ToString node actually does GC.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        Other than for StringObjectUse and StringOrStringObjectUse, ToString and
        CallStringConstructor can allocate new JSStrings, and hence, can GC.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] RegExpConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193801

        Reviewed by Mark Lam.

        This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
        sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
        regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
        it from RegExpConstructor's members.

        We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
        JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
        node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.

        We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::regExpGlobalData):
        (JSC::JSGlobalObject::regExpGlobalDataOffset):
        (JSC::JSGlobalObject::regExpConstructor const): Deleted.
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::initialize):
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::emptyRegExp const):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::visitAggregate):
        (JSC::RegExpCachedResult::visitChildren): Deleted.
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::RegExpConstructor::destroy): Deleted.
        (JSC::RegExpConstructor::visitChildren): Deleted.
        (JSC::RegExpConstructor::getBackref): Deleted.
        (JSC::RegExpConstructor::getLastParen): Deleted.
        (JSC::RegExpConstructor::getLeftContext): Deleted.
        (JSC::RegExpConstructor::getRightContext): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::performMatch): Deleted.
        (JSC::RegExpConstructor::recordMatch): Deleted.
        * runtime/RegExpGlobalData.cpp: Added.
        (JSC::RegExpGlobalData::visitAggregate):
        (JSC::RegExpGlobalData::getBackref):
        (JSC::RegExpGlobalData::getLastParen):
        (JSC::RegExpGlobalData::getLeftContext):
        (JSC::RegExpGlobalData::getRightContext):
        * runtime/RegExpGlobalData.h: Added.
        (JSC::RegExpGlobalData::cachedResult):
        (JSC::RegExpGlobalData::setMultiline):
        (JSC::RegExpGlobalData::multiline const):
        (JSC::RegExpGlobalData::input):
        (JSC::RegExpGlobalData::offsetOfCachedResult):
        * runtime/RegExpGlobalDataInlines.h: Added.
        (JSC::RegExpGlobalData::setInput):
        (JSC::RegExpGlobalData::performMatch):
        (JSC::RegExpGlobalData::recordMatch):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::matchGlobal):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        (JSC::collectMatches):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::RegExpPrototype::visitChildren): Deleted.
        * runtime/RegExpPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-12-15  Darin Adler  <darin@apple.com>

        Replace many uses of String::format with more type-safe alternatives
        https://bugs.webkit.org/show_bug.cgi?id=192742

        Reviewed by Mark Lam.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall): Use makeString.
        (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getPropertyValue): Ditto.
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable): Ditto.
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator() const): Ditto.

        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
        using String::number.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList): Ditto.

2019-01-27  Chris Fleizach  <cfleizach@apple.com>

        AX: Introduce a static accessibility tree
        https://bugs.webkit.org/show_bug.cgi?id=193348
        <rdar://problem/47203295>

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2019-01-26  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit the user agent of a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193862
        <rdar://problem/47359292>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add `overrideUserAgent` command.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
        We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
        threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
        offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
        the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
        referenced.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (WTF::printInternal): Deleted.
        * runtime/Error.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::create):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create): Deleted.
        * runtime/ErrorType.cpp: Added.
        (JSC::errorTypeName):
        (WTF::printInternal):
        * runtime/ErrorType.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::initializeErrorConstructor):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::internalPromiseConstructor const):
        (JSC::JSGlobalObject::errorStructure const):
        (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
        (JSC::NativeErrorConstructorBase::finishCreation):
        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
        (JSC::NativeErrorConstructor::finishCreation): Deleted.
        (JSC::NativeErrorConstructor::visitChildren): Deleted.
        (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
        (JSC::Interpreter::callNativeErrorConstructor): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructorBase::createStructure):
        (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::finishCreation): Deleted.
        * runtime/NativeErrorPrototype.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):

2019-01-25  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit page settings on a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193813
        <rdar://problem/47359510>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add `overrideSetting` command with supporting `Setting` enum type.

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Check .xcfilelists" build phase
        https://bugs.webkit.org/show_bug.cgi?id=193790
        <rdar://problem/47201374>

        Reviewed by Alex Christensen.

        Support for XCBuild includes specifying inputs and outputs to various
        Run Script build phases. These inputs and outputs are specified as
        .xcfilelist files. Once created, these .xcfilelist files need to be
        kept up-to-date. In order to check whether they are up-to-date,
        add an Xcode build step that invokes an external script that performs
        the checking. If the .xcfilelists are found to be out-of-date, update
        them, halt the build, and instruct the developer to restart the build
        with up-to-date files.

        At this time, the checking and regenerating is performed only if the
        WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
        who want to use this facility can set this variable and test out the
        checking/regenerating. Once it seems like there are no egregious
        issues that upset a developer's workflow, we'll unconditionally enable
        this facility.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/check-xcfilelists.sh: Added.

2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=193796
        <rdar://problem/47532910>

        Reviewed by Devin Rousso.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::machThread):
        * runtime/SamplingProfiler.h:
        Expose the mach_port_t of the SamplingProfiler thread
        so it can be tested against later.

2019-01-25  Alex Christensen  <achristensen@webkit.org>

        Fix Windows build after r240511

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Apply Configuration to XCFileLists" build target
        https://bugs.webkit.org/show_bug.cgi?id=193781
        <rdar://problem/47201153>

        Reviewed by Alex Christensen.

        Part of generating the .xcfilelists used as part of adopting XCBuild
        includes running `make DerivedSources.make` from a standalone script.
        It’s important for this invocation to have the same environment as
        when the actual build invokes `make DerivedSources.make`. If the
        environments are different, then the two invocations will provide
        different results. In order to get the same environment in the
        standalone script, have the script launch xcodebuild targeting the
        "Apply Configuration to XCFileLists" build target, which will then
        re-invoke our standalone script. The script is now running again, this
        time in an environment with all workspace, project, target, xcconfig
        and other environment variables established.

        The "Apply Configuration to XCFileLists" build target accomplishes
        this task via a small embedded shell script that consists only of:

            eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"

        The process that invokes "Apply Configuration to XCFileLists" first
        sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
        evaluated and exports it into the shell environment. When xcodebuild
        is invoked, it inherits the value of this variable and can `eval` the
        contents of that variable. Our external standalone script can then set
        WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
        of command-line parameters needed to restart itself in the appropriate
        state.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>

        Add API to generate and consume cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=193401
        <rdar://problem/47514099>

        Reviewed by Keith Miller.

        Add the `generateBytecode` and `generateModuleBytecode` functions to
        generate serialized bytecode for a given `SourceCode`. These functions
        will eagerly generate code for all the nested functions.

        Additionally, update the API methods in JSScript to generate and use the
        bytecode when the bytecodeCache path is provided.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSScript.mm:
        (+[JSScript scriptWithSource:inVirtualMachine:]):
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):
        (-[JSScript readCache]):
        (-[JSScript writeCache]):
        (-[JSScript hash]):
        (-[JSScript source]):
        (-[JSScript cachedBytecode]):
        (-[JSScript jsSourceCode:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::create):
        (JSScriptSourceProvider::JSScriptSourceProvider):
        * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::hash const):
        (JSScriptSourceProvider::source const):
        (JSScriptSourceProvider::cachedBytecode const):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine vm]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        (testBytecodeCache):
        (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * SourcesCocoa.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::source const):
        * parser/SourceProvider.h:
        (JSC::CachedBytecode::CachedBytecode):
        (JSC::CachedBytecode::operator=):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::owned const):
        (JSC::CachedBytecode::~CachedBytecode):
        (JSC::CachedBytecode::freeDataIfOwned):
        (JSC::SourceProvider::cachedBytecode const):
        * parser/UnlinkedSourceCode.h:
        (JSC::UnlinkedSourceCode::provider const):
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::generateUnlinkedCodeBlockImpl):
        (JSC::generateUnlinkedCodeBlock):
        * runtime/Completion.cpp:
        (JSC::generateBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update WebKitAdditions.xcconfig with correct order of variable definitions
        https://bugs.webkit.org/show_bug.cgi?id=193793
        <rdar://problem/47532439>

        Reviewed by Alex Christensen.

        XCBuild changes the way xcconfig variables are evaluated. In short,
        all config file assignments are now considered as part of the
        evaluation. When using the new build system and an .xcconfig file
        contains multiple assignments of the same build setting:

        - Later assignments using $(inherited) will inherit from earlier
          assignments in the xcconfig file.
        - Later assignments not using $(inherited) will take precedence over
          earlier assignments. An assignment to a more general setting will
          mask an earlier assignment to a less general setting. For example,
          an assignment without a condition ('FOO = bar') will completely mask
          an earlier assignment with a condition ('FOO[sdk=macos*] = quux').

        This affects some of our .xcconfig files, in that sometimes platform-
        or sdk-specific definitions appear before the general definitions.
        Under the new evaluation rules, the general definitions always take
        effect because they always overwrite the more-specific definitions. The
        solution is to swap the order, so that the general definitions are
        established first, and then conditionally overwritten by the
        more-specific definitions.

        * Configurations/Version.xcconfig:

439 2019-01-25  Keith Rollin  <krollin@apple.com>
440
441         Update existing .xcfilelists
442         https://bugs.webkit.org/show_bug.cgi?id=193791
443         <rdar://problem/47201706>
444
445         Reviewed by Alex Christensen.
446
447         Many .xcfilelist files were added in r238824 in order to support
448         XCBuild. Update these with recent changes to the set of build files
449         and with the current generate-xcfilelist script.
450
451         * DerivedSources-input.xcfilelist:
452         * DerivedSources-output.xcfilelist:
453         * UnifiedSources-input.xcfilelist:
454         * UnifiedSources-output.xcfilelist:
455
456 2019-01-25  Jon Davis  <jond@apple.com>
457
458         Update JavaScriptCore feature status entries.
459         https://bugs.webkit.org/show_bug.cgi?id=193797
460
461         Reviewed by Mark Lam.
462         
463         Updated feature status for Async Iteration, and Object rest/spread.
464
465         * features.json:
466
467 2019-01-24  Keith Miller  <keith_miller@apple.com>
468
469         Remove usage of internal macro from private header
470         https://bugs.webkit.org/show_bug.cgi?id=193809
471
472         Reviewed by Saam Barati.
473
474         Also, add a new file to include all of our API headers to make sure
475         they don't accidentally include C++ or internal values.
476
477         * API/JSScript.h:
478         * API/tests/testIncludes.m: Added.
479         * JavaScriptCore.xcodeproj/project.pbxproj:
480
481 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
482
483         [JSC] ErrorConstructor should not have own IsoSubspace
484         https://bugs.webkit.org/show_bug.cgi?id=193800
485
486         Reviewed by Saam Barati.
487
488         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
489         IsoSubspace errorConstructorSpace in VM. But it is allocated only one-per-JSGlobalObject, and it is
490         too costly to have IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
491         JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
492         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
493         into IsoSubspaces) described,
494
495             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
496             appear to just override methods, which are called dynamically via the structure or class of the object.
497             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
498
499         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
500         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
501         This reduces the memory usage.
502
503         * interpreter/Interpreter.h:
504         * runtime/Error.cpp:
505         (JSC::getStackTrace):
506         * runtime/ErrorConstructor.cpp:
507         (JSC::ErrorConstructor::ErrorConstructor):
508         (JSC::ErrorConstructor::finishCreation):
509         (JSC::constructErrorConstructor):
510         (JSC::callErrorConstructor):
511         (JSC::ErrorConstructor::put):
512         (JSC::ErrorConstructor::deleteProperty):
513         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
514         (JSC::Interpreter::callErrorConstructor): Deleted.
515         * runtime/ErrorConstructor.h:
516         * runtime/JSGlobalObject.cpp:
517         (JSC::JSGlobalObject::JSGlobalObject):
518         (JSC::JSGlobalObject::init):
519         (JSC::JSGlobalObject::visitChildren):
520         * runtime/JSGlobalObject.h:
521         (JSC::JSGlobalObject::stackTraceLimit const):
522         (JSC::JSGlobalObject::setStackTraceLimit):
523         (JSC::JSGlobalObject::errorConstructor const): Deleted.
524         * runtime/VM.cpp:
525         (JSC::VM::VM):
526         * runtime/VM.h:
527
528 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
529
530         Web Inspector: CPU Usage Timeline
531         https://bugs.webkit.org/show_bug.cgi?id=193730
532         <rdar://problem/46797201>
533
534         Reviewed by Devin Rousso.
535
536         * CMakeLists.txt:
537         * DerivedSources-input.xcfilelist:
538         * DerivedSources.make:
539         New files.
540
541         * inspector/protocol/CPUProfiler.json: Added.
542         New domain that follows the pattern of Memory/ScriptProfiler.
543
544         * inspector/protocol/Timeline.json:
545         New enum to auto-start a CPU instrument in the backend.
546
547 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
548
549         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
550         https://bugs.webkit.org/show_bug.cgi?id=193774
551
552         Reviewed by Mark Lam.
553
554         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make safer from UAF.
555         But since IsoSubspace requires the memory layout of instances is the same, we created different IsoSubspace
556         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
557         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate 16KB page just
558         for these two constructor instances. They are only two instances per JSGlobalObject.
559
560         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
561         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
562         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
563         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
564         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
565         for ArrayBufferConstructors, and reduces the memory usage.
566
567         * runtime/JSArrayBufferConstructor.cpp:
568         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
569         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
570         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
571         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
572         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
573         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
574         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
575         (JSC::JSArrayBufferConstructor::create): Deleted.
576         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
577         (JSC::constructArrayBuffer): Deleted.
578         * runtime/JSArrayBufferConstructor.h:
579         * runtime/JSGlobalObject.cpp:
580         (JSC::JSGlobalObject::init):
581         * runtime/JSGlobalObject.h:
582         * runtime/VM.cpp:
583         (JSC::VM::VM):
584         * runtime/VM.h:
585
586 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
587
588         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
589         https://bugs.webkit.org/show_bug.cgi?id=190693
590
591         Reviewed by Michael Saboff.
592
593         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
594         This becomes true when we find the executable address in our conservative roots, which
595         means that we could be executing it right now. This means that object liveness in
596         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
597         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
598         be executed concurrently, so that "JIT Stub Routines" may miss to mark the actually
599         executing JITStubRoutine because "Conservative Scan" finds it later.
600         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
601         "Conservative Scan" already finishes, we do not delete some JITStubRoutines which do not
602         mark the depending objects. Then, in the next cycle, we find JITStubRoutines still live,
603         attempt to mark the depending objects, and encounter the dead objects which are collected
604         in the previous cycles.
605
606         This patch removes "JIT Stub Routines" and merge it to "Conservative Scan". Since
607         "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
608         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
609         GC stop time.
610
611         * heap/ConservativeRoots.h:
612         (JSC::ConservativeRoots::roots const):
613         (JSC::ConservativeRoots::roots): Deleted.
614         * heap/Heap.cpp:
615         (JSC::Heap::addCoreConstraints):
616         * heap/SlotVisitor.cpp:
617         (JSC::SlotVisitor::append):
618         * heap/SlotVisitor.h:
619         * jit/GCAwareJITStubRoutine.cpp:
620         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
621         * jit/GCAwareJITStubRoutine.h:
622
623 2019-01-24  Saam Barati  <sbarati@apple.com>
624
625         Update ARM64EHash
626         https://bugs.webkit.org/show_bug.cgi?id=193776
627         <rdar://problem/47526457>
628
629         Reviewed by Mark Lam.
630
631         See radar for details.
632
633         * assembler/AssemblerBuffer.h:
634         (JSC::ARM64EHash::update):
635         (JSC::ARM64EHash::finalHash const):
636
637 2019-01-24  Saam Barati  <sbarati@apple.com>
638
639         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
640         https://bugs.webkit.org/show_bug.cgi?id=193751
641         <rdar://problem/47280215>
642
643         Reviewed by Michael Saboff.
644
645         The Object Allocation Sinking phase may move allocations around inside
646         of the program. However, it was not ensuring that it's still possible 
647         to walk the stack at the point in the program that it moved the allocation to.
648         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
649         All allocation sites can do a stack walk (we do a stack walk when we GC).
650         Conservatively, this patch says we're ok to move this allocation if we are
651         moving within the same InlineCallFrame. We could be more precise and do an
652         analysis of stack writes. However, this scenario is so rare that we just
653         take the conservative and straightforward approach of checking that the place
654         we're moving to is the same InlineCallFrame as the allocation site.
655         
656         In general, this issue arises anytime we do any kind of code motion.
657         Interestingly, LICM gets this right. It gets it right because the only
658         InlineCallFrames we can't move out of are the InlineCallFrames that
659         have metadata stored on the stack (callee for closure calls and argument
660         count for varargs calls). LICM doesn't have this issue because it relies
661         on Clobberize for doing its effects analysis. In clobberize, we model every
662         node within an InlineCallFrame that meets the above criteria as reading
663         from those stack fields. Consequently, LICM won't hoist any node in that
664         InlineCallFrame past the beginning of the InlineCallFrame since the IR
665         we generate to set up such an InlineCallFrame contains writes to that
666         stack location.
667
668         * dfg/DFGObjectAllocationSinkingPhase.cpp:
669
670 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
671
672         [JSC] Reenable baseline JIT on mips
673         https://bugs.webkit.org/show_bug.cgi?id=192983
674
675         Reviewed by Mark Lam.
676
677         Use $s0 as metadata register and make sure it's properly saved and
678         restored.
679
680         * jit/GPRInfo.h:
681         * jit/RegisterSet.cpp:
682         (JSC::RegisterSet::vmCalleeSaveRegisters):
683         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
684         * llint/LowLevelInterpreter.asm:
685         * offlineasm/mips.rb:
686
687 2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>
688
689         [GLIB] Expose JavaScriptCore options in GLib public API
690         https://bugs.webkit.org/show_bug.cgi?id=188742
691
692         Reviewed by Michael Catanzaro.
693
694         Add new API to set, get and iterate JSC options.
695
696         * API/glib/JSCOptions.cpp: Added.
697         (valueFromGValue):
698         (valueToGValue):
699         (jscOptionsSetValue):
700         (jscOptionsGetValue):
701         (jsc_options_set_boolean):
702         (jsc_options_get_boolean):
703         (jsc_options_set_int):
704         (jsc_options_get_int):
705         (jsc_options_set_uint):
706         (jsc_options_get_uint):
707         (jsc_options_set_size):
708         (jsc_options_get_size):
709         (jsc_options_set_double):
710         (jsc_options_get_double):
711         (jsc_options_set_string):
712         (jsc_options_get_string):
713         (jsc_options_set_range_string):
714         (jsc_options_get_range_string):
715         (jscOptionsType):
716         (jsc_options_foreach):
717         (setOptionEntry):
718         (jsc_options_get_option_group):
719         * API/glib/JSCOptions.h: Added.
720         * API/glib/docs/jsc-glib-4.0-sections.txt:
721         * API/glib/docs/jsc-glib-docs.sgml:
722         * API/glib/jsc.h:
723         * GLib.cmake:
724
725 2019-01-23  Mark Lam  <mark.lam@apple.com>
726
727         ARM64E should not ENABLE(SEPARATED_WX_HEAP).
728         https://bugs.webkit.org/show_bug.cgi?id=193744
729         <rdar://problem/46262952>
730
731         Reviewed by Saam Barati.
732
733         * assembler/LinkBuffer.cpp:
734         (JSC::LinkBuffer::copyCompactAndLinkCode):
735
736 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
739         https://bugs.webkit.org/show_bug.cgi?id=193711
740         <rdar://problem/47250262>
741
742         Reviewed by Saam Barati.
743
744         When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
745         making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform a forward analysis.
746         We first clear all the availability of basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block to
747         ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
748         merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability at the head
749         of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
750         The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
751         BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
752         as follows.
753
754             BB0 -> BB1 -> BB2 -> BB4
755              |        \        ^
756              v          > BB3 /
757             BB5
758
759         And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.
760
761             BB0 does nothing
762                 head: loc1 is dead
763                 tail: loc1 is dead
764
765             BB1 has MovHint @1, loc1
766                 head: loc1 is dead
767                 tail: loc1 is live
768
769             BB2 does nothing
770                 head: loc1 is live
771                 tail: loc1 is live
772
773             BB3 has PutStack @1, loc1
774                 head: loc1 is live
775                 tail: loc1 is live
776
777             BB4 has OSR exit using loc1
778                 head: loc1 is live
779                 tail: loc1 is live (in bytecode)
780
781             BB5 does nothing
782                 head: loc1 is dead
783                 tail: loc1 is dead
784
785         In our OSR Availability analysis, we always prune the loc1 result at BB1's head since its head says "loc1 is dead".
786         But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.
787
788         So, the flush format of loc1 in each tail of BB is like this.
789
790             BB0
791                 ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
792             BB1
793                 DeadFlush+@1 (pruning clears it)
794             BB2
795                 DeadFlush+@1 (since it is propagated from BB1)
796             BB3
797                 FlushedJSValue+@1 with loc1 (since it has PutStack)
798             BB4
799                 FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
800             BB5
801                 DeadFlush (pruning clears it)
802
803         Then, if we go down the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
804         The correct fix is making availability "unavailable" when pruning based on bytecode liveness.
805
806         * dfg/DFGAvailabilityMap.cpp:
807         (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands to Availability::unavailable(),
808         and copy the calculated value from the current availability map.
809         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
810         (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging for debugging.
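
The lattice walk described in the entry above, as an added illustration that is not JavaScriptCore code: the flush formats, the merge rule (DeadFlush is BOTTOM, ConflictingFlush is TOP, MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue), the six-block graph and the liveness facts are taken from the text, while the node-merge rule, the helper names (`analyze`, `osr_recovery`) and the recovery decision are my own assumptions modeled on that description. Running `analyze` with the two pruning values shows why pruning to BOTTOM lets BB4 believe loc1 is flushed on a path that never wrote it, and why pruning to TOP forces recovery from the node instead.

```python
"""Toy model of the OSR availability flush-format lattice (added example, not JSC code).
Lattice values, merge rule and CFG come from the ChangeLog entry; node merging,
helper names and the recovery rule are assumptions modeled on it."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional

class Flush(IntEnum):
    DEAD = 0         # DeadFlush: BOTTOM, "no information" (empty set)
    JSVALUE = 1      # FlushedJSValue: the operand's value is in its stack slot
    CONFLICTING = 2  # ConflictingFlush: TOP, the stack slot cannot be trusted

CONFLICT = "<conflict>"  # sentinel for disagreeing nodes (assumption)

@dataclass(frozen=True)
class Availability:
    flush: Flush
    node: Optional[str] = None  # DFG node last MovHint'd into the operand, e.g. "@1"

EMPTY = Availability(Flush.DEAD)               # Availability(): what the bug produced
UNAVAILABLE = Availability(Flush.CONFLICTING)  # Availability::unavailable(): the fix

def merge(a: Availability, b: Availability) -> Availability:
    """Lattice join: BOTTOM yields to the other side, disagreement becomes TOP."""
    if a.flush == b.flush or b.flush == Flush.DEAD:
        flush = a.flush
    elif a.flush == Flush.DEAD:
        flush = b.flush
    else:
        flush = Flush.CONFLICTING
    if a.node == b.node or b.node is None:
        node = a.node
    elif a.node is None:
        node = b.node
    else:
        node = CONFLICT
    return Availability(flush, node)

# Constructed CFG from the entry: (ops touching loc1, successors, loc1 live at head?).
BLOCKS = {
    "BB0": ([],                   ["BB1", "BB5"], False),
    "BB1": ([("MovHint", "@1")],  ["BB2", "BB3"], False),
    "BB2": ([],                   ["BB4"],        True),
    "BB3": ([("PutStack", "@1")], ["BB4"],        True),
    "BB4": ([],                   [],             True),   # OSR exit here uses loc1
    "BB5": ([],                   [],             False),
}

def analyze(prune_value: Availability) -> Dict[str, Availability]:
    """Forward analysis of loc1; returns the availability at each block's tail.
    prune_value is what pruneByLiveness assigns to an operand that is dead at the
    block head: EMPTY reproduces the bug, UNAVAILABLE is the fix."""
    preds: Dict[str, List[str]] = {bb: [] for bb in BLOCKS}
    for bb, (_, succs, _) in BLOCKS.items():
        for s in succs:
            preds[s].append(bb)
    tail = {bb: EMPTY for bb in BLOCKS}  # everything starts at BOTTOM
    changed = True
    while changed:                       # iterate to the fixed point
        changed = False
        for bb, (ops, _, live_at_head) in BLOCKS.items():
            if bb == "BB0":
                cur = UNAVAILABLE        # root: locals start as ConflictingFlush
            else:
                cur = EMPTY
                for p in preds[bb]:
                    cur = merge(cur, tail[p])
                if not live_at_head:
                    cur = prune_value    # pruneByLiveness at the block head
            for op, node in ops:
                if op == "MovHint":      # value now lives in a node, flush unchanged
                    cur = Availability(cur.flush, node)
                elif op == "PutStack":   # value written to its stack slot
                    cur = Availability(Flush.JSVALUE, node)
            if cur != tail[bb]:
                tail[bb] = cur
                changed = True
    return tail

def osr_recovery(avail: Availability) -> str:
    """What an OSR exit would do to recover loc1 under this availability."""
    if avail.flush == Flush.JSVALUE:
        return "read stack slot"    # sound only if every incoming path flushed it
    if avail.node not in (None, CONFLICT):
        return f"recover from node {avail.node}"
    return "not recoverable"

if __name__ == "__main__":
    for label, prune in (("buggy", EMPTY), ("fixed", UNAVAILABLE)):
        tails = analyze(prune)
        print(f"{label}: BB4 tail = {tails['BB4']} -> {osr_recovery(tails['BB4'])}")
```

With the buggy pruning value BB4 ends up FlushedJSValue+@1 and the exit reads the stack, which is wrong along BB0->BB1->BB2->BB4 where no PutStack ran; with the fixed value BB4 is ConflictingFlush+@1 and the exit recovers from @1.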
811
812 2019-01-23  David Kilzer  <ddkilzer@apple.com>
813
814         [JSC] Duplicate global variables: JSC::opcodeLengths
815         <https://webkit.org/b/193714>
816         <rdar://problem/47340200>
817
818         Reviewed by Mark Lam.
819
820         * bytecode/Opcode.cpp:
821         (JSC::opcodeLengths): Move array implementation here and mark
822         const.
823         * bytecode/Opcode.h:
824         (JSC::opcodeLengths): Change to extern declaration.
825
826 2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>
827
828         [GLIB] Remote Inspector: no data displayed
829         https://bugs.webkit.org/show_bug.cgi?id=193569
830
831         Reviewed by Michael Catanzaro.
832
833         Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
834         deadlock.
835
836         * inspector/remote/glib/RemoteInspectorGlib.cpp:
837         (Inspector::RemoteInspector::receivedSetupMessage):
838         (Inspector::RemoteInspector::setup):
839
840 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
841
842         Unreviewed, fix initial global lexical binding epoch
843         https://bugs.webkit.org/show_bug.cgi?id=193603
844         <rdar://problem/47380869>
845
846         * bytecode/CodeBlock.cpp:
847         (JSC::CodeBlock::finishCreation):
848
849 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
850
851         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
852         https://bugs.webkit.org/show_bug.cgi?id=193709
853         <rdar://problem/47363838>
854
855         Unreviewed, rollout to watch the tests.
856
857         * JavaScriptCore.xcodeproj/project.pbxproj:
858         * dfg/DFGAbstractInterpreterInlines.h:
859         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
860         * dfg/DFGByteCodeParser.cpp:
861         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
862         * dfg/DFGClobberize.h:
863         (JSC::DFG::clobberize):
864         * dfg/DFGDoesGC.cpp:
865         (JSC::DFG::doesGC):
866         * dfg/DFGFixupPhase.cpp:
867         (JSC::DFG::FixupPhase::fixupNode):
868         (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
869         * dfg/DFGNodeType.h:
870         * dfg/DFGOperations.cpp:
871         * dfg/DFGOperations.h:
872         * dfg/DFGPredictionPropagationPhase.cpp:
873         * dfg/DFGSafeToExecute.h:
874         (JSC::DFG::safeToExecute):
875         * dfg/DFGSpeculativeJIT.cpp:
876         (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
877         * dfg/DFGSpeculativeJIT.h:
878         * dfg/DFGSpeculativeJIT32_64.cpp:
879         (JSC::DFG::SpeculativeJIT::compile):
880         * dfg/DFGSpeculativeJIT64.cpp:
881         (JSC::DFG::SpeculativeJIT::compile):
882         * ftl/FTLAbstractHeapRepository.h:
883         * ftl/FTLCapabilities.cpp:
884         (JSC::FTL::canCompile):
885         * ftl/FTLLowerDFGToB3.cpp:
886         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
887         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
888         (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
889         * runtime/Intrinsic.cpp:
890         (JSC::intrinsicName):
891         * runtime/Intrinsic.h:
892         * runtime/ObjectPrototype.cpp:
893         (JSC::ObjectPrototype::finishCreation):
894         (JSC::objectProtoFuncToString):
895         * runtime/ObjectPrototype.h:
896         * runtime/ObjectPrototypeInlines.h: Removed.
897         * runtime/StructureRareData.h:
898
899 2019-01-22  Devin Rousso  <drousso@apple.com>
900
901         Web Inspector: expose Audit and Recording versions to the frontend
902         https://bugs.webkit.org/show_bug.cgi?id=193262
903         <rdar://problem/47130684>
904
905         Reviewed by Joseph Pecoraro.
906
907         * inspector/protocol/Audit.json:
908         * inspector/protocol/Recording.json:
909         Add `version` values.
910
911         * inspector/scripts/codegen/models.py:
912         (Protocol.parse_domain):
913         (Domain.__init__):
914         (Domain.version): Added.
915         (Domains):
916
917         * inspector/scripts/codegen/generator.py:
918         (Generator.version_for_domain): Added.
919
920         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
921         (CppProtocolTypesHeaderGenerator.generate_output):
922         (CppProtocolTypesHeaderGenerator._generate_versions): Added.
923
924         * inspector/scripts/codegen/generate_js_backend_commands.py:
925         (JSBackendCommandsGenerator.should_generate_domain):
926         (JSBackendCommandsGenerator.generate_domain):
927
928         * inspector/scripts/tests/generic/version.json: Added.
929         * inspector/scripts/tests/generic/expected/version.json-result: Added.
930
931         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
932         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
933         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
934         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
935         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
936         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
937         * inspector/scripts/tests/generic/expected/enum-values.json-result:
938         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
939         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
940         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
941         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
942         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
943         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
944         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
945         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
946         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
947         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
948         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
949         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
950
951 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
952
953         [JSC] Intl constructors should fit in sizeof(InternalFunction)
954         https://bugs.webkit.org/show_bug.cgi?id=193661
955
956         Reviewed by Mark Lam.
957
958         Previously all the Intl constructors had their own subspace. This is because these constructors have a different size from InternalFunction.
959         But it is too costly an approach in terms of memory usage since there is only one of each constructor per JSGlobalObject. This patch attempts to
960         reduce the memory size consumed by these Intl objects by holding instance structures in IntlObject instead of in each Intl constructor,
961         so that we can make sizeof(Intl constructors) == sizeof(InternalFunction) and drop costly subspaces. Since this patch drops subspaces in VM,
962         it also significantly reduces the sizeof(VM), from 76696 to 74680.
963
964         This patch also includes the preparation for making Intl properties lazy. But currently it is not possible since a @Collator reference exists
965         in builtin code.
966
967         * CMakeLists.txt:
968         * DerivedSources.make:
969         * runtime/IntlCollatorConstructor.cpp:
970         (JSC::IntlCollatorConstructor::create):
971         (JSC::IntlCollatorConstructor::finishCreation):
972         (JSC::constructIntlCollator):
973         (JSC::callIntlCollator):
974         (JSC::IntlCollatorConstructor::visitChildren): Deleted.
975         * runtime/IntlCollatorConstructor.h:
976         * runtime/IntlDateTimeFormatConstructor.cpp:
977         (JSC::IntlDateTimeFormatConstructor::create):
978         (JSC::IntlDateTimeFormatConstructor::finishCreation):
979         (JSC::constructIntlDateTimeFormat):
980         (JSC::callIntlDateTimeFormat):
981         (JSC::IntlDateTimeFormatConstructor::visitChildren): Deleted.
982         * runtime/IntlDateTimeFormatConstructor.h:
983         * runtime/IntlNumberFormatConstructor.cpp:
984         (JSC::IntlNumberFormatConstructor::create):
985         (JSC::IntlNumberFormatConstructor::finishCreation):
986         (JSC::constructIntlNumberFormat):
987         (JSC::callIntlNumberFormat):
988         (JSC::IntlNumberFormatConstructor::visitChildren): Deleted.
989         * runtime/IntlNumberFormatConstructor.h:
990         * runtime/IntlObject.cpp:
991         (JSC::createCollatorConstructor):
992         (JSC::createNumberFormatConstructor):
993         (JSC::createDateTimeFormatConstructor):
994         (JSC::createPluralRulesConstructor):
995         (JSC::IntlObject::create):
996         (JSC::IntlObject::finishCreation):
997         (JSC::IntlObject::visitChildren):
998         * runtime/IntlObject.h:
999         * runtime/IntlPluralRulesConstructor.cpp:
1000         (JSC::IntlPluralRulesConstructor::create):
1001         (JSC::IntlPluralRulesConstructor::finishCreation):
1002         (JSC::constructIntlPluralRules):
1003         (JSC::IntlPluralRulesConstructor::visitChildren): Deleted.
1004         * runtime/IntlPluralRulesConstructor.h:
1005         * runtime/JSGlobalObject.cpp:
1006         (JSC::JSGlobalObject::init):
1007         (JSC::JSGlobalObject::visitChildren):
1008         * runtime/JSGlobalObject.h:
1009         (JSC::JSGlobalObject::intlObject const):
1010         * runtime/VM.cpp:
1011         (JSC::VM::VM):
1012         * runtime/VM.h:
1013
1014 2019-01-22  Saam Barati  <sbarati@apple.com>
1015
1016         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1017
1018         * dfg/DFGBackwardsPropagationPhase.cpp:
1019         (JSC::DFG::BackwardsPropagationPhase::propagate):
1020
1021 2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>
1022
1023         Unreviewed, restore bytecode cache-related JSC options deleted in r240254
1024         https://bugs.webkit.org/show_bug.cgi?id=192782
1025
1026         The JSC options were committed as part of r240210, which got rolled out in
1027         r240224. However, the options got re-landed in r240248 and then deleted
1028         again in 240254 (immediately before the caching code landed in 240255).
1029
1030         * runtime/Options.h:
1031
1032 2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>
1033
1034         Cache bytecode to disk
1035         https://bugs.webkit.org/show_bug.cgi?id=192782
1036         <rdar://problem/46084932>
1037
1038         Reviewed by Keith Miller.
1039
1040         Add the logic to serialize and deserialize the new JSC bytecode. For now,
1041         the cache is only used for tests.
1042
1043         Each class that can be serialized has a counterpart in CachedTypes, which
1044         handles the decoding and encoding. When decoding, the cached objects are
1045         mmap'd from disk, but only used for creating instances of the respective
1046         in-memory version of each object. Ideally, the mmap'd objects should be
1047         used at runtime in the future.
1048
1049         * CMakeLists.txt:
1050         * JavaScriptCore.xcodeproj/project.pbxproj:
1051         * Sources.txt:
1052         * builtins/BuiltinNames.cpp:
1053         (JSC::BuiltinNames::BuiltinNames):
1054         * builtins/BuiltinNames.h:
1055         * bytecode/CodeBlock.cpp:
1056         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1057         * bytecode/CodeBlock.h:
1058         * bytecode/HandlerInfo.h:
1059         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
1060         * bytecode/InstructionStream.h:
1061         * bytecode/UnlinkedCodeBlock.h:
1062         (JSC::UnlinkedCodeBlock::addSetConstant):
1063         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1064         * bytecode/UnlinkedEvalCodeBlock.h:
1065         * bytecode/UnlinkedFunctionCodeBlock.h:
1066         * bytecode/UnlinkedFunctionExecutable.h:
1067         * bytecode/UnlinkedGlobalCodeBlock.h:
1068         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1069         * bytecode/UnlinkedMetadataTable.h:
1070         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1071         * bytecode/UnlinkedProgramCodeBlock.h:
1072         * interpreter/Interpreter.cpp:
1073         * jsc.cpp:
1074         (functionQuit):
1075         (runJSC):
1076         * parser/SourceCode.h:
1077         * parser/SourceCodeKey.h:
1078         (JSC::SourceCodeKey::operator!= const):
1079         * parser/UnlinkedSourceCode.h:
1080         * parser/VariableEnvironment.h:
1081         * runtime/CachedTypes.cpp: Added.
1082         (JSC::Encoder::Allocation::buffer const):
1083         (JSC::Encoder::Allocation::offset const):
1084         (JSC::Encoder::Allocation::Allocation):
1085         (JSC::Encoder::Encoder):
1086         (JSC::Encoder::vm):
1087         (JSC::Encoder::malloc):
1088         (JSC::Encoder::offsetOf):
1089         (JSC::Encoder::cachePtr):
1090         (JSC::Encoder::offsetForPtr):
1091         (JSC::Encoder::release):
1092         (JSC::Encoder::Page::Page):
1093         (JSC::Encoder::Page::malloc):
1094         (JSC::Encoder::Page::buffer const):
1095         (JSC::Encoder::Page::size const):
1096         (JSC::Encoder::Page::getOffset const):
1097         (JSC::Encoder::allocateNewPage):
1098         (JSC::Decoder::Decoder):
1099         (JSC::Decoder::~Decoder):
1100         (JSC::Decoder::vm):
1101         (JSC::Decoder::offsetOf):
1102         (JSC::Decoder::cacheOffset):
1103         (JSC::Decoder::addFinalizer):
1104         (JSC::encode):
1105         (JSC::decode):
1106         (JSC::VariableLengthObject::buffer const):
1107         (JSC::VariableLengthObject::allocate):
1108         (JSC::CachedPtr::encode):
1109         (JSC::CachedPtr::decode const):
1110         (JSC::CachedPtr::operator-> const):
1111         (JSC::CachedPtr::get const):
1112         (JSC::CachedRefPtr::encode):
1113         (JSC::CachedRefPtr::decode const):
1114         (JSC::CachedWriteBarrier::encode):
1115         (JSC::CachedWriteBarrier::decode const):
1116         (JSC::CachedVector::encode):
1117         (JSC::CachedVector::decode const):
1118         (JSC::CachedPair::encode):
1119         (JSC::CachedPair::decode const):
1120         (JSC::CachedHashMap::encode):
1121         (JSC::CachedHashMap::decode const):
1122         (JSC::CachedUniquedStringImpl::encode):
1123         (JSC::CachedUniquedStringImpl::decode const):
1124         (JSC::CachedStringImpl::encode):
1125         (JSC::CachedStringImpl::decode const):
1126         (JSC::CachedString::encode):
1127         (JSC::CachedString::decode const):
1128         (JSC::CachedIdentifier::encode):
1129         (JSC::CachedIdentifier::decode const):
1130         (JSC::CachedOptional::encode):
1131         (JSC::CachedOptional::decode const):
1132         (JSC::CachedOptional::decodeAsPtr const):
1133         (JSC::CachedSimpleJumpTable::encode):
1134         (JSC::CachedSimpleJumpTable::decode const):
1135         (JSC::CachedStringJumpTable::encode):
1136         (JSC::CachedStringJumpTable::decode const):
1137         (JSC::CachedCodeBlockRareData::encode):
1138         (JSC::CachedCodeBlockRareData::decode const):
1139         (JSC::CachedBitVector::encode):
1140         (JSC::CachedBitVector::decode const):
1141         (JSC::CachedHashSet::encode):
1142         (JSC::CachedHashSet::decode const):
1143         (JSC::CachedConstantIdentifierSetEntry::encode):
1144         (JSC::CachedConstantIdentifierSetEntry::decode const):
1145         (JSC::CachedVariableEnvironment::encode):
1146         (JSC::CachedVariableEnvironment::decode const):
1147         (JSC::CachedArray::encode):
1148         (JSC::CachedArray::decode const):
1149         (JSC::CachedScopedArgumentsTable::encode):
1150         (JSC::CachedScopedArgumentsTable::decode const):
1151         (JSC::CachedSymbolTableEntry::encode):
1152         (JSC::CachedSymbolTableEntry::decode const):
1153         (JSC::CachedSymbolTable::encode):
1154         (JSC::CachedSymbolTable::decode const):
1155         (JSC::CachedImmutableButterfly::encode):
1156         (JSC::CachedImmutableButterfly::decode const):
1157         (JSC::CachedRegExp::encode):
1158         (JSC::CachedRegExp::decode const):
1159         (JSC::CachedTemplateObjectDescriptor::encode):
1160         (JSC::CachedTemplateObjectDescriptor::decode const):
1161         (JSC::CachedBigInt::encode):
1162         (JSC::CachedBigInt::decode const):
1163         (JSC::CachedJSValue::encode):
1164         (JSC::CachedJSValue::decode const):
1165         (JSC::CachedInstructionStream::encode):
1166         (JSC::CachedInstructionStream::decode const):
1167         (JSC::CachedMetadataTable::encode):
1168         (JSC::CachedMetadataTable::decode const):
1169         (JSC::CachedSourceOrigin::encode):
1170         (JSC::CachedSourceOrigin::decode const):
1171         (JSC::CachedTextPosition::encode):
1172         (JSC::CachedTextPosition::decode const):
1173         (JSC::CachedSourceProviderShape::encode):
1174         (JSC::CachedSourceProviderShape::decode const):
1175         (JSC::CachedStringSourceProvider::encode):
1176         (JSC::CachedStringSourceProvider::decode const):
1177         (JSC::CachedWebAssemblySourceProvider::encode):
1178         (JSC::CachedWebAssemblySourceProvider::decode const):
1179         (JSC::CachedSourceProvider::encode):
1180         (JSC::CachedSourceProvider::decode const):
1181         (JSC::CachedUnlinkedSourceCodeShape::encode):
1182         (JSC::CachedUnlinkedSourceCodeShape::decode const):
1183         (JSC::CachedSourceCode::encode):
1184         (JSC::CachedSourceCode::decode const):
1185         (JSC::CachedFunctionExecutable::firstLineOffset const):
1186         (JSC::CachedFunctionExecutable::lineCount const):
1187         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
1188         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
1189         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
1190         (JSC::CachedFunctionExecutable::startOffset const):
1191         (JSC::CachedFunctionExecutable::sourceLength const):
1192         (JSC::CachedFunctionExecutable::parametersStartOffset const):
1193         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
1194         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
1195         (JSC::CachedFunctionExecutable::parameterCount const):
1196         (JSC::CachedFunctionExecutable::features const):
1197         (JSC::CachedFunctionExecutable::sourceParseMode const):
1198         (JSC::CachedFunctionExecutable::isInStrictContext const):
1199         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
1200         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
1201         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
1202         (JSC::CachedFunctionExecutable::constructAbility const):
1203         (JSC::CachedFunctionExecutable::constructorKind const):
1204         (JSC::CachedFunctionExecutable::functionMode const):
1205         (JSC::CachedFunctionExecutable::scriptMode const):
1206         (JSC::CachedFunctionExecutable::superBinding const):
1207         (JSC::CachedFunctionExecutable::derivedContextType const):
1208         (JSC::CachedFunctionExecutable::name const):
1209         (JSC::CachedFunctionExecutable::ecmaName const):
1210         (JSC::CachedFunctionExecutable::inferredName const):
1211         (JSC::CachedCodeBlock::instructions const):
1212         (JSC::CachedCodeBlock::thisRegister const):
1213         (JSC::CachedCodeBlock::scopeRegister const):
1214         (JSC::CachedCodeBlock::globalObjectRegister const):
1215         (JSC::CachedCodeBlock::sourceURLDirective const):
1216         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
1217         (JSC::CachedCodeBlock::usesEval const):
1218         (JSC::CachedCodeBlock::isStrictMode const):
1219         (JSC::CachedCodeBlock::isConstructor const):
1220         (JSC::CachedCodeBlock::hasCapturedVariables const):
1221         (JSC::CachedCodeBlock::isBuiltinFunction const):
1222         (JSC::CachedCodeBlock::superBinding const):
1223         (JSC::CachedCodeBlock::scriptMode const):
1224         (JSC::CachedCodeBlock::isArrowFunctionContext const):
1225         (JSC::CachedCodeBlock::isClassContext const):
1226         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
1227         (JSC::CachedCodeBlock::constructorKind const):
1228         (JSC::CachedCodeBlock::derivedContextType const):
1229         (JSC::CachedCodeBlock::evalContextType const):
1230         (JSC::CachedCodeBlock::hasTailCalls const):
1231         (JSC::CachedCodeBlock::lineCount const):
1232         (JSC::CachedCodeBlock::endColumn const):
1233         (JSC::CachedCodeBlock::numVars const):
1234         (JSC::CachedCodeBlock::numCalleeLocals const):
1235         (JSC::CachedCodeBlock::numParameters const):
1236         (JSC::CachedCodeBlock::features const):
1237         (JSC::CachedCodeBlock::parseMode const):
1238         (JSC::CachedCodeBlock::codeType const):
1239         (JSC::CachedCodeBlock::rareData const):
1240         (JSC::CachedProgramCodeBlock::encode):
1241         (JSC::CachedProgramCodeBlock::decode const):
1242         (JSC::CachedModuleCodeBlock::encode):
1243         (JSC::CachedModuleCodeBlock::decode const):
1244         (JSC::CachedEvalCodeBlock::encode):
1245         (JSC::CachedEvalCodeBlock::decode const):
1246         (JSC::CachedFunctionCodeBlock::encode):
1247         (JSC::CachedFunctionCodeBlock::decode const):
1248         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
1249         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1250         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1251         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
1252         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
1253         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
1254         (JSC::CachedFunctionExecutable::encode):
1255         (JSC::CachedFunctionExecutable::decode const):
1256         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1257         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1258         (JSC::CachedSourceCodeKey::encode):
1259         (JSC::CachedSourceCodeKey::decode const):
1260         (JSC::CacheEntry::encode):
1261         (JSC::CacheEntry:: const):
1262         (JSC:: const):
1263         (JSC::encodeCodeBlock):
1264         (JSC::decodeCodeBlockImpl):
1265         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
1266         (JSC::decodeCodeBlock):
1267         * runtime/CodeCache.cpp:
1268         (JSC::CodeCacheMap::pruneSlowCase):
1269         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1270         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1271         (JSC::CodeCache::write):
1272         * runtime/CodeCache.h:
1273         (JSC::CodeCacheMap::begin):
1274         (JSC::CodeCacheMap::end):
1275         (JSC::CodeCacheMap::fetchFromDiskImpl):
1276         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1277         (JSC::writeCodeBlock):
1278         * runtime/JSBigInt.cpp:
1279         * runtime/JSBigInt.h:
1280         * runtime/Options.cpp:
1281         (JSC::recomputeDependentOptions):
1282         * runtime/RegExp.h:
1283         * runtime/ScopedArgumentsTable.h:
1284         * runtime/StackFrame.h:
1285         * runtime/StructureInlines.h:
1286         * runtime/SymbolTable.h:
1287
1288 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1289
1290         [JSC] Invalidate old scope operations using global lexical binding epoch
1291         https://bugs.webkit.org/show_bug.cgi?id=193603
1292         <rdar://problem/47380869>
1293
1294         Reviewed by Saam Barati.
1295
1296         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
1297         scope-related operations since we may have had a global property previously. Consider the following example,
1298
1299             foo = 0;
1300             function get() { return foo; }
1301             print(get()); // 0
1302             print(get()); // 0
1303             delete globalThis.foo;
1304             $.evalScript(`const foo = 42;`);
1305             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
1306
1307         To invalidate the cache easily, we introduce a global lexical binding epoch. It is bumped every time we introduce a new lexical binding
1308         into JSGlobalLexicalEnvironment, since that name could shadow the global property name previously. In op_resolve_scope, we first check
1309         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
1310         operation to the appropriate one even if the resolve type is not the UnresolvedProperty type. After updating the resolve type of the bytecode,
1311         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
1312
1313         In op_get_from_scope and op_put_to_scope, we do not use this epoch since the Structure check can do the same thing instead. If op_resolve_scope
1314         is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, obviously the structure check fails.
1315         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
1316
1317         So, the metadata for scope-related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint-based approach.
1318         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid
1319         an infinite compile-and-fail loop.
1320
1321         When the global lexical binding epoch overflows, we iterate all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
1322         happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
1323         structure checks in op_put_to_scope and op_get_from_scope fail. We do not need to update op_get_from_scope and op_put_to_scope for the same
1324         reason.
1325
1326         * bytecode/BytecodeList.rb:
1327         * bytecode/CodeBlock.cpp:
1328         (JSC::CodeBlock::finishCreation):
1329         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1330         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
1331         * bytecode/CodeBlock.h:
1332         * dfg/DFGByteCodeParser.cpp:
1333         (JSC::DFG::ByteCodeParser::parseBlock):
1334         * dfg/DFGDesiredGlobalProperties.cpp:
1335         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1336         * dfg/DFGDesiredGlobalProperties.h:
1337         * dfg/DFGGraph.cpp:
1338         (JSC::DFG::Graph::watchGlobalProperty):
1339         * dfg/DFGGraph.h:
1340         * dfg/DFGPlan.cpp:
1341         (JSC::DFG::Plan::isStillValidOnMainThread):
1342         * jit/JITPropertyAccess.cpp:
1343         (JSC::JIT::emit_op_resolve_scope):
1344         * jit/JITPropertyAccess32_64.cpp:
1345         (JSC::JIT::emit_op_resolve_scope):
1346         * llint/LowLevelInterpreter32_64.asm:
1347         * llint/LowLevelInterpreter64.asm:
1348         * runtime/CommonSlowPaths.cpp:
1349         (JSC::SLOW_PATH_DECL):
1350         * runtime/CommonSlowPaths.h:
1351         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1352         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1353         * runtime/JSGlobalObject.cpp:
1354         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
1355         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1356         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1357         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
1358         * runtime/JSGlobalObject.h:
1359         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
1360         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
1361         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
1362         * runtime/Options.cpp:
1363         (JSC::correctOptions):
1364         (JSC::Options::initialize):
1365         (JSC::Options::setOptions):
1366         (JSC::Options::setOptionWithoutAlias):
1367         * runtime/Options.h:
1368         * runtime/ProgramExecutable.cpp:
1369         (JSC::ProgramExecutable::initializeGlobalProperties):
1370
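The epoch-based invalidation this entry describes, as an added C++ simulation that is not JSC's code: a global object carrying an epoch, one cached op_resolve_scope, and the script from the entry replayed through it, plus the overflow case. The uint8_t epoch width, the overflow policy (wrap to 1 and reset every live cache) and all type and function names are assumptions standing in for JSC's.

```cpp
// Added example, not JSC code: a small C++ simulation of the global lexical binding
// epoch described in the entry above. All names are hypothetical stand-ins for JSC's.
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <vector>

enum class ResolveType { UnresolvedProperty, GlobalProperty, GlobalLexicalVar };
enum class Scope { GlobalObject, GlobalLexicalEnvironment };

// Cached metadata of one op_resolve_scope inside a CodeBlock.
struct ResolveScopeMetadata {
    ResolveType resolveType = ResolveType::UnresolvedProperty;
    uint8_t epoch = 0; // 0 never matches a live epoch, so the first execution is slow
};

struct GlobalObject {
    std::map<std::string, int> properties;      // globalThis.foo = 0
    std::map<std::string, int> lexicalBindings; // const foo = 42
    uint8_t epoch = 1;                          // deliberately tiny so overflow is easy to show
    std::vector<ResolveScopeMetadata*> liveCodeBlocks;

    // A new lexical binding may shadow a global property: bump the epoch so every cache re-resolves once.
    void addLexicalBinding(const std::string& name, int value) {
        lexicalBindings[name] = value;
        bumpEpoch();
    }
    void bumpEpoch() {
        if (epoch == UINT8_MAX) {
            // Overflow: wrap to 1 and reset every live cache (assumed policy, standing in for JSC's CodeBlock walk).
            epoch = 1;
            for (ResolveScopeMetadata* md : liveCodeBlocks) md->epoch = 0;
            return;
        }
        ++epoch;
    }
};

// Slow path: recompute the resolve type from the real global state.
static ResolveType resolveSlow(const GlobalObject& global, const std::string& name) {
    if (global.lexicalBindings.count(name)) return ResolveType::GlobalLexicalVar;
    if (global.properties.count(name)) return ResolveType::GlobalProperty;
    return ResolveType::UnresolvedProperty;
}

// op_resolve_scope: trust the cache only while the epoch is unchanged.
static Scope resolveScope(GlobalObject& global, ResolveScopeMetadata& md, const std::string& name, bool& tookSlowPath) {
    tookSlowPath = md.epoch != global.epoch || md.resolveType == ResolveType::UnresolvedProperty;
    if (tookSlowPath) {
        md.resolveType = resolveSlow(global, name);
        md.epoch = global.epoch;
    }
    return md.resolveType == ResolveType::GlobalLexicalVar ? Scope::GlobalLexicalEnvironment : Scope::GlobalObject;
}

// op_get_from_scope: read from whichever scope op_resolve_scope picked.
static std::optional<int> getFromScope(const GlobalObject& global, Scope scope, const std::string& name) {
    const auto& table = scope == Scope::GlobalLexicalEnvironment ? global.lexicalBindings : global.properties;
    auto it = table.find(name);
    if (it == table.end()) return std::nullopt;
    return it->second;
}
struct ScenarioResult { int first; int second; int third; int slowPaths; };

// Replays the script from the entry: foo = 0; get(); get(); delete globalThis.foo; const foo = 42; get().
ScenarioResult runScenario() {
    GlobalObject global;
    ResolveScopeMetadata getMd; // the op_resolve_scope inside get()
    global.liveCodeBlocks.push_back(&getMd);
    int slowPaths = 0;
    auto get = [&]() {
        bool slow = false;
        Scope scope = resolveScope(global, getMd, "foo", slow);
        slowPaths += slow;
        return getFromScope(global, scope, "foo").value_or(-1);
    };
    global.properties["foo"] = 0;        // foo = 0;
    int first = get();                   // slow: UnresolvedProperty -> GlobalProperty
    int second = get();                  // fast: same epoch, cache reused
    global.properties.erase("foo");      // delete globalThis.foo;
    global.addLexicalBinding("foo", 42); // $.evalScript(`const foo = 42;`) bumps the epoch
    int third = get();                   // epoch mismatch -> slow -> GlobalLexicalVar -> 42
    return {first, second, third, slowPaths};
}

// Overflow: even a name that was never shadowed must re-resolve once after the wrap.
bool overflowForcesReResolve() {
    GlobalObject global;
    ResolveScopeMetadata md;
    global.liveCodeBlocks.push_back(&md);
    global.properties["bar"] = 1;
    global.epoch = UINT8_MAX;              // last value before wrapping
    bool slow = false;
    resolveScope(global, md, "bar", slow); // caches epoch 255
    resolveScope(global, md, "bar", slow); // fast path
    if (slow) return false;
    global.addLexicalBinding("baz", 2);    // wraps: epoch becomes 1, all caches reset to 0
    resolveScope(global, md, "bar", slow);
    return slow && global.epoch == 1;
}
```
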
1371 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1372
1373         Unreviewed, roll out r240220 due to date-format-xparb regression
1374         https://bugs.webkit.org/show_bug.cgi?id=193603
1375
1376         * bytecode/BytecodeList.rb:
1377         * bytecode/CodeBlock.cpp:
1378         (JSC::CodeBlock::notifyLexicalBindingShadowing):
1379         (JSC::CodeBlock::notifyLexicalBindingUpdate): Deleted.
1380         * bytecode/CodeBlock.h:
1381         * dfg/DFGByteCodeParser.cpp:
1382         (JSC::DFG::ByteCodeParser::parseBlock):
1383         * dfg/DFGDesiredGlobalProperties.cpp:
1384         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1385         * dfg/DFGDesiredGlobalProperties.h:
1386         * dfg/DFGGraph.cpp:
1387         (JSC::DFG::Graph::watchGlobalProperty): Deleted.
1388         * dfg/DFGGraph.h:
1389         * dfg/DFGPlan.cpp:
1390         (JSC::DFG::Plan::isStillValidOnMainThread):
1391         * jit/JITPropertyAccess.cpp:
1392         (JSC::JIT::emit_op_resolve_scope):
1393         * jit/JITPropertyAccess32_64.cpp:
1394         (JSC::JIT::emit_op_resolve_scope):
1395         * llint/LowLevelInterpreter32_64.asm:
1396         * llint/LowLevelInterpreter64.asm:
1397         * runtime/CommonSlowPaths.cpp:
1398         (JSC::SLOW_PATH_DECL):
1399         * runtime/CommonSlowPaths.h:
1400         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1401         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1402         * runtime/JSGlobalObject.cpp:
1403         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
1404         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1405         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1406         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch): Deleted.
1407         * runtime/JSGlobalObject.h:
1408         (JSC::JSGlobalObject::globalLexicalBindingEpoch const): Deleted.
1409         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset): Deleted.
1410         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch): Deleted.
1411         * runtime/Options.cpp:
1412         (JSC::Options::initialize):
1413         (JSC::Options::setOptions):
1414         (JSC::Options::setOptionWithoutAlias):
1415         (JSC::correctOptions): Deleted.
1416         * runtime/Options.h:
1417         * runtime/ProgramExecutable.cpp:
1418         (JSC::ProgramExecutable::initializeGlobalProperties):
1419
1420 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1421
1422         [JSC] StrictModeTypeErrorFunction is no longer used
1423         https://bugs.webkit.org/show_bug.cgi?id=193662
1424
1425         Reviewed by Mark Lam.
1426
1427         StrictModeTypeErrorFunction is no longer used. This patch drops it. Furthermore, it also allows us to drop
1428         strictModeTypeErrorFunctionSpace from VM.
1429
1430         * runtime/Error.cpp:
1431         (JSC::StrictModeTypeErrorFunction::destroy): Deleted.
1432         * runtime/Error.h:
1433         (): Deleted.
1434         * runtime/VM.cpp:
1435         (JSC::VM::VM):
1436         * runtime/VM.h:
1437
1438 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1439
1440         DoesGC rule is wrong for nodes with BigIntUse
1441         https://bugs.webkit.org/show_bug.cgi?id=193652
1442
1443         Reviewed by Saam Barati.
1444
1445         The former rule was that ValueOp does not GC. However this is wrong, since
1446         these operations can trigger GC and mess up memory management. In the end, this
1447         will generate wrong code because we will have a wrong GC epoch value during
1448         the Store Barrier Insertion phase.
1449         We changed this to consider BigIntUse for such nodes and properly return true when
1450         they are BigIntUse.
1451
1452         * dfg/DFGDoesGC.cpp:
1453         (JSC::DFG::doesGC):
1454
1455 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1456
1457         [JSC] Lazily initialize JSModuleLoader
1458         https://bugs.webkit.org/show_bug.cgi?id=193646
1459
1460         Reviewed by Keith Miller and Saam Barati.
1461
1462         Lazily initialize JSModuleLoader so that we do not need to initialize it until we need modules.
1463
1464         * runtime/JSGlobalObject.cpp:
1465         (JSC::JSGlobalObject::init):
1466         (JSC::JSGlobalObject::visitChildren):
1467         * runtime/JSGlobalObject.h:
1468         (JSC::JSGlobalObject::moduleLoader const):
1469
1470 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1471
1472         [JSC] sub op with 0 should be optimized
1473         https://bugs.webkit.org/show_bug.cgi?id=190751
1474
1475         Reviewed by Mark Lam.
1476
1477         LLInt sometimes emits `subp 0, %rxx`. For example, `maxFrameExtentForSlowPathCall` is 0 in X86_64, ARM64, and ARM64E.
1478         So `subp maxFrameExtentForSlowPathCall sp` becomes `subp 0, %rsp`. While `addp 0, %rsp` is removed in offlineasm,
1479         the sub operation does not have such an optimization. This patch applies to the sub operation the same optimization already
1480         done for the add operation. Since the CPU flags changed by these offlineasm operations are not considered (if these flags
1481         are required, we use special branch operations instead), this optimization is sane.
1482
1483         One problem is the zero-extension of the 32-bit register on 64-bit architectures. If the instruction emission is skipped,
1484         this won't happen. Currently, we align our sub operation with the add operation: we skip emission in this case.
1485
1486         * offlineasm/arm64.rb:
1487         * offlineasm/x86.rb:
1488
1489 2019-01-20  Saam Barati  <sbarati@apple.com>
1490
1491         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1492         https://bugs.webkit.org/show_bug.cgi?id=193644
1493         <rdar://problem/46209745>
1494
1495         Reviewed by Yusuke Suzuki.
1496
1497         This patch also makes it so we fail fast when we make this mistake.
1498         I've made this mistake more than once.
1499
1500         * dfg/DFGByteCodeParser.cpp:
1501         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1502
1503 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1504
1505         [JSC] Reduce size of SourceProvider
1506         https://bugs.webkit.org/show_bug.cgi?id=193544
1507
1508         Reviewed by Saam Barati.
1509
1510         This patch attempts to reduce the dirty memory footprint by the following 3 optimizations.
1511
1512         1. Reordering the members of SourceProvider to reduce the size. This affects JSC, and CachedScriptSourceProvider used in WebCore.
1513
1514         2. Create one SourceProvider for all the builtin code and use substring to create builtin JS functions.
1515            This reduces the number of SourceProviders created for builtins.
1516
1517         3. Drop m_validated flag in SourceProvider since nobody uses it. It also deletes dead code in Parser.cpp.
1518
1519         Unfortunately, MSVC does not accept a super long C string literal. So instead, we construct the combined string in the form of a C array.
1520
1521         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1522         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1523         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1524         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1525         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1526         (BuiltinsCombinedHeaderGenerator.generate_output):
1527         * Scripts/wkbuiltins/builtins_generate_combined_implementation.py:
1528         (BuiltinsCombinedImplementationGenerator.generate_output):
1529         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py:
1530         (BuiltinsSeparateImplementationGenerator.generate_output):
1531         * Scripts/wkbuiltins/builtins_generator.py:
1532         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1533         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1534         (BuiltinsGenerator.generate_embedded_code_string_section_for_function): Deleted.
1535         * builtins/BuiltinExecutables.cpp:
1536         (JSC::BuiltinExecutables::BuiltinExecutables):
1537         (JSC::JSC_FOREACH_BUILTIN_CODE):
1538         (JSC::BuiltinExecutables::createExecutable):
1539         * builtins/BuiltinExecutables.h:
1540         * parser/Parser.cpp:
1541         (JSC::Parser<LexerType>::Parser):
1542         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1543         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
1544         (JSC::Parser<LexerType>::parseObjectLiteral):
1545         (JSC::Parser<LexerType>::parseUnaryExpression):
1546         * parser/Parser.h:
1547         * parser/SourceCode.h:
1548         * parser/SourceProvider.cpp:
1549         (JSC::SourceProvider::SourceProvider):
1550         * parser/SourceProvider.h:
1551         (JSC::SourceProvider::isValid const): Deleted.
1552         (JSC::SourceProvider::setValid): Deleted.
1553         * runtime/CachedTypes.cpp:
1554         (JSC::CachedSourceProviderShape::encode):
1555         (JSC::CachedSourceProviderShape::decode const):
1556
1557 2019-01-20  Michael Catanzaro  <mcatanzaro@igalia.com>
1558
1559         Unreviewed, fix -Wint-in-bool-context warning
1560         https://bugs.webkit.org/show_bug.cgi?id=193483
1561         <rdar://problem/47280522>
1562
1563         * dfg/DFGFixupPhase.cpp:
1564         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
1565
1566 2019-01-20  Saam Barati  <sbarati@apple.com>
1567
1568         Rollout r240210: It broke tests on iOS
1569         https://bugs.webkit.org/show_bug.cgi?id=193640
1570
1571         Unreviewed. ~2650 tests are failing on iOS.
1572
1573         * CMakeLists.txt:
1574         * JavaScriptCore.xcodeproj/project.pbxproj:
1575         * Sources.txt:
1576         * builtins/BuiltinNames.cpp:
1577         (JSC::BuiltinNames::BuiltinNames):
1578         * builtins/BuiltinNames.h:
1579         * bytecode/CodeBlock.cpp:
1580         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1581         * bytecode/CodeBlock.h:
1582         * bytecode/HandlerInfo.h:
1583         * bytecode/InstructionStream.h:
1584         * bytecode/UnlinkedCodeBlock.h:
1585         (JSC::UnlinkedCodeBlock::addSetConstant):
1586         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1587         * bytecode/UnlinkedEvalCodeBlock.h:
1588         * bytecode/UnlinkedFunctionCodeBlock.h:
1589         * bytecode/UnlinkedFunctionExecutable.h:
1590         * bytecode/UnlinkedGlobalCodeBlock.h:
1591         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1592         * bytecode/UnlinkedMetadataTable.h:
1593         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1594         * bytecode/UnlinkedProgramCodeBlock.h:
1595         * interpreter/Interpreter.cpp:
1596         * jsc.cpp:
1597         (functionQuit):
1598         (runJSC):
1599         * parser/SourceCode.h:
1600         * parser/SourceCodeKey.h:
1601         (JSC::SourceCodeKey::operator!= const): Deleted.
1602         * parser/UnlinkedSourceCode.h:
1603         * parser/VariableEnvironment.h:
1604         * runtime/CachedTypes.cpp:
1605         (): Deleted.
1606         (JSC::Encoder::Allocation::buffer const): Deleted.
1607         (JSC::Encoder::Allocation::offset const): Deleted.
1608         (JSC::Encoder::Allocation::Allocation): Deleted.
1609         (JSC::Encoder::Encoder): Deleted.
1610         (JSC::Encoder::vm): Deleted.
1611         (JSC::Encoder::malloc): Deleted.
1612         (JSC::Encoder::offsetOf): Deleted.
1613         (JSC::Encoder::cachePtr): Deleted.
1614         (JSC::Encoder::offsetForPtr): Deleted.
1615         (JSC::Encoder::release): Deleted.
1616         (JSC::Encoder::Page::Page): Deleted.
1617         (JSC::Encoder::Page::malloc): Deleted.
1618         (JSC::Encoder::Page::buffer const): Deleted.
1619         (JSC::Encoder::Page::size const): Deleted.
1620         (JSC::Encoder::Page::getOffset const): Deleted.
1621         (JSC::Encoder::allocateNewPage): Deleted.
1622         (JSC::Decoder::Decoder): Deleted.
1623         (JSC::Decoder::~Decoder): Deleted.
1624         (JSC::Decoder::vm): Deleted.
1625         (JSC::Decoder::offsetOf): Deleted.
1626         (JSC::Decoder::cacheOffset): Deleted.
1627         (JSC::Decoder::addFinalizer): Deleted.
1628         (JSC::encode): Deleted.
1629         (JSC::decode): Deleted.
1630         (JSC::VariableLengthObject::buffer const): Deleted.
1631         (JSC::VariableLengthObject::allocate): Deleted.
1632         (JSC::CachedPtr::encode): Deleted.
1633         (JSC::CachedPtr::decode const): Deleted.
1634         (JSC::CachedPtr::operator-> const): Deleted.
1635         (JSC::CachedPtr::get const): Deleted.
1636         (JSC::CachedRefPtr::encode): Deleted.
1637         (JSC::CachedRefPtr::decode const): Deleted.
1638         (JSC::CachedWriteBarrier::encode): Deleted.
1639         (JSC::CachedWriteBarrier::decode const): Deleted.
1640         (JSC::CachedVector::encode): Deleted.
1641         (JSC::CachedVector::decode const): Deleted.
1642         (JSC::CachedPair::encode): Deleted.
1643         (JSC::CachedPair::decode const): Deleted.
1644         (JSC::CachedHashMap::encode): Deleted.
1645         (JSC::CachedHashMap::decode const): Deleted.
1646         (JSC::CachedUniquedStringImpl::encode): Deleted.
1647         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1648         (JSC::CachedStringImpl::encode): Deleted.
1649         (JSC::CachedStringImpl::decode const): Deleted.
1650         (JSC::CachedString::encode): Deleted.
1651         (JSC::CachedString::decode const): Deleted.
1652         (JSC::CachedIdentifier::encode): Deleted.
1653         (JSC::CachedIdentifier::decode const): Deleted.
1654         (JSC::CachedOptional::encode): Deleted.
1655         (JSC::CachedOptional::decode const): Deleted.
1656         (JSC::CachedOptional::decodeAsPtr const): Deleted.
1657         (JSC::CachedSimpleJumpTable::encode): Deleted.
1658         (JSC::CachedSimpleJumpTable::decode const): Deleted.
1659         (JSC::CachedStringJumpTable::encode): Deleted.
1660         (JSC::CachedStringJumpTable::decode const): Deleted.
1661         (JSC::CachedCodeBlockRareData::encode): Deleted.
1662         (JSC::CachedCodeBlockRareData::decode const): Deleted.
1663         (JSC::CachedBitVector::encode): Deleted.
1664         (JSC::CachedBitVector::decode const): Deleted.
1665         (JSC::CachedHashSet::encode): Deleted.
1666         (JSC::CachedHashSet::decode const): Deleted.
1667         (JSC::CachedConstantIdentifierSetEntry::encode): Deleted.
1668         (JSC::CachedConstantIdentifierSetEntry::decode const): Deleted.
1669         (JSC::CachedVariableEnvironment::encode): Deleted.
1670         (JSC::CachedVariableEnvironment::decode const): Deleted.
1671         (JSC::CachedArray::encode): Deleted.
1672         (JSC::CachedArray::decode const): Deleted.
1673         (JSC::CachedScopedArgumentsTable::encode): Deleted.
1674         (JSC::CachedScopedArgumentsTable::decode const): Deleted.
1675         (JSC::CachedSymbolTableEntry::encode): Deleted.
1676         (JSC::CachedSymbolTableEntry::decode const): Deleted.
1677         (JSC::CachedSymbolTable::encode): Deleted.
1678         (JSC::CachedSymbolTable::decode const): Deleted.
1679         (JSC::CachedImmutableButterfly::encode): Deleted.
1680         (JSC::CachedImmutableButterfly::decode const): Deleted.
1681         (JSC::CachedRegExp::encode): Deleted.
1682         (JSC::CachedRegExp::decode const): Deleted.
1683         (JSC::CachedTemplateObjectDescriptor::encode): Deleted.
1684         (JSC::CachedTemplateObjectDescriptor::decode const): Deleted.
1685         (JSC::CachedBigInt::encode): Deleted.
1686         (JSC::CachedBigInt::decode const): Deleted.
1687         (JSC::CachedJSValue::encode): Deleted.
1688         (JSC::CachedJSValue::decode const): Deleted.
1689         (JSC::CachedInstructionStream::encode): Deleted.
1690         (JSC::CachedInstructionStream::decode const): Deleted.
1691         (JSC::CachedMetadataTable::encode): Deleted.
1692         (JSC::CachedMetadataTable::decode const): Deleted.
1693         (JSC::CachedSourceOrigin::encode): Deleted.
1694         (JSC::CachedSourceOrigin::decode const): Deleted.
1695         (JSC::CachedTextPosition::encode): Deleted.
1696         (JSC::CachedTextPosition::decode const): Deleted.
1697         (JSC::CachedSourceProviderShape::encode): Deleted.
1698         (JSC::CachedSourceProviderShape::decode const): Deleted.
1699         (JSC::CachedStringSourceProvider::encode): Deleted.
1700         (JSC::CachedStringSourceProvider::decode const): Deleted.
1701         (JSC::CachedWebAssemblySourceProvider::encode): Deleted.
1702         (JSC::CachedWebAssemblySourceProvider::decode const): Deleted.
1703         (JSC::CachedSourceProvider::encode): Deleted.
1704         (JSC::CachedSourceProvider::decode const): Deleted.
1705         (JSC::CachedUnlinkedSourceCodeShape::encode): Deleted.
1706         (JSC::CachedUnlinkedSourceCodeShape::decode const): Deleted.
1707         (JSC::CachedSourceCode::encode): Deleted.
1708         (JSC::CachedSourceCode::decode const): Deleted.
1709         (JSC::CachedFunctionExecutable::firstLineOffset const): Deleted.
1710         (JSC::CachedFunctionExecutable::lineCount const): Deleted.
1711         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const): Deleted.
1712         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const): Deleted.
1713         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const): Deleted.
1714         (JSC::CachedFunctionExecutable::startOffset const): Deleted.
1715         (JSC::CachedFunctionExecutable::sourceLength const): Deleted.
1716         (JSC::CachedFunctionExecutable::parametersStartOffset const): Deleted.
1717         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const): Deleted.
1718         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const): Deleted.
1719         (JSC::CachedFunctionExecutable::parameterCount const): Deleted.
1720         (JSC::CachedFunctionExecutable::features const): Deleted.
1721         (JSC::CachedFunctionExecutable::sourceParseMode const): Deleted.
1722         (JSC::CachedFunctionExecutable::isInStrictContext const): Deleted.
1723         (JSC::CachedFunctionExecutable::hasCapturedVariables const): Deleted.
1724         (JSC::CachedFunctionExecutable::isBuiltinFunction const): Deleted.
1725         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const): Deleted.
1726         (JSC::CachedFunctionExecutable::constructAbility const): Deleted.
1727         (JSC::CachedFunctionExecutable::constructorKind const): Deleted.
1728         (JSC::CachedFunctionExecutable::functionMode const): Deleted.
1729         (JSC::CachedFunctionExecutable::scriptMode const): Deleted.
1730         (JSC::CachedFunctionExecutable::superBinding const): Deleted.
1731         (JSC::CachedFunctionExecutable::derivedContextType const): Deleted.
1732         (JSC::CachedFunctionExecutable::name const): Deleted.
1733         (JSC::CachedFunctionExecutable::ecmaName const): Deleted.
1734         (JSC::CachedFunctionExecutable::inferredName const): Deleted.
1735         (JSC::CachedCodeBlock::instructions const): Deleted.
1736         (JSC::CachedCodeBlock::thisRegister const): Deleted.
1737         (JSC::CachedCodeBlock::scopeRegister const): Deleted.
1738         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1739         (JSC::CachedCodeBlock::sourceURLDirective const): Deleted.
1740         (JSC::CachedCodeBlock::sourceMappingURLDirective const): Deleted.
1741         (JSC::CachedCodeBlock::usesEval const): Deleted.
1742         (JSC::CachedCodeBlock::isStrictMode const): Deleted.
1743         (JSC::CachedCodeBlock::isConstructor const): Deleted.
1744         (JSC::CachedCodeBlock::hasCapturedVariables const): Deleted.
1745         (JSC::CachedCodeBlock::isBuiltinFunction const): Deleted.
1746         (JSC::CachedCodeBlock::superBinding const): Deleted.
1747         (JSC::CachedCodeBlock::scriptMode const): Deleted.
1748         (JSC::CachedCodeBlock::isArrowFunctionContext const): Deleted.
1749         (JSC::CachedCodeBlock::isClassContext const): Deleted.
1750         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const): Deleted.
1751         (JSC::CachedCodeBlock::constructorKind const): Deleted.
1752         (JSC::CachedCodeBlock::derivedContextType const): Deleted.
1753         (JSC::CachedCodeBlock::evalContextType const): Deleted.
1754         (JSC::CachedCodeBlock::hasTailCalls const): Deleted.
1755         (JSC::CachedCodeBlock::lineCount const): Deleted.
1756         (JSC::CachedCodeBlock::endColumn const): Deleted.
1757         (JSC::CachedCodeBlock::numVars const): Deleted.
1758         (JSC::CachedCodeBlock::numCalleeLocals const): Deleted.
1759         (JSC::CachedCodeBlock::numParameters const): Deleted.
1760         (JSC::CachedCodeBlock::features const): Deleted.
1761         (JSC::CachedCodeBlock::parseMode const): Deleted.
1762         (JSC::CachedCodeBlock::codeType const): Deleted.
1763         (JSC::CachedCodeBlock::rareData const): Deleted.
1764         (JSC::CachedProgramCodeBlock::encode): Deleted.
1765         (JSC::CachedProgramCodeBlock::decode const): Deleted.
1766         (JSC::CachedModuleCodeBlock::encode): Deleted.
1767         (JSC::CachedModuleCodeBlock::decode const): Deleted.
1768         (JSC::CachedEvalCodeBlock::encode): Deleted.
1769         (JSC::CachedEvalCodeBlock::decode const): Deleted.
1770         (JSC::CachedFunctionCodeBlock::encode): Deleted.
1771         (JSC::CachedFunctionCodeBlock::decode const): Deleted.
1772         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock): Deleted.
1773         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
1774         (JSC::CachedCodeBlock<CodeBlockType>::decode const): Deleted.
1775         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock): Deleted.
1776         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock): Deleted.
1777         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock): Deleted.
1778         (JSC::CachedFunctionExecutable::encode): Deleted.
1779         (JSC::CachedFunctionExecutable::decode const): Deleted.
1780         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Deleted.
1781         (JSC::CachedCodeBlock<CodeBlockType>::encode): Deleted.
1782         (JSC::CachedSourceCodeKey::encode): Deleted.
1783         (JSC::CachedSourceCodeKey::decode const): Deleted.
1784         (JSC::CacheEntry::encode): Deleted.
1785         (JSC::CacheEntry:: const): Deleted.
1786         (JSC:: const): Deleted.
1787         (JSC::encodeCodeBlock): Deleted.
1788         (JSC::decodeCodeBlockImpl): Deleted.
1789         * runtime/CachedTypes.h:
1790         (JSC::decodeCodeBlock): Deleted.
1791         * runtime/CodeCache.cpp:
1792         (JSC::CodeCacheMap::pruneSlowCase):
1793         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1794         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1795         (JSC::CodeCache::write): Deleted.
1796         * runtime/CodeCache.h:
1797         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1798         (JSC::CodeCache::clear):
1799         (JSC::CodeCacheMap::begin): Deleted.
1800         (JSC::CodeCacheMap::end): Deleted.
1801         (JSC::CodeCacheMap::fetchFromDiskImpl): Deleted.
1802         (): Deleted.
1803         (JSC::writeCodeBlock): Deleted.
1804         * runtime/JSBigInt.cpp:
1805         (JSC::JSBigInt::offsetOfData):
1806         (JSC::JSBigInt::dataStorage):
1807         * runtime/JSBigInt.h:
1808         * runtime/Options.cpp:
1809         (JSC::recomputeDependentOptions):
1810         * runtime/Options.h:
1811         * runtime/RegExp.h:
1812         * runtime/ScopedArgumentsTable.h:
1813         * runtime/StackFrame.h:
1814         * runtime/StructureInlines.h:
1815         * runtime/SymbolTable.h:
1816
1817 2019-01-20  Saam Barati  <sbarati@apple.com>
1818
1819         MovHint must merge NodeBytecodeUsesAsValue for its child in backwards propagation
1820         https://bugs.webkit.org/show_bug.cgi?id=186916
1821         <rdar://problem/41396612>
1822
1823         Reviewed by Yusuke Suzuki.
1824
1825         Otherwise, we may not think we care about the non-integral part in
1826         a division (or perhaps overflow in an add, etc). Consider a program
1827         like this:
1828
1829         ```return a / b```
1830
1831         That gets compiled to:
1832         ```
1833         a: ArithDiv // We don't check that the remainder is zero here.
1834         b: MovHint(@a)
1835         c: ForceOSRExit
1836         d: Unreachable
1837         ```
1838
1839         If we don't inform @a that we care about its result in full number
1840         accuracy, it will choose to ignore its non-integral remainder. This
1841         makes sense if *every* use of the Div only cared about
1842         the integral part. However, OSR exit is not one of those users. OSR
1843         exit cares about the fractional bits in such a Div.
1844
1845         * dfg/DFGBackwardsPropagationPhase.cpp:
1846         (JSC::DFG::BackwardsPropagationPhase::propagate):
1847
1848 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1849
1850         [JSC] Invalidate old scope operations using global lexical binding epoch
1851         https://bugs.webkit.org/show_bug.cgi?id=193603
1852         <rdar://problem/47380869>
1853
1854         Reviewed by Saam Barati.
1855
1856         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
1857         scope-related operations since we may have had a global property previously. Consider the following example,
1858
1859             foo = 0;
1860             function get() { return foo; }
1861             print(get()); // 0
1862             print(get()); // 0
1863             delete globalThis.foo;
1864             $.evalScript(`const foo = 42;`);
1865             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
1866
1867         To invalidate the cache easily, we introduce a global lexical binding epoch. It is bumped every time we introduce a new lexical binding
1868         into JSGlobalLexicalEnvironment, since that name could shadow the global property name previously. In op_resolve_scope, we first check
1869         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
1870         operation to the appropriate one even if the resolve type is not the UnresolvedProperty type. After updating the resolve type of the bytecode,
1871         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
1872
        In op_get_from_scope and op_put_to_scope, we do not use this epoch, since the Structure check can do the same thing instead. If op_resolve_scope
        is updated by the epoch, and it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, the structure check obviously fails.
        And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
1876
        So, the metadata for scope-related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint-based approach.
        In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid an
        infinite compile-and-fail loop.
1880
        When the global lexical binding epoch overflows, we iterate all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
        happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
        structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
        reason.
1885
1886         * bytecode/BytecodeList.rb:
1887         * bytecode/CodeBlock.cpp:
1888         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1889         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
1890         * bytecode/CodeBlock.h:
1891         * dfg/DFGByteCodeParser.cpp:
1892         (JSC::DFG::ByteCodeParser::parseBlock):
1893         * dfg/DFGDesiredGlobalProperties.cpp:
1894         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1895         * dfg/DFGDesiredGlobalProperties.h:
1896         * dfg/DFGGraph.cpp:
1897         (JSC::DFG::Graph::watchGlobalProperty):
1898         * dfg/DFGGraph.h:
1899         * dfg/DFGPlan.cpp:
1900         (JSC::DFG::Plan::isStillValidOnMainThread):
1901         * jit/JITPropertyAccess.cpp:
1902         (JSC::JIT::emit_op_resolve_scope):
1903         * jit/JITPropertyAccess32_64.cpp:
1904         (JSC::JIT::emit_op_resolve_scope):
1905         * llint/LowLevelInterpreter32_64.asm:
1906         * llint/LowLevelInterpreter64.asm:
1907         * runtime/CommonSlowPaths.cpp:
1908         (JSC::SLOW_PATH_DECL):
1909         * runtime/CommonSlowPaths.h:
1910         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1911         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1912         * runtime/JSGlobalObject.cpp:
1913         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
1914         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1915         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1916         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
1917         * runtime/JSGlobalObject.h:
1918         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
1919         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
1920         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
1921         * runtime/Options.cpp:
1922         (JSC::correctOptions):
1923         (JSC::Options::initialize):
1924         (JSC::Options::setOptions):
1925         (JSC::Options::setOptionWithoutAlias):
1926         * runtime/Options.h:
1927         * runtime/ProgramExecutable.cpp:
1928         (JSC::ProgramExecutable::initializeGlobalProperties):
1929
1930 2019-01-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1931
1932         [JSC] Shrink data structure size in JSC/heap
1933         https://bugs.webkit.org/show_bug.cgi?id=193612
1934
1935         Reviewed by Saam Barati.
1936
        This patch reduces the size of data structures in JSC/heap. Basically, we reorder the members to remove padding.
1938
1939         For Subspace, we drop CellAttributes `m_attributes`. Instead, we use `heapCellType->attributes()`. And we use
1940         FreeList::cellSize() instead of holding m_cellSize in LocalAllocator.
1941
        This change reduces the size of JSC::VM too since it includes JSC::Heap. The size of VM goes from 78208 to 76696.
1943
1944         * heap/BlockDirectory.cpp:
1945         * heap/BlockDirectory.h:
1946         * heap/CollectionScope.h:
1947         * heap/CompleteSubspace.cpp:
1948         (JSC::CompleteSubspace::allocatorForSlow):
1949         * heap/FreeList.h:
1950         (JSC::FreeList::offsetOfCellSize):
1951         (JSC::FreeList::cellSize const):
1952         * heap/Heap.cpp:
1953         (JSC::Heap::Heap):
1954         (JSC::Heap::updateObjectCounts):
1955         (JSC::Heap::addToRememberedSet):
1956         (JSC::Heap::runBeginPhase):
1957         (JSC::Heap::willStartCollection):
1958         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
1959         (JSC::Heap::deleteSourceProviderCaches):
1960         (JSC::Heap::notifyIncrementalSweeper):
1961         (JSC::Heap::updateAllocationLimits):
1962         * heap/Heap.h:
1963         * heap/IsoAlignedMemoryAllocator.h:
1964         * heap/LargeAllocation.cpp:
1965         * heap/LocalAllocator.cpp:
1966         (JSC::LocalAllocator::LocalAllocator):
1967         * heap/LocalAllocator.h:
1968         (JSC::LocalAllocator::cellSize const):
1969         (JSC::LocalAllocator::offsetOfCellSize):
1970         * heap/MarkedSpace.cpp:
1971         (JSC::MarkedSpace::MarkedSpace):
1972         * heap/MarkedSpace.h:
1973         * heap/MarkingConstraint.h:
1974         * heap/Subspace.cpp:
1975         (JSC::Subspace::initialize):
1976         * heap/Subspace.h:
1977         (JSC::Subspace::attributes const): Deleted.
1978         * heap/SubspaceInlines.h:
1979         (JSC::Subspace::forEachMarkedCell):
1980         (JSC::Subspace::forEachMarkedCellInParallel):
1981         (JSC::Subspace::forEachLiveCell):
1982         (JSC::Subspace::attributes const):
1983
1984 2019-01-20  Tadeu Zagallo  <tzagallo@apple.com>
1985
1986         Cache bytecode to disk
1987         https://bugs.webkit.org/show_bug.cgi?id=192782
1988         <rdar://problem/46084932>
1989
1990         Reviewed by Keith Miller.
1991
1992         Add the logic to serialize and deserialize the new JSC bytecode. For now,
1993         the cache is only used for tests.
1994
1995         Each class that can be serialized has a counterpart in CachedTypes, which
1996         handles the decoding and encoding. When decoding, the cached objects are
1997         mmap'd from disk, but only used for creating instances of the respective
1998         in-memory version of each object. Ideally, the mmap'd objects should be
1999         used at runtime in the future.
2000
2001         * CMakeLists.txt:
2002         * JavaScriptCore.xcodeproj/project.pbxproj:
2003         * Sources.txt:
2004         * builtins/BuiltinNames.cpp:
2005         (JSC::BuiltinNames::BuiltinNames):
2006         * builtins/BuiltinNames.h:
2007         * bytecode/CodeBlock.cpp:
2008         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2009         * bytecode/CodeBlock.h:
2010         * bytecode/HandlerInfo.h:
2011         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
2012         * bytecode/InstructionStream.h:
2013         * bytecode/UnlinkedCodeBlock.h:
2014         (JSC::UnlinkedCodeBlock::addSetConstant):
2015         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2016         * bytecode/UnlinkedEvalCodeBlock.h:
2017         * bytecode/UnlinkedFunctionCodeBlock.h:
2018         * bytecode/UnlinkedFunctionExecutable.h:
2019         * bytecode/UnlinkedGlobalCodeBlock.h:
2020         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
2021         * bytecode/UnlinkedMetadataTable.h:
2022         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2023         * bytecode/UnlinkedProgramCodeBlock.h:
2024         * interpreter/Interpreter.cpp:
2025         * jsc.cpp:
2026         (functionQuit):
2027         (runJSC):
2028         * parser/SourceCode.h:
2029         * parser/SourceCodeKey.h:
2030         (JSC::SourceCodeKey::operator!= const):
2031         * parser/UnlinkedSourceCode.h:
2032         * parser/VariableEnvironment.h:
2033         * runtime/CachedTypes.cpp: Added.
2034         (JSC::Encoder::Allocation::buffer const):
2035         (JSC::Encoder::Allocation::offset const):
2036         (JSC::Encoder::Allocation::Allocation):
2037         (JSC::Encoder::Encoder):
2038         (JSC::Encoder::vm):
2039         (JSC::Encoder::malloc):
2040         (JSC::Encoder::offsetOf):
2041         (JSC::Encoder::cachePtr):
2042         (JSC::Encoder::offsetForPtr):
2043         (JSC::Encoder::release):
2044         (JSC::Encoder::Page::Page):
2045         (JSC::Encoder::Page::malloc):
2046         (JSC::Encoder::Page::buffer const):
2047         (JSC::Encoder::Page::size const):
2048         (JSC::Encoder::Page::getOffset const):
2049         (JSC::Encoder::allocateNewPage):
2050         (JSC::Decoder::Decoder):
2051         (JSC::Decoder::~Decoder):
2052         (JSC::Decoder::vm):
2053         (JSC::Decoder::offsetOf):
2054         (JSC::Decoder::cacheOffset):
2055         (JSC::Decoder::addFinalizer):
2056         (JSC::encode):
2057         (JSC::decode):
2058         (JSC::VariableLengthObject::buffer const):
2059         (JSC::VariableLengthObject::allocate):
2060         (JSC::CachedPtr::encode):
2061         (JSC::CachedPtr::decode const):
2062         (JSC::CachedPtr::operator-> const):
2063         (JSC::CachedPtr::get const):
2064         (JSC::CachedRefPtr::encode):
2065         (JSC::CachedRefPtr::decode const):
2066         (JSC::CachedWriteBarrier::encode):
2067         (JSC::CachedWriteBarrier::decode const):
2068         (JSC::CachedVector::encode):
2069         (JSC::CachedVector::decode const):
2070         (JSC::CachedPair::encode):
2071         (JSC::CachedPair::decode const):
2072         (JSC::CachedHashMap::encode):
2073         (JSC::CachedHashMap::decode const):
2074         (JSC::CachedUniquedStringImpl::encode):
2075         (JSC::CachedUniquedStringImpl::decode const):
2076         (JSC::CachedStringImpl::encode):
2077         (JSC::CachedStringImpl::decode const):
2078         (JSC::CachedString::encode):
2079         (JSC::CachedString::decode const):
2080         (JSC::CachedIdentifier::encode):
2081         (JSC::CachedIdentifier::decode const):
2082         (JSC::CachedOptional::encode):
2083         (JSC::CachedOptional::decode const):
2084         (JSC::CachedOptional::decodeAsPtr const):
2085         (JSC::CachedSimpleJumpTable::encode):
2086         (JSC::CachedSimpleJumpTable::decode const):
2087         (JSC::CachedStringJumpTable::encode):
2088         (JSC::CachedStringJumpTable::decode const):
2089         (JSC::CachedCodeBlockRareData::encode):
2090         (JSC::CachedCodeBlockRareData::decode const):
2091         (JSC::CachedBitVector::encode):
2092         (JSC::CachedBitVector::decode const):
2093         (JSC::CachedHashSet::encode):
2094         (JSC::CachedHashSet::decode const):
2095         (JSC::CachedConstantIdentifierSetEntry::encode):
2096         (JSC::CachedConstantIdentifierSetEntry::decode const):
2097         (JSC::CachedVariableEnvironment::encode):
2098         (JSC::CachedVariableEnvironment::decode const):
2099         (JSC::CachedArray::encode):
2100         (JSC::CachedArray::decode const):
2101         (JSC::CachedScopedArgumentsTable::encode):
2102         (JSC::CachedScopedArgumentsTable::decode const):
2103         (JSC::CachedSymbolTableEntry::encode):
2104         (JSC::CachedSymbolTableEntry::decode const):
2105         (JSC::CachedSymbolTable::encode):
2106         (JSC::CachedSymbolTable::decode const):
2107         (JSC::CachedImmutableButterfly::encode):
2108         (JSC::CachedImmutableButterfly::decode const):
2109         (JSC::CachedRegExp::encode):
2110         (JSC::CachedRegExp::decode const):
2111         (JSC::CachedTemplateObjectDescriptor::encode):
2112         (JSC::CachedTemplateObjectDescriptor::decode const):
2113         (JSC::CachedBigInt::encode):
2114         (JSC::CachedBigInt::decode const):
2115         (JSC::CachedJSValue::encode):
2116         (JSC::CachedJSValue::decode const):
2117         (JSC::CachedInstructionStream::encode):
2118         (JSC::CachedInstructionStream::decode const):
2119         (JSC::CachedMetadataTable::encode):
2120         (JSC::CachedMetadataTable::decode const):
2121         (JSC::CachedSourceOrigin::encode):
2122         (JSC::CachedSourceOrigin::decode const):
2123         (JSC::CachedTextPosition::encode):
2124         (JSC::CachedTextPosition::decode const):
2125         (JSC::CachedSourceProviderShape::encode):
2126         (JSC::CachedSourceProviderShape::decode const):
2127         (JSC::CachedStringSourceProvider::encode):
2128         (JSC::CachedStringSourceProvider::decode const):
2129         (JSC::CachedWebAssemblySourceProvider::encode):
2130         (JSC::CachedWebAssemblySourceProvider::decode const):
2131         (JSC::CachedSourceProvider::encode):
2132         (JSC::CachedSourceProvider::decode const):
2133         (JSC::CachedUnlinkedSourceCodeShape::encode):
2134         (JSC::CachedUnlinkedSourceCodeShape::decode const):
2135         (JSC::CachedSourceCode::encode):
2136         (JSC::CachedSourceCode::decode const):
2137         (JSC::CachedFunctionExecutable::firstLineOffset const):
2138         (JSC::CachedFunctionExecutable::lineCount const):
2139         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
2140         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
2141         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
2142         (JSC::CachedFunctionExecutable::startOffset const):
2143         (JSC::CachedFunctionExecutable::sourceLength const):
2144         (JSC::CachedFunctionExecutable::parametersStartOffset const):
2145         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
2146         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
2147         (JSC::CachedFunctionExecutable::parameterCount const):
2148         (JSC::CachedFunctionExecutable::features const):
2149         (JSC::CachedFunctionExecutable::sourceParseMode const):
2150         (JSC::CachedFunctionExecutable::isInStrictContext const):
2151         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
2152         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
2153         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
2154         (JSC::CachedFunctionExecutable::constructAbility const):
2155         (JSC::CachedFunctionExecutable::constructorKind const):
2156         (JSC::CachedFunctionExecutable::functionMode const):
2157         (JSC::CachedFunctionExecutable::scriptMode const):
2158         (JSC::CachedFunctionExecutable::superBinding const):
2159         (JSC::CachedFunctionExecutable::derivedContextType const):
2160         (JSC::CachedFunctionExecutable::name const):
2161         (JSC::CachedFunctionExecutable::ecmaName const):
2162         (JSC::CachedFunctionExecutable::inferredName const):
2163         (JSC::CachedCodeBlock::instructions const):
2164         (JSC::CachedCodeBlock::thisRegister const):
2165         (JSC::CachedCodeBlock::scopeRegister const):
2166         (JSC::CachedCodeBlock::globalObjectRegister const):
2167         (JSC::CachedCodeBlock::sourceURLDirective const):
2168         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
2169         (JSC::CachedCodeBlock::usesEval const):
2170         (JSC::CachedCodeBlock::isStrictMode const):
2171         (JSC::CachedCodeBlock::isConstructor const):
2172         (JSC::CachedCodeBlock::hasCapturedVariables const):
2173         (JSC::CachedCodeBlock::isBuiltinFunction const):
2174         (JSC::CachedCodeBlock::superBinding const):
2175         (JSC::CachedCodeBlock::scriptMode const):
2176         (JSC::CachedCodeBlock::isArrowFunctionContext const):
2177         (JSC::CachedCodeBlock::isClassContext const):
2178         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
2179         (JSC::CachedCodeBlock::constructorKind const):
2180         (JSC::CachedCodeBlock::derivedContextType const):
2181         (JSC::CachedCodeBlock::evalContextType const):
2182         (JSC::CachedCodeBlock::hasTailCalls const):
2183         (JSC::CachedCodeBlock::lineCount const):
2184         (JSC::CachedCodeBlock::endColumn const):
2185         (JSC::CachedCodeBlock::numVars const):
2186         (JSC::CachedCodeBlock::numCalleeLocals const):
2187         (JSC::CachedCodeBlock::numParameters const):
2188         (JSC::CachedCodeBlock::features const):
2189         (JSC::CachedCodeBlock::parseMode const):
2190         (JSC::CachedCodeBlock::codeType const):
2191         (JSC::CachedCodeBlock::rareData const):
2192         (JSC::CachedProgramCodeBlock::encode):
2193         (JSC::CachedProgramCodeBlock::decode const):
2194         (JSC::CachedModuleCodeBlock::encode):
2195         (JSC::CachedModuleCodeBlock::decode const):
2196         (JSC::CachedEvalCodeBlock::encode):
2197         (JSC::CachedEvalCodeBlock::decode const):
2198         (JSC::CachedFunctionCodeBlock::encode):
2199         (JSC::CachedFunctionCodeBlock::decode const):
2200         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
2201         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2202         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2203         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
2204         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
2205         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
2206         (JSC::CachedFunctionExecutable::encode):
2207         (JSC::CachedFunctionExecutable::decode const):
2208         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2209         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2210         (JSC::CachedSourceCodeKey::encode):
2211         (JSC::CachedSourceCodeKey::decode const):
2212         (JSC::CacheEntry::encode):
2213         (JSC::CacheEntry:: const):
2214         (JSC:: const):
2215         (JSC::encodeCodeBlock):
2216         (JSC::decodeCodeBlockImpl):
2217         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
2218         (JSC::decodeCodeBlock):
2219         * runtime/CodeCache.cpp:
2220         (JSC::CodeCacheMap::pruneSlowCase):
2221         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2222         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2223         (JSC::CodeCache::write):
2224         * runtime/CodeCache.h:
2225         (JSC::CodeCacheMap::begin):
2226         (JSC::CodeCacheMap::end):
2227         (JSC::CodeCacheMap::fetchFromDiskImpl):
2228         (JSC::CodeCacheMap::findCacheAndUpdateAge):
2229         (JSC::writeCodeBlock):
2230         * runtime/JSBigInt.cpp:
2231         * runtime/JSBigInt.h:
2232         * runtime/Options.cpp:
2233         (JSC::recomputeDependentOptions):
2234         * runtime/Options.h:
2235         * runtime/RegExp.h:
2236         * runtime/ScopedArgumentsTable.h:
2237         * runtime/StackFrame.h:
2238         * runtime/StructureInlines.h:
2239         * runtime/SymbolTable.h:
2240
2241 2019-01-20  Antoine Quint  <graouts@apple.com>
2242
2243         Add a POINTER_EVENTS feature flag
2244         https://bugs.webkit.org/show_bug.cgi?id=193577
2245         <rdar://problem/47408511>
2246
2247         Unreviewed. Also enable Pointer Events for iosmac.
2248
2249         * Configurations/FeatureDefines.xcconfig:
2250
2251 2019-01-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2252
2253         [JSC] Reorder JSSegmentedVariableObject member for preparation of JSGlobalObject memory reduction
2254         https://bugs.webkit.org/show_bug.cgi?id=193609
2255
2256         Reviewed by Sam Weinig.
2257
        Basically, we should order the members in large => small order so as not to add padding.
2259
2260         * runtime/JSSegmentedVariableObject.h:
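
The member-reordering technique this entry and the earlier "[JSC] Shrink data structure size in JSC/heap" entry describe, shown as an added illustration that is not JSC's own code: two declarations of the same hypothetical four-field struct (field names borrowed loosely from the heap entry), one in arbitrary order and one sorted large => small, with the padding each layout wastes computed from sizeof and the member offsets. The 24-vs-16-byte figures in the comments assume an LP64 target such as x86_64 or arm64; the struct and helper names are this example's own.

```cpp
// Added illustration, not JSC code: the member-reordering trick described in
// the ChangeLog entries above, on a hypothetical struct. The layout reasoning
// assumes the usual rule that each member sits at an offset that is a multiple
// of its alignment and that the struct size is rounded up to the largest
// member alignment.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Declared in the order one might write them: small, large, medium, small.
struct Naive {
    bool isMarked;        // 1 byte, then a hole up to the pointer's alignment
    void* heapCellType;   // pointer-sized
    uint32_t cellSize;    // 4 bytes
    bool isEden;          // 1 byte, then tail padding up to alignof(void*)
};

// Same four members sorted large => small: no interior holes remain.
struct Reordered {
    void* heapCellType;
    uint32_t cellSize;
    bool isMarked;
    bool isEden;          // only tail padding remains, to reach alignof(void*)
};

// Bytes the members themselves occupy; independent of declaration order.
constexpr std::size_t payloadBytes = sizeof(void*) + sizeof(uint32_t) + 2 * sizeof(bool);

// Padding a layout wastes: whatever sizeof reports beyond the payload.
template <typename T>
constexpr std::size_t paddingBytes() { return sizeof(T) - payloadBytes; }

// Compile-time checks of the claim: reordering never grows the struct, never
// changes its alignment requirement, and here strictly removes padding.
static_assert(sizeof(Reordered) <= sizeof(Naive), "reordering must not grow the struct");
static_assert(alignof(Reordered) == alignof(Naive), "same members, same alignment");
static_assert(paddingBytes<Reordered>() < paddingBytes<Naive>(), "reordering must remove padding");

// Print each member's offset so the holes are visible.
inline void dumpLayouts() {
    std::printf("Naive:     size=%zu align=%zu padding=%zu offsets: isMarked=%zu heapCellType=%zu cellSize=%zu isEden=%zu\n",
        sizeof(Naive), alignof(Naive), paddingBytes<Naive>(),
        offsetof(Naive, isMarked), offsetof(Naive, heapCellType),
        offsetof(Naive, cellSize), offsetof(Naive, isEden));
    std::printf("Reordered: size=%zu align=%zu padding=%zu offsets: heapCellType=%zu cellSize=%zu isMarked=%zu isEden=%zu\n",
        sizeof(Reordered), alignof(Reordered), paddingBytes<Reordered>(),
        offsetof(Reordered, heapCellType), offsetof(Reordered, cellSize),
        offsetof(Reordered, isMarked), offsetof(Reordered, isEden));
}

int main() {
    // On LP64: Naive is 24 bytes (10 of padding), Reordered is 16 bytes (2 of padding).
    dumpLayouts();
    return 0;
}
```

The static_asserts are the useful part in a real code base: put one on sizeof next to a hot struct and a later "harmless" member addition that reintroduces a hole fails the build instead of silently costing memory per instance.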
2261
2262 2019-01-19  Antoine Quint  <graouts@apple.com>
2263
2264         Add a POINTER_EVENTS feature flag
2265         https://bugs.webkit.org/show_bug.cgi?id=193577
2266
2267         Reviewed by Dean Jackson.
2268
2269         * Configurations/FeatureDefines.xcconfig:
2270
2271 2019-01-18  Keith Miller  <keith_miller@apple.com>
2272
2273         JSScript API should only take ascii files.
2274         https://bugs.webkit.org/show_bug.cgi?id=193420
2275
2276         Reviewed by Saam Barati.
2277
        This patch leaves the UTF8 method for binary compatibility, which
        will be removed later.
2280
2281         * API/JSScript.h:
2282         * API/JSScript.mm:
2283         (fillBufferWithContentsOfFile):
2284         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
2285         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
2286         * API/tests/testapi.mm:
2287         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
2288
2289 2019-01-18  David Kilzer  <ddkilzer@apple.com>
2290
2291         Follow-up: Gigacages should start allocations from a slide
2292         <https://bugs.webkit.org/show_bug.cgi?id=193523>
2293         <rdar://problem/44958707>
2294
2295         * ftl/FTLLowerDFGToB3.cpp:
2296         (JSC::FTL::DFG::LowerDFGToB3::caged): Add UNUSED_PARAM(kind) to
2297         fix the build.
2298
2299 2019-01-18  Jer Noble  <jer.noble@apple.com>
2300
2301         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
2302         https://bugs.webkit.org/show_bug.cgi?id=189553
2303
2304         Reviewed by Tim Horton.
2305
2306         * Configurations/Base.xcconfig:
2307         * Configurations/SDKVariant.xcconfig: Added.
2308
2309 2019-01-18  Keith Miller  <keith_miller@apple.com>
2310
2311         Gigacages should start allocations from a slide
2312         https://bugs.webkit.org/show_bug.cgi?id=193523
2313
2314         Reviewed by Mark Lam.
2315
2316         This patch changes some macros into constants since macros are the
2317         devil.
2318
2319         * ftl/FTLLowerDFGToB3.cpp:
2320         (JSC::FTL::DFG::LowerDFGToB3::caged):
2321         * llint/LowLevelInterpreter64.asm:
2322
2323 2019-01-18  Matt Lewis  <jlewis3@apple.com>
2324
2325         Unreviewed, rolling out r240160.
2326
2327         This broke multiple internal builds.
2328
2329         Reverted changeset:
2330
2331         "Gigacages should start allocations from a slide"
2332         https://bugs.webkit.org/show_bug.cgi?id=193523
2333         https://trac.webkit.org/changeset/240160
2334
2335 2019-01-18  Keith Miller  <keith_miller@apple.com>
2336
2337         Gigacages should start allocations from a slide
2338         https://bugs.webkit.org/show_bug.cgi?id=193523
2339
2340         Reviewed by Mark Lam.
2341
2342         This patch changes some macros into constants since macros are the
2343         devil.
2344
2345         * llint/LowLevelInterpreter64.asm:
2346
2347 2019-01-17  Mark Lam  <mark.lam@apple.com>
2348
2349         Audit bytecode fields and ensure that LLInt instructions for accessing them are appropriate.
2350         https://bugs.webkit.org/show_bug.cgi?id=193557
2351         <rdar://problem/47369125>
2352
2353         Reviewed by Yusuke Suzuki.
2354
2355         1. Rename some bytecode fields so that it's easier to discern whether the LLInt
2356            is accessing them the right way:
2357            - distinguish between targetVirtualRegister and targetLabel.
2358            - name all StructureID fields as structureID (oldStructureID, newStructureID)
2359              instead of structure (oldStructure, newStructure).
2360
2361         2. Use bitwise_cast in struct Fits when sizeof(T) == size.
2362            This prevents potential undefined behavior issues arising from doing
2363            assignments with reinterpret_cast'ed pointers.
2364
2365         3. Make Special::Pointer an unsigned type (previously int).
2366            Make ResolveType an unsigned type (previously int).
2367
2368         4. In LowLevelInterpreter*.asm:
2369
2370            - rename the op macro argument to opcodeName or opcodeStruct respectively.
2371              This makes it clearer which argument type the macro is working with.
2372
2373            - rename the name macro argument to opcodeName.
2374
2375            - fix operator types to match the field type being accessed.  The following
2376              may have resulted in bugs before:
2377
2378              1. The following should be read with getu() instead of get() because they
2379                 are unsigned ints:
2380                     OpSwitchImm::m_tableIndex
2381                     OpSwitchChar::m_tableIndex
2382                     OpGetFromArguments::m_index
2383                     OpPutToArguments::m_index
2384                     OpGetRestLength::m_numParametersToSkip
2385
2386                 OpJneqPtr::m_specialPointer should also be read with getu() though this
2387                 wasn't a bug because it was previously an int by default, and is only
2388                 changed to an unsigned int in this patch.
2389
             2. The following should be read with loadi (not loadp) because they are of
                unsigned type (not a pointer):
2392                     OpResolveScope::Metadata::m_resolveType
2393                     CodeBlock::m_numParameters (see prepareForTailCall)
2394
2395              3. OpPutToScope::Metadata::m_operand should be read with loadp (not loadis)
2396                 because it is a uintptr_t.
2397
2398              4. The following should be read with loadi (not loadis) because they are
2399                 unsigned ints:
2400                     OpNegate::Metadata::m_arithProfile + ArithProfile::m_bits
2401                     OpPutById::Metadata::m_oldStructureID
2402                     OpPutToScope::Metadata::m_getPutInfo + GetPutInfo::m_operand
2403
2404                 These may not have manifested in bugs because the operations that follow
2405                 the load are 32-bit instructions which ignore the high word.
2406
2407         5. Give class GetPutInfo a default constructor so that we can use bitwise_cast
2408            on it.  Also befriend LLIntOffsetsExtractor so that we can take the offset of
2409            m_operand in it.
2410
2411         * bytecode/ArithProfile.h:
2412         * bytecode/BytecodeList.rb:
2413         * bytecode/BytecodeUseDef.h:
2414         (JSC::computeUsesForBytecodeOffset):
2415         (JSC::computeDefsForBytecodeOffset):
2416         * bytecode/CodeBlock.cpp:
2417         (JSC::CodeBlock::propagateTransitions):
2418         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2419         * bytecode/Fits.h:
2420         * bytecode/GetByIdMetadata.h:
2421         * bytecode/GetByIdStatus.cpp:
2422         (JSC::GetByIdStatus::computeFromLLInt):
2423         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2424         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2425         * bytecode/PreciseJumpTargetsInlines.h:
2426         (JSC::jumpTargetForInstruction):
2427         (JSC::updateStoredJumpTargetsForInstruction):
2428         * bytecode/PutByIdStatus.cpp:
2429         (JSC::PutByIdStatus::computeFromLLInt):
2430         * bytecode/SpecialPointer.h:
2431         * bytecompiler/BytecodeGenerator.cpp:
2432         (JSC::Label::setLocation):
2433         * dfg/DFGByteCodeParser.cpp:
2434         (JSC::DFG::ByteCodeParser::parseBlock):
2435         * jit/JITArithmetic.cpp:
2436         (JSC::JIT::emit_compareAndJump):
2437         (JSC::JIT::emit_compareUnsignedAndJump):
2438         (JSC::JIT::emit_compareAndJumpSlow):
2439         * jit/JITArithmetic32_64.cpp:
2440         (JSC::JIT::emit_compareAndJump):
2441         (JSC::JIT::emit_compareUnsignedAndJump):
2442         (JSC::JIT::emit_compareAndJumpSlow):
2443         (JSC::JIT::emitBinaryDoubleOp):
2444         * jit/JITOpcodes.cpp:
2445         (JSC::JIT::emit_op_jmp):
2446         (JSC::JIT::emit_op_jfalse):
2447         (JSC::JIT::emit_op_jeq_null):
2448         (JSC::JIT::emit_op_jneq_null):
2449         (JSC::JIT::emit_op_jneq_ptr):
2450         (JSC::JIT::emit_op_jeq):
2451         (JSC::JIT::emit_op_jtrue):
2452         (JSC::JIT::emit_op_jneq):
2453         (JSC::JIT::compileOpStrictEqJump):
2454         (JSC::JIT::emitSlow_op_jstricteq):
2455         (JSC::JIT::emitSlow_op_jnstricteq):
2456         (JSC::JIT::emit_op_check_tdz):
2457         (JSC::JIT::emitSlow_op_jeq):
2458         (JSC::JIT::emitSlow_op_jneq):
2459         (JSC::JIT::emit_op_profile_type):
2460         * jit/JITOpcodes32_64.cpp:
2461         (JSC::JIT::emit_op_jmp):
2462         (JSC::JIT::emit_op_jfalse):
2463         (JSC::JIT::emit_op_jtrue):
2464         (JSC::JIT::emit_op_jeq_null):
2465         (JSC::JIT::emit_op_jneq_null):
2466         (JSC::JIT::emit_op_jneq_ptr):
2467         (JSC::JIT::emit_op_jeq):
2468         (JSC::JIT::emitSlow_op_jeq):
2469         (JSC::JIT::emit_op_jneq):
2470         (JSC::JIT::emitSlow_op_jneq):
2471         (JSC::JIT::compileOpStrictEqJump):
2472         (JSC::JIT::emitSlow_op_jstricteq):
2473         (JSC::JIT::emitSlow_op_jnstricteq):
2474         (JSC::JIT::emit_op_check_tdz):
2475         (JSC::JIT::emit_op_profile_type):
2476         * llint/LLIntSlowPaths.cpp:
2477         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2478         (JSC::LLInt::setupGetByIdPrototypeCache):
2479         * llint/LowLevelInterpreter.asm:
2480         * llint/LowLevelInterpreter32_64.asm:
2481         * llint/LowLevelInterpreter64.asm:
2482         * runtime/CommonSlowPaths.cpp:
2483         * runtime/GetPutInfo.h:
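
The load-width and signedness distinctions that item 4 of this entry audits, shown as an added illustration rather than JSC's own code: a hypothetical Metadata record with an unsigned 32-bit field and a uintptr_t field is read with emulated 32-bit zero-extending (loadi), 32-bit sign-extending (loadis) and pointer-width (loadp) loads, which makes visible why the mismatched loads only go wrong once bit 31 is set or once the high word matters. A memcpy-based bitwiseCast stands in for the bitwise_cast use in Fits and GetPutInfo that items 2 and 5 describe. The emulated loads, the Metadata struct, the GetPutInfoLike type and sampleMetadata() are this example's assumptions, not JSC identifiers.

```cpp
// Added illustration, not JSC code: why the load used for a bytecode field
// must match that field's width and signedness. loadi / loadis / loadp are
// modelled after the offlineasm mnemonics named in the ChangeLog entry; the
// byte-level emulation here and the Metadata record are this example's own.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

// Hypothetical metadata record: an unsigned 32-bit field (in the spirit of
// OpPutById::Metadata::m_oldStructureID) next to a uintptr_t (in the spirit of
// OpPutToScope::Metadata::m_operand).
struct Metadata {
    uint32_t structureID;
    uintptr_t operand;
};

// Constructed sample: structureID has bit 31 set; operand has bit 32 set on
// 64-bit targets (the double shift avoids undefined behaviour on 32-bit ones).
inline Metadata sampleMetadata() {
    Metadata m;
    m.structureID = 0x80000001u;
    m.operand = (static_cast<uintptr_t>(1) << 31 << 1) | 2u;
    return m;
}

// loadi: read 32 bits and zero-extend into a 64-bit register.
inline uint64_t loadi(const void* p) {
    uint32_t v;
    std::memcpy(&v, p, sizeof v);
    return v;
}

// loadis: read 32 bits and sign-extend into a 64-bit register.
inline uint64_t loadis(const void* p) {
    int32_t v;
    std::memcpy(&v, p, sizeof v);
    return static_cast<uint64_t>(static_cast<int64_t>(v));
}

// loadp: read a full pointer-width word.
inline uint64_t loadp(const void* p) {
    uintptr_t v;
    std::memcpy(&v, p, sizeof v);
    return v;
}

// Reading an unsigned field with the sign-extending load is wrong as soon as
// bit 31 is set. The two results differ only in the high 32 bits, which is why
// a following 32-bit instruction masks the bug and a 64-bit one does not.
inline uint64_t structureIDViaLoadis(const Metadata& m) { return loadis(&m.structureID); }
inline uint64_t structureIDViaLoadi(const Metadata& m)  { return loadi(&m.structureID); }
inline bool low32BitsAgree(uint64_t a, uint64_t b) {
    return static_cast<uint32_t>(a) == static_cast<uint32_t>(b);
}

// Reading a uintptr_t with a 32-bit load drops its upper half: on a
// little-endian target the first four bytes in memory are the low word.
inline uint64_t operandViaLoadis(const Metadata& m) { return loadis(&m.operand); }
inline uint64_t operandViaLoadp(const Metadata& m)  { return loadp(&m.operand); }
inline bool isLittleEndian() {
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// The memcpy form of bitwise_cast: a type pun between equally sized, trivially
// copyable types with well-defined behaviour, unlike assigning through a
// reinterpret_cast'ed pointer. This is the shape Fits uses when sizeof(T) == size.
template <typename To, typename From>
inline To bitwiseCast(const From& from) {
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast requires equal sizes");
    static_assert(std::is_trivially_copyable<To>::value, "To must be trivially copyable");
    static_assert(std::is_trivially_copyable<From>::value, "From must be trivially copyable");
    To to;
    std::memcpy(&to, &from, sizeof to);
    return to;
}

// Hypothetical stand-in for GetPutInfo: one 32-bit word of packed flags. It
// needs a default constructor so it can be the destination of bitwiseCast.
struct GetPutInfoLike {
    GetPutInfoLike() = default;
    explicit GetPutInfoLike(uint32_t bits) : m_operand(bits) { }
    uint32_t m_operand = 0;
};
inline uint32_t encodeOperand(GetPutInfoLike info) { return bitwiseCast<uint32_t>(info); }
inline GetPutInfoLike decodeOperand(uint32_t raw) { return bitwiseCast<GetPutInfoLike>(raw); }

int main() {
    Metadata m = sampleMetadata();
    std::printf("structureID via loadis: 0x%016llx\n", (unsigned long long)structureIDViaLoadis(m));
    std::printf("structureID via loadi:  0x%016llx\n", (unsigned long long)structureIDViaLoadi(m));
    std::printf("operand via loadis:     0x%016llx\n", (unsigned long long)operandViaLoadis(m));
    std::printf("operand via loadp:      0x%016llx\n", (unsigned long long)operandViaLoadp(m));
    std::printf("GetPutInfo round trip:  0x%08x\n", decodeOperand(encodeOperand(GetPutInfoLike(0xdeadbeefu))).m_operand);
    return 0;
}
```

low32BitsAgree() is the point of the entry's remark that some of these mismatches "may not have manifested in bugs": as long as the next instruction is 32-bit, the sign-extended garbage in the high word is never observed, so a later change to a 64-bit compare or address computation is what turns the latent mismatch into a real one.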
2484
2485 2019-01-17  Truitt Savell  <tsavell@apple.com>
2486
2487         Unreviewed, rolling out r240124.
2488
2489         This commit broke an internal build.
2490
2491         Reverted changeset:
2492
        "SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds"
2495         https://bugs.webkit.org/show_bug.cgi?id=189553
2496         https://trac.webkit.org/changeset/240124
2497
2498 2019-01-17  Jer Noble  <jer.noble@apple.com>
2499
2500         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
2501         https://bugs.webkit.org/show_bug.cgi?id=189553
2502
2503         Reviewed by Tim Horton.
2504
2505         * Configurations/Base.xcconfig:
2506         * Configurations/SDKVariant.xcconfig: Added.
2507
2508 2019-01-17  Saam barati  <sbarati@apple.com>
2509
2510         StringObjectUse should not be a structure check for the original string object structure
2511         https://bugs.webkit.org/show_bug.cgi?id=193483
2512         <rdar://problem/47280522>
2513
2514         Reviewed by Yusuke Suzuki.
2515
2516         Prior to this patch, the use kind for StringObjectUse implied that we
2517         do a StructureCheck on the input operand for the *original* StringObject
2518         structure. This is generally not how we use UseKinds, so it's no surprise
2519         that this is buggy. A UseKind should map to a set of SpeculatedTypes, not an
2520         actual set of structures. This patch changes the meaning of StringObjectUse
2521         to mean an object where jsDynamicCast<StringObject*> would succeed.
2522         
2523         This patch also fixes a bug that was caused by the old and weird usage of the
2524         UseKind to mean StructureCheck. Consider a program like this:
2525         ```
2526         S1 = Original StringObject structure
2527         S2 = Original StringObject structure with the field "f" added
2528         
2529         a: GetLocal()
2530         b: CheckStructure(@a, {S2})
2531         c: ToString(StringObject:@a)
2532         ```
2533         
2534         According to AI, in the above program, we would exit at @c, since
2535         StringObject:@a implies a structure check of {S1}, and the intersection
2536         of {S1} and {S2} is {}. So, we'd convert the program to be:
2537         ```
2538         a: GetLocal()
2539         b: CheckStructure(@a, {S2})
2540         c: Check(StringObject:@a)
2541         d: Unreachable
2542         ```
2543         
2544         However, AI would set the proof status of the StringObject:@a edge
2545         to be proven, since the SpeculatedType for @a is SpecStringObject.
2546         This was incorrect of AI to do because the SpeculatedType itself
2547         didn't capture the full power of StringObjectUse. However, having
2548         a UseKind mean CheckStructure is weird precisely because what AI was
2549         doing is a natural fit to how we typically think about UseKinds.
2550         
2551         So the above program would then incorrectly be converted to this, and
2552         we'd crash when reaching the Unreachable node:
2553         ```
2554         a: GetLocal()
2555         b: CheckStructure(@a, {S2})
2556         d: Unreachable
2557         ```
2558         
2559         This patch makes it so that StringObjectUse just means that the object that
2560         filters through a StringObjectUse check must !!jsDynamicCast<StringObject*>.
2561         This is now in line with all other UseKinds. It also lets us simplify a bunch
2562         of other code that had weird checks for the StringObjectUse UseKind.
2563         
2564         This patch also makes it so that anywhere where we used to rely on
2565         StringObjectUse implying a structure check we actually emit an explicit
2566         CheckStructure node.
2567
2568         * JavaScriptCore.xcodeproj/project.pbxproj:
2569         * bytecode/ExitKind.cpp:
2570         (JSC::exitKindToString):
2571         * bytecode/ExitKind.h:
2572         * dfg/DFGAbstractInterpreterInlines.h:
2573         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2574         * dfg/DFGCSEPhase.cpp:
2575         * dfg/DFGClobberize.h:
2576         (JSC::DFG::clobberize):
2577         * dfg/DFGEdgeUsesStructure.h: Removed.
2578         * dfg/DFGFixupPhase.cpp:
2579         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2580         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
2581         (JSC::DFG::FixupPhase::fixupToPrimitive):
2582         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2583         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2584         (JSC::DFG::FixupPhase::isStringObjectUse): Deleted.
2585         * dfg/DFGGraph.cpp:
2586         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2587         * dfg/DFGMayExit.cpp:
2588         * dfg/DFGSpeculativeJIT.cpp:
2589         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
2590         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2591         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2592         * dfg/DFGSpeculativeJIT.h:
2593         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): Deleted.
2594         * dfg/DFGUseKind.h:
2595         (JSC::DFG::alreadyChecked):
2596         (JSC::DFG::usesStructure): Deleted.
2597         * ftl/FTLLowerDFGToB3.cpp:
2598         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
2599         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObject):
2600         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
2601         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForCell):
2602         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForStructureID): Deleted.
2603         * runtime/JSType.cpp:
2604         (WTF::printInternal):
2605         * runtime/JSType.h:
2606         * runtime/StringObject.h:
2607         (JSC::StringObject::createStructure):
2608         * runtime/StringPrototype.h:
2609
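The IR sketch in this entry, written as the JavaScript program shape that produces it. This is an added illustration, not WebKit code and not one of its regression tests. It assumes that the optimizing JIT compiles the hot function and speculates on the extended structure (S2) before reaching the ToString; the helper names (makeOriginal, makeExtended, stringifyWithFieldRead, stringifyOverridden, runHot) are invented for the example. The expected values are what the ECMAScript specification requires of any engine, so the program is also a correctness oracle: a ToString fast path that only accepts the original StringObject structure must either emit an explicit CheckStructure or fall back to the generic conversion, and must honour a user-defined toString.

```javascript
// Added example (not part of the WebKit change or its tests): a JavaScript
// program shaped like the DFG IR in the ChangeLog entry. A StringObject whose
// structure has gained an extra field "f" (S2) still flows into ToString, so a
// lowering that only accepts the original StringObject structure (S1) must emit
// an explicit CheckStructure or treat the input generically. The hot loop is an
// assumed way to get the function tiered up into an optimizing JIT.

// S1: the original StringObject structure.
function makeOriginal(text) {
  return new String(text);
}

// S2: the original StringObject structure plus a field "f" (a structure transition).
function makeExtended(text) {
  const obj = new String(text);
  obj.f = text.length;
  return obj;
}

// The operation that lowers to ToString(StringObject:@a). The `obj.f` read is
// what the entry's CheckStructure(@a, {S2}) stands for: every object reaching
// it is a StringObject carrying "f", so the compiler speculates on S2 first.
function stringifyWithFieldRead(obj) {
  const fieldValue = obj.f;        // CheckStructure(@a, {S2})
  const converted = String(obj);   // ToString(StringObject:@a)
  return { converted, fieldValue };
}

// String(obj) on a StringObject goes through ToPrimitive and therefore calls
// obj.toString, so a user-defined override must be honoured by any fast path.
function stringifyOverridden(text) {
  const obj = new String(text);
  obj.toString = function () { return "override:" + this.valueOf(); };
  return String(obj);
}

// Run the conversion enough times to reach the optimizing tier (assumption:
// the exact threshold is engine-specific) and return the last result.
function runHot(iterations) {
  let last = null;
  for (let i = 0; i < iterations; i++) {
    last = stringifyWithFieldRead(makeExtended("abc" + (i % 10)));
  }
  return last;
}

// Quick self-check when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(runHot(100000));
  console.log(stringifyOverridden("xyz"));
  console.log(String(makeOriginal("plain")));
}
```

Running it under `jsc` or `node` should print `{ converted: 'abc9', fieldValue: 4 }`, `override:xyz` and `plain`; any other output, or a crash, indicates the structure speculation and the ToString lowering disagree about what a StringObject is.
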
2610 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2611
2612         [JSC] Add generateHeapSnapshotForGCDebugging function to dump GCDebugging data
2613         https://bugs.webkit.org/show_bug.cgi?id=193526
2614
2615         Reviewed by Michael Saboff.
2616
2617         This patch adds generateHeapSnapshotForGCDebugging to JSC shell to dump heap snapshot JSON string with GCDebugging option.
2618         GCDebuggingSnapshot mode is slightly different from InspectorSnapshot in terms of both the output data and the behavior.
2619         It always takes a full snapshot, and it reports internal data too. This is useful to view the live heap objects after running
2620         the code. Also, generateHeapSnapshotForGCDebugging returns String instead of parsing it to JSObject internally by calling
2621         JSON.parse. If we convert the String to a bunch of objects by using JSON.parse, it is difficult to call generateHeapSnapshotForGCDebugging
2622         multiple times for debugging. Currently, it only generates a large string, which is easily distinguishable in the heap inspector tool.
2623
2624         * jsc.cpp:
2625         (GlobalObject::finishCreation):
2626         (functionGenerateHeapSnapshotForGCDebugging):
2627
2628 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2629
2630         [JSC] ToThis omission in DFGByteCodeParser is wrong
2631         https://bugs.webkit.org/show_bug.cgi?id=193513
2632         <rdar://problem/45842236>
2633
2634         Reviewed by Saam Barati.
2635
2636         DFGByteCodeParser omitted the ToThis node when we have `ToThis(ToThis(value))`. This is wrong when ToThis has different semantics
2637         in sloppy mode and strict mode. If we convert `ToThisInSloppyMode(ToThisInStrictMode(boolean))` to `ToThisInStrictMode(boolean)`,
2638         we get a boolean instead of a BooleanObject.
2639
2640         This optimization was introduced more than 7 years ago, and since then we have added several optimizations that can remove such ToThis nodes
2641         in BytecodeParser, AI, and Fixup. Furthermore, this optimization is simply wrong since the `toThis()` function of a JSCell can be defined
2642         however its implementer wants. Before ensuring that every toThis function is safe, we should not fold `ToThis(ToThis(value))` => `ToThis(value)`.
2643         This patch just removes the problematic optimization. The performance numbers look neutral.
2644
2645         * dfg/DFGAbstractInterpreterInlines.h:
2646         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2647         * dfg/DFGByteCodeParser.cpp:
2648         (JSC::DFG::ByteCodeParser::parseBlock):
2649
2650 2019-01-16  Mark Lam  <mark.lam@apple.com>
2651
2652         Refactor new bytecode structs so that the fields are prefixed with "m_".
2653         https://bugs.webkit.org/show_bug.cgi?id=193467
2654
2655         Reviewed by Saam Barati and Tadeu Zagallo.
2656
2657         This makes it easier to do a manual audit of type correctness of the LLInt
2658         instructions used to access these fields.  Without this change, it would be
2659         difficult (and error prone) to distinguish between field names and
2660         macro variables.  This audit will be done after this patch lands.
2661
2662         * bytecode/BytecodeGeneratorification.cpp:
2663         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2664         * bytecode/BytecodeUseDef.h:
2665         (JSC::computeUsesForBytecodeOffset):
2666         * bytecode/CallLinkStatus.cpp:
2667         (JSC::CallLinkStatus::computeFromLLInt):
2668         * bytecode/CodeBlock.cpp:
2669         (JSC::CodeBlock::finishCreation):
2670         (JSC::CodeBlock::propagateTransitions):
2671         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2672         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
2673         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2674         (JSC::CodeBlock::getArrayProfile):
2675         (JSC::CodeBlock::notifyLexicalBindingShadowing):
2676         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2677         (JSC::CodeBlock::arithProfileForPC):
2678         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2679         * bytecode/CodeBlockInlines.h:
2680         (JSC::CodeBlock::forEachValueProfile):
2681         (JSC::CodeBlock::forEachArrayProfile):
2682         (JSC::CodeBlock::forEachArrayAllocationProfile):
2683         (JSC::CodeBlock::forEachObjectAllocationProfile):
2684         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2685         * bytecode/GetByIdStatus.cpp:
2686         (JSC::GetByIdStatus::computeFromLLInt):
2687         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2688         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2689         * bytecode/PreciseJumpTargetsInlines.h:
2690         (JSC::jumpTargetForInstruction):
2691         (JSC::extractStoredJumpTargetsForInstruction):
2692         (JSC::updateStoredJumpTargetsForInstruction):
2693         * bytecode/PutByIdStatus.cpp:
2694         (JSC::PutByIdStatus::computeFromLLInt):
2695         * bytecode/UnlinkedCodeBlock.cpp:
2696         (JSC::dumpLineColumnEntry):
2697         * bytecompiler/BytecodeGenerator.cpp:
2698         (JSC::BytecodeGenerator::fuseCompareAndJump):
2699         (JSC::BytecodeGenerator::fuseTestAndJmp):
2700         (JSC::BytecodeGenerator::emitEqualityOp):
2701         (JSC::BytecodeGenerator::endSwitch):
2702         (JSC::StructureForInContext::finalize):
2703         * dfg/DFGByteCodeParser.cpp:
2704         (JSC::DFG::ByteCodeParser::handleCall):
2705         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2706         (JSC::DFG::ByteCodeParser::parseGetById):
2707         (JSC::DFG::ByteCodeParser::parseBlock):
2708         (JSC::DFG::ByteCodeParser::handlePutByVal):
2709         (JSC::DFG::ByteCodeParser::handlePutAccessorById):
2710         (JSC::DFG::ByteCodeParser::handlePutAccessorByVal):
2711         (JSC::DFG::ByteCodeParser::handleNewFunc):
2712         (JSC::DFG::ByteCodeParser::handleNewFuncExp):
2713         * dfg/DFGOSREntry.cpp:
2714         (JSC::DFG::prepareCatchOSREntry):
2715         * ftl/FTLOperations.cpp:
2716         (JSC::FTL::operationMaterializeObjectInOSR):
2717         * generator/Argument.rb:
2718         * generator/Metadata.rb:
2719         * generator/Opcode.rb:
2720         * jit/JIT.h:
2721         * jit/JITArithmetic.cpp:
2722         (JSC::JIT::emit_op_unsigned):
2723         (JSC::JIT::emit_compareAndJump):
2724         (JSC::JIT::emit_compareUnsignedAndJump):
2725         (JSC::JIT::emit_compareUnsigned):
2726         (JSC::JIT::emit_compareAndJumpSlow):
2727         (JSC::JIT::emit_op_inc):
2728         (JSC::JIT::emit_op_dec):
2729         (JSC::JIT::emit_op_mod):
2730         (JSC::JIT::emit_op_negate):
2731         (JSC::JIT::emitBitBinaryOpFastPath):
2732         (JSC::JIT::emit_op_bitnot):
2733         (JSC::JIT::emitRightShiftFastPath):
2734         (JSC::JIT::emit_op_add):
2735         (JSC::JIT::emitMathICFast):
2736         (JSC::JIT::emitMathICSlow):
2737         (JSC::JIT::emit_op_div):
2738         (JSC::JIT::emit_op_mul):
2739         (JSC::JIT::emit_op_sub):
2740         * jit/JITArithmetic32_64.cpp:
2741         (JSC::JIT::emit_compareAndJump):
2742         (JSC::JIT::emit_compareUnsignedAndJump):
2743         (JSC::JIT::emit_compareUnsigned):
2744         (JSC::JIT::emit_compareAndJumpSlow):
2745         (JSC::JIT::emit_op_unsigned):
2746         (JSC::JIT::emit_op_inc):
2747         (JSC::JIT::emit_op_dec):
2748         (JSC::JIT::emitBinaryDoubleOp):
2749         (JSC::JIT::emit_op_mod):
2750         * jit/JITCall.cpp:
2751         (JSC::JIT::emitPutCallResult):
2752         (JSC::JIT::compileSetupFrame):
2753         (JSC::JIT::compileCallEvalSlowCase):
2754         (JSC::JIT::compileTailCall):
2755         (JSC::JIT::compileOpCall):
2756         * jit/JITCall32_64.cpp:
2757         (JSC::JIT::emitPutCallResult):
2758         (JSC::JIT::emit_op_ret):
2759         (JSC::JIT::compileSetupFrame):
2760         (JSC::JIT::compileCallEvalSlowCase):
2761         (JSC::JIT::compileOpCall):
2762         * jit/JITInlines.h:
2763         (JSC::JIT::emitValueProfilingSiteIfProfiledOpcode):
2764         (JSC::JIT::emitValueProfilingSite):
2765         (JSC::JIT::copiedGetPutInfo):
2766         (JSC::JIT::copiedArithProfile):
2767         * jit/JITOpcodes.cpp:
2768         (JSC::JIT::emit_op_mov):
2769         (JSC::JIT::emit_op_end):
2770         (JSC::JIT::emit_op_jmp):
2771         (JSC::JIT::emit_op_new_object):
2772         (JSC::JIT::emitSlow_op_new_object):
2773         (JSC::JIT::emit_op_overrides_has_instance):
2774         (JSC::JIT::emit_op_instanceof):
2775         (JSC::JIT::emitSlow_op_instanceof):
2776         (JSC::JIT::emit_op_is_empty):
2777         (JSC::JIT::emit_op_is_undefined):
2778         (JSC::JIT::emit_op_is_undefined_or_null):
2779         (JSC::JIT::emit_op_is_boolean):
2780         (JSC::JIT::emit_op_is_number):
2781         (JSC::JIT::emit_op_is_cell_with_type):
2782         (JSC::JIT::emit_op_is_object):
2783         (JSC::JIT::emit_op_ret):
2784         (JSC::JIT::emit_op_to_primitive):
2785         (JSC::JIT::emit_op_set_function_name):
2786         (JSC::JIT::emit_op_not):
2787         (JSC::JIT::emit_op_jfalse):
2788         (JSC::JIT::emit_op_jeq_null):
2789         (JSC::JIT::emit_op_jneq_null):
2790         (JSC::JIT::emit_op_jneq_ptr):
2791         (JSC::JIT::emit_op_eq):
2792         (JSC::JIT::emit_op_jeq):
2793         (JSC::JIT::emit_op_jtrue):
2794         (JSC::JIT::emit_op_neq):
2795         (JSC::JIT::emit_op_jneq):
2796         (JSC::JIT::emit_op_throw):
2797         (JSC::JIT::compileOpStrictEq):
2798         (JSC::JIT::compileOpStrictEqJump):
2799         (JSC::JIT::emitSlow_op_jstricteq):
2800         (JSC::JIT::emitSlow_op_jnstricteq):
2801         (JSC::JIT::emit_op_to_number):
2802         (JSC::JIT::emit_op_to_string):
2803         (JSC::JIT::emit_op_to_object):
2804         (JSC::JIT::emit_op_catch):
2805         (JSC::JIT::emit_op_get_parent_scope):
2806         (JSC::JIT::emit_op_switch_imm):
2807         (JSC::JIT::emit_op_switch_char):
2808         (JSC::JIT::emit_op_switch_string):
2809         (JSC::JIT::emit_op_debug):
2810         (JSC::JIT::emit_op_eq_null):
2811         (JSC::JIT::emit_op_neq_null):
2812         (JSC::JIT::emit_op_get_scope):
2813         (JSC::JIT::emit_op_to_this):
2814         (JSC::JIT::emit_op_create_this):
2815         (JSC::JIT::emit_op_check_tdz):
2816         (JSC::JIT::emitSlow_op_eq):
2817         (JSC::JIT::emitSlow_op_neq):
2818         (JSC::JIT::emitSlow_op_jeq):
2819         (JSC::JIT::emitSlow_op_jneq):
2820         (JSC::JIT::emitSlow_op_instanceof_custom):
2821         (JSC::JIT::emit_op_new_regexp):
2822         (JSC::JIT::emitNewFuncCommon):
2823         (JSC::JIT::emitNewFuncExprCommon):
2824         (JSC::JIT::emit_op_new_array):
2825         (JSC::JIT::emit_op_new_array_with_size):
2826         (JSC::JIT::emit_op_has_structure_property):
2827         (JSC::JIT::emit_op_has_indexed_property):
2828         (JSC::JIT::emitSlow_op_has_indexed_property):
2829         (JSC::JIT::emit_op_get_direct_pname):
2830         (JSC::JIT::emit_op_enumerator_structure_pname):
2831         (JSC::JIT::emit_op_enumerator_generic_pname):
2832         (JSC::JIT::emit_op_profile_type):
2833         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2834         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2835         (JSC::JIT::emit_op_profile_control_flow):
2836         (JSC::JIT::emit_op_argument_count):
2837         (JSC::JIT::emit_op_get_rest_length):
2838         (JSC::JIT::emit_op_get_argument):
2839         * jit/JITOpcodes32_64.cpp:
2840         (JSC::JIT::emit_op_mov):
2841         (JSC::JIT::emit_op_end):
2842         (JSC::JIT::emit_op_jmp):
2843         (JSC::JIT::emit_op_new_object):
2844         (JSC::JIT::emitSlow_op_new_object):
2845         (JSC::JIT::emit_op_overrides_has_instance):
2846         (JSC::JIT::emit_op_instanceof):
2847         (JSC::JIT::emitSlow_op_instanceof):
2848         (JSC::JIT::emitSlow_op_instanceof_custom):
2849         (JSC::JIT::emit_op_is_empty):
2850         (JSC::JIT::emit_op_is_undefined):
2851         (JSC::JIT::emit_op_is_undefined_or_null):
2852         (JSC::JIT::emit_op_is_boolean):
2853         (JSC::JIT::emit_op_is_number):
2854         (JSC::JIT::emit_op_is_cell_with_type):
2855         (JSC::JIT::emit_op_is_object):
2856         (JSC::JIT::emit_op_to_primitive):
2857         (JSC::JIT::emit_op_set_function_name):
2858         (JSC::JIT::emit_op_not):
2859         (JSC::JIT::emit_op_jfalse):
2860         (JSC::JIT::emit_op_jtrue):
2861         (JSC::JIT::emit_op_jeq_null):
2862         (JSC::JIT::emit_op_jneq_null):
2863         (JSC::JIT::emit_op_jneq_ptr):
2864         (JSC::JIT::emit_op_eq):
2865         (JSC::JIT::emitSlow_op_eq):
2866         (JSC::JIT::emit_op_jeq):
2867         (JSC::JIT::emitSlow_op_jeq):
2868         (JSC::JIT::emit_op_neq):
2869         (JSC::JIT::emitSlow_op_neq):
2870         (JSC::JIT::emit_op_jneq):
2871         (JSC::JIT::emitSlow_op_jneq):
2872         (JSC::JIT::compileOpStrictEq):
2873         (JSC::JIT::compileOpStrictEqJump):
2874         (JSC::JIT::emitSlow_op_jstricteq):
2875         (JSC::JIT::emitSlow_op_jnstricteq):
2876         (JSC::JIT::emit_op_eq_null):
2877         (JSC::JIT::emit_op_neq_null):
2878         (JSC::JIT::emit_op_throw):
2879         (JSC::JIT::emit_op_to_number):
2880         (JSC::JIT::emit_op_to_string):
2881         (JSC::JIT::emit_op_to_object):
2882         (JSC::JIT::emit_op_catch):
2883         (JSC::JIT::emit_op_get_parent_scope):
2884         (JSC::JIT::emit_op_switch_imm):
2885         (JSC::JIT::emit_op_switch_char):
2886         (JSC::JIT::emit_op_switch_string):
2887         (JSC::JIT::emit_op_debug):
2888         (JSC::JIT::emit_op_get_scope):
2889         (JSC::JIT::emit_op_create_this):
2890         (JSC::JIT::emit_op_to_this):
2891         (JSC::JIT::emit_op_check_tdz):
2892         (JSC::JIT::emit_op_has_structure_property):
2893         (JSC::JIT::emit_op_has_indexed_property):
2894         (JSC::JIT::emitSlow_op_has_indexed_property):
2895         (JSC::JIT::emit_op_get_direct_pname):
2896         (JSC::JIT::emit_op_enumerator_structure_pname):
2897         (JSC::JIT::emit_op_enumerator_generic_pname):
2898         (JSC::JIT::emit_op_profile_type):
2899         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2900         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2901         * jit/JITOperations.cpp:
2902         * jit/JITPropertyAccess.cpp:
2903         (JSC::JIT::emit_op_get_by_val):
2904         (JSC::JIT::emitGetByValWithCachedId):
2905         (JSC::JIT::emitSlow_op_get_by_val):
2906         (JSC::JIT::emit_op_put_by_val):
2907         (JSC::JIT::emitGenericContiguousPutByVal):
2908         (JSC::JIT::emitArrayStoragePutByVal):
2909         (JSC::JIT::emitPutByValWithCachedId):
2910         (JSC::JIT::emitSlow_op_put_by_val):
2911         (JSC::JIT::emit_op_put_getter_by_id):
2912         (JSC::JIT::emit_op_put_setter_by_id):
2913         (JSC::JIT::emit_op_put_getter_setter_by_id):
2914         (JSC::JIT::emit_op_put_getter_by_val):
2915         (JSC::JIT::emit_op_put_setter_by_val):
2916         (JSC::JIT::emit_op_del_by_id):
2917         (JSC::JIT::emit_op_del_by_val):
2918         (JSC::JIT::emit_op_try_get_by_id):
2919         (JSC::JIT::emitSlow_op_try_get_by_id):
2920         (JSC::JIT::emit_op_get_by_id_direct):
2921         (JSC::JIT::emitSlow_op_get_by_id_direct):
2922         (JSC::JIT::emit_op_get_by_id):
2923         (JSC::JIT::emit_op_get_by_id_with_this):
2924         (JSC::JIT::emitSlow_op_get_by_id):
2925         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2926         (JSC::JIT::emit_op_put_by_id):
2927         (JSC::JIT::emitSlow_op_put_by_id):
2928         (JSC::JIT::emit_op_in_by_id):
2929         (JSC::JIT::emitSlow_op_in_by_id):
2930         (JSC::JIT::emit_op_resolve_scope):
2931         (JSC::JIT::emit_op_get_from_scope):
2932         (JSC::JIT::emitSlow_op_get_from_scope):
2933         (JSC::JIT::emit_op_put_to_scope):
2934         (JSC::JIT::emit_op_get_from_arguments):
2935         (JSC::JIT::emit_op_put_to_arguments):
2936         (JSC::JIT::emitIntTypedArrayPutByVal):
2937         (JSC::JIT::emitFloatTypedArrayPutByVal):
2938         * jit/JITPropertyAccess32_64.cpp:
2939         (JSC::JIT::emit_op_put_getter_by_id):
2940         (JSC::JIT::emit_op_put_setter_by_id):
2941         (JSC::JIT::emit_op_put_getter_setter_by_id):
2942         (JSC::JIT::emit_op_put_getter_by_val):
2943         (JSC::JIT::emit_op_put_setter_by_val):
2944         (JSC::JIT::emit_op_del_by_id):
2945         (JSC::JIT::emit_op_del_by_val):
2946         (JSC::JIT::emit_op_get_by_val):
2947         (JSC::JIT::emitGetByValWithCachedId):
2948         (JSC::JIT::emitSlow_op_get_by_val):
2949         (JSC::JIT::emit_op_put_by_val):
2950         (JSC::JIT::emitGenericContiguousPutByVal):
2951         (JSC::JIT::emitArrayStoragePutByVal):
2952         (JSC::JIT::emitPutByValWithCachedId):
2953         (JSC::JIT::emitSlow_op_put_by_val):
2954         (JSC::JIT::emit_op_try_get_by_id):
2955         (JSC::JIT::emitSlow_op_try_get_by_id):
2956         (JSC::JIT::emit_op_get_by_id_direct):
2957         (JSC::JIT::emitSlow_op_get_by_id_direct):
2958         (JSC::JIT::emit_op_get_by_id):
2959         (JSC::JIT::emitSlow_op_get_by_id):
2960         (JSC::JIT::emit_op_get_by_id_with_this):
2961         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2962         (JSC::JIT::emit_op_put_by_id):
2963         (JSC::JIT::emitSlow_op_put_by_id):
2964         (JSC::JIT::emit_op_in_by_id):
2965         (JSC::JIT::emitSlow_op_in_by_id):
2966         (JSC::JIT::emit_op_resolve_scope):
2967         (JSC::JIT::emit_op_get_from_scope):
2968         (JSC::JIT::emitSlow_op_get_from_scope):
2969         (JSC::JIT::emit_op_put_to_scope):
2970         (JSC::JIT::emit_op_get_from_arguments):
2971         (JSC::JIT::emit_op_put_to_arguments):
2972         * llint/LLIntSlowPaths.cpp:
2973         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2974         (JSC::LLInt::setupGetByIdPrototypeCache):
2975         (JSC::LLInt::getByVal):
2976         (JSC::LLInt::genericCall):
2977         (JSC::LLInt::varargsSetup):
2978         (JSC::LLInt::commonCallEval):
2979         * llint/LowLevelInterpreter.asm:
2980         * llint/LowLevelInterpreter32_64.asm:
2981         * llint/LowLevelInterpreter64.asm:
2982         * runtime/CommonSlowPaths.cpp:
2983         (JSC::SLOW_PATH_DECL):
2984         (JSC::updateArithProfileForUnaryArithOp):
2985         * runtime/CommonSlowPaths.h:
2986         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2987         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2988
2989 2019-01-15  Mark Lam  <mark.lam@apple.com>
2990
2991         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2992         https://bugs.webkit.org/show_bug.cgi?id=193423
2993         <rdar://problem/46209355>
2994
2995         Reviewed by Saam Barati.
2996
2997         JSFunction::canUseAllocationProfile() should return false for most builtins
2998         because the majority of them have no prototype property.  The only exception to
2999         this is the few builtin functions that are explicitly used as constructors.
3000
3001         For these builtin constructors, JSFunction::canUseAllocationProfile() should also
3002         return false if the prototype property is a getter or custom getter because
3003         getting the prototype would then be effectful.
3004
3005         * dfg/DFGOperations.cpp:
3006         * runtime/CommonSlowPaths.cpp:
3007         (JSC::SLOW_PATH_DECL):
3008         * runtime/JSFunctionInlines.h:
3009         (JSC::JSFunction::canUseAllocationProfile):
3010         * runtime/PropertySlot.h:
3011
3012 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3013
3014         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
3015         https://bugs.webkit.org/show_bug.cgi?id=193438
3016         <rdar://problem/45581249>
3017
3018         Reviewed by Saam Barati and Keith Miller.
3019
3020         GetByVal(Array::String) emits Check(String) before it. But AI can broaden the type constraint in the second run.
3021         After the first run removes Check(String), it can happen that AI starts saying the type of the 1st child is not String.
3022         To claim that it *is* a String type, we should use KnownStringUse here.
3023
3024         * dfg/DFGFixupPhase.cpp:
3025         (JSC::DFG::FixupPhase::fixupNode): StringCharAt and GetByVal(Array::String) share the underlying compiler code. We should
3026         change StringUse => KnownStringUse for StringCharAt too. And StringCharAt and StringCharCodeAt potentially have the same
3027         problem. This patch fixes it too.
3028         * dfg/DFGSSALoweringPhase.cpp:
3029         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
3030         * ftl/FTLLowerDFGToB3.cpp:
3031         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3032         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
3033
3034 2019-01-15  Saam Barati  <sbarati@apple.com>
3035
3036         Try ripping out inferred types because it might be a performance improvement
3037         https://bugs.webkit.org/show_bug.cgi?id=190906
3038
3039         Reviewed by Yusuke Suzuki.
3040
3041         This patch removes inferred types from JSC. Initial evidence shows that
3042         this might be around a ~1% speedup on Speedometer2 and JetStream2.
3043
3044         * JavaScriptCore.xcodeproj/project.pbxproj:
3045         * Sources.txt:
3046         * bytecode/AccessCase.cpp:
3047         (JSC::AccessCase::generateImpl):
3048         * bytecode/Fits.h:
3049         * bytecode/PutByIdFlags.cpp:
3050         (WTF::printInternal):
3051         * bytecode/PutByIdFlags.h:
3052         * bytecode/PutByIdStatus.cpp:
3053         (JSC::PutByIdStatus::computeFromLLInt):
3054         (JSC::PutByIdStatus::computeForStubInfo):
3055         (JSC::PutByIdStatus::computeFor):
3056         * bytecode/PutByIdVariant.cpp:
3057         (JSC::PutByIdVariant::operator=):
3058         (JSC::PutByIdVariant::replace):
3059         (JSC::PutByIdVariant::transition):
3060         (JSC::PutByIdVariant::setter):
3061         (JSC::PutByIdVariant::attemptToMerge):
3062         (JSC::PutByIdVariant::dumpInContext const):
3063         * bytecode/PutByIdVariant.h:
3064         (JSC::PutByIdVariant::requiredType const): Deleted.
3065         * dfg/DFGAbstractInterpreterInlines.h:
3066         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3067         * dfg/DFGAbstractValue.cpp:
3068         (JSC::DFG::AbstractValue::isType const): Deleted.
3069         * dfg/DFGAbstractValue.h:
3070         * dfg/DFGByteCodeParser.cpp:
3071         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3072         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3073         (JSC::DFG::ByteCodeParser::load):
3074         (JSC::DFG::ByteCodeParser::store):
3075         (JSC::DFG::ByteCodeParser::handlePutById):
3076         (JSC::DFG::ByteCodeParser::parseBlock):
3077         * dfg/DFGConstantFoldingPhase.cpp:
3078         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3079         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3080         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3081         * dfg/DFGDesiredInferredType.h: Removed.
3082         * dfg/DFGDesiredWatchpoints.cpp:
3083         (JSC::DFG::DesiredWatchpoints::reallyAdd):
3084         (JSC::DFG::DesiredWatchpoints::areStillValid const):
3085         (JSC::DFG::DesiredWatchpoints::dumpInContext const):
3086         (JSC::DFG::InferredTypeAdaptor::add): Deleted.
3087         * dfg/DFGDesiredWatchpoints.h:
3088         (JSC::DFG::DesiredWatchpoints::isWatched):
3089         (JSC::DFG::InferredTypeAdaptor::hasBeenInvalidated): Deleted.
3090         (JSC::DFG::InferredTypeAdaptor::dumpInContext): Deleted.
3091         * dfg/DFGFixupPhase.cpp:
3092         (JSC::DFG::FixupPhase::fixupNode):
3093         * dfg/DFGGraph.cpp:
3094         (JSC::DFG::Graph::dump):
3095         (JSC::DFG::Graph::inferredValueForProperty):
3096         (JSC::DFG::Graph::inferredTypeFor): Deleted.
3097         * dfg/DFGGraph.h:
3098         (JSC::DFG::Graph::registerInferredType): Deleted.
3099         (JSC::DFG::Graph::inferredTypeForProperty): Deleted.
3100         * dfg/DFGInferredTypeCheck.cpp: Removed.
3101         * dfg/DFGInferredTypeCheck.h: Removed.
3102         * dfg/DFGNode.h:
3103         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3104         * dfg/DFGSafeToExecute.h:
3105         (JSC::DFG::safeToExecute):
3106         * ftl/FTLLowerDFGToB3.cpp:
3107         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3108         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType): Deleted.
3109         * generator/DSL.rb:
3110         * heap/Heap.cpp:
3111         (JSC::Heap::finalizeUnconditionalFinalizers):
3112         * jit/AssemblyHelpers.cpp:
3113         (JSC::AssemblyHelpers::branchIfNotType): Deleted.
3114         * jit/AssemblyHelpers.h:
3115         * jit/Repatch.cpp:
3116         (JSC::tryCachePutByID):
3117         * llint/LLIntOffsetsExtractor.cpp:
3118         * llint/LLIntSlowPaths.cpp:
3119         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3120         * llint/LowLevelInterpreter.asm:
3121         * llint/LowLevelInterpreter32_64.asm:
3122         * llint/LowLevelInterpreter64.asm:
3123         * runtime/InferredStructure.cpp:
3124         (JSC::InferredStructure::InferredStructure): Deleted.
3125         * runtime/InferredStructure.h:
3126         (): Deleted.
3127         * runtime/InferredStructureWatchpoint.cpp:
3128         (JSC::InferredStructureWatchpoint::fireInternal): Deleted.
3129         * runtime/InferredType.cpp: Removed.
3130         * runtime/InferredType.h: Removed.
3131         * runtime/InferredTypeInlines.h: Removed.
3132         * runtime/InferredTypeTable.cpp: Removed.
3133         * runtime/InferredTypeTable.h: Removed.
3134         * runtime/JSObjectInlines.h:
3135         (JSC::JSObject::putDirectInternal):
3136         * runtime/Structure.cpp:
3137         (JSC::Structure::materializePropertyTable):
3138         (JSC::Structure::addNewPropertyTransition):
3139         (JSC::Structure::removePropertyTransition):
3140         (JSC::Structure::willStoreValueSlow):
3141         (JSC::Structure::visitChildren):
3142         * runtime/Structure.h:
3143         (JSC::PropertyMapEntry::PropertyMapEntry):
3144         * runtime/StructureInlines.h:
3145         (JSC::Structure::get):
3146         * runtime/VM.cpp:
3147         (JSC::VM::VM):
3148         * runtime/VM.h:
3149
3150 2019-01-15  Tomas Popela  <tpopela@redhat.com>
3151
3152         Unreviewed: Fix the -Wformat compiler warnings
3153
3154         * jsc.cpp:
3155         (jscmain):
3156
3157 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
3158
3159         DFGByteCodeParser rules for bitwise operations should consider type of their operands
3160         https://bugs.webkit.org/show_bug.cgi?id=192966
3161
3162         Reviewed by Yusuke Suzuki.
3163
3164         This patch changes the logic of how we lower bitwise operations, to
3165         consider only the type of the input nodes and fix them up during FixupPhase,
3166         if necessary. We are also changing the prediction propagation rules
3167         for ValueBitOp to use `getHeapPrediction()`.
3168
3169         * dfg/DFGBackwardsPropagationPhase.cpp:
3170         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
3171         (JSC::DFG::BackwardsPropagationPhase::propagate):
3172         * dfg/DFGByteCodeParser.cpp:
3173         (JSC::DFG::ByteCodeParser::parseBlock):
3174         * dfg/DFGFixupPhase.cpp:
3175         (JSC::DFG::FixupPhase::fixupNode):
3176         * dfg/DFGNode.h:
3177         (JSC::DFG::Node::hasInt32Result):
3178         (JSC::DFG::Node::hasNumberOrAnyIntResult):
3179         (JSC::DFG::Node::hasHeapPrediction):
3180         * dfg/DFGPredictionPropagationPhase.cpp:
3181
3182 2019-01-15  Joseph Pecoraro  <pecoraro@apple.com>
3183
3184         Web Inspector: Generate the DOMDebugger domain for Augmenting Agents (ObjC protocol)
3185         https://bugs.webkit.org/show_bug.cgi?id=193409
3186         <rdar://problem/44349411>
3187
3188         Reviewed by Devin Rousso.
3189
3190         * inspector/scripts/codegen/objc_generator.py:
3191         (ObjCGenerator):
3192         Generate DOMDebugger domain ObjC interfaces.
3193
3194 2019-01-15  Devin Rousso  <drousso@apple.com>
3195
3196         Web Inspector: Audit: create new IDL type for exposing special functionality in test context
3197         https://bugs.webkit.org/show_bug.cgi?id=193149
3198         <rdar://problem/46801218>
3199
3200         Reviewed by Joseph Pecoraro.
3201
3202         Create a new `AuditAgent` (and various subclasses for different inspection targets).
3203
3204         * inspector/protocol/Audit.json: Added.
3205         Add a `run` command that is a simpler version of `Runtime.evaluate`, except that it expects
3206         a function string instead of an arbitrary JavaScript expression.
3207         Add `setup` and `teardown` commands that create a JavaScript object that will be passed in
3208         to the test as an argument. Keep this object alive so that tests can add to the object and
3209         have later tests use what was added.
3210
3211         * inspector/agents/InspectorAuditAgent.h: Added.
3212         * inspector/agents/InspectorAuditAgent.cpp: Added.
3213         (Inspector::InspectorAuditAgent::InspectorAuditAgent):
3214         (Inspector::InspectorAuditAgent::didCreateFrontendAndBackend):
3215         (Inspector::InspectorAuditAgent::willDestroyFrontendAndBackend):
3216         (Inspector::InspectorAuditAgent::setup):
3217         (Inspector::InspectorAuditAgent::run):
3218         (Inspector::InspectorAuditAgent::teardown):
3219         (Inspector::InspectorAuditAgent::hasActiveAudit):
3220         (Inspector::InspectorAuditAgent::populateAuditObject):
3221
3222         * inspector/agents/JSGlobalObjectAuditAgent.h: Added.
3223         * inspector/agents/JSGlobalObjectAuditAgent.cpp: Added.
3224         (Inspector::JSGlobalObjectAuditAgent::JSGlobalObjectAuditAgent):
3225         (Inspector::JSGlobalObjectAuditAgent::injectedScriptForEval):
3226
3227         * inspector/JSGlobalObjectInspectorController.h:
3228         * inspector/JSGlobalObjectInspectorController.cpp:
3229         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3230         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3231         (Inspector::JSGlobalObjectInspectorController::jsAgentContext): Added.
3232         (Inspector::JSGlobalObjectInspectorController::createLazyAgents): Added.
3233
3234         * inspector/InjectedScript.h:
3235         * inspector/InjectedScript.cpp:
3236         (Inspector::InjectedScript::execute): Added.
3237         (Inspector::InjectedScript::arrayFromVector): Added.
3238         Create a version of `evaluate` that accepts a list of values to be passed in as arguments
3239         to the function that was created by the `eval` of the given `functionString`.
3240
3241         * inspector/InjectedScriptSource.js:
3242         (InjectedScript.prototype.execute): Added.
3243         (InjectedScript.prototype.evaluate):
3244         (InjectedScript.prototype.evaluateOnCallFrame):
3245         (InjectedScript.prototype._evaluateAndWrap):
3246         (InjectedScript.prototype._wrapAndSaveCall): Added.
3247         (InjectedScript.prototype._wrapCall): Added.
3248         (InjectedScript.prototype._evaluateOn):
3249         Refactor the `eval` and `saveResult` logic to allow for more flexibility for other callers.
3250
3251         * CMakeLists.txt:
3252         * DerivedSources-input.xcfilelist:
3253         * DerivedSources.make:
3254         * JavaScriptCore.xcodeproj/project.pbxproj:
3255         * Sources.txt:
3256         * UnifiedSources-input.xcfilelist:
3257
3258 2019-01-14  Michael Saboff  <msaboff@apple.com>
3259
3260         Add option to JSC to dump memory footprint on script completion
3261         https://bugs.webkit.org/show_bug.cgi?id=193422
3262
3263         Reviewed by Mark Lam.
3264
3265         Added the --footprint option to dump peak and current memory usage.  This uses the same
3266         OS calls added in r2362362.
3267
3268         * jsc.cpp:
3269         (printUsageStatement):
3270         (CommandLine::parseArguments):
3271         (jscmain):
3272
3273 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3274
3275         [JSC] AI should check the given constant's array type when folding GetByVal into constant
3276         https://bugs.webkit.org/show_bug.cgi?id=193413
3277         <rdar://problem/46092389>
3278
3279         Reviewed by Keith Miller.
3280
3281         If GetByVal's DFG::ArrayMode's type is Array::Double, we expect that the result of GetByVal is Double, since we already performed CheckStructure or CheckArray
3282         to ensure this array type. But this assumption on the given value becomes wrong in AI, since CheckStructure may not perform filtering. And the proven AbstractValue
3283         in GetByVal would not be the expected one.
3284
3285         We have the graph before performing constant folding.
3286
3287         53:<!0:->     GetLocal(Check:Untyped:@77, JS|MustGen|UseAsOther, Array, arg2(C<Array>/FlushedCell), R:Stack(7), bc#37, ExitValid)  predicting Array
3288         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
3289         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
3290         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
3291         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
3292
3293         And 53 is converted to JSConstant in the constant folding. It leads to a constant folding attempt in GetByVal.
3294
3295         53:< 1:->     JSConstant(JS|UseAsOther, Array, Weak:Object: 0x117fb4370 with butterfly 0x8000e4050 (Structure %BV:Array), StructureID: 104, bc#37, ExitValid)
3296         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
3297         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
3298         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
3299         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
3300
3301         GetByVal gets the constant Array from @53, and attempts to perform constant folding by leveraging the CoW state: if the given array's butterfly is CoW and we performed a CoW array check for this GetByVal, the array would not be changed as long as the check works.
3302         However, CheckStructure for @53 does not filter anything at AI. So, if @53 is a CopyOnWrite | Contiguous array (not a CopyOnWrite | Double array!), GetByVal will get a JSValue. But it does not meet the requirement of GetByVal since it has Double Array mode, and says it returns Double.
3303         Here, CheckStructure is valid because the structure of the constant object would be changed. What we should do is an additional CoW & ArrayShape check in GetByVal when folding, since this node leverages CoW's interesting feature:
3304         "If a CoW array check (CheckStructure etc.) is emitted by GetByVal's DFG::ArrayMode, the content is not changed from the creation!".
3305
3306         This patch adds ArrayShape check in addition to CoW status check in GetByVal.
3307
3308         Unfortunately, this crash is very flaky. In the above case, if @53 stays GetLocal after the constant folding phase, this issue does not occur. We can see this crash in r238109, but it is really hard to reproduce it in the current ToT.
3309         I verified this fix works in r238109 with the attached test.
3310
3311         * dfg/DFGAbstractInterpreterInlines.h:
3312         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3313         * dfg/DFGAbstractValue.cpp: