertions to lambda functions in $vm.
3206
3207         * tools/FunctionOverrides.cpp:
3208         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
3209         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
3210         (JSC::FunctionOverrides::overrides):
3211         (JSC::FunctionOverrides::FunctionOverrides):
3212         (JSC::FunctionOverrides::reinstallOverrides):
3213         (JSC::initializeOverrideInfo):
3214         (JSC::FunctionOverrides::initializeOverrideFor):
3215         (JSC::parseClause):
3216         (JSC::FunctionOverrides::parseOverridesInFile):
3217         * tools/JSDollarVM.cpp:
3218         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
3219         (JSC::JSDollarVMCallFrame::createStructure):
3220         (JSC::JSDollarVMCallFrame::create):
3221         (JSC::JSDollarVMCallFrame::finishCreation):
3222         (JSC::JSDollarVMCallFrame::addProperty):
3223         (JSC::Element::Element):
3224         (JSC::Element::create):
3225         (JSC::Element::visitChildren):
3226         (JSC::Element::createStructure):
3227         (JSC::Root::Root):
3228         (JSC::Root::setElement):
3229         (JSC::Root::create):
3230         (JSC::Root::createStructure):
3231         (JSC::Root::visitChildren):
3232         (JSC::SimpleObject::SimpleObject):
3233         (JSC::SimpleObject::create):
3234         (JSC::SimpleObject::visitChildren):
3235         (JSC::SimpleObject::createStructure):
3236         (JSC::ImpureGetter::ImpureGetter):
3237         (JSC::ImpureGetter::createStructure):
3238         (JSC::ImpureGetter::create):
3239         (JSC::ImpureGetter::finishCreation):
3240         (JSC::ImpureGetter::getOwnPropertySlot):
3241         (JSC::ImpureGetter::visitChildren):
3242         (JSC::CustomGetter::CustomGetter):
3243         (JSC::CustomGetter::createStructure):
3244         (JSC::CustomGetter::create):
3245         (JSC::CustomGetter::getOwnPropertySlot):
3246         (JSC::CustomGetter::customGetter):
3247         (JSC::CustomGetter::customGetterAcessor):
3248         (JSC::RuntimeArray::create):
3249         (JSC::RuntimeArray::destroy):
3250         (JSC::RuntimeArray::getOwnPropertySlot):
3251         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
3252         (JSC::RuntimeArray::createPrototype):
3253         (JSC::RuntimeArray::createStructure):
3254         (JSC::RuntimeArray::finishCreation):
3255         (JSC::RuntimeArray::RuntimeArray):
3256         (JSC::RuntimeArray::lengthGetter):
3257         (JSC::DOMJITNode::DOMJITNode):
3258         (JSC::DOMJITNode::createStructure):
3259         (JSC::DOMJITNode::checkSubClassSnippet):
3260         (JSC::DOMJITNode::create):
3261         (JSC::DOMJITGetter::DOMJITGetter):
3262         (JSC::DOMJITGetter::createStructure):
3263         (JSC::DOMJITGetter::create):
3264         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3265         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3266         (JSC::DOMJITGetter::customGetter):
3267         (JSC::DOMJITGetter::finishCreation):
3268         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
3269         (JSC::DOMJITGetterComplex::createStructure):
3270         (JSC::DOMJITGetterComplex::create):
3271         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3272         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3273         (JSC::DOMJITGetterComplex::functionEnableException):
3274         (JSC::DOMJITGetterComplex::customGetter):
3275         (JSC::DOMJITGetterComplex::finishCreation):
3276         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
3277         (JSC::DOMJITFunctionObject::createStructure):
3278         (JSC::DOMJITFunctionObject::create):
3279         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
3280         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
3281         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
3282         (JSC::DOMJITFunctionObject::finishCreation):
3283         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3284         (JSC::DOMJITCheckSubClassObject::createStructure):
3285         (JSC::DOMJITCheckSubClassObject::create):
3286         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
3287         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
3288         (JSC::DOMJITCheckSubClassObject::finishCreation):
3289         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
3290         (JSC::DOMJITGetterBaseJSObject::createStructure):
3291         (JSC::DOMJITGetterBaseJSObject::create):
3292         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3293         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
3294         (JSC::DOMJITGetterBaseJSObject::customGetter):
3295         (JSC::DOMJITGetterBaseJSObject::finishCreation):
3296         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
3297         (JSC::JSTestCustomGetterSetter::create):
3298         (JSC::JSTestCustomGetterSetter::createStructure):
3299         (JSC::customSetAccessor):
3300         (JSC::customSetValue):
3301         (JSC::JSTestCustomGetterSetter::finishCreation):
3302         (JSC::Element::handleOwner):
3303         (JSC::Element::finishCreation):
3304         (JSC::WasmStreamingParser::WasmStreamingParser):
3305         (JSC::WasmStreamingParser::create):
3306         (JSC::WasmStreamingParser::createStructure):
3307         (JSC::WasmStreamingParser::finishCreation):
3308         (JSC::functionWasmStreamingParserAddBytes):
3309         (JSC::functionWasmStreamingParserFinalize):
3310         (JSC::functionCrash):
3311         (JSC::functionBreakpoint):
3312         (JSC::functionDFGTrue):
3313         (JSC::functionFTLTrue):
3314         (JSC::functionCpuMfence):
3315         (JSC::functionCpuRdtsc):
3316         (JSC::functionCpuCpuid):
3317         (JSC::functionCpuPause):
3318         (JSC::functionCpuClflush):
3319         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3320         (JSC::getExecutableForFunction):
3321         (JSC::functionLLintTrue):
3322         (JSC::functionJITTrue):
3323         (JSC::functionNoInline):
3324         (JSC::functionGC):
3325         (JSC::functionEdenGC):
3326         (JSC::functionDumpSubspaceHashes):
3327         (JSC::functionCallFrame):
3328         (JSC::functionCodeBlockForFrame):
3329         (JSC::codeBlockFromArg):
3330         (JSC::functionCodeBlockFor):
3331         (JSC::functionDumpSourceFor):
3332         (JSC::functionDumpBytecodeFor):
3333         (JSC::doPrint):
3334         (JSC::functionDataLog):
3335         (JSC::functionPrint):
3336         (JSC::functionDumpCallFrame):
3337         (JSC::functionDumpStack):
3338         (JSC::functionDumpRegisters):
3339         (JSC::functionDumpCell):
3340         (JSC::functionIndexingMode):
3341         (JSC::functionInlineCapacity):
3342         (JSC::functionValue):
3343         (JSC::functionGetPID):
3344         (JSC::functionHaveABadTime):
3345         (JSC::functionIsHavingABadTime):
3346         (JSC::functionCreateGlobalObject):
3347         (JSC::functionCreateProxy):
3348         (JSC::functionCreateRuntimeArray):
3349         (JSC::functionCreateNullRopeString):
3350         (JSC::functionCreateImpureGetter):
3351         (JSC::functionCreateCustomGetterObject):
3352         (JSC::functionCreateDOMJITNodeObject):
3353         (JSC::functionCreateDOMJITGetterObject):
3354         (JSC::functionCreateDOMJITGetterComplexObject):
3355         (JSC::functionCreateDOMJITFunctionObject):
3356         (JSC::functionCreateDOMJITCheckSubClassObject):
3357         (JSC::functionCreateDOMJITGetterBaseJSObject):
3358         (JSC::functionCreateWasmStreamingParser):
3359         (JSC::functionSetImpureGetterDelegate):
3360         (JSC::functionCreateBuiltin):
3361         (JSC::functionGetPrivateProperty):
3362         (JSC::functionCreateRoot):
3363         (JSC::functionCreateElement):
3364         (JSC::functionGetElement):
3365         (JSC::functionCreateSimpleObject):
3366         (JSC::functionGetHiddenValue):
3367         (JSC::functionSetHiddenValue):
3368         (JSC::functionShadowChickenFunctionsOnStack):
3369         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
3370         (JSC::functionFindTypeForExpression):
3371         (JSC::functionReturnTypeFor):
3372         (JSC::functionFlattenDictionaryObject):
3373         (JSC::functionDumpBasicBlockExecutionRanges):
3374         (JSC::functionHasBasicBlockExecuted):
3375         (JSC::functionBasicBlockExecutionCount):
3376         (JSC::functionEnableExceptionFuzz):
3377         (JSC::changeDebuggerModeWhenIdle):
3378         (JSC::functionEnableDebuggerModeWhenIdle):
3379         (JSC::functionDisableDebuggerModeWhenIdle):
3380         (JSC::functionDeleteAllCodeWhenIdle):
3381         (JSC::functionGlobalObjectCount):
3382         (JSC::functionGlobalObjectForObject):
3383         (JSC::functionGetGetterSetter):
3384         (JSC::functionLoadGetterFromGetterSetter):
3385         (JSC::functionCreateCustomTestGetterSetter):
3386         (JSC::functionDeltaBetweenButterflies):
3387         (JSC::functionTotalGCTime):
3388         (JSC::functionParseCount):
3389         (JSC::functionIsWasmSupported):
3390         (JSC::JSDollarVM::finishCreation):
3391         (JSC::JSDollarVM::addFunction):
3392         (JSC::JSDollarVM::addConstructibleFunction):
3393         * tools/JSDollarVM.h:
3394         (JSC::DollarVMAssertScope::DollarVMAssertScope):
3395         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
3396
3397 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
3398
3399         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
3400         https://bugs.webkit.org/show_bug.cgi?id=201535
3401         <rdar://problem/29119232>
3402
3403         Reviewed by Devin Rousso.
3404
3405         * debugger/Debugger.cpp:
3406         (JSC::Debugger::resolveBreakpoint):
3407         When resolving a breakpoint inside of an inline <script> we need to adjust
3408         based on the starting position of the <script> in the HTML resource.
3409
3410 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
3411
3412         [JSC] X86Registers.h callee-save register definition is wrong
3413         https://bugs.webkit.org/show_bug.cgi?id=201756
3414
3415         Reviewed by Mark Lam.
3416
3417         I think nobody is using the X86 JIT backend, but it is simply wrong.
3418         edi and esi should be callee-save.
3419
3420         * assembler/X86Registers.h:
3421
3422 2019-09-12  Mark Lam  <mark.lam@apple.com>
3423
3424         Harden JSC against the abuse of runtime options.
3425         https://bugs.webkit.org/show_bug.cgi?id=201597
3426         <rdar://problem/55167068>
3427
3428         Reviewed by Filip Pizlo.
3429
3430         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
3431
3432         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
3433            first VM instance is constructed.  The end of the VM constructor calls
3434            Config::permanentlyFreeze() which will make the Config ReadOnly.
3435
3436            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
3437            OS(WINDOWS) will need to implement some missing pieces before it can enable
3438            this hardening (see FIXME in JSCConfig.cpp).
3439
3440            The hardening strategy here is to put immutable global values into the Config.
3441            Any modifications that need to be made to these values must be done before the
3442            first VM instance is done instantiating.  This ensures that no script will
3443            ever run while the Config is still writable.
3444
3445            Also, the policy for this hardening is that a process is opted in by default.
3446            If there's a valid need to disable this hardening (e.g. for some test
3447            environments), the relevant process will need to opt itself out by calling
3448            Config::configureForTesting().
3449
3450            The jsc shell, WK2 UI and WebContent processes are opted in by default.
3451            Only test processes may opt out.
3452
3453         2. Put all JSC::Options in the Config.  This enforces the invariant that options
3454            can only be changed before we instantiate a VM.  Once a VM is instantiated,
3455            the options are immutable.
3456
3457         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
3458            Options::forceGCSlowPaths this way is no longer allowed.
3459
3460         4. Re-factored the Options code (Options.h) into:
3461            - OptionEntry.h: the data structure that stores the option values.
3462            - OptionsList.h: the list of options.
3463            - Options.h: the Options singleton object which is the interface for accessing options.
3464
3465            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
3466            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
3467            "JSC_OPTIONS(FOR_EACH_OPTION)".
3468
3469         5. Change testapi to call Config::configureForTesting().  Parts of testapi make
3470            use of setting options in its tests.  Hence, this hardening is disabled for
3471            testapi.
3472
3473            Note: the jsc shell does enable this hardening.
3474
3475         6. Put ExecutableAllocator's immutable globals in the Config.
3476
3477         7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
3478            FunctionOverrides test utility.
3479
3480         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
3481
3482            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
3483            that are non-trivial at an eye's glance.  This includes (but is not limited to):
3484                constructors
3485                create() factory
3486                createStructure() factory
3487                finishCreation()
3488                HOST_CALL or operation functions
3489                Constructors and methods of utility and test classes
3490
3491            The only exceptions are some constexpr constructors used for instantiating
3492            globals (since these must have trivial constructors) e.g. DOMJITAttribute.
3493            Instead, these constructors should always be ALWAYS_INLINE.
3494
3495         * API/glib/JSCOptions.cpp:
3496         (jscOptionsSetValue):
3497         (jscOptionsGetValue):
3498         (jsc_options_foreach):
3499         (jsc_options_get_option_group):
3500         * API/tests/testapi.c:
3501         (main):
3502         * API/tests/testapi.cpp:
3503         (configureJSCForTesting):
3504         * CMakeLists.txt:
3505         * JavaScriptCore.xcodeproj/project.pbxproj:
3506         * Sources.txt:
3507         * jit/ExecutableAllocator.cpp:
3508         (JSC::isJITEnabled):
3509         (JSC::ExecutableAllocator::setJITEnabled):
3510         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
3511         (JSC::ExecutableAllocator::isValid const):
3512         (JSC::ExecutableAllocator::underMemoryPressure):
3513         (JSC::ExecutableAllocator::memoryPressureMultiplier):
3514         (JSC::ExecutableAllocator::allocate):
3515         (JSC::ExecutableAllocator::isValidExecutableMemory):
3516         (JSC::ExecutableAllocator::getLock const):
3517         (JSC::ExecutableAllocator::committedByteCount):
3518         (JSC::ExecutableAllocator::dumpProfile):
3519         (JSC::startOfFixedExecutableMemoryPoolImpl):
3520         (JSC::endOfFixedExecutableMemoryPoolImpl):
3521         (JSC::isJITPC):
3522         (JSC::dumpJITMemory):
3523         (JSC::ExecutableAllocator::initialize):
3524         (JSC::ExecutableAllocator::singleton):
3525         * jit/ExecutableAllocator.h:
3526         (JSC::performJITMemcpy):
3527         * jsc.cpp:
3528         (GlobalObject::finishCreation):
3529         (functionJSCOptions):
3530         (jscmain):
3531         (functionForceGCSlowPaths): Deleted.
3532         * runtime/ConfigFile.cpp:
3533         (JSC::ConfigFile::parse):
3534         * runtime/InitializeThreading.cpp:
3535         (JSC::initializeThreading):
3536         * runtime/JSCConfig.cpp: Added.
3537         (JSC::Config::disableFreezingForTesting):
3538         (JSC::Config::enableRestrictedOptions):
3539         (JSC::Config::permanentlyFreeze):
3540         * runtime/JSCConfig.h: Added.
3541         (JSC::Config::configureForTesting):
3542         * runtime/JSGlobalObject.cpp:
3543         (JSC::JSGlobalObject::exposeDollarVM):
3544         * runtime/OptionEntry.h: Added.
3545         (JSC::OptionRange::operator= ):
3546         (JSC::OptionRange::rangeString const):
3547         * runtime/Options.cpp:
3548         (JSC::Options::isAvailable):
3549         (JSC::scaleJITPolicy):
3550         (JSC::Options::initialize):
3551         (JSC::Options::setOptions):
3552         (JSC::Options::setOptionWithoutAlias):
3553         (JSC::Options::setAliasedOption):
3554         (JSC::Option::dump const):
3555         (JSC::Option::operator== const):
3556         (): Deleted.
3557         (JSC::Options::enableRestrictedOptions): Deleted.
3558         * runtime/Options.h:
3559         (JSC::Option::Option):
3560         (JSC::Option::defaultOption const):
3561         (JSC::Option::boolVal):
3562         (JSC::Option::unsignedVal):
3563         (JSC::Option::doubleVal):
3564         (JSC::Option::int32Val):
3565         (JSC::Option::optionRangeVal):
3566         (JSC::Option::optionStringVal):
3567         (JSC::Option::gcLogLevelVal):
3568         (JSC::OptionRange::operator= ): Deleted.
3569         (JSC::OptionRange::rangeString const): Deleted.
3570         * runtime/OptionsList.h: Added.
3571         (JSC::countNumberOfJSCOptions):
3572         * runtime/VM.cpp:
3573         (JSC::VM::VM):
3574         * tools/FunctionOverrides.cpp:
3575         (JSC::FunctionOverrides::FunctionOverrides):
3576         (JSC::FunctionOverrides::reinstallOverrides):
3577         (JSC::FunctionOverrides::initializeOverrideFor):
3578         (JSC::FunctionOverrides::parseOverridesInFile):
3579         * tools/JSDollarVM.cpp:
3580         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
3581         (JSC::JSDollarVMCallFrame::createStructure):
3582         (JSC::JSDollarVMCallFrame::create):
3583         (JSC::JSDollarVMCallFrame::finishCreation):
3584         (JSC::JSDollarVMCallFrame::addProperty):
3585         (JSC::Element::Element):
3586         (JSC::Element::create):
3587         (JSC::Element::createStructure):
3588         (JSC::Root::Root):
3589         (JSC::Root::create):
3590         (JSC::Root::createStructure):
3591         (JSC::SimpleObject::SimpleObject):
3592         (JSC::SimpleObject::create):
3593         (JSC::SimpleObject::createStructure):
3594         (JSC::ImpureGetter::ImpureGetter):
3595         (JSC::ImpureGetter::createStructure):
3596         (JSC::ImpureGetter::create):
3597         (JSC::ImpureGetter::finishCreation):
3598         (JSC::ImpureGetter::getOwnPropertySlot):
3599         (JSC::CustomGetter::CustomGetter):
3600         (JSC::CustomGetter::createStructure):
3601         (JSC::CustomGetter::create):
3602         (JSC::CustomGetter::getOwnPropertySlot):
3603         (JSC::CustomGetter::customGetter):
3604         (JSC::CustomGetter::customGetterAcessor):
3605         (JSC::RuntimeArray::create):
3606         (JSC::RuntimeArray::destroy):
3607         (JSC::RuntimeArray::getOwnPropertySlot):
3608         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
3609         (JSC::RuntimeArray::createPrototype):
3610         (JSC::RuntimeArray::createStructure):
3611         (JSC::RuntimeArray::finishCreation):
3612         (JSC::RuntimeArray::RuntimeArray):
3613         (JSC::RuntimeArray::lengthGetter):
3614         (JSC::DOMJITNode::DOMJITNode):
3615         (JSC::DOMJITNode::createStructure):
3616         (JSC::DOMJITNode::checkSubClassSnippet):
3617         (JSC::DOMJITNode::create):
3618         (JSC::DOMJITGetter::DOMJITGetter):
3619         (JSC::DOMJITGetter::createStructure):
3620         (JSC::DOMJITGetter::create):
3621         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3622         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3623         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3624         (JSC::DOMJITGetter::customGetter):
3625         (JSC::DOMJITGetter::finishCreation):
3626         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
3627         (JSC::DOMJITGetterComplex::createStructure):
3628         (JSC::DOMJITGetterComplex::create):
3629         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3630         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3631         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3632         (JSC::DOMJITGetterComplex::functionEnableException):
3633         (JSC::DOMJITGetterComplex::customGetter):
3634         (JSC::DOMJITGetterComplex::finishCreation):
3635         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
3636         (JSC::DOMJITFunctionObject::createStructure):
3637         (JSC::DOMJITFunctionObject::create):
3638         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
3639         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
3640         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
3641         (JSC::DOMJITFunctionObject::finishCreation):
3642         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3643         (JSC::DOMJITCheckSubClassObject::createStructure):
3644         (JSC::DOMJITCheckSubClassObject::create):
3645         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
3646         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
3647         (JSC::DOMJITCheckSubClassObject::finishCreation):
3648         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
3649         (JSC::DOMJITGetterBaseJSObject::createStructure):
3650         (JSC::DOMJITGetterBaseJSObject::create):
3651         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
3652         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3653         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
3654         (JSC::DOMJITGetterBaseJSObject::customGetter):
3655         (JSC::DOMJITGetterBaseJSObject::finishCreation):
3656         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
3657         (JSC::JSTestCustomGetterSetter::create):
3658         (JSC::JSTestCustomGetterSetter::createStructure):
3659         (JSC::customSetAccessor):
3660         (JSC::customSetValue):
3661         (JSC::JSTestCustomGetterSetter::finishCreation):
3662         (JSC::Element::handleOwner):
3663         (JSC::Element::finishCreation):
3664         (JSC::WasmStreamingParser::WasmStreamingParser):
3665         (JSC::WasmStreamingParser::create):
3666         (JSC::WasmStreamingParser::createStructure):
3667         (JSC::WasmStreamingParser::finishCreation):
3668         (JSC::functionWasmStreamingParserAddBytes):
3669         (JSC::functionWasmStreamingParserFinalize):
3670         (JSC::functionCrash):
3671         (JSC::functionBreakpoint):
3672         (JSC::functionDFGTrue):
3673         (JSC::functionFTLTrue):
3674         (JSC::functionCpuMfence):
3675         (JSC::functionCpuRdtsc):
3676         (JSC::functionCpuCpuid):
3677         (JSC::functionCpuPause):
3678         (JSC::functionCpuClflush):
3679         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3680         (JSC::getExecutableForFunction):
3681         (JSC::functionLLintTrue):
3682         (JSC::functionJITTrue):
3683         (JSC::functionNoInline):
3684         (JSC::functionGC):
3685         (JSC::functionEdenGC):
3686         (JSC::functionDumpSubspaceHashes):
3687         (JSC::functionCallFrame):
3688         (JSC::functionCodeBlockForFrame):
3689         (JSC::codeBlockFromArg):
3690         (JSC::functionCodeBlockFor):
3691         (JSC::functionDumpSourceFor):
3692         (JSC::functionDumpBytecodeFor):
3693         (JSC::doPrint):
3694         (JSC::functionDataLog):
3695         (JSC::functionPrint):
3696         (JSC::functionDumpCallFrame):
3697         (JSC::functionDumpStack):
3698         (JSC::functionDumpRegisters):
3699         (JSC::functionDumpCell):
3700         (JSC::functionIndexingMode):
3701         (JSC::functionInlineCapacity):
3702         (JSC::functionValue):
3703         (JSC::functionGetPID):
3704         (JSC::functionHaveABadTime):
3705         (JSC::functionIsHavingABadTime):
3706         (JSC::functionCreateGlobalObject):
3707         (JSC::functionCreateProxy):
3708         (JSC::functionCreateRuntimeArray):
3709         (JSC::functionCreateNullRopeString):
3710         (JSC::functionCreateImpureGetter):
3711         (JSC::functionCreateCustomGetterObject):
3712         (JSC::functionCreateDOMJITNodeObject):
3713         (JSC::functionCreateDOMJITGetterObject):
3714         (JSC::functionCreateDOMJITGetterComplexObject):
3715         (JSC::functionCreateDOMJITFunctionObject):
3716         (JSC::functionCreateDOMJITCheckSubClassObject):
3717         (JSC::functionCreateDOMJITGetterBaseJSObject):
3718         (JSC::functionCreateWasmStreamingParser):
3719         (JSC::functionSetImpureGetterDelegate):
3720         (JSC::functionCreateBuiltin):
3721         (JSC::functionGetPrivateProperty):
3722         (JSC::functionCreateRoot):
3723         (JSC::functionCreateElement):
3724         (JSC::functionGetElement):
3725         (JSC::functionCreateSimpleObject):
3726         (JSC::functionGetHiddenValue):
3727         (JSC::functionSetHiddenValue):
3728         (JSC::functionShadowChickenFunctionsOnStack):
3729         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
3730         (JSC::functionFindTypeForExpression):
3731         (JSC::functionReturnTypeFor):
3732         (JSC::functionFlattenDictionaryObject):
3733         (JSC::functionDumpBasicBlockExecutionRanges):
3734         (JSC::functionHasBasicBlockExecuted):
3735         (JSC::functionBasicBlockExecutionCount):
3736         (JSC::functionEnableExceptionFuzz):
3737         (JSC::changeDebuggerModeWhenIdle):
3738         (JSC::functionEnableDebuggerModeWhenIdle):
3739         (JSC::functionDisableDebuggerModeWhenIdle):
3740         (JSC::functionDeleteAllCodeWhenIdle):
3741         (JSC::functionGlobalObjectCount):
3742         (JSC::functionGlobalObjectForObject):
3743         (JSC::functionGetGetterSetter):
3744         (JSC::functionLoadGetterFromGetterSetter):
3745         (JSC::functionCreateCustomTestGetterSetter):
3746         (JSC::functionDeltaBetweenButterflies):
3747         (JSC::functionTotalGCTime):
3748         (JSC::functionParseCount):
3749         (JSC::functionIsWasmSupported):
3750         (JSC::JSDollarVM::finishCreation):
3751         (JSC::JSDollarVM::addFunction):
3752         (JSC::JSDollarVM::addConstructibleFunction):
3753         * tools/JSDollarVM.h:
3754
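A worked model of the freeze described in points 1, 2 and 8 of the entry above, added here as an illustration and not WebKit or JSC code: a Config struct mapped into its own page, a setter that is honoured only before the first VM exists, a VM constructor whose last act is mprotect()ing the page read-only, and a probe that shows a raw store into the frozen page faults instead of changing an option. The struct layout, the option names (useJIT, useDollarVM, gcHeapSizeKB) and every function name are assumptions made for this example; the signal-handling probe is the example's own device, not anything in JSCConfig.cpp.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical option set and Config layout (assumptions, not JSC's). */
struct Options { bool useJIT; bool useDollarVM; unsigned gcHeapSizeKB; };
struct Config {
    struct Options options;
    bool isPermanentlyFrozen;          /* last field written before mprotect() */
    bool disabledFreezingForTesting;   /* the configureForTesting() opt-out */
};

static struct Config *g_config;        /* mapped alone in its own page */
static size_t g_configBytes;

/* Lazily maps the Config into a dedicated page so mprotect() covers only it. */
struct Config *config(void)
{
    if (g_config) return g_config;
    g_configBytes = (size_t)sysconf(_SC_PAGESIZE);   /* the struct fits in one page */
    void *p = mmap(NULL, g_configBytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { perror("mmap"); abort(); }
    g_config = p;                      /* anonymous mappings start zeroed */
    g_config->options.useJIT = true;   /* defaults */
    return g_config;
}

/* Test-only opt-out; has no effect once the first VM has frozen the Config. */
void config_disable_freezing_for_testing(void)
{
    if (!config()->isPermanentlyFrozen)
        config()->disabledFreezingForTesting = true;
}

/* Final step of the first VM constructor: flips the page read-only for good. */
void config_permanently_freeze(void)
{
    struct Config *c = config();
    if (c->disabledFreezingForTesting || c->isPermanentlyFrozen) return;
    c->isPermanentlyFrozen = true;
    if (mprotect(c, g_configBytes, PROT_READ) != 0) { perror("mprotect"); abort(); }
}

/* Setter used while parsing options; refuses once frozen. The flag it checks
 * sits inside the read-only page, so nothing can flip it back. */
bool config_set_use_dollar_vm(bool enabled)
{
    if (config()->isPermanentlyFrozen) return false;
    config()->options.useDollarVM = enabled;
    return true;
}

static int g_vmCount;
/* Stand-in for the VM constructor; freezing is its last act, so no script can
 * ever run while the Config is writable. Returns the VM count. */
int vm_create(void)
{
    g_vmCount++;
    config_permanently_freeze();
    return g_vmCount;
}

/* Probe: attempt a raw store into the Config under a fault handler. Once frozen
 * the MMU traps it, so even code that bypasses the setter cannot change an
 * option; the handler longjmps out and the store never lands. */
static sigjmp_buf g_faultJump;
static void on_fault(int sig) { (void)sig; siglongjmp(g_faultJump, 1); }

bool config_is_writable(void)
{
    volatile struct Config *c = config();
    struct sigaction sa, oldSegv, oldBus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &oldSegv);
    sigaction(SIGBUS, &sa, &oldBus);   /* macOS reports this fault as SIGBUS */
    volatile bool writable = false;
    if (sigsetjmp(g_faultJump, 1) == 0) {
        c->options.gcHeapSizeKB = c->options.gcHeapSizeKB;   /* same value back */
        writable = true;
    }
    sigaction(SIGSEGV, &oldSegv, NULL);
    sigaction(SIGBUS, &oldBus, NULL);
    return writable;
}

int main(void)
{
    config_set_use_dollar_vm(true);    /* the jsc shell parses its options here */
    printf("writable before first VM: %d\n", config_is_writable());
    printf("vm count: %d\n", vm_create());
    printf("writable after first VM: %d\n", config_is_writable());
    printf("setter accepted after freeze: %d\n", config_set_use_dollar_vm(false));
    return 0;
}
```

The probe installs the SIGSEGV/SIGBUS handler only around its one test store; production code would let the fault crash the process, which is the point of the hardening. The freeze is one-way by construction: the flag that records it lives inside the page that becomes read-only, so the opt-out and the setter both become no-ops after the first VM.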
3755 2019-09-11  Devin Rousso  <drousso@apple.com>
3756
3757         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
3758         https://bugs.webkit.org/show_bug.cgi?id=201650
3759
3760         Reviewed by Joseph Pecoraro.
3761
3762         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
3763
3764         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
3765         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
3766         `-webkit-canvas` client of a `WebGPUDevice`.
3767
3768         * inspector/protocol/Canvas.json:
3769          - Add `powerPreference` key to `ContextAttributes` type.
3770          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
3771          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
3772          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
3773            really a "canvas".
3774
3775 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
3776
3777         [JSC] Add StringCodePointAt intrinsic
3778         https://bugs.webkit.org/show_bug.cgi?id=201673
3779
3780         Reviewed by Michael Saboff.
3781
3782         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL as we are doing for String#charCodeAt.
3783         This patch adds this support for String#codePointAt to get a ~10% score improvement in JetStream2/UniPoker.
3784
3785         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as a StringCodePointAt node, and emit
3786         inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as StringCharAt's. It has String array-mode, so it emits
3787         a preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
3788         check. This is just the same as the existing StringCharCodeAt mechanism.
3789
3790         * dfg/DFGAbstractInterpreterInlines.h:
3791         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3792         * dfg/DFGBackwardsPropagationPhase.cpp:
3793         (JSC::DFG::BackwardsPropagationPhase::propagate):
3794         * dfg/DFGByteCodeParser.cpp:
3795         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3796         * dfg/DFGClobberize.h:
3797         (JSC::DFG::clobberize):
3798         * dfg/DFGDoesGC.cpp:
3799         (JSC::DFG::doesGC):
3800         * dfg/DFGFixupPhase.cpp:
3801         (JSC::DFG::FixupPhase::fixupNode):
3802         * dfg/DFGNode.h:
3803         (JSC::DFG::Node::hasArrayMode):
3804         * dfg/DFGNodeType.h:
3805         * dfg/DFGPredictionPropagationPhase.cpp:
3806         * dfg/DFGSafeToExecute.h:
3807         (JSC::DFG::safeToExecute):
3808         * dfg/DFGSpeculativeJIT.h:
3809         * dfg/DFGSpeculativeJIT32_64.cpp:
3810         (JSC::DFG::SpeculativeJIT::compile):
3811         * dfg/DFGSpeculativeJIT64.cpp:
3812         (JSC::DFG::SpeculativeJIT::compile):
3813         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
3814         * ftl/FTLCapabilities.cpp:
3815         (JSC::FTL::canCompile):
3816         * ftl/FTLLowerDFGToB3.cpp:
3817         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3818         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
3819         * jit/JITInlines.h:
3820         (JSC::JIT::emitLoadCharacterString):
3821         * jit/ThunkGenerators.cpp:
3822         (JSC::stringGetByValGenerator):
3823         (JSC::stringCharLoad):
3824         (JSC::stringPrototypeCodePointAtThunkGenerator):
3825         * jit/ThunkGenerators.h:
3826         * runtime/Intrinsic.cpp:
3827         (JSC::intrinsicName):
3828         * runtime/Intrinsic.h:
3829         * runtime/StringPrototype.cpp:
3830         (JSC::StringPrototype::finishCreation):
3831         * runtime/VM.cpp:
3832         (JSC::thunkGeneratorForIntrinsic):
3833
3834 2019-09-11  Michael Saboff  <msaboff@apple.com>
3835
3836         JSC crashes due to stack overflow while building RegExp
3837         https://bugs.webkit.org/show_bug.cgi?id=201649
3838
3839         Reviewed by Yusuke Suzuki.
3840
3841         Check for running out of stack when we are optimizing RegExp containing BOL terms or
3842         other deep copying of disjunctions.
3843
3844         * yarr/YarrPattern.cpp:
3845         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
3846         (JSC::Yarr::YarrPatternConstructor::copyTerm):
3847         (JSC::Yarr::YarrPatternConstructor::error):
3848         (JSC::Yarr::YarrPattern::compile):
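A stack-exhaustion guard of the kind the fix above describes, added here as an illustration and not WebKit's YarrPattern.cpp code: a recursive copier for a toy disjunction tree checks the remaining stack before descending into each level and reports an error the caller can surface as a pattern error, instead of overflowing and crashing. The tree layout, the relative stack budget (measured from the copy's entry point rather than the thread's real stack bounds) and all names are assumptions made for this example; the nested input is constructed in the block itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum CopyError { COPY_OK = 0, COPY_ERR_TOO_DEEP = 1 };

/* Toy pattern tree (illustration only): a disjunction holds terms, and a term
 * is either a literal or a parenthesised group holding a nested disjunction. */
struct Disjunction;
struct Term { struct Disjunction *group; };   /* NULL for a literal */
struct Disjunction { size_t termCount; struct Term **terms; };

/* Stack budget for one copy: the stack position at entry plus how many bytes
 * the recursion may consume. A real engine derives this from the thread's
 * stack bounds; a relative budget is assumed here to stay self-contained. */
struct StackGuard { uintptr_t base; size_t budget; };

static void stack_guard_init(struct StackGuard *g, size_t budget)
{
    volatile char marker = 0;
    g->base = (uintptr_t)&marker;
    g->budget = budget;
}

static bool stack_has_room(const struct StackGuard *g)
{
    volatile char marker = 0;
    uintptr_t here = (uintptr_t)&marker;
    size_t used = here < g->base ? g->base - here : here - g->base;  /* either growth direction */
    return used < g->budget;
}

static void free_disjunction(struct Disjunction *d);
static void free_term(struct Term *t)
{
    if (!t) return;
    free_disjunction(t->group);
    free(t);
}
static void free_disjunction(struct Disjunction *d)
{
    if (!d) return;
    for (size_t i = 0; i < d->termCount; i++) free_term(d->terms[i]);
    free(d->terms);
    free(d);
}

static struct Disjunction *copy_disjunction(const struct Disjunction *, struct StackGuard *, enum CopyError *);

static struct Term *copy_term(const struct Term *src, struct StackGuard *g, enum CopyError *err)
{
    struct Term *dst = calloc(1, sizeof *dst);
    if (src->group) {
        dst->group = copy_disjunction(src->group, g, err);   /* the recursion */
        if (*err) { free_term(dst); return NULL; }
    }
    return dst;
}

static struct Disjunction *copy_disjunction(const struct Disjunction *src, struct StackGuard *g, enum CopyError *err)
{
    /* Check before allocating: an over-deep pattern fails with an error the
     * caller can report instead of a stack overflow. */
    if (!stack_has_room(g)) { *err = COPY_ERR_TOO_DEEP; return NULL; }
    struct Disjunction *dst = calloc(1, sizeof *dst);
    dst->terms = calloc(src->termCount + 1, sizeof *dst->terms);
    dst->termCount = src->termCount;
    for (size_t i = 0; i < src->termCount; i++) {
        dst->terms[i] = copy_term(src->terms[i], g, err);
        if (*err) { free_disjunction(dst); return NULL; }
    }
    return dst;
}

/* Constructed input: "(((...(a)...)))" nested `depth` deep, built iteratively
 * so the input itself cannot overflow the stack. */
static struct Disjunction *make_nested(size_t depth)
{
    struct Disjunction *d = calloc(1, sizeof *d);        /* innermost literal "a" */
    d->termCount = 1;
    d->terms = calloc(1, sizeof *d->terms);
    d->terms[0] = calloc(1, sizeof(struct Term));
    for (size_t i = 0; i < depth; i++) {
        struct Disjunction *outer = calloc(1, sizeof *outer);
        outer->termCount = 1;
        outer->terms = calloc(1, sizeof *outer->terms);
        outer->terms[0] = calloc(1, sizeof(struct Term));
        outer->terms[0]->group = d;
        d = outer;
    }
    return d;
}

static size_t nesting_depth(const struct Disjunction *d)
{
    size_t n = 0;
    while (d->termCount == 1 && d->terms[0]->group) { d = d->terms[0]->group; n++; }
    return n;
}

/* Copies a pattern nested `depth` deep under `budget` bytes of stack.
 * Returns the nesting depth of the copy, or -1 if the guard refused. */
long copy_depth_or_error(size_t depth, size_t budget)
{
    struct Disjunction *src = make_nested(depth), *dst = NULL;
    struct StackGuard g;
    enum CopyError err = COPY_OK;
    stack_guard_init(&g, budget);
    dst = copy_disjunction(src, &g, &err);
    long result = err == COPY_OK ? (long)nesting_depth(dst) : -1;
    free_disjunction(dst);
    free_disjunction(src);
    return result;
}

int main(void)
{
    printf("depth 8 under 64 KiB:    %ld\n", copy_depth_or_error(8, 64 * 1024));
    printf("depth 5000 under 32 KiB: %ld\n", copy_depth_or_error(5000, 32 * 1024));
    return 0;
}
```

The check sits at the top of the recursive function, before any allocation, so partial copies are unwound and freed on the error path; the budget is deliberately far smaller than a real thread stack so the refusal is reached long before the process would actually fault.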
3849
3850 2019-09-11  Truitt Savell  <tsavell@a