[JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2020-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless of Structure::outOfLineCapacity
4         https://bugs.webkit.org/show_bug.cgi?id=209027
5
6         Reviewed by Saam Barati.
7
8         Delete IC code generation assumes that mayNeedToCheckCell (it is replaced with canCacheDeleteIC) is false,
9         while we are looking into this status only if Structure::outOfLineCapacity meets a certain condition. We should avoid
10         creating a Delete IC when mayNeedToCheckCell/canCacheDeleteIC is true, regardless of Structure::outOfLineCapacity.
11
12         * bytecode/AccessCase.cpp:
13         (JSC::AccessCase::createDelete):
14         (JSC::AccessCase::generateImpl):
15         * runtime/Structure.h:
16         * runtime/StructureInlines.h:
17         (JSC::Structure::mayHaveIndexingHeader const):
18         (JSC::Structure::canCacheDeleteIC const):
19
20 2020-03-13  Alexey Shvayka  <shvaikalesh@gmail.com>
21
22         Bound functions should pass correct NewTarget value
23         https://bugs.webkit.org/show_bug.cgi?id=209057
24
25         Reviewed by Keith Miller.
26
27         This change implements steps 5-6 of bound function's [[Construct]] method [1],
28         fixing bound function subclasses and aligning JSC with V8 and SpiderMonkey.
29
30         [1]: https://tc39.es/ecma262/#sec-bound-function-exotic-objects-construct-argumentslist-newtarget
31
32         * runtime/JSBoundFunction.cpp:
33         (JSC::boundThisNoArgsFunctionConstruct):
34         (JSC::boundFunctionConstruct):
35
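The [[Construct]] steps the entry above refers to, written out as an added example in plain JavaScript; this is not code from the WebKit patch. boundConstruct is this example's own reference implementation of the spec algorithm, and observeNewTarget compares it against what the engine's own bound functions do (Bound.prototype is assigned by hand, because a bound function has no own "prototype" and a class could not otherwise extend it).

```javascript
'use strict';

// Added example, not WebKit code. Reference implementation of the bound
// function [[Construct]](argumentsList, newTarget) algorithm, for a bound
// function F wrapping `target` with `boundArgs`.
function boundConstruct(F, target, boundArgs, argumentsList, newTarget) {
  if (typeof target !== 'function') throw new TypeError('target is not a constructor');
  const args = [...boundArgs, ...argumentsList];        // step 4: boundArgs followed by argumentsList
  if (Object.is(F, newTarget)) newTarget = target;       // steps 5-6: `new F()` must not leak F as new.target
  return Reflect.construct(target, args, newTarget);     // step 7: Construct(target, args, newTarget)
}

// Constructor that records the new.target it was invoked with.
function Target(...args) {
  this.seenNewTarget = new.target;
  this.args = args;
}

function observeNewTarget() {
  const Bound = Target.bind(null, 'pre');
  // Bound functions have no own "prototype"; give it one so a class can extend it.
  Bound.prototype = Target.prototype;
  class Sub extends Bound {}                             // super() constructs Bound with new.target === Sub

  const direct = new Bound('x');                         // engine: newTarget === Bound, rewritten to Target
  const sub = new Sub('y');                              // engine: newTarget === Sub, passed through unchanged
  const ref = boundConstruct(Bound, Target, ['pre'], ['x'], Bound);
  const refSub = boundConstruct(Bound, Target, ['pre'], ['y'], Sub);

  return {
    directNewTarget: direct.seenNewTarget === Target,
    subNewTarget: sub.seenNewTarget === Sub,
    subIsInstance: sub instanceof Sub && sub instanceof Target,
    refNewTarget: ref.seenNewTarget === Target,
    refSubNewTarget: refSub.seenNewTarget === Sub && refSub instanceof Sub,
    argsForwarded: direct.args.join() === 'pre,x' && sub.args.join() === 'pre,y' && refSub.args.join() === 'pre,y',
  };
}
```

Every field of observeNewTarget() is true on an engine that implements steps 5-6; before this fix the subclass case would have seen the bound function, not Sub, as new.target.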
36 2020-03-13  Yusuke Suzuki  <ysuzuki@apple.com>
37
38         Unreviewed, change ASSERT to ASSERT_WITH_SECURITY_IMPLICATION since it is now enabled under ENABLE(SECURITY_ASSERTIONS)
39         https://bugs.webkit.org/show_bug.cgi?id=209041
40         <rdar://problem/59705631>
41
42         * runtime/JSCast.h:
43         (JSC::jsCast):
44
45 2020-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
46
47         Report crashed cell in jsCast in debug builds
48         https://bugs.webkit.org/show_bug.cgi?id=209041
49         <rdar://problem/59705631>
50
51         Reviewed by Mark Lam.
52
53         To collect more information when crashing with jsCast, we attempt to use reportZappedCellAndCrash.
54         If it succeeds, we can get more information in registers. We enable this only for ASSERT_ENABLED
55         builds. For non-ASSERT_ENABLED builds, we keep the original assertion since this assertion can be enabled
56         via ENABLE(SECURITY_ASSERTIONS).
57
58         * heap/SlotVisitor.cpp:
59         (JSC::SlotVisitor::appendToMarkStack):
60         (JSC::SlotVisitor::visitChildren):
61         (JSC::SlotVisitor::reportZappedCellAndCrash): Deleted.
62         * heap/SlotVisitor.h:
63         * runtime/JSCast.h:
64         (JSC::jsCast):
65         * runtime/JSCell.cpp:
66         (JSC::reportZappedCellAndCrash):
67         * runtime/JSCell.h:
68
69 2020-03-12  Keith Miller  <keith_miller@apple.com>
70
71         DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
72         https://bugs.webkit.org/show_bug.cgi?id=209035
73
74         Reviewed by Saam Barati.
75
76         It might be possible to produce a graph where the last reference to a TypedArray
77         is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
78         TypedArray in B3 we may end up not keeping the TypedArray alive until after the
79         storage access.
80
81         * ftl/FTLLowerDFGToB3.cpp:
82         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
83         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
84         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
85
86 2020-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
87
88         [JSC] Use CacheableIdentifier in ByValInfo
89         https://bugs.webkit.org/show_bug.cgi?id=208978
90
91         Reviewed by Saam Barati.
92
93         CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier.
94         However, finalizeUnconditionally only guarantees that the main thread is not working. It can be invoked
95         in the heap thread, and it does not set the AtomStringTable for this heap thread. If Identifier destroys an
96         AtomStringImpl there, the AtomStringImpl fails to unregister itself from the table.
97
98         In this patch,
99
100             1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase.
101             2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally.
102
103         * CMakeLists.txt:
104         * JavaScriptCore.xcodeproj/project.pbxproj:
105         * Sources.txt:
106         * bytecode/ByValInfo.cpp: Added.
107         (JSC::ByValInfo::visitAggregate):
108         * bytecode/ByValInfo.h:
109         * bytecode/CodeBlock.cpp:
110         (JSC::CodeBlock::stronglyVisitStrongReferences):
111         * bytecode/CodeBlock.h:
112         * dfg/DFGByteCodeParser.cpp:
113         (JSC::DFG::ByteCodeParser::handlePutByVal):
114         * heap/Heap.cpp:
115         (JSC::Heap::runEndPhase):
116         * jit/JIT.h:
117         * jit/JITOperations.cpp:
118         * jit/JITPropertyAccess.cpp:
119         (JSC::JIT::emitByValIdentifierCheck):
120         * runtime/CacheableIdentifier.h:
121
122 2020-03-11  Keith Miller  <keith_miller@apple.com>
123
124         Test262-runner should always consider crashes as new failures
125         https://bugs.webkit.org/show_bug.cgi?id=208943
126
127         Reviewed by Yusuke Suzuki.
128
129         BigInt.asUintN() / BigInt.asIntN() should not crash when called even if we have
130         not implemented them yet...
131
132         * runtime/BigIntConstructor.cpp:
133         (JSC::bigIntConstructorFuncAsUintN):
134         (JSC::bigIntConstructorFuncAsIntN):
135
136 2020-03-11  Keith Miller  <keith_miller@apple.com>
137
138         Throws incorrectly a syntax error when declaring a top level catch variable the same as a parameter
139         https://bugs.webkit.org/show_bug.cgi?id=189914
140
141         Reviewed by Saam Barati.
142
143         When we are parsing catch block parameters we should increment the statement depth so we don't think
144         we are trying to shadow top level lexical variables in the same statement depth.
145
146         * parser/Parser.cpp:
147         (JSC::Parser<LexerType>::parseTryStatement):
148
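An added example (not WebKit code) of the catch-parameter scoping rules this fix is about: parsesAsFunction feeds each form to `new Function` and reports whether the engine accepts it, and shadowingAtRuntime shows the function parameter becoming visible again after the catch block. Both helper names are this example's own.

```javascript
'use strict';

// Added example, not WebKit code. Which catch-parameter forms the early-error
// rules accept: a catch parameter lives in its own scope, so it may shadow a
// function parameter or an outer lexical binding; only redeclarations inside
// the catch block itself are errors (with the Annex B allowance for `var`).

// Parses `function (params) { body }` and reports whether it is accepted.
// new Function only parses here; the function is never called.
function parsesAsFunction(params, body) {
  try {
    new Function(params, body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

function catchParameterCases() {
  return {
    // bug 189914: JSC rejected this because the catch parameter looked like a
    // redeclaration of the parameter at the same statement depth.
    catchShadowsParameter: parsesAsFunction('e', 'try {} catch (e) {}'),
    // An outer `let` is a different scope; shadowing it is fine.
    catchShadowsOuterLet: parsesAsFunction('', 'let e; try {} catch (e) {}'),
    // Annex B.3.4: `var` may rebind a simple (identifier) catch parameter.
    varRedeclaresCatchParam: parsesAsFunction('', 'try {} catch (e) { var e; }'),
    // Lexical redeclaration inside the catch block is an early error.
    letRedeclaresCatchParam: parsesAsFunction('', 'try {} catch (e) { let e; }'),
    // The Annex B allowance does not extend to destructuring parameters.
    varRedeclaresPatternParam: parsesAsFunction('', 'try {} catch ([e]) { var e; }'),
  };
}

// Runtime view of the same scoping: inside the catch block `e` is the caught
// value; after it, the function parameter is visible again.
function shadowingAtRuntime(e) {
  let inside;
  try {
    throw 'caught';
  } catch (e) {
    inside = e;
  }
  return { inside, outside: e };
}
```

The first three cases parse and the last two are SyntaxErrors; the bug fixed here made JSC reject the first one as well.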
149 2020-03-10  Yusuke Suzuki  <ysuzuki@apple.com>
150
151         [JSC] Fix iso-subspace static_assert for JSJavaScriptCallFramePrototype
152         https://bugs.webkit.org/show_bug.cgi?id=208874
153
154         Reviewed by Saam Barati.
155
156         This static_assert should ensure the condition for JSJavaScriptCallFramePrototype, not for JSInjectedScriptHostPrototype.
157
158         * inspector/JSJavaScriptCallFramePrototype.h:
159
160 2020-03-09  Don Olmstead  <don.olmstead@sony.com>
161
162         Remove obsolete feature flags
163         https://bugs.webkit.org/show_bug.cgi?id=208830
164
165         Reviewed by Alex Christensen.
166
167         Remove ENABLE_CUSTOM_SCHEME_HANDLER and ENABLE_MAC_VIDEO_TOOLBOX since they
168         are no longer used.
169
170         * Configurations/FeatureDefines.xcconfig:
171
172 2020-03-09  Alexey Shvayka  <shvaikalesh@gmail.com>
173
174         @putByValDirect does not perform [[DefineOwnProperty]] correctly
175         https://bugs.webkit.org/show_bug.cgi?id=208708
176
177         Reviewed by Yusuke Suzuki.
178
179         This change adds inSparseIndexingMode() check to canDoFastPutDirectIndex(), fixing slow path
180         of @putByValDirect() to perform [[DefineOwnProperty]] according to spec [1] and aligning JSC
181         with V8 and SpiderMonkey.
182
183         This patch preserves existing behavior for Arguments exotic objects (thus the checks order)
184         and aligns slow path checks in JSObject::putDirectIndexSlowOrBeyondVectorLength
185         with JSObject::defineOwnIndexedProperty.
186
187         JetStream2 benchmark is neutral.
188
189         [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor
190
191         * runtime/JSObject.cpp:
192         (JSC::canDoFastPutDirectIndex):
193
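An added example, not code from the WebKit patch, showing the user-visible side of the [[DefineOwnProperty]] semantics the entry refers to: Array.from stores each element with CreateDataPropertyOrThrow, and constructing the result with a pre-existing index property forces that define onto an existing property with chosen attributes. The helper names (makeCtorWithIndex0, defineOverExistingIndex, createDataPropertyAllowed, defineOwnPropertyCases) are this example's own; that JSC routes this particular builtin through @putByValDirect is an assumption, while the observable outcomes follow from the spec either way.

```javascript
'use strict';

// Added example, not WebKit code. Array.from stores each element with
// CreateDataPropertyOrThrow, i.e. [[DefineOwnProperty]](index,
// { value, writable: true, enumerable: true, configurable: true }) that
// throws a TypeError when the define is rejected. Pre-populating index 0 with
// chosen attributes shows which existing properties such a define may replace.

// Constructor whose result already owns index "0" with the given attributes.
// Array.from.call(Ctor, iterable) then has to define over that property.
function makeCtorWithIndex0(attrs) {
  return function Ctor() {
    const obj = [];                       // an array, so the store goes through the indexed paths
    Object.defineProperty(obj, '0', { value: 'old', ...attrs });
    return obj;
  };
}

// Runs Array.from against such a constructor and reports the outcome.
function defineOverExistingIndex(attrs) {
  try {
    const result = Array.from.call(makeCtorWithIndex0(attrs), ['new']);
    const d = Object.getOwnPropertyDescriptor(result, '0');
    return { threw: false, value: d.value, writable: d.writable, enumerable: d.enumerable, configurable: d.configurable };
  } catch (err) {
    if (err instanceof TypeError) return { threw: true };
    throw err;
  }
}

// Reference ValidateAndApplyPropertyDescriptor outcome for an existing data
// property when the requested descriptor is the CreateDataProperty one.
function createDataPropertyAllowed(current) {
  if (current === undefined) return true;                 // absent: always definable
  if (current.configurable) return true;                  // configurable: anything may change
  return false;                                           // configurable:true requested on a non-configurable property
}

function defineOwnPropertyCases() {
  const attrsList = {
    configurableReadOnly:    { writable: false, enumerable: false, configurable: true },
    frozenIndex:             { writable: false, enumerable: true,  configurable: false },
    nonConfigurableWritable: { writable: true,  enumerable: true,  configurable: false },
  };
  const out = {};
  for (const [label, attrs] of Object.entries(attrsList)) {
    out[label] = defineOverExistingIndex(attrs);
    out[label].expectedToSucceed = createDataPropertyAllowed({ value: 'old', ...attrs });
  }
  return out;
}
```

A configurable read-only index is replaced wholesale (value "new", writable and configurable both true afterwards); the two non-configurable variants are rejected with a TypeError, even the writable one, because the define asks to flip configurable back to true. A plain `obj[0] = 'new'` is a [[Set]] and would behave differently; the point of the fix is that the builtins' define path does not fall back to [[Set]] semantics in sparse mode.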
194 2020-03-09  Antoine Quint  <graouts@apple.com>
195
196         Remove the compile-time flag for Pointer Events
197         https://bugs.webkit.org/show_bug.cgi?id=208821
198         <rdar://problem/60223471>
199
200         Reviewed by Dean Jackson.
201
202         * Configurations/FeatureDefines.xcconfig:
203
204 2020-03-09  Caio Lima  <ticaiolima@gmail.com>
205
206         Tail calls are broken on ARM_THUMB2 and MIPS
207         https://bugs.webkit.org/show_bug.cgi?id=197797
208
209         Reviewed by Yusuke Suzuki.
210
211         `prepareForTailCall` operation expects that header size + parameters
212         size is aligned with stack (alignment is 16-bytes for every architecture).
213         This means that headerSizeInBytes + argumentsIncludingThisInBytes needs
214         to be multiple of 16. This was not being preserved during getter IC code
215         for 32-bits. The code generated was taking into account only
216         headerSizeInRegisters (it is 4 on 32-bits) and argumentsIncludingThis
217         (that is always 1 for getters) and allocating 32-bytes when applying
218         operation `(headerSize + argumentsIncludingThis) * 8 - sizeof(CallerFrameAndPC)`.
219         This results in a stack frame with size of 40 bytes (after we push
220         `lr` and `sp`). Since `prepareForTailCall` expects frames to be
221         16-bytes aligned, it will then calculate the top of such frame
222         considering it is 48 bytes, clobbering values of previous frame and
223         causing unexpected behavior. This patch is fixing how this IC code
224         calculates the stack frame using `roundArgumentCountToAlignFrame(numberOfParameters)`
225         aligning with what we do on code without IC installed.
226         This was not a problem for getter and setter IC on 64-bits because
227         `roundArgumentCountToAlignFrame(1) == 1` and `roundArgumentCountToAlignFrame(2) == 3`
228         while it is `roundArgumentCountToAlignFrame(1) == 2` and
229         `roundArgumentCountToAlignFrame(2) == 2` for MIPS and ARMv7.
230
231         * bytecode/AccessCase.cpp:
232         (JSC::AccessCase::generateImpl):
233
234 2020-03-08  Brady Eidson  <beidson@apple.com>
235
236         Remember completed subranges during incremental PDF loading.
237         https://bugs.webkit.org/show_bug.cgi?id=208785
238
239         Reviewed by Tim Horton.
240
241         Move 'using WTF::Range' from the WTF/Range.h header to these JSC users.
242         
243         The alternative to making these 3 changes was to make over 20 changes up in the WebCore/WebKits
244         to resolve the conflict with WebCore::Range.
245         
246         * b3/B3HeapRange.h:
247         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
248         * heap/JITStubRoutineSet.h:
249
250 2020-03-07  Alexey Shvayka  <shvaikalesh@gmail.com>
251
252         REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON
253         https://bugs.webkit.org/show_bug.cgi?id=208766
254
255         Reviewed by Yusuke Suzuki.
256
257         * runtime/JSONObject.cpp:
258         (JSC::Stringifier::toJSON): Add missing RELEASE_AND_RETURN.
259
260 2020-03-07  Mark Lam  <mark.lam@apple.com>
261
262         Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
263         https://bugs.webkit.org/show_bug.cgi?id=208764
264         <rdar://problem/59940095>
265
266         Reviewed by Keith Miller.
267
268         The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal
269         JS to pass in the same value as the base and subscript.  The runtime will handle
270         it properly.
271
272         * ftl/FTLLowerDFGToB3.cpp:
273         (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
274
275 2020-03-05  Sam Weinig  <weinig@apple.com>
276
277         Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h
278         https://bugs.webkit.org/show_bug.cgi?id=207436
279         <rdar://problem/59296762>
280
281         Reviewed by Darin Adler.
282
283         * Configurations/FeatureDefines.xcconfig:
284         Remove JSC related defines.
285
286 2020-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
287
288         [JSC] Enable public class fields
289         https://bugs.webkit.org/show_bug.cgi?id=208756
290
291         Reviewed by Mark Lam.
292
293         This patch turns public-class-fields feature on, implemented in r254653.
294         To separate it from private-class-fields, this patch renames the flag from useClassFields to usePublicClassFields,
295         and enables the public-class-fields feature first.
296
297         * bytecompiler/BytecodeGenerator.cpp:
298         (JSC::BytecodeGenerator::BytecodeGenerator):
299         * bytecompiler/NodesCodegen.cpp:
300         (JSC::FunctionCallValueNode::emitBytecode):
301         * parser/Parser.cpp:
302         (JSC::Parser<LexerType>::parseClass):
303         * runtime/OptionsList.h:
304
305 2020-03-06  Mark Lam  <mark.lam@apple.com>
306
307         Add "AndOrdered" to the names of ordered DoubleConditions.
308         https://bugs.webkit.org/show_bug.cgi?id=208736
309
310         Reviewed by Keith Miller.
311
312         Renamed the following:
313             DoubleEqual ==> DoubleEqualAndOrdered
314             DoubleNotEqual ==> DoubleNotEqualAndOrdered
315             DoubleGreaterThan ==> DoubleGreaterThanAndOrdered
316             DoubleGreaterThanOrEqual ==> DoubleGreaterThanOrEqualAndOrdered
317             DoubleLessThan ==> DoubleLessThanAndOrdered
318             DoubleLessThanOrEqual ==> DoubleLessThanOrEqualAndOrdered
319
320         The comment for these enums in MacroAssemblerARM64.h says:
321             // These conditions will only evaluate to true if the comparison is ordered - i.e. neither operand is NaN.
322
323         Adding "AndOrdered" to their names makes this property explicit.
324
325         From reading the original names, one might intuitively think that these conditions
326         map directly to the C++ double comparisons.  This intuition is incorrect.
327         Consider the DoubleNotEqual case: let's compare 2 doubles, a and b:
328
329             result = (a != b);
330
331         For C++, if either a or b is a NaN, then a != b will actually return true.
332         This is contrary to the behavior documented in the MacroAssemblerARM64.h comment
333         above about how DoubleNotEqual should behave.  In our code, DoubleNotEqual actually
334         means DoubleNotEqualAndOrdered.  The C++ != behavior actually matches our
335         DoubleNotEqualOrUnordered condition instead.
336
337         The tendency to want to associate DoubleNotEqual with the behavior of the C++
338         != operator is precisely why we should give these conditions better names.
339         Adding the "AndOrdered" name makes the expected behavior explicit in the name, and
340         leaves no room for confusion with C++ double comparison semantics.
341
342         * assembler/MacroAssembler.cpp:
343         (WTF::printInternal):
344         * assembler/MacroAssembler.h:
345         (JSC::MacroAssembler::invert):
346         * assembler/MacroAssemblerARM64.h:
347         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
348         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
349         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
350         (JSC::MacroAssemblerARM64::floatingPointCompare):
351         * assembler/MacroAssemblerARMv7.h:
352         (JSC::MacroAssemblerARMv7::branchDouble):
353         * assembler/MacroAssemblerMIPS.h:
354         (JSC::MacroAssemblerMIPS::branchDouble):
355         (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
356         * assembler/MacroAssemblerX86Common.h:
357         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
358         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
359         (JSC::MacroAssemblerX86Common::invert):
360         (JSC::MacroAssemblerX86Common::floatingPointCompare):
361         (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare):
362         (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare):
363         * assembler/MacroAssemblerX86_64.h:
364         (JSC::MacroAssemblerX86_64::truncateDoubleToUint64):
365         (JSC::MacroAssemblerX86_64::truncateFloatToUint64):
366         * assembler/testmasm.cpp:
367         (JSC::testCompareDouble):
368         (JSC::testCompareDoubleSameArg):
369         (JSC::testMoveConditionallyFloatingPoint):
370         (JSC::testMoveDoubleConditionallyDouble):
371         (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase):
372         (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase):
373         (JSC::testMoveDoubleConditionallyFloat):
374         (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase):
375         (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase):
376         (JSC::testMoveConditionallyFloatingPointSameArg):
377         (JSC::run):
378         * b3/B3LowerToAir.cpp:
379         * dfg/DFGSpeculativeJIT.cpp:
380         (JSC::DFG::compileClampDoubleToByte):
381         (JSC::DFG::SpeculativeJIT::compileArithRounding):
382         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
383         (JSC::DFG::SpeculativeJIT::compileArithPow):
384         (JSC::DFG::SpeculativeJIT::compileStrictEq):
385         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
386         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
387         * dfg/DFGSpeculativeJIT32_64.cpp:
388         (JSC::DFG::SpeculativeJIT::compile):
389         * dfg/DFGSpeculativeJIT64.cpp:
390         (JSC::DFG::SpeculativeJIT::compile):
391         * ftl/FTLLowerDFGToB3.cpp:
392         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
393         * jit/AssemblyHelpers.h:
394         (JSC::AssemblyHelpers::branchIfNotNaN):
395         * jit/JITArithmetic.cpp:
396         (JSC::JIT::emitSlow_op_jless):
397         (JSC::JIT::emitSlow_op_jlesseq):
398         (JSC::JIT::emitSlow_op_jgreater):
399         (JSC::JIT::emitSlow_op_jgreatereq):
400         * jit/JITArithmetic32_64.cpp:
401         (JSC::JIT::emitBinaryDoubleOp):
402         * jit/ThunkGenerators.cpp:
403         (JSC::floorThunkGenerator):
404         (JSC::roundThunkGenerator):
405         * wasm/WasmAirIRGenerator.cpp:
406         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
407         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
408         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
409         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
410         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
411         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
412         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
413         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
414         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
415         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
416         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
417
418 2020-03-06  David Kilzer  <ddkilzer@apple.com>
419
420         REGRESSION (r258038): Build failure on Windows 10 bots
421         <https://bugs.webkit.org/show_bug.cgi?id=208731>
422         <rdar://problem/59222568>
423
424         * assembler/testmasm.cpp:
425         (JSC::testCompareDouble):
426         (JSC::testCompareDoubleSameArg):
427         (JSC::testMoveConditionallyFloatingPoint):
428         (JSC::testMoveConditionallyFloatingPointSameArg):
429         - Add RELEASE_ASSERT_NOT_REACHED() statements to try to fix the
430           bots.
431
432 2020-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         Put remaining fixed-sized cells into IsoSubspace
435         https://bugs.webkit.org/show_bug.cgi?id=208754
436
437         Reviewed by Keith Miller.
438
439         Put remaining fixed-sized cells into IsoSubspace. Now all the fixed-sized cells have their own IsoSubspaces.
440
441         1. JSArray (We need to care about RAMification number, or compensate RAMification regression with improvements).
442         2. Inspector's objects
443         3. All prototype objects have one IsoSubspace since they are plain objects.
444
445         * inspector/JSInjectedScriptHost.cpp:
446         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
447         * inspector/JSInjectedScriptHost.h:
448         * inspector/JSInjectedScriptHostPrototype.h:
449         * inspector/JSJavaScriptCallFrame.cpp:
450         (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
451         * inspector/JSJavaScriptCallFrame.h:
452         * inspector/JSJavaScriptCallFramePrototype.h:
453         * jsc.cpp:
454         (JSC::Masquerader::subspaceFor):
455         (JSCMemoryFootprint::subspaceFor):
456         * runtime/ArrayIteratorPrototype.h:
457         * runtime/ArrayPrototype.h:
458         * runtime/AsyncFromSyncIteratorPrototype.h:
459         * runtime/AsyncFunctionPrototype.h:
460         * runtime/AsyncGeneratorFunctionPrototype.h:
461         * runtime/AsyncGeneratorPrototype.h:
462         * runtime/AsyncIteratorPrototype.h:
463         * runtime/AtomicsObject.h:
464         * runtime/BigIntPrototype.h:
465         * runtime/ConsoleObject.h:
466         * runtime/DatePrototype.h:
467         * runtime/ErrorPrototype.h:
468         * runtime/ExceptionHelpers.h:
469         * runtime/GeneratorFunctionPrototype.h:
470         * runtime/GeneratorPrototype.h:
471         * runtime/InspectorInstrumentationObject.h:
472         * runtime/IntlCollatorPrototype.h:
473         * runtime/IntlDateTimeFormatPrototype.h:
474         * runtime/IntlNumberFormatPrototype.h:
475         * runtime/IntlObject.h:
476         * runtime/IntlPluralRulesPrototype.h:
477         * runtime/IteratorPrototype.h:
478         * runtime/JSArray.h:
479         (JSC::JSArray::subspaceFor):
480         * runtime/JSArrayBufferPrototype.h:
481         * runtime/JSDataViewPrototype.h:
482         * runtime/JSDestructibleObject.h:
483         (JSC::JSDestructibleObject::subspaceFor): Deleted.
484         * runtime/JSGenericTypedArrayViewPrototype.h:
485         * runtime/JSModuleLoader.h:
486         * runtime/JSONObject.h:
487         * runtime/JSObject.h:
488         * runtime/JSObjectInlines.h:
489         (JSC::JSFinalObject::subspaceFor):
490         (JSC::JSObject::subspaceFor): Deleted.
491         * runtime/JSPromisePrototype.h:
492         (JSC::JSPromisePrototype::subspaceFor):
493         * runtime/JSTypedArrayViewPrototype.h:
494         * runtime/MapIteratorPrototype.h:
495         * runtime/MapPrototype.h:
496         * runtime/MathObject.h:
497         * runtime/NativeErrorPrototype.h:
498         * runtime/ObjectPrototype.h:
499         * runtime/ReflectObject.h:
500         * runtime/RegExpPrototype.h:
501         * runtime/RegExpStringIteratorPrototype.h:
502         * runtime/SetIteratorPrototype.h:
503         * runtime/SetPrototype.h:
504         * runtime/StringIteratorPrototype.h:
505         * runtime/SymbolPrototype.h:
506         * runtime/VM.cpp:
507         (JSC::VM::VM):
508         * runtime/VM.h:
509         * runtime/WeakMapPrototype.h:
510         * runtime/WeakObjectRefPrototype.h:
511         * runtime/WeakSetPrototype.h:
512         * tools/JSDollarVM.cpp:
513         * tools/JSDollarVM.h:
514         * wasm/js/JSWebAssembly.h:
515         * wasm/js/WebAssemblyCompileErrorPrototype.h:
516         * wasm/js/WebAssemblyGlobalPrototype.h:
517         * wasm/js/WebAssemblyInstancePrototype.h:
518         * wasm/js/WebAssemblyLinkErrorPrototype.h:
519         * wasm/js/WebAssemblyMemoryPrototype.h:
520         * wasm/js/WebAssemblyModulePrototype.h:
521         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
522         * wasm/js/WebAssemblyTablePrototype.h:
523
524 2020-03-06  Alexey Shvayka  <shvaikalesh@gmail.com>
525
526         JSON.stringify should call replacer on deleted properties
527         https://bugs.webkit.org/show_bug.cgi?id=208725
528
529         Reviewed by Ross Kirsling.
530
531         This change removes extra `hasProperty` check from `appendNextProperty` as
532         it does not exist in the spec [1], aligning JSC with V8 and SpiderMonkey.
533
534         This patch also replaces 3 usages of `getPropertySlot` with semantically
535         equivalent (yet more concise) `get` and inlines `toJSONImpl` (this change
536         is performance-neutral).
537
538         [1]: https://tc39.es/ecma262/#sec-serializejsonobject (steps 6, 8.a)
539
540         * runtime/JSONObject.cpp:
541         (JSC::Stringifier::toJSON):
542         (JSC::Stringifier::Holder::appendNextProperty):
543         (JSC::Stringifier::toJSONImpl): Deleted.
544
545 2020-03-06  Mark Lam  <mark.lam@apple.com>
546
547         Fix some issues in the ARM64 moveConditionallyAfterFloatingPointCompare() and moveDoubleConditionallyAfterFloatingPointCompare().
548         https://bugs.webkit.org/show_bug.cgi?id=208731
549         <rdar://problem/59222568>
550
551         Reviewed by Saam Barati.
552
553         Both the ARM64 moveConditionallyAfterFloatingPointCompare() and
554         moveDoubleConditionallyAfterFloatingPointCompare() had the following issues:
555
556         1. For the DoubleNotEqual condition, they fail to set the result register if
557            one or both of the comparison operands is a NaN.
558
559         2. For the DoubleEqualOrUnordered condition, they can clobber the else case
560            input register if one of the comparison operands is a NaN.
561
562         This patch fixes both of these, and adds exhaustive testmasm test cases for affected
563         MacroAssembler instruction emitters using these functions.
564
565         * assembler/MacroAssemblerARM64.h:
566         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
567         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
568         * assembler/testmasm.cpp:
569         (JSC::testCompareDouble):
570         (JSC::testCompareDoubleSameArg):
571         (JSC::testMoveConditionallyFloatingPoint):
572         (JSC::testMoveConditionallyDouble2):
573         (JSC::testMoveConditionallyDouble3):
574         (JSC::testMoveConditionallyDouble3DestSameAsThenCase):
575         (JSC::testMoveConditionallyDouble3DestSameAsElseCase):
576         (JSC::testMoveConditionallyFloat2):
577         (JSC::testMoveConditionallyFloat3):
578         (JSC::testMoveConditionallyFloat3DestSameAsThenCase):
579         (JSC::testMoveConditionallyFloat3DestSameAsElseCase):
580         (JSC::testMoveDoubleConditionallyDouble):
581         (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase):
582         (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase):
583         (JSC::testMoveDoubleConditionallyFloat):
584         (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase):
585         (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase):
586         (JSC::testMoveConditionallyFloatingPointSameArg):
587         (JSC::testMoveConditionallyDouble2SameArg):
588         (JSC::testMoveConditionallyDouble3SameArg):
589         (JSC::testMoveConditionallyFloat2SameArg):
590         (JSC::testMoveConditionallyFloat3SameArg):
591         (JSC::testMoveDoubleConditionallyDoubleSameArg):
592         (JSC::testMoveDoubleConditionallyFloatSameArg):
593         (JSC::run):
594
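An added example, not WebKit code, serving both the "AndOrdered" renaming entry (bug 208736) and the ARM64 moveConditionally fix above (bug 208731): it models the ordered/unordered split of the DoubleCondition set as plain predicates, checks that each condition and its logical complement disagree on every operand pair including NaN, and runs a testmasm-style exhaustive check of a moveConditionally implementation against that table. The condition table, complement map, referenceMove, unorderedPathSkipsWrite (which models issue 1 of the fix, the destination never being written on the unordered path) and checkMoveConditionally are this example's own; the complement map is the logical inverse, not a copy of JSC's invert().

```javascript
'use strict';

// Added example, not WebKit code. Models the ordered/unordered split of the
// MacroAssembler DoubleCondition enum: an "AndOrdered" condition is only true
// when neither operand is NaN, an "OrUnordered" one is true whenever either is.
const ordered = (a, b) => !Number.isNaN(a) && !Number.isNaN(b);

const DoubleCondition = {
  DoubleEqualAndOrdered:               (a, b) => ordered(a, b) && a === b,
  DoubleNotEqualAndOrdered:            (a, b) => ordered(a, b) && a !== b,
  DoubleGreaterThanAndOrdered:         (a, b) => ordered(a, b) && a > b,
  DoubleGreaterThanOrEqualAndOrdered:  (a, b) => ordered(a, b) && a >= b,
  DoubleLessThanAndOrdered:            (a, b) => ordered(a, b) && a < b,
  DoubleLessThanOrEqualAndOrdered:     (a, b) => ordered(a, b) && a <= b,
  DoubleEqualOrUnordered:              (a, b) => !ordered(a, b) || a === b,
  DoubleNotEqualOrUnordered:           (a, b) => !ordered(a, b) || a !== b, // what C++ `a != b` means
  DoubleGreaterThanOrUnordered:        (a, b) => !ordered(a, b) || a > b,
  DoubleGreaterThanOrEqualOrUnordered: (a, b) => !ordered(a, b) || a >= b,
  DoubleLessThanOrUnordered:           (a, b) => !ordered(a, b) || a < b,
  DoubleLessThanOrEqualOrUnordered:    (a, b) => !ordered(a, b) || a <= b,
};

// Logical complement of each condition (what an invert() has to produce):
// negate the comparison and swap AndOrdered <-> OrUnordered.
const complement = {
  DoubleEqualAndOrdered: 'DoubleNotEqualOrUnordered',
  DoubleNotEqualAndOrdered: 'DoubleEqualOrUnordered',
  DoubleGreaterThanAndOrdered: 'DoubleLessThanOrEqualOrUnordered',
  DoubleGreaterThanOrEqualAndOrdered: 'DoubleLessThanOrUnordered',
  DoubleLessThanAndOrdered: 'DoubleGreaterThanOrEqualOrUnordered',
  DoubleLessThanOrEqualAndOrdered: 'DoubleGreaterThanOrUnordered',
};
for (const [cond, inv] of Object.entries(complement)) complement[inv] = cond;

// Constructed operand set for exhaustive checks; the NaN pairs are the interesting ones.
const operands = [-Infinity, -1, -0, 0, 1, 2.5, Infinity, NaN];
const pairs = operands.flatMap((a) => operands.map((b) => [a, b]));

// Pairs on which `name` and its complement fail to disagree, or on which the
// ordered/unordered rule is violated. Empty means the condition is consistent.
function inconsistentPairs(name) {
  const pred = DoubleCondition[name];
  const inv = DoubleCondition[complement[name]];
  return pairs.filter(([a, b]) =>
    pred(a, b) === inv(a, b)
    || (name.endsWith('AndOrdered') && !ordered(a, b) && pred(a, b))
    || (name.endsWith('OrUnordered') && !ordered(a, b) && !pred(a, b)));
}

function allConditionsConsistent() {
  return Object.keys(DoubleCondition).every((name) => inconsistentPairs(name).length === 0);
}

// Reference for moveConditionally(cond, a, b, then, else): the destination is
// written on every path, so the stale content `dest` must never survive.
function referenceMove(cond, a, b, thenValue, elseValue, dest) {
  return DoubleCondition[cond](a, b) ? thenValue : elseValue;
}

// Models issue 1 of the ARM64 fix: on the unordered path the emitter for
// DoubleNotEqual never wrote the result register, so `dest` leaks through.
function unorderedPathSkipsWrite(cond, a, b, thenValue, elseValue, dest) {
  if (cond === 'DoubleNotEqualAndOrdered' && !ordered(a, b)) return dest;
  return referenceMove(cond, a, b, thenValue, elseValue, dest);
}

// Exhaustive testmasm-style check of a move implementation against the
// condition table; returns [condition, a, b] for every mismatch.
function checkMoveConditionally(impl) {
  const failures = [];
  for (const name of Object.keys(DoubleCondition)) {
    for (const [a, b] of pairs) {
      const expected = DoubleCondition[name](a, b) ? 'then' : 'else';
      if (impl(name, a, b, 'then', 'else', 'stale') !== expected) failures.push([name, a, b]);
    }
  }
  return failures;
}

// C++ `a != b` (and JS `!=`) is true for NaN operands: that is NotEqualOrUnordered.
function cppNotEqualIsOrUnordered() {
  return pairs.every(([a, b]) => (a != b) === DoubleCondition.DoubleNotEqualOrUnordered(a, b));
}
```

Of the 64 operand pairs, 15 involve a NaN; checkMoveConditionally(unorderedPathSkipsWrite) reports exactly those 15, all under DoubleNotEqualAndOrdered, while the reference implementation reports none. The same exhaustive shape is what makes the NaN mistakes in an assembler emitter visible, since a test set without NaN operands cannot tell the AndOrdered and OrUnordered variants apart.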
595 2020-03-05  Paulo Matos  <pmatos@igalia.com>
596
597         [JSCOnly] 32-bits warning on memset of JSValue
598         https://bugs.webkit.org/show_bug.cgi?id=204411
599
600         Reviewed by Mark Lam.
601
602         Fixes warning on 32bit builds. This is required because GCC knows
603         it is not safe to use memset on non-POD types and warns against its use.
604
605         * heap/GCMemoryOperations.h:
606         (JSC::gcSafeZeroMemory):
607
608 2020-03-04  Mark Lam  <mark.lam@apple.com>
609
610         Handle an out of memory error while constructing the BytecodeGenerator.
611         https://bugs.webkit.org/show_bug.cgi?id=208622
612         <rdar://problem/59341136>
613
614         Reviewed by Saam Barati.
615
616         Added the ability to handle out of memory errors encountered during the
617         construction of the BytecodeGenerator.  Currently, we only use this for the
618         case where we fail to instantiate a ScopedArgumentsTable.
619
620         * bytecompiler/BytecodeGenerator.cpp:
621         (JSC::BytecodeGenerator::generate):
622         (JSC::BytecodeGenerator::BytecodeGenerator):
623         * bytecompiler/BytecodeGeneratorBase.h:
624         * runtime/ScopedArgumentsTable.cpp:
625         (JSC::ScopedArgumentsTable::tryCreate):
626         * runtime/ScopedArgumentsTable.h:
627         * runtime/SymbolTable.h:
628
629 2020-03-04  Paulo Matos  <pmatos@igalia.com>
630
631         JSC 32bits broken in debug mode by r257399
632         https://bugs.webkit.org/show_bug.cgi?id=208439
633
634         Reviewed by Carlos Alberto Lopez Perez.
635
636         Use the uses() method call instead of gpr() in the assert so that it
637         works for both 64 and 32 bits.
638
639         * bytecode/AccessCase.cpp:
640         (JSC::AccessCase::generateImpl):
641
642 2020-03-03  Saam Barati  <sbarati@apple.com>
643
644         Refactor FixedVMPoolExecutableAllocator to not have member functions which are really just helper functions
645         https://bugs.webkit.org/show_bug.cgi?id=208537
646
647         Reviewed by Mark Lam.
648
649         There were a few member functions in FixedVMPoolExecutableAllocator that were
650         essentially helper functions. I've factored them out, and made FixedVMPoolExecutableAllocator
651         call them directly. This refactoring is needed when I implement the 1GB
652         executable pool on arm64 since the implementation of that will create split
653         implementations of something like FixedVMPoolExecutableAllocator.
654
655         * jit/ExecutableAllocator.cpp:
656         (JSC::jitWriteThunkGenerator):
657         (JSC::genericWriteToJITRegion):
658         (JSC::initializeSeparatedWXHeaps):
659         (JSC::initializeJITPageReservation):
660         (JSC::ExecutableAllocator::isValid const):
661         (JSC::ExecutableAllocator::underMemoryPressure):
662         (JSC::ExecutableAllocator::memoryPressureMultiplier):
663         (JSC::ExecutableAllocator::allocate):
664         (JSC::ExecutableAllocator::isValidExecutableMemory):
665         (JSC::ExecutableAllocator::getLock const):
666         (JSC::ExecutableAllocator::committedByteCount):
667         (JSC::ExecutableAllocator::dumpProfile):
668         (JSC::startOfFixedExecutableMemoryPoolImpl):
669         (JSC::endOfFixedExecutableMemoryPoolImpl):
670         (JSC::isJITPC):
671
672 2020-03-03  Ross Kirsling  <ross.kirsling@sony.com>
673
674         Introduce JSRemoteInspectorServerStart API for socket-based RWI.
675         https://bugs.webkit.org/show_bug.cgi?id=208349
676
677         Reviewed by Joseph Pecoraro.
678
679         * API/JSRemoteInspectorServer.cpp: Added.
680         (JSRemoteInspectorServerStart):
681         * API/JSRemoteInspectorServer.h: Added.
682         * CMakeLists.txt:
683
684 2020-03-03  Basuke Suzuki  <basuke.suzuki@sony.com>
685
686         [WinCairo][PlayStation] Add interface to get listening port of RemoteInspectorServer
687         https://bugs.webkit.org/show_bug.cgi?id=208391
688
689         Reviewed by Don Olmstead.
690
691         When passing zero as a port argument, the system will pick an available port for it.
692         Without this method, the client cannot tell which port is listening.
693
694         * inspector/remote/socket/RemoteInspectorServer.cpp:
695         (Inspector::RemoteInspectorServer::start):
696         (Inspector::RemoteInspectorServer::getPort):
697         * inspector/remote/socket/RemoteInspectorServer.h:
698
699 2020-03-03  Yusuke Suzuki  <ysuzuki@apple.com>
700
701         [JSC] @hasOwnLengthProperty returns wrong value if "length" is attempted to be modified
702         https://bugs.webkit.org/show_bug.cgi?id=208497
703         <rdar://problem/59913544>
704
705         Reviewed by Mark Lam.
706
707         When the "length" of a JSFunction is attempted to be modified, we set a flag. And @hasOwnLengthProperty
708         does not correctly use this flag to return a value for the fast path. This affects the "length"
709         property of bound functions. For example,
710
711             function userFunction(a) { }
712             userFunction.length = 20; // This field is read-only. So, it is not changed.
713             userFunction.bind().length; // Should be 1, but it returns 0.
714
715         1. We rename m_hasModifiedLength to m_hasModifiedLengthForNonHostFunction and m_hasModifiedName
716            to m_hasModifiedNameForNonHostFunction since we are not tracking these states for host-functions
717            which can eagerly initialize them.
718         2. We rename areNameAndLengthOriginal to canAssumeNameAndLengthAreOriginal to allow it to return
719            "false" for host functions. If it returns true, we go to the fast path.
720         3. Correctly use canAssumeNameAndLengthAreOriginal information in @hasOwnLengthProperty.
721
722         * runtime/FunctionRareData.cpp:
723         (JSC::FunctionRareData::FunctionRareData):
724         * runtime/FunctionRareData.h:
725         * runtime/JSFunction.cpp:
726         (JSC::JSFunction::put):
727         (JSC::JSFunction::deleteProperty):
728         (JSC::JSFunction::defineOwnProperty):
729         * runtime/JSFunction.h:
730         * runtime/JSFunctionInlines.h:
731         (JSC::JSFunction::canAssumeNameAndLengthAreOriginal):
732         (JSC::JSFunction::areNameAndLengthOriginal): Deleted.
733         * runtime/JSGlobalObject.cpp:
734         (JSC::hasOwnLengthProperty):
735         * tools/JSDollarVM.cpp:
736         (JSC::functionHasOwnLengthProperty):
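
        The following is an added example, not JSC code and not part of the entry above. It shows what the
        three ways of touching a function's "length" (assignment, Object.defineProperty, delete) do to the
        value Function.prototype.bind reports, which is the behaviour the fast path has to preserve. The
        helper looksOriginal is a hypothetical stand-in for an attribute check; it is not
        canAssumeNameAndLengthAreOriginal.

```javascript
// Added example, not JSC code: how the three ways of touching a function's
// "length" affect what Function.prototype.bind reports. Per spec, a bound
// function's length is max(0, target.length - boundArgCount) while the
// target still has an own "length", and 0 once it does not.

// True when fn still has the descriptor shape a fresh function gets for
// "length" and "name": a non-writable, non-enumerable, configurable data
// property. Hypothetical helper; it is not JSC's canAssumeNameAndLengthAreOriginal.
function looksOriginal(fn, key) {
  const d = Object.getOwnPropertyDescriptor(fn, key);
  return !!d && "value" in d && !d.writable && !d.enumerable && d.configurable;
}

// Case 1: plain assignment. "length" is read-only, so the write is dropped in
// sloppy code and throws a TypeError in strict code; the value never changes.
function afterAssignment() {
  function userFunction(a) {}
  let threw = false;
  try {
    userFunction.length = 20;
  } catch (e) {
    threw = e instanceof TypeError;
  }
  const reflectOk = Reflect.set(userFunction, "length", 20); // false: not writable
  return {
    target: userFunction.length,                     // 1
    bound: userFunction.bind().length,               // 1, the value the entry above expects
    reflectOk,                                       // false
    threw,                                           // depends on the caller's strictness
    original: looksOriginal(userFunction, "length"), // true
  };
}

// Case 2: Object.defineProperty succeeds because "length" is configurable.
// Only the value changes, so the descriptor attributes still look original;
// an engine cannot detect this from attributes alone and has to record it on
// its defineOwnProperty path, which is what the fix above relies on.
function afterDefineProperty() {
  function userFunction(a, b, c) {}
  Object.defineProperty(userFunction, "length", { value: 5 });
  return {
    target: userFunction.length,                     // 5
    bound: userFunction.bind(null, 1, 2).length,     // 3 = 5 - 2 bound arguments
    original: looksOriginal(userFunction, "length"), // true, despite the change
  };
}

// Case 3: delete removes the own property. bind then reports 0, and this
// time the descriptor check does notice.
function afterDelete() {
  function userFunction(a, b) {}
  const deleted = delete userFunction.length;
  return {
    deleted,                                         // true
    target: userFunction.length,                     // 0, inherited from Function.prototype
    bound: userFunction.bind().length,               // 0
    original: looksOriginal(userFunction, "length"), // false
  };
}
```

        Case 2 is the reason a flag set on the put/defineOwnProperty/delete paths is needed at all: after a
        value-only redefinition the descriptor attributes are indistinguishable from the original ones.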
737
738 2020-03-02  Alan Coon  <alancoon@apple.com>
739
740         Add new Mac target numbers
741         https://bugs.webkit.org/show_bug.cgi?id=208398
742
743         Reviewed by Alexey Proskuryakov.
744
745         * Configurations/Base.xcconfig:
746         * Configurations/DebugRelease.xcconfig:
747         * Configurations/Version.xcconfig:
748         * Configurations/WebKitTargetConditionals.xcconfig:
749
750 2020-03-02  Justin Michaud  <justin_michaud@apple.com>
751
752         Delete by val caching does not keep the subscript alive
753         https://bugs.webkit.org/show_bug.cgi?id=208393
754
755         Reviewed by Yusuke Suzuki.
756
757         Before, the provided test case crashed with asan because we did not keep deleteByVal
758         subscripts alive. This patch changes CacheableIdentifier to make this mistake harder
759         to make again, by making the constructor calls more explicit when CacheableIdentifier
760         will not keep an Identifier alive.
761
762         * jit/JITOperations.cpp:
763         * jit/Repatch.cpp:
764         (JSC::tryCachePutByID):
765         (JSC::tryCacheDeleteBy):
766         (JSC::repatchDeleteBy):
767         (JSC::tryCacheInByID):
768         (JSC::tryCacheInstanceOf):
769         (JSC::tryCacheDelBy): Deleted.
770         (JSC::repatchDelBy): Deleted.
771         * jit/Repatch.h:
772         * runtime/CacheableIdentifier.h:
773         * runtime/CacheableIdentifierInlines.h:
774         (JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock):
775         (JSC::CacheableIdentifier::createFromCell):
776
777 2020-03-02  Paulo Matos  <pmatos@igalia.com>
778
779         Fix JSC 32bit alignment increase gcc warning
780         https://bugs.webkit.org/show_bug.cgi?id=208445
781
782         Reviewed by Yusuke Suzuki.
783
784         Use reinterpret_cast_ptr<>() instead of reinterpret_cast<>() to
785         avoid GCC warning about increase in alignment requirement for cast
786         target type.
787
788         * dfg/DFGOSRExit.cpp:
789         (JSC::DFG::OSRExit::compileExit):
790
791 2020-03-02  Yusuke Suzuki  <ysuzuki@apple.com>
792
793         Unreviewed, fix wrong assertion
794         https://bugs.webkit.org/show_bug.cgi?id=208404
795         <rdar://problem/59956592>
796
797         * runtime/CachedTypes.cpp:
798         (JSC::CachedUniquedStringImplBase::decode const):
799
800 2020-03-01  Charles Turner  <cturner@igalia.com>
801
802         undefined reference to `JSC::ExecutableBase::hasJITCodeForCall() const'
803         https://bugs.webkit.org/show_bug.cgi?id=207890
804
805         Reviewed by Yusuke Suzuki.
806
807         Encountered on arm-buildroot-linux-gnueabihf with GCC 9.2.0.
808
809         * runtime/NativeExecutable.cpp: Inclusion of
810         ExecutableBaseInlines.h resolves the issue for me.
811
812 2020-02-29  Yusuke Suzuki  <ysuzuki@apple.com>
813
814         Remove std::lock_guard
815         https://bugs.webkit.org/show_bug.cgi?id=206451
816
817         Reviewed by Anders Carlsson.
818
819         * API/JSVirtualMachine.mm:
820         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
821         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
822         * API/glib/JSCVirtualMachine.cpp:
823         (addWrapper):
824         (removeWrapper):
825         * heap/HeapSnapshotBuilder.cpp:
826         (JSC::HeapSnapshotBuilder::analyzeNode):
827         (JSC::HeapSnapshotBuilder::analyzeEdge):
828         (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge):
829         (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge):
830         (JSC::HeapSnapshotBuilder::analyzeIndexEdge):
831         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
832         * heap/MachineStackMarker.cpp:
833         (JSC::MachineThreads::tryCopyOtherThreadStacks):
834         * runtime/JSRunLoopTimer.cpp:
835         (JSC::JSRunLoopTimer::timerDidFire):
836
837 2020-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
838
839         [JSC] BuiltinNames' HashMap should be small
840         https://bugs.webkit.org/show_bug.cgi?id=208404
841
842         Reviewed by Mark Lam.
843
844         This patch converts the public-to-private-name map from HashMap<RefPtr<UniquedStringImpl>, SymbolImpl*> to HashSet<String> to save half of the memory.
845         The key is that private names have the same string content as the public names. We can just query the HashSet of
846         private names with the string content, and we get the private names.
847
848         The problem is that we also have a hack inserting string <-> non-private well-known Symbol mappings into this table. These symbols do not have
849         the same content as the public string. So the above assumption is broken.
850
851         To make the above assumption valid, we have a separate small HashMap which holds string <-> non-private well-known Symbol mappings. Since the number of
852         well-known Symbols is only 13, this new HashMap takes at most 512B for entries, which is much smaller than the memory saved by
853         converting the HashMap to a HashSet for private names (32KB).
854
855         To allow it, we introduce a new well-known Symbol identifier syntax to builtin JS, which is the "@@iterator" format. If there are two "@"s, we parse this
856         identifier as a well-known Symbol.
857
858         * builtins/ArrayConstructor.js:
859         (from.wrapper.iterator):
860         (from):
861         (from.wrapper.iteratorSymbol): Deleted.
862         * builtins/ArrayPrototype.js:
863         (globalPrivate.concatSlowPath):
864         (concat):
865         * builtins/BuiltinNames.cpp:
866         (JSC::BuiltinNames::BuiltinNames):
867         (JSC::CharBufferSeacher::hash):
868         (JSC::CharBufferSeacher::equal):
869         (JSC::lookUpPrivateNameImpl):
870         (JSC::lookUpWellKnownSymbolImpl):
871         (JSC::BuiltinNames::lookUpPrivateName const):
872         (JSC::BuiltinNames::lookUpWellKnownSymbol const):
873         * builtins/BuiltinNames.h:
874         (JSC::BuiltinNames::lookUpPrivateName const):
875         (JSC::BuiltinNames::lookUpWellKnownSymbol const):
876         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
877         (JSC::BuiltinNames::appendExternalName):
878         (JSC::BuiltinNames::getPublicName const): Deleted.
879         * builtins/GlobalOperations.js:
880         (globalPrivate.speciesConstructor):
881         * builtins/IteratorHelpers.js:
882         (performIteration):
883         * builtins/StringPrototype.js:
884         (match):
885         (matchAll):
886         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
887         (replaceAll):
888         (search):
889         (split):
890         * builtins/TypedArrayConstructor.js:
891         (from.wrapper.iterator):
892         (from):
893         (from.wrapper.iteratorSymbol): Deleted.
894         * builtins/TypedArrayPrototype.js:
895         (globalPrivate.typedArraySpeciesConstructor):
896         (map):
897         (filter):
898         * bytecompiler/NodesCodegen.cpp:
899         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
900         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
901         * parser/Lexer.cpp:
902         (JSC::Lexer<LChar>::parseIdentifier):
903         (JSC::Lexer<UChar>::parseIdentifier):
904         * runtime/CachedTypes.cpp:
905         (JSC::CachedUniquedStringImplBase::encode):
906         (JSC::CachedUniquedStringImplBase::decode const):
907         * runtime/CommonIdentifiers.cpp:
908         (JSC::CommonIdentifiers::CommonIdentifiers):
909         (JSC::CommonIdentifiers::lookUpPrivateName const): Deleted.
910         (JSC::CommonIdentifiers::getPublicName const): Deleted.
911         * runtime/CommonIdentifiers.h:
912         * tools/JSDollarVM.cpp:
913         (JSC::functionGetPrivateProperty):
914
915 2020-02-28  Saam Barati  <sbarati@apple.com>
916
917         Clean up code with how we choose Gigacage sizes and whether or not to use Wasm fast memory
918         https://bugs.webkit.org/show_bug.cgi?id=208392
919
920         Reviewed by Yusuke Suzuki.
921
922         * runtime/OptionsList.h:
923
924 2020-02-27  Saam Barati  <sbarati@apple.com>
925
926         Fix debug arm64 Wasm tests
927         https://bugs.webkit.org/show_bug.cgi?id=208362
928
929         Reviewed by Yusuke Suzuki.
930
931         * wasm/WasmAirIRGenerator.cpp:
932         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
933
934         We were assuming that "-1" is a valid imm on arm64, but it's not; we need
935         to use a big imm.
936
937 2020-02-27  Justin Michaud  <justin_michaud@apple.com>
938
939         Poly proto should work with property delete transitions
940         https://bugs.webkit.org/show_bug.cgi?id=208261
941
942         Reviewed by Saam Barati.
943
944         This patch fixes a bug where the combination of inline caching
945         and poly proto causes us to cache a setter call along a prototype chain that
946         is no longer the correct setter to call. This is exposed as a result of
947         https://bugs.webkit.org/show_bug.cgi?id=206430 since DefineOwnProperty used
948         to transition to an uncacheable dictionary.
949
950         The case looks like this:
951         A - setter for x redefines x
952         |
953         B
954         |
955         C
956
957         We set (new C).x
958
959         Right now, we first call A's setter, then we try to figure out what the state of things
960         was before it was called in order to cache it. We just assume that A's setter still exists, and we cache it
961         without ever checking. In this patch, we ensure that the property exists and the attributes match in order to prevent crashing.
962
963         In the code, A = target, C = base.
964
965         Get is correct because it collects caching information before any calls.
966
967         The bug https://bugs.webkit.org/show_bug.cgi?id=208337 tracks the remaining semantic bugs around this code.
968
969         * jit/Repatch.cpp:
970         (JSC::tryCachePutByID):
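
        The following is an added example, not JSC code and not part of the entry above. It builds the
        A / B / C chain described there, with A's setter for x redefining x on A, assigns through (new C).x
        twice, and records how the chain looks after the first setter call. cachedSetterStillValid is an
        illustrative stand-in for the "property exists and attributes match" check, not the code in
        tryCachePutByID.

```javascript
// Added example, not JSC code. Builds the chain from the entry above:
// A holds a setter for x that redefines x on A itself, B inherits from A,
// C from B, and assignments go through (new C).x. It records how the chain
// looks after the first setter call, which is what a cache must re-check.

// What a cache would have to re-verify before reusing a cached setter: the
// holder still has an own accessor for key with the same setter function and
// the same attributes as when the entry was recorded. Illustrative helper,
// not the check JSC's tryCachePutByID performs.
function cachedSetterStillValid(holder, key, cached) {
  const d = Object.getOwnPropertyDescriptor(holder, key);
  return !!d && typeof d.set === "function" && d.set === cached.set
    && d.configurable === cached.configurable && d.enumerable === cached.enumerable;
}

function runScenario() {
  let setterCalls = 0;
  function A() {}
  Object.defineProperty(A.prototype, "x", {
    configurable: true,
    set(value) {
      setterCalls++;
      // The setter replaces itself on A with a plain writable data property.
      Object.defineProperty(A.prototype, "x", { value, writable: true, configurable: true });
    },
  });
  function B() {}
  B.prototype = Object.create(A.prototype);
  function C() {}
  C.prototype = Object.create(B.prototype);

  // Snapshot of the holder's descriptor at the time a cache entry would be made.
  const cached = Object.getOwnPropertyDescriptor(A.prototype, "x");
  const validBefore = cachedSetterStillValid(A.prototype, "x", cached);

  const first = new C();
  first.x = 1; // runs A's setter, which redefines x on A.prototype
  const validAfter = cachedSetterStillValid(A.prototype, "x", cached);

  const second = new C();
  second.x = 2; // finds a writable data property on A.prototype: no setter call,
                // and OrdinarySet creates an own x on the receiver instead

  const hasOwn = (o) => Object.prototype.hasOwnProperty.call(o, "x");
  return {
    setterCalls,                   // 1
    validBefore,                   // true
    validAfter,                    // false: the setter is gone, a cached call would be wrong
    firstHasOwnX: hasOwn(first),   // false: the setter wrote to A.prototype, not to `this`
    secondHasOwnX: hasOwn(second), // true
    secondX: second.x,             // 2
    aValue: A.prototype.x,         // 1
  };
}
```

        The point to notice is validAfter: a cache entry recorded before the first assignment describes a
        setter that no longer exists once that assignment has run, so reusing it without re-checking the
        holder's descriptor calls the wrong thing.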
971
972 2020-02-27  Basuke Suzuki  <basuke.suzuki@sony.com>
973
974         [WinCairo] Fix RemoteInspector reconnect issue
975         https://bugs.webkit.org/show_bug.cgi?id=208256
976
977         Reviewed by Devin Rousso.
978
979         Call target's disconnection sequence asynchronously to avoid deadlock.
980
981         * inspector/remote/RemoteConnectionToTarget.cpp:
982         (Inspector::RemoteConnectionToTarget::close):
983         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
984         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
985
986 2020-02-26  Mark Lam  <mark.lam@apple.com>
987
988         Enhance JSObjectGetProperty() to mitigate against null object pointers.
989         https://bugs.webkit.org/show_bug.cgi?id=208275
990         <rdar://problem/59826325>
991
992         Reviewed by Robin Morisset.
993
994         * API/JSObjectRef.cpp:
995         (JSObjectGetProperty):
996
997 2020-02-26  Saam Barati  <sbarati@apple.com>
998
999         Make testair pass on arm64
1000         https://bugs.webkit.org/show_bug.cgi?id=208258
1001
1002         Reviewed by Tadeu Zagallo.
1003
1004         testElideMoveThenRealloc and testElideSimpleMove were never tested
1005         on arm64. This patch makes those tests work. 
1006         - testElideMoveThenRealloc was using a BitImm that is invalid on arm64
1007         - testElideSimpleMove was testing for the wrong disassembly
1008
1009         * b3/air/testair.cpp:
1010
1011 2020-02-26  Don Olmstead  <don.olmstead@sony.com>
1012
1013         Allow setting of stack sizes for threads
1014         https://bugs.webkit.org/show_bug.cgi?id=208223
1015
1016         Reviewed by Yusuke Suzuki.
1017
1018         Specify ThreadType at the Thread::create callsite.
1019
1020         * heap/Heap.cpp:
1021         (JSC::Heap::notifyIsSafeToCollect):
1022
1023 2020-02-26  Caio Lima  <ticaiolima@gmail.com>
1024
1025         [JSC][MIPS] Adding support to Checkpoints
1026         https://bugs.webkit.org/show_bug.cgi?id=208196
1027
1028         Reviewed by Yusuke Suzuki.
1029
1030         This patch adds changes to properly support OSR to
1031         checkpoints on MIPS. It required fixes on the JIT probe and some
1032         adjustment on Offlineasm to correctly generate the `$gp` load when executing
1033         `checkpoint_osr_exit_from_inlined_call_trampoline`.
1034
1035         * assembler/MacroAssemblerMIPS.cpp:
1036
1037         Probe trampoline needs to allocate 16 bytes for 4 arguments to
1038         properly follow C calling conventions. This space is used by the callee
1039         when JSC is compiled with the `-O0` flag
1040         (Check "DEFAULT C CALLING CONVENTION (O32)" section on
1041         https://www.mips.com/downloads/mips32-instruction-set-quick-reference-v1-01).
1042
1043         * llint/LowLevelInterpreter.asm:
1044
1045         As we need to do on ARMv7, 64-bit arguments need to be passed in
1046         register pairs `$a1:$a0` or `$a3:$a2` (little-endian mode). Since `$a0`
1047         contains `CallFrame*`, we need to pass `EncodedJSValue` in the `$a3:$a2`
1048         pair.
1049
1050         * offlineasm/mips.rb:
1051
1052         For the same reason as for return locations on OSR to LLInt, we
1053         need to adjust `$gp` using `$ra` instead of `$t9` on
1054         `checkpoint_osr_exit_from_inlined_call_trampoline`, given it is only
1055         reachable through `ret` operations. For a detailed explanation, check the
1056         ChangeLog of https://trac.webkit.org/changeset/252713.
1057
1058 2020-02-25  Devin Rousso  <drousso@apple.com>
1059
1060         Web Inspector: safari app extension isolated worlds and injected files use the extension's identifier instead of its name
1061         https://bugs.webkit.org/show_bug.cgi?id=206911
1062         <rdar://problem/58026635>
1063
1064         Reviewed by Brian Burg.
1065
1066         * inspector/protocol/Browser.json: Added.
1067         Add a `Browser` agent that can communicate with the inspected page's containing browser. It
1068         lives in the UIProcess alongside the `Target` agent (meaning there should only be one per
1069         debuggable rather than one per target) and as such is not routed through the `Target` agent.
1070
1071         * CMakeLists.txt:
1072         * DerivedSources-input.xcfilelist:
1073         * DerivedSources.make:
1074
1075 2020-02-25  Justin Michaud  <justin_michaud@apple.com>
1076
1077         Inline Cache delete by id/val
1078         https://bugs.webkit.org/show_bug.cgi?id=207522
1079
1080         Reviewed by Keith Miller and Filip Pizlo.
1081
1082         We add inline caching for deleteById/val for baseline only. We also fix a concurrency bug in ICStats used for testing.
1083         We add three new access cases (no inline code is emitted at this time): 
1084         - Delete is a cached delete of an existing property
1085         - DeleteMiss is a delete of a property that does not exist
1086         - DeleteNonConfigurable is a delete of a property that exists, but should not be deleted.
1087         There are no conditions required for these caches, since the structure id must change and the prototype does not matter.
1088         This gives the following microbenchmark results:
1089
1090         delete-property-keeps-cacheable-structure (neutral)
1091         delete-property-inline-cache              definitely 3.9096x faster
1092         delete-property-inline-cache-polymorphic  definitely 1.5239x faster
1093         delete-property-from-prototype-chain      (neutral)
1094
1095         * API/JSCallbackObject.h:
1096         * API/JSCallbackObjectFunctions.h:
1097         (JSC::JSCallbackObject<Parent>::deleteProperty):
1098         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1099         * API/JSObjectRef.cpp:
1100         (JSObjectDeletePropertyForKey):
1101         (JSObjectDeleteProperty):
1102         * CMakeLists.txt:
1103         * JavaScriptCore.xcodeproj/project.pbxproj:
1104         * bytecode/AccessCase.cpp:
1105         (JSC::AccessCase::create):
1106         (JSC::AccessCase::createTransition):
1107         (JSC::AccessCase::createDelete):
1108         (JSC::AccessCase::requiresIdentifierNameMatch const):
1109         (JSC::AccessCase::requiresInt32PropertyCheck const):
1110         (JSC::AccessCase::needsScratchFPR const):
1111         (JSC::AccessCase::forEachDependentCell const):
1112         (JSC::AccessCase::doesCalls const):
1113         (JSC::AccessCase::canReplace const):
1114         (JSC::AccessCase::dump const):
1115         (JSC::AccessCase::propagateTransitions const):
1116         (JSC::AccessCase::generateImpl):
1117         * bytecode/AccessCase.h:
1118         (JSC::AccessCase::structure const):
1119         (JSC::AccessCase::newStructure const):
1120         * bytecode/PolymorphicAccess.cpp:
1121         (WTF::printInternal):
1122         * bytecode/StructureStubInfo.cpp:
1123         (JSC::StructureStubInfo::reset):
1124         * bytecode/StructureStubInfo.h:
1125         * debugger/DebuggerScope.cpp:
1126         (JSC::DebuggerScope::deleteProperty):
1127         * debugger/DebuggerScope.h:
1128         * dfg/DFGFixupPhase.cpp:
1129         (JSC::DFG::FixupPhase::fixupNode):
1130         * dfg/DFGJITCompiler.cpp:
1131         (JSC::DFG::JITCompiler::link):
1132         * dfg/DFGJITCompiler.h:
1133         (JSC::DFG::JITCompiler::addDelById):
1134         (JSC::DFG::JITCompiler::addDelByVal):
1135         * dfg/DFGSpeculativeJIT.cpp:
1136         (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted.
1137         (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted.
1138         * dfg/DFGSpeculativeJIT32_64.cpp:
1139         (JSC::DFG::SpeculativeJIT::compileDeleteById):
1140         (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
1141         * dfg/DFGSpeculativeJIT64.cpp:
1142         (JSC::DFG::SpeculativeJIT::compileDeleteById):
1143         (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
1144         * ftl/FTLLowerDFGToB3.cpp:
1145         (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
1146         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1147         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1148         * jit/ICStats.h:
1149         * jit/JIT.cpp:
1150         (JSC::JIT::privateCompileSlowCases):
1151         (JSC::JIT::link):
1152         * jit/JIT.h:
1153         * jit/JITInlineCacheGenerator.cpp:
1154         (JSC::JITDelByValGenerator::JITDelByValGenerator):
1155         (JSC::JITDelByValGenerator::generateFastPath):
1156         (JSC::JITDelByValGenerator::finalize):
1157         (JSC::JITDelByIdGenerator::JITDelByIdGenerator):
1158         (JSC::JITDelByIdGenerator::generateFastPath):
1159         (JSC::JITDelByIdGenerator::finalize):
1160         * jit/JITInlineCacheGenerator.h:
1161         (JSC::JITDelByValGenerator::JITDelByValGenerator):
1162         (JSC::JITDelByValGenerator::slowPathJump const):
1163         (JSC::JITDelByIdGenerator::JITDelByIdGenerator):
1164         (JSC::JITDelByIdGenerator::slowPathJump const):
1165         * jit/JITOperations.cpp:
1166         * jit/JITOperations.h:
1167         * jit/JITPropertyAccess.cpp:
1168         (JSC::JIT::emit_op_del_by_id):
1169         (JSC::JIT::emitSlow_op_del_by_id):
1170         (JSC::JIT::emit_op_del_by_val):
1171         (JSC::JIT::emitSlow_op_del_by_val):
1172         * jit/JITPropertyAccess32_64.cpp:
1173         (JSC::JIT::emit_op_del_by_id):
1174         (JSC::JIT::emit_op_del_by_val):
1175         (JSC::JIT::emitSlow_op_del_by_val):
1176         (JSC::JIT::emitSlow_op_del_by_id):
1177         * jit/Repatch.cpp:
1178         (JSC::tryCachePutByID):
1179         (JSC::tryCacheDelBy):
1180         (JSC::repatchDelBy):
1181         (JSC::resetPutByID):
1182         (JSC::resetDelBy):
1183         * jit/Repatch.h:
1184         * llint/LLIntSlowPaths.cpp:
1185         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1186         * runtime/CacheableIdentifierInlines.h:
1187         (JSC::CacheableIdentifier::CacheableIdentifier):
1188         * runtime/ClassInfo.h:
1189         * runtime/ClonedArguments.cpp:
1190         (JSC::ClonedArguments::deleteProperty):
1191         * runtime/ClonedArguments.h:
1192         * runtime/CommonSlowPaths.cpp:
1193         (JSC::SLOW_PATH_DECL):
1194         * runtime/DeletePropertySlot.h: Added.
1195         (JSC::DeletePropertySlot::DeletePropertySlot):
1196         (JSC::DeletePropertySlot::setConfigurableMiss):
1197         (JSC::DeletePropertySlot::setNonconfigurable):
1198         (JSC::DeletePropertySlot::setHit):
1199         (JSC::DeletePropertySlot::isCacheableDelete const):
1200         (JSC::DeletePropertySlot::isDeleteHit const):
1201         (JSC::DeletePropertySlot::isConfigurableDeleteMiss const):
1202         (JSC::DeletePropertySlot::isNonconfigurable const):
1203         (JSC::DeletePropertySlot::cachedOffset const):
1204         (JSC::DeletePropertySlot::disableCaching):
1205         (JSC::DeletePropertySlot::isCacheable const):
1206         * runtime/ErrorConstructor.cpp:
1207         (JSC::ErrorConstructor::deleteProperty):
1208         * runtime/ErrorConstructor.h:
1209         * runtime/ErrorInstance.cpp:
1210         (JSC::ErrorInstance::deleteProperty):
1211         * runtime/ErrorInstance.h:
1212         * runtime/GenericArguments.h:
1213         * runtime/GenericArgumentsInlines.h:
1214         (JSC::GenericArguments<Type>::put):
1215         (JSC::GenericArguments<Type>::deleteProperty):
1216         * runtime/GetterSetter.h:
1217         * runtime/JSArray.cpp:
1218         (JSC::JSArray::deleteProperty):
1219         * runtime/JSArray.h:
1220         * runtime/JSCJSValue.h:
1221         * runtime/JSCell.cpp:
1222         (JSC::JSCell::deleteProperty):
1223         * runtime/JSCell.h:
1224         * runtime/JSDataView.cpp:
1225         (JSC::JSDataView::deleteProperty):
1226         * runtime/JSDataView.h:
1227         * runtime/JSFunction.cpp:
1228         (JSC::JSFunction::deleteProperty):
1229         * runtime/JSFunction.h:
1230         * runtime/JSGenericTypedArrayView.h:
1231         * runtime/JSGenericTypedArrayViewInlines.h:
1232         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1233         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1234         * runtime/JSGlobalObject.cpp:
1235         (JSC::JSGlobalObject::addFunction):
1236         * runtime/JSLexicalEnvironment.cpp:
1237         (JSC::JSLexicalEnvironment::deleteProperty):
1238         * runtime/JSLexicalEnvironment.h:
1239         * runtime/JSModuleEnvironment.cpp:
1240         (JSC::JSModuleEnvironment::deleteProperty):
1241         * runtime/JSModuleEnvironment.h:
1242         * runtime/JSModuleNamespaceObject.cpp:
1243         (JSC::JSModuleNamespaceObject::deleteProperty):
1244         * runtime/JSModuleNamespaceObject.h:
1245         * runtime/JSONObject.cpp:
1246         (JSC::Walker::walk):
1247         * runtime/JSObject.cpp:
1248         (JSC::JSObject::deleteProperty):
1249         (JSC::JSObject::deletePropertyByIndex):
1250         (JSC::validateAndApplyPropertyDescriptor):
1251         * runtime/JSObject.h:
1252         * runtime/JSProxy.cpp:
1253         (JSC::JSProxy::deleteProperty):
1254         * runtime/JSProxy.h:
1255         * runtime/JSSymbolTableObject.cpp:
1256         (JSC::JSSymbolTableObject::deleteProperty):
1257         * runtime/JSSymbolTableObject.h:
1258         * runtime/ProxyObject.cpp:
1259         (JSC::ProxyObject::deleteProperty):
1260         * runtime/ProxyObject.h:
1261         * runtime/RegExpObject.cpp:
1262         (JSC::RegExpObject::deleteProperty):
1263         * runtime/RegExpObject.h:
1264         * runtime/StrictEvalActivation.cpp:
1265         (JSC::StrictEvalActivation::deleteProperty):
1266         * runtime/StrictEvalActivation.h:
1267         * runtime/StringObject.cpp:
1268         (JSC::StringObject::deleteProperty):
1269         * runtime/StringObject.h:
1270         * runtime/Structure.cpp:
1271         (JSC::Structure::removePropertyTransition):
1272         (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
1273         (JSC::Structure::removePropertyTransitionFromExistingStructure):
1274         (JSC::Structure::removePropertyTransitionFromExistingStructureConcurrently):
1275         (JSC::Structure::removeNewPropertyTransition):
1276         (JSC::Structure::dump const):
1277         * runtime/Structure.h:
1278         * runtime/StructureInlines.h:
1279         (JSC::Structure::hasIndexingHeader const):
1280         (JSC::Structure::mayHaveIndexingHeader const):
1281         * tools/JSDollarVM.cpp:
1282         (JSC::functionHasOwnLengthProperty):
1283         (JSC::JSDollarVM::finishCreation):
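
        The following is an added example, not JSC code and not part of the entry above. It sorts a delete
        into the three access cases introduced there (Delete, DeleteMiss, DeleteNonConfigurable) from
        observable JS semantics alone, then checks each classification against what `delete` really does in
        sloppy and strict code. The fixture object and the classifyDelete helper are constructed for this
        example; DeletePropertySlot itself is not modelled.

```javascript
// Added example, not JSC code. Sorts a delete into the three access cases the
// entry above introduces using only observable JS semantics, then checks each
// classification against what `delete` really does in sloppy and strict code.
function classifyDelete(obj, key) {
  const d = Object.getOwnPropertyDescriptor(obj, key);
  if (!d) return "DeleteMiss";                          // not own (absent or inherited): no-op, succeeds
  if (!d.configurable) return "DeleteNonConfigurable";  // own but not deletable: must fail
  return "Delete";                                      // own and configurable: removed, shape changes
}

// new Function bodies are sloppy unless they opt in, so the sloppy variant
// stays sloppy even when this file itself runs as strict module code.
const sloppyDelete = new Function("obj", "key", "return delete obj[key];");
const strictDelete = new Function("obj", "key", "'use strict'; return delete obj[key];");

// Constructed fixture: one ordinary property, one non-configurable property,
// and one property that lives only on the prototype.
function makeObject() {
  const proto = { inherited: 3 };
  const o = Object.create(proto);
  o.a = 1;
  Object.defineProperty(o, "frozen", { value: 2, writable: true, enumerable: true, configurable: false });
  return o;
}

// Runs the classification and both delete flavours on fresh copies of the
// fixture, since a successful delete mutates the object it runs on.
function observe(key) {
  const kind = classifyDelete(makeObject(), key);
  const sloppyResult = sloppyDelete(makeObject(), key);
  let strictResult;
  try {
    strictResult = strictDelete(makeObject(), key);
  } catch (e) {
    strictResult = e.constructor.name; // "TypeError" for a non-configurable property
  }
  const after = makeObject();
  sloppyDelete(after, key);
  return {
    kind,
    sloppyResult,
    strictResult,
    stillOwn: Object.prototype.hasOwnProperty.call(after, key),
    protoUntouched: after.inherited === 3, // delete never reaches into the prototype
  };
}
```

        The "inherited" key is the case the entry's last sentence is about: the prototype holds the property,
        but from the receiver's point of view this is a DeleteMiss, which is why no prototype condition is
        needed for these caches.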
1284
1285 2020-02-24  Yusuke Suzuki  <ysuzuki@apple.com>
1286
1287         [WTF] Attach WARN_UNUSED_RETURN to makeScopeExit and fix existing wrong usage
1288         https://bugs.webkit.org/show_bug.cgi?id=208162
1289
1290         Reviewed by Robin Morisset.
1291
1292         * parser/Parser.cpp:
1293         (JSC::Parser<LexerType>::parseUnaryExpression):
1294
1295 2020-02-24  Keith Miller  <keith_miller@apple.com>
1296
1297         LLInt should fast path for jtrue/false on Symbols and Objects
1298         https://bugs.webkit.org/show_bug.cgi?id=208151
1299
1300         Reviewed by Yusuke Suzuki.
1301
1302         The 64-bit interpreter can fast path the case where an object or symbol
1303         is passed to a jtrue or jfalse opcode. This is because these values
1304         are always truthy.
1305
1306         Also, fix some weird indentation in LowLevelInterpreter.asm.
1307
1308         * llint/LowLevelInterpreter.asm:
1309         * llint/LowLevelInterpreter32_64.asm:
1310         * llint/LowLevelInterpreter64.asm:
1311         * runtime/JSType.h:
1312
1313 2020-02-24  Caio Lima  <ticaiolima@gmail.com>
1314
1315         [JSC] 32-bits debug build broken after r257212
1316         https://bugs.webkit.org/show_bug.cgi?id=208149
1317
1318         Reviewed by Yusuke Suzuki.
1319
1320         Changing `Structure::setCachedPrototypeChain` to use
1321         `m_cachedPrototypeChainOrRareData.setMayBeNull`, since `chain` may be
1322         null.
1323
1324         * runtime/StructureInlines.h:
1325         (JSC::Structure::setCachedPrototypeChain):
1326
1327 2020-02-24  Yusuke Suzuki  <ysuzuki@apple.com>
1328
1329         Unreviewed, fix watchOS build
1330         https://bugs.webkit.org/show_bug.cgi?id=207827
1331
1332         While watchOS does not use FTL at all, it still compiles.
1333
1334         * ftl/FTLLowerDFGToB3.cpp:
1335         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
1336         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1337         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
1338         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1339         (JSC::FTL::DFG::LowerDFGToB3::loadStructureClassInfo):
1340         (JSC::FTL::DFG::LowerDFGToB3::loadStructureCachedPrototypeChainOrRareData):
1341
1342 2020-02-24  Yusuke Suzuki  <ysuzuki@apple.com>
1343
1344         Unreviewed, build fix for 32bit pointer architectures
1345         https://bugs.webkit.org/show_bug.cgi?id=207827
1346
1347         * runtime/Structure.h:
1348
1349 2020-02-23  Yusuke Suzuki  <ysuzuki@apple.com>
1350
1351         [JSC] Shrink Structure
1352         https://bugs.webkit.org/show_bug.cgi?id=207827
1353
1354         Reviewed by Saam Barati.
1355
1356         This patch shrinks sizeof(Structure) from 112 to 96 (16 bytes) in architectures using 64 bit pointers.
1357         Structure is one of the most frequently allocated JSCells in JSC. So it is worth doing
1358         all sorts of bit hacks to make it as compact as possible.
1359
1360             1. Put outOfLineTypeFlags, maxOffset and transitionOffset into highest bits of m_propertyTableUnsafe,
1361                m_cachedPrototypeChain, m_classInfo, and m_transitionPropertyName. Do not use PackedPtr here since
1362                some of them are concurrently accessed by GC.
1363             2. Put m_inlineCapacity into lower 8 bits of m_propertyHash.
1364             3. Remove m_lock, and use Structure::cellLock() instead.
1365             4. Remove m_cachedPrototypeChain clearing from the concurrent collector since it is dead code (it was old code).
1366                We were setting m_cachedPrototypeChain only if Structure is for JSObject. Clearing happened only if it was not
1367                a Structure for JSObject.
1368             5. Previous Structure is held as StructureID m_previous. And m_previousOrRareData becomes m_cachedPrototypeChainOrRareData.
1369
1370         Many pairs are using CompactPointerTuple to make code clean.
1371         Combining all of the above techniques saves us 16 bytes.
1372
1373         * bytecode/AccessCase.cpp:
1374         (JSC::AccessCase::create):
1375         (JSC::AccessCase::propagateTransitions const):
1376         * bytecode/AccessCase.h:
1377         (JSC::AccessCase::structure const):
1378         * dfg/DFGSpeculativeJIT.cpp:
1379         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1380         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
1381         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1382         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1383         (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject):
1384         * ftl/FTLAbstractHeapRepository.h:
1385         * ftl/FTLLowerDFGToB3.cpp:
1386         (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
1387         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1388         (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
1389         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1390         * jit/AssemblyHelpers.h:
1391         (JSC::AssemblyHelpers::emitLoadClassInfoFromStructure):
1392         * jit/JITOpcodes.cpp:
1393         (JSC::JIT::emit_op_create_this):
1394         * jit/JITOpcodes32_64.cpp:
1395         (JSC::JIT::emit_op_create_this):
1396         * jit/Repatch.cpp:
1397         (JSC::tryCachePutByID):
1398         * llint/LLIntSlowPaths.cpp:
1399         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1400         * runtime/ClonedArguments.cpp:
1401         (JSC::ClonedArguments::createStructure):
1402         * runtime/ConcurrentJSLock.h:
1403         (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase):
1404         (JSC::GCSafeConcurrentJSLockerImpl::GCSafeConcurrentJSLockerImpl):
1405         (JSC::GCSafeConcurrentJSLockerImpl::~GCSafeConcurrentJSLockerImpl):
1406         (JSC::ConcurrentJSLockerImpl::ConcurrentJSLockerImpl):
1407         (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker): Deleted.
1408         (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker): Deleted.
1409         (JSC::ConcurrentJSLocker::ConcurrentJSLocker): Deleted.
1410         * runtime/JSCell.h:
1411         * runtime/JSObject.cpp:
1412         (JSC::JSObject::deleteProperty):
1413         (JSC::JSObject::shiftButterflyAfterFlattening):
1414         * runtime/JSObject.h:
1415         (JSC::JSObject::getDirectConcurrently const):
1416         * runtime/JSObjectInlines.h:
1417         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1418         * runtime/JSType.cpp:
1419         (WTF::printInternal):
1420         * runtime/JSType.h:
1421         * runtime/Structure.cpp:
1422         (JSC::StructureTransitionTable::contains const):
1423         (JSC::StructureTransitionTable::get const):
1424         (JSC::StructureTransitionTable::add):
1425         (JSC::Structure::dumpStatistics):
1426         (JSC::Structure::Structure):
1427         (JSC::Structure::create):
1428         (JSC::Structure::findStructuresAndMapForMaterialization):
1429         (JSC::Structure::materializePropertyTable):
1430         (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
1431         (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
1432         (JSC::Structure::addNewPropertyTransition):
1433         (JSC::Structure::removeNewPropertyTransition):
1434         (JSC::Structure::changePrototypeTransition):
1435         (JSC::Structure::attributeChangeTransition):
1436         (JSC::Structure::toDictionaryTransition):
1437         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1438         (JSC::Structure::nonPropertyTransitionSlow):
1439         (JSC::Structure::flattenDictionaryStructure):
1440         (JSC::Structure::pin):
1441         (JSC::Structure::pinForCaching):
1442         (JSC::Structure::allocateRareData):
1443         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
1444         (JSC::Structure::copyPropertyTableForPinning):
1445         (JSC::Structure::add):
1446         (JSC::Structure::remove):
1447         (JSC::Structure::visitChildren):
1448         (JSC::Structure::canCachePropertyNameEnumerator const):
1449         * runtime/Structure.h:
1450         * runtime/StructureInlines.h:
1451         (JSC::Structure::get):
1452         (JSC::Structure::ruleOutUnseenProperty const):
1453         (JSC::Structure::seenProperties const):
1454         (JSC::Structure::addPropertyHashAndSeenProperty):
1455         (JSC::Structure::forEachPropertyConcurrently):
1456         (JSC::Structure::transitivelyTransitionedFrom):
1457         (JSC::Structure::cachedPrototypeChain const):
1458         (JSC::Structure::setCachedPrototypeChain):
1459         (JSC::Structure::prototypeChain const):
1460         (JSC::Structure::propertyReplacementWatchpointSet):
1461         (JSC::Structure::checkOffsetConsistency const):
1462         (JSC::Structure::add):
1463         (JSC::Structure::remove):
1464         (JSC::Structure::removePropertyWithoutTransition):
1465         (JSC::Structure::setPropertyTable):
1466         (JSC::Structure::clearPropertyTable):
1467         (JSC::Structure::setOutOfLineTypeFlags):
1468         (JSC::Structure::setInlineCapacity):
1469         (JSC::Structure::setClassInfo):
1470         (JSC::Structure::setPreviousID):
1471         (JSC::Structure::clearPreviousID):
1472         * runtime/StructureRareData.cpp:
1473         (JSC::StructureRareData::createStructure):
1474         (JSC::StructureRareData::create):
1475         (JSC::StructureRareData::StructureRareData):
1476         (JSC::StructureRareData::visitChildren):
1477         * runtime/StructureRareData.h:
1478         * runtime/StructureRareDataInlines.h:
1479         (JSC::StructureRareData::setCachedPrototypeChain):
1480         (JSC::StructureRareData::setPreviousID): Deleted.
1481         (JSC::StructureRareData::clearPreviousID): Deleted.
1482         * tools/JSDollarVM.cpp:
1483         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
1484         * wasm/js/WebAssemblyFunction.cpp:
1485         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1486
1487 2020-02-20  Mark Lam  <mark.lam@apple.com>
1488
1489         Make support for bytecode caching more robust against file corruption.
1490         https://bugs.webkit.org/show_bug.cgi?id=207972
1491         <rdar://problem/59260595>
1492
1493         Reviewed by Yusuke Suzuki.
1494
1495         If a bytecode cache file is corrupted, we currently will always crash every time
1496         we try to read it (in perpetuity as long as the corrupted cache file continues to
1497         exist on disk).  To guard against this, we'll harden the bytecode caching mechanism
1498         as follows:
1499
1500         1. Modify the writeCache operation to always write the cache file in a transactional
1501            manner i.e. we'll first write to a .tmp file, and then rename the .tmp file to
1502            the cache file only if the entire file has been written in completeness.
1503
1504            This ensures that we won't get corrupted cache files due to interrupted writes.
1505
1506         2. Modify the writeCache operation to also compute a SHA1 hash of the cache file
1507            and append the hash at the end of the file.  Modify the readCache operation to
1508            first authenticate the SHA1 hash before allowing the cache file to be used.
1509            If the hash does not match, the file is bad, and we'll just delete it.
1510
1511            This ensures that we won't be crashing while decoding a corrupted cache file.
1512
1513         Manually tested with the following scenarios and ensuring that the client recovers
1514         with no crashes:
1515
1516         1. no cache file on disk.
1517         2. a 0-sized cache file on disk.
1518         3. a truncated cache file on disk.
1519         4. a corrupted cache file on disk.
1520         5. an uncorrupted cache file on disk.
1521
1522         Also added some static_asserts in CachedTypes.cpp to document some invariants that
1523         the pre-existing code is dependent on.
1524
1525         * API/JSScript.mm:
1526         (-[JSScript readCache]):
1527         (-[JSScript writeCache:]):
1528         * runtime/CachedTypes.cpp:
1529
1530 2020-02-19  Ross Kirsling  <ross.kirsling@sony.com>
1531
1532         Computed Properties with increment sometimes produce incorrect results
1533         https://bugs.webkit.org/show_bug.cgi?id=170934
1534
1535         Reviewed by Yusuke Suzuki.
1536
1537         When the key and value of a computed property each have side effects, the eval order should be key-before-value.
1538         Not only have we had this backwards, we've also been giving them both the same target register.
1539
1540         * bytecompiler/NodesCodegen.cpp:
1541         (JSC::PropertyListNode::emitPutConstantProperty):
1542
1543 2020-02-19  Keith Miller  <keith_miller@apple.com>
1544
1545         Disable Wasm reference types by default
1546         https://bugs.webkit.org/show_bug.cgi?id=207952
1547
1548         Reviewed by Mark Lam.
1549
1550         * runtime/OptionsList.h:
1551
1552 2020-02-19  Stephan Szabo  <stephan.szabo@sony.com>
1553
1554         [PlayStation] Get jsc test wrappers using find_package
1555         https://bugs.webkit.org/show_bug.cgi?id=207914
1556
1557         Reviewed by Ross Kirsling.
1558
1559         * shell/PlatformPlayStation.cmake:
1560
1561 2020-02-18  Keith Miller  <keith_miller@apple.com>
1562
1563         Add an os_log PrintStream
1564         https://bugs.webkit.org/show_bug.cgi?id=207898
1565
1566         Reviewed by Mark Lam.
1567
1568         Add jsc option to write dataLogs to os_log.
1569
1570         * runtime/Options.cpp:
1571         (JSC::Options::initialize):
1572         * runtime/OptionsList.h:
1573
1574 2020-02-18  Paulo Matos  <pmatos@igalia.com>
1575
1576         Fix order (in MIPS) under which CS-registers are saved/restored
1577         https://bugs.webkit.org/show_bug.cgi?id=207752
1578
1579         Reviewed by Keith Miller.
1580
1581         This has been causing several segfaults on MIPS with JIT enabled
1582         because during an OSR to baseline, the order in which LLInt was
1583         saving the registers was not in sync with the way baseline was
1584         restoring them.
1585
1586         * llint/LowLevelInterpreter.asm:
1587
1588 2020-02-18  Ross Kirsling  <ross.kirsling@sony.com>
1589
1590         [JSC] Computed function properties compute their keys twice
1591         https://bugs.webkit.org/show_bug.cgi?id=207297
1592
1593         Reviewed by Keith Miller.
1594
1595         If a pseudo-String is used as the key of a computed function property,
1596         any side effects from resolving the string value occur in duplicate.
1597
1598         The cause has two parts:
1599           - We aren't ensuring that the string value is resolved before doing SetFunctionName and PutByVal.
1600           - Our implementation of SetFunctionName (https://tc39.es/ecma262/#sec-setfunctionname)
1601             calls toString on a non-symbol argument, instead of assuming the type is a string.
1602
1603         * bytecompiler/BytecodeGenerator.cpp:
1604         (JSC::BytecodeGenerator::shouldSetFunctionName): Added.
1605         (JSC::BytecodeGenerator::emitSetFunctionName): Added.
1606         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeededImpl): Deleted.
1607         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded): Deleted.
1608         * bytecompiler/BytecodeGenerator.h:
1609         Split the "if needed" logic out into its own function.
1610
1611         * bytecompiler/NodesCodegen.cpp:
1612         (JSC::PropertyListNode::emitBytecode):
1613         (JSC::PropertyListNode::emitPutConstantProperty):
1614         (JSC::DefineFieldNode::emitBytecode):
1615         Never emit OpSetFunctionName for a name of unknown type.
1616         (But also, don't perform a needless ToPropertyKey for non-function computed property keys.)
1617
1618         * runtime/JSFunction.cpp:
1619         (JSC::JSFunction::setFunctionName):
1620         Don't call toString, assert isString.
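As an added example that is not part of the WebKit patches, the following script checks, in any engine that follows the spec, the two behaviours the computed-property entries above describe: the key is converted to a property key before the value is evaluated (the increment case from bug 170934), and a computed method's key is resolved exactly once and becomes the function name (bug 207297). The logging objects and counters are constructed for the demonstration.

```javascript
// Added example, not JSC code: observe the evaluation order and key
// resolution count that the computed-property entries above describe.
// All keys, counters and logs below are constructed for the demonstration.

// Builds { [key]: value() } where both the key's toString and the value
// have side effects, and returns the order in which they ran.
function computedPropertyTrace() {
  const log = [];
  const key = {
    toString() { log.push("key:toString"); return "k"; },
  };
  const value = () => { log.push("value"); return 42; };
  const obj = { [key]: value() };
  return { log, obj };
}

// The case from bug 170934: key and value both increment the same variable.
// Spec order (key before value) yields { "0": 1 } and leaves i at 2.
function incrementOrder() {
  let i = 0;
  const obj = { [i++]: i++ };
  return { keys: Object.keys(obj), value: obj[0], i };
}

// A computed method name: the key's toString must run exactly once (bug 207297),
// and the resulting string becomes the function's name via SetFunctionName.
function computedMethodNameTrace() {
  let calls = 0;
  const key = { toString() { calls += 1; return "m"; } };
  const obj = { [key]() { return 1; } };
  return { calls, name: obj.m.name, result: obj.m() };
}

console.log(computedPropertyTrace().log, incrementOrder(), computedMethodNameTrace());
```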
1621
1622 2020-02-17  Yusuke Suzuki  <ysuzuki@apple.com>
1623
1624         [JSC] JITThunk should be HashSet<Weak<NativeExecutable>> with appropriate GC weakness handling
1625         https://bugs.webkit.org/show_bug.cgi?id=207715
1626
1627         Reviewed by Darin Adler.
1628
1629         This patch refines JITThunks' GC-aware Weak hash map for NativeExecutable. Previously, we had a
1630         HashMap<std::tuple<TaggedNativeFunction, TaggedNativeFunction, String>, Weak<NativeExecutable>> table.
1631         But this is not good because the first tuple's information is already in NativeExecutable.
1632         But we were using this design since Weak<NativeExecutable> can be nullified because of Weak<>. If this
1633         happens, we could have an invalid Entry in the HashMap which does not have corresponding values. This will
1634         cause a crash when rehashing requires the hash code for this entry.
1635
1636         But this HashMap is very bad in terms of memory usage. Each entry has 32 bytes, and this table gets quite
1637         large. We identified that this table is consuming much memory in Membuster. So it is worth designing a
1638         carefully crafted data structure which only holds Weak<NativeExecutable> by leveraging the deep interaction
1639         with our GC implementation.
1640
1641         This patch implements new design of JITThunks, which uses HashSet<Weak<NativeExecutable>> and carefully crafted
1642         HashTraits / KeyTraits to handle Weak<> well.
1643
1644         1. Each Weak should have a finalizer, and this finalizer should remove dead Weak<NativeExecutable> from the HashSet.
1645
1646             This ensures that every key in the HashSet, even if Weak<> says it is Dead, still has a way
1647             to access the content of NativeExecutable if the content is not a JS object. For example, we can get a function
1648             pointer from a dead Weak<NativeExecutable> if it is not yet finalized. Since we remove all finalized Weak<>
1649             from the table, this finalizer mechanism allows us to access function pointers etc. from Weak<NativeExecutable>
1650             so long as it is held in this table.
1651
1652         2. Getting NativeExecutable* from JITThunks should follow a special protocol.
1653
1654             When getting NativeExecutable* from JITThunks, we do the following:
1655
1656             1. First, we check whether we have an Entry in JITThunks. If it does not exist, we should insert it anyway.
1657                 1.1. If it exists, we should check whether this Weak<NativeExecutable> is dead or not. It is possible that
1658                      a dead one is still in the table because "dead" does not mean that it is "finalized". Until finalizing happens (and
1659                      it can be delayed by the incremental sweeper), Weak<NativeExecutable> can be dead but still accessible. So the table
1660                      is still holding the dead one. If we get a dead one, we should insert a new one.
1661                 1.2. If it is not dead, we return it.
1662             2. Second, we create a new NativeExecutable and insert it. In that case, it is possible that the table already has a Weak<NativeExecutable>,
1663                but it is dead. In that case, we need to explicitly replace it with the newly created one since the old one is holding old content. If we
1664                replaced it, the finalizer of the Weak<> will not be invoked since it immediately deallocates the Weak<>. So, it does not happen that this newly
1665                inserted NativeExecutable* is removed by the finalizer registered by the old Weak<>.
1666
1667         This change reduces the memory usage of the JITThunks table to 1/4.
1668
1669         * heap/Weak.cpp:
1670         (JSC::weakClearSlowCase):
1671         * heap/Weak.h:
1672         (JSC::Weak::Weak):
1673         (JSC::Weak::isHashTableEmptyValue const):
1674         (JSC::Weak::unsafeImpl const):
1675         (WTF::HashTraits<JSC::Weak<T>>::isEmptyValue):
1676         * heap/WeakInlines.h:
1677         (JSC::Weak<T>::Weak):
1678         * jit/JITThunks.cpp:
1679         (JSC::JITThunks::JITThunks):
1680         (JSC::JITThunks::WeakNativeExecutableHash::hash):
1681         (JSC::JITThunks::WeakNativeExecutableHash::equal):
1682         (JSC::JITThunks::HostKeySearcher::hash):
1683         (JSC::JITThunks::HostKeySearcher::equal):
1684         (JSC::JITThunks::NativeExecutableTranslator::hash):
1685         (JSC::JITThunks::NativeExecutableTranslator::equal):
1686         (JSC::JITThunks::NativeExecutableTranslator::translate):
1687         (JSC::JITThunks::finalize):
1688         (JSC::JITThunks::hostFunctionStub):
1689         (JSC::JITThunks::clearHostFunctionStubs): Deleted.
1690         * jit/JITThunks.h:
1691         * runtime/NativeExecutable.h:
1692         * tools/JSDollarVM.cpp:
1693         (JSC::functionGCSweepAsynchronously):
1694         (JSC::functionCreateEmptyFunctionWithName):
1695         (JSC::JSDollarVM::finishCreation):
1696
1697 2020-02-17  Tadeu Zagallo  <tzagallo@apple.com>
1698
1699         [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
1700         https://bugs.webkit.org/show_bug.cgi?id=207849
1701
1702         Reviewed by Mark Lam.
1703
1704         When generating the call IC, we should select the callee saves using BoundsChecking mode in order
1705         to obey the calling conventions described in r256665. Currently, we won't restore the memory size
1706         register when calling the Wasm LLInt through the call IC.
1707
1708         * wasm/js/WebAssemblyFunction.cpp:
1709         (JSC::WebAssemblyFunction::calleeSaves const):
1710
1711 2020-02-17  Per Arne Vollan  <pvollan@apple.com>
1712
1713         Mach lookup to com.apple.webinspector should not be allowed in WebKit's WebContent process
1714         https://bugs.webkit.org/show_bug.cgi?id=203214
1715
1716         Reviewed by Brent Fulgham.
1717
1718         Add static flag in RemoteInspector to indicate whether a sandbox extension is needed. The remote inspector will only be
1719         started if the sandbox extension is not needed. Only the WebContent process will need a sandbox extension, since this
1720         patch removes mach access to 'com.apple.webinspector' for this process. Also add name and domain for the
1721         'Enable Remote Inspector' setting, since this will be used in the UI process.
1722
1723         * inspector/remote/RemoteInspector.cpp:
1724         * inspector/remote/RemoteInspector.h:
1725         * inspector/remote/RemoteInspectorConstants.h:
1726         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1727         (Inspector::RemoteInspector::singleton):
1728
1729 2020-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
1730
1731         Remove remaining WTF_EXPORT and WTF_IMPORT by replacing them with WTF_EXPORT_DECLARATION and WTF_IMPORT_DECLARATION
1732         https://bugs.webkit.org/show_bug.cgi?id=207746
1733
1734         Reviewed by Don Olmstead.
1735
1736         * runtime/JSExportMacros.h:
1737
1738 2020-02-16  Paulo Matos  <pmatos@igalia.com>
1739
1740         Remove nonArgGPR1 for ARMv7 and ARM64 (unused)
1741         https://bugs.webkit.org/show_bug.cgi?id=207753
1742
1743         Reviewed by Darin Adler.
1744
1745         Cleanup commit - nonArgGPR1 is unused for both ARMv7
1746         and ARM64.
1747
1748         * jit/GPRInfo.h:
1749
1750 2020-02-14  Tadeu Zagallo  <tzagallo@apple.com> and Michael Saboff  <msaboff@apple.com>
1751
1752         [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
1753         https://bugs.webkit.org/show_bug.cgi?id=207727
1754
1755         Reviewed by Mark Lam.
1756
1757         The Wasm JIT has unusual calling conventions, which were further complicated by the addition
1758         of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
1759         saving and restoring the callee save registers used for the memory base and size). Here's a summary
1760         of the calling convention:
1761
1762         - When entering Wasm from JS, the wrapper must:
1763             - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this
1764               patch we only preserved the base in Signaling mode)
1765             - Preserve the memory base in either mode, and the size for BoundsChecking.
1766         - Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB
1767           and wasmInstance, but must *not* preserve memoryBase and memorySize.
1768         - Changes to memoryBase and memorySize are visible to the caller. This means that:
1769             - Intra-module calls can assume these registers are up-to-date even if the memory was
1770               resized. The only exception here is if the LLInt calls a signaling JIT, in which case
1771               the JIT will not update the size register, since it won't be using it.
1772             - Inter-module and JS calls require the caller to reload these registers. These calls may
1773               result in memory changes (e.g. the callee may call memory.grow).
1774             - A Signaling JIT caller must be aware that the LLInt may trash the size register, since
1775               it always bounds checks.
1776
1777         * llint/WebAssembly.asm:
1778         * wasm/WasmAirIRGenerator.cpp:
1779         (JSC::Wasm::AirIRGenerator::addCall):
1780         * wasm/WasmB3IRGenerator.cpp:
1781         (JSC::Wasm::B3IRGenerator::addCall):
1782         * wasm/WasmCallee.cpp:
1783         (JSC::Wasm::LLIntCallee::calleeSaveRegisters):
1784         * wasm/WasmCallingConvention.h:
1785         * wasm/WasmLLIntPlan.cpp:
1786         (JSC::Wasm::LLIntPlan::didCompleteCompilation):
1787         * wasm/WasmMemoryInformation.cpp:
1788         (JSC::Wasm::PinnedRegisterInfo::get):
1789         (JSC::Wasm::getPinnedRegisters): Deleted.
1790
1791 2020-02-13  Stephan Szabo  <stephan.szabo@sony.com>
1792
1793         [PlayStation] Make special udis86 C file handling only happen for Visual Studio
1794         https://bugs.webkit.org/show_bug.cgi?id=207729
1795
1796         Reviewed by Don Olmstead.
1797
1798         * PlatformPlayStation.cmake:
1799
1800 2020-02-13  Caio Lima  <ticaiolima@gmail.com>
1801
1802         [ESNext][BigInt] We don't support BigInt literal as PropertyName
1803         https://bugs.webkit.org/show_bug.cgi?id=206888
1804
1805         Reviewed by Ross Kirsling.
1806
1807         According to spec (https://tc39.es/ecma262/#prod-PropertyName),
1808         BigInt literals are valid property names. Given that, we should not
1809         throw a SyntaxError when using BigInt literals on destructuring
1810         pattern, method declaration, object literals, etc.
1811         This patch adds BigInt literals as valid syntax for PropertyName.
1812
1813         * parser/Parser.cpp:
1814         (JSC::Parser<LexerType>::parseDestructuringPattern):
1815         (JSC::Parser<LexerType>::parseClass):
1816         (JSC::Parser<LexerType>::parseInstanceFieldInitializerSourceElements):
1817         (JSC::Parser<LexerType>::parseProperty):
1818         (JSC::Parser<LexerType>::parseGetterSetter):
1819         * parser/ParserArena.cpp:
1820         (JSC::IdentifierArena::makeBigIntDecimalIdentifier):
1821         * parser/ParserArena.h:
1822
1823 2020-02-12  Mark Lam  <mark.lam@apple.com>
1824
1825         Add options for debugging WASM code.
1826         https://bugs.webkit.org/show_bug.cgi?id=207677
1827         <rdar://problem/59411390>
1828
1829         Reviewed by Yusuke Suzuki.
1830
1831         Specifically ...
1832
1833             JSC_useBBQJIT                            - allows the BBQ JIT to be used if true
1834             JSC_useOMGJIT                            - allows the OMG JIT to be used if true
1835             JSC_useWasmLLIntPrologueOSR              - allows prologue OSR from Wasm LLInt if true
1836             JSC_useWasmLLIntLoopOSR                  - allows loop OSR from Wasm LLInt if true
1837             JSC_useWasmLLIntEpilogueOSR              - allows epilogue OSR from Wasm LLInt if true
1838             JSC_wasmFunctionIndexRangeToCompile=N:M  - wasm function index range to allow compilation on, e.g. 1:100
1839
1840         * JavaScriptCore.xcodeproj/project.pbxproj:
1841         * runtime/Options.cpp:
1842         (JSC::Options::ensureOptionsAreCoherent):
1843         * runtime/OptionsList.h:
1844         * wasm/WasmBBQPlan.cpp:
1845         (JSC::Wasm::BBQPlan::BBQPlan):
1846         * wasm/WasmOMGForOSREntryPlan.cpp:
1847         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
1848         * wasm/WasmOMGPlan.cpp:
1849         (JSC::Wasm::OMGPlan::OMGPlan):
1850         * wasm/WasmOperations.cpp:
1851         (JSC::Wasm::shouldJIT):
1852         (JSC::Wasm::operationWasmTriggerOSREntryNow):
1853         (JSC::Wasm::operationWasmTriggerTierUpNow):
1854         * wasm/WasmSlowPaths.cpp:
1855         (JSC::LLInt::shouldJIT):
1856         (JSC::LLInt::WASM_SLOW_PATH_DECL):
1857
1858 2020-02-12  Yusuke Suzuki  <ysuzuki@apple.com>
1859
1860         [JSC] Compact JITCodeMap by storing BytecodeIndex and CodeLocation separately
1861         https://bugs.webkit.org/show_bug.cgi?id=207673
1862
1863         Reviewed by Mark Lam.
1864
1865         While BytecodeIndex is 4 bytes, CodeLocation is 8 bytes. So the tuple of them "JITCodeMap::Entry"
1866         becomes 16 bytes because it adds 4 bytes padding. We should store BytecodeIndex and CodeLocation separately
1867         to avoid this padding.
1868
1869         This patch introduces JITCodeMapBuilder. We use this to build the JITCodeMap data structure as an immutable final result.
1870
1871         * jit/JIT.cpp:
1872         (JSC::JIT::link):
1873         * jit/JITCodeMap.h:
1874         (JSC::JITCodeMap::JITCodeMap):
1875         (JSC::JITCodeMap::find const):
1876         (JSC::JITCodeMap::operator bool const):
1877         (JSC::JITCodeMap::codeLocations const):
1878         (JSC::JITCodeMap::indexes const):
1879         (JSC::JITCodeMapBuilder::append):
1880         (JSC::JITCodeMapBuilder::finalize):
1881         (JSC::JITCodeMap::Entry::Entry): Deleted.
1882         (JSC::JITCodeMap::Entry::bytecodeIndex const): Deleted.
1883         (JSC::JITCodeMap::Entry::codeLocation): Deleted.
1884         (JSC::JITCodeMap::append): Deleted.
1885         (JSC::JITCodeMap::finish): Deleted.
1886
1887 2020-02-12  Pavel Feldman  <pavel.feldman@gmail.com>
1888
1889         Web Inspector: encode binary web socket frames using base64
1890         https://bugs.webkit.org/show_bug.cgi?id=207448
1891
1892         The previous representation of binary frames was lossy, using fromUTF8WithLatin1Fallback;
1893         this patch consistently encodes binary data using base64.
1894
1895         Reviewed by Timothy Hatcher.
1896
1897         * inspector/protocol/Network.json:
1898
1899 2020-02-12  Simon Fraser  <simon.fraser@apple.com>
1900
1901         Remove CSS_DEVICE_ADAPTATION
1902         https://bugs.webkit.org/show_bug.cgi?id=203479
1903
1904         Reviewed by Tim Horton.
1905
1906         CSS Working Group resolved to remove @viewport <https://github.com/w3c/csswg-drafts/issues/4766>,
1907         so remove the code.
1908
1909         * Configurations/FeatureDefines.xcconfig:
1910
1911 2020-02-12  Yusuke Suzuki  <ysuzuki@apple.com>
1912
1913         [JSC] Compact StructureTransitionTable
1914         https://bugs.webkit.org/show_bug.cgi?id=207616
1915
1916         Reviewed by Mark Lam.
1917
1918         Some StructureTransitionTables show up as very large HashMaps, and we can compact them by encoding the key.
1919         We leverage 48-bit pointers and the 8-byte alignment of UniquedStringImpl* to encode other parameters into it.
1920
1921         * runtime/Structure.cpp:
1922         (JSC::StructureTransitionTable::contains const):
1923         (JSC::StructureTransitionTable::get const):
1924         (JSC::StructureTransitionTable::add):
1925         * runtime/Structure.h:
1926         * runtime/StructureTransitionTable.h:
1927         (JSC::StructureTransitionTable::Hash::Key::Key):
1928         (JSC::StructureTransitionTable::Hash::Key::isHashTableDeletedValue const):
1929         (JSC::StructureTransitionTable::Hash::Key::impl const):
1930         (JSC::StructureTransitionTable::Hash::Key::isAddition const):
1931         (JSC::StructureTransitionTable::Hash::Key::attributes const):
1932         (JSC::StructureTransitionTable::Hash::Key::operator==):
1933         (JSC::StructureTransitionTable::Hash::Key::operator!=):
1934         (JSC::StructureTransitionTable::Hash::hash):
1935         (JSC::StructureTransitionTable::Hash::equal):
1936
1937 2020-02-12  Yusuke Suzuki  <ysuzuki@apple.com>
1938
1939         [JSC] Make RegExpCache small
1940         https://bugs.webkit.org/show_bug.cgi?id=207619
1941
1942         Reviewed by Mark Lam.
1943
1944         We can compact RegExpKey by using PackedRefPtr, so that we can shrink memory consumption of RegExpCache.
1945
1946         * runtime/RegExpKey.h:
1947
1948 2020-02-10  Mark Lam  <mark.lam@apple.com>
1949
1950         Placate exception check validator in GenericArguments<Type>::put().
1951         https://bugs.webkit.org/show_bug.cgi?id=207485
1952         <rdar://problem/59302535>
1953
1954         Reviewed by Robin Morisset.
1955
1956         * runtime/GenericArgumentsInlines.h:
1957         (JSC::GenericArguments<Type>::put):
1958
1959 2020-02-10  Mark Lam  <mark.lam@apple.com>
1960
1961         Missing exception check in GenericArguments<Type>::deletePropertyByIndex().
1962         https://bugs.webkit.org/show_bug.cgi?id=207483
1963         <rdar://problem/59302616>
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * runtime/GenericArgumentsInlines.h:
1968         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1969
1970 2020-02-10  Truitt Savell  <tsavell@apple.com>
1971
1972         Unreviewed, rolling out r256091.
1973
1974         Broke internal builds
1975
1976         Reverted changeset:
1977
1978         "Move trivial definitions from FeatureDefines.xcconfig to
1979         PlatformEnableCocoa.h"
1980         https://bugs.webkit.org/show_bug.cgi?id=207155
1981         https://trac.webkit.org/changeset/256091
1982
1983 2020-02-10  Truitt Savell  <tsavell@apple.com>
1984
1985         Unreviewed, rolling out r256103.
1986
1987         This patch is blocking the rollout of r256091
1988
1989         Reverted changeset:
1990
1991         "Move JavaScriptCore related feature defines from
1992         FeatureDefines.xcconfig to PlatformEnableCocoa.h"
1993         https://bugs.webkit.org/show_bug.cgi?id=207436
1994         https://trac.webkit.org/changeset/256103
1995
1996 2020-02-09  Keith Rollin  <krollin@apple.com>
1997
1998         Re-enable LTO for ARM builds
1999         https://bugs.webkit.org/show_bug.cgi?id=207402
2000         <rdar://problem/49190767>
2001
2002         Reviewed by Sam Weinig.
2003
2004         Bug 190758 re-enabled LTO for Production builds for x86-family CPUs.
2005         Enabling it for ARM was left out due to a compiler issue. That issue
2006         has been fixed, and so now we can re-enable LTO for ARM.
2007
2008         * Configurations/Base.xcconfig:
2009
2010 2020-02-08  Sam Weinig  <weinig@apple.com>
2011
2012         Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h
2013         https://bugs.webkit.org/show_bug.cgi?id=207436
2014
2015         Reviewed by Tim Horton.
2016
2017         * Configurations/FeatureDefines.xcconfig:
2018         Remove ENABLE_FAST_JIT_PERMISSIONS and ENABLE_FTL_JIT.
2019
2020 2020-02-08  Sam Weinig  <weinig@apple.com>
2021
2022         Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h
2023         https://bugs.webkit.org/show_bug.cgi?id=207155
2024
2025         Reviewed by Tim Horton.
2026
2027         Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;)
2028         from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one
2029         also has a default value in PlatformEnable.h.
2030
2031         To support the move, DerivedSources.make has been updated to generate the list
2032         of ENABLE_* features directly by preprocessing Platform.h, rather than
2033         just getting the partial list from the xcconfig file.
2034
2035         * Configurations/FeatureDefines.xcconfig:
2036         * DerivedSources.make:
2037
2038 2020-02-07  Robin Morisset  <rmorisset@apple.com>
2039
2040         Throw OutOfMemory exception instead of crashing if DirectArguments/ScopedArguments can't be created
2041         https://bugs.webkit.org/show_bug.cgi?id=207423
2042
2043         Reviewed by Mark Lam.
2044
2045         AllocationFailureMode::Assert is problematic because fuzzers keep producing spurious error reports when they generate code that tries allocating an infinite amount of memory.
2046         The right approach is to use AllocationFailureMode::ReturnNull, and throw a JS exception upon receiving null.
2047
2048         In this patch I fixed two functions that were using AllocationFailureMode::Assert:
2049             DirectArguments::DirectArguments::overrideThings
2050             GenericArguments<Type>::initModifiedArgumentsDescriptor
2051
2052         No test added, because the only test we have is highly non-deterministic/flaky (only triggers about 10 to 20% of the time even before the fix).
2053
2054         * runtime/DirectArguments.h:
2055         * runtime/GenericArguments.h:
2056         * runtime/GenericArgumentsInlines.h:
2057         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2058         (JSC::GenericArguments<Type>::defineOwnProperty):
2059         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
2060         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
2061         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
2062         * runtime/ScopedArguments.h:
2063
2064 2020-02-07  Ryan Haddad  <ryanhaddad@apple.com>
2065
2066         Unreviewed, rolling out r256051.
2067
2068         Broke internal builds.
2069
2070         Reverted changeset:
2071
2072         "Move trivial definitions from FeatureDefines.xcconfig to
2073         PlatformEnableCocoa.h"
2074         https://bugs.webkit.org/show_bug.cgi?id=207155
2075         https://trac.webkit.org/changeset/256051
2076
2077 2020-02-07  Sam Weinig  <weinig@apple.com>
2078
2079         Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h
2080         https://bugs.webkit.org/show_bug.cgi?id=207155
2081
2082         Reviewed by Tim Horton.
2083         
2084         Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;)
2085         from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one
2086         also has a default value in PlatformEnable.h.
2087
2088         To support the move, DerivedSources.make has been updated to generate the list
2089         of ENABLE_* features directly from preprocessing Platform.h, rather than
2090         just getting the partial list from the xcconfig file.
2091
2092         * Configurations/FeatureDefines.xcconfig:
2093         * DerivedSources.make:
2094
2095 2020-02-07  Yusuke Suzuki  <ysuzuki@apple.com>
2096
2097         [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
2098         https://bugs.webkit.org/show_bug.cgi?id=207356
2099
2100         Reviewed by Mark Lam.
2101
2102         Only 32bit architectures are using m_constantRegisters's address. 64bit architectures are not relying on m_constantRegisters's address.
2103         This patch fixes the thing so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
2104         regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd
2105         since they can add more constant registers.
2106
2107         Relanding it by fixing dead-lock.
2108
2109         * bytecode/CodeBlock.cpp:
2110         (JSC::CodeBlock::shrinkToFit):
2111         * bytecode/CodeBlock.h:
2112         * dfg/DFGJITCompiler.cpp:
2113         (JSC::DFG::JITCompiler::compile):
2114         (JSC::DFG::JITCompiler::compileFunction):
2115         * dfg/DFGJITFinalizer.cpp:
2116         (JSC::DFG::JITFinalizer::finalizeCommon):
2117         * dfg/DFGPlan.cpp:
2118         (JSC::DFG::Plan::compileInThreadImpl):
2119         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2120         * jit/JIT.cpp:
2121         (JSC::JIT::link):
2122         * jit/JIT.h:
2123         * jit/JITInlines.h:
2124         (JSC::JIT::emitLoadDouble):
2125         (JSC::JIT::emitLoadInt32ToDouble): Deleted.
2126
2127 2020-02-06  Robin Morisset  <rmorisset@apple.com>
2128
2129         Most of B3 and Air does not need to include CCallHelpers.h
2130         https://bugs.webkit.org/show_bug.cgi?id=206975
2131
2132         Reviewed by Mark Lam.
2133
2134         They only do so to use CCallHelpers::Jump or CCallHelpers::Label.
2135         But CCallHelpers inherits those from MacroAssembler. And MacroAssembler.h is dramatically cheaper to include (since CCallHelpers includes AssemblyHelpers, which includes CodeBlock.h, which includes roughly the entire runtime).
2136
2137         * b3/B3CheckSpecial.cpp:
2138         * b3/B3CheckSpecial.h:
2139         * b3/B3LowerMacros.cpp:
2140         * b3/B3PatchpointSpecial.cpp:
2141         (JSC::B3::PatchpointSpecial::generate):
2142         * b3/B3PatchpointSpecial.h:
2143         * b3/B3StackmapGenerationParams.cpp:
2144         (JSC::B3::StackmapGenerationParams::successorLabels const):
2145         * b3/B3StackmapGenerationParams.h:
2146         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
2147         * b3/air/AirCCallSpecial.cpp:
2148         * b3/air/AirCCallSpecial.h:
2149         * b3/air/AirCode.cpp:
2150         * b3/air/AirCode.h:
2151         (JSC::B3::Air::Code::entrypointLabel const):
2152         * b3/air/AirCustom.cpp:
2153         (JSC::B3::Air::CCallCustom::generate):
2154         (JSC::B3::Air::ShuffleCustom::generate):
2155         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
2156         * b3/air/AirCustom.h:
2157         (JSC::B3::Air::PatchCustom::generate):
2158         (JSC::B3::Air::EntrySwitchCustom::generate):
2159         * b3/air/AirDisassembler.cpp:
2160         (JSC::B3::Air::Disassembler::addInst):
2161         * b3/air/AirDisassembler.h:
2162         * b3/air/AirGenerationContext.h:
2163         * b3/air/AirInst.h:
2164         * b3/air/AirPrintSpecial.cpp:
2165         (JSC::B3::Air::PrintSpecial::generate):
2166         * b3/air/AirPrintSpecial.h:
2167         * b3/air/AirSpecial.h:
2168         * b3/air/AirValidate.cpp:
2169         * b3/air/opcode_generator.rb:
2170
2171 2020-02-06  Commit Queue  <commit-queue@webkit.org>
2172
2173         Unreviewed, rolling out r255987.
2174         https://bugs.webkit.org/show_bug.cgi?id=207369
2175
2176         JSTests failures (Requested by yusukesuzuki on #webkit).
2177
2178         Reverted changeset:
2179
2180         "[JSC] CodeBlock::shrinkToFit should shrink
2181         m_constantRegisters and m_constantsSourceCodeRepresentation in
2182         64bit architectures"
2183         https://bugs.webkit.org/show_bug.cgi?id=207356
2184         https://trac.webkit.org/changeset/255987
2185
2186 2020-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
2187
2188         [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
2189         https://bugs.webkit.org/show_bug.cgi?id=207356
2190
2191         Reviewed by Mark Lam.
2192
2193         Only 32bit architectures are using m_constantRegisters's address. 64bit architectures are not relying on m_constantRegisters's address.
2194         This patch fixes the thing so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
2195         regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd
2196         since they can add more constant registers.
2197
2198         * bytecode/CodeBlock.cpp:
2199         (JSC::CodeBlock::shrinkToFit):
2200         * bytecode/CodeBlock.h:
2201         * dfg/DFGJITCompiler.cpp:
2202         (JSC::DFG::JITCompiler::compile):
2203         (JSC::DFG::JITCompiler::compileFunction):
2204         * dfg/DFGJITFinalizer.cpp:
2205         (JSC::DFG::JITFinalizer::finalizeCommon):
2206         * dfg/DFGPlan.cpp:
2207         (JSC::DFG::Plan::compileInThreadImpl):
2208         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2209         * jit/JIT.cpp:
2210         (JSC::JIT::link):
2211         * jit/JIT.h:
2212         * jit/JITInlines.h:
2213         (JSC::JIT::emitLoadDouble):
2214         (JSC::JIT::emitLoadInt32ToDouble): Deleted.
2215
2216 2020-02-05  Don Olmstead  <don.olmstead@sony.com>
2217
2218         [PlayStation] Build a shared JavaScriptCore
2219         https://bugs.webkit.org/show_bug.cgi?id=198446
2220
2221         Reviewed by Fujii Hironori.
2222
2223         Add TARGET_OBJECTS for bmalloc and WTF so JavaScriptCore links. Add bmalloc and
2224         WTF compile definitions so exports are exposed.
2225
2226         * PlatformPlayStation.cmake:
2227
2228 2020-02-05  Justin Michaud  <justin_michaud@apple.com>
2229
2230         Deleting a property should not turn structures into uncacheable dictionaries
2231         https://bugs.webkit.org/show_bug.cgi?id=206430
2232
2233         Reviewed by Yusuke Suzuki.
2234
2235         Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Instead, we should allow it to transition to a new regular structure like adding a property does. This means that we have to:
2236
2237         1) Break the assumption that structure transition offsets increase monotonically
2238
2239         We add a new flag to tell that a structure has deleted its property, and update materializePropertyTable to use it.
2240
2241         2) Add a new transition map and transition kind for deletes
2242
2243         We cache the delete transition. We will not transition back to a previous structure if you add then immediately remove a property.
2244
2245         3) Find some heuristic for when we should actually transition to uncacheable dictionary.
2246
2247         Since deleting properties is expected to be rare, we just walk the structure list and count its size on removal.
2248
2249         This patch also fixes a related bug in addProperty, where we did not use a GCSafeConcurrentJSLocker, and adds an option to trigger the bug. Finally, we add some helper methods to dollarVM to test.
2250
2251         This gives a 24x speedup on delete-property-keeps-cacheable-structure.js, and is neutral on delete-property-from-prototype-chain.js (which was already generating code using the inline cache).
2252
2253         * heap/HeapInlines.h:
2254         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2255         * runtime/JSObject.cpp:
2256         (JSC::JSObject::deleteProperty):
2257         * runtime/OptionsList.h:
2258         * runtime/PropertyMapHashTable.h:
2259         (JSC::PropertyTable::get):
2260         (JSC::PropertyTable::add):
2261         (JSC::PropertyTable::addDeletedOffset):
2262         (JSC::PropertyTable::reinsert):
2263         * runtime/Structure.cpp:
2264         (JSC::StructureTransitionTable::contains const):
2265         (JSC::StructureTransitionTable::get const):
2266         (JSC::StructureTransitionTable::add):
2267         (JSC::Structure::Structure):
2268         (JSC::Structure::materializePropertyTable):
2269         (JSC::Structure::addNewPropertyTransition):
2270         (JSC::Structure::removePropertyTransition):
2271         (JSC::Structure::removePropertyTransitionFromExistingStructure):
2272         (JSC::Structure::removeNewPropertyTransition):
2273         (JSC::Structure::toUncacheableDictionaryTransition):
2274         (JSC::Structure::remove):
2275         (JSC::Structure::visitChildren):
2276         * runtime/Structure.h:
2277         * runtime/StructureInlines.h:
2278         (JSC::Structure::forEachPropertyConcurrently):
2279         (JSC::Structure::add):
2280         (JSC::Structure::remove):
2281         (JSC::Structure::removePropertyWithoutTransition):
2282         * runtime/StructureTransitionTable.h:
2283         (JSC::StructureTransitionTable::Hash::hash):
2284         * tools/JSDollarVM.cpp:
2285         (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
2286         (JSC::functionGetConcurrently):
2287         (JSC::JSDollarVM::finishCreation):
2288
2289 2020-02-05  Devin Rousso  <drousso@apple.com>
2290
2291         Web Inspector: Sources: add a special breakpoint for controlling whether `debugger` statements pause
2292         https://bugs.webkit.org/show_bug.cgi?id=206818
2293
2294         Reviewed by Timothy Hatcher.
2295
2296         * inspector/protocol/Debugger.json:
2297         * inspector/agents/InspectorDebuggerAgent.h:
2298         * inspector/agents/InspectorDebuggerAgent.cpp:
2299         (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements): Added.
2300
2301         * bytecompiler/NodesCodegen.cpp:
2302         (JSC::DebuggerStatementNode::emitBytecode):
2303         * bytecode/CodeBlock.cpp:
2304         (JSC::CodeBlock::finishCreation):
2305         * bytecode/UnlinkedCodeBlock.cpp:
2306         (JSC::dumpLineColumnEntry):
2307         * interpreter/Interpreter.h:
2308         * interpreter/Interpreter.cpp:
2309         (JSC::Interpreter::debug):
2310         (WTF::printInternal):
2311         * debugger/Debugger.h:
2312         (JSC::Debugger::setPauseOnDebuggerStatements): Added.
2313         * debugger/Debugger.cpp:
2314         (JSC::Debugger::didReachDebuggerStatement): Added.
2315         (JSC::Debugger::didReachBreakpoint): Deleted.
2316         Replace `DebugHookType::DidReachBreakpoint` with `DebugHookType::DidReachDebuggerStatement`,
2317         as it is only actually used for `debugger;` statements, not breakpoints.
2318
2319 2020-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2320
2321         [JSC] Structure::setMaxOffset and setTransitionOffset are racy
2322         https://bugs.webkit.org/show_bug.cgi?id=207249
2323
2324         Reviewed by Mark Lam.
2325
2326         We hit a crash in JSTests/stress/array-slice-osr-exit-2.js. The situation is as follows.
2327
2328             1. The mutator thread (A) is working.
2329             2. The concurrent collector (B) is working.
2330             3. A attempts to set m_maxOffset in StructureRareData by allocating it. First, A sets Structure::m_maxOffset to useRareDataFlag.
2331             4. B is in JSObject::visitButterflyImpl, and is executing Structure::maxOffset().
2332             5. B detects that m_maxOffset is useRareDataFlag.
2333             6. B attempts to load rareData, but this is not a StructureRareData since A is just now setting up StructureRareData.
2334             7. B crashes.
2335
2336         Set useRareDataFlag after StructureRareData is set. We ensure this store order by using storeStoreFence.
2337
2338         * runtime/Structure.h:
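
The publication order the entry above settles on, as an added example that is not JSC source: a simplified model in which Structure::m_maxOffset holds the offset inline or a useRareDataFlag sentinel that tells readers to consult the rare data. The class layout, the sentinel value and the StructureRareData fields are constructed for illustration, and std::atomic_thread_fence stands in for WTF's storeStoreFence.

```cpp
#include <atomic>
#include <cstdint>

// Constructed stand-in for StructureRareData: only the field this example needs.
struct StructureRareData {
    std::atomic<uint32_t> maxOffset { 0 };
};

class Structure {
public:
    // Sentinel meaning "the real value lives in m_rareData" (constructed value).
    static constexpr uint32_t useRareDataFlag = 0xFFFF;

    ~Structure() { delete m_rareData.load(std::memory_order_relaxed); }

    // Called on the mutator thread only.
    void setMaxOffset(uint32_t offset)
    {
        if (offset < useRareDataFlag) {
            m_maxOffset.store(offset, std::memory_order_relaxed);
            return;
        }
        StructureRareData* rareData = m_rareData.load(std::memory_order_relaxed);
        if (!rareData) {
            rareData = new StructureRareData;
            m_rareData.store(rareData, std::memory_order_relaxed);
        }
        rareData->maxOffset.store(offset, std::memory_order_relaxed);
        // The rare data and its contents must become visible before the flag that
        // tells readers to look there. Writing the flag first is exactly the race the
        // ChangeLog describes: a collector thread sees the flag, follows the pointer,
        // and finds something that is not yet a StructureRareData.
        std::atomic_thread_fence(std::memory_order_release);
        m_maxOffset.store(useRareDataFlag, std::memory_order_relaxed);
    }

    // May run on the concurrent collector thread while the mutator is in setMaxOffset.
    uint32_t maxOffset() const
    {
        uint32_t value = m_maxOffset.load(std::memory_order_relaxed);
        if (value != useRareDataFlag)
            return value;
        // Pairs with the release fence above: once the flag is observed, the pointer
        // store and the maxOffset store that preceded it are guaranteed visible.
        std::atomic_thread_fence(std::memory_order_acquire);
        return m_rareData.load(std::memory_order_relaxed)->maxOffset.load(std::memory_order_relaxed);
    }

    bool usesRareData() const
    {
        return m_maxOffset.load(std::memory_order_relaxed) == useRareDataFlag;
    }

private:
    std::atomic<uint32_t> m_maxOffset { 0 };
    std::atomic<StructureRareData*> m_rareData { nullptr };
};

// Round-trip helpers covering both the inline and the rare-data storage paths.
uint32_t roundTripMaxOffset(uint32_t offset)
{
    Structure structure;
    structure.setMaxOffset(offset);
    return structure.maxOffset();
}

bool roundTripUsesRareData(uint32_t offset)
{
    Structure structure;
    structure.setMaxOffset(offset);
    return structure.usesRareData();
}
```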
2339
2340 2020-02-04  Adrian Perez de Castro  <aperez@igalia.com>
2341
2342         Non-unified build fixes early February 2020 edition
2343         https://bugs.webkit.org/show_bug.cgi?id=207227
2344
2345         Reviewed by Don Olmstead.
2346
2347         * bytecode/PolyProtoAccessChain.h: Add missing inclusions of StructureIDTable.h and VM.h
2348
2349 2020-02-04  Alex Christensen  <achristensen@webkit.org>
2350
2351         Fix Mac CMake build
2352         https://bugs.webkit.org/show_bug.cgi?id=207231
2353
2354         * PlatformMac.cmake:
2355
2356 2020-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2357
2358         [JSC] Use PackedRefPtr in UnlinkedCodeBlock
2359         https://bugs.webkit.org/show_bug.cgi?id=207229
2360
2361         Reviewed by Mark Lam.
2362
2363         Use PackedRefPtr in UnlinkedCodeBlock to compact it from 168 to 160, which saves 16 bytes (10%) per UnlinkedCodeBlock since
2364         we have 16 bytes alignment for GC cells.
2365
2366         * bytecode/UnlinkedCodeBlock.h:
2367         (JSC::UnlinkedCodeBlock::sourceURLDirective const):
2368         (JSC::UnlinkedCodeBlock::sourceMappingURLDirective const):
2369         (JSC::UnlinkedCodeBlock::setSourceURLDirective):
2370         (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective):
2371         * runtime/CachedTypes.cpp:
2372         (JSC::CachedCodeBlock::sourceURLDirective const):
2373         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
2374         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2375         * runtime/CodeCache.cpp:
2376         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2377
2378 2020-02-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2379
2380         Quantifiers after lookahead assertions should be syntax errors in Unicode patterns only
2381         https://bugs.webkit.org/show_bug.cgi?id=206988
2382
2383         Reviewed by Darin Adler and Ross Kirsling.
2384
2385         This change adds SyntaxError for quantifiable assertions in Unicode patterns,
2386         aligning JSC with V8 and SpiderMonkey.
2387
2388         Grammar: https://tc39.es/ecma262/#prod-annexB-Term
2389         (/u flag precludes the use of QuantifiableAssertion)
2390
2391         Return value of parseParenthesesEnd() now matches with parseEscape() and
2392         parseAtomEscape().
2393
2394         * yarr/YarrParser.h:
2395         (JSC::Yarr::Parser::parseParenthesesBegin):
2396         (JSC::Yarr::Parser::parseParenthesesEnd):
2397         (JSC::Yarr::Parser::parseTokens):
2398
2399 2020-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2400
2401         [JSC] Introduce UnlinkedCodeBlockGenerator and reduce sizeof(UnlinkedCodeBlock)
2402         https://bugs.webkit.org/show_bug.cgi?id=207087
2403
2404         Reviewed by Tadeu Zagallo.
2405
2406         While UnlinkedCodeBlock is immutable once it is created from BytecodeGenerator, it has many mutable Vectors.
2407         This is because we are using UnlinkedCodeBlock as a builder of UnlinkedCodeBlock itself too in BytecodeGenerator.
2408         Since Vector takes 16 bytes to allow efficient expansions, it is nice if we can use RefCountedArray instead when
2409         we know this Vector is immutable.
2410
2411         In this patch, we introduce UnlinkedCodeBlockGenerator wrapper. BytecodeGenerator, BytecodeRewriter, BytecodeDumper,
2412         and BytecodeGeneratorification interact with UnlinkedCodeBlockGenerator instead of UnlinkedCodeBlock. And UnlinkedCodeBlockGenerator
2413         will generate the finalized UnlinkedCodeBlock. This design allows us to use RefCountedArray for data in UnlinkedCodeBlock,
2414         which is (1) smaller and (2) doing shrinkToFit operation when creating it from Vector.
2415
2416         This patch reduces sizeof(UnlinkedCodeBlock) from 256 to 168, an 88-byte reduction.
2417
2418         * JavaScriptCore.xcodeproj/project.pbxproj:
2419         * Sources.txt:
2420         * bytecode/BytecodeBasicBlock.cpp:
2421         (JSC::BytecodeBasicBlock::compute):
2422         * bytecode/BytecodeBasicBlock.h:
2423         * bytecode/BytecodeDumper.cpp:
2424         * bytecode/BytecodeGeneratorification.cpp:
2425         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2426         (JSC::GeneratorLivenessAnalysis::run):
2427         (JSC::BytecodeGeneratorification::run):
2428         (JSC::performGeneratorification):
2429         * bytecode/BytecodeGeneratorification.h:
2430         * bytecode/BytecodeRewriter.h:
2431         (JSC::BytecodeRewriter::BytecodeRewriter):
2432         * bytecode/CodeBlock.cpp:
2433         (JSC::CodeBlock::finishCreation):
2434         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2435         (JSC::CodeBlock::setConstantRegisters):
2436         (JSC::CodeBlock::handlerForIndex):
2437         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2438         * bytecode/CodeBlock.h:
2439         (JSC::CodeBlock::numberOfSwitchJumpTables const):
2440         (JSC::CodeBlock::numberOfStringSwitchJumpTables const):
2441         (JSC::CodeBlock::addSwitchJumpTable): Deleted.
2442         (JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
2443         * bytecode/HandlerInfo.h:
2444         (JSC::HandlerInfoBase::handlerForIndex):
2445         * bytecode/JumpTable.h:
2446         (JSC::SimpleJumpTable::add): Deleted.
2447         * bytecode/PreciseJumpTargets.cpp:
2448         (JSC::computePreciseJumpTargets):
2449         (JSC::recomputePreciseJumpTargets):
2450         (JSC::findJumpTargetsForInstruction):
2451         * bytecode/PreciseJumpTargets.h:
2452         * bytecode/UnlinkedCodeBlock.cpp:
2453         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2454         (JSC::UnlinkedCodeBlock::visitChildren):
2455         (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
2456         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const):
2457         (JSC::UnlinkedCodeBlock::handlerForIndex):
2458         (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
2459         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
2460         (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
2461         (JSC::UnlinkedCodeBlock::applyModification): Deleted.
2462         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2463         (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget): Deleted.
2464         * bytecode/UnlinkedCodeBlock.h:
2465         (JSC::UnlinkedCodeBlock::expressionInfo):
2466         (JSC::UnlinkedCodeBlock::setNumParameters):
2467         (JSC::UnlinkedCodeBlock::numberOfIdentifiers const):
2468         (JSC::UnlinkedCodeBlock::identifiers const):
2469         (JSC::UnlinkedCodeBlock::bitVector):
2470         (JSC::UnlinkedCodeBlock::constantRegisters):
2471         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
2472         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2473         (JSC::UnlinkedCodeBlock::numberOfJumpTargets const):
2474         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables const):
2475         (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables const):
2476         (JSC::UnlinkedCodeBlock::numberOfFunctionDecls):
2477         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers const):
2478         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
2479         (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
2480         (JSC::UnlinkedCodeBlock::addParameter): Deleted.
2481         (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
2482         (JSC::UnlinkedCodeBlock::addBitVector): Deleted.
2483         (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
2484         (JSC::UnlinkedCodeBlock::addConstant): Deleted.
2485         (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
2486         (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
2487         (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
2488         (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
2489         (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
2490         (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
2491         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
2492         (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets): Deleted.
2493         * bytecode/UnlinkedCodeBlockGenerator.cpp: Added.
2494         (JSC::UnlinkedCodeBlockGenerator::getLineAndColumn const):
2495         (JSC::UnlinkedCodeBlockGenerator::addExpressionInfo):
2496         (JSC::UnlinkedCodeBlockGenerator::addTypeProfilerExpressionInfo):
2497         (JSC::UnlinkedCodeBlockGenerator::finalize):
2498         (JSC::UnlinkedCodeBlockGenerator::handlerForBytecodeIndex):
2499         (JSC::UnlinkedCodeBlockGenerator::handlerForIndex):
2500         (JSC::UnlinkedCodeBlockGenerator::applyModification):
2501         (JSC::UnlinkedCodeBlockGenerator::addOutOfLineJumpTarget):
2502         (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset):
2503         (JSC::UnlinkedCodeBlockGenerator::dump const):
2504         * bytecode/UnlinkedCodeBlockGenerator.h: Added.
2505         (JSC::UnlinkedCodeBlockGenerator::UnlinkedCodeBlockGenerator):
2506         (JSC::UnlinkedCodeBlockGenerator::vm):
2507         (JSC::UnlinkedCodeBlockGenerator::isConstructor const):
2508         (JSC::UnlinkedCodeBlockGenerator::constructorKind const):
2509         (JSC::UnlinkedCodeBlockGenerator::superBinding const):
2510         (JSC::UnlinkedCodeBlockGenerator::scriptMode const):
2511         (JSC::UnlinkedCodeBlockGenerator::needsClassFieldInitializer const):
2512         (JSC::UnlinkedCodeBlockGenerator::isStrictMode const):
2513         (JSC::UnlinkedCodeBlockGenerator::usesEval const):
2514         (JSC::UnlinkedCodeBlockGenerator::parseMode const):
2515         (JSC::UnlinkedCodeBlockGenerator::isArrowFunction):
2516         (JSC::UnlinkedCodeBlockGenerator::derivedContextType const):
2517         (JSC::UnlinkedCodeBlockGenerator::evalContextType const):
2518         (JSC::UnlinkedCodeBlockGenerator::isArrowFunctionContext const):
2519         (JSC::UnlinkedCodeBlockGenerator::isClassContext const):
2520         (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const):
2521         (JSC::UnlinkedCodeBlockGenerator::numVars const):
2522         (JSC::UnlinkedCodeBlockGenerator::numParameters const):
2523         (JSC::UnlinkedCodeBlockGenerator::thisRegister const):
2524         (JSC::UnlinkedCodeBlockGenerator::scopeRegister const):
2525         (JSC::UnlinkedCodeBlockGenerator::wasCompiledWithDebuggingOpcodes const):
2526         (JSC::UnlinkedCodeBlockGenerator::hasCheckpoints const):
2527         (JSC::UnlinkedCodeBlockGenerator::hasTailCalls const):
2528         (JSC::UnlinkedCodeBlockGenerator::setHasCheckpoints):
2529         (JSC::UnlinkedCodeBlockGenerator::setHasTailCalls):
2530         (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals):
2531         (JSC::UnlinkedCodeBlockGenerator::setNumVars):
2532         (JSC::UnlinkedCodeBlockGenerator::setThisRegister):
2533         (JSC::UnlinkedCodeBlockGenerator::setScopeRegister):
2534         (JSC::UnlinkedCodeBlockGenerator::setNumParameters):
2535         (JSC::UnlinkedCodeBlockGenerator::metadata):
2536         (JSC::UnlinkedCodeBlockGenerator::addOpProfileControlFlowBytecodeOffset):
2537         (JSC::UnlinkedCodeBlockGenerator::numberOfJumpTargets const):
2538         (JSC::UnlinkedCodeBlockGenerator::addJumpTarget):
2539         (JSC::UnlinkedCodeBlockGenerator::jumpTarget const):
2540         (JSC::UnlinkedCodeBlockGenerator::lastJumpTarget const):
2541         (JSC::UnlinkedCodeBlockGenerator::numberOfSwitchJumpTables const):
2542         (JSC::UnlinkedCodeBlockGenerator::addSwitchJumpTable):
2543         (JSC::UnlinkedCodeBlockGenerator::switchJumpTable):
2544         (JSC::UnlinkedCodeBlockGenerator::numberOfStringSwitchJumpTables const):
2545         (JSC::UnlinkedCodeBlockGenerator::addStringSwitchJumpTable):
2546         (JSC::UnlinkedCodeBlockGenerator::stringSwitchJumpTable):
2547         (JSC::UnlinkedCodeBlockGenerator::numberOfExceptionHandlers const):
2548         (JSC::UnlinkedCodeBlockGenerator::exceptionHandler):
2549         (JSC::UnlinkedCodeBlockGenerator::addExceptionHandler):
2550         (JSC::UnlinkedCodeBlockGenerator::bitVector):
2551         (JSC::UnlinkedCodeBlockGenerator::addBitVector):
2552         (JSC::UnlinkedCodeBlockGenerator::numberOfConstantIdentifierSets const):
2553         (JSC::UnlinkedCodeBlockGenerator::constantIdentifierSets):
2554         (JSC::UnlinkedCodeBlockGenerator::addSetConstant):
2555         (JSC::UnlinkedCodeBlockGenerator::constantRegister const):
2556         (JSC::UnlinkedCodeBlockGenerator::constantRegisters):
2557         (JSC::UnlinkedCodeBlockGenerator::getConstant const):
2558         (JSC::UnlinkedCodeBlockGenerator::constantsSourceCodeRepresentation):
2559         (JSC::UnlinkedCodeBlockGenerator::addConstant):
2560         (JSC::UnlinkedCodeBlockGenerator::addFunctionDecl):
2561         (JSC::UnlinkedCodeBlockGenerator::addFunctionExpr):
2562         (JSC::UnlinkedCodeBlockGenerator::numberOfIdentifiers const):
2563         (JSC::UnlinkedCodeBlockGenerator::identifier const):
2564         (JSC::UnlinkedCodeBlockGenerator::addIdentifier):
2565         (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset):
2566         (JSC::UnlinkedCodeBlockGenerator::replaceOutOfLineJumpTargets):
2567         (JSC::UnlinkedCodeBlockGenerator::metadataSizeInBytes):
2568         * bytecompiler/BytecodeGenerator.cpp:
2569         (JSC::BytecodeGenerator::generate):
2570         (JSC::BytecodeGenerator::BytecodeGenerator):
2571         (JSC::BytecodeGenerator::initializeNextParameter):
2572         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2573         (JSC::prepareJumpTableForSwitch):
2574         (JSC::ForInContext::finalize):
2575         (JSC::StructureForInContext::finalize):
2576         (JSC::IndexedForInContext::finalize):
2577         * bytecompiler/BytecodeGenerator.h:
2578         * bytecompiler/BytecodeGeneratorBaseInlines.h:
2579         (JSC::BytecodeGeneratorBase<Traits>::newRegister):
2580         (JSC::BytecodeGeneratorBase<Traits>::addVar):
2581         * runtime/CachedTypes.cpp:
2582         (JSC::CachedVector::encode):
2583         (JSC::CachedVector::decode const):
2584         * wasm/WasmFunctionCodeBlock.h:
2585         (JSC::Wasm::FunctionCodeBlock::setNumVars):
2586         (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals):
2587
2588 2020-02-04  Devin Rousso  <drousso@apple.com>
2589
2590         Web Inspector: REGRESSION(r248287): Console: function objects saved to a $n will be invoked instead of just referenced when evaluating in the Console
2591         https://bugs.webkit.org/show_bug.cgi?id=207180
2592         <rdar://problem/58860268>
2593
2594         Reviewed by Joseph Pecoraro.
2595
2596         * inspector/InjectedScriptSource.js:
2597         (CommandLineAPI):
2598         Instead of deciding whether to wrap the value given for a `$n` getter based on if the value
2599         is already a function, always wrap getter values in a function so that if the value being
2600         stored in the getter is already a function, it isn't used as the callback for the getter and
2601         therefore invoked when the getter is referenced.
2602
2603 2020-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2604
2605         [JSC] Use PackedPtr for VariableEnvironment
2606         https://bugs.webkit.org/show_bug.cgi?id=207172
2607
2608         Reviewed by Mark Lam.
2609
2610         Since VariableEnvironment's KeyValue is key: pointer + value: 2 bytes, using PackedPtr can make it 8 bytes, a 50% reduction.
2611
2612         * parser/VariableEnvironment.h:
2613         * runtime/CachedTypes.cpp:
2614         (JSC::CachedRefPtr::encode):
2615         (JSC::CachedRefPtr::decode const): CachedTypes should handle PackedPtr too since VariableEnvironment starts using it.
2616
2617 2020-02-03  Alexey Shvayka  <shvaikalesh@gmail.com>
2618
2619         \0 identity escapes should be syntax errors in Unicode patterns only
2620         https://bugs.webkit.org/show_bug.cgi?id=207114
2621
2622         Reviewed by Darin Adler.
2623
2624         This change adds a separate check for the null character because `strchr`
2625         always returns a non-null pointer when called with '\0' as the second argument.
2626
2627         Grammar: https://tc39.es/ecma262/#prod-annexB-IdentityEscape
2628         (/u flag precludes the use of SourceCharacterIdentityEscape)
2629
2630         * yarr/YarrParser.h:
2631         (JSC::Yarr::Parser::isIdentityEscapeAnError):
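
The strchr pitfall the entry above fixes, as an added example that is not Yarr's code: a constructed model of the identity-escape check, with a buggy and a corrected variant side by side. The permitted-character table and function names are assumptions; the real parser only reaches this check after character-class, control and backreference escapes have been ruled out.

```cpp
#include <cstring>

// Identity escapes permitted under the /u flag: SyntaxCharacter plus '/'.
// Outside Unicode mode (Annex B) any source character may follow the backslash.
static const char kUnicodeIdentityEscapes[] = "^$\\.*+?()[]{}|/";

// Buggy: strchr(s, '\0') is specified to match the terminating NUL of s, so it returns
// a non-null pointer and a NUL after the backslash is accepted as if it were a
// SyntaxCharacter, even in Unicode mode.
bool isIdentityEscapeAnErrorBuggy(char ch, bool unicodeMode)
{
    if (!unicodeMode)
        return false;
    return std::strchr(kUnicodeIdentityEscapes, ch) == nullptr;
}

// Fixed: reject NUL explicitly before consulting strchr. This is the shape of the
// separate null-character check the ChangeLog entry describes.
bool isIdentityEscapeAnError(char ch, bool unicodeMode)
{
    if (!unicodeMode)
        return false;
    if (ch == '\0')
        return true;
    return std::strchr(kUnicodeIdentityEscapes, ch) == nullptr;
}
```

The same trap applies to any lookup helper that treats the terminator as a member of the string (strchr, strpbrk with a NUL in the set); length-delimited pattern text can legitimately contain NUL, so the terminator must never be a valid match.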
2632
2633 2020-02-01  Alexey Shvayka  <shvaikalesh@gmail.com>
2634
2635         Non-alphabetical \c escapes should be syntax errors in Unicode patterns only
2636         https://bugs.webkit.org/show_bug.cgi?id=207091
2637
2638         Reviewed by Darin Adler.
2639
2640         This change adds SyntaxError for non-alphabetical and identity \c escapes
2641         in Unicode patterns, aligning JSC with V8 and SpiderMonkey.
2642
2643         Grammar: https://tc39.es/ecma262/#prod-annexB-ClassEscape
2644         (/u flag precludes the use of ClassControlLetter)
2645
2646         * yarr/YarrErrorCode.cpp:
2647         (JSC::Yarr::errorMessage):
2648         (JSC::Yarr::errorToThrow):
2649         * yarr/YarrErrorCode.h:
2650         * yarr/YarrParser.h:
2651         (JSC::Yarr::Parser::parseEscape):
2652
2653 2020-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2654
2655         [JSC] Hold StructureID instead of Structure* in PolyProtoAccessChain and DFG::CommonData
2656         https://bugs.webkit.org/show_bug.cgi?id=207086
2657
2658         Reviewed by Mark Lam.
2659
2660         PolyProtoAccessChain and DFG::CommonData are kept alive so long as the associated AccessCase / DFG/FTL CodeBlock
2661         is alive. They hold Vector<Structure*> / Vector<WriteBarrier<Structure*>>, but access frequency is low, so
2662         we should hold Vector<StructureID> instead to cut the size by 50%.
2663
2664         * bytecode/AccessCase.cpp:
2665         (JSC::AccessCase::commit):
2666         (JSC::AccessCase::forEachDependentCell const):
2667         (JSC::AccessCase::doesCalls const):
2668         (JSC::AccessCase::visitWeak const):
2669         (JSC::AccessCase::propagateTransitions const):
2670         (JSC::AccessCase::generateWithGuard):
2671         * bytecode/AccessCase.h:
2672         * bytecode/CodeBlock.cpp:
2673         (JSC::CodeBlock::propagateTransitions):
2674         (JSC::CodeBlock::determineLiveness):
2675         (JSC::CodeBlock::stronglyVisitWeakReferences):
2676         * bytecode/GetByStatus.cpp:
2677         (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
2678         * bytecode/InByIdStatus.cpp:
2679         (JSC::InByIdStatus::computeFor):
2680         (JSC::InByIdStatus::computeForStubInfo):
2681         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2682         * bytecode/InByIdStatus.h:
2683         * bytecode/InstanceOfStatus.cpp:
2684         (JSC::InstanceOfStatus::computeFor):
2685         (JSC::InstanceOfStatus::computeForStubInfo):
2686         * bytecode/InstanceOfStatus.h:
2687         * bytecode/PolyProtoAccessChain.cpp:
2688         (JSC::PolyProtoAccessChain::create):
2689         (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
2690         (JSC::PolyProtoAccessChain::dump const):
2691         * bytecode/PolyProtoAccessChain.h:
2692         (JSC::PolyProtoAccessChain::chain const):
2693         (JSC::PolyProtoAccessChain::forEach const):
2694         (JSC::PolyProtoAccessChain::slotBaseStructure const):
2695         (JSC::PolyProtoAccessChain:: const): Deleted.
2696         * bytecode/PolymorphicAccess.cpp:
2697         (JSC::PolymorphicAccess::regenerate):
2698         * bytecode/PutByIdStatus.cpp:
2699         (JSC::PutByIdStatus::computeForStubInfo):
2700         * bytecode/StructureStubInfo.cpp:
2701         (JSC::StructureStubInfo::summary const):
2702         (JSC::StructureStubInfo::summary):
2703         * bytecode/StructureStubInfo.h:
2704         * dfg/DFGCommonData.h:
2705         * dfg/DFGDesiredWeakReferences.cpp:
2706         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2707         * dfg/DFGPlan.cpp:
2708         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2709         * jit/Repatch.cpp:
2710         (JSC::tryCacheGetBy):
2711         (JSC::tryCachePutByID):
2712         (JSC::tryCacheInByID):
2713
2714 2020-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2715
2716         [JSC] ShrinkToFit some vectors kept by JIT data structures
2717         https://bugs.webkit.org/show_bug.cgi?id=207085
2718
2719         Reviewed by Mark Lam.
2720
2721         1. We are allocating RareCaseProfile by using SegmentedVector since JIT code directly accesses RareCaseProfile*. But when creating RareCaseProfile, we can know
2722            how many RareCaseProfiles we should create: RareCaseProfile is created per slow path of Baseline JIT bytecode. Since we already scan bytecode for the main paths,
2723            we can count them and use this number when creating RareCaseProfile.
2724         2. Vectors held by PolymorphicAccess and PolymorphicCallStubRoutine should be kept small by calling shrinkToFit.
2725
2726         * bytecode/CodeBlock.cpp:
2727         (JSC::CodeBlock::setRareCaseProfiles):
2728         (JSC::CodeBlock::shrinkToFit):
2729         (JSC::CodeBlock::addRareCaseProfile): Deleted.
2730         * bytecode/CodeBlock.h:
2731         * bytecode/PolyProtoAccessChain.cpp:
2732         (JSC::PolyProtoAccessChain::create):
2733         * bytecode/PolymorphicAccess.cpp:
2734         (JSC::PolymorphicAccess::regenerate):
2735         * bytecode/ValueProfile.h:
2736         (JSC::RareCaseProfile::RareCaseProfile):
2737         * jit/JIT.cpp:
2738         (JSC::JIT::privateCompileMainPass):
2739         (JSC::JIT::privateCompileSlowCases):
2740         * jit/JIT.h:
2741         * jit/PolymorphicCallStubRoutine.cpp:
2742         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2743
2744 2020-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2745
2746         [JSC] DFG::CommonData::shrinkToFit called before DFG::Plan::reallyAdd is called
2747         https://bugs.webkit.org/show_bug.cgi?id=207083
2748
2749         Reviewed by Mark Lam.
2750
2751         We are calling DFG::CommonData::shrinkToFit, but we call it too early: we execute
2752         DFG::Plan::reallyAdd(DFG::CommonData*) after that, and this adds many entries to
2753         DFG::CommonData*. We should call DFG::CommonData::shrinkToFit after calling DFG::Plan::reallyAdd.
2754
2755         To implement it, we make DFG::JITCode::shrinkToFit a virtual function in JSC::JITCode. Then we
2756         can also implement FTL::JITCode::shrinkToFit, which was previously not implemented.
2757
2758         * dfg/DFGJITCode.cpp:
2759         (JSC::DFG::JITCode::shrinkToFit):
2760         * dfg/DFGJITCode.h:
2761         * dfg/DFGJITCompiler.cpp:
2762         (JSC::DFG::JITCompiler::compile):
2763         (JSC::DFG::JITCompiler::compileFunction):
2764         * dfg/DFGPlan.cpp:
2765         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2766         * ftl/FTLJITCode.cpp:
2767         (JSC::FTL::JITCode::shrinkToFit):
2768         * ftl/FTLJITCode.h:
2769         * jit/JITCode.cpp:
2770         (JSC::JITCode::shrinkToFit):
2771         * jit/JITCode.h:
2772
2773 2020-01-31  Saam Barati  <sbarati@apple.com>
2774
2775         GetButterfly should check if the input value is an object in safe to execute
2776         https://bugs.webkit.org/show_bug.cgi?id=207082
2777
2778         Reviewed by Mark Lam.
2779
2780         We can only hoist GetButterfly when we know the incoming value is an object.
2781         We might want to reconsider making GetButterfly use ObjectUse as its edge
2782         kind, but that's out of the scope of this patch. Currently, we use CellUse
2783         for GetButterfly node's child1.
2784
2785         * dfg/DFGSafeToExecute.h:
2786         (JSC::DFG::safeToExecute):
2787
2788 2020-01-31  Saam Barati  <sbarati@apple.com>
2789
2790         safe to execute should return false when we know code won't be moved
2791         https://bugs.webkit.org/show_bug.cgi?id=207074
2792
2793         Reviewed by Yusuke Suzuki.
2794
2795         We use safeToExecute to determine inside LICM whether it's safe to execute
2796         a node somewhere else in the program. We were returning true for nodes
2797         we knew would never be moved, because they were effectful. Things like Call
2798         and GetById. This patch makes those nodes return false now, since we want
2799         to make it easier to audit the nodes that return true. This makes that audit
2800         easier, since it gets rid of the obvious things that will never be hoisted.
2801
2802         * dfg/DFGSafeToExecute.h:
2803         (JSC::DFG::safeToExecute):
2804
2805 2020-01-31  Saam Barati  <sbarati@apple.com>
2806
2807         GetGetterSetterByOffset and GetGetter/GetSetter are not always safe to execute
2808         https://bugs.webkit.org/show_bug.cgi?id=206805
2809         <rdar://problem/58898161>
2810
2811         Reviewed by Yusuke Suzuki.
2812
2813         This patch fixes two bugs. The first is GetGetterSetterByOffset. Previously,
2814         we were just checking that we could load the value safely. However, because
2815         GetGetterSetterByOffset returns a GetterSetter object, we can only safely
2816         move this node into a context where it's guaranteed that the offset loaded
2817         will return a GetterSetter.
2818         
2819         The second fix is GetGetter/GetSetter were both always marked as safe to execute.
2820         However, they're only safe to execute when the incoming value to load from
2821         is a GetterSetter object.
2822
2823         * dfg/DFGSafeToExecute.h:
2824         (JSC::DFG::safeToExecute):
2825
2826 2020-01-31  Alexey Shvayka  <shvaikalesh@gmail.com>
2827
2828         Unmatched ] or } brackets should be syntax errors in Unicode patterns only
2829         https://bugs.webkit.org/show_bug.cgi?id=207023
2830
2831         Reviewed by Darin Adler.
2832
2833         This change adds SyntaxError for Unicode patterns, aligning JSC with
2834         V8 and SpiderMonkey.
2835
2836         Grammar: https://tc39.es/ecma262/#prod-annexB-Term
2837         (/u flag precludes the use of ExtendedAtom and thus ExtendedPatternCharacter)
2838
2839         * yarr/YarrErrorCode.cpp:
2840         (JSC::Yarr::errorMessage):
2841         (JSC::Yarr::errorToThrow):
2842         * yarr/YarrErrorCode.h:
2843         * yarr/YarrParser.h:
2844         (JSC::Yarr::Parser::parseTokens):
2845
2846 2020-01-31  Don Olmstead  <don.olmstead@sony.com>
2847
2848         [CMake] Add _PRIVATE_LIBRARIES to framework
2849         https://bugs.webkit.org/show_bug.cgi?id=207004
2850
2851         Reviewed by Konstantin Tokarev.
2852
2853         Move uses of PRIVATE within _LIBRARIES to _PRIVATE_LIBRARIES. Any _LIBRARIES appended
2854         afterwards will have that visibility set erroneously.
2855
2856         * PlatformFTW.cmake:
2857
2858 2020-01-30  Mark Lam  <mark.lam@apple.com>
2859
2860         Some improvements to DFG and FTL dumps to improve readability and searchability.
2861         https://bugs.webkit.org/show_bug.cgi?id=207024
2862
2863         Reviewed by Saam Barati.
2864
2865         This patch applies the following changes:
2866
2867         1. Prefix Air and B2 dumps with a tierName prefix.
2868            The tierName prefix strings are as follows:
2869
2870                "FTL ", "DFG ", "b3  ", "Air ", "asm "
2871
2872            The choice to use a lowercase "b3" and "asm" with upper case "Air" is
2873            deliberate because I found this combination to be easier to read and scan as
2874            prefixes of the dump lines.  See dump samples below.
2875
2876         2. Make DFG node IDs consistently expressed as D@<node index> e.g. D@104.
2877            The definition of the node will be the id followed by a colon e.g. D@104:
2878            This makes it easy to search references to this node anywhere in the dump.
2879
2880            Make B3 nodes expressed as b@<node index> e.g. b@542.
2881            This also makes it searchable since there's now no ambiguity between b@542 and
2882            D@542.
2883
2884            The choice to use a lowercase "b" and an uppercase "D" is intentional because
2885            "b@542" and "d@542" look too similar, and I prefer to not use too much
2886            uppercase.  Plus this makes the node consistent in capitalization with the
2887            tierName prefixes above of "b3  " and "DFG " respectively.
2888
2889         Here's a sample of what the dumps now look like:
2890
2891         DFG graph dump:
2892         <code>
2893             ...
2894                  6 55:   <-- foo#DFndCW:<0x62d0000b8140, bc#65, Call, known callee: Object: 0x62d000035920 with butterfly 0x0 (Structure %AN:Function), StructureID: 12711, numArgs+this = 1, numFixup = 0, stackOffset = -16 (loc0 maps to loc16)>
2895               3  6 55:   D@79:< 3:->    ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid)
2896               4  6 55:    D@3:<!0:->    KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#71, ExitInvalid)
2897               5  6 55:   D@85:<!0:->    MovHint(Check:Untyped:D@79, MustGen, loc7, W:SideState, ClobbersExit, bc#71, ExitInvalid)
2898               6  6 55:  D@102:< 1:->    CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid)
2899               7  6 55:  D@104:<!0:->    Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid)
2900             ...
2901         </code>
2902
2903         B3 graph dump:
2904         <code>
2905             ...
2906             b3  BB#14: ; frequency = 10.000000
2907             b3    Predecessors: #13
2908             b3      Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [], ExitsSideways|Reads:Top, D@79)
2909             b3      Int32 b@539 = LessThan(b@531, $100(b@578), D@102)
2910             b3      Void b@542 = Branch(b@539, Terminal, D@104)
2911             b3    Successors: Then:#2, Else:#15
2912             ...
2913         </code>
2914
2915         Air graph dump:
2916         <code>
2917             ...
2918             Air BB#5: ; frequency = 10.000000
2919             Air   Predecessors: #4
2920             Air     Move -96(%rbp), %rax, b@531
2921             Air     Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531
2922             Air     Branch32 LessThan, %rax, $100, b@542
2923             Air   Successors: #1, #6
2924             ...
2925         </code>
2926
2927         FTL disassembly dump:
2928         <code>
2929             ...
2930             Air BB#5: ; frequency = 10.000000
2931             Air   Predecessors: #4
2932             DFG       D@42:< 2:->   JSConstant(JS|PureInt, Int32, Int32: 1, bc#0, ExitInvalid)
2933             DFG       D@79:< 3:->   ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid)
2934             b3            Int32 b@1 = Const32(1)
2935             b3            Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [%rax, %rbx, %rbp, %r12], ExitsSideways|Reads:Top, D@79)
2936             Air               Move -96(%rbp), %rax, b@531
2937             asm                   0x4576b9c04712: mov -0x60(%rbp), %rax
2938             Air               Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531
2939             asm                   0x4576b9c04716: inc %eax
2940             asm                   0x4576b9c04718: jo 0x4576b9c04861
2941             DFG       D@89:< 1:->   JSConstant(JS|PureNum|UseAsOther, NonBoolInt32, Int32: 100, bc#0, ExitInvalid)
2942             DFG      D@102:< 1:->   CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid)
2943             DFG      D@104:<!0:->   Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid)
2944             b3            Int32 b@578 = Const32(100, D@89)
2945             b3            Int32 b@539 = LessThan(b@531, $100(b@578), D@102)
2946             b3            Void b@542 = Branch(b@539, Terminal, D@104)
2947             Air               Branch32 LessThan, %rax, $100, b@542
2948             asm                   0x4576b9c0471e: cmp $0x64, %eax
2949             asm                   0x4576b9c04721: jl 0x4576b9c0462f
2950             Air   Successors: #1, #6
2951             ...
2952         </code>
2953
2954         * b3/B3BasicBlock.cpp:
2955         (JSC::B3::BasicBlock::deepDump const):
2956         * b3/B3Common.cpp:
2957         * b3/B3Common.h:
2958         * b3/B3Generate.cpp:
2959         (JSC::B3::generateToAir):
2960         * b3/B3Procedure.cpp:
2961         (JSC::B3::Procedure::dump const):
2962         * b3/B3Value.cpp:
2963         * b3/air/AirBasicBlock.cpp:
2964         (JSC::B3::Air::BasicBlock::deepDump const):
2965         (JSC::B3::Air::BasicBlock::dumpHeader const):
2966         (JSC::B3::Air::BasicBlock::dumpFooter const):
2967         * b3/air/AirCode.cpp:
2968         (JSC::B3::Air::Code::dump const):
2969         * b3/air/AirCode.h:
2970         * b3/air/AirDisassembler.cpp:
2971         (JSC::B3::Air::Disassembler::dump):
2972         * b3/air/AirGenerate.cpp:
2973         (JSC::B3::Air::prepareForGeneration):
2974         * dfg/DFGCommon.cpp:
2975         * dfg/DFGCommon.h:
2976         * dfg/DFGGraph.cpp:
2977         (JSC::DFG::Graph::dump):
2978         (JSC::DFG::Graph::dumpBlockHeader):
2979         * dfg/DFGNode.cpp:
2980         (WTF::printInternal):
2981         * ftl/FTLCompile.cpp:
2982         (JSC::FTL::compile):
2983         * ftl/FTLCompile.h:
2984         * ftl/FTLState.cpp:
2985         (JSC::FTL::State::State):
2986
2987 2020-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2988
2989         [WTF] Remove PackedIntVector
2990         https://bugs.webkit.org/show_bug.cgi?id=207018
2991
2992         Reviewed by Mark Lam.
2993
2994         * bytecode/BytecodeBasicBlock.h:
2995
2996 2020-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2997
2998         [JSC] Remove unnecessary allocations in BytecodeBasicBlock
2999         https://bugs.webkit.org/show_bug.cgi?id=206986
3000
3001         Reviewed by Mark Lam.
3002
3003         We know that BytecodeBasicBlock itself takes 2MB in Gmail. And each BytecodeBasicBlock has Vector<unsigned>
3004         and Vector<BytecodeBasicBlock*>.
3005
3006         BytecodeBasicBlock holds all the offsets per bytecode as unsigned in m_offsets. But this offset is
3007         only used when reverse iterating bytecodes in a BytecodeBasicBlock. We can hold the length of each
3008         bytecode instead, which is much smaller (unsigned vs. uint8_t).
3009
3010         Since each BytecodeBasicBlock has index, we should hold successors in Vector<unsigned> instead of Vector<BytecodeBasicBlock*>.
3011
3012         We are also allocating BytecodeBasicBlock in makeUnique<> and having them in Vector<std::unique_ptr<BytecodeBasicBlock>>.
3013         But this is not necessary since only BytecodeBasicBlock::compute can modify this vector. We should generate Vector<BytecodeBasicBlock>
3014         from BytecodeBasicBlock::compute.
3015
3016         We are also planning to purge BytecodeBasicBlock in UnlinkedCodeBlock if it is not used much. But this will be done in a separate patch.
3017
3018         * bytecode/BytecodeBasicBlock.cpp:
3019         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3020         (JSC::BytecodeBasicBlock::addLength):
3021         (JSC::BytecodeBasicBlock::shrinkToFit):
3022         (JSC::BytecodeBasicBlock::computeImpl):
3023         (JSC::BytecodeBasicBlock::compute):
3024         * bytecode/BytecodeBasicBlock.h:
3025         (JSC::BytecodeBasicBlock::delta const):
3026         (JSC::BytecodeBasicBlock::successors const):
3027         (JSC::BytecodeBasicBlock::operator bool const):
3028         (JSC::BytecodeBasicBlock::addSuccessor):
3029         (JSC::BytecodeBasicBlock::offsets const): Deleted.
3030         (JSC::BytecodeBasicBlock:: const): Deleted.
3031         (JSC::BytecodeBasicBlock::BytecodeBasicBlock): Deleted.
3032         (JSC::BytecodeBasicBlock::addLength): Deleted.
3033         * bytecode/BytecodeGeneratorification.cpp:
3034         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3035         * bytecode/BytecodeGraph.h:
3036         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3037         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3038         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3039         (JSC::BytecodeGraph::at const):
3040         (JSC::BytecodeGraph::operator[] const):
3041         (JSC::BytecodeGraph::begin):
3042         (JSC::BytecodeGraph::end):
3043         (JSC::BytecodeGraph::first):
3044         (JSC::BytecodeGraph::last):
3045         (JSC::BytecodeGraph::BytecodeGraph):
3046         (JSC::BytecodeGraph::begin const): Deleted.
3047         (JSC::BytecodeGraph::end const): Deleted.
3048         * bytecode/BytecodeLivenessAnalysis.cpp:
3049         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex):
3050         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3051         (JSC::BytecodeLivenessAnalysis::computeKills):
3052         (JSC::BytecodeLivenessAnalysis::dumpResults):
3053         * bytecode/BytecodeLivenessAnalysis.h:
3054         * bytecode/BytecodeLivenessAnalysisInlines.h:
3055         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex):
3056         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3057         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex):
3058         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3059         * bytecode/InstructionStream.h:
3060         (JSC::InstructionStream::MutableRef::operator-> const):
3061         (JSC::InstructionStream::MutableRef::ptr const):
3062         (JSC::InstructionStream::MutableRef::unwrap const):
3063         * bytecode/Opcode.h:
3064         * generator/Section.rb:
3065         * jit/JIT.cpp:
3066         (JSC::JIT::privateCompileMainPass):
3067         * llint/LLIntData.cpp:
3068         (JSC::LLInt::initialize):
3069         * llint/LowLevelInterpreter.cpp:
3070         (JSC::CLoop::execute):
3071
3072 2020-01-30  Alexey Shvayka  <shvaikalesh@gmail.com>
3073
3074         Incomplete braced quantifiers should be banned in Unicode patterns only
3075         https://bugs.webkit.org/show_bug.cgi?id=206776
3076
3077         Reviewed by Darin Adler.
3078
3079         This change adds SyntaxError for Unicode patterns, aligning JSC with
3080         V8 and SpiderMonkey, and also capitalizes "Unicode" in error messages.
3081
3082         Grammar: https://tc39.es/ecma262/#prod-annexB-Term
3083         (/u flag precludes the use of ExtendedAtom and thus InvalidBracedQuantifier)
3084
3085         * yarr/YarrErrorCode.cpp:
3086         (JSC::Yarr::errorMessage):
3087         (JSC::Yarr::errorToThrow):
3088         * yarr/YarrErrorCode.h:
3089         * yarr/YarrParser.h:
3090         (JSC::Yarr::Parser::parseTokens):
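
The four Yarr entries above (\0 identity escapes, non-alphabetical \c escapes, unmatched ] or }, and incomplete braced quantifiers) all tighten the same thing: constructs that Annex B lets a legacy pattern match literally become SyntaxErrors once the /u flag is set. The following JavaScript is an added example written for this page, not code from the WebKit tree. It constructs its own sample pattern sources (the \0 case uses a backslash followed by a literal U+0000, not the digit 0) and checks that each compiles without /u, matches the literal text, and is rejected with /u, which is how any spec-compliant engine (JSC after these fixes, V8, SpiderMonkey) should behave.

```javascript
// Added example (not JSC code): probe which pattern sources a JavaScript engine
// accepts as a legacy (Annex B) pattern and rejects once the /u flag is set.

// Compile a pattern source with the given flags; report SyntaxError instead of throwing.
function compileOutcome(source, flags) {
  try {
    return { ok: true, re: new RegExp(source, flags) };
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    return { ok: false, message: e.message };
  }
}

// true when the source compiles without /u but is a SyntaxError with /u:
// exactly the class of inputs the four Yarr fixes above are about.
function isUnicodeOnlyError(source) {
  return compileOutcome(source, "").ok && !compileOutcome(source, "u").ok;
}

// Constructed sample patterns, one or two per fix. `legacyInput` is a string the
// legacy pattern must match, showing that without /u the construct is taken literally.
const SAMPLES = [
  // \0 identity escape: a backslash followed by a literal U+0000, not the digit 0
  { source: "\\\u0000", legacyInput: "\u0000" },
  // \c followed by a non-letter, and a bare \c inside a character class
  { source: "\\c1", legacyInput: "\\c1" },
  { source: "[\\c]", legacyInput: "c" },
  // unmatched ] and } are ExtendedPatternCharacters only without /u
  { source: "]", legacyInput: "]" },
  { source: "}", legacyInput: "}" },
  // incomplete braced quantifiers are literal text only without /u
  { source: "a{", legacyInput: "a{" },
  { source: "a{1", legacyInput: "a{1" },
];

// Controls that must compile in both modes: \0 as NUL, \c with a control letter,
// a complete braced quantifier, and an escaped ] inside a class.
const CONTROLS = ["\\0", "\\cJ", "a{1,2}", "[\\]]"];

// For each sample: is it a /u-only SyntaxError, does the legacy pattern match the
// literal input, and what message does the engine give for the /u rejection?
function classifySamples(samples = SAMPLES) {
  return samples.map(({ source, legacyInput }) => ({
    source,
    unicodeOnlyError: isUnicodeOnlyError(source),
    legacyMatches: new RegExp(source).test(legacyInput),
    unicodeMessage: compileOutcome(source, "u").message,
  }));
}

function controlsCompileInBothModes(controls = CONTROLS) {
  return controls.every((s) => compileOutcome(s, "").ok && compileOutcome(s, "u").ok);
}

for (const row of classifySamples()) console.log(JSON.stringify(row));
console.log("controls compile in both modes:", controlsCompileInBothModes());
```

Every row should report unicodeOnlyError true and legacyMatches true, while the controls compile in both modes; an engine that prints false for any sample still accepts an Annex B construct under /u, which is the class of bug the four entries fix.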
3091
3092 2020-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3093
3094         [JSC] Make SourceProviderCacheItem small
3095         https://bugs.webkit.org/show_bug.cgi?id=206987
3096
3097         Reviewed by Mark Lam.
3098
3099         We know this becomes very large when parsing a large script, and it is noticeable in some of the RAMification tests.
3100         We should use PackedPtr to shrink the size of SourceProviderCacheItem.
3101
3102         * parser/Parser.h:
3103         (JSC::Scope::restoreFromSourceProviderCache):
3104         * parser/SourceProviderCacheItem.h:
3105         (JSC::SourceProviderCacheItem::usedVariables const):
3106         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3107
3108 2020-01-30  Keith Miller  <keith_miller@apple.com>
3109
3110         Parser needs to restore unary stack state when backtracking
3111         https://bugs.webkit.org/show_bug.cgi?id=206972
3112
3113         Reviewed by Saam Barati.
3114
3115         Previously we would try to parse possibly stale unary operator
3116         stack entries after backtracking from a parse error.  This would
3117         cause us to think one token was a different token while reparsing
3118         after backtracking. Additionally, this patch fixes an issue where
3119         the syntax checker would think assignment expressions were resolve
3120         expressions. Interestingly, this was not tested in test262.
3121
3122         Lastly, I tried adding some assertions to help diagnose
3123         when our source text locations are incorrect.
3124
3125         * bytecompiler/BytecodeGenerator.h:
3126         (JSC::BytecodeGenerator::emitExpressionInfo):
3127         * bytecompiler/NodesCodegen.cpp:
3128         (JSC::ThisNode::emitBytecode):
3129         (JSC::ResolveNode::emitBytecode):
3130         (JSC::EmptyVarExpression::emitBytecode):
3131         (JSC::EmptyLetExpression::emitBytecode):
3132         (JSC::ForInNode::emitLoopHeader):
3133         (JSC::ForOfNode::emitBytecode):
3134         (JSC::DefineFieldNode::emitBytecode):
3135         * parser/ASTBuilder.h:
3136         (JSC::ASTBuilder::unaryTokenStackDepth const):
3137         (JSC::ASTBuilder::setUnaryTokenStackDepth):
3138         * parser/Lexer.cpp:
3139         (JSC::Lexer<T>::Lexer):
3140         * parser/Lexer.h:
3141         (JSC::Lexer::setLineNumber):
3142         * parser/Nodes.cpp:
3143         (JSC::FunctionMetadataNode::operator== const):
3144         * parser/Nodes.h:
3145         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3146         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3147         (JSC::ThrowableExpressionData::checkConsistency const):
3148         * parser/Parser.cpp:
3149         (JSC::Parser<LexerType>::isArrowFunctionParameters):
3150         (JSC::Parser<LexerType>::parseSourceElements):
3151         (JSC::Parser<LexerType>::parseModuleSourceElements):
3152         (JSC::Parser<LexerType>::parseStatementListItem):
3153         (JSC::Parser<LexerType>::parseAssignmentElement):
3154         (JSC::Parser<LexerType>::parseForStatement):
3155         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3156         (JSC::Parser<LexerType>::parseFunctionInfo):
3157         (JSC::Parser<LexerType>::parseClass):
3158         (JSC::Parser<LexerType>::parseExportDeclaration):
3159         (JSC::Parser<LexerType>::parseAssignmentExpression):
3160         (JSC::Parser<LexerType>::parseYieldExpression):
3161         (JSC::Parser<LexerType>::parseProperty):
3162         (JSC::Parser<LexerType>::parseMemberExpression):
3163         (JSC::Parser<LexerType>::parseUnaryExpression):
3164         * parser/Parser.h:
3165         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
3166         (JSC::Parser::internalSaveParserState):
3167         (JSC::Parser::restoreParserState):
3168         (JSC::Parser::internalSaveState):
3169         (JSC::Parser::swapSavePointForError):
3170         (JSC::Parser::createSavePoint):
3171         (JSC::Parser::internalRestoreState):
3172         (JSC::Parser::restoreSavePointWithError):
3173         (JSC::Parser::restoreSavePoint):
3174         (JSC::Parser::createSavePointForError): Deleted.
3175         * parser/ParserTokens.h:
3176         (JSC::JSTextPosition::JSTextPosition):
3177         (JSC::JSTextPosition::checkConsistency):
3178         * parser/SyntaxChecker.h:
3179         (JSC::SyntaxChecker::operatorStackPop):
3180
3181 2020-01-29  Mark Lam  <mark.lam@apple.com>
3182
3183         Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
3184         https://bugs.webkit.org/show_bug.cgi?id=206981
3185         <rdar://problem/58985736>
3186
3187         Reviewed by Keith Miller.
3188
3189         InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only
3190         called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(),
3191         which in turn is only called from InternalFunction::createSubclassStructureSlow().
3192
3193         InternalFunction::createSubclassStructureSlow() only allows a call to
3194         FunctionRareData::createInternalFunctionAllocationStructureFromBase() under
3195         certain conditions.  One of these conditions is that the baseGlobalObject is
3196         different from the newTarget's globalObject.
3197
3198         InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an
3199         ASSERT on the same set of conditions, with one omission: the one above.  This
3200         patch fixes the ASSERT by adding the missing condition to match the check in
3201         InternalFunction::createSubclassStructureSlow().
3202
3203         * bytecode/InternalFunctionAllocationProfile.h:
3204         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
3205
3206 2020-01-29  Robin Morisset  <rmorisset@apple.com>
3207
3208         Remove Options::enableSpectreMitigations
3209         https://bugs.webkit.org/show_bug.cgi?id=193885
3210
3211         Reviewed by Saam Barati.
3212
3213         From what I remember we decided to remove the spectre-specific mitigations we had tried (in favor of things like process-per-origin).
3214         I don't think anyone is using the SpectreGadget we had added for experiments either.
3215         So this patch removes the following three options, and all the code that depended on them:
3216         - enableSpectreMitigations (was true, only used in one place)
3217         - enableSpectreGadgets (was false)
3218         - zeroStackFrame (was false, and was an experiment about Spectre variant 4 if I remember correctly)
3219
3220         * b3/air/AirCode.cpp:
3221         (JSC::B3::Air::defaultPrologueGenerator):
3222         * dfg/DFGJITCompiler.cpp:
3223         (JSC::DFG::JITCompiler::compile):
3224         (JSC::DFG::JITCompiler::compileFunction):
3225         * dfg/DFGSpeculativeJIT.cpp:
3226         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3227         * ftl/FTLLowerDFGToB3.cpp:
3228         (JSC::FTL::DFG::LowerDFGToB3::lower):
3229         * jit/AssemblyHelpers.h:
3230         * jit/JIT.cpp:
3231         (JSC::JIT::compileWithoutLinking):
3232         * runtime/OptionsList.h:
3233         * wasm/WasmB3IRGenerator.cpp:
3234         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3235         * yarr/YarrJIT.cpp:
3236         (JSC::Yarr::YarrGenerator::initCallFrame):
3237
3238 2020-01-29  Devin Rousso  <drousso@apple.com>
3239
3240         Web Inspector: add instrumentation for showing existing Web Animations
3241         https://bugs.webkit.org/show_bug.cgi?id=205434
3242         <rdar://problem/28328087>
3243
3244         Reviewed by Brian Burg.
3245
3246         * inspector/protocol/Animation.json:
3247         Add types/commands/events for instrumenting the lifecycle of `Animation` objects, as well as
3248         commands for getting the JavaScript wrapper object and the target DOM node.
3249
3250 2020-01-29  Robin Morisset  <rmorisset@apple.com>
3251
3252         Don't include CCallHelpers.h in B3Procedure.h
3253         https://bugs.webkit.org/show_bug.cgi?id=206966
3254
3255         Reviewed by Saam Barati.
3256
3257         I verified through -ftime-trace and it massively speeds up a few of the compilation units (e.g. UnifiedSource10.cpp).
3258
3259         * b3/B3Procedure.cpp:
3260         * b3/B3Procedure.h:
3261         * b3/testb3_6.cpp:
3262         (testEntrySwitchSimple):
3263         (testEntrySwitchNoEntrySwitch):
3264         (testEntrySwitchWithCommonPaths):
3265         (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
3266         (testEntrySwitchLoop):
3267         * ftl/FTLCompile.cpp:
3268         (JSC::FTL::compile):
3269         * wasm/WasmParser.h:
3270
3271 2020-01-29  Justin Michaud  <justin_michaud@apple.com>
3272
3273         Fix small memory regression caused by r206365
3274         https://bugs.webkit.org/show_bug.cgi?id=206557
3275
3276         Reviewed by Yusuke Suzuki.
3277
3278         Put StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to prevent increasing StructureRareData's size. We make a special value for the pointer
3279         objectToStringCacheGiveUpMarker() to signal that we should not cache the string value. As a result, adding m_transitionOffset does not increase the size of the class.
3280
3281         * runtime/Structure.h:
3282         * runtime/StructureRareData.cpp:
3283         (JSC::StructureRareData::StructureRareData):
3284         (JSC::StructureRareData::visitChildren):
3285         (JSC::StructureRareData::setObjectToStringValue):
3286         (JSC::StructureRareData::clearObjectToStringValue):
3287         * runtime/StructureRareData.h:
3288         * runtime/StructureRareDataInlines.h:
3289         (JSC::StructureRareData::objectToStringValue const):
3290
3291 2020-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3292
3293         [JSC] Give up IC when unknown structure transition happens
3294         https://bugs.webkit.org/show_bug.cgi?id=206846
3295
3296         Reviewed by Mark Lam.
3297
3298         When we are creating Put IC for a new property, we grab the old Structure before performing
3299         the put. For a custom ::put, our convention is that the implemented ::put should mark the PutPropertySlot
3300         as non-cacheable. The IC code relies on this in order to work correctly. If we didn't mark it as non-cacheable,
3301         a semantic failure can happen. This patch hardens the code against this semantic failure case by giving up trying
3302         to cache the IC when the newStructure calculated from oldStructure does not match against
3303         the actual structure after the put operation.
3304
3305         * jit/Repatch.cpp:
3306         (JSC::tryCachePutByID):
3307         (JSC::repatchPutByID):
3308         * llint/LLIntSlowPaths.cpp:
3309         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3310         * runtime/Structure.cpp:
3311         (JSC::Structure::flattenDictionaryStructure):
3312         * tools/JSDollarVM.cpp:
3313         (JSC::functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus):
3314         (JSC::JSDollarVM::finishCreation):
3315         (JSC::JSDollarVM::visitChildren):
3316         * tools/JSDollarVM.h:
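
The hardening described in the entry above, as an added C++ example that is not JavaScriptCore code: the Structure, StructureTable, JSObject, PutPropertySlot and PutTransitionIC types below are toy stand-ins I defined for illustration, and the two custom put hooks are constructed cases. The model computes the expected new Structure from the old one before the put, performs the put, and refuses to create a transition IC when the object's actual Structure afterwards differs from the expected one. With the check switched off, the example also shows the divergence the patch prevents: a hook that forgets to mark the slot non-cacheable gets its side effects skipped on every later object that hits the IC fast path.

```cpp
// Added example (not JavaScriptCore code): a toy model of the Put IC hardening.
// All type and function names here are my own stand-ins for the JSC concepts.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// A Structure describes an object's property layout; adding a property moves the object
// to a new Structure along a transition edge, so objects with equal layouts share one.
struct Structure {
    std::vector<std::string> names;               // slot i holds property names[i]
    std::map<std::string, Structure*> transitions;
};

class StructureTable {
public:
    Structure* root() { return m_root.get(); }
    // Structure reached from `from` by adding `name`; created on first use.
    Structure* addPropertyTransition(Structure* from, const std::string& name) {
        auto it = from->transitions.find(name);
        if (it != from->transitions.end())
            return it->second;
        auto next = std::make_unique<Structure>();
        next->names = from->names;
        next->names.push_back(name);
        Structure* created = next.get();
        m_owned.push_back(std::move(next));
        from->transitions[name] = created;
        return created;
    }
private:
    std::unique_ptr<Structure> m_root = std::make_unique<Structure>();
    std::vector<std::unique_ptr<Structure>> m_owned;
};

struct PutPropertySlot { bool cacheable = true; };
struct JSObject;
using CustomPut = void (*)(JSObject&, StructureTable&, PutPropertySlot&);

struct JSObject {
    Structure* structure;
    std::vector<int> slots;
    CustomPut customPut = nullptr;   // models a class that implements its own ::put
};

// Generic slow path: add the property, then run the class's custom hook, if any.
void slowPut(JSObject& obj, StructureTable& table, const std::string& name, int value, PutPropertySlot& slot) {
    obj.structure = table.addPropertyTransition(obj.structure, name);
    obj.slots.push_back(value);
    if (obj.customPut)
        obj.customPut(obj, table, slot);
}

// A cached transition: "object with oldStructure: store at offset, switch to newStructure".
struct PutTransitionIC { Structure* oldStructure; Structure* newStructure; size_t offset; };

// Try to cache the put. `hardened` enables the post-put Structure comparison from the patch.
std::optional<PutTransitionIC> tryCachePut(JSObject& obj, StructureTable& table, const std::string& name, int value, bool hardened) {
    Structure* oldStructure = obj.structure;
    Structure* expected = table.addPropertyTransition(oldStructure, name); // computed before the put
    PutPropertySlot slot;
    slowPut(obj, table, name, value, slot);
    if (!slot.cacheable)
        return std::nullopt;                 // convention honored by the hook: no IC
    if (hardened && obj.structure != expected)
        return std::nullopt;                 // side effects changed the layout: give up, do not cache
    return PutTransitionIC{oldStructure, expected, expected->names.size() - 1};
}

// The IC fast path: no hooks run; the object is moved straight to the cached Structure.
void fastPut(JSObject& obj, const PutTransitionIC& ic, int value) {
    assert(obj.structure == ic.oldStructure && ic.offset == obj.slots.size());
    obj.slots.push_back(value);
    obj.structure = ic.newStructure;
}

// Constructed hooks: both add an extra property as a side effect; only the first marks the
// slot non-cacheable as the convention requires.
void hookCorrect(JSObject& obj, StructureTable& table, PutPropertySlot& slot) {
    obj.structure = table.addPropertyTransition(obj.structure, "extra");
    obj.slots.push_back(0);
    slot.cacheable = false;
}
void hookMissingSlotStatus(JSObject& obj, StructureTable& table, PutPropertySlot&) {
    obj.structure = table.addPropertyTransition(obj.structure, "extra");
    obj.slots.push_back(0);
}

// Puts "x" on two fresh objects of the same class: the first via the slow path (which may
// create an IC), the second through the IC when one exists. Returns whether the second
// object ends up with the same layout the slow path gave the first.
bool fastPathAgreesWithSlowPath(CustomPut hook, bool hardened) {
    StructureTable table;
    JSObject first{table.root(), {}, hook};
    std::optional<PutTransitionIC> ic = tryCachePut(first, table, "x", 1, hardened);
    JSObject second{table.root(), {}, hook};
    if (ic) {
        fastPut(second, *ic, 2);
    } else {
        PutPropertySlot slot;
        slowPut(second, table, "x", 2, slot);
    }
    return second.structure == first.structure && second.slots.size() == first.slots.size();
}

int main() {
    std::printf("plain put, hardened:            %d\n", fastPathAgreesWithSlowPath(nullptr, true));
    std::printf("correct hook, hardened:         %d\n", fastPathAgreesWithSlowPath(hookCorrect, true));
    std::printf("misbehaving hook, hardened:     %d\n", fastPathAgreesWithSlowPath(hookMissingSlotStatus, true));
    std::printf("misbehaving hook, not hardened: %d\n", fastPathAgreesWithSlowPath(hookMissingSlotStatus, false));
    return 0;
}
```

The last case is the one the patch closes: without the Structure comparison, the misbehaving hook's IC is accepted and later objects silently skip its side effects, so their state diverges from what the slow path produces. The hardened variant treats the mismatch as a semantic failure and simply declines to cache, which costs only performance.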
3317
3318 2020-01-28  Robin Morisset  <rmorisset@apple.com>
3319
3320         Remove the include of BytecodeGenerator.h in CodeCache.h
3321         https://bugs.webkit.org/show_bug.cgi?id=206851
3322
3323         Reviewed by Tadeu Zagallo.
3324
3325         This reduces the number of times that BytecodeStructs.h has to be parsed from 33 to 25 times, and unblocks https://bugs.webkit.org/show_bug.cgi?id=206720.
3326
3327         * runtime/CodeCache.cpp:
3328         (JSC::generateUnlinkedCodeBlockForFunctions):
3329         (JSC::generateUnlinkedCodeBlockImpl):
3330         (JSC::generateUnlinkedCodeBlock):
3331         (JSC::generateUnlinkedCodeBlockForDirectEval):
3332         (JSC::recursivelyGenerateUnlinkedCodeBlockForProgram):
3333         (JSC::recursivelyGenerateUnlinkedCodeBlockForModuleProgram):
3334         * runtime/CodeCache.h:
3335         * runtime/Completion.cpp:
3336         (JSC::generateProgramBytecode):
3337         (JSC::generateModuleBytecode):
3338         * runtime/DirectEvalExecutable.cpp:
3339         (JSC::DirectEvalExecutable::create):
3340         * runtime/JSGlobalObject.cpp:
3341         * runtime/VM.cpp:
3342
3343 2020-01-28  Mark Lam  <mark.lam@apple.com>
3344
3345         Some website needs more stack space.
3346         https://bugs.webkit.org/show_bug.cgi?id=206891
3347
3348         Reviewed by Saam Barati.
3349