83fb7d707059af7c39d4ae19a2e6dbde5f9ca246
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>
2
3         %TypedArray%.prototype.toLocaleString must make conscious use of @toString
4         https://bugs.webkit.org/show_bug.cgi?id=216956
5
6         Reviewed by Yusuke Suzuki.
7
8         A fascinating bug: if we override Number.prototype.toLocaleString to return { valueOf() { ... } },
9         then we can observe our %TypedArray%.prototype.toLocaleString resolving its element values in the wrong order.
10
11         * builtins/TypedArrayPrototype.js:
12         (toLocaleString):
13         Wrap the toLocaleString call for each element in @toString(), as the spec indicates.
14
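The ordering the entry above describes, as an added example that is not WebKit code and not part of this ChangeLog: a probe that overrides Number.prototype.toLocaleString to return a hook object and records the order in which the engine calls the hooks. The hook is a null-prototype object with only valueOf, so ToString (hint "string") cannot use toString and falls through to valueOf, which is what makes the conversion observable. Per spec, each element's toLocaleString result is converted with ToString before the next element's toLocaleString is invoked, so the events must interleave. The function names and event labels are mine.

```javascript
// Added example, not WebKit code: observe the order in which
// %TypedArray%.prototype.toLocaleString calls user-controllable hooks.
// A spec-conformant engine applies ToString to element i's result before
// invoking toLocaleString on element i+1, so the events must interleave.
function observeToLocaleStringOrder(values) {
  const events = [];
  const original = Number.prototype.toLocaleString;
  Number.prototype.toLocaleString = function () {
    const n = Number(this); // `this` may be a boxed Number in sloppy mode
    events.push(`toLocaleString:${n}`);
    // A null-prototype object has no toString, so ToString (hint "string")
    // falls through to valueOf; that is what makes the conversion observable.
    const hook = Object.create(null);
    hook.valueOf = () => { events.push(`valueOf:${n}`); return `v${n}`; };
    return hook;
  };
  try {
    return { result: new Uint8Array(values).toLocaleString(), events };
  } finally {
    Number.prototype.toLocaleString = original; // never leave the hook installed
  }
}

// Spec order for [1, 2]: toLocaleString:1, valueOf:1, toLocaleString:2, valueOf:2.
// An engine that first collects every toLocaleString result and only then
// stringifies them would produce toLocaleString:1, toLocaleString:2, valueOf:1, valueOf:2.
function isSpecOrder(values) {
  const { events } = observeToLocaleStringOrder(values);
  const expected = values.flatMap((v) => [`toLocaleString:${v}`, `valueOf:${v}`]);
  return events.length === expected.length && events.every((e, i) => e === expected[i]);
}
```

Run under a conformant engine, isSpecOrder([1, 2, 3]) is true; the same probe against the pre-fix JSC builtin is how the wrong order becomes visible from script.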
15 2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>
16
17         %TypedArray%.prototype.sort must throw if comparator is defined and uncallable
18         https://bugs.webkit.org/show_bug.cgi?id=216952
19
20         Reviewed by Yusuke Suzuki.
21
22         * builtins/TypedArrayPrototype.js:
23         (sort):
24
25 2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>
26
27         %TypedArray% methods should perform TypedArraySpeciesCreate correctly
28         https://bugs.webkit.org/show_bug.cgi?id=216938
29
30         Reviewed by Yusuke Suzuki.
31
32         map, filter, and slice are obliged to throw when:
33         1. this.constructor is defined but not an object
34         2. the species constructor produces a valid typed array which is shorter than the expected length
35
36         * builtins/TypedArrayPrototype.js:
37         (map):
38         (filter):
39         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
40         (JSC::genericTypedArrayViewProtoFuncSlice):
41
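The two TypedArraySpeciesCreate failures listed above, as an added example that is not WebKit code: a subclass whose species constructor hands back a view one element shorter than requested (the classic shape of a length-confusion bug if an engine trusts the requested length), an instance whose own `constructor` property is a primitive, and a well-behaved subclass as a positive control. Class and function names are mine.

```javascript
// Added example, not WebKit code: the two TypedArraySpeciesCreate failures
// that map, filter and slice must report as TypeError, plus a positive control.

// Species constructor that returns a view one element shorter than requested.
class Shrinking extends Uint8Array {
  static get [Symbol.species]() {
    return function ShortCtor(length) {
      return new Uint8Array(Math.max(0, length - 1));
    };
  }
}

// Well-behaved subclass: species defaults to the subclass itself.
class Fine extends Uint8Array {}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

function probeSpeciesCreate() {
  const shrinking = new Shrinking([1, 2, 3]);
  // this.constructor exists but is a primitive: SpeciesConstructor must throw.
  const badCtor = new Uint8Array(4);
  badCtor.constructor = 42;

  const fine = new Fine([1, 2, 3]).map((x) => x * 2);
  return {
    mapShort: throwsTypeError(() => shrinking.map((x) => x)),          // asks for 3, gets 2
    filterShort: throwsTypeError(() => shrinking.filter((x) => x > 1)), // asks for 2, gets 1
    sliceShort: throwsTypeError(() => shrinking.slice(0, 2)),          // asks for 2, gets 1
    ctorNotObject: throwsTypeError(() => badCtor.map((x) => x)),
    controlIsSubclass: fine instanceof Fine,
    controlValues: Array.from(fine),
  };
}
```

Every flag in the returned object is true on a conformant engine; the control shows that the species mechanism itself still works when the constructor honours the requested length.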
42 2020-09-24  Basuke Suzuki  <basuke.suzuki@sony.com>
43
44         [PlayStation] Stop raising SIGPIPE when client side of RemoteInspector dies
45         https://bugs.webkit.org/show_bug.cgi?id=216805
46
47         Reviewed by Don Olmstead.
48
49         When communication is stopped because of a peer crash or a non-polite close, SIGPIPE will be
50         raised on BSD (and maybe on Linux). We prefer to handle those events by returning an error.
51
52         On Windows, there's no such fancy feature to begin with.
53
54         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
55         (Inspector::Socket::read):
56         (Inspector::Socket::write):
57
58 2020-09-24  Angelos Oikonomopoulos  <angelos@igalia.com>
59
60         [MIPS] Broken build after r267371
61         https://bugs.webkit.org/show_bug.cgi?id=216893
62
63         Reviewed by Adrian Perez de Castro.
64
65         This addresses two issues.
66
67         First, the fix in https://bugs.webkit.org/show_bug.cgi?id=216772 was not
68         getting exercised, because the LabelReference offset was always zero.
69
70         The reason the offset was zero is that LabelReference.mapChildren would discard
71         the offset when generating a new LabelReference to wrap the Label returned by
72         the code block it yielded to.
73
74         The reason this was only an issue on MIPS is because only MIPS was using the
75         result of calls to LabelReference.mapChildren (in its lowering phase,
76         assignRegistersToTemporaries -> replaceTemporariesWithRegisters ->
77         mapChildren). Other archs, e.g. X86_64, only call mapChildren in earlier phases
78         (specifically, subsequent to a call to isASTErroneous), in which the new
79         LabelReferences returned by mapChildren are later discarded. Even though ARM
80         32/64 contains indirect calls to mapChildren, those are made after the
81         arm{,64}LowerLabelReferences transformation which doesn't leave any
82         LabelReference nodes around for .mapChildren to be called on.
83
84         So this is not an issue for architectures other than MIPS because
85         (a) AddImmediates.fold correctly constructs a LabelReference with an offset by
86         calling LabelReference.plusOffset and
87         (b) they don't call (and therefore don't use the result of)
88         LabelReference.mapChildren in their lowering code.
89
90         Second, the code we generate needs to look up the /label/ in the GOT, not the
91         computed address. After the lookup, we simply need to add the offset.
92
93         * offlineasm/ast.rb:
94         * offlineasm/mips.rb:
95
96 2020-09-24  Ross Kirsling  <ross.kirsling@sony.com>
97
98         %TypedArray%.prototype.fill must only evaluate its argument once
99         https://bugs.webkit.org/show_bug.cgi?id=216912
100
101         Reviewed by Yusuke Suzuki.
102
103         Currently, we evaluate the argument in `typedArray.fill({ valueOf() { ... } })` once per filled element,
104         but it should only be evaluated once in total.
105
106         * builtins/TypedArrayPrototype.js:
107         (fill):
108
109 2020-09-23  Ross Kirsling  <ross.kirsling@sony.com>
110
111         %ArrayIteratorPrototype%.next must check for detached buffers
112         https://bugs.webkit.org/show_bug.cgi?id=216904
113
114         Reviewed by Yusuke Suzuki.
115
116         Per https://tc39.es/ecma262/#sec-%arrayiteratorprototype%.next:
117           8. If a has a [[TypedArrayName]] internal slot, then
118             a. If IsDetachedBuffer(a.[[ViewedArrayBuffer]]) is true, throw a TypeError exception.
119
120         * builtins/ArrayIteratorPrototype.js:
121         (next):
122         * builtins/BuiltinNames.h:
123         * bytecode/LinkTimeConstant.h:
124         * runtime/JSGlobalObject.cpp:
125         (JSC::JSGlobalObject::init):
126         * runtime/JSTypedArrayViewPrototype.cpp:
127         (JSC::typedArrayViewPrivateFuncIsNeutered):
128         * runtime/JSTypedArrayViewPrototype.h:
129
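Side-effect probes for the two typed array checks above (fill evaluating its argument once, and %ArrayIteratorPrototype%.next rejecting a detached buffer), as an added example that is not WebKit code. Detaching from script is done with structuredClone and a transfer list, which is an assumption about the host (Node 17 or later); the function names are mine.

```javascript
// Added example, not WebKit code: side-effect probes for the two typed array
// checks above. fill() must run ToNumber on its argument exactly once, and
// %ArrayIteratorPrototype%.next must throw once the viewed buffer is detached.

function countFillConversions(length) {
  let calls = 0;
  const ta = new Uint8Array(length);
  ta.fill({ valueOf() { calls += 1; return 7; } });
  // A conformant engine converts once; a per-element conversion would report `length` calls.
  return { calls, filled: ta.every((x) => x === 7) };
}

// Detach a buffer from script. structuredClone with a transfer list moves the
// backing store to the clone and leaves the original detached (Node >= 17).
function detach(buffer) {
  structuredClone(buffer, { transfer: [buffer] });
  return buffer.byteLength === 0;
}

function iterateAcrossDetach() {
  const ta = new Uint8Array([10, 20, 30]); // constructed input
  const it = ta.values();
  const first = it.next().value;           // 10, buffer still attached
  const detached = detach(ta.buffer);
  try {
    it.next();                             // must not read from a detached buffer
    return { first, detached, error: null };
  } catch (e) {
    return { first, detached, error: e.constructor.name };
  }
}
```

Under a conformant engine countFillConversions(16) reports a single conversion and iterateAcrossDetach() reports a TypeError on the second next() call rather than a value.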
130 2020-09-23  Yusuke Suzuki  <ysuzuki@apple.com>
131
132         [JSC] Simplify some of the template-specialized host functions by defining each function
133         https://bugs.webkit.org/show_bug.cgi?id=216907
134
135         Reviewed by Saam Barati.
136
137         This makes automatically registering these functions in JIT-caging easy.
138
139         * API/APICallbackFunction.h:
140         (JSC::APICallbackFunction::callImpl):
141         (JSC::APICallbackFunction::constructImpl):
142         (JSC::APICallbackFunction::call): Deleted.
143         (JSC::APICallbackFunction::construct): Deleted.
144         * API/JSCallbackConstructor.cpp:
145         (JSC::constructJSCallbackConstructor):
146         (JSC::JSCallbackConstructor::getConstructData):
147         * API/JSCallbackFunction.cpp:
148         (JSC::callJSCallbackFunction):
149         (JSC::JSCallbackFunction::JSCallbackFunction):
150         * API/ObjCCallbackFunction.mm:
151         (JSC::callObjCCallbackFunction):
152         (JSC::constructObjCCallbackFunction):
153         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
154         * API/glib/JSCCallbackFunction.cpp:
155         (JSC::callJSCCallbackFunction):
156         (JSC::constructJSCCallbackFunction):
157         (JSC::JSCCallbackFunction::JSCCallbackFunction):
158         * dfg/DFGOperations.h:
159         * jit/JITOperations.cpp:
160         * jit/JITOperations.h:
161         * jsc.cpp:
162         (accessorMakeMasquerader):
163         * runtime/JSArrayBufferConstructor.cpp:
164         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
165         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructImpl):
166         (JSC::constructArrayBuffer):
167         (JSC::constructSharedArrayBuffer):
168         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer): Deleted.
169         * runtime/JSArrayBufferConstructor.h:
170         * runtime/JSCustomGetterSetterFunction.cpp:
171         (JSC::customGetterSetterFunctionCall):
172         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): Deleted.
173         * runtime/JSCustomGetterSetterFunction.h:
174         * runtime/NativeErrorConstructor.cpp:
175         (JSC::NativeErrorConstructor<errorType>::constructImpl):
176         (JSC::NativeErrorConstructor<errorType>::callImpl):
177         (JSC::callEvalError):
178         (JSC::constructEvalError):
179         (JSC::callRangeError):
180         (JSC::constructRangeError):
181         (JSC::callReferenceError):
182         (JSC::constructReferenceError):
183         (JSC::callSyntaxError):
184         (JSC::constructSyntaxError):
185         (JSC::callTypeError):
186         (JSC::constructTypeError):
187         (JSC::callURIError):
188         (JSC::constructURIError):
189         (JSC::callFunction):
190         (JSC::constructFunction):
191         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
192         (JSC::NativeErrorConstructorBase::finishCreation):
193         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor): Deleted.
194         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor): Deleted.
195         * runtime/NativeErrorConstructor.h:
196         * runtime/RegExpConstructor.cpp:
197         (JSC::regExpConstructorDollarImpl):
198         (JSC::regExpConstructorDollar1):
199         (JSC::regExpConstructorDollar2):
200         (JSC::regExpConstructorDollar3):
201         (JSC::regExpConstructorDollar4):
202         (JSC::regExpConstructorDollar5):
203         (JSC::regExpConstructorDollar6):
204         (JSC::regExpConstructorDollar7):
205         (JSC::regExpConstructorDollar8):
206         (JSC::regExpConstructorDollar9):
207         (JSC::regExpConstructorInput):
208         (JSC::regExpConstructorMultiline):
209         (JSC::regExpConstructorLastMatch):
210         (JSC::regExpConstructorLastParen):
211         (JSC::regExpConstructorLeftContext):
212         (JSC::regExpConstructorRightContext):
213         (JSC::setRegExpConstructorInput):
214         (JSC::setRegExpConstructorMultiline):
215         (JSC::regExpConstructorDollar): Deleted.
216         * tools/JSDollarVM.cpp:
217
218 2020-09-23  Alexey Shvayka  <shvaikalesh@gmail.com>
219
220         Update Array.prototype.sort to be consistent with tightened spec
221         https://bugs.webkit.org/show_bug.cgi?id=202582
222
223         Reviewed by Yusuke Suzuki and Keith Miller.
224
225         This patch implements the spec change [1] that reduces the number of cases resulting
226         in an implementation-defined sort order, aligning JSC with V8 and SpiderMonkey.
227
228         To achieve this, we collect all existing non-undefined receiver elements to a
229         temporary array, sort it, and write back sorted items, followed by `undefined`
230         values and holes.
231
232         This change is proven to be web-compatible (shipping since Chrome 76) and neutral
233         on peak memory consumption in the wild.
234
235         Although we can unobservably detect sparse receivers, we can't avoid creating a
236         temporary array for the common case since userland comparators may throw; string
237         sorting won't measurably benefit from this, only increasing code complexity.
238
239         This change uses @putByValDirect unless the spec requires [[Set]], avoids using
240         closure variables, and adds a few drive-by optimizations, resulting in ~22%
241         faster string sorting and 13% speed-up for userland comparators.
242         Dromaeo/jslib is neutral.
243
244         [1]: https://github.com/tc39/ecma262/pull/1585
245
246         * builtins/ArrayPrototype.js:
247         (sort.stringComparator):
248         Optimization #1: replace char-by-char comparison loop with > operator, aligning
249         JSC with V8 and SpiderMonkey. This semantically equivalent change alone is a ~15%
250         progression for string sort.
251
252         (sort.compact):
253         (sort.commit):
254         Optimization #2: copy large non-numeric arrays in a loop rather than @appendMemcpy.
255         Using the latter unconditionally regresses provided microbenchmarks.
256
257         (sort.merge):
258         Optimization #3: replace `typeof` check and negation with strict equality.
259
260         (sort.mergeSort):
261         Optimization #4: always return sorted array instead of copying, even if it's the buffer.
262         Tweak: create the buffer with correct length.
263
264         (sort.bucketSort):
265         Optimization #5: avoid emitting 2 extra get_by_val ops by saving bucket lookup to a variable.
266         Tweak: create new bucket via array literal.
267
268         (sort): Fix typo in error message.
269         (sort.compactSparse): Deleted.
270         (sort.compactSlow): Deleted.
271         (sort.comparatorSort): Deleted.
272         (sort.stringSort): Deleted.
273         * runtime/ObjectConstructor.cpp:
274         (JSC::ObjectConstructor::finishCreation):
275         Remove @Object.@getPrototypeOf as it's now unused and we have @getPrototypeOf intrinsic anyway.
276
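The compact / sort / commit shape described in the entry above, written out as a reference model. This is an added example, not WebKit's builtin and not the ArrayPrototype.js code the entry changes: it collects existing non-undefined elements into a temporary array, sorts only that array (so a throwing comparator escapes before any write to the receiver), then writes back the sorted items, the undefined values, and finally deletes the remaining indices so they become holes. The default comparator and the NaN handling follow the spec's SortCompare; the function names and the sparse input are mine.

```javascript
// Added example, not WebKit code: a reference model of the tightened
// Array.prototype.sort described above (tc39/ecma262#1585). Existing,
// non-undefined elements are collected, sorted, and written back; then the
// undefined values; then every remaining index is deleted so it becomes a hole.
function sortLikeSpec(obj, comparator) {
  if (comparator !== undefined && typeof comparator !== 'function') {
    throw new TypeError('The comparison function must be either a function or undefined');
  }
  const len = obj.length >>> 0; // stand-in for ToLength(obj.length)

  // Step 1: compact. Holes (index absent) and undefined are set aside.
  const items = [];
  let undefinedCount = 0;
  for (let i = 0; i < len; i++) {
    if (!(i in obj)) continue; // hole: not counted anywhere
    const v = obj[i];
    if (v === undefined) undefinedCount += 1;
    else items.push(v);
  }

  // Step 2: sort the temporary array only. A throwing comparator escapes here,
  // before any write to the receiver, which is why the copy cannot be skipped.
  const compare = comparator === undefined
    ? (a, b) => { const x = String(a), y = String(b); return x < y ? -1 : (x > y ? 1 : 0); }
    : (a, b) => { const r = Number(comparator(a, b)); return Number.isNaN(r) ? 0 : r; };
  items.sort(compare); // dense and undefined-free, so the engine sort is fully specified here

  // Step 3: commit. Sorted items, then undefineds, then delete the rest.
  let i = 0;
  for (const v of items) obj[i++] = v;
  for (let k = 0; k < undefinedCount; k++) obj[i++] = undefined;
  for (; i < len; i++) delete obj[i];
  return obj;
}

// Index-by-index comparison that distinguishes holes from undefined.
function sameShape(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if ((i in a) !== (i in b) || a[i] !== b[i]) return false;
  }
  return true;
}

// Constructed input: holes at 1 and 5, an explicit undefined at 2.
function demo() {
  const sparse = [3, , undefined, 1, 'b', , 'a'];
  const model = sortLikeSpec(sparse.slice());
  const native = sparse.slice().sort();
  const victim = [2, 1];
  let untouchedAfterThrow = false;
  try {
    sortLikeSpec(victim, () => { throw new RangeError('comparator failed'); });
  } catch (e) {
    untouchedAfterThrow = e instanceof RangeError && victim[0] === 2 && victim[1] === 1;
  }
  return { model, agreesWithNative: sameShape(model, native), untouchedAfterThrow };
}
```

For the constructed input the model yields [1, 3, 'a', 'b', undefined, <hole>, <hole>] (default string order, one undefined, two holes), and agrees index-for-index with the engine's own sort on any engine that has adopted the tightened spec.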
277 2020-09-23  Yusuke Suzuki  <ysuzuki@apple.com>
278
279         [JSC] Intl spec update: handle awkward rounding behavior
280         https://bugs.webkit.org/show_bug.cgi?id=216760
281
282         Reviewed by Ross Kirsling.
283
284         This patch supports the new spec change "handle awkward rounding behavior"[1].
285         This changes the minimumFractionDigits / maximumFractionDigits calculation when the specified ones are less than the currency digits.
286
287         [1]: https://github.com/tc39/ecma402/pull/471
288
289         * runtime/CommonIdentifiers.h:
290         * runtime/IntlNumberFormat.cpp:
291         (JSC::IntlNumberFormat::resolvedOptions const):
292         * runtime/IntlNumberFormatInlines.h:
293         (JSC::setNumberFormatDigitOptions):
294         * runtime/IntlPluralRules.cpp:
295         (JSC::IntlPluralRules::resolvedOptions const):
296
297 2020-09-23  Caio Lima  <ticaiolima@gmail.com>
298
299         [JSC][ESNext] Create a new opcode to handle private fields store/define
300         https://bugs.webkit.org/show_bug.cgi?id=213372
301
302         Reviewed by Yusuke Suzuki.
303
304         This patch is adding a new opcode to handle private field storage.
305         Before this change, we were using `put_by_val_direct` and including
306         the information of `PutKind` in `PutByValFlags`. We initially decided
307         to use `put_by_val_direct` to take advantage of all the IC mechanisms already
308         implemented for this instruction; however, the semantics of private fields
309         are different enough to complicate the understanding of
310         `put_by_val_direct`.
311
312         The new instruction is called `put_private_name` and has as its operands
313         `baseObject` where the put is going to be placed, the `property`
314         that's going to be installed (it is always a private symbol of a
315         private field), the `value` we are going to store and the
316         `PrivateFieldPutKind` that can be `Define` or `Set`.
317         The difference of each `PrivateFieldPutKind` is the following:
318         
319         - Define: It defines a new private field. If this field is already
320         present, it throws a `TypeError`.
321         - Set: It sets the value of a private field. If the field is not
322         present at the moment of set, it throws a `TypeError`.
323
324         This patch includes IC support for all tiers. For DFG and FTL, we
325         only emit an IC when we are able to emit `CheckConstant`
326         for the subscript identifier during bytecode parsing. We are adding a new
327         DFG node called `PutPrivateNameById` that handles such cases when we
328         have constant identifiers.
329         We are also adding a new DFG node `PutPrivateName` that handles the generic
330         case of `put_private_name`. The strategy used to compile
331         `put_private_name` is very similar to what we are using for
332         `put_by_val[_direct]`. We first try to compile it as `[Multi]PutByOffset`
333         using profiled information from LLInt and Baseline execution. If that
334         is not possible, we then emit a `PutPrivateName[ById]` node. We get another
335         chance to transform `PutPrivateNameById` into `PutByOffset` if we can prove
336         its structure set at the constant folding phase.
337
338         * CMakeLists.txt:
339         * JavaScriptCore.xcodeproj/project.pbxproj:
340         * Sources.txt:
341         * bytecode/BytecodeList.rb:
342         * bytecode/BytecodeUseDef.cpp:
343         (JSC::computeUsesForBytecodeIndexImpl):
344         (JSC::computeDefsForBytecodeIndexImpl):
345         * bytecode/CodeBlock.cpp:
346         (JSC::CodeBlock::finishCreation):
347         (JSC::CodeBlock::propagateTransitions):
348         (JSC::CodeBlock::finalizeLLIntInlineCaches):
349         * bytecode/Fits.h:
350         * bytecode/PutByIdStatus.cpp:
351         (JSC::PutByIdStatus::computeFromLLInt):
352         (JSC::PutByIdStatus::computeFor):
353         * bytecode/PutByIdStatus.h:
354         * bytecode/PutByValFlags.cpp: Removed.
355         * bytecode/PutByValFlags.h: Removed.
356         * bytecode/PutKind.h:
357         (): Deleted.
358         * bytecompiler/BytecodeGenerator.cpp:
359         (JSC::BytecodeGenerator::emitDirectPutByVal):
360         (JSC::BytecodeGenerator::emitDefinePrivateField):
361         (JSC::BytecodeGenerator::emitPrivateFieldPut):
362         * dfg/DFGAbstractInterpreterInlines.h:
363         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
364         * dfg/DFGByteCodeParser.cpp:
365         (JSC::DFG::ByteCodeParser::handlePutPrivateNameById):
366         (JSC::DFG::ByteCodeParser::parseBlock):
367         (JSC::DFG::ByteCodeParser::handlePutByVal):
368         (JSC::DFG::ecmaMode): Deleted.
369         (JSC::DFG::ecmaMode<OpPutByValDirect>): Deleted.
370         * dfg/DFGCapabilities.cpp:
371         (JSC::DFG::capabilityLevel):
372         * dfg/DFGClobberize.h:
373         (JSC::DFG::clobberize):
374         * dfg/DFGConstantFoldingPhase.cpp:
375         (JSC::DFG::ConstantFoldingPhase::foldConstants):
376         (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
377         * dfg/DFGDoesGC.cpp:
378         (JSC::DFG::doesGC):
379         * dfg/DFGFixupPhase.cpp:
380         (JSC::DFG::FixupPhase::fixupNode):
381         * dfg/DFGNode.h:
382         (JSC::DFG::Node::convertToPutByOffset):
383         (JSC::DFG::Node::convertToMultiPutByOffset):
384         (JSC::DFG::Node::hasCacheableIdentifier):
385         (JSC::DFG::Node::hasPrivateFieldPutKind):
386         (JSC::DFG::Node::privateFieldPutKind):
387         * dfg/DFGNodeType.h:
388         * dfg/DFGOpInfo.h:
389         (JSC::DFG::OpInfo::OpInfo):
390         * dfg/DFGPredictionPropagationPhase.cpp:
391         * dfg/DFGSafeToExecute.h:
392         (JSC::DFG::safeToExecute):
393         * dfg/DFGSpeculativeJIT.cpp:
394         (JSC::DFG::SpeculativeJIT::compilePutPrivateName):
395         (JSC::DFG::SpeculativeJIT::compilePutPrivateNameById):
396         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
397         (JSC::DFG::SpeculativeJIT::compilePutById):
398         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
399         (JSC::DFG::SpeculativeJIT::cachedPutById):
400         * dfg/DFGSpeculativeJIT.h:
401         * dfg/DFGSpeculativeJIT32_64.cpp:
402         (JSC::DFG::SpeculativeJIT::compile):
403         * dfg/DFGSpeculativeJIT64.cpp:
404         (JSC::DFG::SpeculativeJIT::compile):
405         * dfg/DFGStoreBarrierInsertionPhase.cpp:
406         * ftl/FTLCapabilities.cpp:
407         (JSC::FTL::canCompile):
408         * ftl/FTLLowerDFGToB3.cpp:
409         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
410         (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateNameById):
411         (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
412         (JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
413         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
414         * generator/DSL.rb:
415         * jit/JIT.cpp:
416         (JSC::JIT::privateCompileMainPass):
417         (JSC::JIT::privateCompileSlowCases):
418         (JSC::JIT::link):
419         * jit/JIT.h:
420         (JSC::ByValCompilationInfo::ByValCompilationInfo):
421         * jit/JITInlineCacheGenerator.cpp:
422         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
423         (JSC::JITPutByIdGenerator::slowPathFunction):
424         * jit/JITInlineCacheGenerator.h:
425         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
426         * jit/JITInlines.h:
427         (JSC::JIT::ecmaMode<OpPutPrivateName>):
428         (JSC::JIT::ecmaMode<OpPutByValDirect>): Deleted.
429         (JSC::JIT::privateFieldAccessKind): Deleted.
430         (JSC::JIT::privateFieldAccessKind<OpPutByValDirect>): Deleted.
431         * jit/JITOperations.cpp:
432         (JSC::setPrivateField):
433         (JSC::putPrivateField): Deleted.
434         * jit/JITOperations.h:
435         * jit/JITPropertyAccess.cpp:
436         (JSC::JIT::emitPutByValWithCachedId):
437         (JSC::JIT::emitSlow_op_put_by_val):
438         (JSC::JIT::emit_op_put_private_name):
439         (JSC::JIT::emitSlow_op_put_private_name):
440         (JSC::JIT::emit_op_put_by_id):
441         (JSC::JIT::emitPutPrivateNameWithCachedId):
442         (JSC::JIT::privateCompilePutPrivateNameWithCachedId):
443         (JSC::JIT::privateCompilePutByValWithCachedId):
444         * jit/JITPropertyAccess32_64.cpp:
445         (JSC::JIT::emit_op_put_private_name):
446         (JSC::JIT::emitSlow_op_put_private_name):
447         (JSC::JIT::emit_op_put_by_id):
448         * jit/Repatch.cpp:
449         (JSC::appropriateGenericPutByIdFunction):
450         (JSC::appropriateOptimizingPutByIdFunction):
451         (JSC::tryCachePutByID):
452         (JSC::resetPutByID):
453         * llint/LLIntOffsetsExtractor.cpp:
454         * llint/LLIntSlowPaths.cpp:
455         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
456         * llint/LLIntSlowPaths.h:
457         * llint/LowLevelInterpreter32_64.asm:
458         * llint/LowLevelInterpreter64.asm:
459         * runtime/JSObject.h:
460         * runtime/JSObjectInlines.h:
461         (JSC::JSObject::setPrivateField):
462         (JSC::JSObject::putPrivateField): Deleted.
463         * runtime/PrivateFieldPutKind.cpp: Added.
464         (JSC::PrivateFieldPutKind::dump const):
465         * runtime/PrivateFieldPutKind.h: Added.
466         (JSC::PrivateFieldPutKind::fromByte):
467         (JSC::PrivateFieldPutKind::none):
468         (JSC::PrivateFieldPutKind::set):
469         (JSC::PrivateFieldPutKind::define):
470         (JSC::PrivateFieldPutKind::isNone const):
471         (JSC::PrivateFieldPutKind::isSet const):
472         (JSC::PrivateFieldPutKind::isDefine const):
473         (JSC::PrivateFieldPutKind::value const):
474         (JSC::PrivateFieldPutKind::PrivateFieldPutKind):
475
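The Define and Set semantics of `PrivateFieldPutKind` described in the entry above, as they are observable from script. This is an added example, not WebKit code: a field initializer performs a Define, which must throw if the field already exists, and ordinary assignment performs a Set, which must throw if the field is absent. The return-override trick (a base constructor returning a caller-supplied object) is what lets the same object be initialized twice; class and function names are mine.

```javascript
// Added example, not WebKit code: the two PrivateFieldPutKind semantics as
// they are observable from script. A field initializer performs a Define
// (must not already exist); ordinary assignment performs a Set (must exist).
class Base {
  // "Return override": returning a caller-supplied object makes a subclass's
  // field initializers run against that object instead of a fresh instance.
  constructor(target) { return target; }
}

class Stamper extends Base {
  #x = 1;                                  // Define on whatever `this` is
  static setX(obj, v) { obj.#x = v; }      // Set: #x must already be present
  static getX(obj) { return obj.#x; }
}

function errorNameOf(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

function defineTwice() {
  const obj = {};
  new Stamper(obj);                            // installs #x on obj
  return errorNameOf(() => new Stamper(obj));  // second Define on the same object
}

function setWithoutDefine() {
  return errorNameOf(() => Stamper.setX({}, 5)); // Set on an object lacking #x
}

function defineThenSet() {
  const obj = {};
  new Stamper(obj);
  Stamper.setX(obj, 42);                   // Set on an existing #x succeeds
  return Stamper.getX(obj);
}
```

defineTwice() and setWithoutDefine() both report TypeError; defineThenSet() returns 42. These are exactly the two throwing paths the new opcode has to preserve across LLInt, Baseline, DFG and FTL, whatever IC or PutByOffset transformation is applied.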
476 2020-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         [JSC] Enable Intl.DateTimeFormat dayPeriod
479         https://bugs.webkit.org/show_bug.cgi?id=216845
480
481         Reviewed by Mark Lam.
482
483         Since we already have consensus, let's enable it.
484         For now, we keep this flag since it is possible that something
485         happens before the change is integrated into the spec.
486
487         * runtime/OptionsList.h:
488
489 2020-09-22  HyeockJin Kim  <kherootz@gmail.com>
490
491         Coerce computed property before adding to |excludedList|
492         https://bugs.webkit.org/show_bug.cgi?id=216437
493
494         Reviewed by Yusuke Suzuki.
495
496         * bytecompiler/NodesCodegen.cpp:
497         (JSC::ObjectPatternNode::bindValue const):
498
499 2020-09-21  Paulo Matos  <pmatos@igalia.com>
500
501         Fix MIPS leai,leap when offset is nonzero
502         https://bugs.webkit.org/show_bug.cgi?id=216772
503
504         Reviewed by Mark Lam.
505
506         Fix required by change from webkit#216685
507         * offlineasm/mips.rb:
508
509 2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
510
511         [JSC] BigInt should work with Map / Set
512         https://bugs.webkit.org/show_bug.cgi?id=216667
513
514         Reviewed by Robin Morisset.
515
516         This patch makes BigInt supported in Map / Set.
517
518         1. In NormalizeMapKey, we always attempt to convert HeapBigInt to BigInt32 (if supported). This ensures that a
519             normalized BigInt has one unique form in the BigInt32 range, which allows us to hash the BigInt32 bit pattern directly.
520         2. In MapHash, for BigInt32, we directly hash the JSValue bits. For HeapBigInt, we calculate the hash via Hasher.
521         3. In GetMapBucket, we handle the HeapBigInt case correctly.
522
523         * dfg/DFGAbstractInterpreterInlines.h:
524         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
525         * dfg/DFGConstantFoldingPhase.cpp:
526         (JSC::DFG::ConstantFoldingPhase::foldConstants):
527         * dfg/DFGDoesGC.cpp:
528         (JSC::DFG::doesGC):
529         * dfg/DFGFixupPhase.cpp:
530         (JSC::DFG::FixupPhase::fixupNode):
531         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
532         * dfg/DFGOperations.cpp:
533         * dfg/DFGOperations.h:
534         * dfg/DFGSpeculativeJIT.cpp:
535         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
536         * dfg/DFGSpeculativeJIT64.cpp:
537         (JSC::DFG::SpeculativeJIT::compile):
538         * ftl/FTLLowerDFGToB3.cpp:
539         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
540         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
541         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
542         * runtime/HashMapImpl.h:
543         (JSC::normalizeMapKey):
544         (JSC::jsMapHash):
545         (JSC::concurrentJSMapHash):
546         * runtime/JSBigInt.cpp:
547         (JSC::JSBigInt::concurrentHash):
548         * runtime/JSBigInt.h:
549         (JSC::tryConvertToBigInt32):
550
551 2020-09-21  Mark Lam  <mark.lam@apple.com>
552
553         Move some LLInt globals into JSC::Config.
554         https://bugs.webkit.org/show_bug.cgi?id=216685
555         rdar://68964544
556
557         Reviewed by Keith Miller.
558
559         1. Moved the following into g_jscConfig:
560
561            Data::s_exceptionInstructions ==> g_jscConfig.llint.exceptionInstructions
562            Data::s_wasmExceptionInstructions ==> g_jscConfig.llint.wasmExceptionInstructions
563            g_opcodeMap ==> g_jscConfig.llint.opcodeMap
564            g_opcodeMapWide16 ==> g_jscConfig.llint.opcodeMapWide16
565            g_opcodeMapWide32 ==> g_jscConfig.llint.opcodeMapWide32
566
567         2. Fixed cloop.rb so that it can take an offset for the leap offlineasm instruction.
568         3. Fixed x86.rb so that it can take an offset for the leap offlineasm instruction.
569         4. Fixed arm.rb so that it can take an offset for the leap offlineasm instruction.
570
571            Note: arm64.rb already does this right.
572
573         5. Added JSC::Config::singleton() to return a reference to g_jscConfig.
574            This is useful when debugging with lldb since g_jscConfig is not an actual
575            label, but is a macro that computes the address of the Config record.
576
577         This patch has been smoke tested on arm64e, x86_64, and cloop (on x86_64 and armv7k).
578
579         * llint/LLIntData.cpp:
580         (JSC::LLInt::LLIntInitializeAssertScope::LLIntInitializeAssertScope):
581         (JSC::LLInt::LLIntInitializeAssertScope::~LLIntInitializeAssertScope):
582         (JSC::LLInt::LLIntInitializeAssertScope::assertInitializationIsAllowed):
583         (JSC::LLInt::initialize):
584         * llint/LLIntData.h:
585         (JSC::LLInt::exceptionInstructions):
586         (JSC::LLInt::wasmExceptionInstructions):
587         (JSC::LLInt::opcodeMap):
588         (JSC::LLInt::opcodeMapWide16):
589         (JSC::LLInt::opcodeMapWide32):
590         (JSC::LLInt::getOpcode):
591         (JSC::LLInt::getOpcodeWide16):
592         (JSC::LLInt::getOpcodeWide32):
593         * llint/LowLevelInterpreter.asm:
594         * llint/LowLevelInterpreter.cpp:
595         * llint/LowLevelInterpreter64.asm:
596         * llint/WebAssembly.asm:
597         * offlineasm/arm.rb:
598         * offlineasm/cloop.rb:
599         * offlineasm/x86.rb:
600         * runtime/JSCConfig.cpp:
601         (JSC::Config::singleton):
602         * runtime/JSCConfig.h:
603
604 2020-09-21  Basuke Suzuki  <basuke.suzuki@sony.com>
605
606         [WinCairo][PlayStation] Support different instances of listener client.
607         https://bugs.webkit.org/show_bug.cgi?id=216733
608
609         Reviewed by Don Olmstead.
610
611         Currently RemoteInspectorSocketEndpoint supports one client instance for all
612         listeners. This patch allows each listener to create its own listener client at
613         accept time.
614
615         * inspector/remote/RemoteControllableTarget.h:
616         * inspector/remote/RemoteInspector.h:
617         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
618         (Inspector::RemoteInspectorConnectionClient::didReceive):
619         * inspector/remote/socket/RemoteInspectorConnectionClient.h:
620         * inspector/remote/socket/RemoteInspectorServer.cpp:
621         (Inspector::RemoteInspectorServer::start):
622         (Inspector::RemoteInspectorServer::doAccept):
623         * inspector/remote/socket/RemoteInspectorServer.h:
624         * inspector/remote/socket/RemoteInspectorSocket.cpp:
625         (Inspector::RemoteInspector::didClose):
626         * inspector/remote/socket/RemoteInspectorSocket.h:
627         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
628         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
629         (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
630         (Inspector::RemoteInspectorSocketEndpoint::listenInet):
631         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
632         (Inspector::RemoteInspectorSocketEndpoint::generateConnectionID):
633         (Inspector::RemoteInspectorSocketEndpoint::createClient):
634         (Inspector::RemoteInspectorSocketEndpoint::disconnect):
635         (Inspector::RemoteInspectorSocketEndpoint::createListener):
636         (Inspector::RemoteInspectorSocketEndpoint::invalidateClient):
637         (Inspector::RemoteInspectorSocketEndpoint::invalidateListener):
638         (Inspector::RemoteInspectorSocketEndpoint::getPort const):
639         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
640         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
641         (Inspector::RemoteInspectorSocketEndpoint::send):
642         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
643         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
644
645 2020-09-21  Keith Miller  <keith_miller@apple.com>
646
647         Functions should consistently enumerate length before name
648         https://bugs.webkit.org/show_bug.cgi?id=216789
649
650         Reviewed by Yusuke Suzuki.
651
652         In https://github.com/tc39/ecma262/pull/2116, which has been
653         approved to be merged into the main JS spec, it's expected that
654         all functions should have their length property enumerated before
655         the name property. To ensure this invariant, this patch moves the
656         length set into InternalFunction::finishCreation.
657
658         There are no new tests since tests will be added to test262 when
659         the spec PR is merged. Adding tests to stress just means we will
660         have the same test twice, which seems like a waste.
661
662         * API/JSCallbackFunction.cpp:
663         (JSC::JSCallbackFunction::finishCreation):
664         * API/ObjCCallbackFunction.mm:
665         (JSC::ObjCCallbackFunction::create):
666         * API/glib/JSCCallbackFunction.cpp:
667         (JSC::JSCCallbackFunction::create):
668         * runtime/AggregateErrorConstructor.cpp:
669         (JSC::AggregateErrorConstructor::finishCreation):
670         * runtime/ArrayConstructor.cpp:
671         (JSC::ArrayConstructor::finishCreation):
672         * runtime/AsyncFunctionConstructor.cpp:
673         (JSC::AsyncFunctionConstructor::finishCreation):
674         * runtime/AsyncGeneratorFunctionConstructor.cpp:
675         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
676         * runtime/BigIntConstructor.cpp:
677         (JSC::BigIntConstructor::finishCreation):
678         * runtime/BooleanConstructor.cpp:
679         (JSC::BooleanConstructor::finishCreation):
680         * runtime/DateConstructor.cpp:
681         (JSC::DateConstructor::finishCreation):
682         * runtime/ErrorConstructor.cpp:
683         (JSC::ErrorConstructor::finishCreation):
684         * runtime/FinalizationRegistryConstructor.cpp:
685         (JSC::FinalizationRegistryConstructor::finishCreation):
686         * runtime/FunctionConstructor.cpp:
687         (JSC::FunctionConstructor::finishCreation):
688         * runtime/FunctionPrototype.cpp:
689         (JSC::FunctionPrototype::finishCreation):
690         * runtime/GeneratorFunctionConstructor.cpp:
691         (JSC::GeneratorFunctionConstructor::finishCreation):
692         * runtime/InternalFunction.cpp:
693         (JSC::InternalFunction::finishCreation):
694         (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
695         * runtime/InternalFunction.h:
696         * runtime/IntlCollatorConstructor.cpp:
697         (JSC::IntlCollatorConstructor::finishCreation):
698         * runtime/IntlDateTimeFormatConstructor.cpp:
699         (JSC::IntlDateTimeFormatConstructor::finishCreation):
700         * runtime/IntlDisplayNamesConstructor.cpp:
701         (JSC::IntlDisplayNamesConstructor::finishCreation):
702         * runtime/IntlLocaleConstructor.cpp:
703         (JSC::IntlLocaleConstructor::finishCreation):
704         * runtime/IntlNumberFormatConstructor.cpp:
705         (JSC::IntlNumberFormatConstructor::finishCreation):
706         * runtime/IntlPluralRulesConstructor.cpp:
707         (JSC::IntlPluralRulesConstructor::finishCreation):
708         * runtime/IntlRelativeTimeFormatConstructor.cpp:
709         (JSC::IntlRelativeTimeFormatConstructor::finishCreation):
710         * runtime/IntlSegmenterConstructor.cpp:
711         (JSC::IntlSegmenterConstructor::finishCreation):
712         * runtime/JSArrayBufferConstructor.cpp:
713         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
714         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
715         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
716         * runtime/JSTypedArrayViewConstructor.cpp:
717         (JSC::JSTypedArrayViewConstructor::finishCreation):
718         * runtime/MapConstructor.cpp:
719         (JSC::MapConstructor::finishCreation):
720         * runtime/NativeErrorConstructor.cpp:
721         (JSC::NativeErrorConstructorBase::finishCreation):
722         * runtime/NullGetterFunction.h:
723         * runtime/NullSetterFunction.h:
724         * runtime/NumberConstructor.cpp:
725         (JSC::NumberConstructor::finishCreation):
726         * runtime/ObjectConstructor.cpp:
727         (JSC::ObjectConstructor::finishCreation):
728         * runtime/ProxyConstructor.cpp:
729         (JSC::ProxyConstructor::finishCreation):
730         * runtime/ProxyRevoke.cpp:
731         (JSC::ProxyRevoke::finishCreation):
732         * runtime/RegExpConstructor.cpp:
733         (JSC::RegExpConstructor::finishCreation):
734         * runtime/SetConstructor.cpp:
735         (JSC::SetConstructor::finishCreation):
736         * runtime/StringConstructor.cpp:
737         (JSC::StringConstructor::finishCreation):
738         * runtime/SymbolConstructor.cpp:
739         (JSC::SymbolConstructor::finishCreation):
740         * runtime/WeakMapConstructor.cpp:
741         (JSC::WeakMapConstructor::finishCreation):
742         * runtime/WeakObjectRefConstructor.cpp:
743         (JSC::WeakObjectRefConstructor::finishCreation):
744         * runtime/WeakSetConstructor.cpp:
745         (JSC::WeakSetConstructor::finishCreation):
746         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
747         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
748         * wasm/js/WebAssemblyGlobalConstructor.cpp:
749         (JSC::WebAssemblyGlobalConstructor::finishCreation):
750         * wasm/js/WebAssemblyInstanceConstructor.cpp:
751         (JSC::WebAssemblyInstanceConstructor::finishCreation):
752         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
753         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
754         * wasm/js/WebAssemblyMemoryConstructor.cpp:
755         (JSC::WebAssemblyMemoryConstructor::finishCreation):
756         * wasm/js/WebAssemblyModuleConstructor.cpp:
757         (JSC::WebAssemblyModuleConstructor::finishCreation):
758         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
759         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
760         * wasm/js/WebAssemblyTableConstructor.cpp:
761         (JSC::WebAssemblyTableConstructor::finishCreation):
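
The following is an added example and not WebKit or JSC code: a small conformance probe for the invariant the entry above describes, that a function's own "length" key is enumerated before its "name" key. It is plain ECMAScript, so it runs on any engine; the helper names (lengthBeforeName, findViolations, SAMPLE_FUNCTIONS, nameFirstObject) and the sampled function set are my own.

```javascript
// Added example, not WebKit/JSC code. Probes the invariant described in the
// entry above: a function's own "length" key is enumerated before "name".
// Names below (lengthBeforeName, findViolations, SAMPLE_FUNCTIONS) are mine.

// True when fn has both own keys and "length" precedes "name".
function lengthBeforeName(fn) {
  const keys = Object.getOwnPropertyNames(fn);
  const lengthIndex = keys.indexOf("length");
  const nameIndex = keys.indexOf("name");
  return lengthIndex !== -1 && nameIndex !== -1 && lengthIndex < nameIndex;
}

// Constructed sample of the function kinds the entry touches. Named forms
// only, so that "name" is always an own property of the sampled function.
const SAMPLE_FUNCTIONS = {
  declaration: function plain() {},
  arrow: () => {},                         // named "arrow" by NamedEvaluation
  asyncFunction: async function asyncFn() {},
  generator: function* gen() {},
  classConstructor: class Klass {},
  boundFunction: (function toBind() {}).bind(null),
  dynamicFunction: new Function("a", "b", "return a + b"),
  builtinConstructor: Array,
  builtinMethod: Math.max,
};

// Labels of every sampled function whose key order is wrong; an empty
// array means the engine honours the invariant for the whole sample.
function findViolations(functions = SAMPLE_FUNCTIONS) {
  return Object.entries(functions)
    .filter(([, fn]) => !lengthBeforeName(fn))
    .map(([label]) => label);
}

// A hand-built object whose keys are defined name-first, to show that the
// probe really does report the legacy ordering.
function nameFirstObject() {
  const legacy = {};
  Object.defineProperty(legacy, "name", { value: "legacy" });
  Object.defineProperty(legacy, "length", { value: 0 });
  return legacy;
}

console.log("violations:", findViolations());                      // [] on a conforming engine
console.log("legacy order detected:", !lengthBeforeName(nameFirstObject()));
```

Running it prints an empty violation list on an engine that follows the merged spec change; adding a function kind to SAMPLE_FUNCTIONS is enough to extend the probe to further constructors.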
762
763 2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
764
765         [JSC] Proxy should be trapped if base value is primitive
766         https://bugs.webkit.org/show_bug.cgi?id=216764
767
768         Reviewed by Darin Adler.
769
770         While we have special care in JSObject::putInline etc., we missed it in JSValue::putToPrimitive.
771         So, if a proxy exists in the prototype chain of a primitive value (e.g. StringPrototype -> Proxy chain),
772         we miss the Proxy trap. We should have the ProxyObject special check in JSValue::putToPrimitive too.
773
774         * runtime/JSCJSValue.cpp:
775         (JSC::JSValue::putToPrimitive):
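
The following is an added example and not WebKit or JSC code. It demonstrates the behaviour the entry above fixes: when a Proxy sits in the prototype chain behind a primitive's wrapper, a store or load whose base value is the primitive must still reach the proxy's traps, with the primitive itself as the receiver. The function proxyTrapsOnPrimitive and its logging format are my own; it temporarily rewires String.prototype's prototype and restores it afterwards.

```javascript
// Added example, not WebKit/JSC code. Demonstrates the behaviour the entry
// above fixes: a Proxy sitting in the prototype chain of a primitive's wrapper
// must see [[Set]] (and [[Get]]) with the primitive itself as the receiver.
// proxyTrapsOnPrimitive and the trap logging format are my own.

function proxyTrapsOnPrimitive() {
  const log = [];
  const trapped = new Proxy(Object.create(null), {
    set(target, key, value, receiver) {
      log.push({ trap: "set", key, value, receiverType: typeof receiver });
      return true; // report success so the store does not throw in strict code
    },
    get(target, key, receiver) {
      if (key !== "probe") return undefined;
      log.push({ trap: "get", key, receiverType: typeof receiver });
      return "answered by proxy";
    },
  });

  // Splice the proxy in: String wrapper -> String.prototype -> trapped -> null.
  const originalProto = Object.getPrototypeOf(String.prototype);
  Object.setPrototypeOf(String.prototype, trapped);
  try {
    "hello".marker = 42;          // base value is a primitive, not an object
    const seen = "hello".probe;   // same for a read
    return { log, seen };
  } finally {
    Object.setPrototypeOf(String.prototype, originalProto); // undo the global change
  }
}

console.log(proxyTrapsOnPrimitive());
```

On a conforming engine the returned log holds one "set" record for `marker` and one "get" record for `probe`, both with a receiver of type "string"; an engine with the bug described above would perform the store on a temporary wrapper and never call the set trap.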
776
777 2020-09-20  Yusuke Suzuki  <ysuzuki@apple.com>
778
779         [JSC] Drop Options::useBigInt
780         https://bugs.webkit.org/show_bug.cgi?id=216743
781
782         Reviewed by Darin Adler.
783
784         Now BigInt is shipped. Let's just remove Options::useBigInt.
785
786         * bytecompiler/BytecodeGenerator.cpp:
787         (JSC::BytecodeGenerator::emitEqualityOpImpl):
788         * parser/Lexer.cpp:
789         (JSC::Lexer<T>::parseHex):
790         (JSC::Lexer<T>::parseBinary):
791         (JSC::Lexer<T>::parseOctal):
792         (JSC::Lexer<T>::parseDecimal):
793         * runtime/JSGlobalObject.h:
794         * runtime/OptionsList.h:
795
796 2020-09-20  Yusuke Suzuki  <ysuzuki@apple.com>
797
798         Unreviewed, use RELEASE_AND_RETURN to suppress exception verification failure
799         https://bugs.webkit.org/show_bug.cgi?id=216686
800         <rdar://problem/69157632>
801
802         * runtime/JSModuleNamespaceObject.cpp:
803         (JSC::JSModuleNamespaceObject::defineOwnProperty):
804
805 2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>
806
807         [JSC] Generator declaration should not be allowed in single statement context
808         https://bugs.webkit.org/show_bug.cgi?id=216720
809
810         Reviewed by Ross Kirsling.
811
812         A generator declaration in single statement context (like the following code) should be a syntax error.
813         We already made async function / async generator function declarations a syntax error. We should apply the same rule
814         to generator declarations too.
815
816             if (false)
817                 function * gen() { }
818
819         * parser/Parser.cpp:
820         (JSC::Parser<LexerType>::parseSingleFunction):
821         (JSC::Parser<LexerType>::parseStatement):
822         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
823         (JSC::Parser<LexerType>::parseFunctionDeclaration):
824         (JSC::Parser<LexerType>::parseExportDeclaration):
825         * parser/Parser.h:
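
The following is an added example and not WebKit or JSC code. It probes which function-declaration forms an engine accepts in a single-statement position, using the Function constructor as a parse-only oracle (the sources are compiled but never executed). The helper names (parses, classify, SINGLE_STATEMENT_CASES) and the case list are my own; the expectations follow the spec plus the Annex B allowances for sloppy-mode plain function declarations.

```javascript
// Added example, not WebKit/JSC code. Probes which function-declaration forms
// an engine accepts in a single-statement position, using Function() as a
// parser-only oracle (the source is compiled, never run). The helper names
// (parses, classify, SINGLE_STATEMENT_CASES) are mine.

// True when the source compiles as a sloppy-mode function body, false on
// SyntaxError; any other error is unexpected and is re-thrown.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (error) {
    if (error instanceof SyntaxError) return false;
    throw error;
  }
}

// Constructed cases. Annex B lets sloppy code put a plain function declaration
// directly in an if-clause or after a label; every other single-statement
// context, and every generator/async form, must be a syntax error.
const SINGLE_STATEMENT_CASES = {
  plainInIf:            "if (false) function f() {}",
  plainAfterLabel:      "lbl: function f() {}",
  generatorInIf:        "if (false) function* gen() {}",
  generatorAfterLabel:  "lbl: function* gen() {}",
  asyncInIf:            "if (false) async function af() {}",
  asyncGeneratorInIf:   "if (false) async function* agen() {}",
  plainInWhile:         "while (false) function f() {}",
  plainInIfStrict:      "'use strict'; if (false) function f() {}",
  generatorInBlock:     "if (false) { function* gen() {} }", // a block is fine
};

// Maps each label to whether the engine accepted the source.
function classify(cases = SINGLE_STATEMENT_CASES) {
  const accepted = {};
  for (const [label, source] of Object.entries(cases)) accepted[label] = parses(source);
  return accepted;
}

console.log(classify());
```

Only the two Annex B cases and the block-bodied case should come back as accepted; the generator case in the if-clause is exactly the form the entry above turns into a syntax error.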
826
827 2020-09-18  Yusuke Suzuki  <ysuzuki@apple.com>
828
829         [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct
830         https://bugs.webkit.org/show_bug.cgi?id=216717
831
832         Reviewed by Mark Lam.
833
834         When starting a full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for the upcoming marking.
835         However, this means that HeapCell::isLive will see this object as dead until it is marked.
836         Let's consider that this object is not a newly allocated one. Then, its isNewlyAllocated is false. And now the mark bit
837         is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, it looks dead while it is live.
838         This confuses the HeapCell::isLive function and makes some watchpoints perform wrong decisions (e.g. this condition is
839         no longer valid, let's just discard it).
840         At the beginning of a full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live
841         during marking. This is a similar trick to MarkedBlock::aboutToMark.
842
843         * heap/PreciseAllocation.cpp:
844         (JSC::PreciseAllocation::flip):
845
846 2020-09-18  Saam Barati  <sbarati@apple.com>
847
848         console APIs shouldn't crash making a string that's too long for a console warning when using user provided labels
849         https://bugs.webkit.org/show_bug.cgi?id=216709
850         <rdar://problem/68275357>
851
852         Reviewed by Mark Lam and Devin Rousso.
853
854         Various console APIs send warnings when a label can't be found. These warnings
855         include the label itself. If this label has a long enough length, when we make
856         these warning strings, we can crash, because we exceed max string length.
857         This patch fixes this by truncating the label everywhere it's used if it
858         exceeds a length of 10000.
859
860         * inspector/JSGlobalObjectConsoleClient.cpp:
861         (Inspector::JSGlobalObjectConsoleClient::profile):
862         * inspector/ScriptArguments.h:
863         * inspector/agents/InspectorConsoleAgent.cpp:
864         (Inspector::InspectorConsoleAgent::startTiming):
865         (Inspector::InspectorConsoleAgent::logTiming):
866         (Inspector::InspectorConsoleAgent::stopTiming):
867         (Inspector::InspectorConsoleAgent::count):
868         (Inspector::InspectorConsoleAgent::countReset):
869
870 2020-09-18  Keith Miller  <keith_miller@apple.com>
871
872         DFG should ensure there are PhantomLocals for the taken block of op_jneq_ptr
873         https://bugs.webkit.org/show_bug.cgi?id=216669
874
875         Reviewed by Saam Barati.
876
877         Right now, if there is a local that is live on the taken branch but dead on the
878         not-taken branch, then nothing will preserve it for OSR exit. This patch simply
879         adds a PhantomLocal for each live operand for the first bytecode of the taken block.
880
881         * dfg/DFGByteCodeParser.cpp:
882         (JSC::DFG::ByteCodeParser::parseBlock):
883
884 2020-09-18  Paulo Matos  <pmatos@igalia.com>
885
886         Unified build fixes from ARMv7 build failures
887         https://bugs.webkit.org/show_bug.cgi?id=216698
888
889         Reviewed by Adrian Perez de Castro.
890
891         * llint/LLIntThunks.cpp:
892         * runtime/FileBasedFuzzerAgent.cpp:
893         * runtime/FunctionExecutableDump.cpp:
894         * runtime/NativeExecutable.cpp:
895         * runtime/WeakMapImpl.cpp:
896
897 2020-09-17  Mark Lam  <mark.lam@apple.com>
898
899         Use OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in speculationFromCell()'s isSanePointer().
900         https://bugs.webkit.org/show_bug.cgi?id=216638
901
902         Reviewed by Saam Barati.
903
904         We should be using OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) instead of assuming the
905         width of the pointer address bits.
906
907         * bytecode/SpeculatedType.cpp:
908         (JSC::isSanePointer):
909
910 2020-09-17  Devin Rousso  <drousso@apple.com>
911
912         Web Inspector: REGRESSION(r266885): fix open source build
913         https://bugs.webkit.org/show_bug.cgi?id=216675
914
915         Reviewed by Timothy Hatcher.
916
917         Add back methods used by `WebInspector.framework`.
918
919         * inspector/InspectorBackendDispatcher.cpp:
920         (Inspector::BackendDispatcher::getInteger): Added.
921         (Inspector::BackendDispatcher::getDouble): Added.
922         (Inspector::BackendDispatcher::getString): Added.
923
924 2020-09-17  Tadeu Zagallo  <tzagallo@apple.com>
925
926         Inconsistent loop exit assertion in B3ReduceLoopStrength
927         https://bugs.webkit.org/show_bug.cgi?id=216274
928         <rdar://problem/68513573>
929
930         Reviewed by Keith Miller.
931
932         On B3ReduceLoopStrength, we first calculate where the loop exits to, and ensure there's only
933         one exit target. Later on, we compute how many places within the loop exit to that single exit
934         target. Currently, we assume that having a single target implies that we'll only ever have one
935         exit point, which is incorrect. To fix it, instead of asserting there should only be one exit
936         point, we just bail if we find more than one.
937
938         * b3/B3ReduceLoopStrength.cpp:
939         (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
940
941 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
942
943         [JSC] Async generator default-export is not handled
944         https://bugs.webkit.org/show_bug.cgi?id=216643
945
946         Reviewed by Ross Kirsling.
947
948         `export default async function * test() { }` syntax should be correctly handled.
949         This patch adds the code retrieving "test" name from the above declaration correctly.
950
951         * parser/Parser.cpp:
952         (JSC::Parser<LexerType>::parseExportDeclaration):
953
954 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
955
956         [JSC] Update JSModuleNamespaceObject::defineOwnProperty
957         https://bugs.webkit.org/show_bug.cgi?id=216640
958
959         Reviewed by Ross Kirsling.
960
961         This patch implements spec update of JSModuleNamespaceObject::defineOwnProperty.
962         We implement https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-defineownproperty-p-desc precisely.
963
964         * runtime/JSModuleNamespaceObject.cpp:
965         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
966         (JSC::JSModuleNamespaceObject::deleteProperty):
967         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
968         (JSC::JSModuleNamespaceObject::defineOwnProperty):
969
970 2020-09-17  Mark Lam  <mark.lam@apple.com>
971
972         Add some pointer sanity checks to speculationFromCell().
973         https://bugs.webkit.org/show_bug.cgi?id=216638
974         rdar://23226333
975
976         Reviewed by Yusuke Suzuki.
977
978         Add some sanity checks to mitigate against some potential pointer corruptions
979         from profiling data.  The goal here is not to exhaustively filter out all possible
980         bad pointers, but simply to filter out as many as possible to reduce crashes from
981         such bad pointers, and to do so with the least possible performance impact.
982
983         It is OK to do such filtering here because we're only trying to compute a
984         SpeculatedType from the pointer.  If the pointer is bad, we can just return
985         SpecNone indicating that we don't have any info to speculate on.
986
987         * bytecode/SpeculatedType.cpp:
988         (JSC::isSanePointer):
989         (JSC::speculationFromCell):
990         * runtime/StructureIDTable.h:
991         (JSC::StructureIDTable::tryGet):
992         * runtime/VM.h:
993         (JSC::VM::tryGetStructure):
994
995 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         Support export namespace `export * as ns`
998         https://bugs.webkit.org/show_bug.cgi?id=214379
999
1000         Reviewed by Ross Kirsling.
1001
1002         This patch supports `export * as ns from "module"` syntax. If it is used, we expose "module"'s namespace object as "ns".
1003         For each module environment, we create a *namespace* (starNamespace) private symbol scope variable. And we fill it later
1004         with the module namespace object. This way allows us to use the module namespace object IC and super fast imported module binding
1005         lookup through the environment variable lookup mechanism.
1006
1007         * builtins/BuiltinNames.h:
1008         * bytecompiler/BytecodeGenerator.cpp:
1009         (JSC::BytecodeGenerator::BytecodeGenerator):
1010         * parser/NodesAnalyzeModule.cpp:
1011         (JSC::ExportNamedDeclarationNode::analyzeModule):
1012         * parser/Parser.cpp:
1013         (JSC::Parser<LexerType>::parseExportDeclaration):
1014         * runtime/AbstractModuleRecord.cpp:
1015         (JSC::AbstractModuleRecord::ExportEntry::createNamespace):
1016         (JSC::AbstractModuleRecord::resolveExportImpl):
1017         (JSC::AbstractModuleRecord::getModuleNamespace):
1018         (JSC::AbstractModuleRecord::setModuleEnvironment):
1019         (JSC::AbstractModuleRecord::dump):
1020         * runtime/AbstractModuleRecord.h:
1021         * runtime/CommonIdentifiers.h:
1022         * runtime/JSFunction.cpp:
1023         (JSC::JSFunction::name):
1024         (JSC::JSFunction::reifyName):
1025         * runtime/JSModuleNamespaceObject.cpp:
1026         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
1027         * runtime/JSModuleRecord.cpp:
1028         (JSC::JSModuleRecord::instantiateDeclarations):
1029         (JSC::JSModuleRecord::evaluate):
1030         * wasm/js/JSWebAssemblyModule.cpp:
1031         (JSC::JSWebAssemblyModule::finishCreation):
1032         * wasm/js/WebAssemblyModuleRecord.cpp:
1033         (JSC::WebAssemblyModuleRecord::link):
1034
1035 2020-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1036
1037         [JSC] Optimize Promise#finally by avoiding creating multiple environments
1038         https://bugs.webkit.org/show_bug.cgi?id=216637
1039
1040         Reviewed by Ross Kirsling.
1041
1042         Let's just create functions inside Promise#finally. This avoids creating
1043         multiple lexical environments that are captured by each function.
1044
1045         * builtins/PromisePrototype.js:
1046         (finally):
1047         (globalPrivate.getThenFinally): Deleted.
1048         (globalPrivate.getCatchFinally): Deleted.
1049
1050 2020-09-16  Saam Barati  <sbarati@apple.com>
1051
1052         Don't IC a null custom accessor/value setter
1053         https://bugs.webkit.org/show_bug.cgi?id=216620
1054         <rdar://problem/68976066>
1055
1056         Reviewed by Mark Lam.
1057
1058         Our runtime allows a CustomGetterSetter object's setter field to not contain an
1059         actual C function to call. In such a scenario, the runtime just does nothing
1060         except return false to the ::put code (which may result in throwing an
1061         exception in strict mode code).
1062
1063         However, our IC code never considered whether this function could be nullptr.
1064         The fix here is simple: don't IC such custom accessor/value setters.
1065
1066         * runtime/PutPropertySlot.h:
1067         (JSC::PutPropertySlot::isCacheableCustom const):
1068
1069 2020-09-16  Philippe Normand  <pnormand@igalia.com>
1070
1071         [Flatpak SDK][WPE] Launching the remote inspector kills MB
1072         https://bugs.webkit.org/show_bug.cgi?id=213899
1073
1074         Reviewed by Adrian Perez de Castro.
1075
1076         Load inspector resources from developer build artefacts when the inspector server is
1077         running in this configuration. Fall back to the system library loading mechanism otherwise.
1078
1079         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1080         (Inspector::backendCommands):
1081
1082 2020-09-16  Adrian Perez de Castro  <aperez@igalia.com>
1083
1084         Non-unified build fixes, early September 2020 edition
1085         https://bugs.webkit.org/show_bug.cgi?id=216599
1086
1087         Unreviewed build fix.
1088
1089         Largely based on a patch by Lauro Moura <lmoura@igalia.com>
1090
1091         * runtime/IntlCache.cpp: Add missing wtf/Vector.h include.
1092         * runtime/IntlCache.h: Add missing wtf/text/CString.h include.
1093         * runtime/IntlNumberFormatPrototype.cpp: Replace IntlNumberFormat.h
1094         include with IntlNumberFormatInlines.h to fix linking.
1095
1096 2020-09-15  Saam Barati  <sbarati@apple.com>
1097
1098         JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
1099         https://bugs.webkit.org/show_bug.cgi?id=216589
1100         <rdar://problem/68061245>
1101
1102         Reviewed by Yusuke Suzuki.
1103
1104         We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
1105         but we were failing to always return a boxed double value for double loads.
1106         We were calling jsNumber instead of jsDoubleNumber. This is in contrast to
1107         the runtime, which always returns a double boxed value. This would lead AI
1108         to disagree with the runtime, and miscompile code.
1109
1110         * runtime/JSImmutableButterfly.h:
1111         (JSC::JSImmutableButterfly::get const):
1112
1113 2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>
1114
1115         [JSC] Cache UDateTimePatternGenerator
1116         https://bugs.webkit.org/show_bug.cgi?id=213454
1117
1118         Reviewed by Ross Kirsling.
1119
1120         The ICU udatpg_open function is particularly slow. As a result, ~80% of the time is spent in this function when calling Date#toLocaleString.
1121         We should have a last-used cache in the VM, which covers major cases like "one locale (possibly the default locale) is used and toLocaleString
1122         is continuously called with that locale".
1123
1124         This significantly improves toLocaleString / toLocaleDateString / toLocaleTimeString performance.
1125
1126                                                    ToT                     Patched
1127
1128             date-to-locale-string           392.0092+-0.6811     ^     87.3196+-3.1598        ^ definitely 4.4894x faster
1129             date-to-locale-date-string      377.9117+-7.8701     ^     70.4155+-3.6661        ^ definitely 5.3669x faster
1130             date-to-locale-time-string      373.1970+-3.0142     ^     67.3790+-2.8952        ^ definitely 5.5388x faster
1131
1132
1133         * JavaScriptCore.xcodeproj/project.pbxproj:
1134         * Sources.txt:
1135         * runtime/IntlCache.cpp: Added.
1136         (JSC::IntlCache::cacheSharedPatternGenerator):
1137         (JSC::IntlCache::getBestDateTimePattern):
1138         * runtime/IntlCache.h: Added.
1139         (JSC::IntlCache::getSharedPatternGenerator):
1140         * runtime/IntlDateTimeFormat.cpp:
1141         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1142         * runtime/VM.cpp:
1143         (JSC::VM::VM):
1144         * runtime/VM.h:
1145         (JSC::VM::intlCache):
1146
1147 2020-09-15  HyeockJin Kim  <kherootz@gmail.com>
1148
1149         Check whether the iterator is callable in spread
1150         https://bugs.webkit.org/show_bug.cgi?id=215974
1151
1152         Reviewed by Darin Adler.
1153
1154         * builtins/IteratorHelpers.js:
1155         (performIteration):
1156
1157 2020-09-15  Tadeu Zagallo  <tzagallo@apple.com>
1158
1159         Object allocation sinking forgets escaped nodes when structure changes
1160         https://bugs.webkit.org/show_bug.cgi?id=216214
1161         <rdar://problem/68518460>
1162
1163         Reviewed by Saam Barati.
1164
1165         Consider the following program:
1166             bb0:
1167                 a: NewObject
1168                 b: CreateActivation()
1169                 _: Branch(bb2, bb1)
1170             bb1:
1171                 _: PutByOffset(a, 'x', 42)
1172                 _: PutStructure(a, {x: 0})
1173                 _: Branch(bb2, bb1)
1174             bb2:
1175                 _: CheckStructure(a, {x: 0})
1176                 _: PutClosureVar(b, 0, Kill:a)
1177                 _: Branch(bb3, bb2)
1178             bb3:
1179                 c: GetClosureVar(b, 0)
1180                 _: PutByOffset(global, 'y', c)
1181                 _: Return
1182
1183         Due to the order we visit the program, we'll visit bb2 before bb1. The first time we visit bb2, heapAtHead will be:
1184             #@a: ObjectAllocation({})
1185             #@b: ActivationAllocation()
1186             @a => #@a
1187             @b => #@b
1188
1189         Now CheckStructure would always fail, so it will escape @a and heapAtTail will be:
1190             #@a: EscapedAllocation()
1191             #@b: ActivationAllocation()
1192             @a => #@a
1193             @b => #@b
1194
1195         And after pruning:
1196             #@b: ActivationAllocation()
1197             @b => #@b
1198
1199         Now, we'll visit bb3 and then bb1. When we visit bb1 we'll set the structure {x: 0} for the #@a and eventually visit bb2 again. This time around CheckStructure will no longer escape @a, since the allocation has the right structure, and heapAtTail will be:
1200             #@a: ObjectAllocation({x: 0})
1201             #@b: ActivationAllocation(0: #@a)
1202             @b => #@b
1203
1204         However, we now have to merge into bb3, which has heapAtHead:
1205             #@b: ActivationAllocation()
1206             @b => #@b
1207
1208         Since we can't add the extra field to the activation, we'll end up escaping @a at the edge and therefore pruning #@b, which will leave the heap for bb3 unchanged.
1209         That's a problem, since PutClosureVar didn't see the escaped object, but GetClosureVar thinks it's escaped. The materialization for @a will be placed after the
1210         PutClosureVar, at end of bb2, when the node is already dead. When computing the SSA defs, the PutByOffset at bb3 will then see @a (which at this point will be a
1211         PhantomNewObject) instead of its materialization.
1212
1213         The issue happens because we don't allow allocations to add extra fields while merging, but we do allow adding new structures. This results in different decisions
1214         being made about what escapes in CheckStructure and MultiGetByOffset. To avoid this problem, we track two sets of structures: structures and structuresForMaterialization.
1215         The first is used for checks and should never grow while the second is used for materialization and is allowed to grow.
1216
1217         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1218
1219 2020-09-15  Saam Barati  <sbarati@apple.com>
1220
1221         CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property
1222         https://bugs.webkit.org/show_bug.cgi?id=216575
1223         <rdar://problem/68286930>
1224
1225         Reviewed by Yusuke Suzuki.
1226
1227         The CustomFunctionEquivalence PropertyCondition would only return false from
1228         isStillValidAssumingImpurePropertyWatchpoint if the Structure's static
1229         property table was reified or if the static property table did not contain the
1230         property. However, this missed the obvious case where we store to this
1231         property in normal object storage without reifying the static property table.
1232         The fix here is simple: we first check if the Structure's property table
1233         has this property, and if so, return false.
1234
1235         This patch also renames CustomFunctionEquivalence to HasStaticProperty to
1236         better capture what we're doing.
1237
1238         * bytecode/ObjectPropertyCondition.h:
1239         (JSC::ObjectPropertyCondition::hasStaticProperty):
1240         (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted.
1241         * bytecode/ObjectPropertyConditionSet.cpp:
1242         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
1243         (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
1244         (JSC::generateConditionsForPrototypePropertyHitCustom):
1245         * bytecode/PropertyCondition.cpp:
1246         (JSC::PropertyCondition::dumpInContext const):
1247         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1248         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1249         (JSC::PropertyCondition::isStillValid const):
1250         (JSC::PropertyCondition::isWatchableWhenValid const):
1251         (WTF::printInternal):
1252         * bytecode/PropertyCondition.h:
1253         (JSC::PropertyCondition::hasStaticProperty):
1254         (JSC::PropertyCondition::hash const):
1255         (JSC::PropertyCondition::operator== const):
1256         (JSC::PropertyCondition::customFunctionEquivalence): Deleted.
1257         * tools/JSDollarVM.cpp:
1258         (JSC::functionCreateStaticCustomValue):
1259         (JSC::JSDollarVM::finishCreation):
1260
1261 2020-09-15  Yusuke Suzuki  <ysuzuki@apple.com>
1262
1263         [JSC] Apply Intl.DateTimeFormat hour-cycle correctly when timeStyle is used
1264         https://bugs.webkit.org/show_bug.cgi?id=216521
1265
1266         Reviewed by Ross Kirsling.
1267
1268         When specifying timeStyle in Intl.DateTimeFormat, we need to check that the generated format also follows the hourCycle / hour12 options
1269         specified in the constructor. Because dayPeriod can be included automatically, just replacing symbols after generating a pattern can produce a strange result.
1270         For example, the generated one is something like "02:12:47 PM Coordinated Universal Time". And we adjust the pattern to make it "14:12:47 PM Coordinated Universal Time"
1271         when hourCycle H23 / H24 is specified. But this looks strange since the dayPeriod "PM" should not exist when using H23 / H24.
1272
1273         In this patch, we revise our hour-cycle handling in Intl.DateTimeFormat. We align our behavior with SpiderMonkey's[1] rather than the spec's: when hour12 is specified,
1274         we just use the 'H' or 'h' skeleton and do not enforce the hour-cycle after generating the pattern in the hour12 case. If hour12 is not specified, then we use the 'h' or 'H' skeleton
1275         symbols based on hour-cycle, and later we modify the pattern based on hour-cycle. If neither is offered, we use 'j', which allows ICU to pick the preferable one.
1276         This is slightly different behavior from the spec (hcDefault etc.), but the spec's behavior can cause a somewhat surprising result[2,3], and the SpiderMonkey-like behavior will be
1277         integrated into the spec eventually[4].
1278
1279         [1]: https://github.com/tc39/ecma402/issues/402#issuecomment-623628320
1280         [2]: https://github.com/tc39/ecma402/issues/402
1281         [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=1045791
1282         [4]: https://github.com/tc39/ecma402/pull/436
1283
1284         * runtime/IntlDateTimeFormat.cpp:
1285         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
1286         (JSC::IntlDateTimeFormat::parseHourCycle):
1287         (JSC::IntlDateTimeFormat::hourCycleFromPattern):
1288         (JSC::IntlDateTimeFormat::replaceHourCycleInSkeleton):
1289         (JSC::IntlDateTimeFormat::replaceHourCycleInPattern):
1290         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1291         (JSC::IntlDateTimeFormat::hourCycleString):
1292         (JSC::IntlDateTimeFormat::resolvedOptions const):
1293         (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
1294         * runtime/IntlDateTimeFormat.h:
1295
1296 2020-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
1297
1298         [JSC] Intl.Collator should take collation option
1299         https://bugs.webkit.org/show_bug.cgi?id=216529
1300
1301         Reviewed by Ross Kirsling.
1302
1303         This patch adds a "collation" option to Intl.Collator. We are already getting consensus[1], and it will be integrated into the spec.
1304         Previously, passing "collation" was only available through the "-u-co-" unicode extension in the passed locale. The proposal exposes
1305         collation as an option to Intl.Collator so that we can set it easily.
1306         "collation" is used only when "usage" is "sort". "search" usage will filter out collation options since "search" itself is one of
1307         the "collation" options.
1308
1309         [1]: https://github.com/tc39/ecma402/pull/459
1310
1311         * runtime/IntlCollator.cpp:
1312         (JSC::IntlCollator::sortLocaleData):
1313         (JSC::IntlCollator::initializeCollator):
1314
1315 2020-09-15  Joonghun Park  <jh718.park@samsung.com>
1316
1317         Unreviewed. Remove the build warning below since r228533.
1318         warning: ‘%40s’ directive argument is null [-Wformat-overflow=]
1319
1320         Since gcc versions >= 9 are stricter about passing null string
1321         pointers to printf-like functions, add a null string pointer check
1322         to fix the warning proactively.
1323
1324         * jsc.cpp:
1325         (runJSC):
1326
1327 2020-09-14  Keith Miller  <keith_miller@apple.com>
1328
1329         BytecodeParser should GetLocal op_ret's value even if it's unused by the caller
1330         https://bugs.webkit.org/show_bug.cgi?id=216506
1331
1332         Reviewed by Mark Lam.
1333
1334         We have to unconditionally GetLocal operands each bytecode claims to use
1335         regardless of true liveness. This is important to keep OSRAvailability simple.
1336         However, op_ret would only GetLocal the return value if we knew the value
1337         was going to be used by an inline caller.
1338
1339         * dfg/DFGByteCodeParser.cpp:
1340         (JSC::DFG::ByteCodeParser::parseBlock):
1341
1342 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
1343
1344         Proxy's "ownKeys" trap result should not be sorted
1345         https://bugs.webkit.org/show_bug.cgi?id=216227
1346
1347         Reviewed by Yusuke Suzuki.
1348
1349         Given that we can't know whether ownPropertyKeys() received property names from
1350         userland Proxy's "ownKeys" trap, this patch moves symbols after strings sorting [1]
1351         to Structure::getPropertyNamesFromStructure(), aligning observed property order
1352         (via Proxy's "getOwnPropertyDescriptor" trap) with V8 and SpiderMonkey.
1353
1354         Also removes the sorting logic duplication in objectConstructorAssign().
1355
1356         This change is neutral on provided Reflect.ownKeys microbenchmark. Although property
1357         name collection besides PropertyNameMode::StringsAndSymbols cases is unaffected,
1358         Object.{keys,getOwnPropertySymbols} microbenchmarks regress by 6-12% due to
1359         increased Structure::getPropertyNamesFromStructure() code size.
1360
1361         [1]: https://tc39.es/ecma262/#sec-ordinaryownpropertykeys (steps 3-4)
1362
1363         * runtime/ObjectConstructor.cpp:
1364         (JSC::objectConstructorAssign):
1365         (JSC::ownPropertyKeys):
1366         * runtime/Structure.cpp:
1367         (JSC::Structure::getPropertyNamesFromStructure):
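
        The ordering described above, as an added example that is not part of the WebKit change: a reference implementation of the OrdinaryOwnPropertyKeys ordering (steps 2-4 of [1]) checked against Reflect.ownKeys, plus a Proxy whose "ownKeys" trap result is observed in trap order rather than sorted. The helper names and the sample objects are constructed for this illustration.

```javascript
// Added example, not from the WebKit ChangeLog or JSC sources.

const MAX_ARRAY_INDEX = 4294967295; // 2^32 - 1; an array index is strictly below this

// An array index is a canonical numeric string whose value is in [0, 2^32 - 2].
function isArrayIndex(key) {
  if (typeof key !== "string") return false;
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < MAX_ARRAY_INDEX && String(n) === key;
}

// Mirrors https://tc39.es/ecma262/#sec-ordinaryownpropertykeys steps 2-4, given
// the own keys in property-creation order (what a Structure traversal yields):
// array indices ascending, then remaining strings, then symbols.
function ordinaryOwnPropertyKeys(keysInCreationOrder) {
  const indices = keysInCreationOrder
    .filter(isArrayIndex)
    .sort((a, b) => Number(a) - Number(b));
  const strings = keysInCreationOrder.filter((k) => typeof k === "string" && !isArrayIndex(k));
  const symbols = keysInCreationOrder.filter((k) => typeof k === "symbol");
  return [...indices, ...strings, ...symbols];
}

const symA = Symbol("a");
const symB = Symbol("b");

// Constructed sample: an ordinary object whose keys are created in a scrambled order.
function buildScrambledObject() {
  const o = {};
  o[symB] = 1;
  o["10"] = 2;
  o.zeta = 3;
  o["2"] = 4;
  o[symA] = 5;
  o.alpha = 6;
  return o;
}
const CREATION_ORDER = [symB, "10", "zeta", "2", symA, "alpha"];

// True when the engine's Reflect.ownKeys agrees with the spec ordering above.
function engineMatchesSpecOrder() {
  const expected = ordinaryOwnPropertyKeys(CREATION_ORDER);
  const actual = Reflect.ownKeys(buildScrambledObject());
  return expected.length === actual.length && expected.every((k, i) => k === actual[i]);
}

// A Proxy whose "ownKeys" trap hands back keys in an order the ordinary algorithm
// would never produce (symbol first, array index in the middle). The trap result
// must still satisfy the Proxy invariants: strings/symbols only, no duplicates,
// and every non-configurable target key present (the target has none here).
function proxyOwnKeysOrder() {
  const target = { alpha: 1, "2": 2, zeta: 3, [symA]: 4 };
  const trapResult = [symA, "zeta", "2", "alpha"];
  const descriptorCalls = [];
  const proxy = new Proxy(target, {
    ownKeys() { return trapResult; },
    getOwnPropertyDescriptor(t, key) {
      descriptorCalls.push(key); // records the order consumers of [[OwnPropertyKeys]] use
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
  return {
    reflect: Reflect.ownKeys(proxy), // trap order, untouched
    keys: Object.keys(proxy),        // string keys, still in trap order
    descriptorCalls,                 // getOwnPropertyDescriptor observed in trap order
  };
}
```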
1368
1369 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
1370
1371         ArraySetLength should coerce [[Value]] before descriptor validation
1372         https://bugs.webkit.org/show_bug.cgi?id=158791
1373
1374         Reviewed by Darin Adler.
1375
1376         This patch:
1377
1378         1. Moves [[Value]] coercion before descriptor validation as per spec [1],
1379            which fixes ASSERT() failure and aligns JSC with V8 & SpiderMonkey.
1380
1381         2. Prevents JSArray::setLengthWithArrayStorage() from throwing if the length
1382            is unchanged, even if it's read-only [2].
1383
1384         3. Refactors JSArray::defineOwnProperty() leveraging #2 to always perform
1385            setLength(), which greatly reduces the number of checks, branches,
1386            and setLengthWritable() calls.
1387
1388         Following the ArraySetLength spec steps precisely [1] would result in
1389         more difficult-to-follow code because descriptor validation [2] is inlined
1390         and [[Delete]] failures are handled in setLength().
1391
1392         This change is performance-neutral as it doesn't affect JSArray::put(),
1393         which was vetted to be spec-correct and is covered by test262 suite.
1394
1395         [1]: https://tc39.es/ecma262/#sec-arraysetlength (steps 3-4)
1396         [2]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 7.a.ii)
1397
1398         * runtime/JSArray.cpp:
1399         (JSC::JSArray::defineOwnProperty):
1400         (JSC::JSArray::setLengthWithArrayStorage):
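
        The coercion-before-validation order from [1] and the unchanged-read-only-length case from [2], as an added JavaScript example that is not part of the WebKit patch. defineLengthOnReadOnlyArray and the three case functions are constructed for this illustration; the spec calls valueOf twice (ToUint32, then ToNumber), so the test only relies on it being called before validation.

```javascript
// Added example, not from the WebKit ChangeLog or JSC sources.
//
// ArraySetLength steps 3-4 coerce Desc.[[Value]] before the descriptor is
// validated against the current length, so coercion side effects and
// RangeErrors surface first, and the TypeError for a read-only length comes
// only afterwards. Redefining the same length on a read-only length property
// must succeed (ValidateAndApplyPropertyDescriptor step 7.a.ii).

// Hypothetical helper: defines the descriptor produced by `makeDesc(log)` on
// "length" of a 3-element array whose length is read-only, and returns an
// event log plus the resulting length.
function defineLengthOnReadOnlyArray(makeDesc) {
  const arr = [1, 2, 3];
  Object.defineProperty(arr, "length", { writable: false });
  const log = [];
  try {
    Object.defineProperty(arr, "length", makeDesc(log));
    log.push("defined");
  } catch (e) {
    log.push(e.constructor.name); // "RangeError" or "TypeError"
  }
  return { log, length: arr.length };
}

// Case 1: the same length (3) supplied as an object. valueOf runs (and is
// logged), then validation accepts the unchanged value: no throw.
function unchangedLengthViaValueOf() {
  return defineLengthOnReadOnlyArray((log) => ({
    value: { valueOf() { log.push("valueOf"); return 3; } },
  }));
}

// Case 2: a different length (2). Coercion still runs first; only then does
// validation reject the write to a read-only length with a TypeError.
function changedLengthViaValueOf() {
  return defineLengthOnReadOnlyArray((log) => ({
    value: { valueOf() { log.push("valueOf"); return 2; } },
  }));
}

// Case 3: a non-integer length. ToUint32(2.5) !== ToNumber(2.5) is a
// RangeError raised before the read-only check is ever reached.
function fractionalLength() {
  return defineLengthOnReadOnlyArray(() => ({ value: 2.5 }));
}
```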
1401
1402 2020-09-14  Saam Barati  <sbarati@apple.com>
1403
1404         Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
1405         https://bugs.webkit.org/show_bug.cgi?id=216485
1406         <rdar://problem/68562804>
1407
1408         Reviewed by Keith Miller.
1409
1410         We had an assert inside lowCell that if a value was not part of the JSValue
1411         hashmap of values, then the type must not conform to being a cell. However,
1412         consider a program like this:
1413         
1414         ```
1415         x = ArithAdd(i32, i32) <-- x is an i32 here
1416         if (b) {
1417             Check(Cell:@x)
1418             ArrayifyToStructure(@x, thingy)
1419         }
1420         <-- HERE
1421         ```
1422         
1423         @x will live in FTLLower's i32 hashmap, but because of the AI rule for
1424         ArrayifyToStructure, it will also have SpecCell in its type. This is totally
1425         valid, and asserting that this isn't possible is wrong. (Obviously the above
1426         speculation is stupid, as we will always exit at the Check, but it's valid IR.)
1427         
1428         This patch removes this assertion from lowCell, and removes similar assertions
1429         from other low* functions.
1430
1431         * ftl/FTLLowerDFGToB3.cpp:
1432         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1433         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
1434         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1435         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1436         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
1437
1438 2020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
1439
1440         Make a few built-in methods throw if called as top-level functions
1441         https://bugs.webkit.org/show_bug.cgi?id=216467
1442
1443         Reviewed by Darin Adler.
1444
1445         Non-strict userland functions substitute undefined & null `this` values
1446         with the global object [1], while built-in functions do not [2].
1447
1448         This patch adds 5 missing toThis(globalObject, ECMAMode::strict()) calls,
1449         preventing built-in methods from being called as top-level functions:
1450
1451         ```
1452         let {toString} = Error.prototype;
1453         toString(); // now throws TypeError
1454         ```
1455
1456         Aligns JSC with V8 and SpiderMonkey.
1457         This change is performance-neutral due to DFG inlining of OpToThis.
1458         All other callFrame->thisValue() usages were vetted to be spec-correct.
1459
1460         [1]: https://tc39.es/ecma262/#sec-ordinarycallbindthis (step 6.a.iii)
1461         [2]: https://tc39.es/ecma262/#sec-built-in-function-objects-call-thisargument-argumentslist (step 10)
1462
1463         * runtime/ArrayPrototype.cpp:
1464         (JSC::createArrayIteratorObject):
1465         * runtime/DatePrototype.cpp:
1466         (JSC::dateProtoFuncToPrimitiveSymbol):
1467         (JSC::dateProtoFuncToJSON):
1468         * runtime/ErrorPrototype.cpp:
1469         (JSC::errorProtoFuncToString):
1470         * runtime/RegExpPrototype.cpp:
1471         (JSC::regExpProtoFuncToString):
1472
1473 2020-09-14  Devin Rousso  <drousso@apple.com>
1474
1475         Web Inspector: REGRESSION(r266885): dyld: Symbol not found: __ZN9Inspector17BackendDispatcher12sendResponseElON3WTF6RefPtrINS1_8JSONImpl6ObjectENS1_13DumbPtrTraitsIS4_EEEEb
1476         https://bugs.webkit.org/show_bug.cgi?id=216486
1477
1478         Reviewed by Joseph Pecoraro.
1479
1480         * inspector/InspectorBackendDispatcher.h:
1481         * inspector/InspectorBackendDispatcher.cpp:
1482         (Inspector::BackendDispatcher::sendResponse):
1483         Add back overloads removed in r266885 so that the symbols exist.
1484
1485 2020-09-14  Saam Barati  <sbarati@apple.com>
1486
1487         Don't assume byte code operands are uint32 JSValues
1488         https://bugs.webkit.org/show_bug.cgi?id=216386
1489
1490         Reviewed by Yusuke Suzuki.
1491
1492         The slow path for enumerator_generic_pname was assuming that its input index operand
1493         would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
1494         because that value can have double format in the DFG, and remain in that format when
1495         we exit from the DFG to baseline/LLInt code.
1496         
1497         This was found via the widening number fuzzing agent.
1498         
1499         I also audited two more places that seem like they suffer from the same issue,
1500         and also switched them to using the asUInt32AsAnyInt function:
1501         - enumerator_structure_pname
1502         - create_rest
1503
1504         * runtime/CommonSlowPaths.cpp:
1505         (JSC::SLOW_PATH_DECL):
1506
1507 2020-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
1508
1509         [JSC] Canonicalize "true" unicode extension type value to ""
1510         https://bugs.webkit.org/show_bug.cgi?id=216224
1511
1512         Reviewed by Ross Kirsling.
1513
1514         Unicode Technical Standard #35 defines that a unicode extension type value of "true" should be converted to "".
1515         This patch implements it by extracting unicode extension subtags and replacing "true" with "".
1516
1517         * runtime/IntlLocale.cpp:
1518         (JSC::LocaleIDBuilder::toCanonical):
1519         (JSC::IntlLocale::keywordValue const):
1520         (JSC::IntlLocale::calendar):
1521         (JSC::IntlLocale::caseFirst):
1522         (JSC::IntlLocale::collation):
1523         (JSC::IntlLocale::hourCycle):
1524         (JSC::IntlLocale::numberingSystem):
1525         (JSC::IntlLocale::numeric):
1526         * runtime/IntlLocale.h:
1527         * runtime/IntlLocalePrototype.cpp:
1528         (JSC::IntlLocalePrototypeGetterCalendar):
1529         (JSC::IntlLocalePrototypeGetterCaseFirst):
1530         (JSC::IntlLocalePrototypeGetterCollation):
1531         (JSC::IntlLocalePrototypeGetterHourCycle):
1532         (JSC::IntlLocalePrototypeGetterNumberingSystem):
1533         * runtime/IntlObject.cpp:
1534         (JSC::unicodeExtensionSubTags):
1535         (JSC::canonicalizeUnicodeExtensionsAfterICULocaleCanonicalization):
1536         (JSC::languageTagForLocaleID):
1537         (JSC::resolveLocale):
1538         * runtime/IntlObject.h:
1539         * runtime/IntlObjectInlines.h:
1540         (JSC::computeTwoCharacters16Code):
1541         * runtime/StringPrototype.cpp:
1542         (JSC::computeTwoCharacters16Code): Deleted.
1543
1544 2020-09-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1545
1546         [JSC] attribute-change transition should not pin Structure
1547         https://bugs.webkit.org/show_bug.cgi?id=215528
1548
1549         Reviewed by Saam Barati.
1550
1551         This patch avoids using pin in attribute-change transition. To achieve this, attribute-change transition is now fully supported in the
1552         transition chain in forEachPropertyConcurrently etc.: we can retrieve properties with changed attributes correctly via traversing the
1553         transition chain. And we also support attribute-change transition in materializePropertyTable, so we do not need to pin the structure.
1554
1555         The design largely mimics the existing removePropertyTransition and addPropertyTransition. This patch also adds a `hasBeenDictionary()`
1556         check before adding the structure to the transition so that we can avoid adding an unnecessary structure entry to the transition table.
1557
1558         * bytecode/AccessCase.cpp:
1559         (JSC::AccessCase::generateImpl):
1560         * dfg/DFGClobberize.h:
1561         (JSC::DFG::clobberize):
1562         * ftl/FTLLowerDFGToB3.cpp:
1563         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1564         * jit/Repatch.cpp:
1565         (JSC::tryCacheDeleteBy):
1566         * runtime/Structure.cpp:
1567         (JSC::Structure::materializePropertyTable):
1568         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1569         (JSC::Structure::addPropertyTransition):
1570         (JSC::Structure::addNewPropertyTransition):
1571         (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
1572         (JSC::Structure::removeNewPropertyTransition):
1573         (JSC::Structure::attributeChangeTransitionToExistingStructure):
1574         (JSC::Structure::attributeChangeTransition):
1575         (JSC::Structure::nonPropertyTransitionSlow):
1576         (JSC::Structure::attributeChange):
1577         * runtime/Structure.h:
1578         * runtime/StructureInlines.h:
1579         (JSC::Structure::forEachPropertyConcurrently):
1580         (JSC::Structure::attributeChange):
1581         (JSC::Structure::attributeChangeWithoutTransition):
1582         * tools/JSDollarVM.cpp:
1583         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
1584
1585 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1586
1587         [JSC] customGetterSetterFunctionCall should have proper exception checking
1588         https://bugs.webkit.org/show_bug.cgi?id=216391
1589         <rdar://problem/68631643>
1590
1591         Reviewed by Mark Lam.
1592
1593         Add appropriate exception checking to customGetterSetterFunctionCall.
1594
1595         * runtime/JSCustomGetterSetterFunction.cpp:
1596         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1597
1598 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1599
1600         [JSC] Add exception checks to JSCallbackObject
1601         https://bugs.webkit.org/show_bug.cgi?id=216384
1602         <rdar://problem/68632190>
1603
1604         Reviewed by Saam Barati.
1605
1606         This patch adds necessary exception checks to JSCallbackObject to suppress exception verifier crash in Debug build.
1607
1608         * API/JSCallbackObjectFunctions.h:
1609         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1610         (JSC::JSCallbackObject<Parent>::defaultValue):
1611         (JSC::JSCallbackObject<Parent>::put):
1612         (JSC::JSCallbackObject<Parent>::putByIndex):
1613         (JSC::JSCallbackObject<Parent>::deleteProperty):
1614         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1615
1616 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1617
1618         [JSC] agent start function should move isolated copy of source
1619         https://bugs.webkit.org/show_bug.cgi?id=216383
1620         <rdar://problem/66371008>
1621
1622         Reviewed by Saam Barati.
1623
1624         We are calling `isolatedCopy()` and setting it to a variable in the caller thread. And we are copying it to the thread.
1625         This means that ref-counting will happen in both the caller thread and the callee thread, which is wrong.
1626         We should pass the isolatedCopy string directly to the callee thread.
1627
1628         * jsc.cpp:
1629         (functionDollarAgentStart):
1630
1631 2020-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1632
1633         [JSC] unshift / shift should take structure lock
1634         https://bugs.webkit.org/show_bug.cgi?id=216378
1635         <rdar://problem/68496096>
1636
1637         Reviewed by Mark Lam.
1638
1639         When unshifting / shifting a butterfly, we need to move property storage values too.
1640         If property storage values are moved while the concurrent JIT compiler is accessing them, it could read a garbage value.
1641
1642         For example, suppose the concurrent JIT compiler is accessing property storage [2].
1643
1644                             1          2         3
1645                        [ JSValue ][ JSValue ][ Header ]
1646
1647         But unshift moved it like this.
1648
1649                             1          2         3
1650             [ JSValue ][ JSValue ][ Header ]
1651
1652         Since the butterfly pointer held by the JSObject is not updated yet, the concurrent JIT compiler will read [ Header ] as a JSValue and crash.
1653         In this patch, we take the structure lock when shifting an existing butterfly since this affects property storage. Since JSObject::getDirectConcurrently
1654         takes a structure lock, this locking prevents concurrent compilers from getting an invalid value.
1655
1656         * runtime/JSArray.cpp:
1657         (JSC::JSArray::unshiftCountSlowCase):
1658         (JSC::JSArray::shiftCountWithArrayStorage):
1659         (JSC::JSArray::unshiftCountWithArrayStorage):
1660
1661 2020-09-10  Joonghun Park  <jh718.park@samsung.com>
1662
1663         Unreviewed. Remove the build warning below since r266885.
1664         warning: redundant move in return statement [-Wredundant-move]
1665
1666         Because the return statement already returns an rvalue reference,
1667         we don't need WTFMove at return.
1668
1669         * inspector/agents/InspectorRuntimeAgent.cpp:
1670         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1671         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1672
1673 2020-09-10  Alexey Shvayka  <shvaikalesh@gmail.com>
1674
1675         Promise.prototype.finally should perform PromiseResolve
1676         https://bugs.webkit.org/show_bug.cgi?id=176006
1677
1678         Reviewed by Yusuke Suzuki.
1679
1680         This patch extracts @promiseResolve global private function and utilizes it in
1681         Promise.prototype.finally then/catch functions [1] to avoid creating an extra
1682         Promise Capability. Aligns JSC with V8 and SpiderMonkey.
1683
1684         [1]: https://tc39.es/ecma262/#sec-thenfinallyfunctions (step 7)
1685
1686         * builtins/PromiseConstructor.js:
1687         (resolve):
1688         * builtins/PromiseOperations.js:
1689         (globalPrivate.promiseResolve):
1690         * builtins/PromisePrototype.js:
1691         (globalPrivate.getThenFinally):
1692         (globalPrivate.getCatchFinally):
1693
1694 2020-09-10  Devin Rousso  <drousso@apple.com>
1695
1696         Web Inspector: modernize generated backend protocol code
1697         https://bugs.webkit.org/show_bug.cgi?id=216302
1698         <rdar://problem/68547649>
1699
1700         Reviewed by Brian Burg.
1701
1702         Previously, the inspector protocol was expressed in code in a somewhat confusing way:
1703          - the error string was the first argument
1704          - required parameters were `T` or `const T&`
1705          - optional parameters were `const T*`
1706          - enum parameters were the underlying type requiring the backend dispatcher handler to
1707            process it instead of it being preprocessed
1708          - required returns were `T&`
1709          - optional returns were `T*`
1710         This doesn't really make for easy/obvious reading of code since the order of arguments is
1711         not weird (e.g. error string first), and that there are references/pointers to primitive
1712         types.
1713
1714         This patch cleans up the generated inspector protocol code to be:
1715          - required parameters are `T` or `Ref<T>&&`
1716          - optional parameters are `Optional<T>&&` or `RefPtr<T>&&`
1717          - enum parameters are preprocessed and passed to the backend dispatcher handler if valid
1718          - synchronous commands return `Expected<X, ErrorString>` using the same types/rules above
1719            where `X` is either a single return or a `std::tuple` of multiple returns
1720
1721         The one exception to the above is `String`, which is already a tri-state of `nullString()`,
1722         `emptyString()`, and something set, so there's no need to use `Optional<String>`.
1723
1724         Also use `Protocol` objects/`typedefs` wherever possible to further relate the protocol
1725         JSON and the actual backend dispatcher handler implementation.
1726
1727         * inspector/scripts/codegen/generator.py:
1728         (Generator.generate_includes_from_entries):
1729         * inspector/scripts/codegen/cpp_generator_templates.py:
1730         * inspector/scripts/codegen/cpp_generator.py:
1731         (CppGenerator.helpers_namespace):
1732         (CppGenerator.cpp_getter_method_for_type):
1733         (CppGenerator.cpp_setter_method_for_type):
1734         (CppGenerator.cpp_protocol_type_for_type):
1735         (CppGenerator.cpp_type_for_type_member_argument): Added.
1736         (CppGenerator.cpp_type_for_command_parameter): Added.
1737         (CppGenerator.cpp_type_for_command_return_declaration): Added.
1738         (CppGenerator.cpp_type_for_command_return_argument): Added.
1739         (CppGenerator.cpp_type_for_event_parameter): Added.
1740         (CppGenerator.cpp_type_for_enum): Added.
1741         (CppGenerator.should_move_argument): Added.
1742         (CppGenerator.should_release_argument): Added.
1743         (CppGenerator.should_dereference_argument): Added.
1744         (CppGenerator.cpp_protocol_type_for_type_member): Deleted.
1745         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Deleted.
1746         (CppGenerator.cpp_type_for_checked_formal_event_parameter): Deleted.
1747         (CppGenerator.cpp_type_for_type_member): Deleted.
1748         (CppGenerator.cpp_type_for_type_with_name): Deleted.
1749         (CppGenerator.cpp_type_for_formal_out_parameter): Deleted.
1750         (CppGenerator.cpp_type_for_formal_async_parameter): Deleted.
1751         (CppGenerator.cpp_type_for_stack_in_parameter): Deleted.
1752         (CppGenerator.cpp_type_for_stack_out_parameter): Deleted.
1753         (CppGenerator.cpp_assertion_method_for_type_member): Deleted.
1754         (CppGenerator.cpp_assertion_method_for_type_member.assertion_method_for_type): Deleted.
1755         (CppGenerator.should_use_wrapper_for_return_type): Deleted.
1756         (CppGenerator.should_use_references_for_type): Deleted.
1757         (CppGenerator.should_pass_by_copy_for_return_type): Deleted.
1758         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
1759         (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
1760         (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1761         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1762         (CppBackendDispatcherHeaderGenerator.generate_output):
1763         (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
1764         (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
1765         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1766         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1767         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1768         (CppBackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): Deleted.
1769         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1770         (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
1771         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
1772         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1773         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1774         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1775         (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
1776         (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
1777         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1778         (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
1779         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1780         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1781         (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
1782         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1783         (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
1784         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
1785         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
1786         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1787         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1788         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
1789         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1790         (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command):
1791         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1792         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command.and):
1793         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command.in_param_expression):
1794         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1795         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1796         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1797         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1798         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1799         * inspector/scripts/codegen/objc_generator_templates.py:
1800         * inspector/scripts/codegen/objc_generator.py:
1801         (ObjCGenerator.protocol_type_for_type):
1802         (ObjCGenerator.objc_type_for_param_internal):
1803         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1804
1805         * inspector/protocol/Page.json:
1806         Now that enums are processed before being passed to backend dispatcher handlers, the
1807         `appearance` parameter of `Page.setForcedAppearance` must be marked `optional` as
1808         there's no way for it to accept an empty string, as that's not possible for an enum.
1809
1810         * inspector/agents/InspectorAgent.h:
1811         * inspector/agents/InspectorAgent.cpp:
1812         * inspector/agents/InspectorAuditAgent.h:
1813         * inspector/agents/InspectorAuditAgent.cpp:
1814         * inspector/agents/InspectorConsoleAgent.h:
1815         * inspector/agents/InspectorConsoleAgent.cpp:
1816         * inspector/agents/InspectorDebuggerAgent.h:
1817         * inspector/agents/InspectorDebuggerAgent.cpp:
1818         * inspector/agents/InspectorHeapAgent.h:
1819         * inspector/agents/InspectorHeapAgent.cpp:
1820         * inspector/agents/InspectorRuntimeAgent.h:
1821         * inspector/agents/InspectorRuntimeAgent.cpp:
1822         * inspector/agents/InspectorScriptProfilerAgent.h:
1823         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1824         * inspector/agents/InspectorTargetAgent.h:
1825         * inspector/agents/InspectorTargetAgent.cpp:
1826         * inspector/agents/JSGlobalObjectAuditAgent.h:
1827         * inspector/agents/JSGlobalObjectAuditAgent.cpp:
1828         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1829         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1830         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1831         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1832         * inspector/JSGlobalObjectConsoleClient.cpp:
1833         * inspector/JSGlobalObjectInspectorController.cpp:
1834         Elided backend dispatcher handler changes described above.
1835
1836         * bindings/ScriptValue.cpp:
1837         (Inspector::jsToInspectorValue):
1838         * inspector/AsyncStackTrace.h:
1839         * inspector/AsyncStackTrace.cpp:
1840         (Inspector::AsyncStackTrace::buildInspectorObject const):
1841         * inspector/ConsoleMessage.cpp:
1842         (Inspector::ConsoleMessage::addToFrontend):
1843         * inspector/InjectedScriptBase.h:
1844         * inspector/InjectedScriptBase.cpp:
1845         (Inspector::InjectedScriptBase::makeEvalCall):
1846         (Inspector::InjectedScriptBase::checkCallResult):
1847         (Inspector::InjectedScriptBase::checkAsyncCallResult):
1848         * inspector/InjectedScript.h:
1849         * inspector/InjectedScript.cpp:
1850         (Inspector::InjectedScript::execute):
1851         (Inspector::InjectedScript::evaluate):
1852         (Inspector::InjectedScript::callFunctionOn):
1853         (Inspector::InjectedScript::evaluateOnCallFrame):
1854         (Inspector::InjectedScript::getFunctionDetails):
1855         (Inspector::InjectedScript::functionDetails):
1856         (Inspector::InjectedScript::getPreview):
1857         (Inspector::InjectedScript::getProperties):
1858         (Inspector::InjectedScript::getDisplayableProperties):
1859         (Inspector::InjectedScript::getInternalProperties):
1860         (Inspector::InjectedScript::getCollectionEntries):
1861         (Inspector::InjectedScript::saveResult):
1862         (Inspector::InjectedScript::wrapCallFrames const):
1863         (Inspector::InjectedScript::wrapObject const):
1864         (Inspector::InjectedScript::wrapJSONString const):
1865         (Inspector::InjectedScript::wrapTable const):
1866         (Inspector::InjectedScript::previewValue const):
1867         * inspector/InjectedScriptManager.cpp:
1868         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1869         * inspector/InspectorBackendDispatcher.h:
1870         * inspector/InspectorBackendDispatcher.cpp:
1871         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1872         (Inspector::BackendDispatcher::dispatch):
1873         (Inspector::BackendDispatcher::sendResponse):
1874         (Inspector::BackendDispatcher::getPropertyValue):
1875         (Inspector::BackendDispatcher::getBoolean):
1876         (Inspector::BackendDispatcher::getInteger):
1877         (Inspector::BackendDispatcher::getDouble):
1878         (Inspector::BackendDispatcher::getString):
1879         (Inspector::BackendDispatcher::getValue):
1880         (Inspector::BackendDispatcher::getObject):
1881         (Inspector::BackendDispatcher::getArray):
1882         (Inspector::castToInteger): Deleted.
1883         (Inspector::castToNumber): Deleted.
1884         * inspector/InspectorProtocolTypes.h:
1885         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
1886         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::assertValueHasExpectedType):
1887         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
1888         (Inspector::RemoteInspectorConnectionClient::extractEvent):
1889         * inspector/remote/socket/RemoteInspectorSocket.cpp:
1890         (Inspector::RemoteInspector::pushListingsNow):
1891         * runtime/TypeSet.cpp:
1892         (JSC::StructureShape::inspectorRepresentation):
1893         `JSON` classes now use `Ref&&` wherever possible and `Optional` instead of an out parameter
1894         for `get*`/`as*` so that values can be more easily manipulated and can be confidently known
1895         to exist.
1896
1897         * inspector/scripts/tests/enum-values.json:
1898         * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
1899         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1900         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1901         * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
1902         * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
1903         * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
1904         * inspector/scripts/tests/expected/domain-targetTypes.json-result:
1905         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1906         * inspector/scripts/tests/expected/enum-values.json-result:
1907         * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
1908         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1909         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1910         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1911         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1912         * inspector/scripts/tests/expected/should-strip-comments.json-result:
1913         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1914         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1915         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1916         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1917         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1918         * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
1919         * inspector/scripts/tests/expected/version.json-result:
1920
1921 2020-09-09  Saam Barati  <sbarati@apple.com>
1922
1923         OutOfBoundsSaneChain operations should use their own heap locations
1924         https://bugs.webkit.org/show_bug.cgi?id=216328
1925         <rdar://problem/68568039>
1926
1927         Reviewed by Keith Miller.
1928
1929         There is code in local CSE that does some basic bounds check elimination
1930         for PutByVal. It does this analysis by seeing if a particular heap location
1931         is already defined, and if so, it eliminates the bounds check for the
1932         PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason
1933         that these GetByVals are not proven to be in bounds. So GetByVals in the
1934         OutOfBoundsSaneChain mode reusing non-OutOfBoundsSaneChain heap locations
1935         can lead to a bug where we mistakenly remove a bounds check. The fix is to
1936         have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to
1937         not query those heaps.
1938
1939         * dfg/DFGArrayMode.h:
1940         (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted.
1941         * dfg/DFGClobberize.h:
1942         (JSC::DFG::clobberize):
1943         * dfg/DFGHeapLocation.cpp:
1944         (WTF::printInternal):
1945         * dfg/DFGHeapLocation.h:
1946
1947 2020-09-09  Keith Miller  <keith_miller@apple.com>
1948
1949         BigInt should PACCage its data pointer
1950         https://bugs.webkit.org/show_bug.cgi?id=216319
1951
1952         Reviewed by Yusuke Suzuki.
1953
1954         * runtime/JSBigInt.h:
1955
1956 2020-09-09  Alexey Shvayka  <shvaikalesh@gmail.com>
1957
1958         Don't emitDirectBinding() if there is a [...rest] element binding
1959         https://bugs.webkit.org/show_bug.cgi?id=216228
1960
1961         Reviewed by Darin Adler.
1962
1963         emitDirectBinding() is up for removal due to not respecting overridden or removed
1964         Array.prototype[Symbol.iterator]. However, dropping it slows down the popular swap pattern
1965         `[a, b] = [b, a]` by 40% with DFG/FTL, and by a factor of 6 with baseline JIT only.
1966
1967         Until we figure out the best way to preserve common case performance, this patch
1968         prevents `let [...rest] = [1]` from ending up as a number instead of an array,
1969         aligning JSC with V8 and SpiderMonkey.
1970
1971         * bytecompiler/NodesCodegen.cpp:
1972         (JSC::ArrayPatternNode::emitDirectBinding):
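
The binding behaviour this entry talks about, as an added example (not WebKit's code and not part of the ChangeLog entry; the function names are the example's own): array destructuring is specified in terms of the iterator protocol, so a rest element must always produce an Array, and a replaced `Array.prototype[Symbol.iterator]` has to be observed by patterns such as `[a, b] = [b, a]`. The third function swaps the iterator in temporarily and restores it in `finally`.

```javascript
// Added example, not WebKit code: destructuring goes through the iterator
// protocol, so a rest element yields an Array and a replaced
// Array.prototype[Symbol.iterator] is honoured by `[a, b] = [b, a]`.

// `let [...rest] = [1]` must bind an array holding 1, never the number 1 itself.
function restBindingIsArray() {
  let [...rest] = [1];
  return Array.isArray(rest) && rest.length === 1 && rest[0] === 1;
}

// The swap pattern with the default array iterator.
function swap(a, b) {
  [a, b] = [b, a];
  return [a, b];
}

// Replace Array.prototype[Symbol.iterator] with one that doubles each element,
// destructure while it is installed, then restore the original iterator.
// A spec-conforming engine must see the doubled values in both bindings.
function destructureWithOverriddenIterator() {
  const original = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = function* () {
    // Index loop rather than for-of: for-of would re-enter this iterator.
    for (let i = 0; i < this.length; i++) yield this[i] * 2;
  };
  try {
    const [a, b] = [1, 2];      // iterator used: a = 2, b = 4
    const [...rest] = [3];      // iterator used: rest = [6]
    return { a, b, rest };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```

Nothing inside the `try` block spreads or iterates an array except the destructuring under test, so the doubled results can only come from the replaced iterator.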
1973
1974 2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>
1975
1976         [JSC] returnEarlyFromInfiniteLoopsForFuzzing should return object
1977         https://bugs.webkit.org/show_bug.cgi?id=216289
1978         <rdar://problem/68496533>
1979
1980         Reviewed by Saam Barati.
1981
1982         When returning early with returnEarlyFromInfiniteLoopsForFuzzing, we are returning undefined.
1983         But this is wrong when the callee is a constructor, since a constructor is strongly assumed to return an object.
1984         We should return some object from returnEarlyFromInfiniteLoopsForFuzzing. In this patch, we return the global object
1985         associated with this callee instead of undefined.
1986
1987         * bytecode/CodeBlock.cpp:
1988         (JSC::CodeBlock::finishCreation):
1989         (JSC::CodeBlock::~CodeBlock):
1990         * dfg/DFGSpeculativeJIT64.cpp:
1991         (JSC::DFG::SpeculativeJIT::compile):
1992         * ftl/FTLLowerDFGToB3.cpp:
1993         (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
1994         * jit/JITOpcodes.cpp:
1995         (JSC::JIT::emit_op_loop_hint):
1996         * llint/LowLevelInterpreter64.asm:
1997
1998 2020-09-08  Saam Barati  <sbarati@apple.com>
1999
2000         re-enable TCSM on all OSs
2001         https://bugs.webkit.org/show_bug.cgi?id=216281
2002
2003         Reviewed by Tadeu Zagallo.
2004
2005         * runtime/Options.cpp:
2006         (JSC::defaultTCSMValue):
2007
2008 2020-09-08  Yusuke Suzuki  <ysuzuki@apple.com>
2009
2010         [JSC] Special property caching should check Structure's cacheability
2011         https://bugs.webkit.org/show_bug.cgi?id=216222
2012
2013         Reviewed by Saam Barati.
2014
2015         While StructureRareData::cacheSpecialPropertySlow caches properties, the approach it takes is incomplete.
2016         It is not checking the Structure's cacheability. We were caching the miss condition even if the structure is !propertyAccessesAreCacheableForAbsence.
2017         We should perform the same check done in the IC case. Strictly speaking, we can cache the value for an uncacheable dictionary because we are setting a
2018         property change watchpoint (which will fire). But it does not sound so profitable if this structure is uncacheable.
2019
2020         * runtime/JSObject.cpp:
2021         (JSC::JSObject::convertToUncacheableDictionary):
2022         * runtime/JSObject.h:
2023         * runtime/StructureRareData.cpp:
2024         (JSC::StructureRareData::cacheSpecialPropertySlow):
2025         * tools/JSDollarVM.cpp:
2026         (JSC::functionToUncacheableDictionary):
2027         (JSC::JSDollarVM::finishCreation):
2028
2029 2020-09-07  Joonghun Park  <jh718.park@samsung.com>
2030
2031         Unreviewed. Remove the build warning below since r266567.
2032         warning: parameter ‘hint’ set but not used [-Wunused-but-set-parameter]
2033
2034         * runtime/JSObject.cpp:
2035         (JSC::callToPrimitiveFunction):
2036
2037 2020-09-06  Darin Adler  <darin@apple.com>
2038
2039         TextCodec refinements
2040         https://bugs.webkit.org/show_bug.cgi?id=216219
2041
2042         Reviewed by Sam Weinig.
2043
2044         * parser/Lexer.h:
2045         (JSC::Lexer<UChar>::isWhiteSpace): Use byteOrderMark constant.
2046
2047 2020-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
2048
2049         Unreviewed, suppress exception checking after unwrapForOldFunctions
2050         https://bugs.webkit.org/show_bug.cgi?id=216193
2051
2052         * runtime/IntlNumberFormatPrototype.cpp:
2053         (JSC::IntlNumberFormatPrototypeGetterFormat):
2054         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2055
2056 2020-09-05  Devin Rousso  <drousso@apple.com>
2057
2058         Web Inspector: allow DOM breakpoints to be configured
2059         https://bugs.webkit.org/show_bug.cgi?id=215795
2060
2061         Reviewed by Brian Burg.
2062
2063         * inspector/protocol/DOMDebugger.json:
2064         Add an `options` parameter to `DOMDebugger.setDOMBreakpoint` to allow configuration.
2065
2066 2020-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
2067
2068         [JSC] Align legacy Intl constructor behavior to spec
2069         https://bugs.webkit.org/show_bug.cgi?id=216193
2070
2071         Reviewed by Darin Adler.
2072
2073         Legacy Intl constructors (Intl.DateTimeFormat and Intl.NumberFormat) have special handling when they are called via the `Intl.DateTimeFormat()` form.
2074         This allowed legacy Intl constructors to be used with prototype-based inheritance without using class syntax. This legacy behavior was later specified
2075         explicitly in the spec. So we should align our implementation with the spec's.
2076
2077             1. When defining fallback formats, we need to put them into the property which is visible via Symbol("IntlLegacyConstructedSymbol").
2078             2. Even if the provided thisValue is IntlDateTimeFormat* / IntlNumberFormat*, we should create another instance and put it in the Symbol("IntlLegacyConstructedSymbol") field.
2079
2080         * JavaScriptCore.xcodeproj/project.pbxproj:
2081         * builtins/BuiltinNames.cpp:
2082         (JSC::BuiltinNames::BuiltinNames):
2083         * builtins/BuiltinNames.h:
2084         (JSC::BuiltinNames::intlLegacyConstructedSymbol const):
2085         * runtime/CommonIdentifiers.h:
2086         * runtime/IntlDateTimeFormat.h:
2087         * runtime/IntlDateTimeFormatConstructor.cpp:
2088         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2089         (JSC::callIntlDateTimeFormat):
2090         * runtime/IntlDateTimeFormatInlines.h: Added.
2091         (JSC::IntlDateTimeFormat::unwrapForOldFunctions):
2092         * runtime/IntlDateTimeFormatPrototype.cpp:
2093         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2094         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2095         (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
2096         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2097         * runtime/IntlNumberFormat.h:
2098         * runtime/IntlNumberFormatConstructor.cpp:
2099         (JSC::IntlNumberFormatConstructor::finishCreation):
2100         (JSC::callIntlNumberFormat):
2101         * runtime/IntlNumberFormatInlines.h:
2102         (JSC::IntlNumberFormat::unwrapForOldFunctions):
2103         * runtime/IntlNumberFormatPrototype.cpp:
2104         (JSC::IntlNumberFormatPrototypeGetterFormat):
2105         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2106         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2107         * runtime/IntlObject.cpp:
2108         (JSC::createDateTimeFormatConstructor):
2109         (JSC::createNumberFormatConstructor):
2110         * runtime/IntlObjectInlines.h:
2111         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2112         (JSC::unwrapForLegacyIntlConstructor):
2113         * runtime/JSGlobalObject.cpp:
2114         (JSC::JSGlobalObject::init):
2115         (JSC::JSGlobalObject::visitChildren):
2116         * runtime/JSGlobalObject.h:
2117         (JSC::JSGlobalObject::dateTimeFormatConstructor):
2118         (JSC::JSGlobalObject::dateTimeFormatPrototype):
2119         (JSC::JSGlobalObject::numberFormatConstructor):
2120         (JSC::JSGlobalObject::numberFormatPrototype):
2121
2122 2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2123
2124         Array.prototype.push should always perform [[Set]] in strict mode
2125         https://bugs.webkit.org/show_bug.cgi?id=216121
2126
2127         Unreviewed, address Darin's feedback on r266581.
2128
2129         * runtime/ArrayPrototype.cpp:
2130         (JSC::arrayProtoFuncPush): Remove unnecessary static_cast<uint64_t>.
2131
2132 2020-09-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2133
2134         Array.prototype.push should always perform [[Set]] in strict mode
2135         https://bugs.webkit.org/show_bug.cgi?id=216121
2136
2137         Reviewed by Darin Adler.
2138
2139         This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
2140         index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
2141         and SpiderMonkey. It also refactors the method, leveraging putByIndexInline().
2142
2143         Array.prototype.push microbenchmarks, including varargs tests, are neutral.
2144
2145         [1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)
2146
2147         * runtime/ArrayPrototype.cpp:
2148         (JSC::arrayProtoFuncPush):
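
The observable contract this entry aligns JSC with, as an added example (not WebKit's code and not part of the ChangeLog entry; `errorName` and the other function names are the example's own): `Array.prototype.push` is a strict-mode built-in, so every [[Set]] it performs must throw a TypeError when it fails, including a put at an index beyond UINT32_MAX, and it must refuse to grow a length past 2^53 - 1 (spec step 5.b). The last function is a control showing an ordinary array-like being extended.

```javascript
// Added example, not WebKit code: failure modes of Array.prototype.push on
// array-likes, each reported as the name of the error thrown (or "none").

function errorName(fn) {
  try { fn(); return 'none'; } catch (e) { return e.constructor.name; }
}

// Array-like whose length is already 2^53 - 1: push must throw before it
// touches any element (spec step 5.b).
function pushPastMaxLength() {
  const arrayLike = { length: Number.MAX_SAFE_INTEGER };
  return errorName(() => Array.prototype.push.call(arrayLike, 'x'));
}

// Array-like whose length is beyond UINT32_MAX with a read-only slot at the
// target index: the [[Set]] at index 2^32 fails and must surface as a TypeError,
// which is the case the entry above fixes.
function pushOntoReadOnlyIndexBeyondUint32() {
  const arrayLike = { length: 2 ** 32 };
  Object.defineProperty(arrayLike, String(2 ** 32), { value: 0, writable: false });
  return errorName(() => Array.prototype.push.call(arrayLike, 1));
}

// A frozen real array: creating the new index fails because the object is
// not extensible.
function pushOntoFrozenArray() {
  return errorName(() => Object.freeze([1]).push(2));
}

// Control: an ordinary array-like is extended and its length is updated.
function pushOntoPlainArrayLike() {
  const arrayLike = { length: 1, 0: 'a' };
  const newLength = Array.prototype.push.call(arrayLike, 'b');
  return { newLength, last: arrayLike[1], length: arrayLike.length };
}
```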
2149
2150 2020-09-03  Carlos Garcia Campos  <cgarcia@igalia.com>
2151
2152         Unreviewed. [GLIB] Add missing return
2153
2154         There's no change in behavior because jsObjectCall() returns undefined in case of failure, but fixes a memory leak.
2155
2156         * API/glib/JSCValue.cpp:
2157         (jsc_value_object_invoke_methodv):
2158
2159 2020-09-02  Yusuke Suzuki  <ysuzuki@apple.com>
2160
2161         [JSC] Cache toString / valueOf / @@toPrimitive for major cases
2162         https://bugs.webkit.org/show_bug.cgi?id=216061
2163
2164         Reviewed by Saam Barati.
2165
2166         When toPrimitive is called, we need to look up three properties at most to perform the operation. And these special properties have no caching mechanism at all.
2167         We found that Speedometer2/EmberJS-Debug-TodoMVC spends a lot of time on this property look-up. We should have a caching mechanism in StructureRareData, which
2168         should be similar to the @@toStringTag & Object#toString caching mechanism.
2169
2170         This patch generalizes the @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in
2171         toPrimitive with this caching mechanism.
2172
2173         This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%.
2174
2175         * JavaScriptCore.xcodeproj/project.pbxproj:
2176         * Sources.txt:
2177         * bytecode/Watchpoint.cpp:
2178         * bytecode/Watchpoint.h:
2179         * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp.
2180         (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint):
2181         (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
2182         (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal):
2183         * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h.
2184         * runtime/JSGlobalObject.cpp:
2185         (JSC::JSGlobalObject::init):
2186         (JSC::JSGlobalObject::visitChildren):
2187         * runtime/JSGlobalObject.h:
2188         (JSC::JSGlobalObject::objectProtoToStringFunction const):
2189         * runtime/JSObject.cpp:
2190         (JSC::callToPrimitiveFunction):
2191         (JSC::JSObject::ordinaryToPrimitive const):
2192         (JSC::JSObject::toPrimitive const):
2193         * runtime/ObjectPrototype.cpp:
2194         (JSC::ObjectPrototype::finishCreation):
2195         (JSC::objectProtoFuncToString):
2196         * runtime/Structure.h:
2197         * runtime/StructureInlines.h:
2198         (JSC::Structure::cacheSpecialProperty):
2199         (JSC::Structure::setObjectToStringValue): Deleted.
2200         * runtime/StructureRareData.cpp:
2201         (JSC::StructureRareData::visitChildren):
2202         (JSC::StructureRareData::ensureSpecialPropertyCacheSlow):
2203         (JSC::StructureRareData::giveUpOnSpecialPropertyCache):
2204         (JSC::StructureRareData::cacheSpecialPropertySlow):
2205         (JSC::StructureRareData::clearCachedSpecialProperty):
2206         (JSC::StructureRareData::finalizeUnconditionally):
2207         (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint):
2208         (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const):
2209         (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire):
2210         (JSC::StructureRareData::setObjectToStringValue): Deleted.
2211         (JSC::StructureRareData::clearObjectToStringValue): Deleted.
2212         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted.
2213         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted.
2214         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted.
2215         * runtime/StructureRareData.h:
2216         * runtime/StructureRareDataInlines.h:
2217         (JSC::StructureRareData::cachedSpecialProperty const):
2218         (JSC::StructureRareData::canCacheSpecialProperty):
2219         (JSC::StructureRareData::ensureSpecialPropertyCache):
2220         (JSC::StructureRareData::cacheSpecialProperty):
2221         (JSC::StructureRareData::objectToStringValue const): Deleted.
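
The three property look-ups this entry caches, made visible from script as an added example (not WebKit's code and not part of the ChangeLog entry; `makeTracedObject`, `toPrimitiveLookups` and `traceEngineConversions` are the example's own names): a constructed object whose `@@toPrimitive`, `valueOf` and `toString` are accessors that log each read, driven both by the engine's own conversions and by a spec-shaped reimplementation of ToPrimitive. Every conversion repeats the same reads, which is the cost the cache in the entry avoids.

```javascript
// Added example, not WebKit code: trace the ToPrimitive look-up sequence
// (@@toPrimitive first, then valueOf / toString in hint order).

// Object whose special-property reads are logged via accessors on its prototype;
// the accessors hand back spec-shaped implementations.
function makeTracedObject(log, { exoticToPrimitive = false } = {}) {
  const proto = {
    get [Symbol.toPrimitive]() {
      log.push('@@toPrimitive');
      return exoticToPrimitive ? (hint) => `exotic:${hint}` : undefined;
    },
    get valueOf() {
      log.push('valueOf');
      return () => 42;
    },
    get toString() {
      log.push('toString');
      return () => 'forty-two';
    },
  };
  return Object.create(proto);
}

// Spec-shaped ToPrimitive, so the engine's behaviour can be compared with the
// algorithm it implements (ECMA-262 ToPrimitive + OrdinaryToPrimitive).
function toPrimitiveLookups(input, hint = 'default') {
  if ((typeof input !== 'object' && typeof input !== 'function') || input === null) return input;
  const exotic = input[Symbol.toPrimitive];              // look-up 1
  if (exotic !== undefined && exotic !== null) {
    const result = exotic.call(input, hint);
    if (typeof result === 'object' && result !== null) throw new TypeError('non-primitive result');
    return result;
  }
  // OrdinaryToPrimitive: "string" tries toString first, anything else valueOf first.
  const order = hint === 'string' ? ['toString', 'valueOf'] : ['valueOf', 'toString'];
  for (const name of order) {
    const method = input[name];                          // look-ups 2 and 3
    if (typeof method === 'function') {
      const result = method.call(input);
      if (typeof result !== 'object' || result === null) return result;
    }
  }
  throw new TypeError('cannot convert object to primitive');
}

// Drive the engine's own conversions and return the reads they performed.
function traceEngineConversions() {
  const log = [];
  const obj = makeTracedObject(log);
  const viaAddition = obj + '';   // hint "default": @@toPrimitive, valueOf
  const viaTemplate = `${obj}`;    // hint "string":  @@toPrimitive, toString
  const viaUnaryPlus = +obj;       // hint "number":  @@toPrimitive, valueOf
  return { log, viaAddition, viaTemplate, viaUnaryPlus };
}
```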
2222
2223 2020-09-03  Saam Barati  <sbarati@apple.com>
2224
2225         Sampling profiler should dump hash as part of the top function key to prevent incorrectly grouping nameless functions together
2226         https://bugs.webkit.org/show_bug.cgi?id=216087
2227
2228         Reviewed by Tadeu Zagallo.
2229
2230         * runtime/SamplingProfiler.cpp:
2231         (JSC::SamplingProfiler::reportTopFunctions):
2232
2233 2020-09-03  Devin Rousso  <drousso@apple.com>
2234
2235         Web Inspector: allow url breakpoints to be configured
2236         https://bugs.webkit.org/show_bug.cgi?id=215793
2237
2238         Reviewed by Brian Burg.
2239
2240         * inspector/protocol/DOMDebugger.json:
2241         Add an `options` parameter to `DOMDebugger.setURLBreakpoint` to allow configuration.
2242         Add an `isRegex` parameter to `DOMDebugger.removeURLBreakpoint` so that we know what
2243         type of URL breakpoint is being removed.
2244
2245 2020-09-03  Devin Rousso  <drousso@apple.com>
2246
2247         Web Inspector: allow special JavaScript breakpoints to be configured
2248         https://bugs.webkit.org/show_bug.cgi?id=215794
2249
2250         Reviewed by Brian Burg.
2251
2252         * inspector/protocol/Debugger.json:
2253         Add an `options` parameter to the following commands for configuring the related breakpoint:
2254          - `Debugger.setPauseOnDebuggerStatements`
2255          - `Debugger.setPauseOnExceptions`
2256          - `Debugger.setPauseOnAssertions`
2257          - `Debugger.setPauseOnMicrotasks`
2258
2259         * debugger/Debugger.h:
2260         (JSC::Debugger::needsExceptionCallbacks const):
2261         (JSC::Debugger::pauseOnAllExceptionsBreakpoint const): Added.
2262         (JSC::Debugger::setPauseOnAllExceptionsBreakpoint): Added.
2263         (JSC::Debugger::pauseOnUncaughtExceptionsBreakpoint const): Added.
2264         (JSC::Debugger::setPauseOnUncaughtExceptionsBreakpoint): Added.
2265         (JSC::Debugger::setPauseOnDebuggerStatementsBreakpoint): Added.
2266         (JSC::Debugger::pauseOnExceptionsState const): Deleted.
2267         (JSC::Debugger::setPauseOnDebuggerStatements): Deleted.
2268         * debugger/Debugger.cpp:
2269         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::TemporarilyDisableExceptionBreakpoints): Added.
2270         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::~TemporarilyDisableExceptionBreakpoints): Added.
2271         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::replace): Added.
2272         (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::restore): Added.
2273         (JSC::Debugger::Debugger):
2274         (JSC::Debugger::breakProgram):
2275         (JSC::Debugger::exception):
2276         (JSC::Debugger::didReachDebuggerStatement):
2277         (JSC::Debugger::setPauseOnExceptionsState): Deleted.
2278         Add `JSC::Breakpoint` member variables for the Debugger Statements and Exceptions
2279         breakpoints. Split the Exceptions breakpoint into two `JSC::Breakpoint` now that
2280         All Exceptions and Uncaught Exceptions can be independently configured (the All
2281         Exceptions breakpoint still takes precedence).
2282
2283         * debugger/DebuggerCallFrame.h:
2284         * debugger/DebuggerCallFrame.cpp:
2285         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2286         If there is no `CallFrame`, climb the backtrace until the first valid `CallFrame` is reached.
2287         This is needed when pausing in native code, such as for assertions/exceptions.
2288
2289         * debugger/Breakpoint.h:
2290         Export `JSC::Breakpoint::create` so that other parts of WebKit can create breakpoints.
2291
2292         * inspector/agents/InspectorDebuggerAgent.h:
2293         * inspector/agents/InspectorDebuggerAgent.cpp:
2294         (Inspector::InspectorDebuggerAgent::disable):
2295         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2296         (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements):
2297         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
2298         (Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
2299         (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks):
2300         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2301         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2302         (Inspector::InspectorDebuggerAgent::willRunMicrotask):
2303         (Inspector::InspectorDebuggerAgent::didRunMicrotask):
2304         (Inspector::InspectorDebuggerAgent::breakProgram):
2305         Add `JSC::Breakpoint` member variables for the Assertion Failures and All Microtasks
2306         breakpoints. Pass them to the `JSC::Debugger` when they are hit.
2307
2308         * inspector/agents/InspectorAuditAgent.cpp:
2309         (Inspector::InspectorAuditAgent::run):
2310         * inspector/agents/InspectorRuntimeAgent.cpp:
2311         (Inspector::InspectorRuntimeAgent::evaluate):
2312         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2313         (Inspector::InspectorRuntimeAgent::getPreview):
2314         (Inspector::InspectorRuntimeAgent::getProperties):
2315         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2316         (Inspector::setPauseOnExceptionsState): Deleted.
2317         Use `TemporarilyDisableExceptionBreakpoints` to save, override, and restore the exceptions
2318         breakpoints now that they've been separated into two `JSC::Breakpoint` instead of an `enum`.
2319
2320 2020-09-03  Keith Miller  <keith_miller@apple.com>
2321
2322         Finish comment describing the various *Stack SSA nodes in DFG
2323         https://bugs.webkit.org/show_bug.cgi?id=216110
2324
2325         Reviewed by Sam Weinig.
2326
2327         * dfg/DFGNodeType.h:
2328
2329 2020-09-03  David Kilzer  <ddkilzer@apple.com>
2330
2331         AbstractMacroAssembler::Jump class has uninitialized instance variables
2332         <https://webkit.org/b/216082>
2333
2334         Reviewed by Michael Saboff.
2335
2336         * assembler/AbstractMacroAssembler.h:
2337         (JSC::AbstractMacroAssembler::Jump):
2338         - Switch to default constructor syntax.
2339         - Provide defaults for instance variables.
2340
2341 2020-09-03  Ross Kirsling  <ross.kirsling@sony.com>
2342
2343         [JSC] Add missing detached buffer errors for DataView
2344         https://bugs.webkit.org/show_bug.cgi?id=216062
2345
2346         Reviewed by Yusuke Suzuki.
2347
2348         DataView methods are often expected to throw a TypeError if the underlying ArrayBuffer is detached
2349         (or neutered, in older terminology) -- this patch adds a slew of missing cases from the following spec section:
2350           - https://tc39.es/ecma262/#sec-properties-of-the-dataview-prototype-object
2351
2352         At the same time:
2353          - get rid of JSDataView::getOwnPropertySlot, which was turning dataViewProtoGetterByte{Length,Offset}
2354            into mostly unreachable code and erroneously causing byte{Length,Offset} to have property descriptors
2355          - perform some simple cleanup of neighboring error calls / messages
2356          - fix value of DataView.length (our only other DataView spec bug)
2357
2358         * runtime/JSDataView.cpp:
2359         (JSC::JSDataView::create):
2360         (JSC::JSDataView::getOwnPropertySlot): Deleted.
2361         * runtime/JSDataView.h:
2362         * runtime/JSDataViewPrototype.cpp:
2363         (JSC::getData):
2364         (JSC::setData):
2365         (JSC::dataViewProtoGetterByteLength):
2366         (JSC::dataViewProtoGetterByteOffset):
2367         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2368         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
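
The detached-buffer contract this entry completes, as an added example (not WebKit's code and not part of the ChangeLog entry; `detachBuffer`, `errorName` and the other names are the example's own): after the backing ArrayBuffer is detached, the `byteLength` and `byteOffset` getters, the typed get/set methods, and constructing a new DataView over the buffer all have to throw a TypeError. Detaching is done with `ArrayBuffer.prototype.transfer` where the runtime has it and otherwise with `structuredClone`'s transfer list; on a runtime with neither, the function reports that it could not detach instead of guessing. It also checks that `byteLength` is not an own property of the view and that `DataView.length` is 1.

```javascript
// Added example, not WebKit code: which DataView operations must throw once
// the underlying ArrayBuffer is detached.

function detachBuffer(buffer) {
  if (typeof buffer.transfer === 'function') { buffer.transfer(); return true; }
  if (typeof structuredClone === 'function') {
    structuredClone(buffer, { transfer: [buffer] });
    return true;
  }
  return false;  // no portable way to detach in this runtime
}

function errorName(fn) {
  try { fn(); return 'none'; } catch (e) { return e.constructor.name; }
}

// Returns observations before and after detaching, or null when this runtime
// offers no way to detach an ArrayBuffer.
function dataViewBehaviourAfterDetach() {
  const buffer = new ArrayBuffer(8);
  const view = new DataView(buffer, 2, 4);
  view.setUint16(0, 0xBEEF);
  const before = {
    byteLength: view.byteLength,      // 4
    byteOffset: view.byteOffset,      // 2
    getUint16: view.getUint16(0),     // 0xBEEF
    // byteLength lives on the prototype as a getter, not on the instance.
    hasOwnByteLength: Object.prototype.hasOwnProperty.call(view, 'byteLength'),
  };
  if (!detachBuffer(buffer)) return null;
  const after = {
    byteLength: errorName(() => view.byteLength),
    byteOffset: errorName(() => view.byteOffset),
    getUint16: errorName(() => view.getUint16(0)),
    setUint16: errorName(() => view.setUint16(0, 1)),
    construct: errorName(() => new DataView(buffer)),
    // The buffer object itself stays reachable and reports zero length.
    bufferByteLength: buffer.byteLength,
  };
  return { before, after };
}

// Only the buffer argument is required, so DataView.length is 1.
function dataViewConstructorLength() {
  return DataView.length;
}
```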
2369
2370 2020-09-02  Michael Saboff  <msaboff@apple.com>
2371
2372         ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
2373         https://bugs.webkit.org/show_bug.cgi?id=216103
2374
2375         Reviewed by Saam Barati.
2376
2377         Changed the ASSERT to an if statement.  This checks to see if the (likely newly changed)
2378         property is still a custom getter setter before caching its access as such.
2379
2380         * bytecode/ObjectPropertyConditionSet.cpp:
2381         (JSC::generateConditionsForPrototypePropertyHitCustom):
2382         * tools/JSDollarVM.cpp: Added test helper function.
2383
2384 2020-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2385
2386         Skip fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html if Gigacage is not enabled
2387         https://bugs.webkit.org/show_bug.cgi?id=216043
2388         <rdar://problem/66394369>
2389
2390         Reviewed by Mark Lam.
2391
2392         * tools/JSDollarVM.cpp:
2393         (JSC::functionIsGigacageEnabled):
2394         (JSC::JSDollarVM::finishCreation):
2395
2396 2020-08-31  Mark Lam  <mark.lam@apple.com>
2397
2398         Remove some PtrTag debugging code from release builds.
2399         https://bugs.webkit.org/show_bug.cgi?id=216025
2400         <rdar://problem/68098263>
2401
2402         Reviewed by Saam Barati.
2403
2404         Removed PtrTag name lookup debugging utility from release builds.
2405
2406         * runtime/JSCPtrTag.cpp:
2407         * runtime/JSCPtrTag.h:
2408
2409 2020-09-01  Carlos Garcia Campos  <cgarcia@igalia.com>
2410
2411         [Linux] Web Inspector: show per thread cpu usage
2412         https://bugs.webkit.org/show_bug.cgi?id=215883
2413
2414         Reviewed by Adrian Perez de Castro.
2415
2416         Remove platform specific getter machThread() and add thread() to return the Thread instead. The caller knows how
2417         to get the machThread or id from a Thread.
2418
2419         * runtime/SamplingProfiler.cpp:
2420         (JSC::SamplingProfiler::reportTopBytecodes):
2421         (JSC::SamplingProfiler::machThread): Deleted.
2422         * runtime/SamplingProfiler.h:
2423         (JSC::SamplingProfiler::thread):
2424
2425 2020-08-31  Yusuke Suzuki  <ysuzuki@apple.com>
2426
2427         [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction
2428         https://bugs.webkit.org/show_bug.cgi?id=215987
2429         <rdar://problem/66370323>
2430
2431         Reviewed by Mark Lam.
2432
2433         We had a race condition between the construction of StructureStubInfo and the setting of its CodeOrigin field.
2434
2435             1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin.
2436             2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock.
2437             3. Before (2) is executed, the DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates a HashMap<CodeOrigin, StructureStubInfo*>.
2438             4. Since the StructureStubInfo*'s codeOrigin is not configured yet, (3) sees an invalid CodeOrigin. And storing an invalid CodeOrigin as a HashMap key is not correct.
2439
2440         We should configure CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them.
2441         To reproduce this, we need to execute a script repeatedly for 2~ days. So it is difficult to add a test.
2442
2443         * bytecode/AccessCase.cpp:
2444         (JSC::AccessCase::generateImpl):
2445         * bytecode/ByValInfo.h:
2446         (JSC::ByValInfo::ByValInfo):
2447         (JSC::ByValInfo::setUp):
2448         * bytecode/CallLinkInfo.cpp:
2449         (JSC::CallLinkInfo::CallLinkInfo):
2450         * bytecode/CallLinkInfo.h:
2451         (JSC::CallLinkInfo::setUpCall):
2452         (JSC::CallLinkInfo::setCodeOrigin): Deleted.
2453         * bytecode/CodeBlock.cpp:
2454         (JSC::CodeBlock::addStubInfo):
2455         (JSC::CodeBlock::addByValInfo):
2456         (JSC::CodeBlock::addCallLinkInfo):
2457         * bytecode/CodeBlock.h:
2458         * bytecode/StructureStubInfo.cpp:
2459         (JSC::StructureStubInfo::StructureStubInfo):
2460         * bytecode/StructureStubInfo.h:
2461         * dfg/DFGSpeculativeJIT32_64.cpp:
2462         (JSC::DFG::SpeculativeJIT::emitCall):
2463         * dfg/DFGSpeculativeJIT64.cpp:
2464         (JSC::DFG::SpeculativeJIT::emitCall):
2465         * ftl/FTLLowerDFGToB3.cpp:
2466         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2467         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2468         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2469         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2470         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2471         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2472         * jit/JIT.cpp:
2473         (JSC::JIT::link):
2474         * jit/JITCall.cpp:
2475         (JSC::JIT::compileCallEvalSlowCase):
2476         (JSC::JIT::compileOpCall):
2477         * jit/JITCall32_64.cpp:
2478         (JSC::JIT::compileCallEvalSlowCase):
2479         (JSC::JIT::compileOpCall):
2480         * jit/JITInlineCacheGenerator.cpp:
2481         (JSC::garbageStubInfo):
2482         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2483         * jit/JITOpcodes.cpp:
2484         (JSC::JIT::emit_op_has_indexed_property):
2485         * jit/JITOpcodes32_64.cpp:
2486         (JSC::JIT::emit_op_has_indexed_property):
2487         * jit/JITPropertyAccess.cpp:
2488         (JSC::JIT::emit_op_put_by_val):
2489         * jit/JITPropertyAccess32_64.cpp:
2490         (JSC::JIT::emit_op_put_by_val):
2491         * wasm/js/WasmToJS.cpp:
2492         (JSC::Wasm::wasmToJS):
2493
2494 2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2495
2496         [JSC] @defaultPromiseThen fast path should check species constructor
2497         https://bugs.webkit.org/show_bug.cgi?id=215996
2498
2499         Reviewed by Ross Kirsling.
2500
2501         When executing the @defaultPromiseThen fast path, we assumed that this execution is not observable.
2502         This is wrong only for the species constructor part: this @@species access & derived constructor calls
2503         can be observable. In this patch,
2504
2505             1. We extract part of Promise#then as @performPromiseThen, which corresponds to the spec's PerformPromiseThen.
2506             2. In promise fast path, we check @speciesConstructor is @Promise or @InternalPromise. If it is not, then we go to the slow path.
2507
2508         This fixes Promise#finally failures in test262.
2509
2510         * builtins/PromiseOperations.js:
2511         (globalPrivate.promiseResolveThenableJobFast):
2512         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
2513         (globalPrivate.promiseResolveThenableJobWithDerivedPromise):
2514         (onFulfilled):
2515         (onRejected):
2516         (globalPrivate.performPromiseThen):
2517         * builtins/PromisePrototype.js:
2518         (then):
2519         (onFulfilled): Deleted.
2520         (onRejected): Deleted.
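
Worked example added here (not code from the WebKit patch, and not JSC's builtins): a Promise subclass whose @@species accessor is observable. Per the spec's SpeciesConstructor step, `then` must read `constructor[Symbol.species]` before it creates the derived promise, so a counting accessor sees exactly one lookup per `then`, and a throwing accessor makes `then` throw synchronously; a fast path that skipped the lookup would hide both effects. The class names below are constructed for the example.

```javascript
// Added example (not JSC code): Promise#then must perform the observable
// SpeciesConstructor lookup before creating the derived promise.

let speciesLookups = 0;

// A Promise subclass whose @@species getter records every access.
class CountingPromise extends Promise {
  static get [Symbol.species]() {
    speciesLookups += 1;
    return Promise; // derived promises become plain Promises
  }
}

// A subclass whose @@species getter throws: `then` has to propagate this
// synchronously, which a fast path that skipped the lookup could not do.
class ThrowingSpeciesPromise extends Promise {
  static get [Symbol.species]() {
    throw new Error("species accessed");
  }
}

// Returns how many times `then` consulted @@species and what it produced.
function observeThen() {
  speciesLookups = 0;
  // Promise.resolve builds the promise from `this` (CountingPromise), not @@species.
  const p = CountingPromise.resolve(1);
  const derived = p.then((v) => v + 1);
  return {
    lookups: speciesLookups,                          // 1: one lookup per `then`
    derivedIsPlain: derived.constructor === Promise,  // species chose Promise
    sourceIsSubclass: p.constructor === CountingPromise,
  };
}

// Returns the message of the synchronous error raised by `then`, or null.
function observeThrowingSpecies() {
  const p = ThrowingSpeciesPromise.resolve(1);
  try {
    p.then(() => {});
    return null;
  } catch (e) {
    return e.message;
  }
}
```

The second probe is the one that distinguishes a correct implementation from a fast path that assumes unobservability: user code runs inside the species lookup, so the engine may only skip it after confirming the constructor is the intrinsic Promise.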
2521
2522 2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2523
2524         [JSC] Use -2 for grouping options in IntlRelativeTimeFormat
2525         https://bugs.webkit.org/show_bug.cgi?id=215984
2526
2527         Reviewed by Ross Kirsling.
2528
2529         Several test262 tests are failing after ICU 67. This is because Intl.RelativeTimeFormat is not using the locale-sensitive grouping option.
2530         There is a hidden option -2 for UNumberFormat. It has been supported for a long time, but it is not explicitly documented. After ICU 68, it is exposed as a constant;
2531         we should pass -2 to UNumberFormat's grouping options to use the locale-sensitive grouping option here.
2532
2533         * runtime/IntlRelativeTimeFormat.cpp:
2534         (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
2535
2536 2020-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2537
2538         [JSC] async function cannot appear in single-statement context
2539         https://bugs.webkit.org/show_bug.cgi?id=215993
2540
2541         Reviewed by Darin Adler.
2542
2543         The following code is a syntax error[1] because ExpressionStatement has an `async [no LineTerminator here] function` lookahead.
2544
2545             if (false)
2546                 async function t() { }
2547
2548         [1]: https://tc39.es/ecma262/#sec-expression-statement
2549
2550         * parser/Parser.cpp:
2551         (JSC::Parser<LexerType>::parseStatement):
2552         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement): Deleted.
2553         * parser/Parser.h:
2554
2555 2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2556
2557         [JSC] `let [` sequence cannot appear in ExpressionStatement context
2558         https://bugs.webkit.org/show_bug.cgi?id=215977
2559
2560         Reviewed by Ross Kirsling.
2561
2562         Because of the ambiguity between destructuring assignment and member access (let IDENTIFIER), ECMA262 does not allow the `let [` sequence in ExpressionStatement context[1].
2563         We should throw SyntaxError when we see something like this.
2564
2565             if (false)
2566                 let [ok] = [42];
2567
2568         [1]: https://tc39.es/ecma262/#sec-expression-statement
2569
2570         * parser/Parser.cpp:
2571         (JSC::Parser<LexerType>::parseStatement):
2572
2573 2020-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2574
2575         [JSC] for-of uses AssignmentExpression while for-in uses Expression
2576         https://bugs.webkit.org/show_bug.cgi?id=215975
2577
2578         Reviewed by Ross Kirsling.
2579
2580         While for-in uses Expression, for-of and for-await-of use AssignmentExpression, which does not accept a comma expression.
2581         We should align our implementation to that.
2582
2583             for (LeftHandSideExpression in Expression) Statement
2584             for (LeftHandSideExpression of AssignmentExpression) Statement
2585             for await(LeftHandSideExpression of AssignmentExpression) Statement
2586
2587         * parser/Parser.cpp:
2588         (JSC::Parser<LexerType>::parseForStatement):
2589
2590 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2591
2592         [JSC] for-of / for-in left-hand-side target should be simple-assignment-target
2593         https://bugs.webkit.org/show_bug.cgi?id=215969
2594
2595         Reviewed by Ross Kirsling.
2596
2597         The left-hand side of `for-in`, `for-of`, and `for-await-of` should be a simple assignment target[1]
2598         if the target is neither a declaration nor a destructuring pattern.
2599
2600         [1]: https://tc39.es/ecma262/#sec-for-in-and-for-of-statements-static-semantics-early-errors
2601
2602         * parser/Parser.cpp:
2603         (JSC::Parser<LexerType>::parseForStatement):
2604         * parser/SyntaxChecker.h:
2605         (JSC::SyntaxChecker::createCommaExpr): Should return CommaExpr to align it to ASTBuilder.
2606         (JSC::SyntaxChecker::appendToCommaExpr):
2607         (JSC::SyntaxChecker::appendStatement):
2608         (JSC::SyntaxChecker::combineCommaNodes): Deleted since it is not used.
2609
2610 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2611
2612         [JSC] Implement Intl.DateTimeFormat dayPeriod
2613         https://bugs.webkit.org/show_bug.cgi?id=215839
2614
2615         Reviewed by Ross Kirsling.
2616
2617         This patch implements Intl.DateTimeFormat dayPeriod option[1]. We can use "narrow", "short", or "long" for dayPeriod,
2618         and it determines how "AM" etc. is represented.
2619
2620         [1]: https://github.com/tc39/ecma402/pull/346
2621
2622         * builtins/DatePrototype.js:
2623         (toLocaleString.toDateTimeOptionsAnyAll):
2624         (toLocaleString):
2625         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2626         (toLocaleTimeString):
2627         * bytecode/BytecodeIntrinsicRegistry.cpp:
2628         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2629         * bytecode/BytecodeIntrinsicRegistry.h:
2630         * runtime/CommonIdentifiers.h:
2631         * runtime/IntlDateTimeFormat.cpp:
2632         (JSC::toDateTimeOptionsAnyDate):
2633         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2634         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2635         (JSC::IntlDateTimeFormat::dayPeriodString):
2636         (JSC::IntlDateTimeFormat::resolvedOptions const):
2637         * runtime/IntlDateTimeFormat.h:
2638         * runtime/OptionsList.h:
2639
2640 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2641
2642         [JSC] super property with new should be accepted
2643         https://bugs.webkit.org/show_bug.cgi?id=215966
2644
2645         Reviewed by Ross Kirsling.
2646
2647         While we should reject `new super` / `new super()`, we should accept `new super.property`.
2648         https://tc39.es/ecma262/#prod-SuperProperty is a child production of https://tc39.es/ecma262/#prod-MemberExpression,
2649         unlike https://tc39.es/ecma262/#prod-SuperCall. So `new` should accept SuperProperty (e.g. `super.xxx`).
2650
2651         * parser/Parser.cpp:
2652         (JSC::Parser<LexerType>::parseMemberExpression):
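
Worked example added here (not code from the WebKit patches): a parse-only probe for the grammar points in the entries above: the `async function` lookahead in ExpressionStatement, the `let [` restriction, for-in's Expression versus for-of's AssignmentExpression, the simple-assignment-target rule for for-in/for-of heads, and `new super.property` versus `new super()`. It uses `Function()` as a script parser, so each snippet is compiled but never run; `new import.meta()` is not probed because `import.meta` only exists in module code. The probe table is constructed for the example, and `expected` follows the cited ECMA-262 productions.

```javascript
// Added example (not JSC code): check which constructs are early SyntaxErrors.
// Each snippet is parsed by Function(), never executed.

// Returns "ok" when the source parses as a function body, otherwise the
// name of the early error (e.g. "SyntaxError").
function parseResult(source) {
  try {
    new Function(source); // parses and compiles; the body does not run
    return "ok";
  } catch (e) {
    return e.name;
  }
}

// Constructed probe cases with the outcome the grammar requires.
const PROBES = [
  // ExpressionStatement has an `async [no LineTerminator] function` lookahead,
  // so an async function declaration cannot be the single body of `if`.
  { src: "if (false) async function t() { }",     expected: "SyntaxError" },
  { src: "if (false) { async function t() { } }", expected: "ok" },
  // `let [` is reserved for lexical declarations and cannot start a statement expression.
  { src: "if (false) let [ok] = [42];",           expected: "SyntaxError" },
  { src: "if (false) { let [ok] = [42]; }",       expected: "ok" },
  // for-in takes Expression (comma allowed); for-of takes AssignmentExpression.
  { src: "for (const k in {a: 1}, {b: 2}) { }",   expected: "ok" },
  { src: "for (const v of [1], [2]) { }",         expected: "SyntaxError" },
  { src: "for (const v of ([1], [2])) { }",       expected: "ok" },
  // The left-hand side must be a simple assignment target, a pattern, or a declaration.
  { src: "for (a + b of [1]) { }",                expected: "SyntaxError" },
  { src: "for ([a, b] of [[1, 2]]) { }",          expected: "ok" },
  // SuperProperty is a MemberExpression, so `new super.m()` parses; SuperCall is not.
  { src: "class B {} class D extends B { constructor() { super(); new super.m(); } }", expected: "ok" },
  { src: "class B {} class D extends B { constructor() { new super(); } }", expected: "SyntaxError" },
];

// Runs every probe and returns those whose result differs from the grammar.
function mismatchedProbes(probes = PROBES) {
  return probes
    .map((p) => ({ ...p, actual: parseResult(p.src) }))
    .filter((p) => p.actual !== p.expected);
}
```

On a spec-conforming engine `mismatchedProbes()` is empty; each non-empty entry names a snippet the parser accepts or rejects contrary to the grammar.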
2653
2654 2020-08-28  Yusuke Suzuki  <ysuzuki@apple.com>
2655
2656         [JSC] `new import.meta()` is acceptable
2657         https://bugs.webkit.org/show_bug.cgi?id=215915
2658
2659         Reviewed by Ross Kirsling.
2660
2661         `new import.meta()` is valid in terms of syntax while it throws a runtime error.
2662         We should accept this code, while `new import()` is not correct syntax.
2663
2664         * parser/Parser.cpp:
2665         (JSC::Parser<LexerType>::parseMemberExpression):
2666
2667 2020-08-27  Alexey Shvayka  <shvaikalesh@gmail.com>
2668
2669         __proto__ in object literal should perform [[SetPrototypeOf]] directly
2670         https://bugs.webkit.org/show_bug.cgi?id=215769
2671
2672         Reviewed by Ross Kirsling.
2673
2674         To fix __proto__ usage in object literals if Object.prototype.__proto__ is overridden
2675         or removed, this patch sets the [[Prototype]] directly, aligning JSC with V8 and
2676         SpiderMonkey. We are safe to skip method table lookups and cycle checks, as the
2677         spec [1] calls [[SetPrototypeOf]] on newly created (unreferenced) ordinary objects.
2678
2679         This change removes PropertyNode::PutType because its only purpose was to accommodate
2680         __proto__ in object literals. Since emitPutConstantProperty() handles static public
2681         class fields, which don't need `super` binding, PropertyNode::isUnderscoreProtoSetter()
2682         is extended to reject class properties.
2683
2684         This patch speeds up creating object literals with __proto__ by 25%.
2685
2686         [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers (step 7.a)
2687
2688         * bytecompiler/BytecodeGenerator.cpp:
2689         (JSC::BytecodeGenerator::emitDirectPutById):
2690         (JSC::BytecodeGenerator::emitDirectSetPrototypeOf):
2691         1. Remove unused `dst` parameter to align with other `put` methods.
2692         2. Remove `divot*` parameters as it's cumbersome to pass them through,
2693            and globalFuncSetPrototypeDirect() never throws anyway.
2694
2695         * bytecompiler/BytecodeGenerator.h:
2696         * bytecompiler/NodesCodegen.cpp:
2697         (JSC::PropertyListNode::emitPutConstantProperty):
2698         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
2699         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2700         (JSC::ClassExprNode::emitBytecode):
2701         * parser/ASTBuilder.h:
2702         (JSC::ASTBuilder::createGetterOrSetterProperty):
2703         (JSC::ASTBuilder::createProperty):
2704         (JSC::ASTBuilder::isUnderscoreProtoSetter const):
2705         * parser/NodeConstructors.h:
2706         (JSC::PropertyNode::PropertyNode):
2707         * parser/Nodes.h:
2708         * parser/Parser.cpp:
2709         (JSC::Parser<LexerType>::parseClass):
2710         (JSC::Parser<LexerType>::parseProperty):
2711         * parser/SyntaxChecker.h:
2712         (JSC::SyntaxChecker::createProperty):
2713         * runtime/JSGlobalObjectFunctions.cpp:
2714         (JSC::globalFuncSetPrototypeDirect):
2715         1. Ignore a prototype value of incorrect type as per spec [1],
2716            which is unobservable for call sites in ClassExprNode::emitBytecode().
2717         2. Assert that JSObject::setPrototypeDirect() doesn't throw.
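
Worked example added here (not code from the WebKit patch): the observable difference between `__proto__: value` in an object literal, which sets [[Prototype]] directly, and the other spellings that create an ordinary own property. The helper temporarily replaces the `Object.prototype.__proto__` accessor with one that counts and refuses use, so a zero count proves the literal never went through it; the `JSON.parse` case is included because it is the form that matters when checking for prototype-pollution exposure. Names and sample values are constructed for the example.

```javascript
// Added example (not JSC code): `__proto__: value` in a literal sets
// [[Prototype]] directly; computed keys, methods and JSON.parse create own keys.

// Runs `fn` with Object.prototype.__proto__ replaced by an accessor that
// counts (and refuses) use, restoring the original descriptor afterwards.
function withTrappedProtoAccessor(fn) {
  const original = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
  const hits = { get: 0, set: 0 };
  Object.defineProperty(Object.prototype, "__proto__", {
    configurable: true,
    get() { hits.get += 1; return undefined; },
    set() { hits.set += 1; throw new Error("__proto__ accessor should not be used"); },
  });
  try {
    return { result: fn(), hits };
  } finally {
    Object.defineProperty(Object.prototype, "__proto__", original);
  }
}

// Classifies how each literal form treats a `__proto__` key. Every flag is
// expected to be true on a spec-conforming engine.
function classifyProtoForms() {
  const proto = { tag: "custom-proto" };
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return withTrappedProtoAccessor(() => {
    const literal = { __proto__: proto };            // sets [[Prototype]]
    const ignored = { __proto__: 42 };               // non-object, non-null: ignored
    const computed = { ["__proto__"]: proto };       // own data property
    const method = { __proto__() { return 1; } };    // own method, not a prototype
    const parsed = JSON.parse('{"__proto__": {"polluted": true}}'); // own data property
    return {
      literalSetsPrototype: Object.getPrototypeOf(literal) === proto,
      literalHasNoOwnKey: !hasOwn(literal, "__proto__"),
      ignoredKeepsDefault: Object.getPrototypeOf(ignored) === Object.prototype,
      computedIsOwn: hasOwn(computed, "__proto__")
        && Object.getPrototypeOf(computed) === Object.prototype,
      methodIsOwn: typeof Object.getOwnPropertyDescriptor(method, "__proto__").value === "function",
      jsonIsOwn: hasOwn(parsed, "__proto__")
        && Object.getPrototypeOf(parsed) === Object.prototype,
      jsonDidNotPollute: ({}).polluted === undefined,
    };
  });
}
```

The accessor counts stay at zero because the literal form resolves to [[SetPrototypeOf]] on the fresh object, which is exactly why removing or overriding `Object.prototype.__proto__` must not change what `{ __proto__: x }` builds.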
2718
2719 2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>
2720
2721         [JSC] setLength in Array#push could get very large length
2722         https://bugs.webkit.org/show_bug.cgi?id=215897
2723         <rdar://problem/67859149>
2724
2725         Reviewed by Keith Miller.
2726
2727         Array#push can get a length larger than UINT32_MAX. And in this case, we should throw a RangeError.
2728         Before r266215, it was using putLength which throws an error. But it was replaced with setLength,
2729         and JSC::setLength assumes that it never gets a length greater than UINT32_MAX by asserting. We
2730         should fix it so that Array#push throws an error correctly.
2731
2732         * runtime/ArrayPrototype.cpp:
2733         (JSC::setLength):
2734
2735 2020-08-27  Saam Barati  <sbarati@apple.com>
2736
2737         GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
2738         https://bugs.webkit.org/show_bug.cgi?id=215894
2739         <rdar://problem/67669696>
2740
2741         Reviewed by Michael Saboff and Keith Miller.
2742
2743         GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
2744         BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
2745         The constant folding for this though was folding to jsUndefined(). I forgot
2746         to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
2747         implementation.
2748
2749         * dfg/DFGAbstractInterpreterInlines.h:
2750         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2751
2752 2020-08-27  Keith Miller  <keith_miller@apple.com>
2753
2754         structureOrNull should take VM instead of getting it from the marked block
2755         https://bugs.webkit.org/show_bug.cgi?id=215899
2756
2757         Reviewed by Yusuke Suzuki.
2758
2759         It's slightly faster to use an existing VM over recomputing the address. It probably doesn't
2760         happen to matter here for performance but it's good hygiene.
2761
2762         * API/tests/JSWrapperMapTests.mm:
2763         (+[JSWrapperMapTests testStructureIdentity]):
2764         * jit/JITOperations.cpp:
2765         * runtime/JSCJSValue.h:
2766         * runtime/JSCJSValueInlines.h:
2767         (JSC::JSValue::structureOrNull const):
2768         (JSC::JSValue::structureOrUndefined const): Deleted.
2769
2770 2020-08-27  Yusuke Suzuki  <ysuzuki@apple.com>
2771
2772         [JSC] Use auxiliary memory for JSBigInt storage
2773         https://bugs.webkit.org/show_bug.cgi?id=215876
2774
2775         Reviewed by Mark Lam.
2776
2777         This makes JSBigInt a non-destructible cell. And it makes allocating JSBigInt from JIT easy.
2778
2779         * runtime/JSBigInt.cpp:
2780         (JSC::JSBigInt::JSBigInt):
2781         (JSC::JSBigInt::visitChildren):
2782         (JSC::JSBigInt::createWithLength):
2783         (JSC::JSBigInt::destroy): Deleted.
2784         * runtime/JSBigInt.h:
2785         * runtime/VM.cpp:
2786         (JSC::VM::VM):
2787
2788 2020-08-27  Keith Miller  <keith_miller@apple.com>
2789
2790         OSR availability validation should run for any node with exitOK
2791         https://bugs.webkit.org/show_bug.cgi?id=215672
2792
2793         Reviewed by Saam Barati.
2794
2795         Currently we only validate OSR exit availability if a node would
2796         say `mayExit(graph, node) != DoesNotExit` and the node is marked
2797         as exitOK. However, it would be perfectly valid to insert a node
2798         that exits anywhere we have a node marked exitOK. So with this
2799         patch we now validate all places where it would ever be possible
2800         to OSR exit.
2801
2802         Relaxing our criteria revealed a number of bugs, however, which I
2803         will describe below in, IMO, increasing complexity/subtlety.
2804
2805         First, we currently don't mark arity fixup during inlining as not
2806         exitOK. However, since our arity code says its code origin is
2807         OpEnter, we assume arity fixup has already happened.
2808
2809         Second, OpGetScope, should not mark its first argument as used
2810         since it's not actually used. This is problematic because we could
2811         have a loop where OpGetScope is the first bytecode, namely when
2812         doing tail recursive inlining. If we were in that position, there
2813         could be a local that was used at a merge point at the loop
2814         backedge that had two MovHint defs from both predecessors. In DFG
2815         IR this would look like:
2816
2817         BB#1:
2818         @1: MovHint(Undefined, loc1)
2819         ...
2820         Jump(#2)
2821
2822         BB#2:
2823         ... // loc1 is live here in bytecode
2824         @2: MovHint(@scopeObject, loc1)
2825         @3: SetLocal(@scopeObject, loc1)
2826         Branch(#3, #4) // #4 is the successor of the tail call loop
2827
2828         BB#3:
2829         @4 MovHint(Undefined, loc1)
2830         ...
2831         Jump(#2)
2832
2833         When we do CPS conversion the MovHints at @1 and @4 will be seen
2834         as different variables (there's no GetLocal). Then, after, during
2835         SSA conversion we won't insert a phi connecting them, making the
2836         argument to OpGetScope, in this case loc1, unrecoverable: there are
2837         conflicting nodes and the value isn't saved on the stack.
2838
2839         There were also issues with MovHintRemoval Phase but rather than
2840         fix them we opted to just remove the phase as it didn't show any
2841         performance impact. I'll describe the issues I found below for
2842         completeness, however.
2843
2844         Third, MovHint removal phase had a bug where it would not mark
2845         sections where a zombied MovHint has yet to be killed as not
2846         exitOK. So in theory another phase could come along and insert an
2847         exiting node there.
2848
2849         Fourth, MovHint removal phase had a second bug where a MovHint
2850         that was not killed in the current block would be zombied, which
2851         is wrong for SSA. It's wrong because the MovHinted value could
2852         still be live for OSR exit in a successor block.
2853
2854         Lastly, this patch adds some new verbose options as well as the ability to
2855         dump a DFG::BasicBlock without dereferencing it.
2856
2857         * bytecode/BytecodeUseDef.cpp:
2858         (JSC::computeUsesForBytecodeIndexImpl):
2859         * dfg/DFGBasicBlock.cpp:
2860         (WTF::printInternal):
2861         * dfg/DFGBasicBlock.h:
2862         * dfg/DFGByteCodeParser.cpp:
2863         (JSC::DFG::ByteCodeParser::inlineCall):
2864         * dfg/DFGCPSRethreadingPhase.cpp:
2865         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
2866         * dfg/DFGEpoch.h:
2867         (JSC::DFG::Epoch::operator bool const):
2868         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2869         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2870         * dfg/DFGSSACalculator.cpp:
2871         (JSC::DFG::SSACalculator::dump const):
2872
2873 2020-08-27  Keith Miller  <keith_miller@apple.com>
2874
2875         JSClassRef should work with JS class syntax.
2876         https://bugs.webkit.org/show_bug.cgi?id=215047
2877
2878         Reviewed by Darin Adler.
2879
2880         This is done by checking if the value returned by the
2881         callAsConstructor parameter to JSObjectMakeConstructor is an
2882         object allocated as the jsClass parameter. When that happens we
2883         replace the prototype of the returned object with the prototype of
2884         the new.target. Ideally we would have passed the derived class's
2885         constructor from the beginning of our support for JS subclassing
2886         but at this point that's probably not compatible with too many
2887         applications.
2888
2889         * API/APICallbackFunction.h:
2890         (JSC::APICallbackFunction::construct):
2891         * API/JSObjectRef.h:
2892         * API/tests/testapi.cpp:
2893         (APIString::APIString):
2894         (TestAPI::markedJSValueArrayAndGC):
2895         (TestAPI::classDefinitionWithJSSubclass):
2896         (testCAPIViaCpp):
2897         * API/tests/testapi.mm:
2898         (testObjectiveCAPI):
2899
2900 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2901
2902         Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject()
2903         https://bugs.webkit.org/show_bug.cgi?id=144457
2904
2905         Reviewed by Saam Barati.
2906
2907         This patch refactors jsTypeofIsObject(), leveraging the fast path of isCallable(),
2908         moves it to the header, and utilizes it in operationTypeOfIsObject() & DFG AI
2909         (minding concurrency) to eliminate code duplication.
2910
2911         Also removes the orphaned slow_path_is_object declaration.
2912
2913         No behavior change, `typeof` microbenchmarks are neutral.
2914
2915         * dfg/DFGAbstractInterpreterInlines.h:
2916         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2917         * dfg/DFGOperations.cpp:
2918         * runtime/CommonSlowPaths.h:
2919         * runtime/Operations.cpp:
2920         (JSC::jsTypeofIsObject): Deleted.
2921         * runtime/Operations.h:
2922         (JSC::jsTypeofIsObjectWithConcurrency):
2923         (JSC::jsTypeofIsObject):
2924
2925 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2926
2927         Merge putLength() into setLength()
2928         https://bugs.webkit.org/show_bug.cgi?id=211279
2929
2930         Reviewed by Darin Adler and Saam Barati.
2931
2932         This patch:
2933
2934         1. Replaces all putLength() call sites with setLength(), saving two JSValue
2935            instantiations in arrayProtoFuncPop() and two in arrayProtoFuncShift().
2936
2937         2. Merges putLength() into setLength(), removing superfluous put() call for
2938            JSArray. Also, performs put() in strict mode to preserve the original
2939            error messages, like ones in ProxyObject::performPut().
2940
2941         3. Inlines performPop(), which avoided an extra index check and Identifier
2942            creation, as it was on the slow path anyway (note JSArray::pop() call).
2943
2944         This change advances provided setLength()-heavy microbenchmark by ~40%,
2945         while existing Array tests are neutral.
2946
2947         * runtime/ArrayPrototype.cpp:
2948         (JSC::setLength):
2949         (JSC::arrayProtoFuncPop):
2950         (JSC::arrayProtoFuncPush):
2951         (JSC::arrayProtoFuncShift):
2952         (JSC::arrayProtoFuncUnShift):
2953         (JSC::putLength): Deleted.
2954
2955 2020-08-26  Saam Barati  <sbarati@apple.com>
2956
2957         Make isIndex use MAX_ARRAY_INDEX
2958         https://bugs.webkit.org/show_bug.cgi?id=215872
2959
2960         Reviewed by Darin Adler.
2961
2962         It's already written in such a way that it relies on what MAX_ARRAY_INDEX
2963         is defined as. But instead of MAX_ARRAY_INDEX, the function was hardcoding
2964         MAX_ARRAY_INDEX + 1.
2965
2966         * runtime/Identifier.h:
2967         (JSC::isIndex):
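
Worked example added here (not code from the WebKit patches) for the two entries above that deal with the array-index and array-length limits: the Array#push fix (a length past UINT32_MAX must be a RangeError, not an assertion failure) and the isIndex boundary (the largest array index is 2^32 - 2, one less than the largest `length`). The same built-in is applied to a real array and to an array-like object so the two behaviours can be compared; the constants and sample objects are constructed for the example.

```javascript
// Added example (not JSC code): array-index and length limits as observed
// from JavaScript. 2^32 - 2 is the largest index; 2^32 - 1 is the largest length.

const MAX_ARRAY_INDEX = 2 ** 32 - 2;   // largest integer that is an array index
const MAX_ARRAY_LENGTH = 2 ** 32 - 1;  // largest value an array's `length` can hold

// Assigning at MAX_ARRAY_INDEX grows `length`; assigning at MAX_ARRAY_INDEX + 1
// creates an ordinary own property and leaves `length` alone.
function arrayIndexBoundary() {
  const a = [];
  a[MAX_ARRAY_INDEX] = "last index";
  const lengthAfterMaxIndex = a.length;            // 4294967295
  a[MAX_ARRAY_INDEX + 1] = "not an index";
  return {
    lengthAfterMaxIndex,
    lengthAfterNonIndex: a.length,                 // unchanged: 4294967295
    nonIndexIsOwnProperty: Object.prototype.hasOwnProperty.call(a, String(MAX_ARRAY_INDEX + 1)),
  };
}

// push on a real array whose length is already MAX_ARRAY_LENGTH stores the
// element under a non-index key and then fails to set length to 2^32.
function pushPastMaxLength() {
  const a = [];
  a.length = MAX_ARRAY_LENGTH;
  try {
    a.push("overflow");
    return "no error";
  } catch (e) {
    return e.name;                                 // "RangeError"
  }
}

// The same built-in on an array-like object may exceed 2^32 - 1, because an
// ordinary object's `length` is just a data property with no range check.
function pushOnArrayLike() {
  const o = { length: MAX_ARRAY_LENGTH };
  Array.prototype.push.call(o, "x");
  return {
    length: o.length,                              // 4294967296
    storedAt: Object.keys(o).find((k) => k !== "length"), // "4294967295"
  };
}
```

The contrast is the point of the setLength fix: the generic push algorithm happily computes lengths above UINT32_MAX, and it is the array's own length setter that must turn that into a RangeError rather than an engine-internal assertion.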
2968
2969 2020-08-26  Alexey Shvayka  <shvaikalesh@gmail.com>
2970
2971         Use unsigned type for `length` of JSFunction
2972         https://bugs.webkit.org/show_bug.cgi?id=215870
2973
2974         Reviewed by Darin Adler.
2975
2976         Since the `length` value of a built-in function is its arity,
2977         we can communicate it's always non-negative via method signatures.
2978
2979         No behavior change: `length` values redefined by user code are unaffected.
2980
2981         * runtime/InternalFunction.cpp:
2982         (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined):
2983         * runtime/InternalFunction.h:
2984         * runtime/JSFunction.cpp:
2985         (JSC::JSFunction::create):
2986         (JSC::JSFunction::finishCreation):
2987         * runtime/JSFunction.h:
2988         * runtime/JSNativeStdFunction.cpp:
2989         (JSC::JSNativeStdFunction::finishCreation):
2990         (JSC::JSNativeStdFunction::create):
2991         * runtime/JSNativeStdFunction.h:
2992
2993 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
2994
2995         [JSC] Enable Intl.Segmenter
2996         https://bugs.webkit.org/show_bug.cgi?id=215854
2997
2998         Reviewed by Ross Kirsling.
2999
3000         This is already stage-3 and all the features are implemented. Let's just enable it.
3001
3002         * runtime/IntlObject.cpp:
3003         (JSC::IntlObject::finishCreation):
3004         * runtime/OptionsList.h:
3005
3006 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
3007
3008         [JSC] Add ASCII comparison fast path for IntlCollator
3009         https://bugs.webkit.org/show_bug.cgi?id=215798
3010
3011         Reviewed by Darin Adler, Ross Kirsling, and Saam Barati.
3012
3013         The idea behind this change is the following: ICU Collator's comparison is too slow. We should have a fast path for ASCII strings when we know it equals the ICU Collator's result.
3014         The problem is that even for ASCII strings, collation is super complicated!
3015
3016             1. Unicode defines the Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which define weights on various levels per code point. UCA also offers
3017                the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using the ICU Root Collator.
3018             2. UCA collation consists of rules, which define how collation works. And ICU locales define customized collations by adding special rules to that.
3019             3. UCA behaves differently with different options.
3020
3021         Based on that, our observation is that some major locales do not define additional rules in (2). This means that they behave the same as UCA with DUCET.
3022         This patch implements a simplified version of comparison which generates the same results for ASCII strings (excluding control characters) as UCA with DUCET. This fast path is usable only when the following conditions are met.
3023
3024             1. The collator does not have additional rules beyond the ICU Root Collator.
3025             2. The collator is using default options.
3026
3027         These checks are very important since there are a lot of edge-case locales. For example,
3028
3029             1. th (Thai language) ignores punctuation (even including ASCII punctuation) by default. This is defined as the ignore-punctuation option being enabled by default, so without (2)'s check, th comparison becomes wrong.
3030             2. There is a contraction concept (multiple letters behave as a single letter). The "ch" letters are ordered interestingly in the Czech language. So even in ASCII, Czech shows very interesting collation behavior.
3031
3032         So we cannot safely take this fast path without carefully querying the information from ICU.
3033
3034         This shows 37% improvement in JetStream2/cdjs in en-US environment.
3035
3036         * runtime/IntlCollator.cpp:
3037         (JSC::IntlCollator::initializeCollator):
3038         (JSC::IntlCollator::compareStrings const):
3039         (JSC::canDoASCIIUCADUCETComparisonWithUCollator):
3040         (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const):
3041         (JSC::IntlCollator::checkICULocaleInvariants):
3042         * runtime/IntlCollator.h:
3043         * runtime/IntlObject.cpp:
3044         (JSC::intlCollatorAvailableLocales):
3045         * runtime/IntlObject.h:
3046         * runtime/IntlObjectInlines.h:
3047         (JSC::canUseASCIIUCADUCETComparison):
3048         (JSC::compareASCIIWithUCADUCET):
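
Worked example added here (not code from the WebKit patch): the gating the entry describes, expressed against the public Intl.Collator API. One function checks that a collator resolved to the default option set (condition 2 above); the other compares a naive UTF-16 code-unit ordering with the collator on ASCII pairs and reports where the signs disagree, which is the set of inputs an ASCII fast path has to reproduce rather than shortcut. The option table and sample pairs are constructed for the example; the rule check (condition 1) has no public API and is not modelled.

```javascript
// Added example (not JSC code): fast-path preconditions and a case showing
// why plain code-unit comparison is not equivalent to collation.

// Option values of an unmodified default collator. A collator that resolves
// differently (e.g. th, whose ignorePunctuation defaults to true) is outside
// the set a DUCET-equivalent fast path may serve.
const DEFAULT_COLLATOR_OPTIONS = {
  usage: "sort",
  sensitivity: "variant",
  ignorePunctuation: false,
  numeric: false,
  caseFirst: "false",
};

// Returns true when the collator resolved to the default option set.
function hasDefaultCollatorOptions(collator) {
  const resolved = collator.resolvedOptions();
  return Object.entries(DEFAULT_COLLATOR_OPTIONS).every(([k, v]) => resolved[k] === v);
}

// A naive comparator that orders by UTF-16 code units, as `<` on strings does.
function codeUnitCompare(a, b) {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Constructed ASCII pairs; the comments state the DUCET (root) ordering.
const ASCII_PAIRS = [
  ["a", "B"],   // letters compare alphabetically before case: "a" < "B"
  ["a", "A"],   // lowercase sorts before uppercase at the tertiary level
  ["-", "1"],   // punctuation sorts before digits in both orderings
  ["1", "a"],   // digits sort before letters in both orderings
  ["ab", "a"],  // a prefix sorts first in both orderings
];

// Compares each pair under both comparators and returns the pairs whose
// result signs disagree: the inputs a fast path must handle explicitly.
function collationDisagreements(locale = "en", pairs = ASCII_PAIRS) {
  const collator = new Intl.Collator(locale);
  return pairs.filter(([a, b]) =>
    Math.sign(collator.compare(a, b)) !== Math.sign(codeUnitCompare(a, b)));
}
```

For `en`, the two disagreeing pairs are the case-related ones, which is why the patch's fast path mirrors DUCET weights rather than comparing bytes; the same probe against `th` or `cs` collators (with full ICU data) shows the punctuation and contraction cases the entry warns about.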
3049
3050 2020-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
3051
3052         [JSC] Implement Intl.DateTimeFormat fractionalSecondDigits
3053         https://bugs.webkit.org/show_bug.cgi?id=215840
3054
3055         Reviewed by Ross Kirsling.
3056
3057         This patch implements fractionalSecondDigits option for Intl.DateTimeFormat. If it is
3058         specified, milliseconds in N digits are represented in the formatted output.
3059         This extension is about to be merged into the spec[1]. SpiderMonkey and V8 support it,
3060         and V8 shipped it without flags.
3061
3062         [1]: https://github.com/tc39/ecma402/pull/347
3063
3064         * builtins/DatePrototype.js:
3065         (toLocaleString.toDateTimeOptionsAnyAll):
3066         (toLocaleString):
3067         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3068         (toLocaleTimeString):
3069         * runtime/CommonIdentifiers.h:
3070         * runtime/IntlDateTimeFormat.cpp:
3071         (JSC::toDateTimeOptionsAnyDate):
3072         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
3073         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3074         (JSC::IntlDateTimeFormat::resolvedOptions const):
3075         (JSC::partTypeString):
3076         * runtime/IntlDateTimeFormat.h:
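
Worked example added here (not code from the WebKit patches) covering the dayPeriod entry (2020-08-28), the fractionalSecondDigits entry above, and the Intl.RelativeTimeFormat grouping entry (2020-08-30): each option is exercised through the public Intl API and the result is read back from `formatToParts` or `format`. The sample instant is constructed; the dayPeriod text itself comes from locale data, so only the presence of a `dayPeriod` part is checked.

```javascript
// Added example (not JSC code): observing fractionalSecondDigits, dayPeriod
// and locale-sensitive grouping through the public Intl API.

// A constructed instant: 2020-08-26T10:05:07.123Z.
const SAMPLE = new Date(Date.UTC(2020, 7, 26, 10, 5, 7, 123));

// Returns the value of the first part with the given type, or undefined.
function partValue(parts, type) {
  const part = parts.find((p) => p.type === type);
  return part && part.value;
}

// fractionalSecondDigits: N emits the N most significant millisecond digits
// as a separate "fractionalSecond" part (truncated, not rounded).
function fractionalSecondPart(digits, date = SAMPLE) {
  const fmt = new Intl.DateTimeFormat("en", {
    minute: "2-digit",
    second: "2-digit",
    fractionalSecondDigits: digits,
    timeZone: "UTC",
  });
  return {
    resolved: fmt.resolvedOptions().fractionalSecondDigits,
    value: partValue(fmt.formatToParts(date), "fractionalSecond"),
  };
}

// dayPeriod selects how the AM/PM-like text is rendered ("narrow", "short",
// "long"); the text is locale data, the part type is always "dayPeriod".
function dayPeriodPart(style, date = SAMPLE) {
  const fmt = new Intl.DateTimeFormat("en", {
    hour: "numeric",
    hour12: true,
    dayPeriod: style,
    timeZone: "UTC",
  });
  return partValue(fmt.formatToParts(date), "dayPeriod");
}

// RelativeTimeFormat must apply the locale's digit grouping to large values.
function relativeDays(n, locale = "en") {
  return new Intl.RelativeTimeFormat(locale).format(n, "day");
}
```

With the sample instant, `fractionalSecondPart(3).value` is "123" and `fractionalSecondPart(1).value` is "1"; `relativeDays(1000000)` contains the grouped digits "1,000,000" in `en`.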
3077
3078 2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
3079
3080         [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr
3081         https://bugs.webkit.org/show_bug.cgi?id=215833
3082
3083         Reviewed by Mark Lam.
3084
3085         While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function).
3086         m_origin always points to the appropriate origin. We should use it instead.
3087
3088         * ftl/FTLLowerDFGToB3.cpp:
3089         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
3090         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
3091         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3092         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3093         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3094         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3095         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
3096         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3097         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
3098         (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
3099         (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
3100         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
3101         (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
3102         (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
3103         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
3104         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3105         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
3106         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
3107         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
3108         (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
3109         (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
3110         (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec):
3111         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3112         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
3113         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
3114         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
3115         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
3116         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
3117         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
3118         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3119         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3120         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
3121         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
3122         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
3123         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3124         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
3125         (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
3126         (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
3127         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3128         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3129         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3130         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3131         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
3132         (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
3133         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
3134         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
3135         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
3136         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
3137         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3138         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
3139         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
3140         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
3141         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
3142         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3143         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3144         (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
3145         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
3146         (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly):
3147         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3148         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
3149         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
3150         (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
3151         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3152         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3153         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
3154         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
3155         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
3156         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3157         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3158         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3159         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3160         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
3161         (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
3162         (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
3163         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
3164         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
3165         (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey):
3166         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3167         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3168         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
3169         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3170         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
3171         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
3172         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3173         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
3174         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3175         (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength):
3176         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
3177         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3178         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
3179         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
3180         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
3181         (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
3182         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3183         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3184         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
3185         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
3186         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject):
3187         (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable):
3188         (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor):
3189         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
3190         (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
3192         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
3193         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3194         (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
3195         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl):
3196         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3197         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
3198         (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
3199         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3200         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
3201         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3202         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
3203         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3204         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
3205         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3206         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3207         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3208         (JSC::FTL::DFG::LowerDFGToB3::compare):
3209         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3210         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
3211         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
3212         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
3213         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
3214         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
3215         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
3216         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
3217         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
3218         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3219         (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
3220         (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
3221         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
3222         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3223         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3224         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
3225         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
3226         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3227         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
3228         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3229         (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid):
3230         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3231         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
3232         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
3233         * jsc.cpp:
3234         (runJSC):
3235         * runtime/OptionsList.h:
3236
3237 2020-08-25  Devin Rousso  <drousso@apple.com>
3238
3239         Web Inspector: breakpoint condition should be evaluated before the ignore count
3240         https://bugs.webkit.org/show_bug.cgi?id=215364
3241         <rdar://problem/67310703>
3242
3243         Reviewed by Joseph Pecoraro.
3244
3245         Previously, when pausing, `JSC::Breakpoint` would check its `ignoreCount` before it
3246         would even attempt to evaluate its `condition`. This meant that a `JSC::Breakpoint` with
3247         a `condition` of `foo === 42` and an `ignoreCount` of `3` would ignore the first three
3248         pauses and then only pause if `foo === 42`. This is likely contrary to the expectation of
3249         most users (especially since the `condition` input is before the `ignoreCount` input in
3250         the Web Inspector frontend UI) in that they would probably expect to ignore the first
3251         three pauses if `foo === 42`.
3252
3253         * debugger/Breakpoint.cpp:
3254         (JSC::Breakpoint::shouldPause):
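
        The two evaluation orders, as an added example that is not part of this ChangeLog or of JSC's
        code: a small JavaScript model of shouldPause() driven over a constructed sequence of `foo`
        values, so the difference in which hits actually pause is visible. The field names `hitCount`
        and `ignoreCount` and the helper names are illustrative assumptions; `condition` is a plain
        predicate here, whereas JSC evaluates a source string in the paused frame.

```javascript
// Added example (not WebKit code): a model of Breakpoint::shouldPause that makes the
// ordering of the condition check and the ignore count observable.

// Old order: consume the ignore count first, then consult the condition.
function shouldPauseIgnoreCountFirst(bp, scope) {
  bp.hitCount += 1;
  if (bp.hitCount <= bp.ignoreCount) return false;
  return bp.condition(scope);
}

// New order (what the patch does): only hits that satisfy the condition count
// towards the ignore count, so "ignore 3" means "ignore the first 3 matching hits".
function shouldPauseConditionFirst(bp, scope) {
  if (!bp.condition(scope)) return false;
  bp.hitCount += 1;
  return bp.hitCount > bp.ignoreCount;
}

// Drives one breakpoint over a sequence of `foo` values and returns the indices
// (statement executions) at which the debugger would pause.
function pauseIndices(shouldPause, fooValues, { condition, ignoreCount }) {
  const bp = { condition, ignoreCount, hitCount: 0 };
  const paused = [];
  fooValues.forEach((foo, i) => {
    if (shouldPause(bp, { foo })) paused.push(i);
  });
  return paused;
}

// Constructed sample: the statement is reached seven times; `foo` is 42 on five of them.
const SAMPLE_FOO_VALUES = [1, 42, 2, 42, 42, 42, 42];
const SAMPLE_BREAKPOINT = { condition: (scope) => scope.foo === 42, ignoreCount: 3 };

function compareOrders() {
  return {
    // Ignores hits 0..2 regardless of foo, then pauses on every remaining foo === 42.
    ignoreCountFirst: pauseIndices(shouldPauseIgnoreCountFirst, SAMPLE_FOO_VALUES, SAMPLE_BREAKPOINT),
    // Ignores the first three hits where foo === 42, then pauses on the rest.
    conditionFirst: pauseIndices(shouldPauseConditionFirst, SAMPLE_FOO_VALUES, SAMPLE_BREAKPOINT),
  };
}
```

        With the sample above the old order pauses four times and the new order twice, which is
        the behaviour the entry describes users expecting.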
3255
3256 2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>
3257
3258         Invalid early error for object literal method named "__proto__"
3259         https://bugs.webkit.org/show_bug.cgi?id=215760
3260
3261         Reviewed by Ross Kirsling.
3262
3263         According to Annex B [1], `{ __proto__: null, __proto__() {} }` is a valid object literal as the second
3264         `__proto__` wasn't obtained from `PropertyDefinition : PropertyName : AssignmentExpression` production.
3265         Currently, JSC throws an early SyntaxError, unlike V8 and SpiderMonkey.
3266
3267         Since a method needs `super` binding, the most straightforward fix would be adding SuperBinding field
3268         to SyntaxChecker::Property and exposing it via an accessor. However, given that Property is a very
3269         common structure, this approach would noticeably increase memory pressure during parsing.
3270
3271         Instead, this patch reworks SyntaxChecker::Property to accept `isUnderscoreProtoSetter` parameter,
3272         removing optional `name` field, its accessor, and shouldCheckPropertyForUnderscoreProtoDuplicate(),
3273         which reduces sizeof(SyntaxChecker::Property) by a factor of 8: from 16 to 2 bytes.
3274         Also, this change avoids two extra makeNumericIdentifier() calls, speeding up numeric keys parsing.
3275
3276         This approach is feasible because "__proto__" is the only identifier-based early error for object
3277         literals [2], with no such errors being added in upcoming stage 2-4 proposals.
3278
3279         Additionally, this patch removes `strict` / `complete` bool parameter from {parse,create}Property()
3280         signatures as a) it was always `true`, b) is now unused, and c) strict mode can be checked via scope.
3281
3282         [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers
3283         [2]: https://tc39.es/ecma262/#sec-object-initializer-static-semantics-early-errors
3284
3285         * parser/ASTBuilder.h:
3286         (JSC::ASTBuilder::createGetterOrSetterProperty):
3287         (JSC::ASTBuilder::createProperty):
3288         (JSC::ASTBuilder::isUnderscoreProtoSetter const):
3289         (JSC::ASTBuilder::getName const): Deleted.
3290         * parser/Nodes.h:
3291         * parser/Parser.cpp:
3292         (JSC::Parser<LexerType>::parseClass):
3293         (JSC::Parser<LexerType>::parseProperty):
3294         (JSC::Parser<LexerType>::parseGetterSetter):
3295         (JSC::Parser<LexerType>::parseObjectLiteral):
3296         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate): Deleted.
3297         * parser/Parser.h:
3298         * parser/SyntaxChecker.h:
3299         (JSC::SyntaxChecker::SyntaxChecker):
3300         (JSC::SyntaxChecker::Property::Property):
3301         (JSC::SyntaxChecker::Property::operator!):
3302         (JSC::SyntaxChecker::createProperty):
3303         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3304         (JSC::SyntaxChecker::operatorStackPop):
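
        Which `__proto__` spellings are early errors, as an added example that is not part of this
        ChangeLog or of JSC's code. It parses constructed object-literal sources with `new Function`
        (nothing is executed) and then shows at runtime that `__proto__: value` sets [[Prototype]]
        while a method or computed key of the same name only defines an own property. Helper names
        are illustrative assumptions.

```javascript
// Added example (not WebKit code): probes which `__proto__` forms in an object literal
// are Annex B early errors and which merely define an own property.

// Returns true if `source` (an expression) parses, false if it is an early SyntaxError.
function parsesAsExpression(source) {
  try {
    new Function(`return (${source});`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Only `PropertyName : AssignmentExpression` with a non-computed name "__proto__"
// (identifier or string literal) participates in the duplicate check; methods and
// computed keys do not, so the second form below is valid.
function protoDuplicateRules() {
  return {
    twoDataProps:        parsesAsExpression('{ __proto__: null, __proto__: null }'),    // false
    stringAndIdentifier: parsesAsExpression('{ "__proto__": null, __proto__: null }'),  // false
    dataPropAndMethod:   parsesAsExpression('{ __proto__: null, __proto__() {} }'),     // true
    dataPropAndComputed: parsesAsExpression('{ __proto__: null, ["__proto__"]: 1 }'),   // true
  };
}

// Runtime view of the same distinction: the data-property form changes [[Prototype]],
// the method and computed forms create own properties named "__proto__".
function protoRuntimeSemantics() {
  const obj = { __proto__: null, __proto__() { return "own method"; } };
  const computed = { ["__proto__"]: 1 };
  return {
    prototypeIsNull: Object.getPrototypeOf(obj) === null,
    methodIsOwn: Object.prototype.hasOwnProperty.call(obj, "__proto__"),
    methodResult: obj.__proto__(),
    computedIsOwn: Object.prototype.hasOwnProperty.call(computed, "__proto__"),
    computedPrototypeUnchanged: Object.getPrototypeOf(computed) === Object.prototype,
  };
}
```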
3305
3306 2020-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
3307
3308         [JSC] Add concurrency-aware version of isCallable / isConstructor to make it usable in DFG compiler
3309         https://bugs.webkit.org/show_bug.cgi?id=215746
3310
3311         Reviewed by Saam Barati.
3312
3313         This patch adds isCallableWithConcurrency and isConstructorWithConcurrency to JSCell, JSValue etc.
3314         This can work even if it is called from concurrent compiler threads. We also add jsTypeStringForValueWithConcurrency
3315         and jsTypeofIsFunctionWithConcurrency which are using the above WithConcurrency functionalities.
3316
3317         * CMakeLists.txt:
3318         * JavaScriptCore.xcodeproj/project.pbxproj:
3319         * dfg/DFGAbstractInterpreterInlines.h:
3320         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3321         * runtime/Concurrency.h: Added.
3322         (WTF::printInternal):
3323         * runtime/InternalFunction.cpp:
3324         (JSC::InternalFunction::finishCreation):
3325         (JSC::InternalFunction::getCallData):
3326         (JSC::InternalFunction::getConstructData):
3327         * runtime/JSCJSValue.h:
3328         * runtime/JSCJSValueInlines.h:
3329         (JSC::JSValue::isCallableWithConcurrency const):
3330         (JSC::JSValue::isConstructorWithConcurrency const):
3331         * runtime/JSCell.h:
3332         * runtime/JSCellInlines.h:
3333         (JSC::JSCell::isCallableWithConcurrency):
3334         (JSC::JSCell::isConstructorWithConcurrency):
3335         (JSC::JSCell::isCallable):
3336         (JSC::JSCell::isConstructor):
3337         * runtime/JSFunction.cpp:
3338         (JSC::JSFunction::finishCreation):
3339         (JSC::JSFunction::getCallData):
3340         (JSC::JSFunction::getConstructData):
3341         * runtime/NumberPrototype.cpp:
3342         (JSC::throwVMToThisNumberError):
3343         * runtime/Operations.cpp:
3344         (JSC::jsTypeStringForValueWithConcurrency):
3345         (JSC::jsTypeStringForValue): Deleted.
3346         * runtime/Operations.h:
3347         (JSC::jsTypeofIsFunctionWithConcurrency):
3348         (JSC::jsTypeStringForValue):
3349         (JSC::jsTypeofIsFunction):
3350
3351 2020-08-25  Alexey Shvayka  <shvaikalesh@gmail.com>
3352
3353         Implementation of the class "extends" clause incorrectly uses __proto__ for setting prototypes
3354         https://bugs.webkit.org/show_bug.cgi?id=205848
3355
3356         Reviewed by Keith Miller.
3357
3358         To prevent `class extends` from breaking if Object.prototype.__proto__ is overridden
3359         or removed, this patch replaces OpPutById bytecodes in ClassExprNode::emitBytecode()
3360         with JSObject::setPrototypeDirect() invocations via OpCall.
3361
3362         Since the spec sets [[Prototype]] values directly [1], we are safe to skip method
3363         table lookups and cycle checks.
3364
3365         Although this approach adds 4 `mov` ops to emitted bytecode for `class extends` creation,
3366         increasing instruction count to 35, I prefer it over introducing a slow path only op.
3367         To avoid emitting 2 extra `mov` ops, globalFuncSetPrototypeDirect() uses thisRegister().
3368
3369         Aligns JSC with V8 and SpiderMonkey. Derived class creation microbenchmark is neutral.
3370
3371         [1]: https://tc39.es/ecma262/#sec-createbuiltinfunction (step 7)
3372
3373         * builtins/BuiltinNames.h:
3374         * bytecode/BytecodeDumper.cpp:
3375         (JSC::CodeBlockBytecodeDumper<Block>::dumpConstants): Fix typo.
3376         * bytecode/LinkTimeConstant.h:
3377         * bytecompiler/BytecodeGenerator.cpp:
3378         (JSC::BytecodeGenerator::emitSetPrototypeOf):
3379         * bytecompiler/BytecodeGenerator.h:
3380         * bytecompiler/NodesCodegen.cpp:
3381         (JSC::ClassExprNode::emitBytecode):
3382         * parser/Nodes.h:
3383         * runtime/JSGlobalObject.cpp:
3384         (JSC::JSGlobalObject::init):
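
        Why this matters in hardened environments, as an added example that is not part of this
        ChangeLog or of JSC's code: two ways of wiring up a derived class's prototype chains are run
        with `Object.prototype.__proto__` deleted (a common prototype-pollution mitigation). The
        accessor-based wiring, which mirrors the put_by_id approach the entry replaces, silently
        creates own "__proto__" data properties; setting [[Prototype]] directly, and the `class
        extends` syntax, keep working. Function and helper names are illustrative assumptions.

```javascript
// Added example (not WebKit code): contrasts assigning through the `__proto__`
// accessor with setting [[Prototype]] directly when the accessor has been removed.

// Mimics the pre-patch strategy: depends on the Object.prototype.__proto__ setter.
function wireUpViaProtoAccessor(Derived, Base) {
  Derived.prototype.__proto__ = Base.prototype;
  Derived.__proto__ = Base;
}

// Spec-shaped strategy: sets [[Prototype]] directly, no accessor lookup involved.
function wireUpDirectly(Derived, Base) {
  Object.setPrototypeOf(Derived.prototype, Base.prototype);
  Object.setPrototypeOf(Derived, Base);
}

function chainsAreCorrect(Derived, Base) {
  return Object.getPrototypeOf(Derived.prototype) === Base.prototype
      && Object.getPrototypeOf(Derived) === Base;
}

// Runs `body` with Object.prototype.__proto__ deleted and restores it afterwards.
function withoutProtoAccessor(body) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
  delete Object.prototype.__proto__;
  try {
    return body();
  } finally {
    if (saved) Object.defineProperty(Object.prototype, "__proto__", saved);
  }
}

function compareStrategies() {
  return withoutProtoAccessor(() => {
    function Base() {}
    Base.prototype.greet = function () { return "base"; };

    function ViaAccessor() {}
    wireUpViaProtoAccessor(ViaAccessor, Base);

    function Direct() {}
    wireUpDirectly(Direct, Base);

    // The `class ... extends` syntax must behave like the direct strategy.
    class Syntactic extends Base {}

    return {
      viaAccessor: chainsAreCorrect(ViaAccessor, Base),   // false: chains never changed
      direct: chainsAreCorrect(Direct, Base),             // true
      syntactic: chainsAreCorrect(Syntactic, Base),       // true in a conformant engine
      // The failed assignment left a plain own property behind instead.
      viaAccessorLeftOwnProperty: Object.prototype.hasOwnProperty.call(ViaAccessor.prototype, "__proto__"),
      syntacticInherits: new Syntactic().greet(),
    };
  });
}
```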
3385
3386 2020-08-24  Keith Miller  <keith_miller@apple.com>
3387
3388         DFG should always run CFG Simplification after Constant Folding.
3389         https://bugs.webkit.org/show_bug.cgi?id=215286
3390
3391         Reviewed by Robin Morisset.
3392
3393         We didn't do this originally because LICM, many years ago, was
3394         unsound if the CFG didn't have exactly the right shape around
3395         loops. This is no longer true so we don't have to worry about
3396         changing the CFG anymore. While this doesn't appear to be a
3397         speedup on JetStream 2 CFG, probably because we'd eventually
3398         simplify the graph in B3, CFG Simplification is very cheap and
3399         makes other DFG optimizations easier in the future.
3400
3401         Also, remove unnecessary validation rule that no exitOKs can come
3402         before any Phi nodes in DFG. This isn't required and fails after
3403         merging two basic blocks where the latter block has a Phi.
3404
3405         * dfg/DFGCFGSimplificationPhase.cpp:
3406         (JSC::DFG::CFGSimplificationPhase::run):
3407         * dfg/DFGPlan.cpp:
3408         (JSC::DFG::Plan::compileInThreadImpl):
3409         * dfg/DFGValidate.cpp:
3410
3411 2020-08-24  Keith Miller  <keith_miller@apple.com>
3412
3413         Remove MovHintRemoval phase
3414         https://bugs.webkit.org/show_bug.cgi?id=215785
3415
3416         Reviewed by Saam Barati.
3417
3418         The MovHintRemoval phase doesn't play nicely with our OSR
3419         Availability. Specifically, it needs to do a tricky dance where it
3420         marks all the live ranges of the ZombieHints as not
3421         exitOK. There's also an issue because we treated unused locals as
3422         kill in this block, which is wrong for SSA when a MovHint is
3423         used in another block. Since removing MovHintRemoval isn't a
3424         performance regression, we are removing it rather than fixing bugs
3425         related to it. Relatedly, since the only place we produce
3426         ZombieHints is MovHintRemoval this patch also removes that node
3427         type.
3428
3429         * Sources.txt:
3430         * dfg/DFGAbstractInterpreterInlines.h:
3431         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3432         * dfg/DFGClobberize.h:
3433         (JSC::DFG::clobberize):
3434         * dfg/DFGClobbersExitState.cpp:
3435         (JSC::DFG::clobbersExitState):
3436         * dfg/DFGDoesGC.cpp:
3437         (JSC::DFG::doesGC):
3438         * dfg/DFGFixupPhase.cpp:
3439         (JSC::DFG::FixupPhase::fixupNode):
3440         * dfg/DFGMayExit.cpp:
3441         * dfg/DFGMovHintRemovalPhase.cpp: Removed.
3442         * dfg/DFGMovHintRemovalPhase.h: Removed.
3443         * dfg/DFGNode.h:
3444         (JSC::DFG::Node::containsMovHint):
3445         (JSC::DFG::Node::hasUnlinkedOperand):
3446         * dfg/DFGNodeType.h:
3447         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3448         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3449         * dfg/DFGPhantomInsertionPhase.cpp:
3450         * dfg/DFGPlan.cpp:
3451         (JSC::DFG::Plan::compileInThreadImpl):
3452         * dfg/DFGPredictionPropagationPhase.cpp:
3453         * dfg/DFGSafeToExecute.h:
3454         (JSC::DFG::safeToExecute):
3455         * dfg/DFGSpeculativeJIT.cpp:
3456         (JSC::DFG::SpeculativeJIT::compileMovHint):
3457         * dfg/DFGSpeculativeJIT32_64.cpp:
3458         (JSC::DFG::SpeculativeJIT::compile):
3459         * dfg/DFGSpeculativeJIT64.cpp:
3460         (JSC::DFG::SpeculativeJIT::compile):
3461         * dfg/DFGVarargsForwardingPhase.cpp:
3462         * ftl/FTLCapabilities.cpp:
3463         (JSC::FTL::canCompile):
3464         * ftl/FTLLowerDFGToB3.cpp:
3465         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
3466         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3467         * runtime/OptionsList.h:
3468
3469 2020-08-24  Devin Rousso  <drousso@apple.com>
3470
3471         Web Inspector: rename `ScriptDebugServer` subclasses/methods
3472         https://bugs.webkit.org/show_bug.cgi?id=215363
3473         <rdar://problem/67310441>
3474
3475         Reviewed by Brian Burg.
3476
3477         r266074 merged `Inspector::ScriptDebugServer` into `JSC::Debugger`. All subclasses and
3478         functions should be renamed to match this change.
3479
3480         * JavaScriptCore.xcodeproj/project.pbxproj:
3481         * Sources.txt:
3482         * inspector/InspectorEnvironment.h:
3483         * inspector/JSGlobalObjectDebugger.h: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.h.
3484         * inspector/JSGlobalObjectDebugger.cpp: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.cpp.
3485         * inspector/JSGlobalObjectInspectorController.h:
3486         * inspector/JSGlobalObjectInspectorController.cpp:
3487         * inspector/agents/InspectorAuditAgent.h:
3488         * inspector/agents/InspectorAuditAgent.cpp:
3489         * inspector/agents/InspectorDebuggerAgent.h:
3490         * inspector/agents/InspectorDebuggerAgent.cpp:
3491         * inspector/agents/InspectorRuntimeAgent.h:
3492         * inspector/agents/InspectorRuntimeAgent.cpp:
3493         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3494         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3495         * inspector/remote/RemoteInspectionTarget.cpp:
3496         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3497
3498 2020-08-24  Devin Rousso  <drousso@apple.com>
3499
3500         Web Inspector: allow event breakpoints to be configured
3501         https://bugs.webkit.org/show_bug.cgi?id=215362
3502         <rdar://problem/66932921>
3503
3504         Reviewed by Brian Burg.
3505
3506         This allows developers to do things like:
3507          - only pause when `window.event.type` is a certain value
3508          - ignore the first N pauses
3509          - evaluate JavaScript whenever an event listener is invoked without pausing
3510
3511         * inspector/protocol/DOM.json:
3512         Add an `options` parameter to `DOM.setBreakpointForEventListener` to allow configuration.
3513
3514         * inspector/protocol/DOMDebugger.json:
3515         Add an `options` parameter to `DOMDebugger.setEventBreakpoint` to allow configuration.
3516
3517         * debugger/Breakpoint.h:
3518         (JSC::Breakpoint::id const): Added.
3519         (JSC::Breakpoint::sourceID const): Added.
3520         (JSC::Breakpoint::lineNumber const): Added.
3521         (JSC::Breakpoint::columnNumber const): Added.
3522         (JSC::Breakpoint::condition const): Added.
3523         (JSC::Breakpoint::actions const): Added.
3524         (JSC::Breakpoint::isAutoContinue const): Added.
3525         (JSC::Breakpoint::resetHitCount): Added.
3526         (JSC::Breakpoint::isLinked const): Added.
3527         (JSC::Breakpoint::isResolved const): Added.
3528         (JSC::BreakpointsList::~BreakpointsList): Deleted.
3529         * debugger/Breakpoint.cpp: Added.
3530         (JSC::Breakpoint::Action::Action): Added.
3531         (JSC::Breakpoint::create): Added.
3532         (JSC::Breakpoint::Breakpoint): Added.
3533         (JSC::Breakpoint::link): Added.
3534         (JSC::Breakpoint::resolve): Added.
3535         (JSC::Breakpoint::shouldPause): Added.
3536         Unify `JSC::Breakpoint` and `Inspector::ScriptBreakpoint`.
3537
3538         * debugger/DebuggerPrimitives.h:
3539         * debugger/Debugger.h:
3540         * debugger/Debugger.cpp:
3541         (JSC::Debugger::Debugger):
3542         (JSC::Debugger::addObserver): Added.
3543         (JSC::Debugger::removeObserver): Added.
3544         (JSC::Debugger::canDispatchFunctionToObservers const): Added.
3545         (JSC::Debugger::dispatchFunctionToObservers): Added.
3546         (JSC::Debugger::sourceParsed): Added.
3547         (JSC::Debugger::toggleBreakpoint):
3548         (JSC::Debugger::applyBreakpoints):
3549         (JSC::Debugger::resolveBreakpoint):
3550         (JSC::Debugger::setBreakpoint):
3551         (JSC::Debugger::removeBreakpoint):
3552         (JSC::Debugger::didHitBreakpoint): Added.
3553         (JSC::Debugger::clearBreakpoints):
3554         (JSC::Debugger::evaluateBreakpointCondition): Added.
3555         (JSC::Debugger::evaluateBreakpointActions): Added.
3556         (JSC::Debugger::schedulePauseAtNextOpportunity): Added.
3557         (JSC::Debugger::cancelPauseAtNextOpportunity): Added.
3558         (JSC::Debugger::schedulePauseForSpecialBreakpoint): Added.
3559         (JSC::Debugger::cancelPauseForSpecialBreakpoint): Added.
3560         (JSC::Debugger::continueProgram):
3561         (JSC::Debugger::stepNextExpression):
3562         (JSC::Debugger::stepIntoStatement):
3563         (JSC::Debugger::stepOverStatement):
3564         (JSC::Debugger::stepOutOfFunction):
3565         (JSC::Debugger::pauseIfNeeded):
3566         (JSC::Debugger::handlePause): Added.
3567         (JSC::Debugger::exceptionOrCaughtValue): Added.
3568         (JSC::Debugger::atExpression):
3569         (JSC::Debugger::clearNextPauseState):
3570         (JSC::Debugger::willRunMicrotask): Added.
3571         (JSC::Debugger::didRunMicrotask): Added.
3572         (JSC::Debugger::hasBreakpoint): Deleted.
3573         (JSC::Debugger::setPauseOnNextStatement): Deleted.
3574         Unify `JSC::Debugger` and `Inspector::ScriptDebugServer` to simplify breakpoint logic.
3575         Introduce the concept of a "special breakpoint", which is essentially a `JSC::Breakpoint`
3576         that is expected to pause at the next opportunity but isn't tied to a particular location.
3577         As an example, whenever an event breakpoint is hit, instead of just pausing at the next
3578         opportunity, the newly managed `JSC::Breakpoint` is used as a "special breakpoint", allowing
3579         for its configuration (e.g. condition, ignore count, actions, auto-continue) to be used.
3580
3581         * inspector/agents/InspectorDebuggerAgent.h:
3582         * inspector/agents/InspectorDebuggerAgent.cpp:
3583         (Inspector::objectGroupForBreakpointAction):
3584         (Inspector::breakpointActionTypeForString): Added.
3585         (Inspector::parseBreakpointOptions): Added.
3586         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::fromPayload): Added.
3587         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::ProtocolBreakpoint): Added.
3588         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::createDebuggerBreakpoint const): Added.
3589         (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::matchesScriptURL const): Added.
3590         (Inspector::InspectorDebuggerAgent::debuggerBreakpointFromPayload): Added.
3591         (Inspector::InspectorDebuggerAgent::enable):
3592         (Inspector::InspectorDebuggerAgent::disable):
3593         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3594         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3595         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
3596         (Inspector::buildDebuggerLocation):
3597         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3598         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3599         (Inspector::InspectorDebuggerAgent::didSetBreakpoint):
3600         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3601         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3602         (Inspector::InspectorDebuggerAgent::continueToLocation):
3603         (Inspector::InspectorDebuggerAgent::schedulePauseAtNextOpportunity): Added.
3604         (Inspector::InspectorDebuggerAgent::cancelPauseAtNextOpportunity): Added.
3605         (Inspector::InspectorDebuggerAgent::schedulePauseForSpecialBreakpoint): Added.
3606         (Inspector::InspectorDebuggerAgent::cancelPauseForSpecialBreakpoint): Added.
3607         (Inspector::InspectorDebuggerAgent::pause):
3608         (Inspector::InspectorDebuggerAgent::resume):
3609         (Inspector::InspectorDebuggerAgent::didBecomeIdle):
3610         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
3611         (Inspector::InspectorDebuggerAgent::didParseSource):
3612         (Inspector::InspectorDebuggerAgent::willRunMicrotask):
3613         (Inspector::InspectorDebuggerAgent::didRunMicrotask):
3614         (Inspector::InspectorDebuggerAgent::didPause):
3615         (Inspector::InspectorDebuggerAgent::breakpointActionSound):
3616         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3617         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
3618         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
3619         (Inspector::matches): Deleted.
3620         (Inspector::buildObjectForBreakpointCookie): Deleted.
3621         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): Deleted.
3622         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): Deleted.
3623         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement): Deleted.
3624         Create a private `ProtocolBreakpoint` class that holds the data sent by the frontend. This
3625         is necessary because breakpoints in the frontend have a potentially one-to-many relationship
3626         with breakpoints in the backend, as the same script can be loaded many times on a page. Each
3627         of those scripts is independent, however, and can execute differently, meaning that the same
3628         breakpoint for each script also needs a different state (e.g. ignore count). As such, the
3629         `ProtocolBreakpoint` is effectively a template that is actualized whenever a new script is
3630         parsed that matches the URL of the `ProtocolBreakpoint` to create a `JSC::Breakpoint` that
3631         is used by the `JSC::Debugger`. `ProtocolBreakpoint` also parses breakpoint configurations.
3632
3633         * inspector/InspectorEnvironment.h:
3634         * inspector/JSGlobalObjectScriptDebugServer.h:
3635         * inspector/JSGlobalObjectScriptDebugServer.cpp:
3636         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
3637         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
3638         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
3639         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
3640         * inspector/agents/InspectorAuditAgent.h:
3641         * inspector/agents/InspectorAuditAgent.cpp:
3642         (Inspector::InspectorAuditAgent::run):
3643         * inspector/agents/InspectorRuntimeAgent.h:
3644         * inspector/agents/InspectorRuntimeAgent.cpp:
3645         (Inspector::setPauseOnExceptionsState):
3646         (Inspector::InspectorRuntimeAgent::evaluate):
3647         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3648         (Inspector::InspectorRuntimeAgent::getPreview):
3649         (Inspector::InspectorRuntimeAgent::getProperties):
3650         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3651         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3652         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3653         Replace `Inspector::ScriptDebugServer` with `JSC::Debugger`.
3654
3655         * runtime/JSMicrotask.cpp:
3656         (JSC::JSMicrotask::run):
3657         Drive-by: r248894 mistakenly omitted the call to notify the debugger that the microtask ran.
3658
3659         * inspector/ScriptBreakpoint.h: Removed.
3660         * inspector/ScriptDebugListener.h: Removed.
3661         * inspector/ScriptDebugServer.h: Removed.
3662         * inspector/ScriptDebugServer.cpp: Removed.
3663         * CMakeLists.txt:
3664         * JavaScriptCore.xcodeproj/project.pbxproj:
3665         * Sources.txt:
3666
3667 2020-08-24  Devin Rousso  <drousso@apple.com>
3668
3669         Web Inspector: remove "extra domains" concept now that domains can be added based on the debuggable type
3670         https://bugs.webkit.org/show_bug.cgi?id=201150
3671         <rdar://problem/56545911>
3672
3673         Reviewed by Brian Burg.
3674
3675         * inspector/scripts/codegen/objc_generator_templates.py:
3676         * inspector/augmentable/AugmentableInspectorController.h:
3677
3678         * inspector/JSGlobalObjectInspectorController.h:
3679         * inspector/JSGlobalObjectInspectorController.cpp:
3680         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3681         (Inspector::JSGlobalObjectInspectorController::registerAlternateAgent): Added.
3682         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent): Deleted.
3683
3684         * inspector/InspectorAgentRegistry.h:
3685         * inspector/InspectorAgentRegistry.cpp:
3686         (Inspector::AgentRegistry::appendExtraAgent): Deleted.
3687
3688         * inspector/protocol/Inspector.json:
3689         * inspector/agents/InspectorAgent.h:
3690         * inspector/agents/InspectorAgent.cpp:
3691         (Inspector::InspectorAgent::activateExtraDomain): Deleted.
3692         (Inspector::InspectorAgent::activateExtraDomains): Deleted.
3693
3694         * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
3695         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3696         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3697         * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
3698         * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
3699         * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
3700         * inspector/scripts/tests/expected/domain-targetTypes.json-result:
3701         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3702         * inspector/scripts/tests/expected/enum-values.json-result:
3703         * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
3704         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3705         Rebase protocol tests.
3706
3707 2020-08-23  Yusuke Suzuki  <ysuzuki@apple.com>
3708
3709         Unreviewed, wrong merge resolution between r266031 and r263837
3710         https://bugs.webkit.org/show_bug.cgi?id=209774
3711
        r263837 was landed after r266031 was configured. OSS buildbots didn't catch this since they are using old ICU headers.
3713
3714         * runtime/IntlNumberFormat.cpp:
3715         (JSC::IntlNumberFormat::initializeNumberFormat):
3716
3717 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3718
3719         Unreviewed, assertion was opposite
3720         https://bugs.webkit.org/show_bug.cgi?id=215058
3721
3722         We should ensure that this is *not* zero.
3723
3724         * runtime/IntlObject.cpp:
3725         (JSC::parseVariantCode):
3726
3727 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3728
3729         [JSC] Implement Intl Language Tag Parser
3730         https://bugs.webkit.org/show_bug.cgi?id=215058
3731
3732         Reviewed by Ross Kirsling and Darin Adler.
3733
        This patch adds LanguageTagParser which performs isStructurallyValidLanguageTag[1] validation precisely.
        The spec strictly defines the acceptable format as language-tag, which is not the same as ICU's, and this
        is even tested in test262. We should have LanguageTagParser to validate the input.
3737
3738         [1]: https://tc39.es/ecma402/#sec-isstructurallyvalidlanguagetag
3739
3740         * runtime/IntlLocale.cpp:
3741         (JSC::LocaleIDBuilder::initialize):
3742         (JSC::IntlLocale::initializeLocale):
3743         * runtime/IntlObject.cpp:
3744         (JSC::canonicalizeLocaleList):
3745         (JSC::parseVariantCode):
3746         (JSC::convertToUnicodeSingletonIndex):
3747         (JSC::isUnicodeExtensionAttribute):
3748         (JSC::isUnicodeExtensionKey):
3749         (JSC::isUnicodeExtensionTypeComponent):
3750         (JSC::isUnicodePUExtensionValue):
3751         (JSC::isUnicodeOtherExtensionValue):
3752         (JSC::isUnicodeTKey):
3753         (JSC::isUnicodeTValueComponent):
3754         (JSC::LanguageTagParser::LanguageTagParser):
3755         (JSC::LanguageTagParser::isEOS):
3756         (JSC::LanguageTagParser::next):
3757         (JSC::LanguageTagParser::parseUnicodeLocaleId):
3758         (JSC::LanguageTagParser::parseUnicodeLanguageId):
3759         (JSC::LanguageTagParser::parseUnicodeExtensionAfterPrefix):
3760         (JSC::LanguageTagParser::parseTransformedExtensionAfterPrefix):
3761         (JSC::LanguageTagParser::parseOtherExtensionAfterPrefix):
3762         (JSC::LanguageTagParser::parsePUExtensionAfterPrefix):
3763         (JSC::LanguageTagParser::parseExtensionsAndPUExtensions):
3764         (JSC::isStructurallyValidLanguageTag):
3765         (JSC::isUnicodeLanguageId):
3766         * runtime/IntlObject.h:
3767
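The entry above says the spec's language-tag grammar is stricter than what ICU accepts. The following is an added example, not WebKit or JavaScriptCore code: a structural validator written as a regular-expression transcription of the UTS 35 unicode_locale_id productions that isStructurallyValidLanguageTag is defined over, plus the two rules the grammar alone cannot express (no duplicate singleton subtags, no duplicate variant subtags in the main language id). All names, the constructed test tags, and the comparison against the host engine's Intl.getCanonicalLocales are this example's own, not JSC's parser.

```javascript
// Added example (not JavaScriptCore code): structural validation of a
// BCP 47 / UTS 35 unicode_locale_id, the grammar ECMA-402's
// IsStructurallyValidLanguageTag checks. Each constant mirrors one UTS 35
// production; the names are this example's own.
const ALPHA = "[a-zA-Z]";
const DIGIT = "[0-9]";
const ALNUM = "[a-zA-Z0-9]";

// unicode_language_id: language (script)? (region)? variant*
const LANGUAGE = `(?:${ALPHA}{2,3}|${ALPHA}{5,8})`;
const SCRIPT = `${ALPHA}{4}`;
const REGION = `(?:${ALPHA}{2}|${DIGIT}{3})`;
const VARIANT = `(?:${ALNUM}{5,8}|${DIGIT}${ALNUM}{3})`;
const LANGUAGE_ID = `${LANGUAGE}(?:-${SCRIPT})?(?:-${REGION})?(?:-${VARIANT})*`;

// -u- extension: attributes followed by key/type keywords
const KEY = `${ALNUM}${ALPHA}`;
const TYPE = `${ALNUM}{3,8}(?:-${ALNUM}{3,8})*`;
const KEYWORD = `${KEY}(?:-${TYPE})?`;
const ATTRIBUTE = `${ALNUM}{3,8}`;
const U_EXT = `[uU](?:(?:-${KEYWORD})+|(?:-${ATTRIBUTE})+(?:-${KEYWORD})*)`;

// -t- extension: optional source language id, then tkey/tvalue fields
const TFIELD = `${ALPHA}${DIGIT}(?:-${ALNUM}{3,8})+`;
const T_EXT = `[tT](?:-${LANGUAGE_ID}(?:-${TFIELD})*|(?:-${TFIELD})+)`;

// any other singleton (not t, u or x), and the private-use -x- tail
const OTHER_EXT = `[0-9a-sv-wyzA-SV-WYZ](?:-${ALNUM}{2,8})+`;
const PU_EXT = `[xX](?:-${ALNUM}{1,8})+`;

const LOCALE_ID = new RegExp(
  `^${LANGUAGE_ID}(?:-(?:${U_EXT}|${T_EXT}|${OTHER_EXT}))*(?:-${PU_EXT})?$`);
const VARIANT_ONLY = new RegExp(`^${VARIANT}$`);

function isStructurallyValidLanguageTag(tag) {
  if (!LOCALE_ID.test(tag)) return false;
  const subtags = tag.toLowerCase().split("-");
  // One-character subtags are singletons that introduce extensions, except
  // inside the private-use tail (after "x"), where they are ordinary values.
  const seenSingletons = new Set();
  let firstSingleton = subtags.length;
  for (let i = 1; i < subtags.length; i++) {
    if (subtags[i].length !== 1) continue;
    if (firstSingleton === subtags.length) firstSingleton = i;
    if (seenSingletons.has(subtags[i])) return false;
    seenSingletons.add(subtags[i]);
    if (subtags[i] === "x") break;
  }
  // Duplicate variants in the main language id (everything before the
  // first singleton; script and region subtags never match VARIANT).
  const variants = subtags.slice(1, firstSingleton).filter((s) => VARIANT_ONLY.test(s));
  return new Set(variants).size === variants.length;
}

// Cross-check against the host engine: Intl.getCanonicalLocales throws a
// RangeError for tags that fail IsStructurallyValidLanguageTag.
function engineAccepts(tag) {
  try {
    Intl.getCanonicalLocales(tag);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}

// Constructed sample tags, including the two cases the regex alone passes
// but the duplicate rules reject.
const SAMPLE_TAGS = [
  "en-Latn-US", "ja-JP-u-ca-japanese", "zh-t-en-h0-hybrid", "en-x-a-b",
  "i-klingon", "de-DE-1996-1996", "en-u-ca-gregory-u-nu-latn",
];
for (const tag of SAMPLE_TAGS) {
  console.log(tag.padEnd(28), "checker:", isStructurallyValidLanguageTag(tag),
    "engine:", engineAccepts(tag));
}
```

The duplicate-singleton and duplicate-variant checks are the reason a hand-written parser, as in the entry above, is preferable to a bare regular expression: the grammar matches "en-u-ca-gregory-u-nu-latn" twice over, and only a pass over the parsed subtags can reject it.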
3768 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3769
3770         Unreviewed, workaround for old ICU headers in macOS Catalina bots
3771         https://bugs.webkit.org/show_bug.cgi?id=209774
3772
3773         EWS and Catalina bots are inconsistent in terms of ICU header versions.
3774         This patch adds a workaround which checks ICU header version too at runtime.
3775
3776         * tools/JSDollarVM.cpp:
3777         (JSC::functionICUHeaderVersion):
3778         (JSC::JSDollarVM::finishCreation):
3779
3780 2020-08-22  Alexey Shvayka  <shvaikalesh@gmail.com>
3781
3782         The [[ThrowTypeError]] function object must not be extensible
3783         https://bugs.webkit.org/show_bug.cgi?id=108873
3784
3785         Reviewed by Yusuke Suzuki.
3786
3787         This patch:
3788
3789         1. Sets the value of %ThrowTypeError% "name" property to the empty string,
3790            as required [1] for anonymous built-in functions.
3791
3792         2. Calls JSObject::freeze() on %ThrowTypeError%, making it non-extensible and
3793            its "name" and "length" properties non-configurable to match the spec [2].
3794
3795         Both changes align JSC with V8 and SpiderMonkey.
3796
3797         [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
3798         [2]: https://tc39.es/ecma262/#sec-%throwtypeerror%
3799
3800         * runtime/JSGlobalObject.cpp:
3801         (JSC::JSGlobalObject::init):
3802
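The following is an added example, not WebKit or JavaScriptCore code, showing how to obtain %ThrowTypeError% from script and check the invariants the entry above describes: the empty "name", non-configurable "name" and "length", and the non-extensible object. It also shows why this matters beyond spec conformance: %ThrowTypeError% is one object shared by every strict-mode arguments object and by Function.prototype.caller/arguments in a realm, so an extensible one would be a mutable channel that survives freezing every other intrinsic. Function names are this example's own.

```javascript
// Added example (not JavaScriptCore code): retrieve %ThrowTypeError% and
// verify the invariants ECMA-262 requires of it.
function getThrowTypeError() {
  "use strict";
  // A strict-mode arguments object has a "callee" accessor whose getter and
  // setter are both %ThrowTypeError%.
  return Object.getOwnPropertyDescriptor(arguments, "callee").get;
}

function inspectThrowTypeError() {
  const tte = getThrowTypeError();
  const nameDesc = Object.getOwnPropertyDescriptor(tte, "name");
  const lengthDesc = Object.getOwnPropertyDescriptor(tte, "length");
  let throwsTypeError = false;
  try {
    tte();
  } catch (e) {
    throwsTypeError = e instanceof TypeError;
  }
  return {
    // the same intrinsic backs Function.prototype.caller
    sameAsCallerGetter:
      Object.getOwnPropertyDescriptor(Function.prototype, "caller").get === tte,
    extensible: Object.isExtensible(tte),
    frozen: Object.isFrozen(tte),
    name: nameDesc.value,
    nameConfigurable: nameDesc.configurable,
    length: lengthDesc.value,
    lengthConfigurable: lengthDesc.configurable,
    throwsTypeError,
  };
}

// In strict code, adding a property to a non-extensible object throws
// instead of silently failing, which is what a sandbox that relies on
// frozen intrinsics should expect from an attempt to smuggle state here.
function addingPropertyThrows() {
  "use strict";
  try {
    getThrowTypeError().tainted = true;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(inspectThrowTypeError());
console.log("adding a property throws:", addingPropertyThrows());
```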
3803 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3804
3805         [ECMA-402] Intl.DateTimeFormat dateStyle/timeStyle missing in WebKit
3806         https://bugs.webkit.org/show_bug.cgi?id=209776
3807
3808         Reviewed by Darin Adler and Ross Kirsling.
3809
        This patch implements Intl.DateTimeFormat dateStyle and timeStyle options. When they are specified,
        we query ICU for the best date-time format with these options instead of configuring each date-time
        format.

        ECMA402 requires enforcement of the hourCycle specified in the options, even if ICU ignores it.
        So, after getting the appropriate pattern from ICU, we modify this pattern and re-create the UDateFormat
        from the modified pattern.
3817
3818         * builtins/DatePrototype.js:
3819         (toLocaleString.toDateTimeOptionsAnyAll):
3820         (toLocaleString):
3821         (toLocaleDateString.toDateTimeOptionsDateDate):
3822         (toLocaleDateString):
3823         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3824         (toLocaleTimeString):
3825         * runtime/CommonIdentifiers.h:
3826         * runtime/IntlDateTimeFormat.cpp:
3827         (JSC::toDateTimeOptionsAnyDate):
3828         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3829         (JSC::IntlDateTimeFormat::formatStyleString):
3830         (JSC::IntlDateTimeFormat::resolvedOptions const):
3831         * runtime/IntlDateTimeFormat.h:
3832
3833 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3834
3835         [ECMA-402] Implement Intl.DateTimeFormat.prototype.formatRange
3836         https://bugs.webkit.org/show_bug.cgi?id=209778
3837
3838         Reviewed by Ross Kirsling.
3839
        This patch adds Intl.DateTimeFormat#formatRange. It takes two dates, and
        generates formatted text which represents the interval between these two dates.
        We skip the implementation of Intl.DateTimeFormat#formatRangeToParts since
        the ICU udtitvfmt_formatToResult API is not in a stable state yet. We retrieve
        the pattern from UDateFormat, get the skeleton from that pattern, and construct
        a UDateIntervalFormat from this skeleton.
3846
3847         * runtime/IntlDateTimeFormat.cpp:
3848         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3849         (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
3850         (JSC::IntlDateTimeFormat::formatRange):
3851         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator() const): Deleted.
3852         * runtime/IntlDateTimeFormat.h:
3853         * runtime/IntlDateTimeFormatPrototype.cpp:
3854         (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
3855
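The two Intl.DateTimeFormat entries above (dateStyle/timeStyle with hourCycle enforcement, and formatRange) are exercised together in the following added example, which is not WebKit or JavaScriptCore code. It uses constructed instants and a fixed timeZone so the output does not depend on the host clock, and assumes a runtime with full ICU data (for example a current Node.js). The function names are this example's own.

```javascript
// Added example (not JavaScriptCore code): dateStyle/timeStyle, hourCycle
// enforcement on top of ICU's style pattern, and formatRange.
const LOCALE = "en-US";
const AUG_22_1305_UTC = Date.UTC(2020, 7, 22, 13, 5, 0); // constructed instant

// dateStyle/timeStyle ask ICU for one best overall pattern instead of
// configuring each field; the chosen styles are reported by resolvedOptions().
function styleResolvedOptions() {
  return new Intl.DateTimeFormat(LOCALE, {
    dateStyle: "medium", timeStyle: "short", hourCycle: "h23", timeZone: "UTC",
  }).resolvedOptions();
}

// ECMA-402 requires hourCycle to win even where ICU's en-US style pattern
// defaults to 12-hour time, so "h23" must give "13:05" and "h12" "1:05 PM".
function formatTime(hourCycle) {
  return new Intl.DateTimeFormat(LOCALE, {
    timeStyle: "short", hourCycle, timeZone: "UTC",
  }).format(AUG_22_1305_UTC);
}

// The styles are mutually exclusive with per-component options such as
// "hour"; the spec mandates a TypeError rather than silently picking one.
function mixingStyleAndComponentThrows() {
  try {
    new Intl.DateTimeFormat(LOCALE, { dateStyle: "short", hour: "numeric" });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// formatRange renders one interval string (e.g. "Jan 10 – 20, 2020") rather
// than two independently formatted dates joined by the caller.
function formatInterval(startMs, endMs) {
  const dtf = new Intl.DateTimeFormat(LOCALE, { dateStyle: "medium", timeZone: "UTC" });
  return dtf.formatRange(new Date(startMs), new Date(endMs));
}

console.log(styleResolvedOptions());
console.log(formatTime("h23"), "|", formatTime("h12"));
console.log("mixing dateStyle with hour throws:", mixingStyleAndComponentThrows());
console.log(formatInterval(Date.UTC(2020, 0, 10), Date.UTC(2020, 0, 20)));
```

The exact interval text (the dash and spacing) comes from ICU's locale data and varies between ICU versions, so code that compares formatted output should match on the fields it cares about rather than on the whole string.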
3856 2020-08-22  Yusuke Suzuki  <ysuzuki@apple.com>
3857
3858         [JSC] Add Intl.Segmenter
3859         https://bugs.webkit.org/show_bug.cgi?id=213638
3860
3861         Reviewed by Ross Kirsling.
3862