9f24fa9f5a226e1b87110c26883389697218d875
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-07-31  Mark Lam  <mark.lam@apple.com>

        Rename DOMJIT safe/unsafeFunction to functionWithTypeChecks and functionWithoutTypeChecks.
        https://bugs.webkit.org/show_bug.cgi?id=200323

        Reviewed by Yusuke Suzuki.

        The DOMJIT has a notion of a safeFunction and an unsafeFunction.  The safeFunction
        is effectively the same as the unsafeFunction with an added type check.  The DFG/FTL
        will emit code to call the unsafeFunction if it has already emitted the needed
        type check or proven that it isn't needed.  Otherwise, the DFG/FTL will emit
        code to call the safeFunction (which does its own type check) instead.

        This patch renames these functions to better describe their difference.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        * domjit/DOMJITSignature.h:
        (JSC::DOMJIT::Signature::Signature):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * tools/JSDollarVM.cpp:
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITFunctionObject::safeFunction): Deleted.
        (JSC::DOMJITFunctionObject::unsafeFunction): Deleted.
        (JSC::DOMJITCheckSubClassObject::safeFunction): Deleted.
        (JSC::DOMJITCheckSubClassObject::unsafeFunction): Deleted.

2019-07-31  Alex Christensen  <achristensen@webkit.org>

        Begin organizing b3 tests
        https://bugs.webkit.org/show_bug.cgi?id=200330

        Reviewed by Keith Miller.

        * b3/testb3.h:
        * b3/testb3_1.cpp:
        (run):
        (zero): Deleted.
        (negativeZero): Deleted.
        * b3/testb3_2.cpp:
        (testBitXorTreeArgs):
        (testBitXorTreeArgsEven):
        (testBitXorTreeArgImm):
        (testBitAndTreeArg32):
        (testBitOrTreeArg32):
        (testBitAndArgs):
        (testBitAndSameArg):
        (testBitAndNotNot):
        (testBitAndNotImm):
        (testBitAndImms):
        (testBitAndArgImm):
        (testBitAndImmArg):
        (testBitAndBitAndArgImmImm):
        (testBitAndImmBitAndArgImm):
        (testBitAndArgs32):
        (testBitAndSameArg32):
        (testBitAndImms32):
        (testBitAndArgImm32):
        (testBitAndImmArg32):
        (testBitAndBitAndArgImmImm32):
        (testBitAndImmBitAndArgImm32):
        (testBitAndWithMaskReturnsBooleans):
        (testBitAndArgDouble):
        (testBitAndArgsDouble):
        (testBitAndArgImmDouble):
        (testBitAndImmsDouble):
        (testBitAndArgFloat):
        (testBitAndArgsFloat):
        (testBitAndArgImmFloat):
        (testBitAndImmsFloat):
        (testBitAndArgsFloatWithUselessDoubleConversion):
        (testBitOrArgs):
        (testBitOrSameArg):
        (testBitOrAndAndArgs):
        (testBitOrAndSameArgs):
        (testBitOrNotNot):
        (testBitOrNotImm):
        (testBitOrImms):
        (testBitOrArgImm):
        (testBitOrImmArg):
        (testBitOrBitOrArgImmImm):
        (testBitOrImmBitOrArgImm):
        (testBitOrArgs32):
        (testBitOrSameArg32):
        (testBitOrImms32):
        (testBitOrArgImm32):
        (testBitOrImmArg32):
        (addBitTests):
        * b3/testb3_3.cpp:
        (testSShrArgs):
        (testSShrImms):
        (testSShrArgImm):
        (testSShrArg32):
        (testSShrArgs32):
        (testSShrImms32):
        (testSShrArgImm32):
        (testZShrArgs):
        (testZShrImms):
        (testZShrArgImm):
        (testZShrArg32):
        (testZShrArgs32):
        (testZShrImms32):
        (testZShrArgImm32):
        (zero):
        (negativeZero):
        (addArgTests):
        (addCallTests):
        (addShrTests):
        * b3/testb3_4.cpp:
        (addSExtTests):
        * b3/testb3_6.cpp:
        (testSShrShl32):
        (testSShrShl64):
        (addSShrShTests):

2019-07-31  Devin Rousso  <drousso@apple.com>

        Web Inspector: Debugger: support emulateUserGesture parameter in Debugger.evaluateOnCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=200272

        Reviewed by Joseph Pecoraro.

        When paused, evaluating in the console should still respect the "Emulate User Gesture" checkbox.

        * inspector/protocol/Debugger.json:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2019-07-31  Alex Christensen  <achristensen@webkit.org>

        Split testb3 into multiple files
        https://bugs.webkit.org/show_bug.cgi?id=200326

        Reviewed by Keith Miller.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/testb3.cpp: Removed.
        * b3/testb3.h: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (shouldBeVerbose):
        (compileProc):
        (invoke):
        (compileAndRun):
        (lowerToAirForTesting):
        (checkDisassembly):
        (checkUsesInstruction):
        (checkDoesNotUseInstruction):
        (populateWithInterestingValues):
        (floatingPointOperands):
        (int64Operands):
        (int32Operands):
        (add32):
        (modelLoad):
        (float>):
        (double>):
        * b3/testb3_1.cpp: Added.
        (zero):
        (negativeZero):
        (shouldRun):
        (testRotR):
        (testRotL):
        (testRotRWithImmShift):
        (testRotLWithImmShift):
        (testComputeDivisionMagic):
        (run):
        (main):
        (dllLauncherEntryPoint):
        * b3/testb3_2.cpp: Added.
        (test42):
        (testLoad42):
        (testLoadAcq42):
        (testLoadWithOffsetImpl):
        (testLoadOffsetImm9Max):
        (testLoadOffsetImm9MaxPlusOne):
        (testLoadOffsetImm9MaxPlusTwo):
        (testLoadOffsetImm9Min):
        (testLoadOffsetImm9MinMinusOne):
        (testLoadOffsetScaledUnsignedImm12Max):
        (testLoadOffsetScaledUnsignedOverImm12Max):
        (testBitXorTreeArgs):
        (testBitXorTreeArgsEven):
        (testBitXorTreeArgImm):
        (testAddTreeArg32):
        (testMulTreeArg32):
        (testBitAndTreeArg32):
        (testBitOrTreeArg32):
        (testArg):
        (testReturnConst64):
        (testReturnVoid):
        (testAddArg):
        (testAddArgs):
        (testAddArgImm):
        (testAddImmArg):
        (testAddArgMem):
        (testAddMemArg):
        (testAddImmMem):
        (testAddArg32):
        (testAddArgs32):
        (testAddArgMem32):
        (testAddMemArg32):
        (testAddImmMem32):
        (testAddNeg1):
        (testAddNeg2):
        (testAddArgZeroImmZDef):
        (testAddLoadTwice):
        (testAddArgDouble):
        (testAddArgsDouble):
        (testAddArgImmDouble):
        (testAddImmArgDouble):
        (testAddImmsDouble):
        (testAddArgFloat):
        (testAddArgsFloat):
        (testAddFPRArgsFloat):
        (testAddArgImmFloat):
        (testAddImmArgFloat):
        (testAddImmsFloat):
        (testAddArgFloatWithUselessDoubleConversion):
        (testAddArgsFloatWithUselessDoubleConversion):
        (testAddArgsFloatWithEffectfulDoubleConversion):
        (testAddMulMulArgs):
        (testMulArg):
        (testMulArgStore):
        (testMulAddArg):
        (testMulArgs):
        (testMulArgNegArg):
        (testMulNegArgArg):
        (testMulArgImm):
        (testMulImmArg):
        (testMulArgs32):
        (testMulArgs32SignExtend):
        (testMulImm32SignExtend):
        (testMulLoadTwice):
        (testMulAddArgsLeft):
        (testMulAddArgsRight):
        (testMulAddArgsLeft32):
        (testMulAddArgsRight32):
        (testMulSubArgsLeft):
        (testMulSubArgsRight):
        (testMulSubArgsLeft32):
        (testMulSubArgsRight32):
        (testMulNegArgs):
        (testMulNegArgs32):
        (testMulArgDouble):
        (testMulArgsDouble):
        (testMulArgImmDouble):
        (testMulImmArgDouble):
        (testMulImmsDouble):
        (testMulArgFloat):
        (testMulArgsFloat):
        (testMulArgImmFloat):
        (testMulImmArgFloat):
        (testMulImmsFloat):
        (testMulArgFloatWithUselessDoubleConversion):
        (testMulArgsFloatWithUselessDoubleConversion):
        (testMulArgsFloatWithEffectfulDoubleConversion):
        (testDivArgDouble):
        (testDivArgsDouble):
        (testDivArgImmDouble):
        (testDivImmArgDouble):
        (testDivImmsDouble):
        (testDivArgFloat):
        (testDivArgsFloat):
        (testDivArgImmFloat):
        (testDivImmArgFloat):
        (testDivImmsFloat):
        (testModArgDouble):
        (testModArgsDouble):
        (testModArgImmDouble):
        (testModImmArgDouble):
        (testModImmsDouble):
        (testModArgFloat):
        (testModArgsFloat):
        (testModArgImmFloat):
        (testModImmArgFloat):
        (testModImmsFloat):
        (testDivArgFloatWithUselessDoubleConversion):
        (testDivArgsFloatWithUselessDoubleConversion):
        (testDivArgsFloatWithEffectfulDoubleConversion):
        (testUDivArgsInt32):
        (testUDivArgsInt64):
        (testUModArgsInt32):
        (testUModArgsInt64):
        (testSubArg):
        (testSubArgs):
        (testSubArgImm):
        (testSubNeg):
        (testNegSub):
        (testNegValueSubOne):
        (testSubSub):
        (testSubSub2):
        (testSubAdd):
        (testSubFirstNeg):
        (testSubImmArg):
        (testSubArgMem):
        (testSubMemArg):
        (testSubImmMem):
        (testSubMemImm):
        (testSubArgs32):
        (testSubArgImm32):
        (testSubImmArg32):
        (testSubMemArg32):
        (testSubArgMem32):
        (testSubImmMem32):
        (testSubMemImm32):
        (testNegValueSubOne32):
        (testNegMulArgImm):
        (testSubMulMulArgs):
        (testSubArgDouble):
        (testSubArgsDouble):
        (testSubArgImmDouble):
        (testSubImmArgDouble):
        (testSubImmsDouble):
        (testSubArgFloat):
        (testSubArgsFloat):
        (testSubArgImmFloat):
        (testSubImmArgFloat):
        (testSubImmsFloat):
        (testSubArgFloatWithUselessDoubleConversion):
        (testSubArgsFloatWithUselessDoubleConversion):
        (testSubArgsFloatWithEffectfulDoubleConversion):
        (testTernarySubInstructionSelection):
        (testNegDouble):
        (testNegFloat):
        (testNegFloatWithUselessDoubleConversion):
        (testBitAndArgs):
        (testBitAndSameArg):
        (testBitAndNotNot):
        (testBitAndNotImm):
        (testBitAndImms):
        (testBitAndArgImm):
        (testBitAndImmArg):
        (testBitAndBitAndArgImmImm):
        (testBitAndImmBitAndArgImm):
        (testBitAndArgs32):
        (testBitAndSameArg32):
        (testBitAndImms32):
        (testBitAndArgImm32):
        (testBitAndImmArg32):
        (testBitAndBitAndArgImmImm32):
        (testBitAndImmBitAndArgImm32):
        (testBitAndWithMaskReturnsBooleans):
        (bitAndDouble):
        (testBitAndArgDouble):
        (testBitAndArgsDouble):
        (testBitAndArgImmDouble):
        (testBitAndImmsDouble):
        (bitAndFloat):
        (testBitAndArgFloat):
        (testBitAndArgsFloat):
        (testBitAndArgImmFloat):
        (testBitAndImmsFloat):
        (testBitAndArgsFloatWithUselessDoubleConversion):
        (testBitOrArgs):
        (testBitOrSameArg):
        (testBitOrAndAndArgs):
        (testBitOrAndSameArgs):
        (testBitOrNotNot):
        (testBitOrNotImm):
        (testBitOrImms):
        (testBitOrArgImm):
        (testBitOrImmArg):
        (testBitOrBitOrArgImmImm):
        (testBitOrImmBitOrArgImm):
        (testBitOrArgs32):
        (testBitOrSameArg32):
        (testBitOrImms32):
        (testBitOrArgImm32):
        (testBitOrImmArg32):
        * b3/testb3_3.cpp: Added.
        (testBitOrBitOrArgImmImm32):
        (testBitOrImmBitOrArgImm32):
        (bitOrDouble):
        (testBitOrArgDouble):
        (testBitOrArgsDouble):
        (testBitOrArgImmDouble):
        (testBitOrImmsDouble):
        (bitOrFloat):
        (testBitOrArgFloat):
        (testBitOrArgsFloat):
        (testBitOrArgImmFloat):
        (testBitOrImmsFloat):
        (testBitOrArgsFloatWithUselessDoubleConversion):
        (testBitXorArgs):
        (testBitXorSameArg):
        (testBitXorAndAndArgs):
        (testBitXorAndSameArgs):
        (testBitXorImms):
        (testBitXorArgImm):
        (testBitXorImmArg):
        (testBitXorBitXorArgImmImm):
        (testBitXorImmBitXorArgImm):
        (testBitXorArgs32):
        (testBitXorSameArg32):
        (testBitXorImms32):
        (testBitXorArgImm32):
        (testBitXorImmArg32):
        (testBitXorBitXorArgImmImm32):
        (testBitXorImmBitXorArgImm32):
        (testBitNotArg):
        (testBitNotImm):
        (testBitNotMem):
        (testBitNotArg32):
        (testBitNotImm32):
        (testBitNotMem32):
        (testNotOnBooleanAndBranch32):
        (testBitNotOnBooleanAndBranch32):
        (testShlArgs):
        (testShlImms):
        (testShlArgImm):
        (testShlSShrArgImm):
        (testShlArg32):
        (testShlArgs32):
        (testShlImms32):
        (testShlArgImm32):
        (testShlZShrArgImm32):
        (testSShrArgs):
        (testSShrImms):
        (testSShrArgImm):
        (testSShrArg32):
        (testSShrArgs32):
        (testSShrImms32):
        (testSShrArgImm32):
        (testZShrArgs):
        (testZShrImms):
        (testZShrArgImm):
        (testZShrArg32):
        (testZShrArgs32):
        (testZShrImms32):
        (testZShrArgImm32):
        (countLeadingZero):
        (testClzArg64):
        (testClzMem64):
        (testClzArg32):
        (testClzMem32):
        (testAbsArg):
        (testAbsImm):
        (testAbsMem):
        (testAbsAbsArg):
        (testAbsNegArg):
        (testAbsBitwiseCastArg):
        (testBitwiseCastAbsBitwiseCastArg):
        (testAbsArgWithUselessDoubleConversion):
        (testAbsArgWithEffectfulDoubleConversion):
        (testCeilArg):
        (testCeilImm):
        (testCeilMem):
        (testCeilCeilArg):
        (testFloorCeilArg):
        (testCeilIToD64):
        (testCeilIToD32):
        (testCeilArgWithUselessDoubleConversion):
        (testCeilArgWithEffectfulDoubleConversion):
        (testFloorArg):
        (testFloorImm):
        (testFloorMem):
        (testFloorFloorArg):
        (testCeilFloorArg):
        (testFloorIToD64):
        (testFloorIToD32):
        (testFloorArgWithUselessDoubleConversion):
        (testFloorArgWithEffectfulDoubleConversion):
        (correctSqrt):
        (testSqrtArg):
        (testSqrtImm):
        (testSqrtMem):
        (testSqrtArgWithUselessDoubleConversion):
        (testSqrtArgWithEffectfulDoubleConversion):
        (testCompareTwoFloatToDouble):
        (testCompareOneFloatToDouble):
        (testCompareFloatToDoubleThroughPhi):
        (testDoubleToFloatThroughPhi):
        (testReduceFloatToDoubleValidates):
        (testDoubleProducerPhiToFloatConversion):
        (testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
        (testDoubleProducerPhiWithNonFloatConst):
        (testDoubleArgToInt64BitwiseCast):
        (testDoubleImmToInt64BitwiseCast):
        (testTwoBitwiseCastOnDouble):
        (testBitwiseCastOnDoubleInMemory):
        (testBitwiseCastOnDoubleInMemoryIndexed):
        (testInt64BArgToDoubleBitwiseCast):
        (testInt64BImmToDoubleBitwiseCast):
        (testTwoBitwiseCastOnInt64):
        (testBitwiseCastOnInt64InMemory):
        (testBitwiseCastOnInt64InMemoryIndexed):
        (testFloatImmToInt32BitwiseCast):
        (testBitwiseCastOnFloatInMemory):
        (testInt32BArgToFloatBitwiseCast):
        (testInt32BImmToFloatBitwiseCast):
        (testTwoBitwiseCastOnInt32):
        (testBitwiseCastOnInt32InMemory):
        (testConvertDoubleToFloatArg):
        (testConvertDoubleToFloatImm):
        (testConvertDoubleToFloatMem):
        (testConvertFloatToDoubleArg):
        (testConvertFloatToDoubleImm):
        (testConvertFloatToDoubleMem):
        (testConvertDoubleToFloatToDoubleToFloat):
        (testLoadFloatConvertDoubleConvertFloatStoreFloat):
        (testFroundArg):
        (testFroundMem):
        (testIToD64Arg):
        (testIToF64Arg):
        (testIToD32Arg):
        (testIToF32Arg):
        (testIToD64Mem):
        (testIToF64Mem):
        (testIToD32Mem):
        (testIToF32Mem):
        (testIToD64Imm):
        (testIToF64Imm):
        (testIToD32Imm):
        (testIToF32Imm):
        (testIToDReducedToIToF64Arg):
        (testIToDReducedToIToF32Arg):
        (testStore32):
        (testStoreConstant):
        (testStoreConstantPtr):
        (testStore8Arg):
        (testStore8Imm):
        (testStorePartial8BitRegisterOnX86):
        (testStore16Arg):
        (testStore16Imm):
        (testTrunc):
        (testAdd1):
        (testAdd1Ptr):
        (testNeg32):
        (testNegPtr):
        (testStoreAddLoad32):
        * b3/testb3_4.cpp: Added.
        (testStoreRelAddLoadAcq32):
        (testStoreAddLoadImm32):
        (testStoreAddLoad8):
        (testStoreRelAddLoadAcq8):
        (testStoreRelAddFenceLoadAcq8):
        (testStoreAddLoadImm8):
        (testStoreAddLoad16):
        (testStoreRelAddLoadAcq16):
        (testStoreAddLoadImm16):
        (testStoreAddLoad64):
        (testStoreRelAddLoadAcq64):
        (testStoreAddLoadImm64):
        (testStoreAddLoad32Index):
        (testStoreAddLoadImm32Index):
        (testStoreAddLoad8Index):
        (testStoreAddLoadImm8Index):
        (testStoreAddLoad16Index):
        (testStoreAddLoadImm16Index):
        (testStoreAddLoad64Index):
        (testStoreAddLoadImm64Index):
        (testStoreSubLoad):
        (testStoreAddLoadInterference):
        (testStoreAddAndLoad):
        (testStoreNegLoad32):
        (testStoreNegLoadPtr):
        (testAdd1Uncommuted):
        (testLoadOffset):
        (testLoadOffsetNotConstant):
        (testLoadOffsetUsingAdd):
        (testLoadOffsetUsingAddInterference):
        (testLoadOffsetUsingAddNotConstant):
        (testLoadAddrShift):
        (testFramePointer):
        (testOverrideFramePointer):
        (testStackSlot):
        (testLoadFromFramePointer):
        (testStoreLoadStackSlot):
        (testStoreFloat):
        (testStoreDoubleConstantAsFloat):
        (testSpillGP):
        (testSpillFP):
        (testInt32ToDoublePartialRegisterStall):
        (testInt32ToDoublePartialRegisterWithoutStall):
        (testBranch):
        (testBranchPtr):
        (testDiamond):
        (testBranchNotEqual):
        (testBranchNotEqualCommute):
        (testBranchNotEqualNotEqual):
        (testBranchEqual):
        (testBranchEqualEqual):
        (testBranchEqualCommute):
        (testBranchEqualEqual1):
        (testBranchEqualOrUnorderedArgs):
        (testBranchNotEqualAndOrderedArgs):
        (testBranchEqualOrUnorderedDoubleArgImm):
        (testBranchEqualOrUnorderedFloatArgImm):
        (testBranchEqualOrUnorderedDoubleImms):
        (testBranchEqualOrUnorderedFloatImms):
        (testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
        (testBranchFold):
        (testDiamondFold):
        (testBranchNotEqualFoldPtr):
        (testBranchEqualFoldPtr):
        (testBranchLoadPtr):
        (testBranchLoad32):
        (testBranchLoad8S):
        (testBranchLoad8Z):
        (testBranchLoad16S):
        (testBranchLoad16Z):
        (testBranch8WithLoad8ZIndex):
        (testComplex):
        (testBranchBitTest32TmpImm):
        (testBranchBitTest32AddrImm):
        (testBranchBitTest32TmpTmp):
        (testBranchBitTest64TmpTmp):
        (testBranchBitTest64AddrTmp):
        (testBranchBitTestNegation):
        (testBranchBitTestNegation2):
        (testSimplePatchpoint):
        (testSimplePatchpointWithoutOuputClobbersGPArgs):
        (testSimplePatchpointWithOuputClobbersGPArgs):
        (testSimplePatchpointWithoutOuputClobbersFPArgs):
        (testSimplePatchpointWithOuputClobbersFPArgs):
        (testPatchpointWithEarlyClobber):
        (testPatchpointCallArg):
        (testPatchpointFixedRegister):
        (testPatchpointAny):
        (testPatchpointGPScratch):
        (testPatchpointFPScratch):
        (testPatchpointLotsOfLateAnys):
        (testPatchpointAnyImm):
        * b3/testb3_5.cpp: Added.
        (testPatchpointManyImms):
        (testPatchpointWithRegisterResult):
        (testPatchpointWithStackArgumentResult):
        (testPatchpointWithAnyResult):
        (testSimpleCheck):
        (testCheckFalse):
        (testCheckTrue):
        (testCheckLessThan):
        (testCheckMegaCombo):
        (testCheckTrickyMegaCombo):
        (testCheckTwoMegaCombos):
        (testCheckTwoNonRedundantMegaCombos):
        (testCheckAddImm):
        (testCheckAddImmCommute):
        (testCheckAddImmSomeRegister):
        (testCheckAdd):
        (testCheckAdd64):
        (testCheckAddFold):
        (testCheckAddFoldFail):
        (testCheckAddArgumentAliasing64):
        (testCheckAddArgumentAliasing32):
        (testCheckAddSelfOverflow64):
        (testCheckAddSelfOverflow32):
        (testCheckSubImm):
        (testCheckSubBadImm):
        (testCheckSub):
        (doubleSub):
        (testCheckSub64):
        (testCheckSubFold):
        (testCheckSubFoldFail):
        (testCheckNeg):
        (testCheckNeg64):
        (testCheckMul):
        (testCheckMulMemory):
        (testCheckMul2):
        (testCheckMul64):
        (testCheckMulFold):
        (testCheckMulFoldFail):
        (testCheckMulArgumentAliasing64):
        (testCheckMulArgumentAliasing32):
        (testCheckMul64SShr):
        (genericTestCompare):
        (modelCompare):
        (testCompareLoad):
        (testCompareImpl):
        (testCompare):
        (testEqualDouble):
        (simpleFunction):
        (testCallSimple):
        (testCallRare):
        (testCallRareLive):
        (testCallSimplePure):
        (functionWithHellaArguments):
        (testCallFunctionWithHellaArguments):
        (functionWithHellaArguments2):
        (testCallFunctionWithHellaArguments2):
        (functionWithHellaArguments3):
        (testCallFunctionWithHellaArguments3):
        (testReturnDouble):
        (testReturnFloat):
        (simpleFunctionDouble):
        (testCallSimpleDouble):
        (simpleFunctionFloat):
        (testCallSimpleFloat):
        (functionWithHellaDoubleArguments):
        (testCallFunctionWithHellaDoubleArguments):
        (functionWithHellaFloatArguments):
        (testCallFunctionWithHellaFloatArguments):
        (testLinearScanWithCalleeOnStack):
        (testChillDiv):
        (testChillDivTwice):
        (testChillDiv64):
        (testModArg):
        (testModArgs):
        (testModImms):
        (testModArg32):
        (testModArgs32):
        (testModImms32):
        (testChillModArg):
        (testChillModArgs):
        (testChillModImms):
        (testChillModArg32):
        (testChillModArgs32):
        (testChillModImms32):
        (testLoopWithMultipleHeaderEdges):
        (testSwitch):
        (testSwitchSameCaseAsDefault):
        (testSwitchChillDiv):
        (testSwitchTargettingSameBlock):
        (testSwitchTargettingSameBlockFoldPathConstant):
        (testTruncFold):
        (testZExt32):
        (testZExt32Fold):
        (testSExt32):
        (testSExt32Fold):
        (testTruncZExt32):
        (testTruncSExt32):
        (testSExt8):
        (testSExt8Fold):
        (testSExt8SExt8):
        (testSExt8SExt16):
        (testSExt8BitAnd):
        (testBitAndSExt8):
        (testSExt16):
        (testSExt16Fold):
        (testSExt16SExt16):
        (testSExt16SExt8):
        (testSExt16BitAnd):
        (testBitAndSExt16):
        (testSExt32BitAnd):
        * b3/testb3_6.cpp: Added.
        (testBitAndSExt32):
        (testBasicSelect):
        (testSelectTest):
        (testSelectCompareDouble):
        (testSelectCompareFloat):
        (testSelectCompareFloatToDouble):
        (testSelectDouble):
        (testSelectDoubleTest):
        (testSelectDoubleCompareDouble):
        (testSelectDoubleCompareFloat):
        (testSelectFloatCompareFloat):
        (testSelectDoubleCompareDoubleWithAliasing):
        (testSelectFloatCompareFloatWithAliasing):
        (testSelectFold):
        (testSelectInvert):
        (testCheckSelect):
        (testCheckSelectCheckSelect):
        (testCheckSelectAndCSE):
        (b3Pow):
        (testPowDoubleByIntegerLoop):
        (testTruncOrHigh):
        (testTruncOrLow):
        (testBitAndOrHigh):
        (testBitAndOrLow):
        (testBranch64Equal):
        (testBranch64EqualImm):
        (testBranch64EqualMem):
        (testBranch64EqualMemImm):
        (testStore8Load8Z):
        (testStore16Load16Z):
        (testSShrShl32):
        (testSShrShl64):
        (testTrivialInfiniteLoop):
        (testFoldPathEqual):
        (testLShiftSelf32):
        (testRShiftSelf32):
        (testURShiftSelf32):
        (testLShiftSelf64):
        (testRShiftSelf64):
        (testURShiftSelf64):
        (testPatchpointDoubleRegs):
        (testSpillDefSmallerThanUse):
        (testSpillUseLargerThanDef):
        (testLateRegister):
        (interpreterPrint):
        (testInterpreter):
        (testReduceStrengthCheckBottomUseInAnotherBlock):
        (testResetReachabilityDanglingReference):
        (testEntrySwitchSimple):
        (testEntrySwitchNoEntrySwitch):
        (testEntrySwitchWithCommonPaths):
        (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (testEntrySwitchLoop):
        (testSomeEarlyRegister):
        (testBranchBitAndImmFusion):
        (testTerminalPatchpointThatNeedsToBeSpilled):
        (testTerminalPatchpointThatNeedsToBeSpilled2):
        (testPatchpointTerminalReturnValue):
        (testMemoryFence):
        (testStoreFence):
        (testLoadFence):
        (testTrappingLoad):
        (testTrappingStore):
        (testTrappingLoadAddStore):
        (testTrappingLoadDCE):
        (testTrappingStoreElimination):
        (testMoveConstants):
        (testPCOriginMapDoesntInsertNops):
        * b3/testb3_7.cpp: Added.
        (testPinRegisters):
        (testX86LeaAddAddShlLeft):
        (testX86LeaAddAddShlRight):
        (testX86LeaAddAdd):
        (testX86LeaAddShlRight):
        (testX86LeaAddShlLeftScale1):
        (testX86LeaAddShlLeftScale2):
        (testX86LeaAddShlLeftScale4):
        (testX86LeaAddShlLeftScale8):
        (testAddShl32):
        (testAddShl64):
        (testAddShl65):
        (testReduceStrengthReassociation):
        (testLoadBaseIndexShift2):
        (testLoadBaseIndexShift32):
        (testOptimizeMaterialization):
        (generateLoop):
        (makeArrayForLoops):
        (generateLoopNotBackwardsDominant):
        (oneFunction):
        (noOpFunction):
        (testLICMPure):
        (testLICMPureSideExits):
        (testLICMPureWritesPinned):
        (testLICMPureWrites):
        (testLICMReadsLocalState):
        (testLICMReadsPinned):
        (testLICMReads):
        (testLICMPureNotBackwardsDominant):
        (testLICMPureFoiledByChild):
        (testLICMPureNotBackwardsDominantFoiledByChild):
        (testLICMExitsSideways):
        (testLICMWritesLocalState):
        (testLICMWrites):
        (testLICMFence):
        (testLICMWritesPinned):
        (testLICMControlDependent):
        (testLICMControlDependentNotBackwardsDominant):
        (testLICMControlDependentSideExits):
        (testLICMReadsPinnedWritesPinned):
        (testLICMReadsWritesDifferentHeaps):
        (testLICMReadsWritesOverlappingHeaps):
        (testLICMDefaultCall):
        (testDepend32):
        (testDepend64):
        (testWasmBoundsCheck):
        (testWasmAddress):
        (testFastTLSLoad):
        (testFastTLSStore):
        (doubleEq):
        (doubleNeq):
        (doubleGt):
        (doubleGte):
        (doubleLt):
        (doubleLte):
        (testDoubleLiteralComparison):
        (testFloatEqualOrUnorderedFolding):
        (testFloatEqualOrUnorderedFoldingNaN):
        (testFloatEqualOrUnorderedDontFold):
        (functionNineArgs):
        (testShuffleDoesntTrashCalleeSaves):
        (testDemotePatchpointTerminal):
        (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
        (testInfiniteLoopDoesntCauseBadHoisting):
        * b3/testb3_8.cpp: Added.
        (testAtomicWeakCAS):
        (testAtomicStrongCAS):
        (testAtomicXchg):
        (addAtomicTests):
        (testLoad):
        (addLoadTests):

884 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
885
886         [JSC] Emit write barrier after storing instead of before storing
887         https://bugs.webkit.org/show_bug.cgi?id=200193
888
889         Reviewed by Saam Barati.
890
891         I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers.
892
893         1. Some write-barriers are emitted before stores happen
894
895             Some code like LazyProperty emits a write-barrier before we store the value. This is wrong since JSC has a concurrent collector. Let's consider a situation like this.
896
897                 1. Cell "A" is not marked yet
898                 2. Write-barrier is emitted onto "A"
899                 3. Concurrent collector scans "A"
900                 4. Store to "A"'s field happens
901                 5. (4)'s field is not rescanned
902
903             We should emit write-barriers after stores. This patch places write-barriers after stores happen.
904
905         2. We should emit the write-barrier after the stored fields are reachable from the owner.
906
907             We have code that is logically the same as the following.
908
909                 ```
910                 auto data = std::make_unique<XXX>();
911                 data->m_field.set(vm, owner, value);
912
913                 storeStoreBarrier();
914                 owner->m_data = WTFMove(data);
915                 ```
916
917             This is not correct. When the write-barrier is emitted, the owner cannot reach the field that is stored.
918             The actual example is AccessCase. We are emitting write-barriers with the owner when creating an AccessCase, but this is not
919             effective until this AccessCase is chained to the StructureStubInfo, which is reachable from the CodeBlock.
920
921             I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock.
922             But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called.
923
924         Speculative GC fix; it was hard to reproduce the crash since we need to control the concurrent collector's and main thread's scheduling at the instruction level.
925
926         * bytecode/BytecodeList.rb:
927         * bytecode/CodeBlock.cpp:
928         (JSC::CodeBlock::finishCreation):
929         * bytecode/StructureStubInfo.cpp:
930         (JSC::StructureStubInfo::addAccessCase):
931         * bytecode/StructureStubInfo.h:
932         (JSC::StructureStubInfo::considerCaching):
933         * dfg/DFGPlan.cpp:
934         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
935         * jit/JITOperations.cpp:
936         * llint/LLIntSlowPaths.cpp:
937         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
938         (JSC::LLInt::setupGetByIdPrototypeCache):
939         * runtime/CommonSlowPaths.cpp:
940         (JSC::SLOW_PATH_DECL):
941         * runtime/LazyPropertyInlines.h:
942         (JSC::ElementType>::setMayBeNull):
943         * runtime/RegExpCachedResult.h:
944         (JSC::RegExpCachedResult::record):
945
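The two interleavings described in the entry above, replayed against a small deterministic model of a concurrent marking collector. This is an added example, not JSC code: Cell, Collector and the scenario functions are invented for the model, and the collector's rules (scanning blackens a cell; a barrier on a black cell re-greys it; a barrier on an unmarked cell is a no-op) are a simplification of what a real snapshot marker does.

```javascript
// Added example, not JSC code: a deterministic model of a concurrent marking
// collector, used to replay the two interleavings from the ChangeLog entry.
// Cell, Collector and the scenario functions are invented for this model.

class Cell {
  constructor(name) {
    this.name = name;
    this.fields = {};     // named references to other Cells
    this.marked = false;  // "black": the collector has scanned this cell
  }
}

// The collector scans grey cells one at a time. A write barrier on a cell that
// is already black re-greys it so it gets rescanned; a barrier on a cell that is
// still unmarked is a no-op, because the collector has not looked at it yet and
// will pick up whatever the cell contains when it does.
class Collector {
  constructor(roots) { this.grey = [...roots]; }
  scanOne() {
    const cell = this.grey.pop();
    if (!cell) return false;
    cell.marked = true;
    for (const child of Object.values(cell.fields)) {
      if (child instanceof Cell && !child.marked) this.grey.push(child);
    }
    return true;
  }
  writeBarrier(cell) { if (cell.marked) this.grey.push(cell); }
  finish() { while (this.scanOne()) { /* drain the grey stack */ } }
  survives(cell) { return cell.marked; }
}

// Problem 1: barrier emitted before the store. Steps mirror the entry:
// A unmarked -> barrier on A -> collector scans A -> store into A -> no rescan.
function barrierBeforeStore() {
  const A = new Cell('A'), value = new Cell('value');
  const gc = new Collector([A]);
  gc.writeBarrier(A);        // A is still unmarked, so this does nothing
  gc.scanOne();              // collector blackens A; value is not there yet
  A.fields.x = value;        // the store lands after the scan
  gc.finish();               // nothing re-greys A
  return gc.survives(value); // false: a reachable cell looks like garbage
}

function barrierAfterStore() {
  const A = new Cell('A'), value = new Cell('value');
  const gc = new Collector([A]);
  gc.scanOne();              // collector blackens A first
  A.fields.x = value;
  gc.writeBarrier(A);        // A is black, so it is re-greyed and rescanned
  gc.finish();
  return gc.survives(value); // true
}

// Problem 2: barrier on the owner before the new data is linked into it
// (the `data->m_field.set(vm, owner, value); ...; owner->m_data = data` shape).
// The side data is modeled as a Cell the collector traverses through the owner.
function barrierBeforeLink() {
  const owner = new Cell('owner'), data = new Cell('data'), value = new Cell('value');
  const gc = new Collector([owner]);
  gc.scanOne();                 // owner is already black
  data.fields.field = value;    // store into the not-yet-linked data
  gc.writeBarrier(owner);       // owner re-greyed...
  gc.scanOne();                 // ...and rescanned, but it cannot reach data yet
  owner.fields.data = data;     // link happens after the rescan, with no barrier
  gc.finish();
  return gc.survives(value);    // false
}

function barrierAfterLink() {
  const owner = new Cell('owner'), data = new Cell('data'), value = new Cell('value');
  const gc = new Collector([owner]);
  gc.scanOne();
  data.fields.field = value;
  owner.fields.data = data;     // make the data reachable first...
  gc.writeBarrier(owner);       // ...then barrier the owner
  gc.finish();
  return gc.survives(value);    // true
}
```

The model only schedules one interleaving per function; the point of the entry is that the real collector and mutator can hit exactly these orderings, and only the "store (and link) first, barrier second" shape is safe under every interleaving.
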
946 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
947
948         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
949         https://bugs.webkit.org/show_bug.cgi?id=200192
950
951         Reviewed by Saam Barati.
952
953         StructureChain has a somewhat tricky write barrier / mutator fence in order to use UniqueArray for its underlying storage.
954         But, since the size of StructureChain is fixed at initialization, we should allocate the underlying storage from auxiliary memory and
955         set it in its constructor instead of finishCreation. We can store the values in finishCreation so that we do not need to have
956         a hacky write-barrier and mutator fence. Furthermore, we can make StructureChain non-destructible.
957
958         This patch leverages auxiliary buffer for the implementation of StructureChain. And it also adds a test that stresses StructureChain creation.
959
960         * runtime/StructureChain.cpp:
961         (JSC::StructureChain::StructureChain):
962         (JSC::StructureChain::create):
963         (JSC::StructureChain::finishCreation):
964         (JSC::StructureChain::visitChildren):
965         (JSC::StructureChain::destroy): Deleted.
966         * runtime/StructureChain.h:
967
968 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
969
970         [JSC] Increment bytecode age only when SlotVisitor is first-visit
971         https://bugs.webkit.org/show_bug.cgi?id=200196
972
973         Reviewed by Robin Morisset.
974
975         WriteBarrier can cause multiple visits for the same UnlinkedCodeBlock. But this does not mean that we are having multiple cycles of GC.
976         We should increment the age of the UnlinkedCodeBlock only when the SlotVisitor is saying that this is the first visit.
977
978         In practice, this almost never happens. Multiple visits can happen only when the marked UnlinkedCodeBlock gets a write-barrier. But mutation
979         of an UnlinkedCodeBlock is rare or nonexistent after it is initialized. I ran all the JSTests and I could not find any tests that re-visit an UnlinkedCodeBlock.
980         This patch extends JSTests/stress/reparsing-unlinked-codeblock.js to ensure that the UnlinkedCodeBlockJettisoning feature is working after this change.
981
982         * bytecode/UnlinkedCodeBlock.cpp:
983         (JSC::UnlinkedCodeBlock::visitChildren):
984         * heap/SlotVisitor.h:
985         (JSC::SlotVisitor::isFirstVisit const):
986         * parser/Parser.cpp:
987         * parser/Parser.h:
988         (JSC::parse):
989         (JSC::parseFunctionForFunctionConstructor):
990         * runtime/Options.h:
991         * tools/JSDollarVM.cpp:
992         (JSC::functionParseCount):
993         (JSC::JSDollarVM::finishCreation):
994
995 2019-07-28  Commit Queue  <commit-queue@webkit.org>
996
997         Unreviewed, rolling out r247886.
998         https://bugs.webkit.org/show_bug.cgi?id=200214
999
1000         "Causes PLT5 regression on some machines" (Requested by mlam|a
1001         on #webkit).
1002
1003         Reverted changeset:
1004
1005         "Add crash diagnostics for debugging unexpected zapped cells."
1006         https://bugs.webkit.org/show_bug.cgi?id=200149
1007         https://trac.webkit.org/changeset/247886
1008
1009 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1010
1011         [X86] Emit BT instruction for shift + mask in B3
1012         https://bugs.webkit.org/show_bug.cgi?id=199891
1013
1014         Reviewed by Keith Miller.
1015
1016         - Add a new BranchTestBit air opcode, matching the intel bt instruction
1017         - Select this instruction for the following patterns:
1018           if (a & (1<<b))
1019           if ((a>>b)&1)
1020           if ((~a>>b)&1)
1021           if (~a & (1<<b))
1022         - 15% perf progression on the nonconstant microbenchmark, neutral otherwise.
1023         - Note: we cannot fuse loads when we have bitBase=Load, bitOffset=Tmp, since the X86 instruction has 
1024           different behaviour in this mode. It will read past the current dword/qword instead of wrapping around.
1025
1026         * assembler/MacroAssemblerX86Common.h:
1027         (JSC::MacroAssemblerX86Common::branchTestBit32):
1028         * assembler/MacroAssemblerX86_64.h:
1029         (JSC::MacroAssemblerX86_64::branchTestBit64):
1030         * assembler/X86Assembler.h:
1031         (JSC::X86Assembler::bt_ir):
1032         (JSC::X86Assembler::bt_im):
1033         (JSC::X86Assembler::btw_ir):
1034         (JSC::X86Assembler::btw_im):
1035         * assembler/testmasm.cpp:
1036         (JSC::int64Operands):
1037         (JSC::testBranchTestBit32RegReg):
1038         (JSC::testBranchTestBit32RegImm):
1039         (JSC::testBranchTestBit32AddrImm):
1040         (JSC::testBranchTestBit64RegReg):
1041         (JSC::testBranchTestBit64RegImm):
1042         (JSC::testBranchTestBit64AddrImm):
1043         (JSC::run):
1044         * b3/B3LowerToAir.cpp:
1045         * b3/air/AirOpcode.opcodes:
1046         * b3/testb3.cpp:
1047         (JSC::B3::testBranchBitTest32TmpImm):
1048         (JSC::B3::testBranchBitTest32AddrImm):
1049         (JSC::B3::testBranchBitTest32TmpTmp):
1050         (JSC::B3::testBranchBitTest64TmpTmp):
1051         (JSC::B3::testBranchBitTest64AddrTmp):
1052         (JSC::B3::run):
1053
1054 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1055
1056         [JSC] Potential GC fix for JSPropertyNameEnumerator
1057         https://bugs.webkit.org/show_bug.cgi?id=200151
1058
1059         Reviewed by Mark Lam.
1060
1061         We have been seeing some JSPropertyNameEnumerator::visitChildren crashes for a long time. The crash frequency itself is not high, but it has existed for a long time.
1062         The crash happens when visiting m_propertyNames. It is also possible that this crash is caused by random corruption somewhere, but JSPropertyNameEnumerator
1063         has some tricky (and potentially dangerous) implementations anyway.
1064
1065         1. JSPropertyNameEnumerator has a Vector<WriteBarrier<JSString>> and it is extended in finishCreation with a lock.
1066            We should use Auxiliary memory for this use case. And we should set this memory in the constructor so that
1067            we do not extend it in finishCreation, and we do not need a lock.
1068         2. JSPropertyNameEnumerator gets StructureID before allocating JSPropertyNameEnumerator. This is potentially dangerous because the conservative scan
1069            cannot find the Structure* since we could only have StructureID. Since allocation code happens after StructureID is retrieved, it is possible that
1070            the allocation causes GC and Structure* is collected.
1071
1072         In this patch, we align JSPropertyNameEnumerator implementation to the modern one to avoid using Vector<WriteBarrier<JSString>>. And we can make JSPropertyNameEnumerator
1073         a non-destructible cell. Since JSCell's destructor is one of the causes of various issues, we should avoid it if we can.
1074
1075         No behavior change. This patch adds a test stressing JSPropertyNameEnumerator.
1076
1077         * dfg/DFGOperations.cpp:
1078         * runtime/CommonSlowPaths.cpp:
1079         (JSC::SLOW_PATH_DECL):
1080         * runtime/JSPropertyNameEnumerator.cpp:
1081         (JSC::JSPropertyNameEnumerator::create):
1082         (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
1083         (JSC::JSPropertyNameEnumerator::finishCreation):
1084         (JSC::JSPropertyNameEnumerator::visitChildren):
1085         (JSC::JSPropertyNameEnumerator::destroy): Deleted.
1086         * runtime/JSPropertyNameEnumerator.h:
1087         * runtime/VM.cpp:
1088         (JSC::VM::emptyPropertyNameEnumeratorSlow):
1089         * runtime/VM.h:
1090         (JSC::VM::emptyPropertyNameEnumerator):
1091
1092 2019-07-26  Mark Lam  <mark.lam@apple.com>
1093
1094         Add crash diagnostics for debugging unexpected zapped cells.
1095         https://bugs.webkit.org/show_bug.cgi?id=200149
1096         <rdar://problem/53570112>
1097
1098         Reviewed by Yusuke Suzuki, Saam Barati, and Michael Saboff.
1099
1100         Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
1101         SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
1102         some diagnostic info.
1103
1104         To facilitate this, we've made the following changes:
1105         1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
1106            cells are at least 16 bytes long.
1107         2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
1108            cell header info intact (including the cell JSType).
1109         3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
1110            the reason immediately after the first 8 bytes.  This is the same location as
1111            FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
1112            and on the free list at the same time, it is also fine to do this.
1113         4. Added a few utility functions to MarkedBlock for checking if a cell points
1114            into the block.
1115         5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
1116         6. Added some comments to document the hashes of known subspaces.
1117
1118         * heap/FreeList.h:
1119         (JSC::FreeCell::offsetOfScrambledNext):
1120         * heap/HeapCell.h:
1121         (JSC::HeapCell::zap):
1122         (JSC::HeapCell::isZapped const):
1123         * heap/MarkedBlock.cpp:
1124         (JSC::MarkedBlock::Handle::stopAllocating):
1125         * heap/MarkedBlock.h:
1126         (JSC::MarkedBlock::Handle::start const):
1127         (JSC::MarkedBlock::Handle::end const):
1128         (JSC::MarkedBlock::Handle::contains const):
1129         * heap/MarkedBlockInlines.h:
1130         (JSC::MarkedBlock::Handle::specializedSweep):
1131         * heap/MarkedSpace.h:
1132         (JSC::MarkedSpace::forEachSubspace):
1133         * heap/SlotVisitor.cpp:
1134         (JSC::SlotVisitor::appendToMarkStack):
1135         (JSC::SlotVisitor::visitChildren):
1136         (JSC::SlotVisitor::reportZappedCellAndCrash):
1137         * heap/SlotVisitor.h:
1138         * jit/AssemblyHelpers.cpp:
1139         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1140         * runtime/VM.cpp:
1141         (JSC::VM::VM):
1142         * tools/JSDollarVM.cpp:
1143         (JSC::functionDumpSubspaceHashes):
1144         (JSC::JSDollarVM::finishCreation):
1145         * tools/VMInspector.cpp:
1146         (JSC::VMInspector::dumpSubspaceHashes):
1147         * tools/VMInspector.h:
1148
1149 2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>
1150
1151         [JSC] Use unalignedLoad for JSRopeString fiber accesses
1152         https://bugs.webkit.org/show_bug.cgi?id=200148
1153
1154         Reviewed by Mark Lam.
1155
1156         JSRopeString always has some subsequent bytes that are accessible because MarkedBlock has a Footer.
1157         We use WTF::unalignedLoad to get fibers, and it will be converted to one CPU load instruction.
1158
1159         * heap/MarkedBlock.h:
1160         * runtime/JSString.h:
1161
1162 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1163
1164         Legacy numeric literals should not permit separators or BigInt
1165         https://bugs.webkit.org/show_bug.cgi?id=199984
1166
1167         Reviewed by Keith Miller.
1168
1169         * parser/Lexer.cpp:
1170         (JSC::Lexer<T>::parseOctal):
1171         (JSC::Lexer<T>::parseDecimal):
1172
1173 2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>
1174
1175         Unreviewed, build fix due to C++17's std::invoke_result_t
1176         https://bugs.webkit.org/show_bug.cgi?id=200139
1177
1178         Use std::result_of for now until all the supported environments implement it.
1179
1180         * heap/IsoSubspace.h:
1181
1182 2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>
1183
1184         [JSC] Ensure PackedCellPtr only takes non-large-allocation pointers
1185         https://bugs.webkit.org/show_bug.cgi?id=200139
1186
1187         Reviewed by Mark Lam.
1188
1189         PackedCellPtr will compact a pointer by leveraging the fact that JSCell pointers are 16-byte aligned.
1190         But this fact only holds when the JSCell is not a large allocation. Currently, we are using PackedCellPtr
1191         only for the cell types which meet the above requirement. But we would like to ensure that statically.
1192
1193         In this patch, we add additional static/runtime assertions to ensure this invariant. We accept a cell
1194         type only if either (1) it is annotated "final" and sizeof(T) is <= MarkedSpace::largeCutoff or (2) it
1195         is allocated from IsoSubspace.
1196
1197         This patch does not change any behaviors. It just adds extra static/runtime assertions.
1198
1199         * bytecode/CodeBlock.h:
1200         (JSC::CodeBlock::subspaceFor):
1201         * bytecode/CodeBlockJettisoningWatchpoint.h:
1202         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1203         * dfg/DFGAdaptiveStructureWatchpoint.h:
1204         * heap/IsoSubspace.h:
1205         * heap/PackedCellPtr.h:
1206         (JSC::PackedCellPtr::PackedCellPtr):
1207         * runtime/FunctionRareData.h:
1208         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
1209         * runtime/ObjectToStringAdaptiveStructureWatchpoint.h:
1210
1211 2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>
1212
1213         [JSC] Make visitChildren implementation more idiomatic
1214         https://bugs.webkit.org/show_bug.cgi?id=200121
1215
1216         Reviewed by Mark Lam.
1217
1218         This patch makes visitChildren implementations more idiomatic: cast, assert, and calling Base::visitChildren.
1219         While this does not find interesting issues, it is still nice to have consistent implementations.
1220         StructureChain::visitChildren missed Base::visitChildren, but it does not have much effect since StructureChain
1221         is an immortal cell.
1222
1223         * bytecode/ExecutableToCodeBlockEdge.cpp:
1224         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1225         * runtime/AbstractModuleRecord.cpp:
1226         (JSC::AbstractModuleRecord::visitChildren):
1227         * runtime/FunctionRareData.cpp:
1228         (JSC::FunctionRareData::visitChildren):
1229         * runtime/JSArrayBufferView.cpp:
1230         (JSC::JSArrayBufferView::visitChildren):
1231         * runtime/JSGenericTypedArrayViewInlines.h:
1232         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1233         * runtime/JSImmutableButterfly.cpp:
1234         (JSC::JSImmutableButterfly::visitChildren):
1235         * runtime/JSModuleEnvironment.cpp:
1236         (JSC::JSModuleEnvironment::visitChildren):
1237         * runtime/JSModuleRecord.cpp:
1238         (JSC::JSModuleRecord::visitChildren):
1239         * runtime/JSPropertyNameEnumerator.cpp:
1240         (JSC::JSPropertyNameEnumerator::visitChildren):
1241         * runtime/JSString.cpp:
1242         (JSC::JSString::visitChildren):
1243         * runtime/SparseArrayValueMap.cpp:
1244         (JSC::SparseArrayValueMap::visitChildren):
1245         * runtime/StructureChain.cpp:
1246         (JSC::StructureChain::visitChildren):
1247         * runtime/SymbolTable.cpp:
1248         (JSC::SymbolTable::visitChildren):
1249         * tools/JSDollarVM.cpp:
1250         (JSC::Root::visitChildren):
1251         (JSC::ImpureGetter::visitChildren):
1252         * wasm/js/WebAssemblyModuleRecord.cpp:
1253         (JSC::WebAssemblyModuleRecord::visitChildren):
1254
1255 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1256
1257         [ESNext] Implement nullish coalescing
1258         https://bugs.webkit.org/show_bug.cgi?id=200072
1259
1260         Reviewed by Darin Adler.
1261
1262         Implement the nullish coalescing proposal, which has now reached Stage 3 at TC39.
1263
1264         This introduces a ?? operator which:
1265           - acts like || but checks for nullishness instead of truthiness
1266           - has a precedence lower than || (or any other binary operator)
1267           - must be disambiguated with parentheses when combined with || or &&
1268
1269         * bytecompiler/NodesCodegen.cpp:
1270         (JSC::CoalesceNode::emitBytecode): Added.
1271         Bytecode must use OpIsUndefinedOrNull and not OpNeqNull because of document.all.
1272
1273         * parser/ASTBuilder.h:
1274         (JSC::ASTBuilder::makeBinaryNode):
1275         * parser/Lexer.cpp:
1276         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
1277         * parser/NodeConstructors.h:
1278         (JSC::CoalesceNode::CoalesceNode): Added.
1279         * parser/Nodes.h:
1280         Introduce new token and AST node.
1281
1282         * parser/Parser.cpp:
1283         (JSC::Parser<LexerType>::parseBinaryExpression):
1284         Implement early error.
1285
1286         * parser/ParserTokens.h:
1287         Since this patch needs to shift the value of every binary operator token anyway,
1288         let's only bother to increment their LSBs when we actually have a precedence conflict.
1289
1290         * parser/ResultType.h:
1291         (JSC::ResultType::definitelyIsNull const): Added.
1292         (JSC::ResultType::mightBeUndefinedOrNull const): Added.
1293         (JSC::ResultType::forCoalesce): Added.
1294         We can do better than forLogicalOp here; let's be as accurate as possible.
1295
1296         * runtime/Options.h:
1297         Add runtime feature flag.
1298
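The observable semantics the entry above describes (nullish rather than falsy, short-circuiting, and the parenthesisation early error), as an added example that is not part of the WebKit patch. applyDefaults, coalesce, rightOperandEvaluations and isEarlyError are names invented for this illustration; the `??` lines need an engine that already ships the operator.

```javascript
// Added example, not code from the WebKit patch: observable semantics of `??`.
// applyDefaults, coalesce, rightOperandEvaluations and isEarlyError are
// invented for this illustration.

// A settings object where 0, '' and false are legitimate values. `??` only
// substitutes the default for null/undefined; `||` substitutes it for every
// falsy value, silently discarding the caller's 0.
function applyDefaults(settings) {
  return {
    retries: settings.retries ?? 3,
    prefix: settings.prefix ?? 'log:',
    verbose: settings.verbose ?? true,
    timeoutWithOr: settings.timeout || 30,  // the pre-?? idiom, for contrast
  };
}

// Equivalent expansion. The test is "undefined or null", not `== null`: the
// entry notes that bytecode must use OpIsUndefinedOrNull rather than OpNeqNull
// because document.all compares loosely equal to null without being nullish.
function coalesce(lhs, rhsThunk) {
  return (lhs === undefined || lhs === null) ? rhsThunk() : lhs;
}

// `??` short-circuits: the right operand is evaluated only for a nullish left.
function rightOperandEvaluations(lhs) {
  let calls = 0;
  const result = lhs ?? (calls++, 'fallback');
  return { result, calls };
}

// Mixing `??` with `||` or `&&` without parentheses is an early error, i.e. a
// SyntaxError at parse time, before any of the code runs.
function isEarlyError(src) {
  try {
    new Function(src);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

isEarlyError only parses the source (the free variables a, b, c are never evaluated), which is what distinguishes the grammar-level restriction from a runtime failure.
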
1299 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1300
1301         Three checks are missing in Proxy internal methods
1302         https://bugs.webkit.org/show_bug.cgi?id=198630
1303
1304         Reviewed by Darin Adler.
1305
1306         Add three missing checks in Proxy internal methods.
1307         These checks are necessary to maintain the invariants of the essential internal methods.
1308         (https://github.com/tc39/ecma262/pull/666)
1309
1310         1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable.
1311         2. [[Delete]] should return `false` when the target has property and is not extensible.
1312         3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable.
1313
1314         Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69)
1315         Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919
1316
1317         * runtime/ProxyObject.cpp:
1318         (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check.
1319         (JSC::ProxyObject::performDelete): Add extensibility check.
1320         (JSC::ProxyObject::performDefineOwnProperty): Add writability check.
1321
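Each of the three invariant checks from the entry above, triggered by a trap whose result contradicts the proxy target, as an added example that is not part of the WebKit patch. The helper names are invented; Reflect.* is used so that a trap returning false is visible as `false` rather than as an exception from Object.*, which makes the TypeError from an invariant violation unambiguous. An engine without these checks returns normally from the three "lying" cases.

```javascript
// Added example, not code from the WebKit patch: the three Proxy invariant
// checks, each exercised by a trap that contradicts its target. Helper names
// (throwsTypeError and the scenario functions) are invented here.

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// 1. [[GetOwnProperty]]: target.x is writable and non-configurable; the trap
//    reports it as non-configurable *and* non-writable. The older check (trap
//    reports non-configurable only if the target's property is) passes, so only
//    the new writability check rejects this descriptor.
function getOwnPropertyLiesAboutWritability() {
  const target = {};
  Object.defineProperty(target, 'x', { value: 1, writable: true, configurable: false, enumerable: true });
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor: () => ({ value: 1, writable: false, configurable: false, enumerable: true }),
  });
  return throwsTypeError(() => Object.getOwnPropertyDescriptor(proxy, 'x'));
}

// 2. [[Delete]]: target is non-extensible and still has x; the trap claims the
//    delete succeeded. x is configurable, so the older non-configurability
//    check does not fire; only the new extensibility check does.
function deleteOnNonExtensibleTarget() {
  const target = { x: 1 };
  Object.preventExtensions(target);
  const proxy = new Proxy(target, { deleteProperty: () => true });
  return throwsTypeError(() => Reflect.deleteProperty(proxy, 'x'));
}

// 3. [[DefineOwnProperty]]: target.x is non-configurable and writable; the trap
//    claims to have redefined it as non-writable, which the target cannot
//    honour because a non-configurable property can never become non-writable
//    through the proxy without the target changing too.
function defineNonWritableOverWritable() {
  const target = {};
  Object.defineProperty(target, 'x', { value: 1, writable: true, configurable: false, enumerable: true });
  const proxy = new Proxy(target, { defineProperty: () => true });
  return throwsTypeError(() => Reflect.defineProperty(proxy, 'x', { writable: false }));
}

// Control: a trap that forwards to the target never trips a check, even on a
// non-extensible target, because its answer matches the target's real state.
function honestProxyIsFine() {
  const target = { x: 1 };
  Object.preventExtensions(target);
  const proxy = new Proxy(target, {
    deleteProperty: (t, key) => Reflect.deleteProperty(t, key),
  });
  return Reflect.deleteProperty(proxy, 'x') === true && !('x' in target);
}
```

The reason these checks matter for code that consumes untrusted objects is the one the entry gives: the invariants are what let a caller trust a descriptor or a delete result without re-inspecting the target, and a Proxy that can contradict them breaks any reasoning built on Object.getOwnPropertyDescriptor or delete.
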
1322 2019-07-24  Mark Lam  <mark.lam@apple.com>
1323
1324         Remove some unused code.
1325         https://bugs.webkit.org/show_bug.cgi?id=200101
1326
1327         Reviewed by Yusuke Suzuki.
1328
1329         * heap/MarkedBlock.cpp:
1330         (JSC::MarkedBlock::Handle::zap): Deleted.
1331         * heap/MarkedBlock.h:
1332         * heap/SlotVisitor.cpp:
1333         (JSC::SlotVisitor::appendToMutatorMarkStack): Deleted.
1334         * heap/SlotVisitor.h:
1335
1336 2019-07-24  Mark Lam  <mark.lam@apple.com>
1337
1338         performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer.
1339         https://bugs.webkit.org/show_bug.cgi?id=200100
1340         <rdar://problem/53474939>
1341
1342         Reviewed by Yusuke Suzuki.
1343
1344         * assembler/ARM64Assembler.h:
1345         (JSC::ARM64Assembler::CopyFunction::CopyFunction):
1346         (JSC::ARM64Assembler::CopyFunction::operator()):
1347         - I chose to use ptrauth_auth_function() here instead of retagCodePtr() because
1348           retagCodePtr() would auth, assert, and re-pac the pointer.  This is needed in
1349           general because retagCodePtr() doesn't know that you will consume the pointer
1350           immediately (and therefore crash imminently if a failed auth is encountered).
1351           Since we know here that we will call with the auth'ed pointer immediately, we
1352           can skip the assert.
1353
1354           This also has the benefit of letting Clang do a peephole optimization to emit
1355           a blrab instruction with the intended diversifier, instead of emitting multiple
1356           instructions to auth the pointer into a C function, and then using a blraaz to
1357           do a C function call.
1358
1359         (JSC::ARM64Assembler::linkJumpOrCall):
1360         (JSC::ARM64Assembler::linkCompareAndBranch):
1361         (JSC::ARM64Assembler::linkConditionalBranch):
1362         (JSC::ARM64Assembler::linkTestAndBranch):
1363         * assembler/LinkBuffer.cpp:
1364         (JSC::LinkBuffer::copyCompactAndLinkCode):
1365         * runtime/JSCPtrTag.h:
1366
1367 2019-07-24  Devin Rousso  <drousso@apple.com>
1368
1369         Web Inspector: print the target of `console.screenshot` last so the target is the closest item to the image
1370         https://bugs.webkit.org/show_bug.cgi?id=199308
1371
1372         Reviewed by Joseph Pecoraro.
1373
1374         * inspector/ConsoleMessage.h:
1375         (Inspector::ConsoleMessage::arguments const):
1376
1377         * inspector/ScriptArguments.h:
1378         * inspector/ScriptArguments.cpp:
1379         (Inspector::ScriptArguments::getFirstArgumentAsString const): Added.
1380         (Inspector::ScriptArguments::getFirstArgumentAsString): Deleted.
1381
1382 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1383
1384         Sometimes we miss removable CheckInBounds
1385         https://bugs.webkit.org/show_bug.cgi?id=200018
1386
1387         Reviewed by Saam Barati.
1388
1389         We failed to remove the CheckInBounds node because we did not see that the index was nonnegative. This is because we do not see the relationship between the two
1390         separate zero constants that appear in the IR for the given test case. This patch re-adds the hack to de-duplicate m_zero that was removed in
1391         <https://trac.webkit.org/changeset/241228/webkit>.
1392
1393         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1394
1395 2019-07-22  Yusuke Suzuki  <ysuzuki@apple.com>
1396
1397         [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up
1398         https://bugs.webkit.org/show_bug.cgi?id=200024
1399
1400         Reviewed by Saam Barati.
1401
1402         Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack.
1403
1404         * interpreter/CLoopStack.cpp:
1405         (JSC::CLoopStack::CLoopStack):
1406
1407 2019-07-22  Saam Barati  <sbarati@apple.com>
1408
1409         Turn off Wasm fast memory on iOS
1410         https://bugs.webkit.org/show_bug.cgi?id=200016
1411         <rdar://problem/53417726>
1412
1413         Reviewed by Yusuke Suzuki.
1414
1415         We turned them on when we disabled Gigacage on iOS. However, we re-enabled
1416         Gigacage on iOS, but forgot to turn wasm fast memories back off.
1417
1418         * runtime/Options.h:
1419
1420 2019-07-22  Ross Kirsling  <ross.kirsling@sony.com>
1421
1422         Unreviewed non-unified build fix.
1423
1424         * runtime/CachedTypes.h:
1425
1426 2019-07-20  Yusuke Suzuki  <ysuzuki@apple.com>
1427
1428         [JSC] Make DFG Local CSE and AI conservative for huge basic block
1429         https://bugs.webkit.org/show_bug.cgi?id=199929
1430         <rdar://problem/49309924>
1431
1432         Reviewed by Filip Pizlo.
1433
1434         On the CNN page, the main thread hangs for several seconds. On less powerful devices (like the iPhone 7), it hangs for ~11 seconds. This is not acceptable behavior.
1435         The reason for this is that the DFG compiler takes too long compiling a particular function. It takes 8765 ms even on a powerful x64 machine!
1436         The DFG compiler is a concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler to stop.
1437         The DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some DFG phases take a very long time, the main thread is blocked during that time.
1438         As a result, the main thread is blocked due to this pathological compilation.
1439
1440         By measuring the time taken in each DFG phase, we found that our AI and CSE phases have a problem: quadratic complexity in the # of DFG nodes in a basic block.
1441         In this patch, we add a threshold for the # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use a conservative but O(1) algorithm for the AI and Local CSE phases.
1442         We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand,
1443         DFG should compile them because DFG is intended to be a fast compiler even for somewhat larger CodeBlocks.
1444
1445         We first attempted to reduce the threshold for DFG compilation. We are using a 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost
1446         is not the problem on the CNN page. The problematic function has a cost of 67904, and it takes 8765 ms on an x64 machine. However, JetStream2/octane-zlib has a function with cost 61949 and it only takes
1447         ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and that makes AI and Local CSE super time-consuming.
1448         Rather than relying on the bytecode cost, which is only indirectly related to this pathological compile time, we should look at the # of DFG nodes in a basic block, which is more directly
1449         related to this problem. And we also found that Octane-zlib's 61949-cost function is very critical for performance. This fact makes it a bit hard to pick the right threshold: 67904 causes the problem,
1450         and 61949 must be compiled. This is why this patch introduces conservative analysis instead of adjusting the threshold for DFG.
1451
1452         This patch has two changes.
1453
1454         1. DFG AI has structure transition tracking which has quadratic complexity
1455
1456         Structure transition tracking takes a very long time since its complexity is O(N^2) where N is the # of DFG nodes in a basic block.
1457         CNN has a very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm.
1458         For now, we just say "structures are clobbered" if the # of DFG nodes in a basic block exceeds the threshold (20000).
1459         We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1].
1460
1461         2. DFG Local CSE has quadratic complexity
1462
1463         Local CSE's clobbering iterates over all the impure heap values to remove the clobbered ones. Since the # of impure heap values tends to be proportional to the # of DFG nodes we visited,
1464         each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface as LargeMap and SmallMap in CSE, but its clobbering
1465         implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in
1466         JetStream2 and Speedometer2 so I'll track it in a separate bug [2].
1467
1468         This patch reduces the compilation time from ~11 seconds to ~200 ms.
1469
1470         [1]: https://bugs.webkit.org/show_bug.cgi?id=199959
1471         [2]: https://bugs.webkit.org/show_bug.cgi?id=200014
1472
1473         * dfg/DFGAbstractInterpreterInlines.h:
1474         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1475         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1476         * dfg/DFGCSEPhase.cpp:
1477         * runtime/Options.h:
1478
1479 2019-07-22  Zhifei Fang  <zhifei_fang@apple.com>
1480
1481         Need to skip test cache directory data vault for non internal build
1482         https://bugs.webkit.org/show_bug.cgi?id=199951
1483
1484         Reviewed by Alexey Proskuryakov.
1485
1486         * API/tests/testapi.mm:
1487         (testBytecodeCacheValidation): The error message "Cache directory `/private/tmp` is not a data vault" will only be created for internal builds; see JSScript.mm:97.
1488
1489 2019-07-17  Antoine Quint  <graouts@apple.com>
1490
1491         Disable Pointer Events prior to watchOS 6
1492         https://bugs.webkit.org/show_bug.cgi?id=199890
1493         <rdar://problem/53206113>
1494
1495         Reviewed by Dean Jackson.
1496
1497         * Configurations/FeatureDefines.xcconfig:
1498
1499 2019-07-17  Keith Miller  <keith_miller@apple.com>
1500
1501         Force useLLInt to true on arm64_32
1502         https://bugs.webkit.org/show_bug.cgi?id=199882
1503         <rdar://problem/53207586>
1504
1505         Reviewed by Yusuke Suzuki.
1506
1507         Some jsc tests set useLLInt=false but on arm64_32 we don't support the JIT.
1508         This causes the option coherency checker to get angry. We should force
1509         useLLInt=true on arm64_32 unless useJIT=true.
1510
1511         * runtime/Options.cpp:
1512         (JSC::recomputeDependentOptions):
1513
1514 2019-07-17  Christopher Reid  <chris.reid@sony.com>
1515
1516         Bytecode cache should use FileSystem
1517         https://bugs.webkit.org/show_bug.cgi?id=199759
1518
1519         Reviewed by Yusuke Suzuki.
1520
1521         Update bytecode cache to use platform generic FileSystem calls.
1522
1523         * API/JSScript.mm:
1524         * CMakeLists.txt:
1525         * jsc.cpp:
1526         * runtime/CachePayload.cpp:
1527         * runtime/CachePayload.h:
1528         * runtime/CachedBytecode.h:
1529         * runtime/CachedTypes.cpp:
1530         * runtime/CachedTypes.h:
1531         * runtime/CodeCache.cpp:
1532         * runtime/CodeCache.h:
1533         * runtime/Completion.cpp:
1534         * runtime/Completion.h:
1535
1536 2019-07-17  Mark Lam  <mark.lam@apple.com>
1537
1538         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1539         https://bugs.webkit.org/show_bug.cgi?id=199821
1540         <rdar://problem/52452328>
1541
1542         Reviewed by Filip Pizlo.
1543
1544         Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal
1545         nodes in the SSAConversionPhase.  SetLocal nodes are always preceded by MovHint nodes,
1546         and the SSAConversionPhase always inserts a KillStack node before a MovHint node.
1547         Hence, a PutStack node is always preceded by a KillStack node.
1548
1549         However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series
1550         of one or more PutStack nodes, and it prepends MovHint nodes before the PutStack
1551         nodes.  However, it neglects to prepend KillStack nodes as well.  Since the
1552         ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes
1553         added during ArgumentsElimination will not be preceded by KillStack nodes.
1554
1555         This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase
1556         before it inserts a MovHint and a PutStack node.
1557
1558         Consider this test case which can manifest the above issue as a crash:
1559
1560             function inlinee(value) {
1561                 ...
1562                 let tmp = value + 1;
1563             }
1564
1565             function reflect() {
1566                 return inlinee.apply(undefined, arguments);
1567             }
1568
1569             function test(arr) {
1570                 let object = inlinee.apply(undefined, arr);   // Uses a lot of SetArgumentMaybe nodes.
1571                 reflect();    // Calls with a LoadVararg, which gets converted into a PutStack of a constant.
1572             }
1573
1574         In this test case, we have a scenario where a SetArgumentMaybe's stack
1575         slot is reused as the stack slot for a PutStack later.  Here, the PutStack will
1576         put a constant undefined value.  Coincidentally, the SetArgumentMaybe may also
1577         initialize that stack slot to a constant undefined value.  Note that by the time
1578         the PutStack executes, the SetArgumentMaybe's stack slot is dead.  The liveness of
1579         these 2 values is distinct.
1580
1581         However, because we were missing a KillStack before the PutStack, OSR availability
1582         analysis gets misled into thinking that the PutStack constant value is still in the
1583         stack slot because the value left there by the SetArgumentMaybe hasn't been killed
1584         off yet.  As a result, OSR exit code will attempt to recover the PutStack's undefined
1585         constant by loading from the stack slot instead of materializing it.  Since
1586         SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR
1587         exit when we try to recover the PutStack constant value from the stack slot, and
1588         end up using whatever junk value we read from there.
1589
1590         Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack
1591         removes this conflation of the PutStack's constant value with the SetArgumentMaybe's
1592         constant value in the same stack slot.  And, OSR availability analysis will no
1593         longer be misled to load the PutStack's constant value from the stack, but will
1594         materialize the constant instead.
1595
1596         * dfg/DFGArgumentsEliminationPhase.cpp:
1597
1598 2019-07-17  Commit Queue  <commit-queue@webkit.org>
1599
1600         Unreviewed, rolling out r247505.
1601         https://bugs.webkit.org/show_bug.cgi?id=199871
1602
1603         "Caused failed ASSERT in stress test" (Requested by creid on
1604         #webkit).
1605
1606         Reverted changeset:
1607
1608         "Bytecode cache should use FileSystem"
1609         https://bugs.webkit.org/show_bug.cgi?id=199759
1610         https://trac.webkit.org/changeset/247505
1611
1612 2019-07-16  Christopher Reid  <chris.reid@sony.com>
1613
1614         Bytecode cache should use FileSystem
1615         https://bugs.webkit.org/show_bug.cgi?id=199759
1616
1617         Reviewed by Yusuke Suzuki.
1618
1619         Update bytecode cache to use platform generic FileSystem calls.
1620
1621         * API/JSScript.mm:
1622         * CMakeLists.txt:
1623         * jsc.cpp:
1624         * runtime/CachePayload.cpp:
1625         * runtime/CachePayload.h:
1626         * runtime/CachedBytecode.h:
1627         * runtime/CachedTypes.cpp:
1628         * runtime/CachedTypes.h:
1629         * runtime/CodeCache.cpp:
1630         * runtime/CodeCache.h:
1631         * runtime/Completion.cpp:
1632         * runtime/Completion.h:
1633
1634 2019-07-16  Joonghun Park  <pjh0718@gmail.com>
1635
1636         [GTK] Fix a build warning in JavaScriptCore/API/tests/testapi.c
1637         https://bugs.webkit.org/show_bug.cgi?id=199824
1638
1639         Reviewed by Alex Christensen.
1640
1641         * API/tests/testapi.c:
1642         (main):
1643
1644 2019-07-15  Keith Miller  <keith_miller@apple.com>
1645
1646         JSGlobalObject type macros should support feature flags and WeakRef should have one
1647         https://bugs.webkit.org/show_bug.cgi?id=199601
1648
1649         Reviewed by Mark Lam.
1650
1651         This patch refactors the various builtin type macros to have a
1652         parameter, which is the feature flag enabling it.  Since most
1653         builtin types are enabled by default this patch adds a new global
1654         bool typeExposedByDefault for clarity. Note, because static hash
1655         tables have no concept of feature flags we can't use feature flags
1656         with lazy properties. This is probably not a big deal as features
1657         that are off by default won't be allocated anywhere we care about
1658         memory usage anyway.
1659
1660         * runtime/CommonIdentifiers.h:
1661         * runtime/JSGlobalObject.cpp:
1662         (JSC::JSGlobalObject::init):
1663         (JSC::JSGlobalObject::visitChildren):
1664         * runtime/JSGlobalObject.h:
1665         (JSC::JSGlobalObject::stringObjectStructure const):
1666         (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted.
1667         * runtime/Options.h:
1668         * wasm/js/JSWebAssembly.cpp:
1669
1670 2019-07-15  Keith Miller  <keith_miller@apple.com>
1671
1672         A Possible Issue of Object.create method
1673         https://bugs.webkit.org/show_bug.cgi?id=199744
1674
1675         Reviewed by Yusuke Suzuki.
1676
1677         We should call toObject on the properties argument if it was not undefined.
1678         See: https://tc39.es/ecma262/#sec-object.create
1679
1680         * runtime/ObjectConstructor.cpp:
1681         (JSC::objectConstructorCreate):
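
The entry above notes that the properties argument of Object.create must go through ToObject whenever it is not undefined. The following is an added example, not JSC's objectConstructorCreate, that writes the spec algorithm out step by step so the consequences are visible: a primitive second argument is boxed rather than rejected, only null throws at that step, and a boxed string fails later because its indexed elements are not descriptor objects. The helper names are the example's own.

```javascript
// Added example, not JSC's objectConstructorCreate: Object.create written out
// step by step from https://tc39.es/ecma262/#sec-object.create and the
// ObjectDefineProperties abstract operation it calls, to show exactly where
// ToObject is applied to the second argument.
function toObject(v) {
  if (v === undefined || v === null)
    throw new TypeError('Cannot convert undefined or null to object');
  return Object(v);          // primitives are boxed, objects pass through
}

function isObject(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// ToPropertyDescriptor: each descriptor itself must be an object.
function toPropertyDescriptor(d) {
  if (!isObject(d)) throw new TypeError('Property description must be an object');
  const desc = {};
  for (const field of ['enumerable', 'configurable', 'value', 'writable', 'get', 'set'])
    if (field in d) desc[field] = d[field];
  if (('get' in desc || 'set' in desc) && ('value' in desc || 'writable' in desc))
    throw new TypeError('Invalid property descriptor: cannot mix accessors and data fields');
  return desc;
}

function specObjectCreate(proto, properties) {
  if (proto !== null && !isObject(proto))
    throw new TypeError('Object prototype may only be an Object or null');
  const obj = Object.setPrototypeOf({}, proto);       // OrdinaryObjectCreate(proto)
  if (properties === undefined) return obj;           // only undefined skips this step

  // ObjectDefineProperties(obj, properties), step 1: ToObject(properties).
  // A primitive such as 42 or "" is boxed and then yields no enumerable own
  // keys; null is the only other value that throws here.
  const props = toObject(properties);
  const descriptors = [];
  for (const key of Reflect.ownKeys(props)) {
    const propDesc = Object.getOwnPropertyDescriptor(props, key);
    if (propDesc !== undefined && propDesc.enumerable)
      descriptors.push([key, toPropertyDescriptor(props[key])]);  // all validated before any define
  }
  for (const [key, desc] of descriptors) Object.defineProperty(obj, key, desc);
  return obj;
}
```

A conforming engine gives the same answers natively: Object.create(null, 42) returns an object with no own properties, while Object.create(null, null) throws a TypeError.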
1682
1683 2019-07-15  Saagar Jha  <saagarjha@apple.com>
1684
1685         Keyword lookup can use memcmp to get around unaligned load undefined behavior
1686         https://bugs.webkit.org/show_bug.cgi?id=199650
1687
1688         Reviewed by Yusuke Suzuki.
1689
1690         Replace KeywordLookup's hand-rolled "memcmp" with the standard version, which reduces the need to deal with
1691         endianness and unaligned loads.
1692
1693         * KeywordLookupGenerator.py:
1694         (Trie.printSubTreeAsC): Use memcmp instead of macros to test for matches.
1695         (Trie.printAsC): Unspecialize Lexer::parseKeyword as templating over the character type reduces the amount of
1696         code we need to generate and moves this task out of the Python script and into the C++ compiler.
1697
1698 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1699
1700         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1701         https://bugs.webkit.org/show_bug.cgi?id=199783
1702
1703         Reviewed by Mark Lam.
1704
1705         This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score.
1706         I picked trivial ones in this patch to make this easily reviewable.
1707
1708         1. Remove WebAssemblyPrototype. It does not exist in the spec. Merge WebAssemblyPrototype into JSWebAssembly.
1709         2. Fix various attributes. They do not match the usual JSC builtins' convention. But this change
1710            is correct because they are changed to match the WebIDL definitions, and the WebAssembly implementation
1711            follows WebIDL. In the future, we could move WebCore WebIDL things into the WTF layer and even use (or leverage
1712            some of the utility functions) in our WebAssembly JS API implementation.
1713         3. Fix how we interpret "present" in the WebAssembly spec. This does not mean the [[HasProperty]] result. It follows the
1714            WebIDL spec, and it means that the [[Get]] result is not undefined.
1715         4. Add an argument count check to Module.customSections, which is required because the method is defined in WebIDL.
1716         5. Fix toNonWrappingUint32 to match WebIDL's conversion rule.
1717
1718         * CMakeLists.txt:
1719         * DerivedSources-input.xcfilelist:
1720         * DerivedSources-output.xcfilelist:
1721         * DerivedSources.make:
1722         * JavaScriptCore.xcodeproj/project.pbxproj:
1723         * Sources.txt:
1724         * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js.
1725         * jit/Repatch.cpp:
1726         * runtime/JSGlobalObject.cpp:
1727         (JSC::JSGlobalObject::init):
1728         * runtime/JSModuleLoader.cpp:
1729         (JSC::moduleLoaderParseModule):
1730         * wasm/js/JSWebAssembly.cpp:
1731         (JSC::JSWebAssembly::create):
1732         (JSC::JSWebAssembly::finishCreation):
1733         (JSC::reject):
1734         (JSC::webAssemblyModuleValidateAsyncInternal):
1735         (JSC::webAssemblyCompileFunc):
1736         (JSC::resolve):
1737         (JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
1738         (JSC::instantiate):
1739         (JSC::compileAndInstantiate):
1740         (JSC::JSWebAssembly::instantiate):
1741         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1742         (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
1743         (JSC::webAssemblyInstantiateFunc):
1744         (JSC::webAssemblyValidateFunc):
1745         (JSC::webAssemblyCompileStreamingInternal):
1746         (JSC::webAssemblyInstantiateStreamingInternal):
1747         * wasm/js/JSWebAssembly.h:
1748         * wasm/js/JSWebAssemblyHelpers.h:
1749         (JSC::toNonWrappingUint32):
1750         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1751         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
1752         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1753         (JSC::WebAssemblyInstanceConstructor::finishCreation):
1754         * wasm/js/WebAssemblyInstancePrototype.cpp:
1755         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1756         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
1757         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1758         (JSC::constructJSWebAssemblyMemory):
1759         (JSC::WebAssemblyMemoryConstructor::finishCreation):
1760         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1761         * wasm/js/WebAssemblyModuleConstructor.cpp:
1762         (JSC::webAssemblyModuleCustomSections):
1763         (JSC::WebAssemblyModuleConstructor::finishCreation):
1764         * wasm/js/WebAssemblyPrototype.cpp: Removed.
1765         * wasm/js/WebAssemblyPrototype.h: Removed.
1766         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1767         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
1768         * wasm/js/WebAssemblyTableConstructor.cpp:
1769         (JSC::constructJSWebAssemblyTable):
1770         (JSC::WebAssemblyTableConstructor::finishCreation):
1771         * wasm/js/WebAssemblyTablePrototype.cpp:
1772
1773 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1774
1775         Unreviewed, rolling out r247440.
1776
1777         Broke builds
1778
1779         Reverted changeset:
1780
1781         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1782         issues"
1783         https://bugs.webkit.org/show_bug.cgi?id=199783
1784         https://trac.webkit.org/changeset/247440
1785
1786 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1787
1788         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1789         https://bugs.webkit.org/show_bug.cgi?id=199783
1790
1791         Reviewed by Mark Lam.
1792
1793         This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score.
1794         I picked trivial ones in this patch to make this easily reviewable.
1795
1796         1. Remove WebAssemblyPrototype. It does not exist in the spec. Merge WebAssemblyPrototype into JSWebAssembly.
1797         2. Fix various attributes. They do not match the usual JSC builtins' convention. But this change
1798            is correct because they are changed to match the WebIDL definitions, and the WebAssembly implementation
1799            follows WebIDL. In the future, we could move WebCore WebIDL things into the WTF layer and even use (or leverage
1800            some of the utility functions) in our WebAssembly JS API implementation.
1801         3. Fix how we interpret "present" in the WebAssembly spec. This does not mean the [[HasProperty]] result. It follows the
1802            WebIDL spec, and it means that the [[Get]] result is not undefined.
1803         4. Add an argument count check to Module.customSections, which is required because the method is defined in WebIDL.
1804         5. Fix toNonWrappingUint32 to match WebIDL's conversion rule.
1805
1806         * CMakeLists.txt:
1807         * DerivedSources-input.xcfilelist:
1808         * DerivedSources-output.xcfilelist:
1809         * DerivedSources.make:
1810         * JavaScriptCore.xcodeproj/project.pbxproj:
1811         * Sources.txt:
1812         * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js.
1813         * jit/Repatch.cpp:
1814         * runtime/JSGlobalObject.cpp:
1815         (JSC::JSGlobalObject::init):
1816         * runtime/JSModuleLoader.cpp:
1817         (JSC::moduleLoaderParseModule):
1818         * wasm/js/JSWebAssembly.cpp:
1819         (JSC::JSWebAssembly::create):
1820         (JSC::JSWebAssembly::finishCreation):
1821         (JSC::reject):
1822         (JSC::webAssemblyModuleValidateAsyncInternal):
1823         (JSC::webAssemblyCompileFunc):
1824         (JSC::resolve):
1825         (JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
1826         (JSC::instantiate):
1827         (JSC::compileAndInstantiate):
1828         (JSC::JSWebAssembly::instantiate):
1829         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1830         (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
1831         (JSC::webAssemblyInstantiateFunc):
1832         (JSC::webAssemblyValidateFunc):
1833         (JSC::webAssemblyCompileStreamingInternal):
1834         (JSC::webAssemblyInstantiateStreamingInternal):
1835         * wasm/js/JSWebAssembly.h:
1836         * wasm/js/JSWebAssemblyHelpers.h:
1837         (JSC::toNonWrappingUint32):
1838         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1839         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
1840         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1841         (JSC::WebAssemblyInstanceConstructor::finishCreation):
1842         * wasm/js/WebAssemblyInstancePrototype.cpp:
1843         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1844         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
1845         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1846         (JSC::constructJSWebAssemblyMemory):
1847         (JSC::WebAssemblyMemoryConstructor::finishCreation):
1848         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1849         * wasm/js/WebAssemblyModuleConstructor.cpp:
1850         (JSC::webAssemblyModuleCustomSections):
1851         (JSC::WebAssemblyModuleConstructor::finishCreation):
1852         * wasm/js/WebAssemblyPrototype.cpp: Removed.
1853         * wasm/js/WebAssemblyPrototype.h: Removed.
1854         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1855         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
1856         * wasm/js/WebAssemblyTableConstructor.cpp:
1857         (JSC::constructJSWebAssemblyTable):
1858         (JSC::WebAssemblyTableConstructor::finishCreation):
1859         * wasm/js/WebAssemblyTablePrototype.cpp:
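
The wasm WPT entry above (the same change appears twice on this page, once as landed and once as relanded) makes two WebIDL points that are easy to get wrong in any binding layer: "present" means the [[Get]] result is not undefined rather than [[HasProperty]], and toNonWrappingUint32 must follow WebIDL's conversion rule. The following is an added example, not JSC code: an independent re-implementation of WebIDL's [EnforceRange] unsigned long conversion, named after the JSC helper, plus a descriptor reader that assumes the {initial, maximum} shape of a MemoryDescriptor and leaves out engine-specific page-count limits.

```javascript
// Added example, not JSC code: reading a WebAssembly.Memory descriptor under
// WebIDL rules. toNonWrappingUint32 is an independent re-implementation of
// WebIDL's [EnforceRange] unsigned long conversion (named after the JSC helper);
// readMemoryDescriptor assumes the {initial, maximum} shape of MemoryDescriptor
// and omits engine-specific page-count limits.
function toNonWrappingUint32(value, name) {
  const x = Number(value);                      // ToNumber (throws for Symbol/BigInt)
  if (!Number.isFinite(x))                      // NaN, +Infinity, -Infinity
    throw new TypeError(`${name} must be a finite number`);
  const n = Math.trunc(x);                      // round toward zero
  if (n < 0 || n > 0xFFFFFFFF)                  // no wrapping: reject out-of-range values
    throw new TypeError(`${name} must be in [0, 2^32 - 1]`);
  return n + 0;                                 // turn -0 into +0
}

function readMemoryDescriptor(descriptor) {
  // WebIDL dictionary conversion: undefined/null act as {}, other non-objects throw.
  if (descriptor === undefined || descriptor === null) descriptor = {};
  if (typeof descriptor !== 'object' && typeof descriptor !== 'function')
    throw new TypeError('descriptor must be an object');

  // "present" means the [[Get]] result is not undefined. A key that exists with
  // the value undefined ({ maximum: undefined }) is therefore absent, while an
  // inherited or getter-provided value is present.
  const initialValue = descriptor.initial;
  if (initialValue === undefined) throw new TypeError('initial is required');
  const initial = toNonWrappingUint32(initialValue, 'initial');

  const maximumValue = descriptor.maximum;
  const maximum = maximumValue === undefined
    ? undefined
    : toNonWrappingUint32(maximumValue, 'maximum');
  if (maximum !== undefined && maximum < initial)
    throw new RangeError('maximum must not be less than initial');
  return { initial, maximum };
}
```

The two rules interact: a check written as `'maximum' in descriptor` would treat `{ initial: 1, maximum: undefined }` as carrying a maximum and then fail converting undefined, whereas the [[Get]]-based reading above accepts it as "no maximum", which is what the WPT tests expect.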
1860
1861 2019-07-15  Youenn Fablet  <youenn@apple.com>
1862
1863         Enable a debug WebRTC mode without any encryption
1864         https://bugs.webkit.org/show_bug.cgi?id=199177
1865         <rdar://problem/52074986>
1866
1867         Reviewed by Eric Carlson.
1868
1869         * inspector/protocol/Page.json:
1870
1871 2019-07-15  Ryan Haddad  <ryanhaddad@apple.com>
1872
1873         Unreviewed, attempt to fix production builds after r247403.
1874
1875         * JavaScriptCore.xcodeproj/project.pbxproj:
1876
1877 2019-07-15  Tadeu Zagallo  <tzagallo@apple.com>
1878
1879         Concurrent GC should not rely on current phase to determine if it's safe to steal conn
1880         https://bugs.webkit.org/show_bug.cgi?id=199786
1881         <rdar://problem/52505197>
1882
1883         Reviewed by Saam Barati.
1884
1885         In r246507, we fixed a race condition in the concurrent GC where the mutator might steal
1886         the conn from the collector thread while it transitions from the End phase to NotRunning.
1887         However, that fix was not sufficient. In the case that the mutator steals the conn, and the
1888         execution interleaves long enough for the mutator to progress to a different collection phase,
1889         the collector will resume in a phase other than NotRunning, and hence the check added to
1890         NotRunning will not suffice. To fix that, we add a new variable to track whether the collector
1891         thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to
1892         steal the conn, rather than relying on m_currentPhase.
1893
1894         * heap/Heap.cpp:
1895         (JSC::Heap::runNotRunningPhase):
1896         (JSC::Heap::requestCollection):
1897         * heap/Heap.h:
1898
1899 2019-07-12  Keith Miller  <keith_miller@apple.com>
1900
1901         Add API to get all the dependencies of a given JSScript
1902         https://bugs.webkit.org/show_bug.cgi?id=199746
1903
1904         Reviewed by Saam Barati.
1905
1906         The method only returns the dependencies if the module was
1907         actually evaluated. Technically, we know what the dependencies are
1908         at the satisfy phase but for API simplicity we only provide that
1909         information if the module graph was complete enough to at least
1910         run.
1911
1912         This patch also fixes an issue where we would allow import
1913         specifiers that didn't start with "./" or "/". For reference, we have
1914         this restriction to be consistent with the web/node. The
1915         restriction exists in order to preserve namespace for
1916         builtin-modules.
1917
1918         Lastly, this patch makes it so that we copy all scripts in the
1919         API/tests/testapiScripts directory so they don't have to be
1920         individually added to the xcode project.
1921
1922         * API/JSAPIGlobalObject.mm:
1923         (JSC::computeValidImportSpecifier):
1924         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
1925         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1926         * API/JSContext.mm:
1927         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
1928         * API/JSContextPrivate.h:
1929         * API/JSScript.h:
1930         * API/tests/testapi.mm:
1931         (testFetchWithTwoCycle):
1932         (testFetchWithThreeCycle):
1933         (testModuleBytecodeCache):
1934         (+[JSContextFileLoaderDelegate newContext]):
1935         (-[JSContextFileLoaderDelegate fetchModuleScript:]):
1936         (-[JSContextFileLoaderDelegate findScriptForKey:]):
1937         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
1938         (testDependenciesArray):
1939         (testDependenciesEvaluationError):
1940         (testDependenciesSyntaxError):
1941         (testDependenciesBadImportId):
1942         (testDependenciesMissingImport):
1943         (testObjectiveCAPI):
1944         * API/tests/testapiScripts/dependencyListTests/badModuleImportId.js: Added.
1945         * API/tests/testapiScripts/dependencyListTests/bar.js: Added.
1946         * API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js: Added.
1947         * API/tests/testapiScripts/dependencyListTests/foo.js: Added.
1948         * API/tests/testapiScripts/dependencyListTests/missingImport.js: Added.
1949         * API/tests/testapiScripts/dependencyListTests/referenceError.js: Added.
1950         * API/tests/testapiScripts/dependencyListTests/syntaxError.js: Added.
1951         * API/tests/testapiScripts/testapi-function-overrides.js: Renamed from Source/JavaScriptCore/API/tests/testapi-function-overrides.js.
1952         * API/tests/testapiScripts/testapi.js: Renamed from Source/JavaScriptCore/API/tests/testapi.js.
1953         * JavaScriptCore.xcodeproj/project.pbxproj:
1954         * builtins/ModuleLoader.js:
1955         (dependencyKeysIfEvaluated):
1956         * runtime/JSModuleLoader.cpp:
1957         (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
1958         * runtime/JSModuleLoader.h:
1959         * shell/CMakeLists.txt:
1960
1961 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1962
1963         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1964         https://bugs.webkit.org/show_bug.cgi?id=196371
1965
1966         Reviewed by Keith Miller.
1967
1968         Adding these strength reductions gives a 2x (x86) and 3x (arm64) performance improvement
1969         on the microbenchmark.
1970
1971         * b3/B3ReduceStrength.cpp:
1972         * b3/testb3.cpp:
1973         (JSC::B3::testSubSub):
1974         (JSC::B3::testSubSub2):
1975         (JSC::B3::testSubAdd):
1976         (JSC::B3::testSubFirstNeg):
1977         (JSC::B3::run):
1978
1979 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1980
1981         [BigInt] Add ValueBitLShift into DFG
1982         https://bugs.webkit.org/show_bug.cgi?id=192664
1983
1984         Reviewed by Saam Barati.
1985
1986         This patch is splitting the `BitLShift` into `ArithBitLShift` and
1987         `ValueBitLShift` to handle BigInt speculation more efficiently during
1988         DFG and FTL layers. Following the same approach of other `ValueBitOps`,
1989         `ValueBitLShift` handles Untyped and BigInt speculations, while
1990         `ArithBitLShift` handles number and boolean operands and always results in
1991         Int32.
1992
1993         * bytecode/BytecodeList.rb:
1994         * bytecode/CodeBlock.cpp:
1995         (JSC::CodeBlock::finishCreation):
1996         * bytecode/Opcode.h:
1997         * dfg/DFGAbstractInterpreter.h:
1998         * dfg/DFGAbstractInterpreterInlines.h:
1999         (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
2000         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2001
2002         We moved `BitLShift` constant folding rules to a new method
2003         `handleConstantBinaryBitwiseOp` to be reused by `ArithBitLShift` and
2004         `ValueBitLShift`. This also enables support for constant folding on other
2005         bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor`, when
2006         their binary use kind is UntypedUse. Such cases can happen on those
2007         nodes because the fixup phase is conservative.
2008
2009         * dfg/DFGBackwardsPropagationPhase.cpp:
2010         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2011         (JSC::DFG::BackwardsPropagationPhase::propagate):
2012         * dfg/DFGByteCodeParser.cpp:
2013         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
2014         (JSC::DFG::ByteCodeParser::parseBlock):
2015
2016         We parse `op_lshift` as `ArithBitLShift` when its operands are numbers.
2017         Otherwise, we fall back to `ValueBitLShift` and rely on the fixup phase to
2018         convert `ValueBitLShift` into `ArithBitLShift` when possible.
2019
2020         * dfg/DFGClobberize.h:
2021         (JSC::DFG::clobberize):
2022
2023         `ArithBitLShift` has the same clobberize rules as the former `BitLShift`.
2024         `ValueBitLShift` only clobberizes the world when it is UntypedUse.
2025
2026         * dfg/DFGDoesGC.cpp:
2027         (JSC::DFG::doesGC):
2028
2029         `ValueBitLShift` can GC when `BigIntUse` because it allocates new
2030         JSBigInts to perform this operation. It also can GC on UntypedUse
2031         because of observable user code.
2032
2033         * dfg/DFGFixupPhase.cpp:
2034         (JSC::DFG::FixupPhase::fixupNode):
2035
2036         `ValueBitLShift` and `ArithBitLShift` have the same fixup rules as
2037         other binary bitwise operations. In the case of `ValueBitLShift`,
2038         we check if we should speculate on BigInt or Untyped and fall back to
2039         `ArithBitLShift` when both checks fail.
2040
2041         * dfg/DFGNode.h:
2042         (JSC::DFG::Node::hasHeapPrediction):
2043         * dfg/DFGNodeType.h:
2044         * dfg/DFGOperations.cpp:
2045
2046         We updated `operationValueBitLShift` to handle BigInt cases. Also, we
2047         added `operationBitLShiftBigInt`, which is used when we compile
2048         `ValueBitLShift(BigIntUse)`.
2049
2050         * dfg/DFGOperations.h:
2051         * dfg/DFGPredictionPropagationPhase.cpp:
2052
2053         `ValueBitLShift`'s prediction propagation rules differ from other
2054         bitwise operations, because using only heap prediction for this node causes
2055         a significant performance regression on Octane's zlib and mandreel.
2056         The reason is cases where a function is compiled but the
2057         instruction `op_lshift` was never executed before. If we use
2058         `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR exits
2059         than desired. To solve this issue, we are then using
2060         `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()`
2061         only in cases where we can't rely on the node's input types.
2062
2063         * dfg/DFGSafeToExecute.h:
2064         (JSC::DFG::safeToExecute):
2065         * dfg/DFGSpeculativeJIT.cpp:
2066         (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
2067         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2068         * dfg/DFGSpeculativeJIT.h:
2069         (JSC::DFG::SpeculativeJIT::shiftOp):
2070         * dfg/DFGSpeculativeJIT32_64.cpp:
2071         (JSC::DFG::SpeculativeJIT::compile):
2072         * dfg/DFGSpeculativeJIT64.cpp:
2073         (JSC::DFG::SpeculativeJIT::compile):
2074         * dfg/DFGStrengthReductionPhase.cpp:
2075         (JSC::DFG::StrengthReductionPhase::handleNode):
2076         * ftl/FTLCapabilities.cpp:
2077         (JSC::FTL::canCompile):
2078         * ftl/FTLLowerDFGToB3.cpp:
2079         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2080         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift):
2081         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
2082         (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted.
2083         * llint/LowLevelInterpreter32_64.asm:
2084         * llint/LowLevelInterpreter64.asm:
2085         * runtime/CommonSlowPaths.cpp:
2086         (JSC::SLOW_PATH_DECL):
2087
2088 2019-07-12  Keith Miller  <keith_miller@apple.com>
2089
2090         getIndexQuickly should be const
2091         https://bugs.webkit.org/show_bug.cgi?id=199747
2092
2093         Reviewed by Yusuke Suzuki.
2094
2095         * runtime/Butterfly.h:
2096         (JSC::Butterfly::indexingPayload const):
2097         (JSC::Butterfly::arrayStorage const):
2098         (JSC::Butterfly::contiguousInt32 const):
2099         (JSC::Butterfly::contiguousDouble const):
2100         (JSC::Butterfly::contiguous const):
2101         * runtime/JSObject.h:
2102         (JSC::JSObject::canGetIndexQuickly const):
2103         (JSC::JSObject::getIndexQuickly const):
2104         (JSC::JSObject::tryGetIndexQuickly const):
2105         (JSC::JSObject::canGetIndexQuickly): Deleted.
2106         (JSC::JSObject::getIndexQuickly): Deleted.
2107
2108 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2109
2110         Add b3 macro lowering for CheckMul on arm64
2111         https://bugs.webkit.org/show_bug.cgi?id=199251
2112
2113         Reviewed by Robin Morisset.
2114
2115         - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check.
2116         - Add a new opcode to air on arm64 for smull (multiplySignExtend32).
2117         - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). 
2118         - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, 
2119           and no change on the no-constant benchmark.
2120         Also, skip some of the b3 tests that were failing before this patch so that the new tests can run
2121         to completion.
2122
2123         * assembler/MacroAssemblerARM64.h:
2124         (JSC::MacroAssemblerARM64::multiplySignExtend32):
2125         * assembler/testmasm.cpp:
2126         (JSC::testMul32SignExtend):
2127         (JSC::run):
2128         * b3/B3LowerMacros.cpp:
2129         * b3/B3LowerToAir.cpp:
2130         * b3/air/AirOpcode.opcodes:
2131         * b3/testb3.cpp:
2132         (JSC::B3::testMulArgs32SignExtend):
2133         (JSC::B3::testMulImm32SignExtend):
2134         (JSC::B3::testMemoryFence):
2135         (JSC::B3::testStoreFence):
2136         (JSC::B3::testLoadFence):
2137         (JSC::B3::testPinRegisters):
2138         (JSC::B3::run):
2139
2140 2019-07-11  Yusuke Suzuki  <ysuzuki@apple.com>
2141
2142         Unreviewed, revert r243617.
2143         https://bugs.webkit.org/show_bug.cgi?id=196341
2144
2145         Mark pointed out that JSVirtualMachine can be gone in the other thread while we are executing GC constraint-solving.
2146         This patch does not account for the fact that JavaScriptCore.framework is multithread-safe: the JSVirtualMachine wrapper can be destroyed,
2147         and [JSVirtualMachine dealloc] can be executed in any thread while the VM is retained and used in another thread (e.g.
2148         destroyed from an AutoReleasePool in some thread).
2149
2150         * API/JSContext.mm:
2151         (-[JSContext initWithVirtualMachine:]):
2152         (-[JSContext dealloc]):
2153         (-[JSContext initWithGlobalContextRef:]):
2154         (-[JSContext wrapperMap]):
2155         (+[JSContext contextWithJSGlobalContextRef:]):
2156         * API/JSVirtualMachine.mm:
2157         (initWrapperCache):
2158         (wrapperCache):
2159         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2160         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2161         (-[JSVirtualMachine initWithContextGroupRef:]):
2162         (-[JSVirtualMachine dealloc]):
2163         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2164         (-[JSVirtualMachine contextForGlobalContextRef:]):
2165         (-[JSVirtualMachine addContext:forGlobalContextRef:]):
2166         (scanExternalObjectGraph):
2167         (scanExternalRememberedSet):
2168         * API/JSVirtualMachineInternal.h:
2169         * runtime/JSGlobalObject.h:
2170         (JSC::JSGlobalObject::setWrapperMap):
2171         (JSC::JSGlobalObject::setAPIWrapper): Deleted.
2172         (JSC::JSGlobalObject::apiWrapper const): Deleted.
2173         * runtime/VM.h:
2174
2175 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2176
2177         Optimize join of large empty arrays
2178         https://bugs.webkit.org/show_bug.cgi?id=199636
2179
2180         Reviewed by Mark Lam.
2181
2182         Replicate the behavior of `str.repeat(count)` when performing `new Array(count + 1).join(str)`.
2183         I added two new microbenchmarks:
2184         - large-empty-array-join, which does not use the result of the join and runs ~44x faster and uses ~18x less memory.
2185         - large-empty-array-join-resolve-rope, which uses the result of the join and runs 2x faster.
2186
2187                                                     baseline                    diff
2188         large-empty-array-join                2713.9698+-72.7621    ^     61.2335+-10.4836       ^ definitely 44.3217x faster
2189         large-empty-array-join-resolve-string   26.5517+-0.3995     ^     12.9309+-0.5516        ^ definitely 2.0533x faster
2190
2191         large-empty-array-join memory usage with baseline (dirty):
2192             733012 kB current_mem
2193             756824 kB lifetime_peak
2194
2195         large-empty-array-join memory usage with diff (dirty):
2196             41904 kB current_mem
2197             41972 kB lifetime_peak
2198
2199         Additionally, I ran JetStream2, sunspider and v8-spider and all were neutral.
2200
2201         * runtime/ArrayPrototype.cpp:
2202         (JSC::fastJoin):
2203
2204 2019-07-08  Keith Miller  <keith_miller@apple.com>
2205
2206         Enable Intl.PluralRules and Intl.NumberFormatToParts by default
2207         https://bugs.webkit.org/show_bug.cgi?id=199288
2208
2209         Reviewed by Yusuke Suzuki.
2210
2211         These features have been around for a while. We should turn them on by default.
2212
2213         * runtime/IntlNumberFormatPrototype.cpp:
2214         (JSC::IntlNumberFormatPrototype::finishCreation):
2215         * runtime/IntlObject.cpp:
2216         (JSC::IntlObject::finishCreation): Deleted.
2217         * runtime/IntlObject.h:
2218         * runtime/Options.h:
2219
2220 2019-07-08  Antoine Quint  <graouts@apple.com>
2221
2222         [Pointer Events] Enable only on the most recent version of the supported iOS family
2223         https://bugs.webkit.org/show_bug.cgi?id=199562
2224         <rdar://problem/52766511>
2225
2226         Reviewed by Dean Jackson.
2227
2228         * Configurations/FeatureDefines.xcconfig:
2229
2230 2019-07-06  Michael Saboff  <msaboff@apple.com>
2231
2232         switch(String) needs to check for exceptions when resolving the string
2233         https://bugs.webkit.org/show_bug.cgi?id=199541
2234
2235         Reviewed by Mark Lam.
2236
2237         Added exception checks for resolved Strings in switch processing for all tiers.
2238
2239         * dfg/DFGOperations.cpp:
2240         * jit/JITOperations.cpp:
2241         * llint/LLIntSlowPaths.cpp:
2242         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2243
2244 2019-07-05  Mark Lam  <mark.lam@apple.com>
2245
2246         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex past zero.
2247         https://bugs.webkit.org/show_bug.cgi?id=199533
2248         <rdar://problem/52669111>
2249
2250         Reviewed by Filip Pizlo.
2251
2252         * dfg/DFGArgumentsEliminationPhase.cpp:
2253
2254 2019-07-05  Yusuke Suzuki  <ysuzuki@apple.com>
2255
2256         Unreviewed, fix build failure on ARM64_32
2257         https://bugs.webkit.org/show_bug.cgi?id=182434
2258
2259         Implicit narrowing from uint64_t to uint32_t happens. We should explicitly narrow it because we have already checked
2260         that `length` is <= UINT32_MAX.
2261
2262         * runtime/ArrayPrototype.cpp:
2263         (JSC::arrayProtoFuncSpeciesCreate):
2264
2265 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2266
2267         [JSC] Clean up ArraySpeciesCreate
2268         https://bugs.webkit.org/show_bug.cgi?id=182434
2269
2270         Reviewed by Yusuke Suzuki.
2271
2272         We have duplicate code in arraySpeciesCreate, filter, map, concatSlowPath of ArrayPrototype.js
2273         and speciesConstructArray of ArrayPrototype.cpp. This patch fixes cross-realm Array constructor
2274         detection in native speciesConstructArray, upgrades the `length` type to correctly handle large integers,
2275         and exposes it as @arraySpeciesCreate. It also removes the now-unused @isArrayConstructor private function.
2276         Native speciesConstructArray is preferred because it has a fast path via speciesWatchpointIsValid.
2277
2278         Thoroughly benchmarked: this change progresses ARES-6 by 0-1%.
2279
2280         * builtins/ArrayPrototype.js:
2281         (filter):
2282         (map):
2283         (globalPrivate.concatSlowPath):
2284         (globalPrivate.arraySpeciesCreate): Deleted.
2285         * builtins/BuiltinNames.h:
2286         * runtime/ArrayConstructor.cpp:
2287         (JSC::arrayConstructorPrivateFuncIsArrayConstructor): Deleted.
2288         * runtime/ArrayConstructor.h:
2289         * runtime/ArrayPrototype.cpp:
2290         (JSC::arrayProtoFuncSpeciesCreate):
2291         * runtime/ArrayPrototype.h:
2292         * runtime/JSGlobalObject.cpp:
2293         (JSC::JSGlobalObject::init):
2294
2295 2019-07-05  Tadeu Zagallo  <tzagallo@apple.com>
2296
2297         Unreviewed, change the value used to scribble Heap::m_worldState
2298         https://bugs.webkit.org/show_bug.cgi?id=199498
2299
2300         Follow-up after r247160. The value used to scribble should have the
2301         conn bit set.
2302
2303         * heap/Heap.cpp:
2304         (JSC::Heap::~Heap):
2305
2306 2019-07-05  Ryan Haddad  <ryanhaddad@apple.com>
2307
2308         Unreviewed, rolling out r247115.
2309
2310         Breaks lldbWebKitTester (and by extension, test-webkitpy)
2311
2312         Reverted changeset:
2313
2314         "[WHLSL] Standard library is too big to directly include in
2315         WebCore"
2316         https://bugs.webkit.org/show_bug.cgi?id=198186
2317         https://trac.webkit.org/changeset/247115
2318
2319 2019-07-05  Tadeu Zagallo  <tzagallo@apple.com>
2320
2321         Scribble Heap::m_worldState on destructor
2322         https://bugs.webkit.org/show_bug.cgi?id=199498
2323
2324         Reviewed by Sam Weinig.
2325
2326         The worldState is dumped when we crash due to a failed checkConn, and
2327         this will make it clear if the heap has already been destroyed.
2328
2329         * heap/Heap.cpp:
2330         (JSC::Heap::~Heap):
2331
2332 2019-07-03  Sam Weinig  <weinig@apple.com>
2333
2334         Adopt simple structured bindings in more places
2335         https://bugs.webkit.org/show_bug.cgi?id=199247
2336
2337         Reviewed by Alex Christensen.
2338
2339         Replaces simple uses of std::tie() with structured bindings. Does not touch
2340         uses of std::tie() that are not initial declarations, use std::ignore or in
2341         case where the binding is captured by a lambda, as structured bindings don't
2342         work for those cases yet.
2343
2344         * runtime/PromiseDeferredTimer.cpp:
2345         (JSC::PromiseDeferredTimer::doWork):
2346         * wasm/WasmFaultSignalHandler.cpp:
2347         (JSC::Wasm::trapHandler):
2348         * wasm/js/JSWebAssemblyHelpers.h:
2349         (JSC::createSourceBufferFromValue):
2350         * wasm/js/WebAssemblyPrototype.cpp:
2351         (JSC::webAssemblyValidateFunc):
2352
2353 2019-07-03  Keith Miller  <keith_miller@apple.com>
2354
2355         PACCage should first cage leaving PAC bits intact then authenticate
2356         https://bugs.webkit.org/show_bug.cgi?id=199372
2357
2358         Reviewed by Saam Barati.
2359
2360         This ordering prevents someone from taking a signed pointer from
2361         outside the gigacage and using it in a struct that expects a caged
2362         pointer. Previously, the PACCaging just double checked that the PAC
2363         bits were valid for the original pointer.
2364
2365
2366                +---------------------------+
2367                |       |        |          |
2368                | "PAC" | "base" | "offset" +----+
2369                |       |        |          |    |
2370                +---------------------------+    | Caging
2371                 |                               |
2372                 |                               |
2373                 |                               v
2374                 |                +---------------------------+
2375                 |                |       |        |          |
2376                 | Bit Merge      | 00000 |  base  | "offset" |
2377                 |                |       |        |          |
2378                 |                +---------------------------+
2379                 |                               |
2380                 |                               |
2381                 v                               |  Bit Merge
2382           +---------------------------+         |
2383           |       |        |          |         |
2384           | "PAC" |  base  | "offset" +<--------+
2385           |       |        |          |
2386           +---------------------------+
2387                       |
2388                       |
2389                       | Authenticate
2390                       |
2391                       v
2392           +---------------------------+
2393           |       |        |          |
2394           | Auth  |  base  | "offset" |
2395           |       |        |          |
2396           +---------------------------+
2397
2398         The above ASCII art diagram shows how the PACCage system works. The
2399         key takeaway is that even if someone passes in a valid, signed
2400         pointer outside the cage, it will still fail to authenticate as the
2401         "base" bits will change before authentication.
2402
2403
2404         * assembler/MacroAssemblerARM64E.h:
2405         * assembler/testmasm.cpp:
2406         (JSC::testCagePreservesPACFailureBit):
2407         * ftl/FTLLowerDFGToB3.cpp:
2408         (JSC::FTL::DFG::LowerDFGToB3::caged):
2409         * jit/AssemblyHelpers.h:
2410         (JSC::AssemblyHelpers::cageConditionally):
2411         * llint/LowLevelInterpreter64.asm:
2412
2413 2019-07-03  Paulo Matos  <pmatos@igalia.com>
2414
2415         Refactoring of architectural Register Information
2416         https://bugs.webkit.org/show_bug.cgi?id=198604
2417
2418         Reviewed by Keith Miller.
2419
2420         The goal of this patch is to centralize the register information per platform
2421         but access it in a platform independent way. The patch has been implemented for all
2422         known platforms: ARM64, ARMv7, MIPS, X86 and X86_64. Register information has
2423         been centralized in an architecture per-file: each file is called assembler/<arch>Registers.h.
2424
2425         RegisterInfo.h is used as a forwarding header to choose which register information to load.
2426         assembler/<arch>Assembler.h and jit/RegisterSet.cpp use this information in a platform
2427         independent way.
2428
2429         * CMakeLists.txt:
2430         * JavaScriptCore.xcodeproj/project.pbxproj:
2431         * assembler/ARM64Assembler.h:
2432         (JSC::ARM64Assembler::gprName): Use register names from register info file.
2433         (JSC::ARM64Assembler::sprName): likewise.
2434         (JSC::ARM64Assembler::fprName): likewise.
2435         * assembler/ARM64Registers.h: Added.
2436         * assembler/ARMv7Assembler.h:
2437         (JSC::ARMv7Assembler::gprName): Use register names from register info file.
2438         (JSC::ARMv7Assembler::sprName): likewise.
2439         (JSC::ARMv7Assembler::fprName): likewise.
2440         * assembler/ARMv7Registers.h: Added.
2441         * assembler/MIPSAssembler.h:
2442         (JSC::MIPSAssembler::gprName): Use register names from register info file.
2443         (JSC::MIPSAssembler::sprName): likewise.
2444         (JSC::MIPSAssembler::fprName): likewise.
2445         * assembler/MIPSRegisters.h: Added.
2446         * assembler/RegisterInfo.h: Added.
2447         * assembler/X86Assembler.h:
2448         (JSC::X86Assembler::gprName): Use register names from register info file.
2449         (JSC::X86Assembler::sprName): likewise.
2450         (JSC::X86Assembler::fprName): likewise.
2451         * assembler/X86Registers.h: Added.
2452         * assembler/X86_64Registers.h: Added.
2453         * jit/GPRInfo.h: Fix typo in comment (s/basline/baseline).
2454         * jit/RegisterSet.cpp:
2455         (JSC::RegisterSet::reservedHardwareRegisters): Use register properties from register info file.
2456         (JSC::RegisterSet::calleeSaveRegisters): likewise.
2457
2458 2019-07-02  Michael Saboff  <msaboff@apple.com>
2459
2460         Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code
2461         https://bugs.webkit.org/show_bug.cgi?id=199395
2462
2463         Reviewed by Filip Pizlo.
2464
2465         For destructuring assignments, the assignment might throw a reference error if
2466         the RHS cannot be coerced.  The current bytecode generated for such assignments
2467         optimizes out the TDZ check after the coercible check.
2468
2469         By saving the current state of the TDZ stack before processing the setting of 
2470         target destructured values and then restoring afterwards, we won't optimize out
2471         later TDZ check(s).
2472
2473         A similar change of saving / restoring the TDZ stack where exceptions might
2474         happen was done for for..in loops in change set r232219.
2475
2476         * bytecompiler/NodesCodegen.cpp:
2477         (JSC::ObjectPatternNode::bindValue const):
2478
2479 2019-07-02  Commit Queue  <commit-queue@webkit.org>
2480
2481         Unreviewed, rolling out r247041.
2482         https://bugs.webkit.org/show_bug.cgi?id=199425
2483
2484         broke some iOS arm64e tests (Requested by keith_miller on
2485         #webkit).
2486
2487         Reverted changeset:
2488
2489         "PACCage should first cage leaving PAC bits intact then
2490         authenticate"
2491         https://bugs.webkit.org/show_bug.cgi?id=199372
2492         https://trac.webkit.org/changeset/247041
2493
2494 2019-07-02  Keith Miller  <keith_miller@apple.com>
2495
2496         Frozen Arrays length assignment should throw in strict mode
2497         https://bugs.webkit.org/show_bug.cgi?id=199365
2498
2499         Reviewed by Yusuke Suzuki.
2500
2501         * runtime/JSArray.cpp:
2502         (JSC::JSArray::put):
2503
2504 2019-07-02  Paulo Matos  <pmatos@linki.tools>
2505
2506         Fix typo in if/else block and remove dead assignment
2507         https://bugs.webkit.org/show_bug.cgi?id=199352
2508
2509         Reviewed by Alexey Proskuryakov.
2510
2511         * yarr/YarrPattern.cpp:
2512         (JSC::Yarr::YarrPattern::dumpPattern): Fix typo in if/else block and remove dead assignment
2513
2514 2019-07-02  Keith Miller  <keith_miller@apple.com>
2515
2516         PACCage should first cage leaving PAC bits intact then authenticate
2517         https://bugs.webkit.org/show_bug.cgi?id=199372
2518
2519         Reviewed by Saam Barati.
2520
2521         This ordering prevents someone from taking a signed pointer from
2522         outside the gigacage and using it in a struct that expects a caged
2523         pointer. Previously, the PACCaging just double checked that the PAC
2524         bits were valid for the original pointer.
2525
2526
2527                +---------------------------+
2528                |       |        |          |
2529                | "PAC" | "base" | "offset" +----+
2530                |       |        |          |    |
2531                +---------------------------+    | Caging
2532                 |                               |
2533                 |                               |
2534                 |                               v
2535                 |                +---------------------------+
2536                 |                |       |        |          |
2537                 | Bit Merge      | 00000 |  base  | "offset" |
2538                 |                |       |        |          |
2539                 |                +---------------------------+
2540                 |                               |
2541                 |                               |
2542                 v                               |  Bit Merge
2543           +---------------------------+         |
2544           |       |        |          |         |
2545           | "PAC" |  base  | "offset" +<--------+
2546           |       |        |          |
2547           +---------------------------+
2548                       |
2549                       |
2550                       | Authenticate
2551                       |
2552                       v
2553           +---------------------------+
2554           |       |        |          |
2555           | Auth  |  base  | "offset" |
2556           |       |        |          |
2557           +---------------------------+
2558
2559         The above ASCII art diagram shows how the PACCage system works. The
2560         key takeaway is that even if someone passes in a valid, signed
2561         pointer outside the cage, it will still fail to authenticate as the
2562         "base" bits will change before authentication.
2563
2564
2565         * assembler/MacroAssemblerARM64E.h:
2566         * assembler/testmasm.cpp:
2567         (JSC::testCagePreservesPACFailureBit):
2568         * ftl/FTLLowerDFGToB3.cpp:
2569         (JSC::FTL::DFG::LowerDFGToB3::caged):
2570         * jit/AssemblyHelpers.h:
2571         (JSC::AssemblyHelpers::cageConditionally):
2572         * llint/LowLevelInterpreter64.asm:
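
        As an added example for this PACCage entry and its re-landing further up this log (not WebKit code): a toy C++ model of the two orderings. The pointer layout, the keyed tag function standing in for the hardware PAC (not a real MAC), and the key and cage-base values are all constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// Constructed toy pointer layout (not the real arm64e layout):
// bits 0..31 = "offset", bits 32..47 = "base", bits 48..63 = "PAC".
constexpr uint64_t kOffsetBits = 32;
constexpr uint64_t kBaseBits = 16;
constexpr uint64_t kOffsetMask = (uint64_t(1) << kOffsetBits) - 1;
constexpr uint64_t kBaseMask = ((uint64_t(1) << kBaseBits) - 1) << kOffsetBits;
constexpr uint64_t kPacMask = ~(kOffsetMask | kBaseMask);
constexpr uint64_t kPacShift = kOffsetBits + kBaseBits;

// Stand-in for the hardware PAC: a keyed tag over the base and offset bits.
// Deliberately simple so the example is deterministic; it is NOT a MAC.
// For a fixed offset and key the tag is injective in the base field, so any
// change to the base bits is guaranteed to change the tag.
uint64_t toyPac(uint64_t ptr, uint64_t key)
{
    uint64_t base = (ptr & kBaseMask) >> kOffsetBits;
    uint64_t offset = ptr & kOffsetMask;
    uint64_t tag = (base ^ (offset * 0x9E37ULL) ^ (offset >> 16) ^ key) & 0xFFFFULL;
    return tag << kPacShift;
}

// Sign: replace the PAC field with the tag for the pointer's base/offset bits.
uint64_t pacSign(uint64_t ptr, uint64_t key)
{
    return (ptr & ~kPacMask) | toyPac(ptr, key);
}

// Authenticate: true iff the PAC field matches the tag for the current base/offset bits.
bool pacAuth(uint64_t ptr, uint64_t key)
{
    return (ptr & kPacMask) == toyPac(ptr, key);
}

// Caging: keep the offset, replace the base with the cage base, clear the PAC
// field (the "00000 | base | offset" box in the diagram).
uint64_t cage(uint64_t ptr, uint64_t cageBase)
{
    return (ptr & kOffsetMask) | (cageBase & kBaseMask);
}

// Previous ordering: authenticate the original pointer, then cage it. A validly
// signed pointer from outside the cage passes and is silently relocated into it.
std::optional<uint64_t> authThenCage(uint64_t signedPtr, uint64_t key, uint64_t cageBase)
{
    if (!pacAuth(signedPtr, key))
        return std::nullopt;
    return cage(signedPtr, cageBase);
}

// Ordering from this entry: cage first, merge the original PAC bits back in
// ("PAC | base | offset"), then authenticate. If caging changed the base bits,
// the original PAC no longer matches and authentication fails.
std::optional<uint64_t> cageThenAuth(uint64_t signedPtr, uint64_t key, uint64_t cageBase)
{
    uint64_t merged = cage(signedPtr, cageBase) | (signedPtr & kPacMask);
    if (!pacAuth(merged, key))
        return std::nullopt;
    return merged & ~kPacMask;
}

int main()
{
    // Constructed key and cage base for the demonstration.
    const uint64_t key = 0x5A5AULL;
    const uint64_t cageBase = 0x0000ABCD00000000ULL;
    const uint64_t inside = pacSign(0x0000ABCD00001234ULL, key);  // base already equals the cage base
    const uint64_t outside = pacSign(0x0000111100005678ULL, key); // validly signed, but outside the cage

    auto show = [](const char* label, std::optional<uint64_t> r) {
        if (r)
            std::printf("%-26s ok   -> 0x%016llx\n", label, (unsigned long long)*r);
        else
            std::printf("%-26s auth failure\n", label);
    };
    show("inside, auth-then-cage", authThenCage(inside, key, cageBase));
    show("inside, cage-then-auth", cageThenAuth(inside, key, cageBase));
    show("outside, auth-then-cage", authThenCage(outside, key, cageBase));
    show("outside, cage-then-auth", cageThenAuth(outside, key, cageBase));
    return 0;
}
```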
2573
2574 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2575
2576         [Wasm-References] Disable references by default
2577         https://bugs.webkit.org/show_bug.cgi?id=199390
2578
2579         Reviewed by Saam Barati.
2580
2581         * runtime/Options.h:
2582
2583 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2584
2585         Unreviewed, rolling out r246946.
2586
2587         Caused JSC test crashes on arm64
2588
2589         Reverted changeset:
2590
2591         "Add b3 macro lowering for CheckMul on arm64"
2592         https://bugs.webkit.org/show_bug.cgi?id=199251
2593         https://trac.webkit.org/changeset/246946
2594
2595 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2596
2597         Add b3 macro lowering for CheckMul on arm64
2598         https://bugs.webkit.org/show_bug.cgi?id=199251
2599
2600         Reviewed by Robin Morisset.
2601
2602         - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check.
2603         - Add a new opcode to air on arm64 for smull (multiplySignExtend32).
2604         - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). 
2605         - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, 
2606           and no change on the no-constant benchmark.
2607         Also, skip some of the b3 tests that were failing before this patch so that the new tests can run
2608         to completion.
2609
2610         * assembler/MacroAssemblerARM64.h:
2611         (JSC::MacroAssemblerARM64::multiplySignExtend32):
2612         * assembler/testmasm.cpp:
2613         (JSC::testMul32SignExtend):
2614         (JSC::run):
2615         * b3/B3LowerMacros.cpp:
2616         * b3/B3LowerToAir.cpp:
2617         * b3/air/AirOpcode.opcodes:
2618         * b3/testb3.cpp:
2619         (JSC::B3::testMulArgs32SignExtend):
2620         (JSC::B3::testMulImm32SignExtend):
2621         (JSC::B3::testMemoryFence):
2622         (JSC::B3::testStoreFence):
2623         (JSC::B3::testLoadFence):
2624         (JSC::B3::testPinRegisters):
2625         (JSC::B3::run):
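
        As an added example for this CheckMul entry and its re-landing further up this log (not WebKit code): a C++ model of the lowering, a sign-extending 32x32->64 multiply followed by the overflow check, run over constructed edge-case inputs. The function names mirror the entry but are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// The smull-style multiply the entry adds as an air opcode, modelled in C++:
// sign-extend both 32-bit operands and produce the full 64-bit product. The
// product of two 32-bit values always fits in 64 bits, so this cannot overflow.
int64_t multiplySignExtend32(int32_t a, int32_t b)
{
    return static_cast<int64_t>(a) * static_cast<int64_t>(b);
}

// CheckMul lowering for 32-bit arguments: mul, then overflow check.
// nullopt stands for the "check failed" path that B3 would branch to.
std::optional<int32_t> checkMul32(int32_t a, int32_t b)
{
    int64_t wide = multiplySignExtend32(a, b);
    // The product fits in 32 bits iff sign-extending its low 32 bits reproduces
    // the whole 64-bit value. Looking at the low bits alone would miss cases
    // such as 0x10000 * 0x10000, whose low 32 bits are all zero.
    int32_t low = static_cast<int32_t>(wide);
    if (static_cast<int64_t>(low) != wide)
        return std::nullopt;
    return low;
}

int main()
{
    // Constructed sample inputs covering the boundary cases.
    const int32_t samples[][2] = {
        { 46340, 46340 },     // largest square that still fits in int32
        { 46341, 46341 },     // first square that overflows
        { INT32_MIN, -1 },    // classic two's-complement overflow
        { 0x10000, 0x10000 }, // low 32 bits of the product are zero
        { -7, 6 },
    };
    for (const auto& s : samples) {
        auto r = checkMul32(s[0], s[1]);
        if (r)
            std::printf("%11d * %11d = %d\n", s[0], s[1], *r);
        else
            std::printf("%11d * %11d overflows (64-bit product %lld)\n", s[0], s[1],
                        (long long)multiplySignExtend32(s[0], s[1]));
    }
    return 0;
}
```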
2626
2627 2019-06-28  Konstantin Tokarev  <annulen@yandex.ru>
2628
2629         Remove traces of ENABLE_ICONDATABASE remaining after its removal in 219733
2630         https://bugs.webkit.org/show_bug.cgi?id=199317
2631
2632         Reviewed by Michael Catanzaro.
2633
2634         While IconDatabase and all code using it were removed,
2635         ENABLE_ICONDATABASE still exists as a build option and a C++ macro.
2636
2637         * Configurations/FeatureDefines.xcconfig:
2638
2639 2019-06-27  Mark Lam  <mark.lam@apple.com>
2640
2641         FTL keepAlive()'s patchpoint should also declare that it reads HeapRange::top().
2642         https://bugs.webkit.org/show_bug.cgi?id=199291
2643
2644         Reviewed by Yusuke Suzuki and Filip Pizlo.
2645
2646         The sole purpose of keepAlive() is to communicate to B3 that an LValue
2647         needs to be kept alive past the last opportunity for a GC.  The only way
2648         we can get a GC is via a function call.  Hence, what keepAlive() really
2649         needs to communicate is that the LValue needs to be kept alive past the
2650         last function call.  Function calls read and write HeapRange::top().
2651         Currently, B3 does not shuffle writes.  Hence, simply inserting the
2652         keepAlive() after the calls that can GC is sufficient.
2653
2654         But to be strictly correct, keepAlive() should also declare that it reads
2655         HeapRange::top().  This will guarantee that the keepAlive patchpoint won't
2656         ever be moved before the function call should B3 gain the ability to shuffle
2657         writes in the future.
2658
2659         * ftl/FTLLowerDFGToB3.cpp:
2660         (JSC::FTL::DFG::LowerDFGToB3::keepAlive):
2661
2662 2019-06-27  Beth Dakin  <bdakin@apple.com>
2663
2664         Upstream use of MACCATALYST
2665         https://bugs.webkit.org/show_bug.cgi?id=199245
2666         rdar://problem/51687723
2667
2668         Reviewed by Tim Horton.
2669
2670         * Configurations/Base.xcconfig:
2671         * Configurations/FeatureDefines.xcconfig:
2672         * Configurations/JavaScriptCore.xcconfig:
2673         * Configurations/SDKVariant.xcconfig:
2674
2675 2019-06-27  Saam Barati  <sbarati@apple.com>
2676
2677         Make WEBGPU enabled only on Mojave and later.
2678
2679         Rubber-stamped by Myles C. Maxfield.
2680
2681         * Configurations/FeatureDefines.xcconfig:
2682
2683 2019-06-27  Don Olmstead  <don.olmstead@sony.com>
2684
2685         [FTW] Build JavaScriptCore
2686         https://bugs.webkit.org/show_bug.cgi?id=199254
2687
2688         Reviewed by Brent Fulgham.
2689
2690         * PlatformFTW.cmake: Added.
2691
2692 2019-06-27  Konstantin Tokarev  <annulen@yandex.ru>
2693
2694         Use JSC_GLIB_API_ENABLED instead of USE(GLIB) as a compile-time check for GLib JSC API
2695         https://bugs.webkit.org/show_bug.cgi?id=199270
2696
2697         Reviewed by Michael Catanzaro.
2698
2699         This change allows building code with USE(GLIB) enabled but without the
2700         GLib JSC API.
2701
2702         * heap/Heap.cpp:
2703         (JSC::Heap::releaseDelayedReleasedObjects):
2704         * heap/Heap.h:
2705         * heap/HeapInlines.h:
2706
2707 2019-06-27  Devin Rousso  <drousso@apple.com>
2708
2709         Web Inspector: throw an error if console.count/console.countReset is called with an object that throws an error from toString
2710         https://bugs.webkit.org/show_bug.cgi?id=199252
2711
2712         Reviewed by Joseph Pecoraro.
2713
2714         Parse the arguments passed to `console.count` and `console.countReset` before sending them to
2715         the `ConsoleClient` so that an error can be thrown if the first argument doesn't `toString`
2716         nicely (e.g. without throwing an error).
2717
2718         Generate call stacks for `console.countReset` to match other `console` methods. Also do this
2719         for `console.time`, `console.timeLog`, and `console.timeEnd`. Limit the call stack to only
2720         have the top frame, so no unnecessary/extra data is sent to the frontend (right now, only
2721         the call location is displayed).
2722
2723         Rename `title` to `label` for `console.time`, `console.timeLog`, and `console.timeEnd` to
2724         better match the spec.
2725
2726         * runtime/ConsoleClient.h:
2727         * runtime/ConsoleObject.cpp:
2728         (JSC::valueOrDefaultLabelString):
2729         (JSC::consoleProtoFuncCount):
2730         (JSC::consoleProtoFuncCountReset):
2731         (JSC::consoleProtoFuncTime):
2732         (JSC::consoleProtoFuncTimeLog):
2733         (JSC::consoleProtoFuncTimeEnd):
2734
2735         * inspector/JSGlobalObjectConsoleClient.h:
2736         * inspector/JSGlobalObjectConsoleClient.cpp:
2737         (Inspector::JSGlobalObjectConsoleClient::count):
2738         (Inspector::JSGlobalObjectConsoleClient::countReset):
2739         (Inspector::JSGlobalObjectConsoleClient::time):
2740         (Inspector::JSGlobalObjectConsoleClient::timeLog):
2741         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
2742
2743         * inspector/agents/InspectorConsoleAgent.h:
2744         * inspector/agents/InspectorConsoleAgent.cpp:
2745         (Inspector::InspectorConsoleAgent::startTiming):
2746         (Inspector::InspectorConsoleAgent::logTiming):
2747         (Inspector::InspectorConsoleAgent::stopTiming):
2748         (Inspector::InspectorConsoleAgent::count):
2749         (Inspector::InspectorConsoleAgent::countReset):
2750         (Inspector::InspectorConsoleAgent::getCounterLabel): Deleted.
2751
2752         * inspector/ConsoleMessage.h:
2753         * inspector/ConsoleMessage.cpp:
2754         (Inspector::ConsoleMessage::ConsoleMessage):
2755         Allow `ConsoleMessage`s to be created with both `ScriptArguments` and a `ScriptCallStack`.
2756
2757 2019-06-27  Fujii Hironori  <Hironori.Fujii@sony.com>
2758
2759         [CMake] Bump cmake_minimum_required version to 3.10
2760         https://bugs.webkit.org/show_bug.cgi?id=199181
2761
2762         Reviewed by Don Olmstead.
2763
2764         * CMakeLists.txt:
2765
2766 2019-06-26  Basuke Suzuki  <Basuke.Suzuki@sony.com>
2767
2768         [RemoteInspector] Add address argument to listen for RemoteInspectorServer Socket implementation.
2769         https://bugs.webkit.org/show_bug.cgi?id=199035
2770
2771         Reviewed by Ross Kirsling.
2772
2773         Added new argument `address` to start listening. 
2774
2775         * inspector/remote/socket/RemoteInspectorServer.cpp:
2776         (Inspector::RemoteInspectorServer::start):
2777         * inspector/remote/socket/RemoteInspectorServer.h:
2778         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
2779         (Inspector::Socket::listen):
2780         * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:
2781         (Inspector::Socket::listen):
2782
2783 2019-06-26  Keith Miller  <keith_miller@apple.com>
2784
2785         speciesConstruct needs to throw if the result is a DataView
2786         https://bugs.webkit.org/show_bug.cgi?id=199231
2787
2788         Reviewed by Mark Lam.
2789
2790         Previously, we only checked that the result was a
2791         JSArrayBufferView, which can include DataViews. This is incorrect
2792         as the result should only be a TypedArray.
2793
2794         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2795         (JSC::speciesConstruct):
2796
2797 2019-06-26  Joseph Pecoraro  <pecoraro@apple.com>
2798
2799         Web Inspector: Implement console.countReset
2800         https://bugs.webkit.org/show_bug.cgi?id=199200
2801
2802         Reviewed by Devin Rousso.
2803
2804         * inspector/JSGlobalObjectConsoleClient.cpp:
2805         (Inspector::JSGlobalObjectConsoleClient::countReset):
2806         * inspector/JSGlobalObjectConsoleClient.h:
2807         * inspector/agents/InspectorConsoleAgent.cpp:
2808         (Inspector::InspectorConsoleAgent::getCounterLabel):
2809         (Inspector::InspectorConsoleAgent::count):
2810         (Inspector::InspectorConsoleAgent::countReset):
2811         * inspector/agents/InspectorConsoleAgent.h:
2812         * runtime/ConsoleClient.h:
2813         * runtime/ConsoleObject.cpp:
2814         (JSC::ConsoleObject::finishCreation):
2815         (JSC::consoleProtoFuncCountReset):
2816
2817 2019-06-26  Keith Miller  <keith_miller@apple.com>
2818
2819         remove unneeded didBecomePrototype() calls
2820         https://bugs.webkit.org/show_bug.cgi?id=199221
2821
2822         Reviewed by Saam Barati.
2823
2824         Since we now set didBecomePrototype in Structure::create we don't
2825         need to set it explicitly in most of our finishCreation
2826         methods. The only exception to this is object prototype, which we
2827         set as the prototype of function prototype late (via
2828         setPrototypeWithoutTransition).
2829
2830         * inspector/JSInjectedScriptHostPrototype.cpp:
2831         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2832         * inspector/JSJavaScriptCallFramePrototype.cpp:
2833         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2834         * runtime/ArrayIteratorPrototype.cpp:
2835         (JSC::ArrayIteratorPrototype::finishCreation):
2836         * runtime/ArrayPrototype.cpp:
2837         (JSC::ArrayPrototype::finishCreation):
2838         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2839         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2840         * runtime/AsyncFunctionPrototype.cpp:
2841         (JSC::AsyncFunctionPrototype::finishCreation):
2842         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2843         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2844         * runtime/AsyncGeneratorPrototype.cpp:
2845         (JSC::AsyncGeneratorPrototype::finishCreation):
2846         * runtime/AsyncIteratorPrototype.cpp:
2847         (JSC::AsyncIteratorPrototype::finishCreation):
2848         * runtime/GeneratorFunctionPrototype.cpp:
2849         (JSC::GeneratorFunctionPrototype::finishCreation):
2850         * runtime/GeneratorPrototype.cpp:
2851         (JSC::GeneratorPrototype::finishCreation):
2852         * runtime/IteratorPrototype.cpp:
2853         (JSC::IteratorPrototype::finishCreation):
2854         * runtime/JSGlobalObject.cpp:
2855         (JSC::JSGlobalObject::init):
2856         * runtime/MapIteratorPrototype.cpp:
2857         (JSC::MapIteratorPrototype::finishCreation):
2858         * runtime/MapPrototype.cpp:
2859         (JSC::MapPrototype::finishCreation):
2860         * runtime/ObjectPrototype.cpp:
2861         (JSC::ObjectPrototype::finishCreation):
2862         * runtime/RegExpStringIteratorPrototype.cpp:
2863         (JSC::RegExpStringIteratorPrototype::finishCreation):
2864         * runtime/SetIteratorPrototype.cpp:
2865         (JSC::SetIteratorPrototype::finishCreation):
2866         * runtime/SetPrototype.cpp:
2867         (JSC::SetPrototype::finishCreation):
2868         * runtime/StringIteratorPrototype.cpp:
2869         (JSC::StringIteratorPrototype::finishCreation):
2870         * runtime/WeakMapPrototype.cpp:
2871         (JSC::WeakMapPrototype::finishCreation):
2872         * runtime/WeakObjectRefPrototype.cpp:
2873         (JSC::WeakObjectRefPrototype::finishCreation):
2874         * runtime/WeakSetPrototype.cpp:
2875         (JSC::WeakSetPrototype::finishCreation):
2876
2877 2019-06-25  Keith Miller  <keith_miller@apple.com>
2878
2879         Structure::create should call didBecomePrototype()
2880         https://bugs.webkit.org/show_bug.cgi?id=196315
2881
2882         Reviewed by Filip Pizlo.
2883
2884         Structure::create should also assert that the indexing type makes sense
2885         for the prototype being used.
2886
2887         * runtime/JSObject.h:
2888         * runtime/Structure.cpp:
2889         (JSC::Structure::isValidPrototype):
2890         (JSC::Structure::changePrototypeTransition):
2891         * runtime/Structure.h:
2892         (JSC::Structure::create): Deleted.
2893         * runtime/StructureInlines.h:
2894         (JSC::Structure::create):
2895         (JSC::Structure::setPrototypeWithoutTransition):
2896
2897 2019-06-25  Joseph Pecoraro  <pecoraro@apple.com>
2898
2899         Web Inspector: Implement console.timeLog
2900         https://bugs.webkit.org/show_bug.cgi?id=199184
2901
2902         Reviewed by Devin Rousso.
2903
2904         * inspector/JSGlobalObjectConsoleClient.cpp:
2905         (Inspector::JSGlobalObjectConsoleClient::timeLog):
2906         * inspector/JSGlobalObjectConsoleClient.h:
2907         * inspector/agents/InspectorConsoleAgent.cpp:
2908         (Inspector::InspectorConsoleAgent::logTiming):
2909         (Inspector::InspectorConsoleAgent::stopTiming):
2910         * inspector/agents/InspectorConsoleAgent.h:
2911         * runtime/ConsoleClient.h:
2912         * runtime/ConsoleObject.cpp:
2913         (JSC::ConsoleObject::finishCreation):
2914         (JSC::consoleProtoFuncTimeLog):
2915
2916 2019-06-25  Michael Catanzaro  <mcatanzaro@igalia.com>
2917
2918         REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size
2919         https://bugs.webkit.org/show_bug.cgi?id=198518
2920
2921         Reviewed by Keith Miller.
2922
2923         r245586 made some bad assumptions about the size of size_t, which we can solve using the
2924         CPU(ADDRESS32) guard that I didn't know about.
2925
2926         This solution was developed by Mark Lam and Keith Miller. I'm just preparing the patch.
2927
2928         * runtime/MatchResult.h:
2929
2930 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2931
2932         Unreviewed, rolling out r246714.
2933         https://bugs.webkit.org/show_bug.cgi?id=199179
2934
2935         revert to do patch in a different way. (Requested by keith_mi_
2936         on #webkit).
2937
2938         Reverted changeset:
2939
2940         "All prototypes should call didBecomePrototype()"
2941         https://bugs.webkit.org/show_bug.cgi?id=196315
2942         https://trac.webkit.org/changeset/246714
2943
2944 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2945
2946         Add Array.prototype.{flat,flatMap} to unscopables
2947         https://bugs.webkit.org/show_bug.cgi?id=194322
2948
2949         Reviewed by Keith Miller.
2950
2951         * runtime/ArrayPrototype.cpp:
2952         (JSC::ArrayPrototype::finishCreation):
2953
2954 2019-06-24  Mark Lam  <mark.lam@apple.com>
2955
2956         ArraySlice needs to keep the source array alive.
2957         https://bugs.webkit.org/show_bug.cgi?id=197374
2958         <rdar://problem/50304429>
2959
2960         Reviewed by Michael Saboff and Filip Pizlo.
2961
2962         The implementation of the FTL ArraySlice intrinsics may GC while allocating the
2963         result array and its butterfly.  Previously, ArraySlice already keeps the source
2964         butterfly alive in order to copy from it to the new butterfly after the allocation.
2965         Unfortunately, this is not enough.  We also need to keep the source array alive
2966         so that GC will scan the values in the butterfly as well.  Note: the butterfly
2967         does not have a visitChildren() method to do this scan.  It's the parent object's
2968         responsibility to do the scanning.
2969
2970         This patch fixes this by introducing a keepAlive() utility method, and we use it
2971         to keep the source array alive while allocating the result array and butterfly.
2972
2973         keepAlive() works by using a patchpoint to communicate to B3 that a value (the
2974         source array in this case) is still in use.  It also uses a fence to keep B3 from
2975         relocating the patchpoint, which may defeat the fix.
2976
2977         For the DFG's SpeculativeJIT::compileArraySlice(), we may have lucked out and the
2978         source array cell is kept alive.  This patch makes it explicit that we should
2979         keep its cell alive till after the result array has been allocated.
2980
2981         For the Baseline JIT and LLInt, we use the arrayProtoFuncSlice() runtime function
2982         and there is no issue because the source array (in "thisObj") is in the element
2983         copying loop that follows the allocation of the result array.  However, for
2984         documentation purposes, this patch adds a call to HeapCell::use() to indicate that
2985         the source array needs to be kept alive at least until after the allocation of the
2986         result array.
2987
2988         * dfg/DFGSpeculativeJIT.cpp:
2989         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2990         * ftl/FTLLowerDFGToB3.cpp:
2991         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2992         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2993         (JSC::FTL::DFG::LowerDFGToB3::keepAlive):
2994         * runtime/ArrayPrototype.cpp:
2995         (JSC::arrayProtoFuncSlice):
2996
2997 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2998
2999         All prototypes should call didBecomePrototype()
3000         https://bugs.webkit.org/show_bug.cgi?id=196315
3001
3002         Reviewed by Saam Barati.
3003
3004         Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor.
3005
3006         I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
3007         create structures with invalid prototypes.
3008         It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
3009         Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.
3010
3011         * runtime/BigIntPrototype.cpp:
3012         (JSC::BigIntPrototype::finishCreation):
3013         * runtime/BooleanPrototype.cpp:
3014         (JSC::BooleanPrototype::finishCreation):
3015         * runtime/DatePrototype.cpp:
3016         (JSC::DatePrototype::finishCreation):
3017         * runtime/ErrorConstructor.cpp:
3018         (JSC::ErrorConstructor::finishCreation):
3019         * runtime/ErrorPrototype.cpp:
3020         (JSC::ErrorPrototype::finishCreation):
3021         * runtime/FunctionConstructor.cpp:
3022         (JSC::FunctionConstructor::finishCreation):
3023         * runtime/FunctionPrototype.cpp:
3024         (JSC::FunctionPrototype::finishCreation):
3025         * runtime/IntlCollatorPrototype.cpp:
3026         (JSC::IntlCollatorPrototype::finishCreation):
3027         * runtime/IntlDateTimeFormatPrototype.cpp:
3028         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3029         * runtime/IntlNumberFormatPrototype.cpp:
3030         (JSC::IntlNumberFormatPrototype::finishCreation):
3031         * runtime/IntlPluralRulesPrototype.cpp:
3032         (JSC::IntlPluralRulesPrototype::finishCreation):
3033         * runtime/JSArrayBufferPrototype.cpp:
3034         (JSC::JSArrayBufferPrototype::finishCreation):
3035         * runtime/JSDataViewPrototype.cpp:
3036         (JSC::JSDataViewPrototype::finishCreation):
3037         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
3038         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
3039         * runtime/JSGlobalObject.cpp:
3040         (JSC::createConsoleProperty):
3041         * runtime/JSPromisePrototype.cpp:
3042         (JSC::JSPromisePrototype::finishCreation):
3043         * runtime/JSTypedArrayViewConstructor.cpp:
3044         (JSC::JSTypedArrayViewConstructor::finishCreation):
3045         * runtime/JSTypedArrayViewPrototype.cpp:
3046         (JSC::JSTypedArrayViewPrototype::finishCreation):
3047         * runtime/NumberPrototype.cpp:
3048         (JSC::NumberPrototype::finishCreation):
3049         * runtime/RegExpPrototype.cpp:
3050         (JSC::RegExpPrototype::finishCreation):
3051         * runtime/StringPrototype.cpp:
3052         (JSC::StringPrototype::finishCreation):
3053         * runtime/Structure.cpp:
3054         (JSC::Structure::isValidPrototype):
3055         (JSC::Structure::changePrototypeTransition):
3056         * runtime/Structure.h:
3057         * runtime/StructureInlines.h:
3058         (JSC::Structure::setPrototypeWithoutTransition):
3059         * runtime/SymbolPrototype.cpp:
3060         (JSC::SymbolPrototype::finishCreation):
3061         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3062         (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
3063         * wasm/js/WebAssemblyInstancePrototype.cpp:
3064         (JSC::WebAssemblyInstancePrototype::finishCreation):
3065         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3066         (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
3067         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3068         (JSC::WebAssemblyMemoryPrototype::finishCreation):
3069         * wasm/js/WebAssemblyModulePrototype.cpp:
3070         (JSC::WebAssemblyModulePrototype::finishCreation):
3071         * wasm/js/WebAssemblyPrototype.cpp:
3072         (JSC::WebAssemblyPrototype::finishCreation):
3073         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3074         (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
3075         * wasm/js/WebAssemblyTablePrototype.cpp:
3076         (JSC::WebAssemblyTablePrototype::finishCreation):
3077
3078 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
3079
3080         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
3081         https://bugs.webkit.org/show_bug.cgi?id=197631
3082
3083         Reviewed by Saam Barati.
3084
3085         If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class.
3086         This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we
3087         cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked
3088         by comparing classInfo of the cached structure and the given base structure. This implicitly assume that
3089         each builtin class's InternalFunction creates an instance based on one structure.
3090
3091         However, Function constructor is an exception: Function constructor creates an instance which has different
3092         structures based on a parameter. If strict code is given (e.g. "'use strict'"), it creates a function
3093         instance with strict function structure.
3094
3095         As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code.
3096
3097             class A extends Function { };
3098             let a = new A("'use strict'");
3099             let b = new A("");
3100
3101         While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuses it even when the given
3102         code is not strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions
3103         because they have different properties. However, in the above case, a and b have the same structure while they have
3104         different properties. So it causes incorrect structure-based caching in JSC. One example is HasOwnPropertyCache.
3105
3106         In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design
3107         works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each
3108         structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the
3109         cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL
3110         optimizations are based on JSFunctionType (not classInfo), introducing these three classInfos does not break the optimization.
3111
3112         Note that structures on ArrayConstructor do not cause the same problem. It only uses the Undecided indexing type array
3113         structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile.
3114
3115         * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that
3116         sizeof(JSAsyncFunction) == sizeof(JSFunction).
3117         * runtime/JSAsyncGeneratorFunction.cpp:
3118         * runtime/JSAsyncGeneratorFunction.h: Ditto.
3119         * runtime/JSFunction.cpp:
3120         * runtime/JSFunction.h:
3121         * runtime/JSGeneratorFunction.h: Ditto.
3122         * runtime/JSGlobalObject.cpp:
3123         (JSC::JSGlobalObject::init):
3124
3125 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
3126
3127         [JSC] ClassExpr should not store result in the middle of evaluation
3128         https://bugs.webkit.org/show_bug.cgi?id=199106
3129
3130         Reviewed by Tadeu Zagallo.
3131
3132         Let's consider the case,
3133
3134             let a = class A {
3135                 static get[a=0x12345678]() {
3136                 }
3137             };
3138
3139         When evaluating `class A` expression, we should not use the local register for `let a`
3140         until we finally store it to that register. Otherwise, `a=0x12345678` will override it.
3141         Our BytecodeGenerator does this by using tempDestination and finalDestination, but
3142         we did not do that in ClassExprNode.
3143
3144         This patch leverages tempDestination and finalDestination to store `class A` result finally,
3145         while we attempt to reduce mov.
3146
3147         * bytecompiler/NodesCodegen.cpp:
3148         (JSC::ClassExprNode::emitBytecode):
3149
3150 2019-06-21  Sihui Liu  <sihui_liu@apple.com>
3151
3152         openDatabase should return an empty object when WebSQL is disabled
3153         https://bugs.webkit.org/show_bug.cgi?id=198805
3154
3155         Reviewed by Geoffrey Garen.
3156
3157         * runtime/JSFunction.cpp:
3158         (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined):
3159         * runtime/JSFunction.h:
3160
3161 2019-06-21  Alexey Shvayka  <shvaikalesh@gmail.com>
3162
3163         Remove extra check in RegExp @matchSlow
3164         https://bugs.webkit.org/show_bug.cgi?id=198846
3165
3166         Reviewed by Joseph Pecoraro.
3167
3168         Type of RegExp `exec` result is already asserted in @regExpExec.
3169
3170         * builtins/RegExpPrototype.js:
3171         (globalPrivate.matchSlow): Remove isObject check.
3172
3173 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
3174
3175         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
3176         https://bugs.webkit.org/show_bug.cgi?id=199044
3177
3178         Reviewed by Saam Barati.
3179
3180         Fix parsing table indices from the element section. The byte that we previously read as the table index actually tells us how to parse the table index.
3181         Fix some areas where we got the isSubtype check wrong, causing funcrefs to not be considered anyrefs.
3182
3183         * wasm/WasmAirIRGenerator.cpp:
3184         (JSC::Wasm::AirIRGenerator::unify):
3185         * wasm/WasmSectionParser.cpp:
3186         (JSC::Wasm::SectionParser::parseElement):
3187         * wasm/WasmValidate.cpp:
3188         (JSC::Wasm::Validate::unify):
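
An added decoder, not WebKit's SectionParser, showing the two points of this entry: the first byte of an element segment is a flags field that decides whether an explicit table index follows (reading it as the table index misparses every segment with flags 2), and funcref must be accepted where anyref is expected. It assumes the reference-types proposal encoding (flags 0 through 7, anyref as the top reference type); the sample bytes and all function names are constructed for this example.

```javascript
// Added example (not WebKit code): element-section decoding driven by the
// flags byte, plus the funcref <: anyref subtyping rule.

function readVarU32(bytes, pos) {
  // Unsigned LEB128; also used for the small i32.const offsets in the sample.
  let result = 0, shift = 0, b;
  do {
    if (pos >= bytes.length) throw new Error('unexpected end of LEB128');
    b = bytes[pos++];
    result |= (b & 0x7f) << shift;
    shift += 7;
  } while (b & 0x80);
  return [result >>> 0, pos];
}

function refTypeName(byte) {
  if (byte === 0x70) return 'funcref';
  if (byte === 0x6f) return 'anyref';   // assumption: 2019 proposal encoding of anyref
  throw new Error(`unknown reference type 0x${byte.toString(16)}`);
}

function readConstExpr(bytes, pos) {
  // Accepts i32.const, ref.func and ref.null, each terminated by 0x0b (end).
  const op = bytes[pos++];
  let expr, n;
  if (op === 0x41) { [n, pos] = readVarU32(bytes, pos); expr = { op: 'i32.const', value: n }; }
  else if (op === 0xd2) { [n, pos] = readVarU32(bytes, pos); expr = { op: 'ref.func', value: n }; }
  else if (op === 0xd0) { expr = { op: 'ref.null', type: refTypeName(bytes[pos++]) }; }
  else throw new Error(`unsupported opcode 0x${op.toString(16)} in constant expression`);
  if (bytes[pos++] !== 0x0b) throw new Error('constant expression not terminated by end');
  return [expr, pos];
}

function parseElementSegment(bytes, pos) {
  let flags;
  [flags, pos] = readVarU32(bytes, pos);          // flags, not a table index
  if (flags > 7) throw new Error(`invalid element segment flags ${flags}`);
  const active = (flags & 1) === 0;
  const hasTableOrKind = (flags & 2) !== 0;       // active: explicit table index; otherwise: declarative
  const usesExprs = (flags & 4) !== 0;            // items are constant expressions, not funcidx
  const seg = { mode: 'active', tableIndex: 0, offset: null, elemType: 'funcref', items: [] };
  if (active) {
    if (hasTableOrKind) [seg.tableIndex, pos] = readVarU32(bytes, pos);
    [seg.offset, pos] = readConstExpr(bytes, pos);
  } else {
    seg.mode = hasTableOrKind ? 'declarative' : 'passive';
  }
  if (!active || hasTableOrKind) {
    // Forms 1, 2, 3 carry an elemkind (0x00 = funcref); forms 5, 6, 7 carry a reftype.
    const t = bytes[pos++];
    if (usesExprs) seg.elemType = refTypeName(t);
    else if (t !== 0x00) throw new Error(`unsupported elemkind 0x${t.toString(16)}`);
  }
  let count;
  [count, pos] = readVarU32(bytes, pos);
  for (let i = 0; i < count; i++) {
    let item;
    if (usesExprs) [item, pos] = readConstExpr(bytes, pos);
    else { let idx; [idx, pos] = readVarU32(bytes, pos); item = { op: 'ref.func', value: idx }; }
    seg.items.push(item);
  }
  return [seg, pos];
}

function parseElementSection(bytes) {
  let [count, pos] = readVarU32(bytes, 0);
  const segments = [];
  for (let i = 0; i < count; i++) {
    let seg;
    [seg, pos] = parseElementSegment(bytes, pos);
    segments.push(seg);
  }
  if (pos !== bytes.length) throw new Error('trailing bytes in element section');
  return segments;
}

// Every type is a subtype of itself, and funcref is a subtype of anyref.
function isSubtype(sub, sup) {
  return sub === sup || (sup === 'anyref' && sub === 'funcref');
}

// Constructed element section payload with three segments:
//   flags 0: active, table 0, offset 1, funcs [3, 4]
//   flags 2: active, explicit table 1, offset 0, elemkind funcref, funcs [5]
//   flags 5: passive, funcref exprs [ref.func 7, ref.null funcref]
const SAMPLE_ELEM_SECTION = new Uint8Array([
  0x03,
  0x00, 0x41, 0x01, 0x0b, 0x02, 0x03, 0x04,
  0x02, 0x01, 0x41, 0x00, 0x0b, 0x00, 0x01, 0x05,
  0x05, 0x70, 0x02, 0xd2, 0x07, 0x0b, 0xd0, 0x70, 0x0b,
]);
```

The second segment is the one a parser that reads the first byte as the table index gets wrong: it would place the segment in table 2 and then try to decode the real table index as an offset expression. Out-of-range flags and unterminated constant expressions are rejected rather than skipped, since a permissive decoder here is what later lets a bad table index reach code generation.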
3189
3190 2019-06-18  Darin Adler  <darin@apple.com>
3191
3192         Tidy up the remaining bits of the AtomicString to AtomString rename
3193         https://bugs.webkit.org/show_bug.cgi?id=198990
3194
3195         Reviewed by Michael Catanzaro.
3196
3197         * dfg/DFGSpeculativeJIT.cpp:
3198         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Use flagIsAtom.
3199         * dfg/DFGSpeculativeJIT32_64.cpp:
3200         (JSC::DFG::SpeculativeJIT::compile): Ditto.
3201         * dfg/DFGSpeculativeJIT64.cpp:
3202         (JSC::DFG::SpeculativeJIT::compile): Ditto.
3203         * ftl/FTLLowerDFGToB3.cpp:
3204         (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): Ditto.
3205         (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent): Ditto.
3206
3207 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
3208
3209         Optimize `resolve` method lookup in Promise static methods
3210         https://bugs.webkit.org/show_bug.cgi?id=198864
3211
3212         Reviewed by Yusuke Suzuki.
3213
3214         Lookup `resolve` method only once in Promise.{all,allSettled,race}.
3215         (https://github.com/tc39/ecma262/pull/1506)
3216
3217         Already implemented in V8.
3218
3219         * builtins/PromiseConstructor.js:
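
An added check, not WebKit code, that makes the behaviour described above observable: a `Promise` subclass whose static `resolve` getter counts its own invocations. Under the single-lookup behaviour, each combinator call reads `resolve` exactly once regardless of how many elements it receives, so a user-defined (or attacker-controlled) getter can no longer run per element. `countResolveLookups` and `Tracked` are names chosen for this example; `allSettled` is only used where the engine provides it.

```javascript
// Added example (not WebKit code): how many times Promise.all / race /
// allSettled read `resolve` from the receiver constructor.

function countResolveLookups(method, iterable) {
  let lookups = 0;
  class Tracked extends Promise {
    static get resolve() {
      lookups++;                       // observable side effect of each lookup
      return Promise.resolve;          // invoked with `this === Tracked` by the combinator
    }
  }
  if (typeof Tracked[method] !== 'function') return -1;   // e.g. allSettled on an old engine
  // The combinators read `resolve` synchronously, before any settlement happens,
  // so the count is final as soon as the call returns.
  const p = Tracked[method](iterable);
  p.catch(() => {});                   // keep a rejected sample from being reported as unhandled
  return lookups;
}
```

With the per-element lookup that this entry removes, `countResolveLookups('all', [1, 2, 3])` would report 3; after it, 1.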
3220
3221 2019-06-19  Tadeu Zagallo  <tzagallo@apple.com>
3222
3223         Some of the ASSERTs in CachedTypes.cpp should be RELEASE_ASSERTs
3224         https://bugs.webkit.org/show_bug.cgi?id=199030
3225
3226         Reviewed by Mark Lam.
3227
3228         These assertions represent strong assumptions that the cache makes so
3229         it's not safe to keep executing if they fail.
3230
3231         * runtime/CachedTypes.cpp:
3232         (JSC::Encoder::malloc):
3233         (JSC::Encoder::Page::alignEnd):
3234         (JSC::Decoder::ptrForOffsetFromBase):
3235         (JSC::Decoder::handleForEnvironment const):
3236         (JSC::Decoder::setHandleForEnvironment):
3237         (JSC::CachedPtr::get const):
3238         (JSC::CachedOptional::encode):
3239         (JSC::CachedOptional::decodeAsPtr const): Deleted.
3240
3241 2019-06-19  Adrian Perez de Castro  <aperez@igalia.com>
3242
3243         [WPE][GTK] Fix build with unified sources disabled
3244         https://bugs.webkit.org/show_bug.cgi?id=198752
3245
3246         Reviewed by Michael Catanzaro.
3247
3248         * runtime/WeakObjectRefConstructor.h: Add missing inclusion of InternalFunction.h
3249         and forward declaration of WeakObjectRefPrototype.
3250         * wasm/js/WebAssemblyFunction.cpp: Add missing inclusion of JSWebAssemblyHelpers.h
3251
3252 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
3253
3254         [WASM-References] Rename anyfunc to funcref
3255         https://bugs.webkit.org/show_bug.cgi?id=198983
3256
3257         Reviewed by Yusuke Suzuki.
3258
3259         Anyfunc should become funcref since it was renamed in the spec. We should also support the string 'anyfunc' in the table constructor since this is 
3260         the only non-binary-format place where it is exposed to users.
3261
3262         * wasm/WasmAirIRGenerator.cpp:
3263         (JSC::Wasm::AirIRGenerator::gFuncref):
3264         (JSC::Wasm::AirIRGenerator::tmpForType):
3265         (JSC::Wasm::AirIRGenerator::emitCCall):
3266         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
3267         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3268         (JSC::Wasm::AirIRGenerator::addLocal):
3269         (JSC::Wasm::AirIRGenerator::addConstant):
3270         (JSC::Wasm::AirIRGenerator::addRefFunc):
3271         (JSC::Wasm::AirIRGenerator::addReturn):
3272         (JSC::Wasm::AirIRGenerator::gAnyfunc): Deleted.
3273         * wasm/WasmCallingConvention.h:
3274         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3275         (JSC::Wasm::CallingConventionAir::setupCall const):
3276         * wasm/WasmExceptionType.h:
3277         * wasm/WasmFormat.h:
3278         (JSC::Wasm::isValueType):
3279         (JSC::Wasm::isSubtype):
3280         (JSC::Wasm::TableInformation::wasmType const):
3281         * wasm/WasmFunctionParser.h:
3282         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3283         * wasm/WasmSectionParser.cpp:
3284         (JSC::Wasm::SectionParser::parseTableHelper):
3285         (JSC::Wasm::SectionParser::parseElement):
3286         (JSC::Wasm::SectionParser::parseInitExpr):
3287         * wasm/WasmValidate.cpp:
3288         (JSC::Wasm::Validate::addRefFunc):
3289         * wasm/js/JSToWasm.cpp:
3290         (JSC::Wasm::createJSToWasmWrapper):
3291         * wasm/js/WasmToJS.cpp:
3292         (JSC::Wasm::wasmToJS):
3293         * wasm/js/WebAssemblyFunction.cpp:
3294         (JSC::callWebAssemblyFunction):
3295         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3296         * wasm/js/WebAssemblyModuleRecord.cpp:
3297         (JSC::WebAssemblyModuleRecord::link):
3298         * wasm/js/WebAssemblyTableConstructor.cpp:
3299         (JSC::constructJSWebAssemblyTable):
3300         * wasm/wasm.json:
3301
3302 2019-06-19  Fujii Hironori  <Hironori.Fujii@sony.com>
3303
3304         [CMake][Win] CombinedDomains.json is generated twice in JavaScriptCore_CopyPrivateHeaders and JavaScriptCore projects
3305         https://bugs.webkit.org/show_bug.cgi?id=198853
3306
3307         Reviewed by Don Olmstead.
3308
3309         JavaScriptCore_CopyPrivateHeaders target needs to have a direct or
3310         indirect dependency of JavaScriptCore target for CMake Visual
3311         Studio generator to eliminate duplicated custom commands.
3312
3313         * CMakeLists.txt: Added JavaScriptCore as a dependency of JavaScriptCore_CopyPrivateHeaders.
3314
3315 2019-06-18  Yusuke Suzuki  <ysuzuki@apple.com>
3316
3317         [JSC] JSLock should be WebThread aware
3318         https://bugs.webkit.org/show_bug.cgi?id=198911
3319
3320         Reviewed by Geoffrey Garen.
3321
3322         Since WebKitLegacy content rendering is done in WebThread instead of the main thread in iOS, user of WebKitLegacy (e.g. UIWebView) needs
3323         to grab the WebThread lock (which is a recursive lock) in the main thread when touching the WebKitLegacy content.
3324         But, WebKitLegacy can expose JSContext for the web view. And we can interact with the JS content through JavaScriptCore APIs. However,
3325         since WebThread is a concept in WebCore, JavaScriptCore APIs do not grab the WebThread lock. As a result, WebKitLegacy web content can be
3326         modified from the main thread without grabbing the WebThread lock through JavaScriptCore APIs.
3327
3328         This patch makes JSC aware of WebThread: JSLock grabs the WebThread lock before grabbing JS's lock. While this seems like a layering violation,
3329         we already have many USE(WEB_THREAD) and WebThread aware code in WTF. Eventually, we should move WebThread code from WebCore to WTF since
3330         JSC and WTF need to be aware of WebThread. But, for now, we just use the function pointer exposed by WebCore.
3331
3332         Since both JSLock and the WebThread lock are recursive locks, nested locking is totally OK. The possible problem is the order of locking.
3333         We ensure that we always grab locks in (1) the WebThread lock and (2) JSLock order.
3334
3335         In JSLock, we take the WebThread lock, but we do not unlock it. This is how we use the WebThread lock: the WebThread lock is released
3336         automatically when RunLoop finishes the current cycle, and in WebKitLegacy, we do not call the unlocking function of the WebThread lock except
3337         for some edge cases.
3338
3339         * API/JSVirtualMachine.mm:
3340         (-[JSVirtualMachine isWebThreadAware]):
3341         * API/JSVirtualMachineInternal.h:
3342         * runtime/JSLock.cpp:
3343         (JSC::JSLockHolder::JSLockHolder):
3344         (JSC::JSLock::lock):
3345         (JSC::JSLockHolder::init): Deleted.
3346         * runtime/JSLock.h:
3347         (JSC::JSLock::makeWebThreadAware):
3348         (JSC::JSLock::isWebThreadAware const):
3349
3350 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
3351
3352         [WASM-References] Add support for Table.size, grow and fill instructions
3353         https://bugs.webkit.org/show_bug.cgi?id=198761
3354
3355         Reviewed by Yusuke Suzuki.
3356
3357         Add support for Table.size, grow and fill instructions. This also required
3358         adding support for two-byte opcodes to the ops generator.
3359
3360         * wasm/WasmAirIRGenerator.cpp:
3361         (JSC::Wasm::AirIRGenerator::gAnyref):
3362         (JSC::Wasm::AirIRGenerator::tmpForType):
3363         (JSC::Wasm::AirIRGenerator::addTableSize):
3364         (JSC::Wasm::AirIRGenerator::addTableGrow):
3365         (JSC::Wasm::AirIRGenerator::addTableFill):
3366         * wasm/WasmB3IRGenerator.cpp:
3367         (JSC::Wasm::B3IRGenerator::addTableSize):
3368         (JSC::Wasm::B3IRGenerator::addTableGrow):
3369         (JSC::Wasm::B3IRGenerator::addTableFill):
3370         * wasm/WasmExceptionType.h:
3371         * wasm/WasmFormat.h:
3372         (JSC::Wasm::TableInformation::wasmType const):
3373         * wasm/WasmFunctionParser.h:
3374         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3375         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
3376         * wasm/WasmInstance.cpp:
3377         (JSC::Wasm::doWasmTableGrow):
3378         (JSC::Wasm::doWasmTableFill):
3379         * wasm/WasmInstance.h:
3380         * wasm/WasmTable.cpp:
3381         (JSC::Wasm::Table::grow):
3382         * wasm/WasmValidate.cpp:
3383         (JSC::Wasm::Validate::addTableSize):
3384         (JSC::Wasm::Validate::addTableGrow):
3385         (JSC::Wasm::Validate::addTableFill):
3386         * wasm/generateWasmOpsHeader.py:
3387         (opcodeMacroizer):
3388         (ExtTableOpType):
3389         * wasm/wasm.json:
3390
3391 2019-06-18  Keith Miller  <keith_miller@apple.com>
3392
3393         Unreviewed, fix signature of currentWeakRefVersion to return an uintptr_t.
3394
3395         * runtime/VM.h:
3396         (JSC::VM::currentWeakRefVersion const):
3397
3398 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
3399
3400         [WASM-References] Add support for multiple tables
3401         https://bugs.webkit.org/show_bug.cgi?id=198760
3402
3403         Reviewed by Saam Barati.
3404
3405         Support multiple wasm tables. We turn tableInformation into a tables array, and update all of the
3406         existing users to give a table index. The array of Tables in Wasm::Instance is hung off the tail
3407         to make it easier to use from jit code. 
3408
3409         * wasm/WasmAirIRGenerator.cpp:
3410         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3411         (JSC::Wasm::AirIRGenerator::addTableGet):
3412         (JSC::Wasm::AirIRGenerator::addTableSet):
3413         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3414         * wasm/WasmB3IRGenerator.cpp:
3415         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3416         (JSC::Wasm::B3IRGenerator::addTableGet):
3417         (JSC::Wasm::B3IRGenerator::addTableSet):
3418         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3419         * wasm/WasmExceptionType.h:
3420         * wasm/WasmFormat.h:
3421         (JSC::Wasm::Element::Element):
3422         * wasm/WasmFunctionParser.h:
3423         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3424         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
3425         * wasm/WasmInstance.cpp:
3426         (JSC::Wasm::Instance::Instance):
3427         (JSC::Wasm::Instance::create):
3428         (JSC::Wasm::Instance::extraMemoryAllocated const):
3429         (JSC::Wasm::Instance::table):
3430         (JSC::Wasm::Instance::setTable):
3431         * wasm/WasmInstance.h:
3432         (JSC::Wasm::Instance::updateCachedMemory):
3433         (JSC::Wasm::Instance::offsetOfGlobals):
3434         (JSC::Wasm::Instance::offsetOfTablePtr):
3435         (JSC::Wasm::Instance::allocationSize):
3436         (JSC::Wasm::Instance::table): Deleted.
3437         (JSC::Wasm::Instance::setTable): Deleted.
3438         (JSC::Wasm::Instance::offsetOfTable): Deleted.
3439         * wasm/WasmModuleInformation.h:
3440         (JSC::Wasm::ModuleInformation::tableCount const):
3441         * wasm/WasmSectionParser.cpp:
3442         (JSC::Wasm::SectionParser::parseImport):
3443         (JSC::Wasm::SectionParser::parseTableHelper):
3444         (JSC::Wasm::SectionParser::parseTable):
3445         (JSC::Wasm::SectionParser::parseElement):
3446         * wasm/WasmTable.h:
3447         (JSC::Wasm::Table::owner const):
3448         * wasm/WasmValidate.cpp:
3449         (JSC::Wasm::Validate::addTableGet):
3450         (JSC::Wasm::Validate::addTableSet):
3451         (JSC::Wasm::Validate::addCallIndirect):
3452         * wasm/js/JSWebAssemblyInstance.cpp:
3453         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3454         (JSC::JSWebAssemblyInstance::visitChildren):
3455         * wasm/js/JSWebAssemblyInstance.h:
3456         * wasm/js/WebAssemblyModuleRecord.cpp:
3457         (JSC::WebAssemblyModuleRecord::link):
3458         (JSC::WebAssemblyModuleRecord::evaluate):
3459         * wasm/wasm.json:
3460
3461 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
3462
3463         [ESNExt] String.prototype.matchAll
3464         https://bugs.webkit.org/show_bug.cgi?id=186694
3465
3466         Reviewed by Yusuke Suzuki.
3467
3468         Implement String.prototype.matchAll.
3469         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
3470
3471         Also rename @globalPrivate @constructor functions and C++ variables holding them.
3472
3473         Shipping in Chrome since version 73.
3474         Shipping in Firefox since version 67.
3475
3476         * CMakeLists.txt:
3477         * DerivedSources-input.xcfilelist:
3478         * DerivedSources.make:
3479         * JavaScriptCore.xcodeproj/project.pbxproj:
3480         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3481         (get_var_name):
3482         (generate_section_for_global_private_code_name_macro):
3483         * Sources.txt:
3484         * builtins/ArrayPrototype.js:
3485         (globalPrivate.ArrayIterator):
3486         (values):
3487         (keys):
3488         (entries):
3489         (globalPrivate.createArrayIterator): Deleted.
3490         * builtins/AsyncFromSyncIteratorPrototype.js:
3491         (globalPrivate.createAsyncFromSyncIterator):
3492         (globalPrivate.AsyncFromSyncIterator):
3493         (globalPrivate.AsyncFromSyncIteratorConstructor): Deleted.
3494         * builtins/BuiltinNames.h:
3495         * builtins/MapPrototype.js:
3496         (globalPrivate.MapIterator):
3497         (values):
3498         (keys):
3499         (entries):
3500         (globalPrivate.createMapIterator): Deleted.
3501         * builtins/RegExpPrototype.js:
3502         (globalPrivate.RegExpStringIterator):
3503         (overriddenName.string_appeared_here.matchAll):
3504         * builtins/RegExpStringIteratorPrototype.js: Added.
3505         (next):
3506         * builtins/SetPrototype.js:
3507         (globalPrivate.SetIterator):
3508         (values):
3509         (entries):
3510         (globalPrivate.createSetIterator): Deleted.
3511         * builtins/StringPrototype.js:
3512         (matchAll):
3513         * builtins/TypedArrayPrototype.js:
3514         (values):
3515         (keys):
3516         (entries):
3517         * runtime/CommonIdentifiers.h:
3518         * runtime/JSGlobalObject.cpp:
3519         (JSC::JSGlobalObject::init):
3520         * runtime/RegExpPrototype.cpp:
3521         (JSC::RegExpPrototype::finishCreation):
3522         * runtime/RegExpStringIteratorPrototype.cpp: Added.
3523         (JSC::RegExpStringIteratorPrototype::finishCreation):
3524         * runtime/RegExpStringIteratorPrototype.h: Added.
3525         * runtime/StringPrototype.cpp:
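
The matchAll semantics this entry implements, as an added example that is not part of the ChangeLog or of JSC's sources: a spec-shaped model of String.prototype.matchAll in JavaScript, checked against the engine's native implementation (Node 12 or later assumed; every function name below is the example's own).

```javascript
// Added example (not JSC code): a spec-shaped model of String.prototype.matchAll
// (https://tc39.es/ecma262/#sec-string.prototype.matchall). It mirrors the pieces
// this change adds: a RegExpStringIterator whose next() drives RegExpExec, and a
// matchAll that rejects non-global RegExps before matching. Node 12+ assumed.

// AdvanceStringIndex: with the "u" flag, step over a whole code point.
function advanceStringIndex(str, index, unicode) {
  if (!unicode || index + 1 >= str.length) return index + 1;
  return index + (str.codePointAt(index) > 0xFFFF ? 2 : 1);
}

// %RegExpStringIteratorPrototype%.next, written as a generator.
function* regExpStringIterator(matcher, str, global, fullUnicode) {
  for (;;) {
    const match = matcher.exec(str);              // RegExpExec(matcher, str)
    if (match === null) return;
    if (!global) { yield match; return; }         // non-global: a single result
    if (match[0] === "") {
      // An empty match leaves lastIndex where it was; advance it here so the
      // iterator cannot return the same empty match forever.
      matcher.lastIndex = advanceStringIndex(str, matcher.lastIndex, fullUnicode);
    }
    yield match;
  }
}

// RegExp.prototype[@@matchAll]: iterate over a species-constructed clone so the
// caller's RegExp (and its lastIndex) is never mutated.
function regExpMatchAll(rx, str) {
  const C = (rx.constructor && rx.constructor[Symbol.species]) || RegExp;
  const flags = String(rx.flags);
  const matcher = new C(rx, flags);
  matcher.lastIndex = Math.max(0, Math.trunc(Number(rx.lastIndex)) || 0); // ToLength
  return regExpStringIterator(matcher, str, flags.includes("g"), flags.includes("u"));
}

// String.prototype.matchAll: the "g" flag check happens up front, not lazily.
function matchAllReference(str, regexp) {
  if (str === null || str === undefined) throw new TypeError("matchAll called on null or undefined");
  if (regexp !== null && regexp !== undefined) {
    const isRegExp = regexp[Symbol.match] !== undefined       // IsRegExp(regexp)
      ? Boolean(regexp[Symbol.match]) : regexp instanceof RegExp;
    if (isRegExp) {
      if (!String(regexp.flags).includes("g"))
        throw new TypeError("String.prototype.matchAll requires a global RegExp");
      return regExpMatchAll(regexp, String(str));
    }
  }
  // Any other pattern (string, number, undefined) is wrapped as new RegExp(pattern, "g").
  return regExpMatchAll(new RegExp(regexp, "g"), String(str));
}

// Summarise matches as [text, index] pairs.
function collect(iter) {
  return Array.from(iter, (m) => [m[0], m.index]);
}

// Compare the model with the engine's native matchAll on one input.
function agreesWithNative(str, regexp) {
  const ours = JSON.stringify(collect(matchAllReference(str, regexp)));
  const native = JSON.stringify(collect(String.prototype.matchAll.call(str, regexp)));
  return ours === native;
}
```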
3526
3527 2019-06-18  Keith Miller  <keith_miller@apple.com>
3528
3529         Add support for WeakRef
3530         https://bugs.webkit.org/show_bug.cgi?id=198710
3531
3532         Reviewed by Yusuke Suzuki.
3533
3534         Add support for WeakRefs, which are now at stage 3
3535         (https://tc39.es/proposal-weakrefs). This patch doesn't add
3536         support for FinalizationGroups, which I'll add in another patch.
3537
3538         Some other things of interest. Per the spec, we cannot collect a
3539         weak ref's target unless it has not been dereffed (or created) in
3540         the current microtask turn, i.e. WeakRefs are only allowed to be
3541         collected at the end of a drain of the Microtask queue. My
3542         understanding is that this behavior is meant to reduce implementation
3543         dependence on specific GC behavior in a given browser.
3544
3545         We track if a WeakRef is retaining its target by using a version
3546         number on each WeakRef as well as on the VM. Whenever a WeakRef is
3547         dereffed, we update its version number to match the VM's and then
3548         WriteBarrier ourselves. During marking, if the VM and the WeakRef
3549         have the same version number, the target is visited.
3550
3551         * JavaScriptCore.xcodeproj/project.pbxproj:
3552         * Sources.txt:
3553         * heap/Heap.cpp:
3554         (JSC::Heap::finalizeUnconditionalFinalizers):
3555         * jsc.cpp:
3556         (GlobalObject::finishCreation):
3557         (functionReleaseWeakRefs):
3558         * runtime/CommonIdentifiers.h:
3559         * runtime/JSGlobalObject.cpp:
3560         * runtime/JSGlobalObject.h:
3561         * runtime/JSWeakObjectRef.cpp: Added.
3562         (JSC::JSWeakObjectRef::finishCreation):
3563         (JSC::JSWeakObjectRef::visitChildren):
3564         (JSC::JSWeakObjectRef::finalizeUnconditionally):
3565         (JSC::JSWeakObjectRef::toStringName):
3566         * runtime/JSWeakObjectRef.h: Added.
3567         * runtime/VM.cpp:
3568         (JSC::VM::drainMicrotasks):
3569         * runtime/VM.h:
3570         (JSC::VM::setOnEachMicrotaskTick):
3571         (JSC::VM::finalizeSynchronousJSExecution):
3572         (JSC::VM::currentWeakRefVersion const):
3573         * runtime/WeakObjectRefConstructor.cpp: Added.
3574         (JSC::WeakObjectRefConstructor::finishCreation):
3575         (JSC::WeakObjectRefConstructor::WeakObjectRefConstructor):
3576         (JSC::callWeakRef):
3577         (JSC::constructWeakRef):
3578         * runtime/WeakObjectRefConstructor.h: Added.
3579         (JSC::WeakObjectRefConstructor::create):
3580         (JSC::WeakObjectRefConstructor::createStructure):
3581         * runtime/WeakObjectRefPrototype.cpp: Added.
3582         (JSC::WeakObjectRefPrototype::finishCreation):
3583         (JSC::getWeakRef):
3584         (JSC::protoFuncWeakRefDeref):
3585         * runtime/WeakObjectRefPrototype.h: Added.
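
The version-number scheme this entry describes, as an added example that is not part of the ChangeLog or of JSC's sources: a small JavaScript model of a VM whose weak-ref version advances at the end of each microtask drain, with marking that visits a WeakRef's target only while the versions match (ModelVM, ModelWeakRef and scenario are the example's own names, not JSC identifiers).

```javascript
// Added example (not JSC code): a model of the version-number scheme described
// above. The VM's counter advances when the microtask queue drains; a WeakRef
// stamps itself with the VM's version when created or dereffed; marking visits
// the target only while the two versions match, and an unmarked target is
// cleared from the ref afterwards. All names here are the example's own.

class ModelVM {
  constructor() {
    this.weakRefVersion = 0;   // stands in for VM::currentWeakRefVersion()
    this.weakRefs = [];        // refs the unconditional finalizer must revisit
  }
  // After a drain of the microtask queue, refs not touched in the new turn
  // stop keeping their targets alive.
  endOfMicrotaskDrain() { this.weakRefVersion++; }

  // Mark from the roots, then clear every ref whose target did not survive.
  collect(roots) {
    const marked = new Set();
    const stack = [...roots];
    while (stack.length > 0) {
      const obj = stack.pop();
      if (marked.has(obj)) continue;
      marked.add(obj);
      stack.push(...(obj instanceof ModelWeakRef ? obj.visitChildren() : obj.edges));
    }
    for (const ref of this.weakRefs) {          // finalizeUnconditionally
      if (ref.target !== null && !marked.has(ref.target)) ref.target = null;
    }
    return marked;
  }
}

class ModelWeakRef {
  constructor(vm, target) {
    this.vm = vm; this.target = target;
    this.edges = [];                    // no ordinary strong edges
    this.version = vm.weakRefVersion;   // creation counts as a deref
    vm.weakRefs.push(this);
  }
  // deref(): stamp the current VM version so GCs in this turn keep the target.
  deref() {
    if (this.target !== null) this.version = this.vm.weakRefVersion;
    return this.target;
  }
  // visitChildren: the target is a strong edge only while the versions agree.
  visitChildren() {
    return this.target !== null && this.version === this.vm.weakRefVersion
      ? [this.target] : [];
  }
}

// Three cases: GC in the creation turn, GC after a deref in a later turn, and
// GC in a later turn with no deref at all.
function scenario() {
  const vm = new ModelVM();
  const target = { name: "target", edges: [] };   // constructed heap object
  const ref = new ModelWeakRef(vm, target);
  const seen = [];
  vm.collect([ref]);
  seen.push(ref.deref() === target);              // same turn: kept
  vm.endOfMicrotaskDrain();
  ref.deref();                                    // touched in this turn
  vm.collect([ref]);
  seen.push(ref.deref() === target);              // kept again
  vm.endOfMicrotaskDrain();
  vm.collect([ref]);                              // untouched: cleared
  seen.push(ref.deref());
  return seen;                                    // [true, true, null]
}
```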
3586
3587 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
3588
3589         Add missing mutator fence in compileNewFunction
3590         https://bugs.webkit.org/show_bug.cgi?id=198849
3591         <rdar://problem/51733890>
3592
3593         Reviewed by Saam Barati.
3594
3595         Follow-up after r246553. Saam pointed out that we still need a mutator
3596         fence before allocating the FunctionRareData, since the allocation
3597         might trigger a slow path call.
3598
3599         * dfg/DFGSpeculativeJIT.cpp:
3600         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3601         * ftl/FTLLowerDFGToB3.cpp:
3602         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3603
3604 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
3605
3606         DFG code should not reify the names of builtin functions with private names
3607         https://bugs.webkit.org/show_bug.cgi?id=198849
3608         <rdar://problem/51733890>
3609
3610         Reviewed by Filip Pizlo.
3611
3612         Builtin functions that have a private name call setHasReifiedName from finishCreation.
3613         When compiled with DFG and FTL, that does not get called and the function ends up reifying
3614         its name. In order to fix that, we initialize FunctionRareData and set m_hasReifiedName to
3615         true from compileNewFunction in both DFG and FTL.
3616
3617         * bytecode/InternalFunctionAllocationProfile.h:
3618         (JSC::InternalFunctionAllocationProfile::offsetOfStructure):
3619         * bytecode/ObjectAllocationProfile.h:
3620         (JSC::ObjectAllocationProfileWithPrototype::offsetOfPrototype):
3621         * bytecode/UnlinkedFunctionExecutable.h:
3622         * dfg/DFGSpeculativeJIT.cpp:
3623         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3624         * ftl/FTLAbstractHeapRepository.h:
3625         * ftl/FTLLowerDFGToB3.cpp:
3626         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3627         * runtime/FunctionExecutable.h:
3628         * runtime/FunctionRareData.h:
3629         * runtime/JSFunction.cpp:
3630         (JSC::JSFunction::finishCreation):
3631         * runtime/JSFunction.h:
3632         * runtime/JSFunctionInlines.h:
3633         (JSC::JSFunction::isAnonymousBuiltinFunction const):
3634
3635 2019-06-18  Keith Miller  <keith_miller@apple.com>
3636
3637         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
3638         https://bugs.webkit.org/show_bug.cgi?id=198969
3639         <rdar://problem/51620714>
3640
3641         Reviewed by Tadeu Zagallo.
3642
3643         Sometimes, if the parser has enough nested scopes,
3644         MaybeParseAsGeneratorForScope can lose track of the ScopeRef it
3645         should be tracking. This is because the parser sometimes relocates
3646         its ScopeRefs. To fix this, MaybeParseAsGeneratorForScope should
3647         hold the scope ref it's watching.
3648
3649         * parser/Parser.cpp:
3650         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
3651         (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope):
3652
3653 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
3654
3655         Validate that table element type is funcref if using an element section
3656         https://bugs.webkit.org/show_bug.cgi?id=198910
3657
3658         Reviewed by Yusuke Suzuki.
3659
3660         Add missing validation when attempting to add an element section to an anyref table.
3661
3662         * wasm/WasmSectionParser.cpp:
3663         (JSC::Wasm::SectionParser::parseElement):
3664
3665 2019-06-17  Tadeu Zagallo  <tzagallo@apple.com>
3666
3667         Concurrent GC should check the conn before starting a new collection cycle
3668         https://bugs.webkit.org/show_bug.cgi?id=198913
3669         <rdar://problem/49515149>
3670
3671         Reviewed by Filip Pizlo.
3672
3673         Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector
3674         thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections
3675         and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent
3676         GC has finished processing the last pending request. The collector thread will runEndPhase and immediately
3677         start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in
3678         the meantime, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn,
3679         since the collector is running but doesn't have the conn anymore.
3680
3681         To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator
3682         has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem
3683         trivial to determine.
3684
3685         * heap/Heap.cpp:
3686         (JSC::Heap::runNotRunningPhase):
3687
3688 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
3689
3690         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
3691         https://bugs.webkit.org/show_bug.cgi?id=197378
3692
3693         Reviewed by Saam Barati.
3694
3695         Some CallSiteIndexes are disposable. This is because some CallSiteIndexes are allocated and freed at runtime (not at DFG/FTL compile time).
3696         The example is the CallSiteIndex for the exception handler in GCAwareJITStubRoutineWithExceptionHandler. If we do not allocate and free CallSiteIndexes,
3697         we will create a new CallSiteIndex continuously and leak memory.
3698
3699         The other CallSiteIndexes are not simply disposable because their ownership model is not a unique one: they can be shared between multiple clients.
3700         But not disposing them is OK because they are static ones: they are allocated when compiling DFG/FTL, and we do not allocate such CallSiteIndexes
3701         at runtime.
3702
3703         To make this difference explicit and avoid accidentally disposing a non-disposable CallSiteIndex, we introduce the DisposableCallSiteIndex type and
3704         enforce type-safety to some degree.
3705
3706         We also correctly update the DisposableCallSiteIndex => CodeOrigin table when we are reusing the previously used DisposableCallSiteIndex.
3707
3708         * bytecode/CodeBlock.cpp:
3709         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
3710         (JSC::CodeBlock::removeExceptionHandlerForCallSite):
3711         * bytecode/CodeBlock.h:
3712         * bytecode/PolymorphicAccess.cpp:
3713         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
3714         (JSC::PolymorphicAccess::regenerate):
3715         * bytecode/PolymorphicAccess.h:
3716         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): Deleted.
3717         * dfg/DFGCommonData.cpp:
3718         (JSC::DFG::CommonData::addUniqueCallSiteIndex):
3719         (JSC::DFG::CommonData::addDisposableCallSiteIndex):
3720         (JSC::DFG::CommonData::removeDisposableCallSiteIndex):
3721         (JSC::DFG::CommonData::removeCallSiteIndex): Deleted.
3722         * dfg/DFGCommonData.h:
3723         * interpreter/CallFrame.h:
3724         (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex):
3725         (JSC::DisposableCallSiteIndex::fromCallSiteIndex):
3726         * jit/GCAwareJITStubRoutine.cpp:
3727         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3728         (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
3729         (JSC::createJITStubRoutine):
3730         * jit/GCAwareJITStubRoutine.h:
3731         * jit/JITInlineCacheGenerator.h:
3732
3733 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
3734
3735         [WASM-References] Add support for Funcref in parameters and return types
3736         https://bugs.webkit.org/show_bug.cgi?id=198157
3737
3738         Reviewed by Yusuke Suzuki.
3739
3740         Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to
3741         a funcref (nee anyfunc), we first make sure it is an exported wasm function or null.
3742
3743         We also add support for Ref.func. Anywhere a Ref.func is used (statically), we construct a JS wrapper
3744         for it so that we never need to construct JSValues when handling references. This should make threads
3745         easier to implement.
3746
3747         Finally, we add some missing bounds checks for table.get/set.
3748
3749         * wasm/WasmAirIRGenerator.cpp:
3750         (JSC::Wasm::AirIRGenerator::tmpForType):
3751         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
3752         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3753         (JSC::Wasm::AirIRGenerator::addLocal):
3754         (JSC::Wasm::AirIRGenerator::addConstant):
3755         (JSC::Wasm::AirIRGenerator::addRefFunc):
3756         (JSC::Wasm::AirIRGenerator::addTableSet):
3757         (JSC::Wasm::AirIRGenerator::setGlobal):
3758         (JSC::Wasm::AirIRGenerator::addReturn):
3759         * wasm/WasmB3IRGenerator.cpp:
3760         (JSC::Wasm::B3IRGenerator::addLocal):
3761         (JSC::Wasm::B3IRGenerator::addTableSet):
3762         (JSC::Wasm::B3IRGenerator::addRefFunc):
3763         (JSC::Wasm::B3IRGenerator::setGlobal):
3764         * wasm/WasmBBQPlan.cpp:
3765         (JSC::Wasm::BBQPlan::compileFunctions):
3766         * wasm/WasmCallingConvention.h:
3767         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3768         (JSC::Wasm::CallingConventionAir::setupCall const):
3769         * wasm/WasmExceptionType.h:
3770         * wasm/WasmFormat.h:
3771         (JSC::Wasm::isValueType):
3772         (JSC::Wasm::isSubtype):
3773         * wasm/WasmFunctionParser.h:
3774         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3775         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
3776         * wasm/WasmInstance.cpp:
3777         (JSC::Wasm::Instance::Instance):
3778         (JSC::Wasm::Instance::getFunctionWrapper const):
3779         (JSC::Wasm::Instance::setFunctionWrapper):
3780         * wasm/WasmInstance.h:
3781         * wasm/WasmModuleInformation.h:
3782         (JSC::Wasm::ModuleInformation::referencedFunctions const):
3783         (JSC::Wasm::ModuleInformation::addReferencedFunction const):
3784         * wasm/WasmSectionParser.cpp:
3785         (JSC::Wasm::SectionParser::parseGlobal):
3786         (JSC::Wasm::SectionParser::parseInitExpr):
3787         * wasm/WasmValidate.cpp:
3788         (JSC::Wasm::Validate::addTableGet):
3789         (JSC::Wasm::Validate::addTableSet):
3790         (JSC::Wasm::Validate::addRefIsNull):
3791         (JSC::Wasm::Validate::addRefFunc):
3792         (JSC::Wasm::Validate::setLocal):
3793         (JSC::Wasm::Validate::addCall):
3794         (JSC::Wasm::Validate::addCallIndirect):
3795         * wasm/js/JSToWasm.cpp:
3796         (JSC::Wasm::createJSToWasmWrapper):
3797         * wasm/js/JSWebAssemblyHelpers.h:
3798         (JSC::isWebAssemblyHostFunction):
3799         * wasm/js/JSWebAssemblyInstance.cpp:
3800         (JSC::JSWebAssemblyInstance::visitChildren):
3801         * wasm/js/JSWebAssemblyRuntimeError.cpp:
3802         (JSC::createJSWebAssemblyRuntimeError):
3803         * wasm/js/JSWebAssemblyRuntimeError.h:
3804         * wasm/js/WasmToJS.cpp:
3805         (JSC::Wasm::handleBadI64Use):
3806         (JSC::Wasm::wasmToJS):
3807         (JSC::Wasm::emitWasmToJSException):
3808         * wasm/js/WasmToJS.h:
3809         * wasm/js/WebAssemblyFunction.cpp:
3810         (JSC::callWebAssemblyFunction):
3811         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3812         * wasm/js/WebAssemblyModuleRecord.cpp:
3813         (JSC::WebAssemblyModuleRecord::link):
3814         * wasm/wasm.json:
3815
3816 2019-06-16  Darin Adler  <darin@apple.com>
3817
3818         Rename AtomicString to AtomString
3819         https://bugs.webkit.org/show_bug.cgi?id=195276
3820
3821         Reviewed by Michael Catanzaro.
3822
3823         * many files: Let do-webcore-rename do the renaming.
3824
3825 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
3826
3827         [JSC] Grown region of WasmTable should be initialized with null
3828         https://bugs.webkit.org/show_bug.cgi?id=198903
3829
3830         Reviewed by Saam Barati.
3831
3832         The grown region of a WasmTable is now empty. We should initialize it with null.
3833         We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to
3834         align with the naming convention.
3835
3836         * wasm/WasmTable.cpp:
3837         (JSC::Wasm::Table::grow):
3838         (JSC::Wasm::Table::visitAggregate):
3839         (JSC::Wasm::Table::visitChildren): Deleted.
3840         * wasm/WasmTable.h:
3841         * wasm/js/JSWebAssemblyTable.cpp:
3842         (JSC::JSWebAssemblyTable::visitChildren):
3843
3844 2019-06-14  Keith Miller  <keith_miller@apple.com>
3845
3846         Restore PAC based cage.
3847         https://bugs.webkit.org/show_bug.cgi?id=198872
3848
3849         Rubber-stamped by Saam Barati.
3850
3851         * assembler/MacroAssemblerARM64.h:
3852         (JSC::MacroAssemblerARM64::bitFieldInsert64):
3853         * assembler/MacroAssemblerARM64E.h:
3854         * assembler/testmasm.cpp:
3855         (JSC::testCagePreservesPACFailureBit):
3856         (JSC::run):
3857         * dfg/DFGSpeculativeJIT.cpp:
3858         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3859         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3860         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3861         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3862         * ftl/FTLLowerDFGToB3.cpp:
3863         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3864         (JSC::FTL::DFG::LowerDFGToB3::caged):
3865         * jit/AssemblyHelpers.h:
3866         (JSC::AssemblyHelpers::cageWithoutUntagging):
3867         (JSC::AssemblyHelpers::cageConditionally):
3868         (JSC::AssemblyHelpers::cage): Deleted.
3869         * jit/JITPropertyAccess.cpp:
3870         (JSC::JIT::emitIntTypedArrayGetByVal):
3871         (JSC::JIT::emitFloatTypedArrayGetByVal):
3872         (JSC::JIT::emitIntTypedArrayPutByVal):
3873         (JSC::JIT::emitFloatTypedArrayPutByVal):
3874         * llint/LowLevelInterpreter.asm:
3875         * llint/LowLevelInterpreter64.asm:
3876         * offlineasm/arm64.rb:
3877         * offlineasm/instructions.rb:
3878         * offlineasm/registers.rb:
3879         * wasm/WasmAirIRGenerator.cpp:
3880         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
3881         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3882         * wasm/WasmB3IRGenerator.cpp:
3883         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3884         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3885         * wasm/WasmBinding.cpp:
3886         (JSC::Wasm::wasmToWasm):
3887         * wasm/js/JSToWasm.cpp:
3888         (JSC::Wasm::createJSToWasmWrapper):
3889         * wasm/js/WebAssemblyFunction.cpp:
3890         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3891
3892 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
3893
3894         Yarr bytecode compilation failure should be gracefully handled
3895         https://bugs.webkit.org/show_bug.cgi?id=198700
3896
3897         Reviewed by Michael Saboff.
3898
3899         Currently, we assume that Yarr bytecode compilation does not fail. But in fact it can fail.
3900         We should gracefully handle this failure as a runtime error, as we did for parse errors in [1].
3901         We also harden Yarr's consumed character calculation by using Checked.
3902
3903         [1]: https://bugs.webkit.org/show_bug.cgi?id=185755
3904
3905         * inspector/ContentSearchUtilities.cpp:
3906         (Inspector::ContentSearchUtilities::findMagicComment):
3907         * runtime/RegExp.cpp:
3908         (JSC::RegExp::byteCodeCompileIfNecessary):
3909         (JSC::RegExp::compile):
3910         (JSC::RegExp::compileMatchOnly):
3911         * runtime/RegExpInlines.h:
3912         (JSC::RegExp::matchInline):
3913         * yarr/YarrErrorCode.cpp:
3914         (JSC::Yarr::errorMessage):
3915         (JSC::Yarr::errorToThrow):
3916         * yarr/YarrErrorCode.h:
3917         * yarr/YarrInterpreter.cpp:
3918         (JSC::Yarr::ByteCompiler::ByteCompiler):
3919         (JSC::Yarr::ByteCompiler::compile):
3920         (JSC::Yarr::ByteCompiler::atomCharacterClass):
3921         (JSC::Yarr::ByteCompiler::atomBackReference):
3922         (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin):
3923         (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin):
3924         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin):