7ef3484716b888e10e080c31622d7aa1f3081005
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>

        Non-standard Error properties should not be enumerable
        https://bugs.webkit.org/show_bug.cgi?id=198975

        Reviewed by Ross Kirsling.

        Define non-standard Error properties "line", "column", and "sourceURL" as non-enumerable to match other engines.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):

2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
        https://bugs.webkit.org/show_bug.cgi?id=202299
        <rdar://problem/52669116>

        Reviewed by Saam Barati.

        When converting a recursive tail call to a jump to the upper call frame, we picked a call-frame that is spread by LoadVarargs.
        This is wrong since this call-frame does not know the exact number of arguments. We are using InlineCallFrame::argumentCountIncludingThis,
        but this is the maximal argumentCountIncludingThis when the InlineCallFrame is a varargs call-frame. Let's look at a simple example.

            'use strict';
            var count = 0;
            function foo() {
                count--;
                if (count === 0)
                    return 30;
                return foo(42, 42); // HERE
            }

            function test() {
                count = 100;
                return foo(...[42, 42]); // THERE
            }
            noInline(test);

        In the above case, currently, we convert HERE's foo call to a jump to the prologue of the foo function inlined by "test". But since foo is called
        in a varargs form, "test" emits LoadVarargs, and it also emits `SetArgumentMaybe` for the 1st and 2nd arguments. Since HERE's foo call is actually passing
        two arguments, we emit a Phi node whose Upsilon is from SetArgumentMaybe and the 42 Constant. This is wrong since SetArgumentMaybe should not be used. Later,
        the SSA conversion phase emits an Upsilon with SetArgumentMaybe, and since SetArgumentMaybe is simply removed in the SSA conversion phase, it ends up emitting
        an Upsilon without a child.

        We currently only perform recursive-tail-call optimization when the argument count matches. Given this condition, we should not pick a varargs CallFrame
        as a jump target.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):

2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>

        toExponential, toFixed, and toPrecision should allow arguments up to 100
        https://bugs.webkit.org/show_bug.cgi?id=199163

        Reviewed by Ross Kirsling.

        Previously, the spec gave a fixed range of [0,20] for the Number.prototype.{toExponential,toFixed} argument and
        a range of [1,21] for the Number.prototype.toPrecision argument, but allowed implementations to permit a larger range.
        Historically, only SpiderMonkey accepted a larger range, and other implementations threw a RangeError outside the range.
        Later the spec was changed (see https://github.com/tc39/ecma262/pull/857) to specify the SpiderMonkey behavior.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential): Accept arguments between 0 and 100.
        (JSC::numberProtoFuncToFixed): Accept arguments between 0 and 100.
        (JSC::numberProtoFuncToPrecision): Accept arguments between 1 and 100.
        (JSC::getIntegerArgumentInRange): Inline to improve readability.

2019-09-26  Mark Lam  <mark.lam@apple.com>

        We need to initialize the Gigacage first in setJITEnabled() when disabling the JIT.
        https://bugs.webkit.org/show_bug.cgi?id=202257

        Reviewed by Saam Barati.

        Because of an OS quirk, even after the JIT region has been unmapped, the OS thinks
        that region is reserved, and as such, can cause Gigacage allocation to fail.  We
        work around this by initializing the Gigacage first.

        Note: when called, setJITEnabled() is always called extra early in the process
        bootstrap.  Under normal operation (when setJITEnabled() isn't called at all), we
        will naturally initialize the Gigacage before we allocate the JIT region.
        Hence, this workaround is merely ensuring the same behavior of allocation ordering.

        This patch only applies to iOS.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::setJITEnabled):

2019-09-25  Guillaume Emont  <guijemont@igalia.com>

        testapi: slow devices need more time before watchdog fires
        https://bugs.webkit.org/show_bug.cgi?id=202149

        Reviewed by Mark Lam.

        In testExecutionTimeLimit(), the time that we leave for the watchdog
        to fire is often not enough on (slower) arm and mips devices, creating
        a testapi failure.
        This change also skips FTL-specific testing when FTL is disabled.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testExecutionTimeLimit):

2019-09-24  Christopher Reid  <chris.reid@sony.com>

        [WinCairo] Start RemoteInspectorServer
        https://bugs.webkit.org/show_bug.cgi?id=199938
        <rdar://problem/53323048>

        Reviewed by Fujii Hironori.

        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:
          - Fixed some network byte order issues
          - Need to check for POLLHUP in isReadable as closed Windows sockets don't have POLLIN set

2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
        https://bugs.webkit.org/show_bug.cgi?id=154376

        Reviewed by Ross Kirsling.

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty): Remove resolved FIXME comments.

2019-09-24  Alexey Proskuryakov  <ap@apple.com>

        JavaScriptCore (still) doesn't unlock the engineering keychain
        https://bugs.webkit.org/show_bug.cgi?id=202123

        Reviewed by Dan Bernstein.

        Unlike WebKit, JavaScriptCore only defines CODE_SIGN_IDENTITY in ToolExecutable
        configuration, not in DebugRelease. As a result, it's not defined when running
        the script for Unlock Keychain phase.

        Fix this by moving CODE_SIGN_IDENTITY to DebugRelease configuration, matching
        WebKit. As a result, we are now using consistent signing options in all targets.

        * Configurations/DebugRelease.xcconfig:
        * Configurations/ToolExecutable.xcconfig:
        When moving, removed a special case for Production, as that's never used with
        DebugRelease (also, the Profile case was incorrect).

2019-09-24  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueBitRShift into DFG
        https://bugs.webkit.org/show_bug.cgi?id=192663

        Reviewed by Robin Morisset.

        We are introducing a new node called ValueBitRShift that is
        responsible for handling speculation of `UntypedUse` and `BigIntUse` during
        DFG. Following the approach of other bitwise operations, we
        now have 2 nodes to handle the ">>" operator during JIT, mainly because
        of the introduction of BigInt, which makes this operator's result
        either Int32 or BigInt. We renamed `BitRShift` to `ArithBitRShift`; that
        node handles Integer and Number speculation and can only return
        Int32 values.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Opcode.h:

        Adding ValueProfile support to `op_rshift`, to be used during
        prediction propagation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

        Adding support to still do constant propagation of ValueBitRShift when
        it is `UntypedUse`.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

        `ValueBitRShift` can trigger GC when it is `BigIntUse` because the
        operation `JSBigInt::signedRightShift` potentially allocates new
        JSBigInts. It can also trigger GC when it is `UntypedUse` because it
        can execute arbitrary code.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        The fixup rule of `ValueBitRShift` checks whether it should fix up for
        `BigIntUse` or `UntypedUse`. If those checks fail, we fall back to
        `ArithBitRShift`.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNumericResult):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:

        We are using the same rule used by `ValueBitLShift` to propagate
        types. We try to propagate the type based on the operation's input, but
        fall back to `getHeapPrediction()` if this is not possible.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
        (JSC::DFG::SpeculativeJIT::compileShiftOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shiftOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitRShift): Deleted.
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2019-09-24  Mark Lam  <mark.lam@apple.com>

        Refactor cellSize() out of VMInspector::verifyCellSize().
        https://bugs.webkit.org/show_bug.cgi?id=202132

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CellSize.h: Added.
        (JSC::isDynamicallySizedType):
        (JSC::cellSize):
        * runtime/DirectArguments.h:
        * runtime/JSBigInt.h:
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSType.h:
        (JSC::isDynamicallySizedType): Deleted.
        * tools/VMInspectorInlines.h:
        (JSC::VMInspector::verifyCellSize):

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Introducing Integrity audit functions.
        https://bugs.webkit.org/show_bug.cgi?id=202085

        Reviewed by Saam Barati.

        This patch's main goal is to introduce the Integrity audit functions.  They can
        be used wherever we want to audit a cell to probabilistically ensure it is not
        corrupted.  However, to keep this patch small, we will only introduce the audit
        tool here with one example use in SlotVisitor.  We'll follow up later with more
        patches to deploy this tool throughout the VM.

        1. Introduced Integrity audit functions that can be configured at several
           AuditLevels:
               None - don't do any audits.
               Minimal - do a minimal quick audit (minimize perf impact).
               Full - do a full audit of the many aspects of a cell.
               Random - randomly do a full audit with a probability dictated by
                    Options::randomIntegrityAuditRate() between 0.0 (never audit) and
                    1.0 (audit at every chance).

           The default AuditLevel for Debug builds is Random.
           The default AuditLevel for Release builds is None.
           The default Options::randomIntegrityAuditRate() is 0.05.

           How do full audits work?
           ========================
           The full audit uses the VMInspector::verifyCell() template function to do its
           job.  The reason for keeping this separate is to allow the template function
           to be used later for debug checks that want to take some custom action on
           verification failure instead of crashing with a RELEASE_ASSERT.

           Full audit of a cell pointer includes:
           a. Verify that a cell designated as a LargeAllocation is in the heap's
              set of LargeAllocations.

           b. Verify that a cell not designated as a LargeAllocation is actually in its
              MarkedBlock's bounds.

           c. Verify that the cell's container (LargeAllocation / MarkedBlock) actually
              belongs to the current VM.

           d. Verify that a cell in a MarkedBlock is properly aligned on the block's
              allocation unit size.

           e. If the cell is not an ImmutableButterfly, verify that it is not located in
              the Gigacage.

           f. Verify that the cell's JSType matches its StructureBlob's JSType.

           g. Verify that the cell size as dictated by the cell ClassInfo does not exceed
              the size of the allocation unit size (as expected by the container
              MarkedBlock or LargeAllocation).

              Some cells are dynamically sized (see isDynamicallySizedType()).  For these
              cells, we compute their sizes and verify that the size does not exceed the
              allocation unit size.  Their sizes should also be greater than or equal to the
              static cell size as dictated by their ClassInfo.

           h. If a cell has a butterfly, verify that the butterfly is in the JSValue
              Gigacage.

           We can add more verifications later, or make some of these more robust, but this
           is a start for now.

           How do random audits work?
           ==========================
           Random audits are triggered by the m_triggerBits bits in VM::m_integrityRandom.
           m_triggerBits is a 64-bit bitfield.

           If Options::randomIntegrityAuditRate() is 0, m_triggerBits will always be 0,
           and no audits will be done.

           If Options::randomIntegrityAuditRate() is non-zero, m_triggerBits will be
           initialized as follows:

                | 1 reload bit | ... 63 trigger bits ... |

           The reload bit is always set (more details below).
           Each of the 63 trigger bits is randomly set depending on whether the following is true
           for the bit:

                VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX

           When Integrity::auditCell() is called, we take the bottom bit as the trigger
           bit for the current cell, and shift the rest down by 1.

           If m_triggerBits is non-null after the shift, the taken trigger bit will dictate
           whether we do a full audit on the current cell or not.

           Once the reload bit reaches the bottom, we call a reload function to
           re-initialize m_triggerBits.  The reload function also returns a bool
           indicating whether to trigger a full audit of the current cell.

           With this scheme, we only need to call the reload function once every 64 calls
           to Integrity::auditCell(), and can efficiently determine whether to trigger
           the audit the other 63 times with the probability specified in
           Options::randomIntegrityAuditRate().

        2. Embedded the C++ class size of JSCells into their ClassInfo.  This is used in
           the full audits to verify cell sizes.

        3. Added isDynamicallySizedType() to check if a JSType has a dynamic size allocation,
           i.e. the size of instances of this type is not determined by the static C++
           size of its class, but rather, depends on some runtime variable.

        4. Made the VMInspector a friend of several classes so that it can access their
           private methods and fields.

        5. Moved the inline function JSBigInt::allocationSize() from BigInt.cpp to its
           header file so that we can use it in VMInspector::verifyCellSize().

        6. Gave the JSModuleNamespaceObject() its own JSType so that we can identify it
           as a dynamically sized object.

        7. Increased the randomness of VM::random() (which is implemented with WeakRandom)
           by re-seeding it with a cryptographically random number each GC.

        8. Called Integrity::auditCell() on SlotVisitor::appendJSCellOrAuxiliary()'s cell
           as an example use of auditCell().  More uses will be added in later patches to
           follow.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/Heap.cpp:
        (JSC::Heap::runBeginPhase):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocationSize): Deleted.
        * runtime/JSBigInt.h:
        (JSC::JSBigInt::allocationSize):
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:
        (JSC::isDynamicallySizedType):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/OptionsList.h:
        * runtime/Structure.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::random):
        (JSC::VM::integrityRandom):
        * tools/Integrity.cpp: Added.
        (JSC::Integrity::Random::Random):
        (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
        (JSC::Integrity::auditCellFully):
        (JSC::Integrity::auditCellMinimallySlow):
        * tools/Integrity.h: Added.
        (JSC::Integrity::auditCell):
        * tools/IntegrityInlines.h: Added.
        (JSC::Integrity::Random::shouldAudit):
        (JSC::Integrity::auditCellMinimally):
        (JSC::Integrity::auditCellRandomly):
        * tools/VMInspector.h:
        (JSC::VMInspector::unusedVerifier):
        (JSC::VMInspector::verifyCellSize):
        * tools/VMInspectorInlines.h: Added.
        (JSC::VMInspector::verifyCellSize):
        (JSC::VMInspector::verifyCell):

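The m_triggerBits scheme described in the entry above, as an added stand-alone C++ model that is not JSC's Integrity::Random or WeakRandom code. The class names, the xorshift-based ToyRandom stand-in for VM::random(), and the choice that the call which consumes the reload bit gets its own fresh draw are this example's assumptions; the "| 1 reload bit | 63 trigger bits |" layout, the "random() <= rate * UINT_MAX" test and the one-reload-per-64-calls property are the entry's.

```cpp
#include <climits>
#include <cstdint>

// Stand-in for VM::random() (JSC uses WeakRandom; this is not it): one xorshift64*
// step per call, seeded deterministically so the example is reproducible offline.
class ToyRandom {
public:
    explicit ToyRandom(uint64_t seed) : m_state(seed ? seed : 0x9E3779B97F4A7C15ull) { }

    uint32_t getUint32()
    {
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return static_cast<uint32_t>((m_state * 0x2545F4914F6CDD1Dull) >> 32);
    }

private:
    uint64_t m_state;
};

// Model of m_triggerBits: | 1 reload bit | ... 63 trigger bits ... |
class TriggerBits {
public:
    static constexpr unsigned numberOfTriggerBits = 63;

    TriggerBits(double auditRate, uint64_t seed)
        : m_random(seed)
        // Threshold for the test "VM::random() <= auditRate * UINT_MAX".
        , m_threshold(static_cast<uint64_t>(auditRate * UINT_MAX))
    {
        // A rate of 0 leaves every bit clear, so nothing is ever audited or reloaded.
        m_triggerBits = m_threshold ? initialTriggerBits() : 0;
    }

    // Called once per audited cell; returns whether this cell gets a full audit.
    bool shouldAudit()
    {
        if (!m_triggerBits)
            return false;
        bool trigger = m_triggerBits & 1; // Bottom bit decides for the current cell.
        m_triggerBits >>= 1;
        if (m_triggerBits)
            return trigger; // The reload bit has not reached the bottom yet.
        // The bit just consumed was the reload bit: refill on the slow path.
        return reloadAndCheckShouldAuditSlow();
    }

    uint64_t reloadCount() const { return m_reloadCount; }

private:
    bool drawTrigger() { return m_random.getUint32() <= m_threshold; }

    uint64_t initialTriggerBits()
    {
        uint64_t bits = 0;
        for (unsigned i = 0; i < numberOfTriggerBits; ++i)
            bits |= static_cast<uint64_t>(drawTrigger()) << i;
        bits |= uint64_t(1) << numberOfTriggerBits; // The reload bit is always set.
        return bits;
    }

    bool reloadAndCheckShouldAuditSlow()
    {
        ++m_reloadCount;
        m_triggerBits = initialTriggerBits();
        // Assumption of this example: the cell that consumed the reload bit gets
        // its own fresh draw at the same rate.
        return drawTrigger();
    }

    ToyRandom m_random;
    uint64_t m_threshold;
    uint64_t m_triggerBits { 0 };
    uint64_t m_reloadCount { 0 };
};

// Runs `calls` audit decisions and returns how many cells would get a full audit.
inline uint64_t countAudits(double auditRate, uint64_t calls, uint64_t seed = 42)
{
    TriggerBits bits(auditRate, seed);
    uint64_t audited = 0;
    for (uint64_t i = 0; i < calls; ++i)
        audited += bits.shouldAudit() ? 1 : 0;
    return audited;
}

// Same run, but reports how often the slow reload path was taken (once per 64 calls).
inline uint64_t countReloads(double auditRate, uint64_t calls, uint64_t seed = 42)
{
    TriggerBits bits(auditRate, seed);
    for (uint64_t i = 0; i < calls; ++i)
        bits.shouldAudit();
    return bits.reloadCount();
}
```

Driving countAudits(0.5, 64000) lands near 32000 audits, countAudits(0.0, n) is always 0 and countAudits(1.0, n) is always n, and countReloads(0.5, 6400) is exactly 100: 63 cheap bit tests between every two calls to the slow reload path.
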
2019-09-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r250262.
        https://bugs.webkit.org/show_bug.cgi?id=202126

        "Breaks Win64 builds because of MSVC bug" (Requested by mlam|a
        on #webkit).

        Reverted changeset:

        "Reduce the amount of memory needed to store Options."
        https://bugs.webkit.org/show_bug.cgi?id=202105
        https://trac.webkit.org/changeset/250262

2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>

        Array methods should throw TypeError upon attempting to modify a string
        https://bugs.webkit.org/show_bug.cgi?id=201910

        Reviewed by Keith Miller.

        We currently allow Array prototype methods to modify strings that they are called upon in certain cases.
        (In particular, we're inconsistent about permitting writes to the length property.)

        According to section 22.1.3 of the ES spec, this should result in a TypeError.
        https://tc39.es/ecma262/#sec-properties-of-the-array-prototype-object
        (Test262 cases are needed, but the key is that all such methods use Set(..., true) which throws on failure.)

        * runtime/ArrayPrototype.cpp:
        (JSC::putLength):
        (JSC::setLength):
        Never update the length property of a non-JSArray without checking whether we're actually allowed to.

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
        https://bugs.webkit.org/show_bug.cgi?id=202122
        <rdar://problem/55535249>

        Reviewed by Yusuke Suzuki.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Reduce the amount of memory needed to store Options.
        https://bugs.webkit.org/show_bug.cgi?id=202105

        Reviewed by Yusuke Suzuki.

        The size of the JSC::Config needed to store the Options is now reduced to 4K
        instead of 16K, enabled by constexpr template magic.

        1. Instead of storing all options in a large array of OptionEntry (which is a union of
           all the option types), we now have separate arrays for each of the types of
           options.  For example,

                Removed g_jscConfig.options[].
                Added g_jscConfig.typeBoolOptions[].
                Added g_jscConfig.typeInt32Options[].
                Added g_jscConfig.typeDoubleOptions[].
                ...

           We used to find the storage for the option using g_jscConfig.options[Options::ID].
           We now find the storage for each type of option using
           g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()].  For
           example, Options::useJIT() used to be implemented as:

               inline bool& Options::useJIT()
               {
                    return g_jscConfig.options[Options::useJITID];
               }

           ... which is now replaced with:

               inline bool& Options::useJIT()
               {
                    return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()];
               }

        2. Introduce the optionTypeSpecificIndex() constexpr template function for
           computing the index of each option in their respective type specific options
           array.

        3. Introduce OptionTypes, OptionTypeID, and OptionID.

           The OptionTypes namespace replaces OptionEntry as the container of option types.
           The OptionID enum class replaces Options::ID.
           The OptionTypeID enum class is new and is used together with OptionID in
               constexpr templates to compute the typeSpecificIndex of options.

        4. Removed the OptionEntry struct and OptionEntry.h.  After (1), this struct is
           only used in the Option class.  We just moved the union of option types (that
           OptionEntry embeds) into the Option class.

           Moved class OptionRange into OptionsList.h.

        5. Removed the large OptionEntry arrays from JSC::Config.
           Added type specific options arrays.
           Also ordered these arrays to maximize compactness and minimize internal fragmentation.

        6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[]
           instead of going through the Option wrapper object.  This allows us to simplify
           things and make the Option class a read-only interface of options.

        7. Changed Options::initialize() to only compute the option default value once.
           The default value specified in the OptionsList may not always be a constant.
           Sometimes, it is a function call.

        8. The Option class now only gives read-only access to the options.

           The Option class' role is to provide an interface for reading an option at any
           given OptionID without first knowing about the type of the specific option.
           It is useful for iterating options, and is currently only used by
           Options::dumpOption().

           Technically, we could merge all the Option class code into its single client.
           We opted not to do this because the amount of code is non-trivial, and the
           Option class does a good job of encapsulating this functionality.

        * API/glib/JSCOptions.cpp:
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_foreach):
        (jsc_options_get_option_group):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSCConfig.h:
        * runtime/OptionEntry.h: Removed.
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::overrideOptionWithHeuristic):
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        (JSC::Options::initialize):
        (JSC::Options::setOptionWithoutAlias):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Option::Option):
        (JSC::Option::defaultOption const):
        (JSC::Option::dump const):
        (JSC::Option::operator== const):
        * runtime/Options.h:
        (JSC::Option::id const):
        (JSC::Option::name const):
        (JSC::Option::description const):
        (JSC::Option::type const):
        (JSC::Option::availability const):
        (JSC::Option::isOverridden const):
        (JSC::Option::Option):
        (JSC::Option::idIndex const):
        (JSC::Option::defaultOption const): Deleted.
        (JSC::Option::boolVal): Deleted.
        (JSC::Option::unsignedVal): Deleted.
        (JSC::Option::doubleVal): Deleted.
        (JSC::Option::int32Val): Deleted.
        (JSC::Option::optionRangeVal): Deleted.
        (JSC::Option::optionStringVal): Deleted.
        (JSC::Option::gcLogLevelVal): Deleted.
        * runtime/OptionsList.h:
        (JSC::OptionRange::operator= ):
        (JSC::OptionRange::rangeString const):
        (JSC::optionTypeSpecificIndex):
        (JSC::countNumberOfJSCOptionsOfType):

592         (JSC::countNumberOfJSCOptionsOfType):
593
594 2019-09-23  Devin Rousso  <drousso@apple.com>
595
596         Web Inspector: Canvas: show WebGPU shader pipelines
597         https://bugs.webkit.org/show_bug.cgi?id=201675
598         <rdar://problem/55543450>
599
600         Reviewed by Joseph Pecoraro.
601
602         * inspector/protocol/Canvas.json:
603         Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
604         frontend of a new program
605
2019-09-23  Zan Dobersek  <zdobersek@igalia.com>

        testmasm: integer operands loaded as unsigned values
        https://bugs.webkit.org/show_bug.cgi?id=202099

        Reviewed by Mark Lam.

        Suppress GCC warnings about comparing signed and unsigned values in
        test cases introduced in r247913 by using signed integer types for
        loading 32-bit and 64-bit integer operand values.

        * assembler/testmasm.cpp:
        (JSC::testBranchTestBit32RegReg):
        (JSC::testBranchTestBit32RegImm):
        (JSC::testBranchTestBit32AddrImm):
        (JSC::testBranchTestBit64RegReg):
        (JSC::testBranchTestBit64RegImm):
        (JSC::testBranchTestBit64AddrImm):

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
        https://bugs.webkit.org/show_bug.cgi?id=202072

        Reviewed by Mark Lam.

        Inline doubleToStrictInt52 in FTL since it is a very simple function.
        This change improves JetStream2/stanford-crypto-sha256 by ~5%.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::doubleToInt64):
        * ftl/FTLOutput.h:

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up change after r250198
        https://bugs.webkit.org/show_bug.cgi?id=201633

        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt16):

649 2019-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
650
651         [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function
652         https://bugs.webkit.org/show_bug.cgi?id=201633
653
654         Reviewed by Mark Lam.
655
656         Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code see uint32_t type.
657         In JS, we handles Int32 well, but if the value exceeds Int32 range (like, using 0xffffffff), we use Int52 instead not to fallback to Double.
658
659         The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each
660         of them emits OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which
661         can be seen if OSR exit occurs.
662
663         In this patch, we perform strength-reduction for CheckAdd, converting to Add. We already have such a thing. But the existing one does not handle instructions
664         well emitted when Int52 is used.
665
666         When Int52 is used, we typically have the sequence like,
667
668             Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64
669             Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52
670
671         While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 while it is very easy.
672         This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis.
673         This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit.
674         We can see ~5% improvement in JetStream2/async-fs.
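
        The range reasoning above, as an added stand-alone model (not B3's code, and not part of this entry): it assigns an integer range to SExt8/SExt16/SExt32/ZExt32, to Shl by a constant and to Add, and decides whether a CheckAdd can become a plain Add because the operand ranges cannot wrap around Int64. The IntRange/Value types and the Op names are the example's own; it takes each extension's full output range and ignores anything known about the extension's operand.

```cpp
#include <cstdint>

// Closed integer interval; the full Int64 range means "nothing known".
struct IntRange {
    int64_t min;
    int64_t max;
    static IntRange full() { return { INT64_MIN, INT64_MAX }; }
    bool isFull() const { return min == INT64_MIN && max == INT64_MAX; }
};

// A tiny stand-in for B3 opcodes; Opaque is a value with no range information.
enum class Op { Const, SExt8, SExt16, SExt32, ZExt32, Shl, Add, Opaque };

struct Value {
    Op op;
    int64_t imm = 0;                // Const: the constant (also the shift amount when feeding Shl)
    const Value* child0 = nullptr;
    const Value* child1 = nullptr;
};

static bool addOverflows(int64_t x, int64_t y) {
    return (y > 0 && x > INT64_MAX - y) || (y < 0 && x < INT64_MIN - y);
}

// Shift a range left by k bits; give up (full range) as soon as either bound would wrap.
static IntRange shiftLeft(IntRange r, int64_t k) {
    if (k < 0 || k >= 63)
        return IntRange::full();
    int64_t hi = INT64_MAX >> k;    // largest value that survives the shift
    int64_t lo = -hi - 1;           // smallest value that survives the shift
    if (r.max > hi || r.min < lo)
        return IntRange::full();
    int64_t mul = int64_t(1) << k;
    return { r.min * mul, r.max * mul };
}

static IntRange rangeOf(const Value& v) {
    switch (v.op) {
    case Op::Const:  return { v.imm, v.imm };
    case Op::SExt8:  return { INT8_MIN, INT8_MAX };
    case Op::SExt16: return { INT16_MIN, INT16_MAX };
    case Op::SExt32: return { INT32_MIN, INT32_MAX };
    case Op::ZExt32: return { 0, INT64_C(0xffffffff) };
    case Op::Shl:
        if (!v.child0 || !v.child1 || v.child1->op != Op::Const)
            return IntRange::full();    // only constant shift amounts are analysed
        return shiftLeft(rangeOf(*v.child0), v.child1->imm);
    case Op::Add: {
        if (!v.child0 || !v.child1)
            return IntRange::full();
        IntRange a = rangeOf(*v.child0), b = rangeOf(*v.child1);
        if (addOverflows(a.min, b.min) || addOverflows(a.max, b.max))
            return IntRange::full();
        return { a.min + b.min, a.max + b.max };
    }
    default:
        return IntRange::full();        // Opaque: nothing known
    }
}

// CheckAdd(a, b) can be reduced to Add(a, b) when the sum of the operand ranges cannot wrap,
// which removes the overflow check and the OSR exit hanging off it.
static bool checkAddIsRedundant(const Value& a, const Value& b) {
    IntRange ra = rangeOf(a), rb = rangeOf(b);
    return !addOverflows(ra.min, rb.min) && !addOverflows(ra.max, rb.max);
}

// Mirrors the sequence quoted above: @78 = SExt32(@73); @81 = Shl(@78, $12).
// The Int52 occupies at most [-2^43, 2^43), so adding two of them fits in Int64.
static bool int52AddNeedsNoCheck() {
    Value int32 { Op::Opaque };                      // an Int32 of unknown value
    Value widened { Op::SExt32, 0, &int32 };
    Value twelve { Op::Const, 12 };
    Value int52 { Op::Shl, 0, &widened, &twelve };
    return checkAddIsRedundant(int52, int52);        // expected: true
}

// Counter-example: ZExt32 shifted by 32 no longer fits, its range becomes unknown and the check stays.
static bool wideShiftKeepsCheck() {
    Value int32 { Op::Opaque };
    Value widened { Op::ZExt32, 0, &int32 };
    Value thirtyTwo { Op::Const, 32 };
    Value shifted { Op::Shl, 0, &widened, &thirtyTwo };
    return !checkAddIsRedundant(shifted, shifted);   // expected: true
}
```

        The Shl handling is the part the entry says already existed; the SExt/ZExt cases are what the patch adds, and without them the SExt32 operand would fall into the Opaque case and the CheckAdd would survive.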
675
676         * b3/B3ReduceStrength.cpp:
677         * b3/testb3.h:
678         (int16Operands):
679         (int8Operands):
680         * b3/testb3_1.cpp:
681         (run):
682         * b3/testb3_5.cpp:
683         (testCheckAddRemoveCheckWithSExt8):
684         (testCheckAddRemoveCheckWithSExt16):
685         (testCheckAddRemoveCheckWithSExt32):
686         (testCheckAddRemoveCheckWithZExt32):
687
688 2019-09-21  Mark Lam  <mark.lam@apple.com>
689
690         Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage.
691         https://bugs.webkit.org/show_bug.cgi?id=202082
692
693         Reviewed by Tadeu Zagallo.
694
695         They are not being caged anyway.
696
697         * runtime/DirectArguments.h:
698         * runtime/JSLexicalEnvironment.h:
699         (JSC::JSLexicalEnvironment::subspaceFor):
700         * runtime/ScopedArguments.h:
701         * runtime/VM.cpp:
702         (JSC::VM::VM):
703         * runtime/VM.h:
704
705 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
706
707         AccessCase should strongly visit its dependencies while on stack
708         https://bugs.webkit.org/show_bug.cgi?id=201986
709         <rdar://problem/55521953>
710
711         Reviewed by Saam Barati and Yusuke Suzuki.
712
713         AccessCase::doesCalls is responsible for specifying the cells it depends on, so that
714         MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However,
715         it was missing most of its dependencies, which led to it being collected while on stack.
716         This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js
717         as the PolymorphicAccess being collected and removing its exception handler from the code
718         block, which led to exception propagating past the try/catch.
719
720         In order to fix this, we abstract the dependency gathering logic from AccessCase into
721         forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to
722         guarantee that their implementation is consistent.
723
724         * bytecode/AccessCase.cpp:
725         (JSC::AccessCase::forEachDependentCell const):
726         (JSC::AccessCase::doesCalls const):
727         (JSC::AccessCase::visitWeak const):
728         * bytecode/AccessCase.h:
729         * bytecode/CallLinkInfo.cpp:
730         (JSC::CallLinkInfo::lastSeenCallee const):
731         (JSC::CallLinkInfo::haveLastSeenCallee const):
732         (JSC::CallLinkInfo::lastSeenCallee): Deleted.
733         (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
734         * bytecode/CallLinkInfo.h:
735         (JSC::CallLinkInfo::isDirect const):
736         (JSC::CallLinkInfo::isLinked const):
737         (JSC::CallLinkInfo::stub const):
738         (JSC::CallLinkInfo::forEachDependentCell const):
739         (JSC::CallLinkInfo::isLinked): Deleted.
740         (JSC::CallLinkInfo::stub): Deleted.
741         * bytecode/ObjectPropertyCondition.cpp:
742         (JSC::ObjectPropertyCondition::isStillLive const):
743         * bytecode/ObjectPropertyCondition.h:
744         (JSC::ObjectPropertyCondition::forEachDependentCell const):
745         * bytecode/ObjectPropertyConditionSet.cpp:
746         (JSC::ObjectPropertyConditionSet::areStillLive const):
747         * bytecode/ObjectPropertyConditionSet.h:
748         (JSC::ObjectPropertyConditionSet::forEachDependentCell const):
749         * bytecode/PropertyCondition.cpp:
750         (JSC::PropertyCondition::isStillLive const):
751         * bytecode/PropertyCondition.h:
752         (JSC::PropertyCondition::forEachDependentCell const):
753         * jit/PolymorphicCallStubRoutine.cpp:
754         (JSC::PolymorphicCallStubRoutine::visitWeak):
755         * jit/PolymorphicCallStubRoutine.h:
756         (JSC::PolymorphicCallStubRoutine::forEachDependentCell):
757
758 2019-09-21  David Kilzer  <ddkilzer@apple.com>
759
760         clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore
761         <https://webkit.org/b/202069>
762
763         Reviewed by Mark Lam.
764
765         Fix unwanted copying/ref churn of loop variables by making them
766         const references.
767
768         * bytecode/CodeBlock.cpp:
769         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
770         * bytecompiler/BytecodeGenerator.cpp:
771         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
772         * dfg/DFGGraph.cpp:
773         (JSC::DFG::Graph::dump):
774         * inspector/agents/InspectorAgent.cpp:
775         (Inspector::InspectorAgent::activateExtraDomains):
776         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
777         (Inspector::RemoteInspector::stopInternal):
778         (Inspector::RemoteInspector::xpcConnectionFailed):
779         (Inspector::RemoteInspector::pushListingsNow):
780         * parser/Parser.h:
781         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
782         * runtime/ProxyObject.cpp:
783         (JSC::ProxyObject::performGetOwnPropertyNames):
784         * runtime/SamplingProfiler.cpp:
785         (JSC::SamplingProfiler::registerForReportAtExit):
786         (JSC::SamplingProfiler::reportTopFunctions):
787         (JSC::SamplingProfiler::reportTopBytecodes):
788         * runtime/TypeSet.cpp:
789         (JSC::StructureShape::inspectorRepresentation):
790         (JSC::StructureShape::merge):
791
792 2019-09-20  Keith Miller  <keith_miller@apple.com>
793
794         eliding a move in Air O0 needs to mark the dest's old reg as available
795         https://bugs.webkit.org/show_bug.cgi?id=202066
796
797         Reviewed by Saam Barati.
798
799         Also adds a new release method that handles all the invariants of
800         returning a register to the available register pool.
801
802         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
803         (JSC::B3::Air::GenerateAndAllocateRegisters::release):
804         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
805         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
806         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
807         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
808
809 2019-09-20  Mark Lam  <mark.lam@apple.com>
810
811         Harden assertion in StructureIDTable::get().
812         https://bugs.webkit.org/show_bug.cgi?id=202067
813         <rdar://problem/55577923>
814
815         Reviewed by Keith Miller.
816
817         * runtime/StructureIDTable.h:
818         (JSC::StructureIDTable::get):
819
820 2019-09-20  Truitt Savell  <tsavell@apple.com>
821
822         Unreviewed, rolling out r250114.
823
824         Broke ~16 webgpu/ tests on Mojave wk2
825
826         Reverted changeset:
827
828         "Web Inspector: Canvas: show WebGPU shader pipelines"
829         https://bugs.webkit.org/show_bug.cgi?id=201675
830         https://trac.webkit.org/changeset/250114
831
832 2019-09-20  Paulo Matos  <pmatos@igalia.com>
833
834         Implement memory monitoring functions for Linux OS
835         https://bugs.webkit.org/show_bug.cgi?id=200391
836
837         Reviewed by Žan Doberšek.
838
839         * jsc.cpp:
840
841 2019-09-20  Devin Rousso  <drousso@apple.com>
842
843         ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html
844         https://bugs.webkit.org/show_bug.cgi?id=201713
845         <rdar://problem/55290349>
846
847         Reviewed by Joseph Pecoraro.
848
849         Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value
850         instead of using a referenced `bool` (which wouldn't include any of the exception's info).
851
852         * bindings/ScriptFunctionCall.h:
853         * bindings/ScriptFunctionCall.cpp:
854         (Deprecated::ScriptFunctionCall::call):
855
856         * inspector/InjectedScript.cpp:
857         (Inspector::InjectedScript::wrapCallFrames const):
858         (Inspector::InjectedScript::wrapObject const):
859         (Inspector::InjectedScript::wrapJSONString const):
860         (Inspector::InjectedScript::wrapTable const):
861         (Inspector::InjectedScript::previewValue const):
862         (Inspector::InjectedScript::findObjectById const):
863         (Inspector::InjectedScript::releaseObjectGroup):
864
865         * inspector/InjectedScriptBase.h:
866         * inspector/InjectedScriptBase.cpp:
867         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const):
868         (Inspector::InjectedScriptBase::makeCall):
869         (Inspector::InjectedScriptBase::makeAsyncCall):
870
871         * inspector/InjectedScriptManager.h:
872         * inspector/InjectedScriptManager.cpp:
873         (Inspector::InjectedScriptManager::createInjectedScript):
874         (Inspector::InjectedScriptManager::injectedScriptFor):
875
876         * inspector/InjectedScriptModule.cpp:
877         (Inspector::InjectedScriptModule::ensureInjected):
878
879 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
880
881         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
882         https://bugs.webkit.org/show_bug.cgi?id=202014
883
884         Reviewed by Saam Barati.
885
886         Let's look into the bytecode generated by the test.
887
888             [   0] enter
889             [   1] get_scope          loc4
890             [   3] mov                loc5, loc4
891             [   6] check_traps
892             [   7] mov                loc6, callee
893             [  10] create_direct_arguments loc7
894             [  12] to_this            this
895             [  15] mov                loc8, loc7
896             [  18] mov                loc9, loc6
897             [  21] mov                loc12, Undefined(const0)
898             [  24] get_by_id          loc11, loc6, 0
899             [  29] jneq_ptr           loc11, ApplyFunction, 18(->47)
900             [  34] mov                loc11, loc6
901             [  37] call_varargs       loc11, loc11, this, loc8, loc13, 0
902             [  45] jmp                17(->62)
903             [  47] mov                loc16, loc6
904             [  50] mov                loc15, this
905             [  53] mov                loc14, loc8
906             [  56] call               loc11, loc11, 3, 22
907             ...
908
909         call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this).
910         This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13.
911         And it is not in the previous place to loc13 (|this| is not loc12).
912
913         On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments.
914         But this is wrong. loc12 in the above bytecode is used for `[  56] call               loc11, loc11, 3, 22`'s argument later, and this call assumes
915         that loc12 is not clobbered by call_varargs. But DFG and FTL clobber it.
916
917         The test is recursively calling the same function, and we inline the same function one-level. And a stack-overflow error happens when inlined
918         CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since
919         LoadVarargs clobbers it. And we eventually use it and crash.
920
921             60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)
922
923         This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.
924
925         In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place.
926         DFG should not assume that the previous register to firstFreeReg is used for |this|.
927
928         This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
929         represent that `maxArgumentCountIncludingThis` includes |this| count.
930
931         * bytecode/CallLinkInfo.cpp:
932         (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
933         (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
934         * bytecode/CallLinkInfo.h:
935         (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
936         (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
937         (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
938         (JSC::CallLinkInfo::maxNumArguments): Deleted.
939         * bytecode/CallLinkStatus.cpp:
940         (JSC::CallLinkStatus::computeFor):
941         (JSC::CallLinkStatus::dump const):
942         * bytecode/CallLinkStatus.h:
943         (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
944         (JSC::CallLinkStatus::maxNumArguments const): Deleted.
945         * dfg/DFGByteCodeParser.cpp:
946         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
947         * dfg/DFGSpeculativeJIT32_64.cpp:
948         (JSC::DFG::SpeculativeJIT::emitCall):
949         * dfg/DFGSpeculativeJIT64.cpp:
950         (JSC::DFG::SpeculativeJIT::emitCall):
951         * ftl/FTLLowerDFGToB3.cpp:
952         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
953         * jit/JITCall.cpp:
954         (JSC::JIT::compileSetupFrame):
955         * jit/JITCall32_64.cpp:
956         (JSC::JIT::compileSetupFrame):
957         * jit/JITOperations.cpp:
958
959 2019-09-19  Devin Rousso  <drousso@apple.com>
960
961         Web Inspector: Canvas: show WebGPU shader pipelines
962         https://bugs.webkit.org/show_bug.cgi?id=201675
963
964         Reviewed by Joseph Pecoraro.
965
966         * inspector/protocol/Canvas.json:
967         Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
968         frontend of a new program.
969
970 2019-09-19  Mark Lam  <mark.lam@apple.com>
971
972         Rename VMInspector::m_list to m_vmList.
973         https://bugs.webkit.org/show_bug.cgi?id=202015
974
975         Reviewed by Yusuke Suzuki.
976
977         m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
978         it from other m_lists in the code base.
979
980         * tools/VMInspector.cpp:
981         (JSC::VMInspector::add):
982         (JSC::VMInspector::remove):
983         * tools/VMInspector.h:
984         (JSC::VMInspector::iterate):
985
986 2019-09-19  Mark Lam  <mark.lam@apple.com>
987
988         Reduce the number of required tag bits for the JSValue.
989         https://bugs.webkit.org/show_bug.cgi?id=201990
990
991         Reviewed by Yusuke Suzuki.
992
993         We're reducing the number of tag bits to 15.  It should just work.
994
995         How did we arrive at 15 bits?
996         ============================
997         Currently, the minimum number of top bits used by doubles is 13 bits.  The
998         highest double bit encodings are:
999
1000             "negative" pureNaN: starts with 0xfff8
1001             negative infinity:  starts with 0xfff0
1002             highest number:     starts with 0xffe*
1003             lowest number:      starts with 0x0000
1004
1005         Requirements:
1006         1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints
1007            (all 1s at the top).
1008
1009         2. We want to be able to add an offset to double bits and ensure that they never
1010            end up in the ranges for pointers and ints.
1011
1012         3. The int tag must be higher than whatever value is produced in the top bits
1013            when boxing a double.  We have code that relies on this relationship being
1014            true and checks if a JSValue is an int by checking if the tag bits are above
1015            or equal to the int tag.
1016
1017         4. We don't want to burn more than 2 CPU registers for tag / mask registers.
1018
1019         Based on the bit encoding of doubles, the full number range of the top 13 bits
1020         is used in valid double numbers.  This means the minimum tag bits must be greater
1021         than 13.
1022
1023         Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
1024         0x0004.  With this encoding,
1025             "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc
1026
1027         i.e. the top 14 bits are all set.  This conflicts with the int number range.
1028
1029         Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
1030         with 0x0002.  With this encoding:
1031             "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
1032             negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2
1033
1034         i.e. 0xfffe (top 5 bits set) is available to represent ints.  This is the encoding
1035         that we'll adopt in this patch.
1036
1037         Alternate encoding schemes to consider in the future:
1038         =====================================================
1039         1. If we're willing and able to purifyNaN at all the places that can produce a
1040            "negative" pureNaN, e.g. after a division, then we can remove the "negative"
1041            pureNaN as a valid double bit encoding.  With this, we can now box doubles
1042            with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
1043            0x0004.
1044
1045            With this encoding, the top double, negative infinity, is encoded as follows:
1046
1047                 negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4
1048
1049            i.e. leaving 0xfffc as the tag for ints.
1050
1051            We didn't adopt this scheme at this time because it adds complexity, and may
1052            have performance impact from the extra purifyNaN checks.
1053
1054            Ref: https://bugs.webkit.org/show_bug.cgi?id=202002
1055
1056         2. If we're willing to use 3 tag registers or always materialize one of them, we
1057            can also adopt a 14-bit tag as follows:
1058
1059                Pointer {  0000:PPPP:PPPP:PPPP
1060                         / 0002:****:****:****
1061                Double  {         ...
1062                         \ FFFC:****:****:****
1063                Integer {  FFFF:0000:IIII:IIII
1064
1065            where ...
1066                NumberMask is 0xfffc: any bit set in the top 14 bits means the value is a number.
1067                IntMask is 0xffff: value is int if value & IntMask == IntMask.
1068                NotCellMask is NumberMask | OtherTag.
1069
1070            Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
1071            a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
1072            still less than 0xffff.
1073
1074            We didn't adopt this scheme at this time because it adds complexity and may
1075            have a performance impact from either burning another register, or materializing
1076            the 3rd mask.
1077
1078            Ref: https://bugs.webkit.org/show_bug.cgi?id=202005
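
        The 14-bit versus 15-bit arithmetic above, as an added stand-alone model (not JSC's JSCJSValue.h, and not part of this entry). It is parameterised on the tag width so the rejected 14-bit layout can be checked beside the adopted 15-bit one, and it uses the constant names introduced by the "Replace JSValue #defines with static constexpr values" entry below (NumberTag, DoubleEncodeOffset, NotCellMask), including that entry's `value & NotCellMask` test. The value 0x2 for OtherTag is an assumption of the example; the TagScheme type and the helper names are the example's own.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>

// Top 16 bits of a 64-bit value, the way the entry writes them (0xfff8, 0xfffa, 0xfffe, ...).
static constexpr uint16_t top16(uint64_t v) { return static_cast<uint16_t>(v >> 48); }

// For `tagBits` tag bits: pointers have all tag bits clear, ints have them all set, and a
// double is stored as its IEEE-754 bits plus DoubleEncodeOffset = 1 << (64 - tagBits).
struct TagScheme {
    int tagBits;
    constexpr uint64_t doubleEncodeOffset() const { return uint64_t(1) << (64 - tagBits); }
    constexpr uint64_t numberTag() const { return ~uint64_t(0) << (64 - tagBits); }
};

// Raw double bit patterns quoted in the entry (constructed inputs).
static constexpr uint64_t NegativePureNaNBits  = 0xfff8000000000000ull;
static constexpr uint64_t NegativeInfinityBits = 0xfff0000000000000ull;
static constexpr uint64_t LowestDoubleBits     = 0x0000000000000000ull; // +0.0

// Requirement 3: a boxed double must stay strictly below the int tag so that
// `value >= NumberTag` identifies ints. Requirement 2: it must also keep at least one
// tag bit set, i.e. stay out of the pointer range (an addition that wraps lands there too).
static bool boxedDoubleStaysOutOfTagRanges(TagScheme s, uint64_t rawDoubleBits) {
    uint64_t boxed = rawDoubleBits + s.doubleEncodeOffset();
    return boxed < s.numberTag() && (boxed & s.numberTag()) != 0;
}

// Boxing is monotone, so checking the highest ("negative" pureNaN) and the lowest bit
// patterns covers every double in between.
static bool schemeIsSafe(int tagBits) {
    TagScheme s { tagBits };
    return boxedDoubleStaysOutOfTagRanges(s, NegativePureNaNBits)
        && boxedDoubleStaysOutOfTagRanges(s, LowestDoubleBits);
}

// The adopted 15-bit layout.
static constexpr TagScheme Adopted { 15 };
static constexpr uint64_t DoubleEncodeOffset = Adopted.doubleEncodeOffset(); // top 16 bits 0x0002
static constexpr uint64_t NumberTag = Adopted.numberTag();                   // 0xfffe000000000000
static constexpr uint64_t OtherTag = 0x2;               // assumed value; the entry only names it
static constexpr uint64_t NotCellMask = NumberTag | OtherTag;

static uint64_t boxDouble(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits + DoubleEncodeOffset;
}
static double unboxDouble(uint64_t v) {
    uint64_t bits = v - DoubleEncodeOffset;
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}
static uint64_t boxInt32(int32_t i) { return NumberTag | static_cast<uint32_t>(i); }
static int32_t unboxInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

static bool isInt32(uint64_t v) { return v >= NumberTag; }          // tag bits >= the int tag
static bool isNumber(uint64_t v) { return (v & NumberTag) != 0; }
static bool isDouble(uint64_t v) { return isNumber(v) && !isInt32(v); }
static bool isCell(uint64_t v) { return (v & NotCellMask) == 0; }    // `value & NotCellMask` => not a cell
```

        With 14 tag bits the boxed "negative" pureNaN has top bits 0xfffc, the same as the 14-bit int tag, so `schemeIsSafe(14)` is false; with 15 bits it is 0xfffa against an int tag of 0xfffe, and `schemeIsSafe(15)` holds. A 13-bit tag fails the other way: the offset wraps the highest double into the pointer range.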
1079
1080         * runtime/JSCJSValue.h:
1081
1082 2019-09-19  Mark Lam  <mark.lam@apple.com>
1083
1084         Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
1085         https://bugs.webkit.org/show_bug.cgi?id=201989
1086
1087         Reviewed by Saam Barati.
1088
1089         This patch only unindents the code to get it back to compliant formatting.
1090         There is no actual code change.
1091
1092         * runtime/JSNonDestructibleProxy.h:
1093         (JSC::JSNonDestructibleProxy::subspaceFor):
1094         (JSC::JSNonDestructibleProxy::create):
1095         (JSC::JSNonDestructibleProxy::createStructure):
1096         (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):
1097
1098 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
1099
1100         Syntax checker should report duplicate __proto__ properties
1101         https://bugs.webkit.org/show_bug.cgi?id=201897
1102         <rdar://problem/53201788>
1103
1104         Reviewed by Mark Lam.
1105
1106         Currently we have two ways of parsing object literals:
1107         - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
1108           it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
1109           but it won't store them in the Property object that it creates for each parsed property. This
1110           method backtracks and calls parseStrictObjectLiteral if it finds any getters or setters.
1111         - parseStrictObjectLiteral: this is called in strict mode, or when the object contains getters/setters
1112           as stated above. This will always allocate string literals as well as identifiers and store them in
1113           the Property object, even during syntax checking.
1114
1115         From looking at the history, it seems that there was a distinction between these two methods:
1116         parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
1117         getters/setters or properties defined as both getters/setters and constants. That distinction
1118         was removed and the only distinction that remained was whether we build strings and store the
1119         strings and properties as part of the Property object created by SyntaxChecker::createProperty.
1120         However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
1121         __proto__ properties in object literals even in sloppy mode, which means that we do need to build
1122         the strings and identifiers and store them as part of the Property objects.
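
        The check the syntax checker now has to run even in sloppy mode, as an added example (not JSC's parser code, and not part of this entry). It encodes which forms count: only `__proto__: value` definitions with a literal, non-computed key participate in the duplicate check, while the shorthand `__proto__`, the computed `["__proto__"]: v` and the method `__proto__() {}` forms define an own property and are exempt. The PropertyKind/Property types are the example's own stand-in for the Property objects the parser builds.

```cpp
#include <string>
#include <vector>

enum class PropertyKind { Plain, Shorthand, Computed, Method, Getter, Setter };

struct Property {
    std::string name;     // the key as written; for Computed this is source text, not a name
    PropertyKind kind;
};

// True when the property list makes the object literal a SyntaxError: two or more
// `__proto__: value` definitions whose key is a literal identifier or string.
static bool hasDuplicateProtoSetter(const std::vector<Property>& props) {
    int protoSetters = 0;
    for (const Property& p : props) {
        if (p.kind == PropertyKind::Plain && p.name == "__proto__")
            ++protoSetters;
    }
    return protoSetters > 1;
}

// Constructed literals, given as the property lists a parser would hand the checker.

// { __proto__: a, "__proto__": b }  -- both are PropertyName : AssignmentExpression, so rejected
static bool rejectsTwoProtoColonDefinitions() {
    return hasDuplicateProtoSetter({ { "__proto__", PropertyKind::Plain },
                                     { "__proto__", PropertyKind::Plain } });
}

// { __proto__: a, __proto__, ["__proto__"]: c, __proto__() {} }  -- only one counts, so accepted
static bool acceptsProtoBesideExemptForms() {
    return !hasDuplicateProtoSetter({ { "__proto__", PropertyKind::Plain },
                                      { "__proto__", PropertyKind::Shorthand },
                                      { "__proto__", PropertyKind::Computed },
                                      { "__proto__", PropertyKind::Method } });
}

// { a: 1, a: 2 }  -- ordinary duplicate keys are not an error; only __proto__ is special
static bool acceptsOrdinaryDuplicateKeys() {
    return !hasDuplicateProtoSetter({ { "a", PropertyKind::Plain },
                                      { "a", PropertyKind::Plain } });
}
```

        The point for the parser is visible in the first check: deciding it needs the key of every plain property, which is exactly the string the old syntax-checking path declined to build.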
1123
1124         * parser/Parser.cpp:
1125         (JSC::Parser<LexerType>::parseObjectLiteral):
1126         (JSC::Parser<LexerType>::parsePrimaryExpression):
1127         (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
1128         * parser/Parser.h:
1129
1130 2019-09-19  Mark Lam  <mark.lam@apple.com>
1131
1132         Remove a now unnecessary hack to work around static const needing external linkage.
1133         https://bugs.webkit.org/show_bug.cgi?id=201988
1134
1135         Reviewed by Saam Barati.
1136
1137         MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
1138         inlinable.
1139
1140         * b3/B3Common.cpp:
1141         (JSC::B3::pinnedExtendedOffsetAddrRegister):
1142
1143 2019-09-19  Mark Lam  <mark.lam@apple.com>
1144
1145         Replace JSValue #defines with static constexpr values.
1146         https://bugs.webkit.org/show_bug.cgi?id=201966
1147
1148         Reviewed by Yusuke Suzuki.
1149
1150         static constexpr is the modern C++ way to define these constants.
1151
1152         Some of the values are typed int64_t and some are int32_t.  The original #define
1153         values are int64_t.  Hence, we adopt int64_t as the default type to use here.
1154
1155         However, some of these constants are being used as 32-bit values, and the code
1156         was static_cast'ing them into int32_t.  This set of constants is all the small
1157         values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
1158         so that we don't have to keep casting them.  In the few places where they are
1159         used as int64_t, they will automatically get up-casted anyway.
1160
1161         In this patch, we also did the following:
1162
1163         1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
1164            basically using it to filter out cells like this:
1165
1166               if (value & NotCellMask) then goto handleNotCellCase;
1167
1168         2. Renamed TagTypeNumber to NumberTag for a shorter name.
1169
1170            Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
1171            They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.
1172
1173         3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value
1174            as a literal constant.  We now define DoubleEncodeOffset based on
1175            DoubleEncodeOffsetBit, ensuring consistency.
1176
1177         4. Introduced MiscTag so that clients don't have to put this set of tags together
1178            themselves.
1179
1180         5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
1181            captures these values correctly with constexpr statements.  These static
1182            asserts were holdovers from the old days back when we had to define LLInt
1183            constant values manually, and we needed a mechanism to detect when the values
1184            have changed in the source.
1185
1186         6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.
1187
1188         7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset
1189            constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
1190            to do this for ARM64 because the constant can be loaded efficiently with a single
1191            MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
1192            the target register.
1193
1194         * assembler/AbortReason.h:
1195         * bytecode/AccessCase.cpp:
1196         (JSC::AccessCase::generateWithGuard):
1197         * dfg/DFGOSRExit.cpp:
1198         (JSC::DFG::OSRExit::executeOSRExit):
1199         (JSC::DFG::OSRExit::compileExit):
1200         * dfg/DFGSpeculativeJIT.cpp:
1201         (JSC::DFG::SpeculativeJIT::silentFill):
1202         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1203         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1204         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1205         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1206         (JSC::DFG::SpeculativeJIT::speculateMisc):
1207         * dfg/DFGSpeculativeJIT.h:
1208         (JSC::DFG::SpeculativeJIT::spill):
1209         * dfg/DFGSpeculativeJIT64.cpp:
1210         (JSC::DFG::SpeculativeJIT::fillJSValue):
1211         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1212         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1213         (JSC::DFG::SpeculativeJIT::emitCall):
1214         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1215         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1216         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1217         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1218         (JSC::DFG::SpeculativeJIT::compileInt52Compare):
1219         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1220         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1221         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1222         (JSC::DFG::SpeculativeJIT::emitBranch):
1223         (JSC::DFG::SpeculativeJIT::compile):
1224         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1225         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1226         (JSC::DFG::SpeculativeJIT::blessBoolean):
1227         * ftl/FTLLowerDFGToB3.cpp:
1228         (JSC::FTL::DFG::LowerDFGToB3::lower):
1229         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1230         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1231         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
1232         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
1233         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1234         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1235         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1236         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
1237         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1238         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1239         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1240         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1241         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1242         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1243         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1244         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1245         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1246         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1247         (JSC::FTL::DFG::LowerDFGToB3::getById):
1248         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
1249         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1250         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1251         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
1252         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
1253         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
1254         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1255         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
1256         (JSC::FTL::DFG::LowerDFGToB3::isInt32):
1257         (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
1258         (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
1259         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
1260         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1261         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1262         (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
1263         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
1264         (JSC::FTL::DFG::LowerDFGToB3::isCell):
1265         (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
1266         (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
1267         (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
1268         (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
1269         (JSC::FTL::DFG::LowerDFGToB3::isOther):
1270         * ftl/FTLOSRExitCompiler.cpp:
1271         (JSC::FTL::reboxAccordingToFormat):
1272         (JSC::FTL::compileStub):
1273         * interpreter/CalleeBits.h:
1274         (JSC::CalleeBits::boxWasm):
1275         (JSC::CalleeBits::isWasm const):
1276         (JSC::CalleeBits::asWasmCallee const):
1277         * jit/AssemblyHelpers.cpp:
1278         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1279         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1280         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
1281         (JSC::AssemblyHelpers::jitAssertIsCell):
1282         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1283         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1284         * jit/AssemblyHelpers.h:
1285         (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
1286         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
1287         (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
1288         (JSC::AssemblyHelpers::branchIfNotCell):
1289         (JSC::AssemblyHelpers::branchIfCell):
1290         (JSC::AssemblyHelpers::branchIfOther):
1291         (JSC::AssemblyHelpers::branchIfNotOther):
1292         (JSC::AssemblyHelpers::branchIfInt32):
1293         (JSC::AssemblyHelpers::branchIfNotInt32):
1294         (JSC::AssemblyHelpers::branchIfNumber):
1295         (JSC::AssemblyHelpers::branchIfNotNumber):
1296         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
1297         (JSC::AssemblyHelpers::branchIfBoolean):
1298         (JSC::AssemblyHelpers::branchIfNotBoolean):
1299         (JSC::AssemblyHelpers::boxDouble):
1300         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
1301         (JSC::AssemblyHelpers::boxInt52):
1302         (JSC::AssemblyHelpers::boxBooleanPayload):
1303         (JSC::AssemblyHelpers::boxInt32):
1304         * jit/CallFrameShuffleData.h:
1305         * jit/CallFrameShuffler.cpp:
1306         (JSC::CallFrameShuffler::CallFrameShuffler):
1307         (JSC::CallFrameShuffler::dump const):
1308         (JSC::CallFrameShuffler::prepareAny):
1309         * jit/CallFrameShuffler.h:
1310         (JSC::CallFrameShuffler::getFreeRegister const):
1311         * jit/CallFrameShuffler64.cpp:
1312         (JSC::CallFrameShuffler::emitBox):
1313         (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
1314         (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
1315         * jit/GPRInfo.h:
1316         (JSC::GPRInfo::reservedRegisters):
1317         * jit/JITArithmetic.cpp:
1318         (JSC::JIT::emit_compareAndJumpSlow):
1319         * jit/JITBitAndGenerator.cpp:
1320         (JSC::JITBitAndGenerator::generateFastPath):
1321         * jit/JITBitOrGenerator.cpp:
1322         (JSC::JITBitOrGenerator::generateFastPath):
1323         * jit/JITBitXorGenerator.cpp:
1324         (JSC::JITBitXorGenerator::generateFastPath):
1325         * jit/JITCall.cpp:
1326         (JSC::JIT::compileTailCall):
1327         * jit/JITDivGenerator.cpp:
1328         (JSC::JITDivGenerator::generateFastPath):
1329         * jit/JITInlines.h:
1330         (JSC::JIT::emitPatchableJumpIfNotInt):
1331         * jit/JITLeftShiftGenerator.cpp:
1332         (JSC::JITLeftShiftGenerator::generateFastPath):
1333         * jit/JITMulGenerator.cpp:
1334         (JSC::JITMulGenerator::generateFastPath):
1335         * jit/JITOpcodes.cpp:
1336         (JSC::JIT::emit_op_overrides_has_instance):
1337         (JSC::JIT::emit_op_is_undefined):
1338         (JSC::JIT::emit_op_is_undefined_or_null):
1339         (JSC::JIT::emit_op_is_boolean):
1340         (JSC::JIT::emit_op_is_number):
1341         (JSC::JIT::emit_op_is_cell_with_type):
1342         (JSC::JIT::emit_op_is_object):
1343         (JSC::JIT::emit_op_not):
1344         (JSC::JIT::emit_op_jeq_null):
1345         (JSC::JIT::emit_op_jneq_null):
1346         (JSC::JIT::emit_op_jundefined_or_null):
1347         (JSC::JIT::emit_op_jnundefined_or_null):
1348         (JSC::JIT::emit_op_eq_null):
1349         (JSC::JIT::emit_op_neq_null):
1350         * jit/JITPropertyAccess.cpp:
1351         (JSC::JIT::emitGenericContiguousPutByVal):
1352         (JSC::JIT::emitFloatTypedArrayPutByVal):
1353         * jit/JITRightShiftGenerator.cpp:
1354         (JSC::JITRightShiftGenerator::generateFastPath):
1355         * jit/RegisterSet.cpp:
1356         (JSC::RegisterSet::runtimeTagRegisters):
1357         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1358         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1359         (JSC::RegisterSet::ftlCalleeSaveRegisters):
1360         * jit/SpecializedThunkJIT.h:
1361         (JSC::SpecializedThunkJIT::returnDouble):
1362         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
1363         * jit/ThunkGenerators.cpp:
1364         (JSC::virtualThunkFor):
1365         (JSC::nativeForGenerator):
1366         (JSC::arityFixupGenerator):
1367         (JSC::absThunkGenerator):
1368         * llint/LLIntData.cpp:
1369         (JSC::LLInt::Data::performAssertions):
1370         * llint/LowLevelInterpreter.asm:
1371         * llint/LowLevelInterpreter.cpp:
1372         (JSC::CLoop::execute):
1373         * llint/LowLevelInterpreter64.asm:
1374         * offlineasm/arm64.rb:
1375         * offlineasm/cloop.rb:
1376         * offlineasm/x86.rb:
1377         * runtime/JSCJSValue.h:
1378         * runtime/JSCJSValueInlines.h:
1379         (JSC::JSValue::isUndefinedOrNull const):
1380         (JSC::JSValue::isCell const):
1381         (JSC::JSValue::isInt32 const):
1382         (JSC::JSValue::JSValue):
1383         (JSC::JSValue::asDouble const):
1384         (JSC::JSValue::isNumber const):
1385         * wasm/js/WasmToJS.cpp:
1386         (JSC::Wasm::wasmToJS):
1387         * wasm/js/WebAssemblyFunction.cpp:
1388         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1389
1390 2019-09-18  Devin Rousso  <drousso@apple.com>
1391
1392         Web Inspector: Better handling for large arrays and collections in Object Trees
1393         https://bugs.webkit.org/show_bug.cgi?id=143589
1394         <rdar://problem/16135388>
1395
1396         Reviewed by Joseph Pecoraro.
1397
1398         Adds two buttons before the "Prototype" item in expanded object/collection previews:
1399          - Show %d More
1400          - Show All (%d More)
1401
1402         The default `fetchCount` increment is `100`. The first button will only be shown if there
1403         are more than `100` items remaining (haven't been shown).
1404
1405         * inspector/InjectedScriptSource.js:
1406         (InjectedScript.prototype.getProperties):
1407         (InjectedScript.prototype.getDisplayableProperties):
1408         (InjectedScript.prototype.getCollectionEntries):
1409         (InjectedScript.prototype._getProperties):
1410         (InjectedScript.prototype._internalPropertyDescriptors):
1411         (InjectedScript.prototype._propertyDescriptors):
1412         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
1413         (InjectedScript.prototype._propertyDescriptors.processProperties):
1414         (InjectedScript.prototype._getSetEntries):
1415         (InjectedScript.prototype._getMapEntries):
1416         (InjectedScript.prototype._getWeakMapEntries):
1417         (InjectedScript.prototype._getWeakSetEntries):
1418         (InjectedScript.prototype._getIteratorEntries):
1419         (InjectedScript.prototype._entries):
1420         (RemoteObject.prototype._generatePreview):
1421         (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
1422         Don't include boolean property descriptor values if they are `false`.
1423
1424         * inspector/JSInjectedScriptHost.cpp:
1425         (Inspector::JSInjectedScriptHost::weakMapEntries):
1426         (Inspector::JSInjectedScriptHost::weakSetEntries):
1427
1428         * inspector/InjectedScript.h:
1429         * inspector/InjectedScript.cpp:
1430         (Inspector::InjectedScript::getProperties):
1431         (Inspector::InjectedScript::getDisplayableProperties):
1432         (Inspector::InjectedScript::getCollectionEntries):
1433
1434         * inspector/agents/InspectorRuntimeAgent.h:
1435         * inspector/agents/InspectorRuntimeAgent.cpp:
1436         (Inspector::asInt): Added.
1437         (Inspector::InspectorRuntimeAgent::getProperties):
1438         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1439         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1440
1441         * inspector/protocol/Runtime.json:
1442         Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
1443         Mark boolean properties as optional so they can be omitted if `false`.
1444
1445 2019-09-18  Joonghun Park  <pjh0718@gmail.com>
1446
1447         Unreviewed. Remove build warning since r249976.
1448
1449         No new tests, no behavioral changes.
1450
1451         This patch removes the build warning below.
1452         warning: control reaches end of non-void function [-Wreturn-type]
1453
1454         * dfg/DFGArrayMode.cpp:
1455         (JSC::DFG::ArrayMode::alreadyChecked const):
1456
1457 2019-09-18  Saam Barati  <sbarati@apple.com>
1458
1459         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
1460         https://bugs.webkit.org/show_bug.cgi?id=201953
1461         <rdar://problem/53803524>
1462
1463         Reviewed by Yusuke Suzuki.
1464
1465         We had code in DFGSpeculativeJIT like:
1466         
1467         if (!globalObject->isHavingABadTime()) {
1468             <-- here -->
1469             Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
1470             assert 's' has expected indexing type
1471         }
1472         
1473         The problem is, we may have a bad time before we actually load the structure
1474         inside the if. We may have a bad time while we're at the "<-- here -->" in the
1475         above program. The fix is to first load the structure, then check if we're
1476         having a bad time. If we're still not having a bad time, it's valid to assert
1477         things about the structure.
1478
1479         * dfg/DFGSpeculativeJIT.cpp:
1480         (JSC::DFG::SpeculativeJIT::compileNewArray):
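
        The race described above, as an added example that is not JSC's code: a single-threaded
        model of the check-then-load pattern beside the load-then-check fix. GlobalObject, Structure,
        haveABadTime() and the "race hook" are hypothetical stand-ins for JSGlobalObject, Structure
        and the main thread running haveABadTime() at the "<-- here -->" point; the model assumes,
        as the fix relies on, that the flag is raised before the array structure slots are repointed
        and that existing Structure objects are not mutated in place.

```cpp
// Added example, not JavaScriptCore code. Models the TOCTOU between isHavingABadTime()
// and arrayStructureForIndexingTypeDuringAllocation() with a deterministic hook in place
// of the concurrent main thread. Class and function names are hypothetical stand-ins.
#include <atomic>
#include <cstddef>
#include <functional>
#include <iostream>

// Only the first three kinds have a fast array structure slot in this model.
enum class IndexingType { Int32, Double, Contiguous, SlowPut };

struct Structure {
    IndexingType indexingType;
};

class GlobalObject {
public:
    GlobalObject()
    {
        for (std::size_t i = 0; i < kFastKinds; ++i)
            m_arrayStructures[i].store(&m_fastStructures[i], std::memory_order_relaxed);
    }

    bool isHavingABadTime() const { return m_havingABadTime.load(std::memory_order_acquire); }

    // Assumption of this model: the flag is raised first, then every fast array structure
    // slot is repointed at the slow-put structure. Existing Structure objects are untouched.
    void haveABadTime()
    {
        m_havingABadTime.store(true, std::memory_order_release);
        for (auto& slot : m_arrayStructures)
            slot.store(&m_slowPutStructure, std::memory_order_release);
    }

    // Caller must pass one of the fast kinds (Int32, Double, Contiguous).
    Structure* arrayStructureForIndexingTypeDuringAllocation(IndexingType type)
    {
        return m_arrayStructures[static_cast<std::size_t>(type)].load(std::memory_order_acquire);
    }

private:
    static constexpr std::size_t kFastKinds = 3;
    Structure m_fastStructures[kFastKinds] = { { IndexingType::Int32 }, { IndexingType::Double }, { IndexingType::Contiguous } };
    Structure m_slowPutStructure { IndexingType::SlowPut };
    std::atomic<Structure*> m_arrayStructures[kFastKinds];
    std::atomic<bool> m_havingABadTime { false };
};

using RaceHook = std::function<void()>;

// The pattern the ChangeLog calls buggy: check the flag, then load the structure.
// Returns whether the indexing-type assertion would hold (false means the ASSERT fires).
bool assertionHoldsCheckThenLoad(GlobalObject& global, IndexingType expected, const RaceHook& atHere)
{
    if (!global.isHavingABadTime()) {
        atHere(); // "<-- here -->": the main thread may call haveABadTime() now.
        Structure* structure = global.arrayStructureForIndexingTypeDuringAllocation(expected);
        return structure->indexingType == expected;
    }
    return true; // once we know we are having a bad time there is nothing to assert
}

// The fix: load the structure first, then check the flag. A clear flag after the load
// means the load predates any bad time, so asserting on that structure is sound.
bool assertionHoldsLoadThenCheck(GlobalObject& global, IndexingType expected, const RaceHook& atHere)
{
    Structure* structure = global.arrayStructureForIndexingTypeDuringAllocation(expected);
    atHere(); // the same interleaving point, now after the load
    if (!global.isHavingABadTime())
        return structure->indexingType == expected;
    return true;
}

// Scenario helpers: inject the bad time at the interleaving point, plus a no-race control.
bool checkThenLoadSurvivesRace()
{
    GlobalObject global;
    return assertionHoldsCheckThenLoad(global, IndexingType::Int32, [&] { global.haveABadTime(); });
}

bool loadThenCheckSurvivesRace()
{
    GlobalObject global;
    return assertionHoldsLoadThenCheck(global, IndexingType::Int32, [&] { global.haveABadTime(); });
}

bool bothHoldWithoutRace()
{
    GlobalObject global;
    RaceHook noop = [] {};
    return assertionHoldsCheckThenLoad(global, IndexingType::Double, noop)
        && assertionHoldsLoadThenCheck(global, IndexingType::Double, noop);
}

int main()
{
    std::cout << "check-then-load survives race: " << checkThenLoadSurvivesRace() << '\n';
    std::cout << "load-then-check survives race: " << loadThenCheckSurvivesRace() << '\n';
    std::cout << "both hold without race: " << bothHoldWithoutRace() << '\n';
    return 0;
}
```

        The hook makes the interleaving deterministic; with real threads the same ordering
        is merely one of the possible schedules, which is why the buggy variant only fails
        intermittently. The load-then-check ordering is only sound if the flag becomes visible
        no later than the repointed slots, which is what the release/acquire pairs in the model enforce.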
1481
1482 2019-09-18  Chris Dumez  <cdumez@apple.com>
1483
1484         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
1485         https://bugs.webkit.org/show_bug.cgi?id=201947
1486         <rdar://problem/55453612>
1487
1488         Reviewed by Mark Lam.
1489
1490         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
1491         but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
1492         <https://trac.webkit.org/changeset/249064>.
1493
1494         * API/JSContextRef.cpp:
1495         (JSContextGroupCreate):
1496         (JSGlobalContextCreate):
1497         (JSGlobalContextCreateInGroup):
1498
1499 2019-09-18  Saam Barati  <sbarati@apple.com>
1500
1501         Phantom insertion phase may disagree with arguments forwarding about live ranges
1502         https://bugs.webkit.org/show_bug.cgi?id=200715
1503         <rdar://problem/54301717>
1504
1505         Reviewed by Yusuke Suzuki.
1506
1507         The issue is that Phantom insertion phase was disagreeing about live ranges
1508         from the arguments forwarding phase. The effect is that Phantom insertion
1509         would insert a Phantom creating a longer live range than what arguments
1510         forwarding was analyzing. Arguments forwarding will look for the last DFG
1511         use or the last bytecode use of a variable it wants to eliminate. It then
1512         does an interference analysis to ensure that nothing clobbers other variables
1513         it needs to recover the sunken allocation during OSR exit.
1514         
1515         Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
1516         in the current epoch, there is no need to insert a phantom for it. We
1517         determine where we might need a Phantom by looking at bytecode kills. In this
1518         analysis, we have a mapping from bytecode local to DFG node. However, we
1519         sometimes forgot to remove the entry when a local is killed. So, if the first
1520         kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
1521         However, if the variable gets killed again, we might errantly insert a Phantom
1522         for the prior variable which should've already been killed. The solution is to
1523         clear the entry in our mapping when a variable is killed.
1524         
1525         The program in question was like this:
1526         
1527         1: DirectArguments
1528         ...
1529         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
1530         ...
1531         clobber things needed for recovery
1532         ...
1533         
1534         Arguments elimination would transform the program since between @1 and
1535         @2, nothing clobbers values needed for exit and nothing escapes @1. The
1536         program becomes:
1537         
1538         1: PhantomDirectArguments
1539         ...
1540         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
1541         ...
1542         clobber things needed for recovery of @1
1543         ...
1544         
1545         
1546         Phantom insertion would then transform the program into:
1547         
1548         1: PhantomDirectArguments
1549         ...
1550         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
1551         ...
1552         clobber things needed for recovery of @1
1553         ...
1554         3: Phantom(@1)
1555         ...
1556         
1557         This is wrong because Phantom insertion and arguments forwarding must agree on live
1558         ranges, otherwise the interference analysis performed by arguments forwarding will
1559         not correctly analyze up until where the value might be recovered.
1560
1561         * dfg/DFGPhantomInsertionPhase.cpp:
1562
1563 2019-09-18  Commit Queue  <commit-queue@webkit.org>
1564
1565         Unreviewed, rolling out r250002.
1566         https://bugs.webkit.org/show_bug.cgi?id=201943
1567
1568         Patching of the callee and call is not atomic (Requested by
1569         tadeuzagallo on #webkit).
1570
1571         Reverted changeset:
1572
1573         "Change WebAssembly calling conventions"
1574         https://bugs.webkit.org/show_bug.cgi?id=201799
1575         https://trac.webkit.org/changeset/250002
1576
1577 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1578
1579         [JSC] Generator should have internal fields
1580         https://bugs.webkit.org/show_bug.cgi?id=201159
1581
1582         Reviewed by Keith Miller.
1583
1584         This patch makes generator's internal states InternalField instead of private properties.
1585         Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures.
1586         As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.
1587
1588         If we make these structures adaptively poly-proto, some generators get poly-proto structures while others do not, resulting
1589         in megamorphic lookup in Generator.prototype.next. If we make all the generator's structure poly-proto, it makes Generator.prototype.next
1590         lookup suboptimal for now.
1591
1592         In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal
1593         states. We extend promise-internal-field access bytecodes to access these fields from bytecode so that Generator.prototype.next can access
1594         these fields without using megamorphic get_by_id_direct.
1595
1596         And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.
1597
1598         We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
1599         JSGenerator can still offer a way to access the same Generator internal fields with the same offset while poly-proto JSGenerator can get offset = 0
1600         inline-storage slot for PolyProto implementation.
1601
1602         This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
1603         In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.
1604
1605         This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.
1606
1607         This patch includes several design decisions.
1608
1609             1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
1610             2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
1611                support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
1612             3. We can support arbitrarily sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now,
1613                we are not taking this approach just because I'm not sure this is necessary. If we found such a pattern, we can easily extend the current one but for now, I would like to keep
1614                this patch simple.
1615
1616         * JavaScriptCore.xcodeproj/project.pbxproj:
1617         * Sources.txt:
1618         * builtins/AsyncFunctionPrototype.js:
1619         (globalPrivate.asyncFunctionResume):
1620         * builtins/GeneratorPrototype.js:
1621         (globalPrivate.generatorResume):
1622         (next):
1623         (return):
1624         (throw):
1625         * bytecode/BytecodeGeneratorification.cpp:
1626         (JSC::BytecodeGeneratorification::run):
1627         * bytecode/BytecodeIntrinsicRegistry.cpp:
1628         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1629         * bytecode/BytecodeIntrinsicRegistry.h:
1630         * bytecode/BytecodeList.rb:
1631         * bytecode/BytecodeUseDef.h:
1632         (JSC::computeUsesForBytecodeOffset):
1633         (JSC::computeDefsForBytecodeOffset):
1634         * bytecode/CodeBlock.cpp:
1635         (JSC::CodeBlock::finishCreation):
1636         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1637         * bytecode/SpeculatedType.cpp:
1638         (JSC::speculationFromJSType):
1639         * bytecode/SpeculatedType.h:
1640         * bytecompiler/BytecodeGenerator.cpp:
1641         (JSC::BytecodeGenerator::BytecodeGenerator):
1642         (JSC::BytecodeGenerator::emitPutGeneratorFields):
1643         (JSC::BytecodeGenerator::emitCreateGenerator):
1644         (JSC::BytecodeGenerator::emitNewGenerator):
1645         (JSC::BytecodeGenerator::emitYield):
1646         (JSC::BytecodeGenerator::emitDelegateYield):
1647         (JSC::BytecodeGenerator::emitGeneratorStateChange):
1648         * bytecompiler/BytecodeGenerator.h:
1649         (JSC::BytecodeGenerator::emitIsGenerator):
1650         (JSC::BytecodeGenerator::generatorStateRegister):
1651         (JSC::BytecodeGenerator::generatorValueRegister):
1652         (JSC::BytecodeGenerator::generatorResumeModeRegister):
1653         (JSC::BytecodeGenerator::generatorFrameRegister):
1654         * bytecompiler/NodesCodegen.cpp:
1655         (JSC::generatorInternalFieldIndex):
1656         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
1657         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
1658         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
1659         (JSC::FunctionNode::emitBytecode):
1660         * dfg/DFGAbstractInterpreterInlines.h:
1661         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1662         * dfg/DFGByteCodeParser.cpp:
1663         (JSC::DFG::ByteCodeParser::parseBlock):
1664         * dfg/DFGCapabilities.cpp:
1665         (JSC::DFG::capabilityLevel):
1666         * dfg/DFGClobberize.h:
1667         (JSC::DFG::clobberize):
1668         * dfg/DFGClobbersExitState.cpp:
1669         (JSC::DFG::clobbersExitState):
1670         * dfg/DFGConstantFoldingPhase.cpp:
1671         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1672         * dfg/DFGDoesGC.cpp:
1673         (JSC::DFG::doesGC):
1674         * dfg/DFGFixupPhase.cpp:
1675         (JSC::DFG::FixupPhase::fixupNode):
1676         (JSC::DFG::FixupPhase::fixupIsCellWithType):
1677         * dfg/DFGGraph.cpp:
1678         (JSC::DFG::Graph::dump):
1679         * dfg/DFGNode.h:
1680         (JSC::DFG::Node::convertToNewGenerator):
1681         (JSC::DFG::Node::speculatedTypeForQuery):
1682         (JSC::DFG::Node::hasStructure):
1683         * dfg/DFGNodeType.h:
1684         * dfg/DFGOperations.cpp:
1685         * dfg/DFGOperations.h:
1686         * dfg/DFGPredictionPropagationPhase.cpp:
1687         * dfg/DFGSafeToExecute.h:
1688         (JSC::DFG::safeToExecute):
1689         * dfg/DFGSpeculativeJIT.cpp:
1690         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1691         (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
1692         (JSC::DFG::SpeculativeJIT::compileNewGenerator):
1693         * dfg/DFGSpeculativeJIT.h:
1694         * dfg/DFGSpeculativeJIT32_64.cpp:
1695         (JSC::DFG::SpeculativeJIT::compile):
1696         * dfg/DFGSpeculativeJIT64.cpp:
1697         (JSC::DFG::SpeculativeJIT::compile):
1698         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1699         * ftl/FTLCapabilities.cpp:
1700         (JSC::FTL::canCompile):
1701         * ftl/FTLLowerDFGToB3.cpp:
1702         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1703         (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
1704         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1705         (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
1706         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
1707         * jit/JIT.cpp:
1708         (JSC::JIT::privateCompileMainPass):
1709         (JSC::JIT::privateCompileSlowCases):
1710         * jit/JITOperations.cpp:
1711         * jit/JITOperations.h:
1712         * jit/JITPropertyAccess.cpp:
1713         (JSC::JIT::emit_op_get_internal_field):
1714         (JSC::JIT::emit_op_put_internal_field):
1715         * llint/LowLevelInterpreter.asm:
1716         * runtime/CommonSlowPaths.cpp:
1717         (JSC::SLOW_PATH_DECL):
1718         * runtime/CommonSlowPaths.h:
1719         * runtime/InternalFunction.cpp:
1720         (JSC::InternalFunction::createSubclassStructureSlow):
1721         * runtime/InternalFunction.h:
1722         (JSC::InternalFunction::createSubclassStructure):
1723         * runtime/JSGenerator.cpp: Added.
1724         (JSC::JSGenerator::create):
1725         (JSC::JSGenerator::createStructure):
1726         (JSC::JSGenerator::JSGenerator):
1727         (JSC::JSGenerator::finishCreation):
1728         (JSC::JSGenerator::visitChildren):
1729         * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
1730         * runtime/JSGeneratorFunction.h:
1731         * runtime/JSGlobalObject.cpp:
1732         (JSC::JSGlobalObject::init):
1733         (JSC::JSGlobalObject::visitChildren):
1734         * runtime/JSGlobalObject.h:
1735         (JSC::JSGlobalObject::generatorStructure const):
1736         * runtime/JSType.cpp:
1737         (WTF::printInternal):
1738         * runtime/JSType.h:
1739
1740 2019-09-17  Keith Miller  <keith_miller@apple.com>
1741
1742         Move comment explaining our Options to OptionsList.h
1743         https://bugs.webkit.org/show_bug.cgi?id=201891
1744
1745         Rubber-stamped by Mark Lam.
1746
1747         We moved the list so we should move the comment.
1748
1749         * runtime/Options.h:
1750         * runtime/OptionsList.h:
1751
1752 2019-09-17  Keith Miller  <keith_miller@apple.com>
1753
1754         Elide unnecessary moves in Air O0
1755         https://bugs.webkit.org/show_bug.cgi?id=201703
1756
1757         Reviewed by Saam Barati.
1758
1759         This patch also removes the code that would try to reuse temps in
1760         WasmAirIRGenerator. That code makes it hard to accurately
1761         determine where a temp dies as it could be reused again
1762         later. Thus every temp may appear to live for a long time in the
1763         global ordering.
1764
1765         This appears to be a minor progression on the overall score of
1766         wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.
1767
1768         This patch also fixes an issue where we didn't ask Patchpoints
1769         for early clobber registers when determining what callee saves
1770         were used by the program.
1771
1772         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
1773         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
1774         * b3/air/AirBasicBlock.h:
1775         * b3/air/AirCode.h:
1776         * b3/air/AirHandleCalleeSaves.cpp:
1777         (JSC::B3::Air::handleCalleeSaves):
1778         * b3/air/testair.cpp:
1779         * wasm/WasmAirIRGenerator.cpp:
1780         (JSC::Wasm::AirIRGenerator::didKill): Deleted.
1781         * wasm/WasmB3IRGenerator.cpp:
1782         (JSC::Wasm::B3IRGenerator::didKill): Deleted.
1783         * wasm/WasmFunctionParser.h:
1784         (JSC::Wasm::FunctionParser<Context>::parseBody):
1785         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1786         * wasm/WasmValidate.cpp:
1787         (JSC::Wasm::Validate::didKill): Deleted.
1788
1789 2019-09-17  Mark Lam  <mark.lam@apple.com>
1790
1791         Use constexpr instead of const in symbol definitions that are obviously constexpr.
1792         https://bugs.webkit.org/show_bug.cgi?id=201879
1793
1794         Rubber-stamped by Joseph Pecoraro.
1795
1796         const may require external storage (at the compiler's whim) though these
1797         currently do not.  constexpr makes it clear that the value is a literal constant
1798         that can be inlined.  In most cases in the code, when we say static const, we
1799         actually mean static constexpr.  I'm changing the code to reflect this.
1800
1801         * API/JSAPIValueWrapper.h:
1802         * API/JSCallbackConstructor.h:
1803         * API/JSCallbackObject.h:
1804         * API/JSContextRef.cpp:
1805         * API/JSWrapperMap.mm:
1806         * API/tests/CompareAndSwapTest.cpp:
1807         * API/tests/TypedArrayCTest.cpp:
1808         * API/tests/testapi.mm:
1809         (testObjectiveCAPIMain):
1810         * KeywordLookupGenerator.py:
1811         (Trie.printAsC):
1812         * assembler/ARMv7Assembler.h:
1813         * assembler/AssemblerBuffer.h:
1814         * assembler/AssemblerCommon.h:
1815         * assembler/MacroAssembler.h:
1816         * assembler/MacroAssemblerARM64.h:
1817         * assembler/MacroAssemblerARM64E.h:
1818         * assembler/MacroAssemblerARMv7.h:
1819         * assembler/MacroAssemblerCodeRef.h:
1820         * assembler/MacroAssemblerMIPS.h:
1821         * assembler/MacroAssemblerX86.h:
1822         * assembler/MacroAssemblerX86Common.h:
1823         (JSC::MacroAssemblerX86Common::absDouble):
1824         (JSC::MacroAssemblerX86Common::negateDouble):
1825         * assembler/MacroAssemblerX86_64.h:
1826         * assembler/X86Assembler.h:
1827         * b3/B3Bank.h:
1828         * b3/B3CheckSpecial.h:
1829         * b3/B3DuplicateTails.cpp:
1830         * b3/B3EliminateCommonSubexpressions.cpp:
1831         * b3/B3FixSSA.cpp:
1832         * b3/B3FoldPathConstants.cpp:
1833         * b3/B3InferSwitches.cpp:
1834         * b3/B3Kind.h:
1835         * b3/B3LowerToAir.cpp:
1836         * b3/B3NativeTraits.h:
1837         * b3/B3ReduceDoubleToFloat.cpp:
1838         * b3/B3ReduceLoopStrength.cpp:
1839         * b3/B3ReduceStrength.cpp:
1840         * b3/B3ValueKey.h:
1841         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1842         * b3/air/AirAllocateStackByGraphColoring.cpp:
1843         * b3/air/AirArg.h:
1844         * b3/air/AirCCallSpecial.h:
1845         * b3/air/AirEmitShuffle.cpp:
1846         * b3/air/AirFixObviousSpills.cpp:
1847         * b3/air/AirFormTable.h:
1848         * b3/air/AirLowerAfterRegAlloc.cpp:
1849         * b3/air/AirPrintSpecial.h:
1850         * b3/air/AirStackAllocation.cpp:
1851         * b3/air/AirTmp.h:
1852         * b3/testb3_6.cpp:
1853         (testInterpreter):
1854         * bytecode/AccessCase.cpp:
1855         * bytecode/CallLinkStatus.cpp:
1856         * bytecode/CallVariant.h:
1857         * bytecode/CodeBlock.h:
1858         * bytecode/CodeOrigin.h:
1859         * bytecode/DFGExitProfile.h:
1860         * bytecode/DirectEvalCodeCache.h:
1861         * bytecode/ExecutableToCodeBlockEdge.h:
1862         * bytecode/GetterSetterAccessCase.cpp:
1863         * bytecode/LazyOperandValueProfile.h:
1864         * bytecode/ObjectPropertyCondition.h:
1865         * bytecode/ObjectPropertyConditionSet.cpp:
1866         * bytecode/PolymorphicAccess.cpp:
1867         * bytecode/PropertyCondition.h:
1868         * bytecode/SpeculatedType.h:
1869         * bytecode/StructureStubInfo.cpp:
1870         * bytecode/UnlinkedCodeBlock.cpp:
1871         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
1872         * bytecode/UnlinkedCodeBlock.h:
1873         * bytecode/UnlinkedEvalCodeBlock.h:
1874         * bytecode/UnlinkedFunctionCodeBlock.h:
1875         * bytecode/UnlinkedFunctionExecutable.h:
1876         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1877         * bytecode/UnlinkedProgramCodeBlock.h:
1878         * bytecode/ValueProfile.h:
1879         * bytecode/VirtualRegister.h:
1880         * bytecode/Watchpoint.h:
1881         * bytecompiler/BytecodeGenerator.h:
1882         * bytecompiler/Label.h:
1883         * bytecompiler/NodesCodegen.cpp:
1884         (JSC::ThisNode::emitBytecode):
1885         * bytecompiler/RegisterID.h:
1886         * debugger/Breakpoint.h:
1887         * debugger/DebuggerParseData.cpp:
1888         * debugger/DebuggerPrimitives.h:
1889         * debugger/DebuggerScope.h:
1890         * dfg/DFGAbstractHeap.h:
1891         * dfg/DFGAbstractValue.h:
1892         * dfg/DFGArgumentsEliminationPhase.cpp:
1893         * dfg/DFGByteCodeParser.cpp:
1894         * dfg/DFGCSEPhase.cpp:
1895         * dfg/DFGCommon.h:
1896         * dfg/DFGCompilationKey.h:
1897         * dfg/DFGDesiredGlobalProperty.h:
1898         * dfg/DFGEdgeDominates.h:
1899         * dfg/DFGEpoch.h:
1900         * dfg/DFGForAllKills.h:
1901         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1902         * dfg/DFGGraph.cpp:
1903         (JSC::DFG::Graph::isLiveInBytecode):
1904         * dfg/DFGHeapLocation.h:
1905         * dfg/DFGInPlaceAbstractState.cpp:
1906         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1907         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyNode.h:
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNodeFlowProjection.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGPropertyTypeKey.h:
        * dfg/DFGPureValue.h:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGVarargsForwardingPhase.cpp:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * disassembler/ARM64/A64DOpcode.h:
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.h:
        * heap/CellContainer.h:
        * heap/CellState.h:
        * heap/ConservativeRoots.h:
        * heap/GCSegmentedArray.h:
        * heap/HandleBlock.h:
        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        * heap/Heap.h:
        * heap/HeapSnapshot.h:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/IncrementalSweeper.cpp:
        * heap/LargeAllocation.h:
        * heap/MarkedBlock.cpp:
        * heap/Strong.h:
        * heap/VisitRaceKey.h:
        * heap/Weak.h:
        * heap/WeakBlock.h:
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator._generate_versions):
        * inspector/scripts/tests/generic/expected/version.json-result:
        * interpreter/Interpreter.h:
        * interpreter/ShadowChicken.cpp:
        * jit/BinarySwitch.cpp:
        * jit/CallFrameShuffler.h:
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        * jit/ICStats.h:
        * jit/JITThunks.h:
        * jit/Reg.h:
        * jit/RegisterSet.h:
        * jit/TempRegisterSet.h:
        * jsc.cpp:
        * parser/ASTBuilder.h:
        * parser/Nodes.h:
        * parser/SourceCodeKey.h:
        * parser/SyntaxChecker.h:
        * parser/VariableEnvironment.h:
        * profiler/ProfilerOrigin.h:
        * profiler/ProfilerOriginStack.h:
        * profiler/ProfilerUID.h:
        * runtime/AbstractModuleRecord.cpp:
        * runtime/ArrayBufferNeuteringWatchpointSet.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayConventions.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):
        * runtime/AsyncFromSyncIteratorPrototype.h:
        * runtime/AsyncGeneratorFunctionPrototype.h:
        * runtime/AsyncGeneratorPrototype.h:
        * runtime/AsyncIteratorPrototype.h:
        * runtime/AtomicsObject.cpp:
        * runtime/BigIntConstructor.h:
        * runtime/BigIntPrototype.h:
        * runtime/BooleanPrototype.h:
        * runtime/ClonedArguments.h:
        * runtime/CodeCache.h:
        * runtime/ControlFlowProfiler.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.h:
        * runtime/DefinePropertyAttributes.h:
        * runtime/ErrorPrototype.h:
        * runtime/EvalExecutable.h:
        * runtime/Exception.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        * runtime/ExceptionHelpers.h:
        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.h:
        * runtime/FunctionRareData.h:
        * runtime/GeneratorPrototype.h:
        * runtime/GenericArguments.h:
        * runtime/GenericOffset.h:
        * runtime/GetPutInfo.h:
        * runtime/GetterSetter.h:
        * runtime/GlobalExecutable.h:
        * runtime/Identifier.h:
        * runtime/InspectorInstrumentationObject.h:
        * runtime/InternalFunction.h:
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.h:
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/IntlPluralRulesPrototype.h:
        * runtime/IteratorPrototype.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.h:
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCell.h:
        * runtime/JSCustomGetterSetterFunction.h:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSDestructibleObject.h:
        * runtime/JSFixedArray.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGlobalLexicalEnvironment.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromiseDeferred.h:
        * runtime/JSInternalPromisePrototype.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSModuleEnvironment.h:
        * runtime/JSModuleLoader.h:
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSNonDestructibleProxy.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/JSProxy.h:
        * runtime/JSScope.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSourceCode.h:
        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTemplateObjectDescriptor.h:
        * runtime/JSTypeInfo.h:
        * runtime/MapPrototype.h:
        * runtime/MinimumReservedZoneSize.h:
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/NativeFunction.h:
        * runtime/NativeStdFunctionCell.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/ProgramExecutable.h:
        * runtime/PromiseDeferredTimer.cpp:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::add):
        * runtime/PrototypeKey.h:
        * runtime/ProxyConstructor.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/ProxyRevoke.h:
        * runtime/ReflectObject.h:
        * runtime/RegExp.h:
        * runtime/RegExpCache.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpKey.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/RegExpStringIteratorPrototype.h:
        * runtime/SamplingProfiler.cpp:
        * runtime/ScopedArgumentsTable.h:
        * runtime/ScriptExecutable.h:
        * runtime/SetPrototype.h:
        * runtime/SmallStrings.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/StringConstructor.h:
        * runtime/StringIteratorPrototype.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureRareData.h:
        * runtime/StructureTransitionTable.h:
        * runtime/Symbol.h:
        * runtime/SymbolConstructor.h:
        * runtime/SymbolPrototype.h:
        * runtime/SymbolTable.h:
        * runtime/TemplateObjectDescriptor.h:
        * runtime/TypeProfiler.cpp:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.cpp:
        * runtime/VarOffset.h:
        * testRegExp.cpp:
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::checkIfRecorded):
        * tools/JSDollarVM.cpp:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmBBQPlan.cpp:
        * wasm/WasmFaultSignalHandler.cpp:
        * wasm/WasmFunctionParser.h:
        * wasm/WasmOMGForOSREntryPlan.cpp:
        * wasm/WasmOMGPlan.cpp:
        * wasm/WasmPlan.cpp:
        * wasm/WasmSignature.cpp:
        * wasm/WasmSignature.h:
        * wasm/WasmWorklist.cpp:
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/WebAssemblyCompileErrorConstructor.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.h:
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyInstancePrototype.h:
        * wasm/js/WebAssemblyLinkErrorConstructor.h:
        * wasm/js/WebAssemblyLinkErrorPrototype.h:
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyModulePrototype.h:
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
        * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
        * wasm/js/WebAssemblyTableConstructor.h:
        * wasm/js/WebAssemblyTablePrototype.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * yarr/Yarr.h:
        * yarr/YarrParser.h:
        * yarr/generateYarrCanonicalizeUnicode:

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Follow-up after String.codePointAt optimization
        https://bugs.webkit.org/show_bug.cgi?id=201889

        Reviewed by Saam Barati.

        Follow-up after string.codePointAt DFG / FTL optimizations:

        1. Gracefully accept more arguments than expected for intrinsics.
        2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):

2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>

        Change WebAssembly calling conventions
        https://bugs.webkit.org/show_bug.cgi?id=201799

        Reviewed by Saam Barati.

        Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
        we have the Wasm interpreter, since we need the callee in order to know which function we are executing.
        This patch changes the calling conventions in preparation for the interpreter, so that the caller
        becomes responsible for writing the callee into the call frame.
        However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
        generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
        code when we know statically who the callee is:
        - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
        - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry

        Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping
        of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::addCall):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        (JSC::Wasm::repatchMove):
        (JSC::Wasm::repatchCall):
        (JSC::Wasm::BBQCallee::addCaller):
        (JSC::Wasm::BBQCallee::addAndLinkCaller):
        (JSC::Wasm::BBQCallee::repatchCallers):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint):
        (JSC::Wasm::Callee::code const):
        (JSC::Wasm::Callee::calleeSaveRegisters):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
        * wasm/WasmEmbedder.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
        * wasm/WasmOMGForOSREntryPlan.cpp:
        (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
        (JSC::Wasm::OMGForOSREntryPlan::work):
        * wasm/WasmOMGForOSREntryPlan.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::OMGPlan):
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmOMGPlan.h:
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::triggerOMGReplacementCompile):
        (JSC::Wasm::doOSREntry):
        (JSC::Wasm::triggerOSREntryNow):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSToWasm.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CheckArray+NonArray is not filtering out Array in AI
        https://bugs.webkit.org/show_bug.cgi?id=201857
        <rdar://problem/54194820>

        Reviewed by Keith Miller.

        The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
        While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
        accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
        This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked const):

2019-09-17  Saam Barati  <sbarati@apple.com>

        CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
        https://bugs.webkit.org/show_bug.cgi?id=201853
        <rdar://problem/53805461>

        Reviewed by Yusuke Suzuki.

        We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
        out SlowPutArrayStorage. It does no such thing. We just check that the object
        is either ScopedArguments or DirectArguments.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.

2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>

        Wasm StreamingParser should validate that number of functions matches number of declarations
        https://bugs.webkit.org/show_bug.cgi?id=201850
        <rdar://problem/55290186>

        Reviewed by Yusuke Suzuki.

        Currently, when parsing the code section, we check that the number of functions matches the number
        of declarations in the function section. However, that check is never performed if the module does
        not have a code section. To fix that, we perform the check again in StreamingParser::finalize.

        * wasm/WasmStreamingParser.cpp:
        (JSC::Wasm::StreamingParser::finalize):
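        The check described in the entry above, as an added example in JavaScript that is not JavaScriptCore's
        StreamingParser: a minimal WebAssembly binary section walker that counts function-section declarations and
        code-section bodies and compares them in a final step, so a module with declarations but no code section
        is rejected too. The three sample modules, the section helpers and the function names are constructed here.

```javascript
// Added example, not JSC code. Section ids from the WebAssembly binary format.
const SECTION_TYPE = 1;
const SECTION_FUNCTION = 3;
const SECTION_CODE = 10;
const WASM_HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm" + version 1

// Read an unsigned LEB128 value at `pos`; returns [value, positionAfterValue].
// Bounds are checked so a truncated module cannot make us read past the buffer.
function readULEB(bytes, pos) {
  let result = 0;
  let shift = 0;
  for (;;) {
    if (pos >= bytes.length) throw new Error('truncated LEB128 at offset ' + pos);
    const b = bytes[pos++];
    result += (b & 0x7f) * 2 ** shift; // avoids 32-bit overflow of `<<`
    if ((b & 0x80) === 0) return [result, pos];
    shift += 7;
    if (shift > 28) throw new Error('LEB128 value too wide for u32');
  }
}

// Walk every section, remember the counts from the function and code sections,
// and only compare them once the whole module has been seen (the "finalize"
// step). Because the comparison is not tied to parsing the code section, a
// module that declares functions but omits the code section fails as well.
function checkFunctionCounts(bytes) {
  for (let i = 0; i < WASM_HEADER.length; i++) {
    if (bytes[i] !== WASM_HEADER[i]) throw new Error('bad magic or version');
  }
  let pos = WASM_HEADER.length;
  let declared = 0;       // entries in the function section
  let bodies = 0;         // entries in the code section
  let sawCodeSection = false;
  while (pos < bytes.length) {
    const id = bytes[pos++];
    const [size, payloadStart] = readULEB(bytes, pos);
    const end = payloadStart + size;
    if (end > bytes.length) throw new Error('section ' + id + ' overruns module');
    if (id === SECTION_FUNCTION) {
      [declared] = readULEB(bytes, payloadStart);
    } else if (id === SECTION_CODE) {
      sawCodeSection = true;
      [bodies] = readULEB(bytes, payloadStart);
    }
    pos = end; // the payload contents are not needed for this check
  }
  // finalize: runs whether or not a code section was present.
  return { declared, bodies, sawCodeSection, ok: declared === bodies };
}

// Helpers to assemble constructed sample modules.
function encodeULEB(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}
function section(id, payload) {
  return [id, ...encodeULEB(payload.length), ...payload];
}

const typeSection = section(SECTION_TYPE, [0x01, 0x60, 0x00, 0x00]);   // one type: () -> ()
const oneFunction = section(SECTION_FUNCTION, [0x01, 0x00]);           // one function of type 0
const twoFunctions = section(SECTION_FUNCTION, [0x02, 0x00, 0x00]);    // two functions of type 0
const oneBody = section(SECTION_CODE, [0x01, 0x02, 0x00, 0x0b]);       // one body: no locals, `end`

// Constructed inputs: consistent, the bug's case (declaration without any
// code section), and the case the pre-existing check already caught.
const WELL_FORMED = new Uint8Array([...WASM_HEADER, ...typeSection, ...oneFunction, ...oneBody]);
const MISSING_CODE = new Uint8Array([...WASM_HEADER, ...typeSection, ...oneFunction]);
const MISMATCHED = new Uint8Array([...WASM_HEADER, ...typeSection, ...twoFunctions, ...oneBody]);

for (const [name, bytes] of [['well-formed', WELL_FORMED], ['missing code', MISSING_CODE], ['mismatched', MISMATCHED]]) {
  console.log(name, checkFunctionCounts(bytes));
}
```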

2019-09-16  Michael Saboff  <msaboff@apple.com>

        [JSC] Perform check again when we found non-BMP characters
        https://bugs.webkit.org/show_bug.cgi?id=201647

        Reviewed by Yusuke Suzuki.

        We need to check for end of input for non-BMP characters when matching a character class that contains
        both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
        end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
        After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
        label to back out the index++ for the first surrogate of the non-BMP character.

        Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
        first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
        we increment for the second surrogate.

        While writing tests, I found an off-by-one error in backtrackCharacterClassGreedy() and changed the
        loop to check the count at loop top instead of loop bottom.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add missing syntax errors for await in function parameter default expressions
        https://bugs.webkit.org/show_bug.cgi?id=201615

        Reviewed by Darin Adler.

        This patch rectifies two oversights:
          1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
             (and likewise for async arrow functions).
          2. We were not prohibiting `(x = await => {}) => {}` in an async context
             (regardless of parentheses, but note that this one *only* applies to arrow functions).

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
        (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
        (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
        (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).

2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>

        SamplingProfiler should hold API lock before reporting results
        https://bugs.webkit.org/show_bug.cgi?id=201829

        Reviewed by Yusuke Suzuki.

        Right now, the SamplingProfiler crashes in debug builds when trying
        to report results if it finds a JSFunction on the stack that doesn't have
        RareData. It tries to allocate the function's rare data when we call
        getOwnPropertySlot in order to get the function's name, but that fails
        because we are not holding the VM's API lock. We fix it by just holding
        the lock before reporting the results.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportDataToOptionFile):

2019-09-16  David Kilzer  <ddkilzer@apple.com>

        [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
        <https://webkit.org/b/201804>

        Reviewed by Saam Barati.

        * b3/testb3_8.cpp:
        (testFastForwardCopy32): Allocate arrays using
        WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
        statements.

2019-09-16  Saam Barati  <sbarati@apple.com>

        JSObject::putInlineSlow should not ignore "__proto__" for Proxy
        https://bugs.webkit.org/show_bug.cgi?id=200386
        <rdar://problem/53854946>

        Reviewed by Yusuke Suzuki.

        We used to ignore '__proto__' in putInlineSlow when the object in question
        was Proxy. There is no reason for this, and it goes against the spec. So
        I've removed that condition. This also has the effect that it fixes an
        assertion firing inside our inline caching code which dictates that for a
        property replace that the base value's structure must be equal to the
        structure when we grabbed the structure prior to the put operation.
        The old code caused a weird edge case where we broke this invariant.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):

2019-09-15  David Kilzer  <ddkilzer@apple.com>

        Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
        <https://webkit.org/b/201803>

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]): Use
        RetainPtr<> to fix the leak.

2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>

        Retire x86 32bit JIT support
        https://bugs.webkit.org/show_bug.cgi?id=201790

        Reviewed by Mark Lam.

        Now, Xcode no longer has the ability to build 32bit binaries, so we cannot even test it on macOS.
        Fedora has stopped shipping the x86 32bit kernel. Our x86/x86_64 JIT requires SSE2, and so such relatively modern CPUs
        can use JIT by switching x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
        WebKit already disabled x86 JIT by default while the implementation exists. So literally, it is not tested.

        While x86 32bit becomes less useful, the x86 32bit JIT backend is very complicated and is a major maintenance burden.
        This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.

        This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep the MacroAssembler, GPRInfo / FPRInfo, and
        MachineContext information since they are useful even though JIT is not supported.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::emitModOrDiv):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:

2019-09-13  Mark Lam  <mark.lam@apple.com>

        jsc -d stopped working.
        https://bugs.webkit.org/show_bug.cgi?id=201787

        Reviewed by Joseph Pecoraro.

        The reason is that, in this case, the jsc shell is trying to set an option
        after the VM has been instantiated.  The fix is simply to move all options
        initialization before the VM is instantiated.

        * jsc.cpp:
        (runWithOptions):
        (jscmain):

2019-09-13  Mark Lam  <mark.lam@apple.com>

        watchOS requires PageSize alignment of 16K for JSC::Config.
        https://bugs.webkit.org/show_bug.cgi?id=201786
        <rdar://problem/55357890>

        Reviewed by Yusuke Suzuki.

        * runtime/JSCConfig.h:

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up fix after r249842
        https://bugs.webkit.org/show_bug.cgi?id=201750

        Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearCall):
        (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):

2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON does not execute steps 1-2
        https://bugs.webkit.org/show_bug.cgi?id=105282

        Reviewed by Ross Kirsling.

        According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
        strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
        using sloppy mode semantics, resulting in `toISOString` being called on the global object if `this`
        value equals `null` or `undefined`.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
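        The behaviour described in the entry above, as an added example in JavaScript that is not JavaScriptCore's
        dateProtoFuncToJSON: the steps of Date.prototype.toJSON written out per the spec, once with strict `this`
        resolution (steps 1-2 throw a TypeError on null/undefined) and once with the sloppy fallback to a global
        object, so the difference the fix makes is observable. The fake global object and all function names are
        constructed for illustration.

```javascript
// Added example, not JSC code.

// ToPrimitive(O, number): honour @@toPrimitive, else OrdinaryToPrimitive with
// valueOf before toString. A Date's @@toPrimitive with hint "number" yields its time value.
function toPrimitiveNumber(O) {
  const isPrimitive = (v) => v === null || (typeof v !== 'object' && typeof v !== 'function');
  const exotic = O[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const r = exotic.call(O, 'number');
    if (isPrimitive(r)) return r;
    throw new TypeError('Cannot convert object to primitive value');
  }
  for (const name of ['valueOf', 'toString']) {
    const m = O[name];
    if (typeof m === 'function') {
      const r = m.call(O);
      if (isPrimitive(r)) return r;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// Steps 2-4 of https://tc39.es/ecma262/#sec-date.prototype.tojson, shared by both variants.
function toJSONSteps2to4(O) {
  const tv = toPrimitiveNumber(O);                       // step 2
  if (typeof tv === 'number' && !Number.isFinite(tv)) {  // step 3: NaN or +/-Infinity -> null
    return null;
  }
  const fn = O.toISOString;                              // step 4: Invoke(O, "toISOString")
  if (typeof fn !== 'function') throw new TypeError('toISOString is not a function');
  return fn.call(O);
}

// Strict variant (what the fix implements): step 1 is ToObject(this value),
// which throws for null and undefined instead of substituting anything.
function toJSONStrict(thisValue) {
  'use strict';
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError('Date.prototype.toJSON called on null or undefined');
  }
  return toJSONSteps2to4(Object(thisValue));
}

// Sloppy variant (the pre-fix behaviour): a sloppy-mode function receives the
// global object in place of null/undefined, so `toISOString` is looked up on
// it. `globalObject` is passed in explicitly so the effect can be observed
// with a constructed stand-in rather than the real global object.
function toJSONSloppy(thisValue, globalObject) {
  const O = (thisValue === null || thisValue === undefined) ? globalObject : Object(thisValue);
  return toJSONSteps2to4(O);
}

// Constructed stand-in for a global object that happens to define toISOString.
const FAKE_GLOBAL = {
  toISOString() { return 'toISOString called on the global object'; },
};

// Small helper so callers (and tests) can check the thrown type without try/catch boilerplate.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

console.log(toJSONStrict(new Date(0)));              // 1970-01-01T00:00:00.000Z
console.log(toJSONStrict(new Date(NaN)));            // null (step 3)
console.log(throwsTypeError(() => toJSONStrict(null)));          // true (step 1)
console.log(toJSONSloppy(null, FAKE_GLOBAL));        // the global object's toISOString ran
console.log(throwsTypeError(() => Date.prototype.toJSON.call(null))); // true in a conforming engine
```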

2019-09-13  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should do its !Gigacage assertion on exit.
        https://bugs.webkit.org/show_bug.cgi?id=201780
        <rdar://problem/55354867>

        Reviewed by Robin Morisset.

        Re-doing previous fix.

        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
        (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.

2019-09-13  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should do its !Gigacage assertion on exit.
        https://bugs.webkit.org/show_bug.cgi?id=201780
        <rdar://problem/55354867>

        Reviewed by Robin Morisset.

        * jit/ExecutableAllocator.h:
        (JSC::GigacageAssertScope::GigacageAssertScope):
        (JSC::GigacageAssertScope::~GigacageAssertScope):
        (JSC::performJITMemcpy):

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Micro-optimize YarrJIT's surrogate pair handling
        https://bugs.webkit.org/show_bug.cgi?id=201750

        Reviewed by Michael Saboff.

        Optimize the sequence of machine code used to get a code point with the unicode flag.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):

2019-09-13  Mark Lam  <mark.lam@apple.com>

        We should assert $vm is enabled on entry and exit in its functions.
        https://bugs.webkit.org/show_bug.cgi?id=201762
        <rdar://problem/55338742>

        Rubber-stamped by Michael Saboff.

        1. Also do the same for FunctionOverrides.
        2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
        3. Also added assertions to lambda functions in $vm.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
        (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
        (JSC::FunctionOverrides::overrides):
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::initializeOverrideInfo):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::parseClause):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (JSC::JSDollarVMCallFrame::createStructure):
        (JSC::JSDollarVMCallFrame::create):
        (JSC::JSDollarVMCallFrame::finishCreation):
        (JSC::JSDollarVMCallFrame::addProperty):
        (JSC::Element::Element):
        (JSC::Element::create):
        (JSC::Element::visitChildren):
        (JSC::Element::createStructure):
        (JSC::Root::Root):
        (JSC::Root::setElement):
        (JSC::Root::create):
        (JSC::Root::createStructure):
        (JSC::Root::visitChildren):
        (JSC::SimpleObject::SimpleObject):
        (JSC::SimpleObject::create):
        (JSC::SimpleObject::visitChildren):
        (JSC::SimpleObject::createStructure):
        (JSC::ImpureGetter::ImpureGetter):
        (JSC::ImpureGetter::createStructure):
        (JSC::ImpureGetter::create):
        (JSC::ImpureGetter::finishCreation):
        (JSC::ImpureGetter::getOwnPropertySlot):
        (JSC::ImpureGetter::visitChildren):
        (JSC::CustomGetter::CustomGetter):
        (JSC::CustomGetter::createStructure):
        (JSC::CustomGetter::create):
        (JSC::CustomGetter::getOwnPropertySlot):
        (JSC::CustomGetter::customGetter):
        (JSC::CustomGetter::customGetterAcessor):
        (JSC::RuntimeArray::create):
        (JSC::RuntimeArray::destroy):
        (JSC::RuntimeArray::getOwnPropertySlot):
        (JSC::RuntimeArray::getOwnPropertySlotByIndex):
        (JSC::RuntimeArray::createPrototype):
        (JSC::RuntimeArray::createStructure):
        (JSC::RuntimeArray::finishCreation):
        (JSC::RuntimeArray::RuntimeArray):
        (JSC::RuntimeArray::lengthGetter):
        (JSC::DOMJITNode::DOMJITNode):
        (JSC::DOMJITNode::createStructure):
        (JSC::DOMJITNode::checkSubClassSnippet):
        (JSC::DOMJITNode::create):
        (JSC::DOMJITGetter::DOMJITGetter):
        (JSC::DOMJITGetter::createStructure):
        (JSC::DOMJITGetter::create):
        (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2671         (JSC::DOMJITGetter::customGetter):
2672         (JSC::DOMJITGetter::finishCreation):
2673         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
2674         (JSC::DOMJITGetterComplex::createStructure):
2675         (JSC::DOMJITGetterComplex::create):
2676         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2677         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2678         (JSC::DOMJITGetterComplex::functionEnableException):
2679         (JSC::DOMJITGetterComplex::customGetter):
2680         (JSC::DOMJITGetterComplex::finishCreation):
2681         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
2682         (JSC::DOMJITFunctionObject::createStructure):
2683         (JSC::DOMJITFunctionObject::create):
2684         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
2685         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2686         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
2687         (JSC::DOMJITFunctionObject::finishCreation):
2688         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2689         (JSC::DOMJITCheckSubClassObject::createStructure):
2690         (JSC::DOMJITCheckSubClassObject::create):
2691         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
2692         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2693         (JSC::DOMJITCheckSubClassObject::finishCreation):
2694         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2695         (JSC::DOMJITGetterBaseJSObject::createStructure):
2696         (JSC::DOMJITGetterBaseJSObject::create):
2697         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2698         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2699         (JSC::DOMJITGetterBaseJSObject::customGetter):
2700         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2701         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2702         (JSC::JSTestCustomGetterSetter::create):
2703         (JSC::JSTestCustomGetterSetter::createStructure):
2704         (JSC::customSetAccessor):
2705         (JSC::customSetValue):
2706         (JSC::JSTestCustomGetterSetter::finishCreation):
2707         (JSC::Element::handleOwner):
2708         (JSC::Element::finishCreation):
2709         (JSC::WasmStreamingParser::WasmStreamingParser):
2710         (JSC::WasmStreamingParser::create):
2711         (JSC::WasmStreamingParser::createStructure):
2712         (JSC::WasmStreamingParser::finishCreation):
2713         (JSC::functionWasmStreamingParserAddBytes):
2714         (JSC::functionWasmStreamingParserFinalize):
2715         (JSC::functionCrash):
2716         (JSC::functionBreakpoint):
2717         (JSC::functionDFGTrue):
2718         (JSC::functionFTLTrue):
2719         (JSC::functionCpuMfence):
2720         (JSC::functionCpuRdtsc):
2721         (JSC::functionCpuCpuid):
2722         (JSC::functionCpuPause):
2723         (JSC::functionCpuClflush):
2724         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2725         (JSC::getExecutableForFunction):
2726         (JSC::functionLLintTrue):
2727         (JSC::functionJITTrue):
2728         (JSC::functionNoInline):
2729         (JSC::functionGC):
2730         (JSC::functionEdenGC):
2731         (JSC::functionDumpSubspaceHashes):
2732         (JSC::functionCallFrame):
2733         (JSC::functionCodeBlockForFrame):
2734         (JSC::codeBlockFromArg):
2735         (JSC::functionCodeBlockFor):
2736         (JSC::functionDumpSourceFor):
2737         (JSC::functionDumpBytecodeFor):
2738         (JSC::doPrint):
2739         (JSC::functionDataLog):
2740         (JSC::functionPrint):
2741         (JSC::functionDumpCallFrame):
2742         (JSC::functionDumpStack):
2743         (JSC::functionDumpRegisters):
2744         (JSC::functionDumpCell):
2745         (JSC::functionIndexingMode):
2746         (JSC::functionInlineCapacity):
2747         (JSC::functionValue):
2748         (JSC::functionGetPID):
2749         (JSC::functionHaveABadTime):
2750         (JSC::functionIsHavingABadTime):
2751         (JSC::functionCreateGlobalObject):
2752         (JSC::functionCreateProxy):
2753         (JSC::functionCreateRuntimeArray):
2754         (JSC::functionCreateNullRopeString):
2755         (JSC::functionCreateImpureGetter):
2756         (JSC::functionCreateCustomGetterObject):
2757         (JSC::functionCreateDOMJITNodeObject):
2758         (JSC::functionCreateDOMJITGetterObject):
2759         (JSC::functionCreateDOMJITGetterComplexObject):
2760         (JSC::functionCreateDOMJITFunctionObject):
2761         (JSC::functionCreateDOMJITCheckSubClassObject):
2762         (JSC::functionCreateDOMJITGetterBaseJSObject):
2763         (JSC::functionCreateWasmStreamingParser):
2764         (JSC::functionSetImpureGetterDelegate):
2765         (JSC::functionCreateBuiltin):
2766         (JSC::functionGetPrivateProperty):
2767         (JSC::functionCreateRoot):
2768         (JSC::functionCreateElement):
2769         (JSC::functionGetElement):
2770         (JSC::functionCreateSimpleObject):
2771         (JSC::functionGetHiddenValue):
2772         (JSC::functionSetHiddenValue):
2773         (JSC::functionShadowChickenFunctionsOnStack):
2774         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2775         (JSC::functionFindTypeForExpression):
2776         (JSC::functionReturnTypeFor):
2777         (JSC::functionFlattenDictionaryObject):
2778         (JSC::functionDumpBasicBlockExecutionRanges):
2779         (JSC::functionHasBasicBlockExecuted):
2780         (JSC::functionBasicBlockExecutionCount):
2781         (JSC::functionEnableExceptionFuzz):
2782         (JSC::changeDebuggerModeWhenIdle):
2783         (JSC::functionEnableDebuggerModeWhenIdle):
2784         (JSC::functionDisableDebuggerModeWhenIdle):
2785         (JSC::functionDeleteAllCodeWhenIdle):
2786         (JSC::functionGlobalObjectCount):
2787         (JSC::functionGlobalObjectForObject):
2788         (JSC::functionGetGetterSetter):
2789         (JSC::functionLoadGetterFromGetterSetter):
2790         (JSC::functionCreateCustomTestGetterSetter):
2791         (JSC::functionDeltaBetweenButterflies):
2792         (JSC::functionTotalGCTime):
2793         (JSC::functionParseCount):
2794         (JSC::functionIsWasmSupported):
2795         (JSC::JSDollarVM::finishCreation):
2796         (JSC::JSDollarVM::addFunction):
2797         (JSC::JSDollarVM::addConstructibleFunction):
2798         * tools/JSDollarVM.h:
2799         (JSC::DollarVMAssertScope::DollarVMAssertScope):
2800         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
2801
2802 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
2803
2804         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
2805         https://bugs.webkit.org/show_bug.cgi?id=201535
2806         <rdar://problem/29119232>
2807
2808         Reviewed by Devin Rousso.
2809
2810         * debugger/Debugger.cpp:
2811         (JSC::Debugger::resolveBreakpoint):
2812         When resolving a breakpoint inside of an inline <script> we need to adjust
2813         based on the starting position of the <script> in the HTML resource.
2814
2815 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
2816
2817         [JSC] X86Registers.h callee-save register definition is wrong
2818         https://bugs.webkit.org/show_bug.cgi?id=201756
2819
2820         Reviewed by Mark Lam.
2821
2822         I think nobody is using the X86 JIT backend, but it is simply wrong.
2823         edi and esi should be callee-save.
2824
2825         * assembler/X86Registers.h:
2826
2827 2019-09-12  Mark Lam  <mark.lam@apple.com>
2828
2829         Harden JSC against the abuse of runtime options.
2830         https://bugs.webkit.org/show_bug.cgi?id=201597
2831         <rdar://problem/55167068>
2832
2833         Reviewed by Filip Pizlo.
2834
2835         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
2836
2837         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
2838            first VM instance is constructed.  The end of the VM constructor calls
2839            Config::permanentlyFreeze() which will make the Config ReadOnly.
2840
2841            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
2842            OS(WINDOWS) will need to implement some missing pieces before it can enable
2843            this hardening (see FIXME in JSCConfig.cpp).
2844
2845            The hardening strategy here is to put immutable global values into the Config.
2846            Any modifications that need to be made to these values must be done before the
2847            first VM instance is done instantiating.  This ensures that no script will
2848            ever run while the Config is still writable.
2849
2850            Also, the policy for this hardening is that a process is opted in by default.
2851            If there's a valid need to disable this hardening (e.g. for some test
2852            environments), the relevant process will need to opt itself out by calling
2853            Config::configureForTesting().
2854
2855            The jsc shell, WK2 UI and WebContent processes are opted in by default.
2856         Only test processes may opt out.
2857
2858         2. Put all JSC::Options in the Config.  This enforces the invariant that options
2859            can only be changed before we instantiate a VM.  Once a VM is instantiated,
2860            the options are immutable.
2861
2862         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
2863            Options::forceGCSlowPaths this way is no longer allowed.
2864
2865         4. Re-factored the Options code (Options.h) into:
2866            - OptionEntry.h: the data structure that stores the option values.
2867            - OptionsList.h: the list of options.
2868            - Options.h: the Options singleton object which is the interface for accessing options.
2869
2870            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
2871            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
2872            "JSC_OPTIONS(FOR_EACH_OPTION)".
2873
2874         5. Change testapi to call Config::configureForTesting().  Parts of testapi make
2875            use of setting options in its tests.  Hence, this hardening is disabled for
2876            testapi.
2877
2878            Note: the jsc shell does enable this hardening.
2879
2880         6. Put ExecutableAllocator's immutable globals in the Config.
2881
2882         7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
2883            FunctionOverrides test utility.
2884
2885         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
2886
2887            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
2888            that are non-trivial at an eye's glance.  This includes (but is not limited to):
2889                constructors
2890                create() factory
2891                createStructure() factory
2892                finishCreation()
2893                HOST_CALL or operation functions
2894                Constructors and methods of utility and test classes
2895
2896            The only exceptions are some constexpr constructors used for instantiating
2897            globals (since these must have trivial constructors) e.g. DOMJITAttribute.
2898            Instead, these constructors should always be ALWAYS_INLINE.
2899
2900         * API/glib/JSCOptions.cpp:
2901         (jscOptionsSetValue):
2902         (jscOptionsGetValue):
2903         (jsc_options_foreach):
2904         (jsc_options_get_option_group):
2905         * API/tests/testapi.c:
2906         (main):
2907         * API/tests/testapi.cpp:
2908         (configureJSCForTesting):
2909         * CMakeLists.txt:
2910         * JavaScriptCore.xcodeproj/project.pbxproj:
2911         * Sources.txt:
2912         * jit/ExecutableAllocator.cpp:
2913         (JSC::isJITEnabled):
2914         (JSC::ExecutableAllocator::setJITEnabled):
2915         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2916         (JSC::ExecutableAllocator::isValid const):
2917         (JSC::ExecutableAllocator::underMemoryPressure):
2918         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2919         (JSC::ExecutableAllocator::allocate):
2920         (JSC::ExecutableAllocator::isValidExecutableMemory):
2921         (JSC::ExecutableAllocator::getLock const):
2922         (JSC::ExecutableAllocator::committedByteCount):
2923         (JSC::ExecutableAllocator::dumpProfile):
2924         (JSC::startOfFixedExecutableMemoryPoolImpl):
2925         (JSC::endOfFixedExecutableMemoryPoolImpl):
2926         (JSC::isJITPC):
2927         (JSC::dumpJITMemory):
2928         (JSC::ExecutableAllocator::initialize):
2929         (JSC::ExecutableAllocator::singleton):
2930         * jit/ExecutableAllocator.h:
2931         (JSC::performJITMemcpy):
2932         * jsc.cpp:
2933         (GlobalObject::finishCreation):
2934         (functionJSCOptions):
2935         (jscmain):
2936         (functionForceGCSlowPaths): Deleted.
2937         * runtime/ConfigFile.cpp:
2938         (JSC::ConfigFile::parse):
2939         * runtime/InitializeThreading.cpp:
2940         (JSC::initializeThreading):
2941         * runtime/JSCConfig.cpp: Added.
2942         (JSC::Config::disableFreezingForTesting):
2943         (JSC::Config::enableRestrictedOptions):
2944         (JSC::Config::permanentlyFreeze):
2945         * runtime/JSCConfig.h: Added.
2946         (JSC::Config::configureForTesting):
2947         * runtime/JSGlobalObject.cpp:
2948         (JSC::JSGlobalObject::exposeDollarVM):
2949         * runtime/OptionEntry.h: Added.
2950         (JSC::OptionRange::operator= ):
2951         (JSC::OptionRange::rangeString const):
2952         * runtime/Options.cpp:
2953         (JSC::Options::isAvailable):
2954         (JSC::scaleJITPolicy):
2955         (JSC::Options::initialize):
2956         (JSC::Options::setOptions):
2957         (JSC::Options::setOptionWithoutAlias):
2958         (JSC::Options::setAliasedOption):
2959         (JSC::Option::dump const):
2960         (JSC::Option::operator== const):
2961         (): Deleted.
2962         (JSC::Options::enableRestrictedOptions): Deleted.
2963         * runtime/Options.h:
2964         (JSC::Option::Option):
2965         (JSC::Option::defaultOption const):
2966         (JSC::Option::boolVal):
2967         (JSC::Option::unsignedVal):
2968         (JSC::Option::doubleVal):
2969         (JSC::Option::int32Val):
2970         (JSC::Option::optionRangeVal):
2971         (JSC::Option::optionStringVal):
2972         (JSC::Option::gcLogLevelVal):
2973         (JSC::OptionRange::operator= ): Deleted.
2974         (JSC::OptionRange::rangeString const): Deleted.
2975         * runtime/OptionsList.h: Added.
2976         (JSC::countNumberOfJSCOptions):
2977         * runtime/VM.cpp:
2978         (JSC::VM::VM):
2979         * tools/FunctionOverrides.cpp:
2980         (JSC::FunctionOverrides::FunctionOverrides):
2981         (JSC::FunctionOverrides::reinstallOverrides):
2982         (JSC::FunctionOverrides::initializeOverrideFor):
2983         (JSC::FunctionOverrides::parseOverridesInFile):
2984         * tools/JSDollarVM.cpp:
2985         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
2986         (JSC::JSDollarVMCallFrame::createStructure):
2987         (JSC::JSDollarVMCallFrame::create):
2988         (JSC::JSDollarVMCallFrame::finishCreation):
2989         (JSC::JSDollarVMCallFrame::addProperty):
2990         (JSC::Element::Element):
2991         (JSC::Element::create):
2992         (JSC::Element::createStructure):
2993         (JSC::Root::Root):
2994         (JSC::Root::create):
2995         (JSC::Root::createStructure):
2996         (JSC::SimpleObject::SimpleObject):
2997         (JSC::SimpleObject::create):
2998         (JSC::SimpleObject::createStructure):
2999         (JSC::ImpureGetter::ImpureGetter):
3000         (JSC::ImpureGetter::createStructure):
3001         (JSC::ImpureGetter::create):
3002         (JSC::ImpureGetter::finishCreation):
3003         (JSC::ImpureGetter::getOwnPropertySlot):
3004         (JSC::CustomGetter::CustomGetter):
3005         (JSC::CustomGetter::createStructure):
3006         (JSC::CustomGetter::create):
3007         (JSC::CustomGetter::getOwnPropertySlot):
3008         (JSC::CustomGetter::customGetter):
3009         (JSC::CustomGetter::customGetterAcessor):
3010         (JSC::RuntimeArray::create):
3011         (JSC::RuntimeArray::destroy):
3012         (JSC::RuntimeArray::getOwnPropertySlot):
3013         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
3014         (JSC::RuntimeArray::createPrototype):
3015         (JSC::RuntimeArray::createStructure):
3016         (JSC::RuntimeArray::finishCreation):
3017         (JSC::RuntimeArray::RuntimeArray):
3018         (JSC::RuntimeArray::lengthGetter):
3019         (JSC::DOMJITNode::DOMJITNode):
3020         (JSC::DOMJITNode::createStructure):
3021         (JSC::DOMJITNode::checkSubClassSnippet):
3022         (JSC::DOMJITNode::create):
3023         (JSC::DOMJITGetter::DOMJITGetter):
3024         (JSC::DOMJITGetter::createStructure):
3025         (JSC::DOMJITGetter::create):
3026         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3027         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3028         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3029         (JSC::DOMJITGetter::customGetter):
3030         (JSC::DOMJITGetter::finishCreation):
3031         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
3032         (JSC::DOMJITGetterComplex::createStructure):
3033         (JSC::DOMJITGetterComplex::create):
3034         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3035         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3036         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3037         (JSC::DOMJITGetterComplex::functionEnableException):
3038         (JSC::DOMJITGetterComplex::customGetter):
3039         (JSC::DOMJITGetterComplex::finishCreation):
3040         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
3041         (JSC::DOMJITFunctionObject::createStructure):
3042         (JSC::DOMJITFunctionObject::create):
3043         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
3044         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
3045         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
3046         (JSC::DOMJITFunctionObject::finishCreation):
3047         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3048         (JSC::DOMJITCheckSubClassObject::createStructure):
3049         (JSC::DOMJITCheckSubClassObject::create):
3050         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
3051         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
3052         (JSC::DOMJITCheckSubClassObject::finishCreation):
3053         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
3054         (JSC::DOMJITGetterBaseJSObject::createStructure):
3055         (JSC::DOMJITGetterBaseJSObject::create):
3056         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
3057         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3058         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
3059         (JSC::DOMJITGetterBaseJSObject::customGetter):
3060         (JSC::DOMJITGetterBaseJSObject::finishCreation):
3061         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
3062         (JSC::JSTestCustomGetterSetter::create):
3063         (JSC::JSTestCustomGetterSetter::createStructure):
3064         (JSC::customSetAccessor):
3065         (JSC::customSetValue):
3066         (JSC::JSTestCustomGetterSetter::finishCreation):
3067         (JSC::Element::handleOwner):
3068         (JSC::Element::finishCreation):
3069         (JSC::WasmStreamingParser::WasmStreamingParser):
3070         (JSC::WasmStreamingParser::create):
3071         (JSC::WasmStreamingParser::createStructure):
3072         (JSC::WasmStreamingParser::finishCreation):
3073         (JSC::functionWasmStreamingParserAddBytes):
3074         (JSC::functionWasmStreamingParserFinalize):
3075         (JSC::functionCrash):
3076         (JSC::functionBreakpoint):
3077         (JSC::functionDFGTrue):
3078         (JSC::functionFTLTrue):
3079         (JSC::functionCpuMfence):
3080         (JSC::functionCpuRdtsc):
3081         (JSC::functionCpuCpuid):
3082         (JSC::functionCpuPause):
3083         (JSC::functionCpuClflush):
3084         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3085         (JSC::getExecutableForFunction):
3086         (JSC::functionLLintTrue):
3087         (JSC::functionJITTrue):
3088         (JSC::functionNoInline):
3089         (JSC::functionGC):
3090         (JSC::functionEdenGC):
3091         (JSC::functionDumpSubspaceHashes):
3092         (JSC::functionCallFrame):
3093         (JSC::functionCodeBlockForFrame):
3094         (JSC::codeBlockFromArg):
3095         (JSC::functionCodeBlockFor):
3096         (JSC::functionDumpSourceFor):
3097         (JSC::functionDumpBytecodeFor):
3098         (JSC::doPrint):
3099         (JSC::functionDataLog):
3100         (JSC::functionPrint):
3101         (JSC::functionDumpCallFrame):
3102         (JSC::functionDumpStack):
3103         (JSC::functionDumpRegisters):
3104         (JSC::functionDumpCell):
3105         (JSC::functionIndexingMode):
3106         (JSC::functionInlineCapacity):
3107         (JSC::functionValue):
3108         (JSC::functionGetPID):
3109         (JSC::functionHaveABadTime):
3110         (JSC::functionIsHavingABadTime):
3111         (JSC::functionCreateGlobalObject):
3112         (JSC::functionCreateProxy):
3113         (JSC::functionCreateRuntimeArray):
3114         (JSC::functionCreateNullRopeString):
3115         (JSC::functionCreateImpureGetter):
3116         (JSC::functionCreateCustomGetterObject):
3117         (JSC::functionCreateDOMJITNodeObject):
3118         (JSC::functionCreateDOMJITGetterObject):
3119         (JSC::functionCreateDOMJITGetterComplexObject):
3120         (JSC::functionCreateDOMJITFunctionObject):
3121         (JSC::functionCreateDOMJITCheckSubClassObject):
3122         (JSC::functionCreateDOMJITGetterBaseJSObject):
3123         (JSC::functionCreateWasmStreamingParser):
3124         (JSC::functionSetImpureGetterDelegate):
3125         (JSC::functionCreateBuiltin):
3126         (JSC::functionGetPrivateProperty):
3127         (JSC::functionCreateRoot):
3128         (JSC::functionCreateElement):
3129         (JSC::functionGetElement):
3130         (JSC::functionCreateSimpleObject):
3131         (JSC::functionGetHiddenValue):
3132         (JSC::functionSetHiddenValue):
3133         (JSC::functionShadowChickenFunctionsOnStack):
3134         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
3135         (JSC::functionFindTypeForExpression):
3136         (JSC::functionReturnTypeFor):
3137         (JSC::functionFlattenDictionaryObject):
3138         (JSC::functionDumpBasicBlockExecutionRanges):
3139         (JSC::functionHasBasicBlockExecuted):
3140         (JSC::functionBasicBlockExecutionCount):
3141         (JSC::functionEnableExceptionFuzz):
3142         (JSC::changeDebuggerModeWhenIdle):
3143         (JSC::functionEnableDebuggerModeWhenIdle):
3144         (JSC::functionDisableDebuggerModeWhenIdle):
3145         (JSC::functionDeleteAllCodeWhenIdle):
3146         (JSC::functionGlobalObjectCount):
3147         (JSC::functionGlobalObjectForObject):
3148         (JSC::functionGetGetterSetter):
3149         (JSC::functionLoadGetterFromGetterSetter):
3150         (JSC::functionCreateCustomTestGetterSetter):
3151         (JSC::functionDeltaBetweenButterflies):
3152         (JSC::functionTotalGCTime):
3153         (JSC::functionParseCount):
3154         (JSC::functionIsWasmSupported):
3155         (JSC::JSDollarVM::finishCreation):
3156         (JSC::JSDollarVM::addFunction):
3157         (JSC::JSDollarVM::addConstructibleFunction):
3158         * tools/JSDollarVM.h:
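
        A minimal illustration of the freeze-then-refuse pattern described in items 1, 2 and 8 above,
        added here as example code rather than JavaScriptCore's own implementation. The names Config,
        permanentlyFreeze and useDollarVM mirror the entry, but the struct layout, the 16 KiB alignment
        (chosen so one mprotect() covers the struct on both 4 KiB and 16 KiB page systems) and the
        fork-based "does a write still fault?" check are assumptions of this example, not JSC code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <csignal>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

// Example stand-in for JSC::Config (not JavaScriptCore's code): every global the
// engine must trust after startup lives in one page-aligned struct so that a single
// mprotect(PROT_READ) can make all of it immutable before any script runs.
constexpr size_t kConfigAlignment = 16384; // assumption: covers 4K and 16K pages

struct alignas(kConfigAlignment) Config {
    bool isPermanentlyFrozen;
    bool disabledFreezingForTesting;
    // Runtime options an attacker with a write primitive would want to flip.
    bool useDollarVM;
    bool useJIT;
    uint32_t maxInlineDepth;
};

// sizeof(Config) is rounded up to its alignment, so the struct occupies its own
// page range and nothing else shares the pages we protect.
static Config g_config = { false, false, false, true, 5 };

// Test harnesses opt out before the first VM exists (cf. Config::configureForTesting()).
static void disableFreezingForTesting() {
    g_config.disabledFreezingForTesting = true;
}

// Options may only change before the first VM has finished constructing.
// Returns false instead of writing once the config is frozen (JSC RELEASE_ASSERTs).
static bool setUseDollarVM(bool value) {
    if (g_config.isPermanentlyFrozen)
        return false;
    g_config.useDollarVM = value;
    return true;
}

// Called at the end of VM construction. After this, the hardware enforces the
// invariant: any store into the config, from any code, faults.
static bool permanentlyFreeze() {
    if (g_config.disabledFreezingForTesting || g_config.isPermanentlyFrozen)
        return true;
    g_config.isPermanentlyFrozen = true;
    // mprotect() requires a page-aligned start; alignas() guarantees it.
    return mprotect(&g_config, sizeof(g_config), PROT_READ) == 0;
}

// Demonstrates the hardening: attempt a raw write into the frozen config from a
// forked child, and report whether the child died of SIGSEGV (SIGBUS on some OSes).
static bool writeAfterFreezeFaults() {
    pid_t pid = fork();
    if (pid < 0)
        return false;
    if (pid == 0) {
        volatile bool* p = &g_config.useDollarVM;
        *p = true;  // must fault once the page is read-only
        _exit(0);   // reached only if the config is still writable
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return false;
    return WIFSIGNALED(status) && (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS);
}

int main() {
    // Before any VM exists, options are settable.
    std::printf("set before freeze: %s\n", setUseDollarVM(true) ? "ok" : "refused");
    std::printf("freeze: %s\n", permanentlyFreeze() ? "ok" : "failed");
    // After the freeze, the software check refuses...
    std::printf("set after freeze: %s\n", setUseDollarVM(false) ? "ok" : "refused");
    // ...and a raw store that bypasses the check faults.
    std::printf("raw write faults: %s\n", writeAfterFreezeFaults() ? "yes" : "no");
    return 0;
}
```

        The order matters: the freeze must happen after every legitimate mutation (option parsing,
        ExecutableAllocator setup) but before the first script can execute, which is why the entry ties it
        to the end of the VM constructor. Anything that still needs to flip options at runtime, as testapi
        does, has to call the opt-out before that point; after it, the only way to change an option is a
        process restart.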
3159
3160 2019-09-11  Devin Rousso  <drousso@apple.com>
3161
3162         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
3163         https://bugs.webkit.org/show_bug.cgi?id=201650
3164
3165         Reviewed by Joseph Pecoraro.
3166
3167         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
3168
3169         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
3170         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
3171         `-webkit-canvas` client of a `WebGPUDevice`.
3172
3173         * inspector/protocol/Canvas.json:
3174          - Add `powerPreference` key to `ContextAttributes` type.
3175          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
3176          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
3177          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
3178            really a "canvas".
3179
3180 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
3181
3182         [JSC] Add StringCodePointAt intrinsic
3183         https://bugs.webkit.org/show_bug.cgi?id=201673
3184
3185         Reviewed by Michael Saboff.
3186
3187         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL as we do for String#charCodeAt.
3188         This patch adds this support for String#codePointAt to get a ~10% score improvement in JetStream2/UniPoker.
3189
3190         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as a StringCodePointAt node, and emit
3191         inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as StringCharAt. It has String array-mode, so it emits
3192         a preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
3193         check. This is just the same as the existing StringCharCodeAt mechanism.
3194
3195         * dfg/DFGAbstractInterpreterInlines.h:
3196         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3197         * dfg/DFGBackwardsPropagationPhase.cpp:
3198         (JSC::DFG::BackwardsPropagationPhase::propagate):
3199         * dfg/DFGByteCodeParser.cpp:
3200         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3201         * dfg/DFGClobberize.h:
3202         (JSC::DFG::clobberize):
3203         * dfg/DFGDoesGC.cpp:
3204         (JSC::DFG::doesGC):
3205         * dfg/DFGFixupPhase.cpp:
3206         (JSC::DFG::FixupPhase::fixupNode):
3207         * dfg/DFGNode.h:
3208         (JSC::DFG::Node::hasArrayMode):
3209         * dfg/DFGNodeType.h:
3210         * dfg/DFGPredictionPropagationPhase.cpp:
3211         * dfg/DFGSafeToExecute.h:
3212         (JSC::DFG::safeToExecute):
3213         * dfg/DFGSpeculativeJIT.h:
3214         * dfg/DFGSpeculativeJIT32_64.cpp:
3215         (JSC::DFG::SpeculativeJIT::compile):
3216         * dfg/DFGSpeculativeJIT64.cpp:
3217         (JSC::DFG::SpeculativeJIT::compile):
3218         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
3219         * ftl/FTLCapabilities.cpp:
3220         (JSC::FTL::canCompile):
3221         * ftl/FTLLowerDFGToB3.cpp:
3222         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3223         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
3224         * jit/JITInlines.h:
3225         (JSC::JIT::emitLoadCharacterString):
3226         * jit/ThunkGenerators.cpp:
3227         (JSC::stringGetByValGenerator):
3228         (JSC::stringCharLoad):
3229         (JSC::stringPrototypeCodePointAtThunkGenerator):
3230         * jit/ThunkGenerators.h:
3231         * runtime/Intrinsic.cpp:
3232         (JSC::intrinsicName):
3233         * runtime/Intrinsic.h:
3234         * runtime/StringPrototype.cpp:
3235         (JSC::StringPrototype::finishCreation):
3236         * runtime/VM.cpp:
3237         (JSC::thunkGeneratorForIntrinsic):
3238
3239 2019-09-11  Michael Saboff  <msaboff@apple.com>
3240
3241         JSC crashes due to stack overflow while building RegExp
3242         https://bugs.webkit.org/show_bug.cgi?id=201649
3243
3244         Reviewed by Yusuke Suzuki.
3245
3246         Check for running out of stack when we are optimizing RegExp containing BOL terms or
3247         other deep copying of disjunctions.
3248
3249         * yarr/YarrPattern.cpp:
3250         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
3251         (JSC::Yarr::YarrPatternConstructor::copyTerm):
3252         (JSC::Yarr::YarrPatternConstructor::error):
3253         (JSC::Yarr::YarrPattern::compile):
3254
3255 2019-09-11  Truitt Savell  <tsavell@apple.com>
3256
3257         Unreviewed, rolling out r249753.
3258
3259         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
3260         crash on all Mac platforms.
3261
3262         Reverted changeset:
3263
3264         "Web Inspector: Canvas: instrument WebGPUDevice instead of
3265         GPUCanvasContext"
3266         https://bugs.webkit.org/show_bug.cgi?id=201650
3267         https://trac.webkit.org/changeset/249753
3268
3269 2019-09-10  Devin Rousso  <drousso@apple.com>
3270
3271         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
3272         https://bugs.webkit.org/show_bug.cgi?id=201650
3273
3274         Reviewed by Joseph Pecoraro.
3275
3276         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
3277
3278         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
3279         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
3280         `-webkit-canvas` client of a `WebGPUDevice`.
3281
3282         * inspector/protocol/Canvas.json:
3283          - Add `powerPreference` key to `ContextAttributes` type.
3284          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
3285          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
3286          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
3287            really a "canvas".
3288
3289 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
3290
        [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3
3292         https://bugs.webkit.org/show_bug.cgi?id=201634
3293
3294         Reviewed by Mark Lam and Robin Morisset.
3295
3296         This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction.
3297
3298         1. 32bit bitwise operation with allOne constants
3299
            Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
3301             For example, in BitAnd strength reduction,
3302
3303                 1034             // Turn this: BitAnd(value, all-ones)
3304                 1035             // Into this: value.
3305                 1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
3306                 1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
3307                 1038                 replaceWithIdentity(m_value->child(0));
3308                 1039                 break;
3309                 1040             }
3310
3311             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
3312
                inline bool Value::isInt(int64_t value) const
                {
                    return hasInt() && asInt() == value;
                }
3317
            So, UINT32_MAX is widened to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
3319
                inline int64_t Value::asInt() const
                {
                    return hasInt32() ? asInt32() : asInt64();
                }
3324
3325             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
            We should use `isInt32` and `isInt64` for bit patterns (e.g. operands of bitwise opcodes).
3327
3328         2. BitAnd and BitOr strength reduction bug
3329
3330             We also fix the following optimization.
3331
3332                 // Turn this: BitAnd(Op(value, constant1), constant2)
3333                 //     where !(constant1 & constant2)
3334                 //       and Op is BitOr or BitXor
3335                 // into this: BitAnd(value, constant2)
3336
3337             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
3338
3339                 // Turn this: BitAnd(BitXor(x, allOnes), c)
3340                 // Into this: BitXor(BitOr(x, ~c), allOnes)
3341
            We also found that this unused optimization has a bug: it does not insert the newly produced constant B3::Value. This patch also fixes it.
3343
        For both, this patch adds tests. The fix for (2) can be verified by checking that testb3 does not crash with the validate-graph option.
3345
3346         * b3/B3LowerToAir.cpp:
3347         * b3/B3ReduceStrength.cpp:
3348         * b3/testb3.h:
3349         * b3/testb3_2.cpp:
3350         (testBitAndNotNot32):
3351         (testBitAndNotImm):
3352         (testBitAndNotImm32):
3353         (testBitOrAndAndArgs32):
3354         (testBitOrAndSameArgs32):
3355         (testBitOrNotNot32):
3356         (testBitOrNotImm32):
3357         (addBitTests):
3358         * b3/testb3_3.cpp:
3359         (testBitXorAndAndArgs32):
3360         (testBitXorAndSameArgs32):
3361
3362 2019-09-10  Commit Queue  <commit-queue@webkit.org>
3363
3364         Unreviewed, rolling out r249721.
3365         https://bugs.webkit.org/show_bug.cgi?id=201667
3366
3367         Discovering existing bug (Requested by yusukesuzuki on
3368         #webkit).
3369
3370         Reverted changeset:
3371
        "[JSC] 32bit bitwise operation with all-one (-1) is wrong in
        B3"
3374         https://bugs.webkit.org/show_bug.cgi?id=201634
3375         https://trac.webkit.org/changeset/249721
3376
3377 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
3378
3379         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
3380         https://bugs.webkit.org/show_bug.cgi?id=201664
3381         <rdar://problem/52126927>
3382
3383         Reviewed by Tadeu Zagallo.
3384
        We are hitting a crash accessing an invalid pointer returned as the CodeBlock::calleeSaveRegisters result.
        This is because the concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
        Since m_jitData can be initialized in the main thread while CodeBlock::calleeSaveRegisters is called from the concurrent Baseline JIT compiler thread,
        we can see a half-baked JITData structure which holds garbage pointers.
3389
        But we do not want to make CodeBlock::calleeSaveRegisters() take CodeBlock::m_lock, for several reasons.
3391
        1. This function is a very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
           called while taking this exact same lock, so a deadlock can happen.
        2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlocks, and DFG and FTL code accesses this field after initializing it properly. For the Baseline JIT
           compiler case, the only thing we need is that JITData says m_calleeSaveRegisters is nullptr; it won't be filled for this CodeBlock.
3396
3397         Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
3398         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread.
3399
3400         * bytecode/CodeBlock.cpp:
3401         (JSC::CodeBlock::ensureJITDataSlow):
3402
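        Added example of the publication pattern the entry above describes (not JSC's CodeBlock; `JITData`, `RegisterAtOffsetList`, `ensureJITDataSlow` and the other names are assumptions modelled on the entry): the side table is fully initialized, a release fence is issued, and only then is the pointer stored, so a lock-free reader either sees no JITData at all or a JITData whose m_calleeSaveRegisters is already nullptr.

```cpp
#include <atomic>
#include <cstdio>
#include <vector>

// Stand-ins for the structures named in the entry (assumption: names and fields are
// illustrative, not JSC's declarations).
struct RegisterAtOffsetList {
    std::vector<int> offsets;
};

struct JITData {
    // Baseline code blocks never fill this. The invariant the entry relies on is that a
    // concurrent reader either sees no JITData, or one where this is already nullptr.
    const RegisterAtOffsetList* m_calleeSaveRegisters { nullptr };
    std::vector<int> m_rareCaseProfiles;
};

class CodeBlock {
public:
    ~CodeBlock() { delete m_jitData.load(std::memory_order_relaxed); }

    // Main-thread slow path (the entry's ensureJITDataSlow). Callers are expected to hold
    // the CodeBlock's lock so that only one thread ever creates the JITData.
    JITData* ensureJITDataSlow()
    {
        JITData* data = new JITData;
        data->m_rareCaseProfiles.reserve(8);
        // Analogue of WTF::storeStoreFence(): every store above, including the nullptr
        // written by JITData's constructor, becomes visible before the pointer store
        // below. Without it the pointer may be published first, and a concurrent
        // calleeSaveRegisters() can read an uninitialized m_calleeSaveRegisters.
        std::atomic_thread_fence(std::memory_order_release);
        m_jitData.store(data, std::memory_order_relaxed);
        return data;
    }

    JITData* ensureJITData()
    {
        if (JITData* data = m_jitData.load(std::memory_order_acquire))
            return data;
        return ensureJITDataSlow();
    }

    // Lock-free reader, as called from the concurrent Baseline JIT thread. The acquire
    // load pairs with the release fence in the writer (assumption: an explicit acquire
    // is used here for portability; the entry does not describe the reader's ordering).
    const RegisterAtOffsetList* calleeSaveRegisters() const
    {
        if (JITData* data = m_jitData.load(std::memory_order_acquire))
            return data->m_calleeSaveRegisters;
        return nullptr;
    }

    // DFG/FTL fill this after compilation, on the thread that owns the CodeBlock.
    void setCalleeSaveRegisters(const RegisterAtOffsetList* list)
    {
        ensureJITData()->m_calleeSaveRegisters = list;
    }

private:
    std::atomic<JITData*> m_jitData { nullptr };
};

int main()
{
    CodeBlock block;
    std::printf("before ensureJITData: %p\n", static_cast<const void*>(block.calleeSaveRegisters()));
    block.ensureJITData();
    std::printf("after ensureJITData:  %p\n", static_cast<const void*>(block.calleeSaveRegisters()));
    return 0;
}
```

        A single-threaded run cannot show the race; the point is the ordering contract: the fence sits between the last field store and the pointer store, and the reader dereferences the pointer only after the acquire load that observed it.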
3403 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
3404
3405         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
3406         https://bugs.webkit.org/show_bug.cgi?id=198253
3407
3408         Reviewed by Mark Lam.
3409
        The ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32.
        When it is specified, TypeMaybeNumber must exist too. This issue makes op_div in JetStream2/async-fs compile to the slow path. Eventually the DFG first mis-compiles
        it as an Int32 ArithDiv while that div always produces a double, and an unnecessary OSR exit happens.
3413
3414         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
3415
3416         * parser/ResultType.h:
3417         (JSC::ResultType::bigIntOrInt32Type):
3418
3419 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
3420
        [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3
3422         https://bugs.webkit.org/show_bug.cgi?id=201634
3423
3424         Reviewed by Mark Lam.
3425
3426         Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
3427         For example, in BitAnd strength reduction,
3428
3429             1034             // Turn this: BitAnd(value, all-ones)
3430             1035             // Into this: value.
3431             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
3432             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
3433             1038                 replaceWithIdentity(m_value->child(0));
3434             1039                 break;
3435             1040             }
3436
3437         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
3438
3439             262 inline bool Value::isInt(int64_t value) const
3440             263 {
3441             264     return hasInt() && asInt() == value;
3442             265 }
3443
3444         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,
3445
3446             257 inline int64_t Value::asInt() const
3447             258 {
3448             259     return hasInt32() ? asInt32() : asInt64();
3449             260 }
3450
3451         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
        We should use `isInt32` and `isInt64` for bit patterns (e.g. operands of bitwise opcodes).
3453
3454         We also fix the following optimization.
3455
3456             // Turn this: BitAnd(Op(value, constant1), constant2)
3457             //     where !(constant1 & constant2)
3458             //       and Op is BitOr or BitXor
3459             // into this: BitAnd(value, constant2)
3460
3461         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
3462
3463             // Turn this: BitAnd(BitXor(x, allOnes), c)
3464             // Into this: BitXor(BitOr(x, ~c), allOnes)
3465
3466         We add 32bit version of B3 tests for these optimizations.
3467
3468         * b3/B3LowerToAir.cpp:
3469         * b3/B3ReduceStrength.cpp:
3470         * b3/testb3.h:
3471         * b3/testb3_2.cpp:
3472         (testBitAndNotNot32):
3473         (testBitAndNotImm):
3474         (testBitAndNotImm32):
3475         (testBitOrAndAndArgs32):
3476         (testBitOrAndSameArgs32):
3477         (testBitOrNotNot32):
3478         (testBitOrNotImm32):
3479         (addBitTests):
3480         * b3/testb3_3.cpp:
3481         (testBitXorAndAndArgs32):
3482         (testBitXorAndSameArgs32):
3483
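        The following is an added example, not code from JavaScriptCore, illustrating the `isInt` pitfall described in the two bug 201634 entries above (r249721 and the re-landed fix). `ConstValue`, `constInt32`, `constInt64`, `isAllOnesBuggy`, `isAllOnesFixed` and `bitAndNotRewriteHolds32` are names assumed for the illustration; the accessor shapes follow the excerpt quoted in the entries, and the last function checks the BitAnd/BitXor rewrite the entries mention on concrete 32-bit inputs.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Minimal stand-in for the B3::Value constant accessors quoted in the entry
// (assumption: shaped after the excerpt, not JSC's real class). An Int32
// constant stores its value sign-extended, exactly as ConstInt32(-1) does.
struct ConstValue {
    enum Type { Int32, Int64 };
    Type type;
    int64_t bits;

    bool hasInt32() const { return type == Int32; }
    bool hasInt64() const { return type == Int64; }
    bool hasInt() const { return hasInt32() || hasInt64(); }
    int32_t asInt32() const { return static_cast<int32_t>(bits); }
    int64_t asInt64() const { return bits; }

    // Same shape as Value::asInt / Value::isInt in the excerpt: the int32 is widened
    // to int64_t before comparing, so -1 becomes 0xFFFFFFFFFFFFFFFF, not 0xFFFFFFFF.
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }
    bool isInt(int64_t value) const { return hasInt() && asInt() == value; }

    // Width-specific comparisons: these compare the bit pattern at the operand's width.
    bool isInt32(int32_t value) const { return hasInt32() && asInt32() == value; }
    bool isInt64(int64_t value) const { return hasInt64() && asInt64() == value; }
};

ConstValue constInt32(int32_t v) { return { ConstValue::Int32, static_cast<int64_t>(v) }; }
ConstValue constInt64(int64_t v) { return { ConstValue::Int64, v }; }

// The all-ones test as written in the excerpt. For Int32 it asks "is the
// sign-extended value equal to 4294967295?", which is never true for -1.
// (The uint64_t max is cast explicitly; the excerpt relies on the implicit conversion.)
bool isAllOnesBuggy(const ConstValue& c)
{
    return (c.type == ConstValue::Int64 && c.isInt(static_cast<int64_t>(std::numeric_limits<uint64_t>::max())))
        || (c.type == ConstValue::Int32 && c.isInt(std::numeric_limits<uint32_t>::max()));
}

// The fix the entry describes: compare bit patterns with isInt32 / isInt64.
// All-ones at 32 bits is the int32 -1; all-ones at 64 bits is the int64 -1.
bool isAllOnesFixed(const ConstValue& c)
{
    return (c.type == ConstValue::Int64 && c.isInt64(-1))
        || (c.type == ConstValue::Int32 && c.isInt32(-1));
}

// The rewrite the entry says was shadowed by the early `hasInt()` match:
//   BitAnd(BitXor(x, allOnes), c)  ==>  BitXor(BitOr(x, ~c), allOnes)
// Evaluated at 32 bits on concrete inputs to confirm the identity itself is sound
// (~x & c == ~(x | ~c) by De Morgan).
bool bitAndNotRewriteHolds32(uint32_t x, uint32_t c)
{
    uint32_t before = (x ^ 0xFFFFFFFFu) & c;
    uint32_t after = (x | ~c) ^ 0xFFFFFFFFu;
    return before == after;
}

int main()
{
    ConstValue minusOne32 = constInt32(-1);
    std::printf("ConstInt32(-1): asInt()=%lld buggy=%d fixed=%d\n",
                static_cast<long long>(minusOne32.asInt()),
                isAllOnesBuggy(minusOne32), isAllOnesFixed(minusOne32));
    return 0;
}
```

        The same mistake appears whenever a mixed-width constant is widened before a mask comparison; the rule the entry states, compare bit patterns at the operand's own width, is the general fix.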
3484 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
3485
3486         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
3487         https://bugs.webkit.org/show_bug.cgi?id=189043
3488
3489         Reviewed by Keith Miller.
3490
        This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan
        and removes Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
        using Wasm::StreamingParser.

        Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will
        create a mechanism to pipe chunks of data to the streaming parser to enable WebAssembly.compileStreaming
        and instantiateStreaming.
3497         and instantiateStreaming.
3498
3499         * JavaScriptCore.xcodeproj/project.pbxproj:
3500         * Sources.txt:
3501         * tools/JSDollarVM.cpp:
3502         (JSC::WasmStreamingParser::WasmStreamingParser):
3503         * wasm/WasmAirIRGenerator.cpp:
3504         (JSC::Wasm::parseAndCompileAir):
3505         * wasm/WasmAirIRGenerator.h:
3506         * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile): Use FunctionData; it is better since it is more strongly typed.
3508         * wasm/WasmB3IRGenerator.h:
3509         * wasm/WasmBBQPlan.cpp:
3510         (JSC::Wasm::BBQPlan::BBQPlan):
3511         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
3512         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
3513         (JSC::Wasm::BBQPlan::compileFunctions):
3514         (JSC::Wasm::BBQPlan::complete):
3515         * wasm/WasmBBQPlan.h:
3516         * wasm/WasmModuleParser.cpp: Removed.
3517         * wasm/WasmModuleParser.h: Removed.
3518         * wasm/WasmOMGForOSREntryPlan.cpp:
3519         (JSC::Wasm::OMGForOSREntryPlan::work):
3520         * wasm/WasmOMGPlan.cpp:
3521         (JSC::Wasm::OMGPlan::work):
3522         * wasm/WasmPlan.cpp:
3523         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
3524         * wasm/WasmSectionParser.cpp:
3525         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
3526         * wasm/WasmStreamingParser.cpp:
3527         (JSC::Wasm::StreamingParser::StreamingParser):
3528         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
3529         (JSC::Wasm::StreamingParser::parseFunctionPayload):
3530         (JSC::Wasm::StreamingParser::parseSectionPayload):
3531         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
3532         * wasm/WasmStreamingParser.h:
3533         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
3534         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
        (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
        which has 3 callbacks right now. StreamingParser gets this client and calls these callbacks
        at appropriate timings.
3538         * wasm/WasmValidate.cpp:
3539         (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h: Use FunctionData; it is better since it is more strongly typed.
3541
3542 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
3543
3544         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
3545         https://bugs.webkit.org/show_bug.cgi?id=201622
3546
3547         Reviewed by Mark Lam.
3548
        CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, but some of the places that reallocate
        this Vector do so without taking a lock. If the Vector's memory is reallocated while the concurrent collector is iterating it,
        the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
3552
3553         * bytecode/CodeBlock.cpp:
3554         (JSC::CodeBlock::finishCreation):
3555         (JSC::CodeBlock::setConstantRegisters):
3556         * bytecode/CodeBlock.h:
3557         (JSC::CodeBlock::addConstant):
3558         (JSC::CodeBlock::addConstantLazily):
3559         * dfg/DFGDesiredWatchpoints.cpp:
3560         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
3561         (JSC::DFG::SymbolTableAdaptor::add):
3562         (JSC::DFG::FunctionExecutableAdaptor::add):
3563         * dfg/DFGGraph.cpp:
3564         (JSC::DFG::Graph::registerFrozenValues):
3565         * dfg/DFGJITFinalizer.cpp:
3566         (JSC::DFG::JITFinalizer::finalizeCommon):
3567         * dfg/DFGLazyJSValue.cpp:
3568         (JSC::DFG::LazyJSValue::emit const):
3569
3570 2019-09-09  Robin Morisset  <rmorisset@apple.com>
3571
3572         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
3573         https://bugs.webkit.org/show_bug.cgi?id=197305
3574
3575         Reviewed by Keith Miller.
3576
3577         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
3578         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
3579
3580         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
3581         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
3582
3583         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
3584         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
3585
3586         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
3587
3588         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
3589
3590 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
3591
3592         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
3593         https://bugs.webkit.org/show_bug.cgi?id=201613
3594
3595         Reviewed by Mark Lam.
3596
3597         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
3598         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
        issue that `op_create_promise` missed propertyAccessInstructions registration (the name "propertyAccessInstructions" is
        misleading; it is more like "instructions-requiring-llint-finalize").
3601
3602         * bytecode/CodeBlock.cpp:
3603         (JSC::CodeBlock::propagateTransitions):
3604         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3605         * bytecode/UnlinkedCodeBlock.cpp:
3606         (JSC::UnlinkedCodeBlock::applyModification):
3607         (JSC::UnlinkedCodeBlock::shrinkToFit):
3608         * bytecode/UnlinkedCodeBlock.h:
3609         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
3610         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
3611         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
3612         * bytecompiler/BytecodeGenerator.cpp:
3613         (JSC::BytecodeGenerator::emitResolveScope):
3614         (JSC::BytecodeGenerator::emitGetFromScope):
3615         (JSC::BytecodeGenerator::emitPutToScope):
3616         (JSC::BytecodeGenerator::emitGetById):
3617         (JSC::BytecodeGenerator::emitDirectGetById):
3618         (JSC::BytecodeGenerator::emitPutById):
3619         (JSC::BytecodeGenerator::emitDirectPutById):
3620         (JSC::BytecodeGenerator::emitCreateThis):
3621         (JSC::BytecodeGenerator::emitToThis):
3622         * runtime/CachedTypes.cpp:
3623         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
3624         (JSC::CachedCodeBlock<CodeBlockType>::encode):
3625
3626 2019-09-07  Keith Miller  <keith_miller@apple.com>
3627
3628         OSR entry into wasm misses some contexts
3629         https://bugs.webkit.org/show_bug.cgi?id=201569
3630
3631         Reviewed by Yusuke Suzuki.
3632
3633         This patch fixes an issue where we could fail to capture some of
3634         our contexts when OSR entering into wasm code. Before we would
3635         only capture the state of the block immediately surrounding the
3636         entrance loop block header. We actually need to capture all
3637         enclosed stacks.
3638
3639         Additionally, we don't need to use variables for all the captured
3640         values. We can use a Phi and insert an upsilon just below the
3641         captured value.
3642
3643         * interpreter/CallFrame.h:
3644         * jsc.cpp:
3645         (GlobalObject::finishCreation):
3646         (functionCallerIsOMGCompiled):
3647         * wasm/WasmAirIRGenerator.cpp:
3648         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3649         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
3650         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3651         (JSC::Wasm::AirIRGenerator::addLoop):
3652         * wasm/WasmB3IRGenerator.cpp:
3653         (JSC::Wasm::B3IRGenerator::createStack):
3654         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3655         (JSC::Wasm::B3IRGenerator::addConstant):
3656         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
3657         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
3658         (JSC::Wasm::B3IRGenerator::addLoop):
3659         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
3660         (JSC::Wasm::dumpExpressionStack):
3661         (JSC::Wasm::B3IRGenerator::dump):
3662         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
3663         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
3664         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
3665         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
3666         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
3667         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
3668         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
3669         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
3670         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
3671         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
3672         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
3673         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
3674         * wasm/WasmFunctionParser.h:
3675         (JSC::Wasm::FunctionParser::controlStack):
3676
3677 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
3678
3679         [JSC] Promise resolve/reject functions should be created more efficiently
3680         https://bugs.webkit.org/show_bug.cgi?id=201488
3681
3682         Reviewed by Mark Lam.
3683
        While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it forces FunctionRareData allocations.
        Unfortunately, anonymous builtin functions can be created frequently since this type of function is used
        for the `resolve` and `reject` arguments of a Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
        Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
3688
3689         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
3690         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
3691         anonymous-builtin-function creation faster.
3692
3693         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
3694         The simple microbenchmark shows 1.7x improvement.
3695
3696                                               ToT                     Patched
3697
3698             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
3699
3700         * dfg/DFGSpeculativeJIT.cpp:
3701         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3702         * ftl/FTLLowerDFGToB3.cpp:
3703         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3704         * runtime/FunctionRareData.cpp:
3705         (JSC::FunctionRareData::create):
3706         (JSC::FunctionRareData::FunctionRareData):
3707         * runtime/FunctionRareData.h:
3708         * runtime/JSFunction.cpp:
3709         (JSC::JSFunction::finishCreation):
3710         (JSC::JSFunction::allocateRareData):
3711         (JSC::JSFunction::allocateAndInitializeRareData):
3712         * runtime/JSFunctionInlines.h:
3713         (JSC::JSFunction::hasReifiedName const):
3714
3715 2019-09-07  Mark Lam  <mark.lam@apple.com>
3716
3717         performJITMemcpy() source buffer should not be in the Gigacage.
3718         https://bugs.webkit.org/show_bug.cgi?id=201577
3719         <rdar://problem/55142606>
3720
3721         Reviewed by Michael Saboff.
3722
3723         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
3724         buffer is not in the Gigacage.
3725
3726         * jit/ExecutableAllocator.h:
3727         (JSC::performJITMemcpy):
3728
3729 2019-09-07  Mark Lam  <mark.lam@apple.com>
3730
3731         The jsc shell should allow disabling of the Gigacage for testing purposes.
3732         https://bugs.webkit.org/show_bug.cgi?id=201579
3733
3734         Reviewed by Michael Saboff.
3735
3736         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
3737         this env var is present and it has a falsy value, then do not
3738         forbidDisablingPrimitiveGigacage() in the jsc shell.
3739
3740         * jsc.cpp:
3741         (jscmain):
3742
3743 2019-09-06  Mark Lam  <mark.lam@apple.com>
3744
3745         Harden protection of the Gigacage Config parameters.
3746         https://bugs.webkit.org/show_bug.cgi?id=201570
3747         <rdar://problem/55134229>
3748
3749         Reviewed by Saam Barati.
3750
3751         Just renaming some function names here.
3752
3753         * assembler/testmasm.cpp:
3754         (JSC::testCagePreservesPACFailureBit):
3755         * jit/AssemblyHelpers.h:
3756         (JSC::AssemblyHelpers::cageConditionally):
3757         * jsc.cpp:
3758         (jscmain):
3759
3760 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
3761
3762         Math.round() produces wrong result for value prior to 0.5
3763         https://bugs.webkit.org/show_bug.cgi?id=185115
3764
3765         Reviewed by Saam Barati.
3766
3767         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
3768         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
3769
3770         Specifically:
3771           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
            so taking the difference between `ceil(value)` and `value` is problematic.
3773           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
3774             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
3775
3776         * dfg/DFGSpeculativeJIT.cpp:
3777         (JSC::DFG::SpeculativeJIT::compileArithRounding):
3778         * ftl/FTLLowerDFGToB3.cpp:
3779         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3780         * jit/ThunkGenerators.cpp:
3781         (JSC::roundThunkGenerator):
3782         * runtime/MathCommon.cpp:
3783
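        Added example (not the patched MathCommon.cpp or any of the JIT tiers) showing why both `floor(x + 0.5)` and the `ceil(value) - value` approach described in the entry above go wrong on 0.49999999999999994, next to a corrected rounding routine. `roundNaive`, `roundCeilDiff` and `jsRoundFixed` are names assumed here; the corrected routine is my own formulation, not JSC's.

```cpp
#include <cmath>
#include <cstdio>

// Naive form: floor(x + 0.5). 0.49999999999999994 is 0.5 - 2^-54, so x + 0.5 is
// exactly halfway between 1 - 2^-53 and 1.0; round-to-nearest-even picks 1.0 and
// floor then returns 1 instead of 0.
double roundNaive(double x)
{
    return std::floor(x + 0.5);
}

// Form built on ceil(value) - value, as the entry describes: 1 - 0.49999999999999994
// is 0.5 + 2^-54, which is not representable and rounds to 0.5, so the "> 0.5" test
// fails and the function returns 1 instead of 0.
double roundCeilDiff(double x)
{
    double integer = std::ceil(x);
    return integer - (integer - x > 0.5);
}

// Corrected version (assumption: my own formulation). The fractional part is taken on
// the side where the subtraction is exact: x - floor(x) for x > 0 and ceil(x) - x for
// x < 0 (exact because the integer part is 0, or by Sterbenz's lemma otherwise).
// Halfway cases round toward +Infinity, which is why -2.5 gives -2 and -0.5 gives -0,
// as ECMAScript's Math.round requires.
double jsRoundFixed(double x)
{
    if (!std::isfinite(x) || x == 0.0)
        return x; // NaN, +/-Infinity and +/-0 are returned unchanged.
    if (x > 0) {
        double integer = std::floor(x);
        return (x - integer >= 0.5) ? integer + 1 : integer;
    }
    double integer = std::ceil(x); // -0.0 for -1 < x < 0, which preserves the sign of zero.
    return (integer - x > 0.5) ? integer - 1 : integer;
}

int main()
{
    const double tricky = 0.49999999999999994;
    std::printf("floor(x+0.5): %g  ceil-diff: %g  fixed: %g\n",
                roundNaive(tricky), roundCeilDiff(tricky), jsRoundFixed(tricky));
    return 0;
}
```

        The cases worth keeping in any test of a replacement: 0.49999999999999994 and its negation, the halfway values 0.5, 2.5, -0.5 and -2.5 (sign of zero included), and 4503599627370495.5, the largest double with a fractional half.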
3784 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3785
3786         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
3787         https://bugs.webkit.org/show_bug.cgi?id=201366
3788
3789         Reviewed by Saam Barati.
3790
3791         It is possible for the log buffer to be full right as someone is trying to
3792         log a function prologue. In such a case the machine stack has already been
3793         updated to include the new JavaScript call frame, but the prologue packet
3794         cannot be included in the update because the log is full. This would mean
3795         that the update fails to rationalize the machine stack with the shadow
3796         log / stack. Namely, the current JavaScript call frame is unable to
3797         find a matching prologue (the one we are holding to include after the update)
3798         and inserts a questionable value into the stack; and in the process
3799         missing and removing real potential tail calls.
3800
3801         For example:
3802         
3803             "use strict";
3804             function third() { return 1; }
3805             function second() { return third(); }
3806             function first() { return second(); }
3807             function start() { return first(); }
3808
        If the log fills up just as we are entering `second` then we may have a
        full log of packets looking like:
3811
3812           Shadow Log:
3813             ...
3814             { prologue-packet: entering `start` ... }
3815             { prologue-packet: entering `first` ... }
3816             { tail-packet: leaving `first` with a tail call }
3817
3818           Incoming Packet:
3819             { prologue-packet: entering `second` ... }
3820
3821           Current JS Stack:
3822             second
3823             start
3824
3825         Since the Current JavaScript stack already has `second`, if we process the
3826         log without the prologue for `second` then we push a confused entry on the
3827         shadow stack and clear the log such that we eventually lose the tail-call
3828         information for `first` to `second`.
3829
3830         This patch solves this issue by providing enough extra space in the log
3831         to always process the incoming packet when that forces an update. This way
3832         clients can continue to behave exactly as they are.
3833
3834         --
3835
3836         We also document a corner case in some circumstances where the shadow
3837         log may currently be insufficient to know how to reconcile:
3838         
3839         For example:
3840
3841             "use strict";