[JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
        https://bugs.webkit.org/show_bug.cgi?id=202072

        Reviewed by Mark Lam.

        Inline doubleToStrictInt52 in FTL since it is a very simple function.
        This change improves JetStream2/stanford-crypto-sha256 by ~5%.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::doubleToInt64):
        * ftl/FTLOutput.h:

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up change after r250198
        https://bugs.webkit.org/show_bug.cgi?id=201633

        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt16):

2019-09-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function
        https://bugs.webkit.org/show_bug.cgi?id=201633

        Reviewed by Mark Lam.

        Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code sees the uint32_t type.
        In JS, we handle Int32 well, but if the value exceeds the Int32 range (like, using 0xffffffff), we use Int52 instead so as not to fall back to Double.

        The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each
        of them emits an OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which
        can be seen if an OSR exit occurs.

        In this patch, we perform strength-reduction for CheckAdd, converting it to Add. We already have such a thing. But the existing one does not handle well the
        instructions emitted when Int52 is used.

        When Int52 is used, we typically have a sequence like,

            Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64
            Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52

        While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 while it is very easy.
        This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis.
        This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit.
        We can see ~5% improvement in JetStream2/async-fs.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.h:
        (int16Operands):
        (int8Operands):
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt8):
        (testCheckAddRemoveCheckWithSExt16):
        (testCheckAddRemoveCheckWithSExt32):
        (testCheckAddRemoveCheckWithZExt32):

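As an added illustration of the integer-range reasoning the entry above describes (this is model code written for this page, not B3ReduceStrength itself), the block below bounds SExt/ZExt results, widens the bound through a constant Shl, and decides whether a CheckAdd over two such Int52 values can be reduced to a plain Add. The IntRange type and function names are this example's own.

```cpp
// Added example, not JSC's B3 code: a tiny integer-range model of the
// SExt/ZExt/Shl handling and the CheckAdd -> Add reduction described above.
#include <cstdint>
#include <limits>

namespace RangeModel {

struct IntRange {
    int64_t min;
    int64_t max;
};

// A value about which nothing is known: the full Int64 range.
constexpr IntRange top() {
    return { std::numeric_limits<int64_t>::min(), std::numeric_limits<int64_t>::max() };
}

// SExt8 / SExt16 / SExt32: the result is bounded by the signed range of the
// source width, whatever the source bits were. This is the handling the patch adds.
constexpr IntRange sExt(unsigned sourceBits) {
    return { -(int64_t(1) << (sourceBits - 1)), (int64_t(1) << (sourceBits - 1)) - 1 };
}

// ZExt32: the result is a non-negative 32-bit quantity.
constexpr IntRange zExt32() {
    return { 0, static_cast<int64_t>(std::numeric_limits<uint32_t>::max()) };
}

// Shl by a constant: scale both bounds, but only when neither one overflows
// Int64; otherwise the result is unknown. Multiplication is used instead of a
// left shift so that negative bounds stay well defined.
inline IntRange shl(IntRange r, unsigned shift) {
    if (shift >= 63)
        return top();
    const int64_t scale = int64_t(1) << shift;
    const int64_t maxAllowed = std::numeric_limits<int64_t>::max() / scale;
    const int64_t minAllowed = std::numeric_limits<int64_t>::min() / scale;
    if (r.max > maxAllowed || r.min < minAllowed)
        return top();
    return { r.min * scale, r.max * scale };
}

// CheckAdd(a, b) may become Add when both extreme sums fit in Int64, because
// then no input can make the addition overflow and the OSR exit is dead.
inline bool addCannotOverflow(IntRange a, IntRange b) {
    int64_t lo, hi;
    return !__builtin_add_overflow(a.min, b.min, &lo)
        && !__builtin_add_overflow(a.max, b.max, &hi);
}

// The sequence quoted in the entry: @78 = SExt32(@73); @81 = Shl(@78, 12).
// The Int32 range shifted left by 12 is exactly the Int52 representation.
inline IntRange int52FromInt32() { return shl(sExt(32), 12); }

// CheckAdd of two Int52s produced that way: provably safe, so the check goes.
inline bool checkAddOfTwoInt52sIsRemovable() {
    return addCannotOverflow(int52FromInt32(), int52FromInt32());
}

// Without the SExt32 bound, the operands are unknown and the check must stay.
inline bool checkAddOfUnknownsIsRemovable() { return addCannotOverflow(top(), top()); }

} // namespace RangeModel
```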
2019-09-21  Mark Lam  <mark.lam@apple.com>

        Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage.
        https://bugs.webkit.org/show_bug.cgi?id=202082

        Reviewed by Tadeu Zagallo.

        They are not being caged anyway.

        * runtime/DirectArguments.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/ScopedArguments.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>

        AccessCase should strongly visit its dependencies while on stack
        https://bugs.webkit.org/show_bug.cgi?id=201986
        <rdar://problem/55521953>

        Reviewed by Saam Barati and Yusuke Suzuki.

        AccessCase::doesCalls is responsible for specifying the cells it depends on, so that
        MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However,
        it was missing most of its dependencies, which led to it being collected while on stack.
        This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js
        as the PolymorphicAccess being collected and removing its exception handler from the code
        block, which led to the exception propagating past the try/catch.

        In order to fix this, we abstract the dependency gathering logic from AccessCase into
        forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to
        guarantee that their implementation is consistent.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::forEachDependentCell const):
        (JSC::AccessCase::doesCalls const):
        (JSC::AccessCase::visitWeak const):
        * bytecode/AccessCase.h:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::lastSeenCallee const):
        (JSC::CallLinkInfo::haveLastSeenCallee const):
        (JSC::CallLinkInfo::lastSeenCallee): Deleted.
        (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::isDirect const):
        (JSC::CallLinkInfo::isLinked const):
        (JSC::CallLinkInfo::stub const):
        (JSC::CallLinkInfo::forEachDependentCell const):
        (JSC::CallLinkInfo::isLinked): Deleted.
        (JSC::CallLinkInfo::stub): Deleted.
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::isStillLive const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::forEachDependentCell const):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::areStillLive const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::forEachDependentCell const):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillLive const):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::forEachDependentCell const):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        * jit/PolymorphicCallStubRoutine.h:
        (JSC::PolymorphicCallStubRoutine::forEachDependentCell):

2019-09-21  David Kilzer  <ddkilzer@apple.com>

        clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore
        <https://webkit.org/b/202069>

        Reviewed by Mark Lam.

        Fix unwanted copying/ref churn of loop variables by making them
        const references.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingsNow):
        * parser/Parser.h:
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::merge):

2019-09-20  Keith Miller  <keith_miller@apple.com>

        eliding a move in Air O0 needs to mark the dest's old reg as available
        https://bugs.webkit.org/show_bug.cgi?id=202066

        Reviewed by Saam Barati.

        Also adds a new release method that handles all the invariants of
        returning a register to the available register pool.

        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
        (JSC::B3::Air::GenerateAndAllocateRegisters::release):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:

2019-09-20  Mark Lam  <mark.lam@apple.com>

        Harden assertion in StructureIDTable::get().
        https://bugs.webkit.org/show_bug.cgi?id=202067
        <rdar://problem/55577923>

        Reviewed by Keith Miller.

        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2019-09-20  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r250114.

        Broke ~16 webgpu/ tests on Mojave wk2

        Reverted changeset:

        "Web Inspector: Canvas: show WebGPU shader pipelines"
        https://bugs.webkit.org/show_bug.cgi?id=201675
        https://trac.webkit.org/changeset/250114

2019-09-20  Paulo Matos  <pmatos@igalia.com>

        Implement memory monitoring functions for Linux OS
        https://bugs.webkit.org/show_bug.cgi?id=200391

        Reviewed by Žan Doberšek.

        * jsc.cpp:

2019-09-20  Devin Rousso  <drousso@apple.com>

        ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html
        https://bugs.webkit.org/show_bug.cgi?id=201713
        <rdar://problem/55290349>

        Reviewed by Joseph Pecoraro.

        Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value
        instead of using a referenced `bool` (which wouldn't include any of the exception's info).

        * bindings/ScriptFunctionCall.h:
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::findObjectById const):
        (Inspector::InjectedScript::releaseObjectGroup):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const):
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeAsyncCall):

        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        (Inspector::InjectedScriptManager::injectedScriptFor):

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):

2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
        https://bugs.webkit.org/show_bug.cgi?id=202014

        Reviewed by Saam Barati.

        Let's look into the bytecode generated by the test.

            [   0] enter
            [   1] get_scope          loc4
            [   3] mov                loc5, loc4
            [   6] check_traps
            [   7] mov                loc6, callee
            [  10] create_direct_arguments loc7
            [  12] to_this            this
            [  15] mov                loc8, loc7
            [  18] mov                loc9, loc6
            [  21] mov                loc12, Undefined(const0)
            [  24] get_by_id          loc11, loc6, 0
            [  29] jneq_ptr           loc11, ApplyFunction, 18(->47)
            [  34] mov                loc11, loc6
            [  37] call_varargs       loc11, loc11, this, loc8, loc13, 0
            [  45] jmp                17(->62)
            [  47] mov                loc16, loc6
            [  50] mov                loc15, this
            [  53] mov                loc14, loc8
            [  56] call               loc11, loc11, 3, 22
            ...

        call_varargs uses loc13 as firstFreeReg (the first usable bottom register in the current stack-frame to spread variadic arguments after this).
        This is correct. And call_varargs uses |this| as the this argument for the call_varargs. This |this| argument is not in a region starting from loc13.
        And it is not in the previous place to loc13 (|this| is not loc12).

        On the other hand, DFG::ByteCodeParser's inlining path always assumes that the register previous to firstFreeReg is usable and part of the arguments.
        But this is wrong. loc12 in the above bytecode is used for `[  56] call               loc11, loc11, 3, 22`'s argument later, and this call assumes
        that loc12 is not clobbered by call_varargs. But DFG and FTL clobber it.

        The test is recursively calling the same function, and we inline the same function one level. And a stack-overflow error happens when the inlined
        CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, the outer function's loc12 is recovered to garbage since
        LoadVarargs clobbers it. And we eventually use it and crash.

            60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)

        This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.

        In all the tiers, op_call_varargs first allocates a large enough region to hold the varargs including |this|. And we store the |this| value to the correct place.
        DFG should not assume that the previous register to firstFreeReg is used for |this|.

        This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
        represent that `maxArgumentCountIncludingThis` includes the |this| count.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
        (JSC::CallLinkInfo::maxNumArguments): Deleted.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::dump const):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
        (JSC::CallLinkStatus::maxNumArguments const): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupFrame):
        * jit/JITOperations.cpp:

2019-09-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: show WebGPU shader pipelines
        https://bugs.webkit.org/show_bug.cgi?id=201675

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
        frontend of a new program.

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Rename VMInspector::m_list to m_vmList.
        https://bugs.webkit.org/show_bug.cgi?id=202015

        Reviewed by Yusuke Suzuki.

        m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
        it from other m_lists in the code base.

        * tools/VMInspector.cpp:
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        * tools/VMInspector.h:
        (JSC::VMInspector::iterate):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Reduce the number of required tag bits for the JSValue.
        https://bugs.webkit.org/show_bug.cgi?id=201990

        Reviewed by Yusuke Suzuki.

        We're reducing the number of tag bits to 15.  It should just work.

        How did we arrive at 15 bits?
        ============================
        Currently, the minimum number of top bits used by doubles is 13 bits.  The
        highest double bit encodings are:

            "negative" pureNaN: starts with 0xfff8
            negative infinity:  starts with 0xfff0
            highest number:     starts with 0xffe*
            lowest number:      starts with 0x0000

        Requirements:
        1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints
           (all 1s at the top).

        2. We want to be able to add an offset to double bits and ensure that they never
           end up in the ranges for pointers and ints.

        3. The int tag must be higher than whatever value is produced in the top bits
           when boxing a double.  We have code that relies on this relationship being
           true and checks if a JSValue is an int by checking if the tag bits are above
           or equal to the int tag.

        4. We don't want to burn more than 2 CPU registers for tag / mask registers.

        Based on the bit encoding of doubles, the full number range of the top 13 bits
        is used in valid double numbers.  This means the minimum tag bits must be greater
        than 13.

        Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
        0x0004.  With this encoding,
            "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc

        i.e. the top 14 bits are all set.  This conflicts with the int number range.

        Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
        with 0x0002.  With this encoding:
            "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
            negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2

        i.e. 0xfffe (top 15 bits set) is available to represent ints.  This is the encoding
        that we'll adopt in this patch.

        Alternate encoding schemes to consider in the future:
        =====================================================
        1. If we're willing and able to purifyNaN at all the places that can produce a
           "negative" pureNaN, e.g. after a division, then we can remove the "negative"
           pureNaN as a valid double bit encoding.  With this, we can now box doubles
           with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
           0x0004.

           With this encoding, the top double, negative infinity, is encoded as follows:

                negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4

           i.e. leaving 0xfffc as the tag for ints.

           We didn't adopt this scheme at this time because it adds complexity, and may
           have performance impact from the extra purifyNaN checks.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202002

        2. If we're willing to use 3 tag registers or always materialize one of them, we
           can also adopt a 14-bit tag as follows:

               Pointer {  0000:PPPP:PPPP:PPPP
                        / 0002:****:****:****
               Double  {         ...
                        \ FFFC:****:****:****
               Integer {  FFFF:0000:IIII:IIII

           where ...
               NumberMask is 0xfffc: any bits set in the top 14 bits means the value is a number.
               IntMask is 0xffff: value is int if value & IntMask == IntMask.
               NotCellMask is NumberMask | OtherTag.

           Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
           a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
           still less than 0xffff.

           We didn't adopt this scheme at this time because it adds complexity and may
           have a performance impact from either burning another register, or materializing
           the 3rd mask.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202005

        * runtime/JSCJSValue.h:

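As an added check of the tag arithmetic worked through in the entry above (model code written for this page, not JSC's JSCJSValue.h), the block below computes, for an arbitrary tag width, the DoubleEncodeOffset contribution to the top 16 bits, the all-ones int tag, and whether boxing the highest double encodings collides with that tag; it then spells out the adopted 15-bit scheme on full 64-bit values. Namespace and function names are this example's own; the 0xfff8 and 0xfff0 top bits are the ones the entry lists.

```cpp
// Added example, not JSC code: a model of the JSValue tag-bit reasoning above.
#include <cstdint>
#include <cstring>

namespace TagModel {

// Top 16 bits of the two highest double encodings named in the entry.
constexpr uint16_t NegativePureNaNTop = 0xfff8;
constexpr uint16_t NegativeInfinityTop = 0xfff0;

// With a tag of `tagBits` bits, DoubleEncodeOffset is 1 << (64 - tagBits); this is
// what it adds to the top 16 bits: 0x0004 for 14 bits, 0x0002 for 15 bits.
constexpr uint16_t offsetTop16(unsigned tagBits) {
    return static_cast<uint16_t>(1u << (16 - tagBits));
}

// The int tag is "all 1s at the top": the top `tagBits` bits set.
// 14 bits -> 0xfffc, 15 bits -> 0xfffe.
constexpr uint16_t intTagTop16(unsigned tagBits) {
    return static_cast<uint16_t>(0xffffu & ~(offsetTop16(tagBits) - 1u));
}

// Top 16 bits of a boxed double whose raw top 16 bits are `doubleTop`.
constexpr uint16_t boxedTop16(uint16_t doubleTop, unsigned tagBits) {
    return static_cast<uint16_t>(doubleTop + offsetTop16(tagBits));
}

// Requirement 3: every boxed double must stay strictly below the int tag,
// otherwise the "tag bits >= int tag" check misreads that double as an int.
constexpr bool collidesWithIntTag(uint16_t doubleTop, unsigned tagBits) {
    return boxedTop16(doubleTop, tagBits) >= intTagTop16(tagBits);
}

// The 15-bit scheme the patch adopts, on full 64-bit values.
constexpr unsigned TagBits = 15;
constexpr uint64_t DoubleEncodeOffset = 1ULL << (64 - TagBits);                    // top 0x0002
constexpr uint64_t NumberTag = static_cast<uint64_t>(intTagTop16(TagBits)) << 48;  // top 0xfffe

inline uint64_t bitsOf(double d) { uint64_t u; std::memcpy(&u, &d, sizeof u); return u; }
inline uint16_t top16(uint64_t encoded) { return static_cast<uint16_t>(encoded >> 48); }

inline uint64_t boxDouble(double d) { return bitsOf(d) + DoubleEncodeOffset; }
inline uint64_t boxInt32(int32_t i) { return NumberTag | static_cast<uint32_t>(i); }

// The int check as the entry describes it: tag bits at or above the int tag.
inline bool isInt32(uint64_t encoded) { return encoded >= NumberTag; }

// The "negative" pureNaN (top 0xfff8), built from its bit pattern so it is exact.
inline double negativePureNaN() {
    uint64_t bits = static_cast<uint64_t>(NegativePureNaNTop) << 48;
    double d; std::memcpy(&d, &bits, sizeof d); return d;
}

} // namespace TagModel
```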
2019-09-19  Mark Lam  <mark.lam@apple.com>

        Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
        https://bugs.webkit.org/show_bug.cgi?id=201989

        Reviewed by Saam Barati.

        This patch only unindents the code to get it back to compliant formatting.
        There is no actual code change.

        * runtime/JSNonDestructibleProxy.h:
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):

2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>

        Syntax checker should report duplicate __proto__ properties
        https://bugs.webkit.org/show_bug.cgi?id=201897
        <rdar://problem/53201788>

        Reviewed by Mark Lam.

        Currently we have two ways of parsing object literals:
        - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
          it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
          but it won't store them in the Property object that it creates for each parsed property. This
          method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters.
        - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters
          as stated above. This will always allocate string literals as well as identifiers and store them in
          the Property object, even during syntax checking.

        From looking at the history, it seems that there was a distinction between these two methods:
        parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
        getters/setters or properties defined as both getters/setters and constants. That distinction
        was removed and the only distinction that remained was whether we build strings and store the
        strings and properties as part of the Property object created by SyntaxChecker::createProperty.
        However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
        __proto__ properties in object literals even in sloppy mode, which means that we do need to build
        the strings and identifiers and store them as part of the Property objects.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
        * parser/Parser.h:

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Remove a now unnecessary hack to work around static const needing external linkage.
        https://bugs.webkit.org/show_bug.cgi?id=201988

        Reviewed by Saam Barati.

        MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
        inlinable.

        * b3/B3Common.cpp:
        (JSC::B3::pinnedExtendedOffsetAddrRegister):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Replace JSValue #defines with static constexpr values.
        https://bugs.webkit.org/show_bug.cgi?id=201966

        Reviewed by Yusuke Suzuki.

        static constexpr is the modern C++ way to define these constants.

        Some of the values are typed int64_t and some are int32_t.  The original #define
        values are int64_t.  Hence, we adopt int64_t as the default type to use here.

        However, some of these constants are being used as 32-bit values, and the code
        was static_cast'ing them into int32_t.  This set of constants are all the small
        values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
        so that we don't have to keep casting them.  In the few places where they are
        used as int64_t, they will automatically get up-casted anyway.

        In this patch, we also did the following:

        1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
           basically using it to filter out cells like this:

              if (value & NotCellMask) then goto handleNotCellCase;

        2. Renamed TagTypeNumber to NumberTag for a shorter name.

           Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
           They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.

        3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value
           as a literal constant.  We now define DoubleEncodeOffset based on
           DoubleEncodeOffsetBit ensuring consistency.

        4. Introduced MiscTag so that clients don't have to put this set of tags together
           themselves.

        5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
           captures these values correctly with constexpr statements.  These static
           asserts were holdovers from the old days back when we had to define LLInt
           constant values manually, and we needed a mechanism to detect when the values
           have changed in the source.

        6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.

        7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset
           constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
           to do this for ARM64 because the constant can be loaded efficiently with a single
           MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
           the target register.

        * assembler/AbortReason.h:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileInt52Compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCell):
        (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
        (JSC::FTL::DFG::LowerDFGToB3::isOther):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (JSC::FTL::compileStub):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfCell):
        (JSC::AssemblyHelpers::branchIfOther):
        (JSC::AssemblyHelpers::branchIfNotOther):
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
670         (JSC::AssemblyHelpers::branchIfNumber):
671         (JSC::AssemblyHelpers::branchIfNotNumber):
672         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
673         (JSC::AssemblyHelpers::branchIfBoolean):
674         (JSC::AssemblyHelpers::branchIfNotBoolean):
675         (JSC::AssemblyHelpers::boxDouble):
676         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
677         (JSC::AssemblyHelpers::boxInt52):
678         (JSC::AssemblyHelpers::boxBooleanPayload):
679         (JSC::AssemblyHelpers::boxInt32):
680         * jit/CallFrameShuffleData.h:
681         * jit/CallFrameShuffler.cpp:
682         (JSC::CallFrameShuffler::CallFrameShuffler):
683         (JSC::CallFrameShuffler::dump const):
684         (JSC::CallFrameShuffler::prepareAny):
685         * jit/CallFrameShuffler.h:
686         (JSC::CallFrameShuffler::getFreeRegister const):
687         * jit/CallFrameShuffler64.cpp:
688         (JSC::CallFrameShuffler::emitBox):
689         (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
690         (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
691         * jit/GPRInfo.h:
692         (JSC::GPRInfo::reservedRegisters):
693         * jit/JITArithmetic.cpp:
694         (JSC::JIT::emit_compareAndJumpSlow):
695         * jit/JITBitAndGenerator.cpp:
696         (JSC::JITBitAndGenerator::generateFastPath):
697         * jit/JITBitOrGenerator.cpp:
698         (JSC::JITBitOrGenerator::generateFastPath):
699         * jit/JITBitXorGenerator.cpp:
700         (JSC::JITBitXorGenerator::generateFastPath):
701         * jit/JITCall.cpp:
702         (JSC::JIT::compileTailCall):
703         * jit/JITDivGenerator.cpp:
704         (JSC::JITDivGenerator::generateFastPath):
705         * jit/JITInlines.h:
706         (JSC::JIT::emitPatchableJumpIfNotInt):
707         * jit/JITLeftShiftGenerator.cpp:
708         (JSC::JITLeftShiftGenerator::generateFastPath):
709         * jit/JITMulGenerator.cpp:
710         (JSC::JITMulGenerator::generateFastPath):
711         * jit/JITOpcodes.cpp:
712         (JSC::JIT::emit_op_overrides_has_instance):
713         (JSC::JIT::emit_op_is_undefined):
714         (JSC::JIT::emit_op_is_undefined_or_null):
715         (JSC::JIT::emit_op_is_boolean):
716         (JSC::JIT::emit_op_is_number):
717         (JSC::JIT::emit_op_is_cell_with_type):
718         (JSC::JIT::emit_op_is_object):
719         (JSC::JIT::emit_op_not):
720         (JSC::JIT::emit_op_jeq_null):
721         (JSC::JIT::emit_op_jneq_null):
722         (JSC::JIT::emit_op_jundefined_or_null):
723         (JSC::JIT::emit_op_jnundefined_or_null):
724         (JSC::JIT::emit_op_eq_null):
725         (JSC::JIT::emit_op_neq_null):
726         * jit/JITPropertyAccess.cpp:
727         (JSC::JIT::emitGenericContiguousPutByVal):
728         (JSC::JIT::emitFloatTypedArrayPutByVal):
729         * jit/JITRightShiftGenerator.cpp:
730         (JSC::JITRightShiftGenerator::generateFastPath):
731         * jit/RegisterSet.cpp:
732         (JSC::RegisterSet::runtimeTagRegisters):
733         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
734         (JSC::RegisterSet::dfgCalleeSaveRegisters):
735         (JSC::RegisterSet::ftlCalleeSaveRegisters):
736         * jit/SpecializedThunkJIT.h:
737         (JSC::SpecializedThunkJIT::returnDouble):
738         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
739         * jit/ThunkGenerators.cpp:
740         (JSC::virtualThunkFor):
741         (JSC::nativeForGenerator):
742         (JSC::arityFixupGenerator):
743         (JSC::absThunkGenerator):
744         * llint/LLIntData.cpp:
745         (JSC::LLInt::Data::performAssertions):
746         * llint/LowLevelInterpreter.asm:
747         * llint/LowLevelInterpreter.cpp:
748         (JSC::CLoop::execute):
749         * llint/LowLevelInterpreter64.asm:
750         * offlineasm/arm64.rb:
751         * offlineasm/cloop.rb:
752         * offlineasm/x86.rb:
753         * runtime/JSCJSValue.h:
754         * runtime/JSCJSValueInlines.h:
755         (JSC::JSValue::isUndefinedOrNull const):
756         (JSC::JSValue::isCell const):
757         (JSC::JSValue::isInt32 const):
758         (JSC::JSValue::JSValue):
759         (JSC::JSValue::asDouble const):
760         (JSC::JSValue::isNumber const):
761         * wasm/js/WasmToJS.cpp:
762         (JSC::Wasm::wasmToJS):
763         * wasm/js/WebAssemblyFunction.cpp:
764         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
765
766 2019-09-18  Devin Rousso  <drousso@apple.com>
767
768         Web Inspector: Better handling for large arrays and collections in Object Trees
769         https://bugs.webkit.org/show_bug.cgi?id=143589
770         <rdar://problem/16135388>
771
772         Reviewed by Joseph Pecoraro.
773
774         Adds two buttons before the "Prototype" item in expanded object/collection previews:
775          - Show %d More
776          - Show All (%d More)
777
778         The default `fetchCount` increment is `100`. The first button will only be shown if there
779         are more than `100` items remaining (haven't been shown).
780
781         * inspector/InjectedScriptSource.js:
782         (InjectedScript.prototype.getProperties):
783         (InjectedScript.prototype.getDisplayableProperties):
784         (InjectedScript.prototype.getCollectionEntries):
785         (InjectedScript.prototype._getProperties):
786         (InjectedScript.prototype._internalPropertyDescriptors):
787         (InjectedScript.prototype._propertyDescriptors):
788         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
789         (InjectedScript.prototype._propertyDescriptors.processProperties):
790         (InjectedScript.prototype._getSetEntries):
791         (InjectedScript.prototype._getMapEntries):
792         (InjectedScript.prototype._getWeakMapEntries):
793         (InjectedScript.prototype._getWeakSetEntries):
794         (InjectedScript.prototype._getIteratorEntries):
795         (InjectedScript.prototype._entries):
796         (RemoteObject.prototype._generatePreview):
797         (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
798         Don't include boolean property descriptor values if they are `false`.
799
800         * inspector/JSInjectedScriptHost.cpp:
801         (Inspector::JSInjectedScriptHost::weakMapEntries):
802         (Inspector::JSInjectedScriptHost::weakSetEntries):
803
804         * inspector/InjectedScript.h:
805         * inspector/InjectedScript.cpp:
806         (Inspector::InjectedScript::getProperties):
807         (Inspector::InjectedScript::getDisplayableProperties):
808         (Inspector::InjectedScript::getCollectionEntries):
809
810         * inspector/agents/InspectorRuntimeAgent.h:
811         * inspector/agents/InspectorRuntimeAgent.cpp:
812         (Inspector::asInt): Added.
813         (Inspector::InspectorRuntimeAgent::getProperties):
814         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
815         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
816
817         * inspector/protocol/Runtime.json:
818         Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
819         Mark boolean properties as optional so they can be omitted if `false`.
820
821 2019-09-18  Joonghun Park  <pjh0718@gmail.com>
822
823         Unreviewed. Remove build warning since r249976.
824
825         No new tests, no behavioral changes.
826
827         This patch removes the build warning below.
828         warning: control reaches end of non-void function [-Wreturn-type]
829
830         * dfg/DFGArrayMode.cpp:
831         (JSC::DFG::ArrayMode::alreadyChecked const):
832
833 2019-09-18  Saam Barati  <sbarati@apple.com>
834
835         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
836         https://bugs.webkit.org/show_bug.cgi?id=201953
837         <rdar://problem/53803524>
838
839         Reviewed by Yusuke Suzuki.
840
841         We had code in DFGSpeculativeJIT like:
842         
843         if (!globalObject->isHavingABadTime()) {
844             <-- here -->
845             Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
846             assert 's' has expected indexing type
847         }
848         
849         The problem is, we may have a bad time before we actually load the structure
850         inside the if. We may have a bad time while we're at the "<-- here -->" in the
851         above program. The fix is to first load the structure, then check if we're
852         having a bad time. If we're still not having a bad time, it's valid to assert
853         things about the structure.
854
855         * dfg/DFGSpeculativeJIT.cpp:
856         (JSC::DFG::SpeculativeJIT::compileNewArray):
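
        The two orderings described in this entry, as an added example that is not JavaScriptCore code: `GlobalObject`, `Structure` and `IndexingType` are hypothetical stand-ins, and `atHere` is an assumed hook that runs at the "<-- here -->" point so the cross-thread flip of the flag can be reproduced deterministically.

```cpp
// Added example (not JSC code): models the havingABadTime TOCTOU race from the
// ChangeLog entry. GlobalObject, Structure, IndexingType and the atHere hook are
// hypothetical stand-ins for the real JSC types and for a concurrent thread.
#include <atomic>
#include <cstdio>
#include <functional>

enum class IndexingType { Int32 = 0, Double = 1, Contiguous = 2, SlowPut = 3 };

struct Structure {
    IndexingType indexingType;
};

struct GlobalObject {
    // Flips false -> true once, from any thread, and never goes back.
    std::atomic<bool> havingABadTime{false};
    Structure fastStructures[3] = {{IndexingType::Int32}, {IndexingType::Double}, {IndexingType::Contiguous}};
    Structure slowPutStructure{IndexingType::SlowPut};

    bool isHavingABadTime() const { return havingABadTime.load(std::memory_order_acquire); }
    void haveABadTime() { havingABadTime.store(true, std::memory_order_release); }

    // Once we are having a bad time, every allocation structure degrades to
    // SlowPut, so its indexing type no longer matches the requested one.
    const Structure* arrayStructureForIndexingTypeDuringAllocation(IndexingType type) const {
        if (isHavingABadTime())
            return &slowPutStructure;
        return &fastStructures[static_cast<int>(type)];
    }
};

using Hook = std::function<void()>;

// Buggy ordering from the entry: check the flag, then load the structure.
// Returns whether the assertion would hold (true also when it is skipped).
bool checkThenLoad(GlobalObject& global, IndexingType type, const Hook& atHere) {
    if (!global.isHavingABadTime()) {
        atHere(); // another thread may call haveABadTime() right here
        const Structure* s = global.arrayStructureForIndexingTypeDuringAllocation(type);
        return s->indexingType == type; // the assertion
    }
    return true;
}

// Fixed ordering: load the structure first, then re-check the flag. If the
// flag is still clear after the load, the load happened before any bad time,
// so the structure is the fast one and asserting about it is valid.
bool loadThenCheck(GlobalObject& global, IndexingType type, const Hook& atHere) {
    const Structure* s = global.arrayStructureForIndexingTypeDuringAllocation(type);
    atHere(); // the same window, now after the load
    if (!global.isHavingABadTime())
        return s->indexingType == type;
    return true; // a bad time started since the load: nothing is asserted
}

int main() {
    GlobalObject racy;
    bool buggyHolds = checkThenLoad(racy, IndexingType::Int32, [&] { racy.haveABadTime(); });
    GlobalObject fixed;
    bool fixedHolds = loadThenCheck(fixed, IndexingType::Int32, [&] { fixed.haveABadTime(); });
    std::printf("check-then-load assertion holds: %s\n", buggyHolds ? "yes" : "no"); // no
    std::printf("load-then-check assertion holds: %s\n", fixedHolds ? "yes" : "no"); // yes
    return 0;
}
```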
857
858 2019-09-18  Chris Dumez  <cdumez@apple.com>
859
860         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
861         https://bugs.webkit.org/show_bug.cgi?id=201947
862         <rdar://problem/55453612>
863
864         Reviewed by Mark Lam.
865
866         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
867         but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
868         <https://trac.webkit.org/changeset/249064>.
869
870         * API/JSContextRef.cpp:
871         (JSContextGroupCreate):
872         (JSGlobalContextCreate):
873         (JSGlobalContextCreateInGroup):
874
875 2019-09-18  Saam Barati  <sbarati@apple.com>
876
877         Phantom insertion phase may disagree with arguments forwarding about live ranges
878         https://bugs.webkit.org/show_bug.cgi?id=200715
879         <rdar://problem/54301717>
880
881         Reviewed by Yusuke Suzuki.
882
883         The issue is that Phantom insertion phase was disagreeing about live ranges
884         from the arguments forwarding phase. The effect is that Phantom insertion
885         would insert a Phantom creating a longer live range than what arguments
886         forwarding was analyzing. Arguments forwarding will look for the last DFG
887         use or the last bytecode use of a variable it wants to eliminate. It then
888         does an interference analysis to ensure that nothing clobbers other variables
889         it needs to recover the sunken allocation during OSR exit.
890         
891         Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
892         in the current epoch, there is no need to insert a phantom for it. We
893         determine where we might need a Phantom by looking at bytecode kills. In this
894         analysis, we have a mapping from bytecode local to DFG node. However, we
895         sometimes forgot to remove the entry when a local is killed. So, if the first
896         kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
897         However, if the variable gets killed again, we might errantly insert a Phantom
898         for the prior variable which should've already been killed. The solution is to
899         clear the entry in our mapping when a variable is killed.
900         
901         The program in question was like this:
902         
903         1: DirectArguments
904         ...
905         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
906         ...
907         clobber things needed for recovery
908         ...
909         
910         Arguments elimination would transform the program since between @1 and
911         @2, nothing clobbers values needed for exit and nothing escapes @1. The
912         program becomes:
913         
914         1: PhantomDirectArguments
915         ...
916         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
917         ...
918         clobber things needed for recovery of @1
919         ...
920         
921         
922         Phantom insertion would then transform the program into:
923         
924         1: PhantomDirectArguments
925         ...
926         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
927         ...
928         clobber things needed for recovery of @1
929         ...
930         3: Phantom(@1)
931         ...
932         
933         This is wrong because Phantom insertion and arguments forwarding must agree on live
934         ranges, otherwise the interference analysis performed by arguments forwarding will
935         not correctly analyze up until where the value might be recovered.
936
937         * dfg/DFGPhantomInsertionPhase.cpp:
938
939 2019-09-18  Commit Queue  <commit-queue@webkit.org>
940
941         Unreviewed, rolling out r250002.
942         https://bugs.webkit.org/show_bug.cgi?id=201943
943
944         Patching of the callee and call is not atomic (Requested by
945         tadeuzagallo on #webkit).
946
947         Reverted changeset:
948
949         "Change WebAssembly calling conventions"
950         https://bugs.webkit.org/show_bug.cgi?id=201799
951         https://trac.webkit.org/changeset/250002
952
953 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
954
955         [JSC] Generator should have internal fields
956         https://bugs.webkit.org/show_bug.cgi?id=201159
957
958         Reviewed by Keith Miller.
959
960         This patch makes generator's internal states InternalField instead of private properties.
961         Each generator function produces a generator with a different [[Prototype]], which makes generators have different Structures.
962         As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.
963
964         If we make these structures adaptively poly-proto, some generators get poly-proto structures while others do not, resulting
965         in megamorphic lookup in Generator.prototype.next. If we make all the generators' structures poly-proto, it makes Generator.prototype.next
966         lookup suboptimal for now.
967
968         In this patch, we start with a relatively simple solution. This patch introduces the JSGenerator class, which has internal fields for the generator's internal
969         states. We extend the promise-internal-field access bytecodes to access these fields from bytecode so that Generator.prototype.next can access
970         these fields without using megamorphic get_by_id_direct.
971
972         And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.
973
974         We reserve the offset = 0 slot for the future poly-proto extension of JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
975         JSGenerator can still offer a way to access the same Generator internal fields with the same offset, while poly-proto JSGenerator can get the offset = 0
976         inline-storage slot for the PolyProto implementation.
977
978         This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
979         In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.
980
981         This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.
982
983         This patch includes several design decisions.
984
985             1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
986             2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
987                support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
988             3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now,
989                we are not taking this approach just because I'm not sure this is necessary. If we found such a pattern, we can easily extend the current one but for now, I would like to keep
990                this patch simple.
991
992         * JavaScriptCore.xcodeproj/project.pbxproj:
993         * Sources.txt:
994         * builtins/AsyncFunctionPrototype.js:
995         (globalPrivate.asyncFunctionResume):
996         * builtins/GeneratorPrototype.js:
997         (globalPrivate.generatorResume):
998         (next):
999         (return):
1000         (throw):
1001         * bytecode/BytecodeGeneratorification.cpp:
1002         (JSC::BytecodeGeneratorification::run):
1003         * bytecode/BytecodeIntrinsicRegistry.cpp:
1004         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1005         * bytecode/BytecodeIntrinsicRegistry.h:
1006         * bytecode/BytecodeList.rb:
1007         * bytecode/BytecodeUseDef.h:
1008         (JSC::computeUsesForBytecodeOffset):
1009         (JSC::computeDefsForBytecodeOffset):
1010         * bytecode/CodeBlock.cpp:
1011         (JSC::CodeBlock::finishCreation):
1012         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1013         * bytecode/SpeculatedType.cpp:
1014         (JSC::speculationFromJSType):
1015         * bytecode/SpeculatedType.h:
1016         * bytecompiler/BytecodeGenerator.cpp:
1017         (JSC::BytecodeGenerator::BytecodeGenerator):
1018         (JSC::BytecodeGenerator::emitPutGeneratorFields):
1019         (JSC::BytecodeGenerator::emitCreateGenerator):
1020         (JSC::BytecodeGenerator::emitNewGenerator):
1021         (JSC::BytecodeGenerator::emitYield):
1022         (JSC::BytecodeGenerator::emitDelegateYield):
1023         (JSC::BytecodeGenerator::emitGeneratorStateChange):
1024         * bytecompiler/BytecodeGenerator.h:
1025         (JSC::BytecodeGenerator::emitIsGenerator):
1026         (JSC::BytecodeGenerator::generatorStateRegister):
1027         (JSC::BytecodeGenerator::generatorValueRegister):
1028         (JSC::BytecodeGenerator::generatorResumeModeRegister):
1029         (JSC::BytecodeGenerator::generatorFrameRegister):
1030         * bytecompiler/NodesCodegen.cpp:
1031         (JSC::generatorInternalFieldIndex):
1032         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
1033         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
1034         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
1035         (JSC::FunctionNode::emitBytecode):
1036         * dfg/DFGAbstractInterpreterInlines.h:
1037         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1038         * dfg/DFGByteCodeParser.cpp:
1039         (JSC::DFG::ByteCodeParser::parseBlock):
1040         * dfg/DFGCapabilities.cpp:
1041         (JSC::DFG::capabilityLevel):
1042         * dfg/DFGClobberize.h:
1043         (JSC::DFG::clobberize):
1044         * dfg/DFGClobbersExitState.cpp:
1045         (JSC::DFG::clobbersExitState):
1046         * dfg/DFGConstantFoldingPhase.cpp:
1047         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1048         * dfg/DFGDoesGC.cpp:
1049         (JSC::DFG::doesGC):
1050         * dfg/DFGFixupPhase.cpp:
1051         (JSC::DFG::FixupPhase::fixupNode):
1052         (JSC::DFG::FixupPhase::fixupIsCellWithType):
1053         * dfg/DFGGraph.cpp:
1054         (JSC::DFG::Graph::dump):
1055         * dfg/DFGNode.h:
1056         (JSC::DFG::Node::convertToNewGenerator):
1057         (JSC::DFG::Node::speculatedTypeForQuery):
1058         (JSC::DFG::Node::hasStructure):
1059         * dfg/DFGNodeType.h:
1060         * dfg/DFGOperations.cpp:
1061         * dfg/DFGOperations.h:
1062         * dfg/DFGPredictionPropagationPhase.cpp:
1063         * dfg/DFGSafeToExecute.h:
1064         (JSC::DFG::safeToExecute):
1065         * dfg/DFGSpeculativeJIT.cpp:
1066         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1067         (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
1068         (JSC::DFG::SpeculativeJIT::compileNewGenerator):
1069         * dfg/DFGSpeculativeJIT.h:
1070         * dfg/DFGSpeculativeJIT32_64.cpp:
1071         (JSC::DFG::SpeculativeJIT::compile):
1072         * dfg/DFGSpeculativeJIT64.cpp:
1073         (JSC::DFG::SpeculativeJIT::compile):
1074         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1075         * ftl/FTLCapabilities.cpp:
1076         (JSC::FTL::canCompile):
1077         * ftl/FTLLowerDFGToB3.cpp:
1078         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1079         (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
1080         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1081         (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
1082         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
1083         * jit/JIT.cpp:
1084         (JSC::JIT::privateCompileMainPass):
1085         (JSC::JIT::privateCompileSlowCases):
1086         * jit/JITOperations.cpp:
1087         * jit/JITOperations.h:
1088         * jit/JITPropertyAccess.cpp:
1089         (JSC::JIT::emit_op_get_internal_field):
1090         (JSC::JIT::emit_op_put_internal_field):
1091         * llint/LowLevelInterpreter.asm:
1092         * runtime/CommonSlowPaths.cpp:
1093         (JSC::SLOW_PATH_DECL):
1094         * runtime/CommonSlowPaths.h:
1095         * runtime/InternalFunction.cpp:
1096         (JSC::InternalFunction::createSubclassStructureSlow):
1097         * runtime/InternalFunction.h:
1098         (JSC::InternalFunction::createSubclassStructure):
1099         * runtime/JSGenerator.cpp: Added.
1100         (JSC::JSGenerator::create):
1101         (JSC::JSGenerator::createStructure):
1102         (JSC::JSGenerator::JSGenerator):
1103         (JSC::JSGenerator::finishCreation):
1104         (JSC::JSGenerator::visitChildren):
1105         * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
1106         * runtime/JSGeneratorFunction.h:
1107         * runtime/JSGlobalObject.cpp:
1108         (JSC::JSGlobalObject::init):
1109         (JSC::JSGlobalObject::visitChildren):
1110         * runtime/JSGlobalObject.h:
1111         (JSC::JSGlobalObject::generatorStructure const):
1112         * runtime/JSType.cpp:
1113         (WTF::printInternal):
1114         * runtime/JSType.h:
1115
1116 2019-09-17  Keith Miller  <keith_miller@apple.com>
1117
1118         Move comment explaining our Options to OptionsList.h
1119         https://bugs.webkit.org/show_bug.cgi?id=201891
1120
1121         Rubber-stamped by Mark Lam.
1122
1123         We moved the list so we should move the comment.
1124
1125         * runtime/Options.h:
1126         * runtime/OptionsList.h:
1127
1128 2019-09-17  Keith Miller  <keith_miller@apple.com>
1129
1130         Elide unnecessary moves in Air O0
1131         https://bugs.webkit.org/show_bug.cgi?id=201703
1132
1133         Reviewed by Saam Barati.
1134
1135         This patch also removes the code that would try to reuse temps in
1136         WasmAirIRGenerator. That code makes it hard to accurately
1137         determine where a temp dies as it could be reused again
1138         later. Thus every temp may appear to live for a long time in the
1139         global ordering.
1140
1141         This appears to be a minor progression on the overall score of
1142         wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.
1143
1144         This patch also fixes an issue where we didn't ask Patchpoints
1145         for early clobber registers when determining what callee saves
1146         were used by the program.
1147
1148         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
1149         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
1150         * b3/air/AirBasicBlock.h:
1151         * b3/air/AirCode.h:
1152         * b3/air/AirHandleCalleeSaves.cpp:
1153         (JSC::B3::Air::handleCalleeSaves):
1154         * b3/air/testair.cpp:
1155         * wasm/WasmAirIRGenerator.cpp:
1156         (JSC::Wasm::AirIRGenerator::didKill): Deleted.
1157         * wasm/WasmB3IRGenerator.cpp:
1158         (JSC::Wasm::B3IRGenerator::didKill): Deleted.
1159         * wasm/WasmFunctionParser.h:
1160         (JSC::Wasm::FunctionParser<Context>::parseBody):
1161         (JSC::Wasm::FunctionParser<Context>::parseExpression):
1162         * wasm/WasmValidate.cpp:
1163         (JSC::Wasm::Validate::didKill): Deleted.
1164
1165 2019-09-17  Mark Lam  <mark.lam@apple.com>
1166
1167         Use constexpr instead of const in symbol definitions that are obviously constexpr.
1168         https://bugs.webkit.org/show_bug.cgi?id=201879
1169
1170         Rubber-stamped by Joseph Pecoraro.
1171
1172         const may require external storage (at the compiler's whim) though these
1173         currently do not.  constexpr makes it clear that the value is a literal constant
1174         that can be inlined.  In most cases in the code, when we say static const, we
1175         actually mean static constexpr.  I'm changing the code to reflect this.
1176
1177         * API/JSAPIValueWrapper.h:
1178         * API/JSCallbackConstructor.h:
1179         * API/JSCallbackObject.h:
1180         * API/JSContextRef.cpp:
1181         * API/JSWrapperMap.mm:
1182         * API/tests/CompareAndSwapTest.cpp:
1183         * API/tests/TypedArrayCTest.cpp:
1184         * API/tests/testapi.mm:
1185         (testObjectiveCAPIMain):
1186         * KeywordLookupGenerator.py:
1187         (Trie.printAsC):
1188         * assembler/ARMv7Assembler.h:
1189         * assembler/AssemblerBuffer.h:
1190         * assembler/AssemblerCommon.h:
1191         * assembler/MacroAssembler.h:
1192         * assembler/MacroAssemblerARM64.h:
1193         * assembler/MacroAssemblerARM64E.h:
1194         * assembler/MacroAssemblerARMv7.h:
1195         * assembler/MacroAssemblerCodeRef.h:
1196         * assembler/MacroAssemblerMIPS.h:
1197         * assembler/MacroAssemblerX86.h:
1198         * assembler/MacroAssemblerX86Common.h:
1199         (JSC::MacroAssemblerX86Common::absDouble):
1200         (JSC::MacroAssemblerX86Common::negateDouble):
1201         * assembler/MacroAssemblerX86_64.h:
1202         * assembler/X86Assembler.h:
1203         * b3/B3Bank.h:
1204         * b3/B3CheckSpecial.h:
1205         * b3/B3DuplicateTails.cpp:
1206         * b3/B3EliminateCommonSubexpressions.cpp:
1207         * b3/B3FixSSA.cpp:
1208         * b3/B3FoldPathConstants.cpp:
1209         * b3/B3InferSwitches.cpp:
1210         * b3/B3Kind.h:
1211         * b3/B3LowerToAir.cpp:
1212         * b3/B3NativeTraits.h:
1213         * b3/B3ReduceDoubleToFloat.cpp:
1214         * b3/B3ReduceLoopStrength.cpp:
1215         * b3/B3ReduceStrength.cpp:
1216         * b3/B3ValueKey.h:
1217         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1218         * b3/air/AirAllocateStackByGraphColoring.cpp:
1219         * b3/air/AirArg.h:
1220         * b3/air/AirCCallSpecial.h:
1221         * b3/air/AirEmitShuffle.cpp:
1222         * b3/air/AirFixObviousSpills.cpp:
1223         * b3/air/AirFormTable.h:
1224         * b3/air/AirLowerAfterRegAlloc.cpp:
1225         * b3/air/AirPrintSpecial.h:
1226         * b3/air/AirStackAllocation.cpp:
1227         * b3/air/AirTmp.h:
1228         * b3/testb3_6.cpp:
1229         (testInterpreter):
1230         * bytecode/AccessCase.cpp:
1231         * bytecode/CallLinkStatus.cpp:
1232         * bytecode/CallVariant.h:
1233         * bytecode/CodeBlock.h:
1234         * bytecode/CodeOrigin.h:
1235         * bytecode/DFGExitProfile.h:
1236         * bytecode/DirectEvalCodeCache.h:
1237         * bytecode/ExecutableToCodeBlockEdge.h:
1238         * bytecode/GetterSetterAccessCase.cpp:
1239         * bytecode/LazyOperandValueProfile.h:
1240         * bytecode/ObjectPropertyCondition.h:
1241         * bytecode/ObjectPropertyConditionSet.cpp:
1242         * bytecode/PolymorphicAccess.cpp:
1243         * bytecode/PropertyCondition.h:
1244         * bytecode/SpeculatedType.h:
1245         * bytecode/StructureStubInfo.cpp:
1246         * bytecode/UnlinkedCodeBlock.cpp:
1247         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
1248         * bytecode/UnlinkedCodeBlock.h:
1249         * bytecode/UnlinkedEvalCodeBlock.h:
1250         * bytecode/UnlinkedFunctionCodeBlock.h:
1251         * bytecode/UnlinkedFunctionExecutable.h:
1252         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1253         * bytecode/UnlinkedProgramCodeBlock.h:
1254         * bytecode/ValueProfile.h:
1255         * bytecode/VirtualRegister.h:
1256         * bytecode/Watchpoint.h:
1257         * bytecompiler/BytecodeGenerator.h:
1258         * bytecompiler/Label.h:
1259         * bytecompiler/NodesCodegen.cpp:
1260         (JSC::ThisNode::emitBytecode):
1261         * bytecompiler/RegisterID.h:
1262         * debugger/Breakpoint.h:
1263         * debugger/DebuggerParseData.cpp:
1264         * debugger/DebuggerPrimitives.h:
1265         * debugger/DebuggerScope.h:
1266         * dfg/DFGAbstractHeap.h:
1267         * dfg/DFGAbstractValue.h:
1268         * dfg/DFGArgumentsEliminationPhase.cpp:
1269         * dfg/DFGByteCodeParser.cpp:
1270         * dfg/DFGCSEPhase.cpp:
1271         * dfg/DFGCommon.h:
1272         * dfg/DFGCompilationKey.h:
1273         * dfg/DFGDesiredGlobalProperty.h:
1274         * dfg/DFGEdgeDominates.h:
1275         * dfg/DFGEpoch.h:
1276         * dfg/DFGForAllKills.h:
1277         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1278         * dfg/DFGGraph.cpp:
1279         (JSC::DFG::Graph::isLiveInBytecode):
1280         * dfg/DFGHeapLocation.h:
1281         * dfg/DFGInPlaceAbstractState.cpp:
1282         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1283         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1284         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1285         * dfg/DFGLICMPhase.cpp:
1286         * dfg/DFGLazyNode.h:
1287         * dfg/DFGMinifiedID.h:
1288         * dfg/DFGMovHintRemovalPhase.cpp:
1289         * dfg/DFGNodeFlowProjection.h:
1290         * dfg/DFGNodeType.h:
1291         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1292         * dfg/DFGPhantomInsertionPhase.cpp:
1293         * dfg/DFGPromotedHeapLocation.h:
1294         * dfg/DFGPropertyTypeKey.h:
1295         * dfg/DFGPureValue.h:
1296         * dfg/DFGPutStackSinkingPhase.cpp:
1297         * dfg/DFGRegisterBank.h:
1298         * dfg/DFGSSAConversionPhase.cpp:
1299         * dfg/DFGSSALoweringPhase.cpp:
1300         * dfg/DFGSpeculativeJIT.cpp:
1301         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1302         (JSC::DFG::compileClampDoubleToByte):
1303         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1304         (JSC::DFG::compileArithPowIntegerFastPath):
1305         (JSC::DFG::SpeculativeJIT::compileArithPow):
1306         (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
1307         * dfg/DFGStackLayoutPhase.cpp:
1308         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1309         * dfg/DFGStrengthReductionPhase.cpp:
1310         * dfg/DFGStructureAbstractValue.h:
1311         * dfg/DFGVarargsForwardingPhase.cpp:
1312         * dfg/DFGVariableEventStream.cpp:
1313         (JSC::DFG::VariableEventStream::reconstruct const):
1314         * dfg/DFGWatchpointCollectionPhase.cpp:
1315         * disassembler/ARM64/A64DOpcode.h:
1316         * ftl/FTLLocation.h:
1317         * ftl/FTLLowerDFGToB3.cpp:
1318         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
1319         * ftl/FTLSlowPathCall.cpp:
1320         * ftl/FTLSlowPathCallKey.h:
1321         * heap/CellContainer.h:
1322         * heap/CellState.h:
1323         * heap/ConservativeRoots.h:
1324         * heap/GCSegmentedArray.h:
1325         * heap/HandleBlock.h:
1326         * heap/Heap.cpp:
1327         (JSC::Heap::updateAllocationLimits):
1328         * heap/Heap.h:
1329         * heap/HeapSnapshot.h:
1330         * heap/HeapUtil.h:
1331         (JSC::HeapUtil::findGCObjectPointersForMarking):
1332         * heap/IncrementalSweeper.cpp:
1333         * heap/LargeAllocation.h:
1334         * heap/MarkedBlock.cpp:
1335         * heap/Strong.h:
1336         * heap/VisitRaceKey.h:
1337         * heap/Weak.h:
1338         * heap/WeakBlock.h:
1339         * inspector/JSInjectedScriptHost.h:
1340         * inspector/JSInjectedScriptHostPrototype.h:
1341         * inspector/JSJavaScriptCallFrame.h:
1342         * inspector/JSJavaScriptCallFramePrototype.h:
1343         * inspector/agents/InspectorConsoleAgent.cpp:
1344         * inspector/agents/InspectorRuntimeAgent.cpp:
1345         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1346         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1347         (CppProtocolTypesHeaderGenerator._generate_versions):
1348         * inspector/scripts/tests/generic/expected/version.json-result:
1349         * interpreter/Interpreter.h:
1350         * interpreter/ShadowChicken.cpp:
1351         * jit/BinarySwitch.cpp:
1352         * jit/CallFrameShuffler.h:
1353         * jit/ExecutableAllocator.h:
1354         * jit/FPRInfo.h:
1355         * jit/GPRInfo.h:
1356         * jit/ICStats.h:
1357         * jit/JITThunks.h:
1358         * jit/Reg.h:
1359         * jit/RegisterSet.h:
1360         * jit/TempRegisterSet.h:
1361         * jsc.cpp:
1362         * parser/ASTBuilder.h:
1363         * parser/Nodes.h:
1364         * parser/SourceCodeKey.h:
1365         * parser/SyntaxChecker.h:
1366         * parser/VariableEnvironment.h:
1367         * profiler/ProfilerOrigin.h:
1368         * profiler/ProfilerOriginStack.h:
1369         * profiler/ProfilerUID.h:
1370         * runtime/AbstractModuleRecord.cpp:
1371         * runtime/ArrayBufferNeuteringWatchpointSet.h:
1372         * runtime/ArrayConstructor.h:
1373         * runtime/ArrayConventions.h:
1374         * runtime/ArrayIteratorPrototype.h:
1375         * runtime/ArrayPrototype.cpp:
1376         (JSC::setLength):
1377         * runtime/AsyncFromSyncIteratorPrototype.h:
1378         * runtime/AsyncGeneratorFunctionPrototype.h:
1379         * runtime/AsyncGeneratorPrototype.h:
1380         * runtime/AsyncIteratorPrototype.h:
1381         * runtime/AtomicsObject.cpp:
1382         * runtime/BigIntConstructor.h:
1383         * runtime/BigIntPrototype.h:
1384         * runtime/BooleanPrototype.h:
1385         * runtime/ClonedArguments.h:
1386         * runtime/CodeCache.h:
1387         * runtime/ControlFlowProfiler.h:
1388         * runtime/CustomGetterSetter.h:
1389         * runtime/DateConstructor.h:
1390         * runtime/DatePrototype.h:
1391         * runtime/DefinePropertyAttributes.h:
1392         * runtime/ErrorPrototype.h:
1393         * runtime/EvalExecutable.h:
1394         * runtime/Exception.h:
1395         * runtime/ExceptionHelpers.cpp:
1396         (JSC::invalidParameterInSourceAppender):
1397         (JSC::invalidParameterInstanceofSourceAppender):
1398         * runtime/ExceptionHelpers.h:
1399         * runtime/ExecutableBase.h:
1400         * runtime/FunctionExecutable.h:
1401         * runtime/FunctionRareData.h:
1402         * runtime/GeneratorPrototype.h:
1403         * runtime/GenericArguments.h:
1404         * runtime/GenericOffset.h:
1405         * runtime/GetPutInfo.h:
1406         * runtime/GetterSetter.h:
1407         * runtime/GlobalExecutable.h:
1408         * runtime/Identifier.h:
1409         * runtime/InspectorInstrumentationObject.h:
1410         * runtime/InternalFunction.h:
1411         * runtime/IntlCollatorConstructor.h:
1412         * runtime/IntlCollatorPrototype.h:
1413         * runtime/IntlDateTimeFormatConstructor.h:
1414         * runtime/IntlDateTimeFormatPrototype.h:
1415         * runtime/IntlNumberFormatConstructor.h:
1416         * runtime/IntlNumberFormatPrototype.h:
1417         * runtime/IntlObject.h:
1418         * runtime/IntlPluralRulesConstructor.h:
1419         * runtime/IntlPluralRulesPrototype.h:
1420         * runtime/IteratorPrototype.h:
1421         * runtime/JSArray.cpp:
1422         (JSC::JSArray::tryCreateUninitializedRestricted):
1423         * runtime/JSArray.h:
1424         * runtime/JSArrayBuffer.h:
1425         * runtime/JSArrayBufferView.h:
1426         * runtime/JSBigInt.h:
1427         * runtime/JSCJSValue.h:
1428         * runtime/JSCell.h:
1429         * runtime/JSCustomGetterSetterFunction.h:
1430         * runtime/JSDataView.h:
1431         * runtime/JSDataViewPrototype.h:
1432         * runtime/JSDestructibleObject.h:
1433         * runtime/JSFixedArray.h:
1434         * runtime/JSGenericTypedArrayView.h:
1435         * runtime/JSGlobalLexicalEnvironment.h:
1436         * runtime/JSGlobalObject.h:
1437         * runtime/JSImmutableButterfly.h:
1438         * runtime/JSInternalPromiseConstructor.h:
1439         * runtime/JSInternalPromiseDeferred.h:
1440         * runtime/JSInternalPromisePrototype.h:
1441         * runtime/JSLexicalEnvironment.h:
1442         * runtime/JSModuleEnvironment.h:
1443         * runtime/JSModuleLoader.h:
1444         * runtime/JSModuleNamespaceObject.h:
1445         * runtime/JSNonDestructibleProxy.h:
1446         * runtime/JSONObject.cpp:
1447         * runtime/JSONObject.h:
1448         * runtime/JSObject.h:
1449         * runtime/JSPromiseConstructor.h:
1450         * runtime/JSPromiseDeferred.h:
1451         * runtime/JSPromisePrototype.h:
1452         * runtime/JSPropertyNameEnumerator.h:
1453         * runtime/JSProxy.h:
1454         * runtime/JSScope.h:
1455         * runtime/JSScriptFetchParameters.h:
1456         * runtime/JSScriptFetcher.h:
1457         * runtime/JSSegmentedVariableObject.h:
1458         * runtime/JSSourceCode.h:
1459         * runtime/JSString.cpp:
1460         * runtime/JSString.h:
1461         * runtime/JSSymbolTableObject.h:
1462         * runtime/JSTemplateObjectDescriptor.h:
1463         * runtime/JSTypeInfo.h:
1464         * runtime/MapPrototype.h:
1465         * runtime/MinimumReservedZoneSize.h:
1466         * runtime/ModuleProgramExecutable.h:
1467         * runtime/NativeExecutable.h:
1468         * runtime/NativeFunction.h:
1469         * runtime/NativeStdFunctionCell.h:
1470         * runtime/NumberConstructor.h:
1471         * runtime/NumberPrototype.h:
1472         * runtime/ObjectConstructor.h:
1473         * runtime/ObjectPrototype.h:
1474         * runtime/ProgramExecutable.h:
1475         * runtime/PromiseDeferredTimer.cpp:
1476         * runtime/PropertyMapHashTable.h:
1477         * runtime/PropertyNameArray.h:
1478         (JSC::PropertyNameArray::add):
1479         * runtime/PrototypeKey.h:
1480         * runtime/ProxyConstructor.h:
1481         * runtime/ProxyObject.cpp:
1482         (JSC::ProxyObject::performGetOwnPropertyNames):
1483         * runtime/ProxyRevoke.h:
1484         * runtime/ReflectObject.h:
1485         * runtime/RegExp.h:
1486         * runtime/RegExpCache.h:
1487         * runtime/RegExpConstructor.h:
1488         * runtime/RegExpKey.h:
1489         * runtime/RegExpObject.h:
1490         * runtime/RegExpPrototype.h:
1491         * runtime/RegExpStringIteratorPrototype.h:
1492         * runtime/SamplingProfiler.cpp:
1493         * runtime/ScopedArgumentsTable.h:
1494         * runtime/ScriptExecutable.h:
1495         * runtime/SetPrototype.h:
1496         * runtime/SmallStrings.h:
1497         * runtime/SparseArrayValueMap.h:
1498         * runtime/StringConstructor.h:
1499         * runtime/StringIteratorPrototype.h:
1500         * runtime/StringObject.h:
1501         * runtime/StringPrototype.h:
1502         * runtime/Structure.h:
1503         * runtime/StructureChain.h:
1504         * runtime/StructureRareData.h:
1505         * runtime/StructureTransitionTable.h:
1506         * runtime/Symbol.h:
1507         * runtime/SymbolConstructor.h:
1508         * runtime/SymbolPrototype.h:
1509         * runtime/SymbolTable.h:
1510         * runtime/TemplateObjectDescriptor.h:
1511         * runtime/TypeProfiler.cpp:
1512         * runtime/TypeProfiler.h:
1513         * runtime/TypeProfilerLog.cpp:
1514         * runtime/VarOffset.h:
1515         * testRegExp.cpp:
1516         * tools/HeapVerifier.cpp:
1517         (JSC::HeapVerifier::checkIfRecorded):
1518         * tools/JSDollarVM.cpp:
1519         * wasm/WasmB3IRGenerator.cpp:
1520         * wasm/WasmBBQPlan.cpp:
1521         * wasm/WasmFaultSignalHandler.cpp:
1522         * wasm/WasmFunctionParser.h:
1523         * wasm/WasmOMGForOSREntryPlan.cpp:
1524         * wasm/WasmOMGPlan.cpp:
1525         * wasm/WasmPlan.cpp:
1526         * wasm/WasmSignature.cpp:
1527         * wasm/WasmSignature.h:
1528         * wasm/WasmWorklist.cpp:
1529         * wasm/js/JSWebAssembly.h:
1530         * wasm/js/JSWebAssemblyCodeBlock.h:
1531         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1532         * wasm/js/WebAssemblyCompileErrorPrototype.h:
1533         * wasm/js/WebAssemblyFunction.h:
1534         * wasm/js/WebAssemblyInstanceConstructor.h:
1535         * wasm/js/WebAssemblyInstancePrototype.h:
1536         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1537         * wasm/js/WebAssemblyLinkErrorPrototype.h:
1538         * wasm/js/WebAssemblyMemoryConstructor.h:
1539         * wasm/js/WebAssemblyMemoryPrototype.h:
1540         * wasm/js/WebAssemblyModuleConstructor.h:
1541         * wasm/js/WebAssemblyModulePrototype.h:
1542         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1543         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
1544         * wasm/js/WebAssemblyTableConstructor.h:
1545         * wasm/js/WebAssemblyTablePrototype.h:
1546         * wasm/js/WebAssemblyToJSCallee.h:
1547         * yarr/Yarr.h:
1548         * yarr/YarrParser.h:
1549         * yarr/generateYarrCanonicalizeUnicode:
1550
1551 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1552
1553         Follow-up after String.codePointAt optimization
1554         https://bugs.webkit.org/show_bug.cgi?id=201889
1555
1556         Reviewed by Saam Barati.
1557
1558         Follow-up after string.codePointAt DFG / FTL optimizations:
1559
1560         1. Gracefully accept more arguments than expected for intrinsics
1561         2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.
1562
1563         * dfg/DFGByteCodeParser.cpp:
1564         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
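The two properties named in this entry (surplus arguments are ignored; a non-string `this` takes the generic path or throws) are the kind of thing an optimizing tier can get wrong only after warm-up. The following harness is an added example, not WebKit code: it records each intrinsic's result on a cold call and again after many iterations and reports any difference. The inputs are constructed here; under Node the engine is V8, so the check is engine-agnostic and says nothing about JSC's DFG internals.

```javascript
// Added example (not part of WebKit): a small tier-stability check for the three
// string intrinsics named above. It records what a function returns on its
// first call and again after enough iterations for a JIT to have optimized it,
// then compares. Extra arguments must be ignored, and a non-string `this` must
// follow ToString / throw exactly as on the first call.

// Probe: calls each intrinsic through `.call` so `this` can be anything, and
// passes a surplus third argument that the spec says is ignored.
function probe(receiver, index) {
  const out = {};
  for (const name of ["codePointAt", "charCodeAt", "charAt"]) {
    try {
      out[name] = String.prototype[name].call(receiver, index, "surplus");
    } catch (e) {
      out[name] = "threw:" + e.constructor.name;
    }
  }
  return out;
}

// Run `probe` on every input once (cold), then many times (warm), and report
// any input whose warm result differs from its cold result.
function tierStability(inputs, iterations = 5000) {
  const cold = inputs.map(([r, i]) => JSON.stringify(probe(r, i)));
  let sink = 0; // keeps the loop body observable so it is not dead code
  for (let n = 0; n < iterations; n++) {
    for (const [r, i] of inputs) sink += JSON.stringify(probe(r, i)).length;
  }
  const warm = inputs.map(([r, i]) => JSON.stringify(probe(r, i)));
  const mismatches = [];
  for (let k = 0; k < inputs.length; k++) {
    if (cold[k] !== warm[k]) {
      mismatches.push({ input: String(inputs[k][0]), cold: cold[k], warm: warm[k] });
    }
  }
  return { mismatches, cold, sink };
}

// Constructed inputs: plain strings, an astral code point, a number (ToString
// makes it "12345"), an object with toString, and null/undefined (must throw).
const INPUTS = [
  ["abc", 1],
  ["\u{1F600}x", 0],
  [12345, 2],
  [{ toString: () => "obj" }, 0],
  [null, 0],
  [undefined, 0],
];

const REPORT = tierStability(INPUTS);
```

Running the file leaves `REPORT.mismatches` empty on a correct engine; any entry there is a tier-dependent divergence worth a bug report.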
1565
1566 2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>
1567
1568         Change WebAssembly calling conventions
1569         https://bugs.webkit.org/show_bug.cgi?id=201799
1570
1571         Reviewed by Saam Barati.
1572
1573         Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
1574         we have the Wasm interpreter, since we need the callee in order to know which function we are executing.
1575         This patch changes the calling conventions in preparation for the interpreter, so that the caller
1576         becomes responsible for writing the callee into the call frame.
1577         However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
1578         generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
1579         code when we know statically who the callee is:
1580         - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
1581         - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry
1582
1583         Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping
1584         of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.
1585
1586         * CMakeLists.txt:
1587         * JavaScriptCore.xcodeproj/project.pbxproj:
1588         * wasm/WasmAirIRGenerator.cpp:
1589         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1590         (JSC::Wasm::AirIRGenerator::addCall):
1591         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1592         (JSC::Wasm::parseAndCompileAir):
1593         * wasm/WasmAirIRGenerator.h:
1594         * wasm/WasmB3IRGenerator.cpp:
1595         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1596         (JSC::Wasm::B3IRGenerator::addCall):
1597         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1598         (JSC::Wasm::parseAndCompile):
1599         * wasm/WasmB3IRGenerator.h:
1600         * wasm/WasmBBQPlan.cpp:
1601         (JSC::Wasm::BBQPlan::BBQPlan):
1602         (JSC::Wasm::BBQPlan::prepare):
1603         (JSC::Wasm::BBQPlan::compileFunctions):
1604         (JSC::Wasm::BBQPlan::complete):
1605         * wasm/WasmBBQPlan.h:
1606         * wasm/WasmBBQPlanInlines.h:
1607         (JSC::Wasm::BBQPlan::initializeCallees):
1608         * wasm/WasmBinding.cpp:
1609         (JSC::Wasm::wasmToWasm):
1610         * wasm/WasmCallee.cpp:
1611         (JSC::Wasm::Callee::Callee):
1612         (JSC::Wasm::repatchMove):
1613         (JSC::Wasm::repatchCall):
1614         (JSC::Wasm::BBQCallee::addCaller):
1615         (JSC::Wasm::BBQCallee::addAndLinkCaller):
1616         (JSC::Wasm::BBQCallee::repatchCallers):
1617         * wasm/WasmCallee.h:
1618         (JSC::Wasm::Callee::entrypoint):
1619         (JSC::Wasm::Callee::code const):
1620         (JSC::Wasm::Callee::calleeSaveRegisters):
1621         * wasm/WasmCallingConvention.h:
1622         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1623         * wasm/WasmCodeBlock.cpp:
1624         (JSC::Wasm::CodeBlock::CodeBlock):
1625         * wasm/WasmCodeBlock.h:
1626         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
1627         (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
1628         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1629         (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
1630         * wasm/WasmEmbedder.h:
1631         * wasm/WasmFormat.h:
1632         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
1633         * wasm/WasmInstance.h:
1634         (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
1635         * wasm/WasmOMGForOSREntryPlan.cpp:
1636         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
1637         (JSC::Wasm::OMGForOSREntryPlan::work):
1638         * wasm/WasmOMGForOSREntryPlan.h:
1639         * wasm/WasmOMGPlan.cpp:
1640         (JSC::Wasm::OMGPlan::OMGPlan):
1641         (JSC::Wasm::OMGPlan::work):
1642         * wasm/WasmOMGPlan.h:
1643         * wasm/WasmOperations.cpp:
1644         (JSC::Wasm::triggerOMGReplacementCompile):
1645         (JSC::Wasm::doOSREntry):
1646         (JSC::Wasm::triggerOSREntryNow):
1647         * wasm/js/JSToWasm.cpp:
1648         (JSC::Wasm::createJSToWasmWrapper):
1649         * wasm/js/JSToWasm.h:
1650         * wasm/js/WebAssemblyFunction.cpp:
1651         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1652         (JSC::WebAssemblyFunction::create):
1653         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1654         * wasm/js/WebAssemblyFunction.h:
1655         * wasm/js/WebAssemblyModuleRecord.cpp:
1656         (JSC::WebAssemblyModuleRecord::link):
1657         (JSC::WebAssemblyModuleRecord::evaluate):
1658         * wasm/js/WebAssemblyWrapperFunction.cpp:
1659         (JSC::WebAssemblyWrapperFunction::create):
1660
1661 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
1662
1663         [JSC] CheckArray+NonArray is not filtering out Array in AI
1664         https://bugs.webkit.org/show_bug.cgi?id=201857
1665         <rdar://problem/54194820>
1666
1667         Reviewed by Keith Miller.
1668
1669         The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
1670         While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
1671         accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
1672         This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.
1673
1674         * dfg/DFGArrayMode.cpp:
1675         (JSC::DFG::ArrayMode::alreadyChecked const):
1676
1677 2019-09-17  Saam Barati  <sbarati@apple.com>
1678
1679         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
1680         https://bugs.webkit.org/show_bug.cgi?id=201853
1681         <rdar://problem/53805461>
1682
1683         Reviewed by Yusuke Suzuki.
1684
1685         We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
1686         out SlowPutArrayStorage. It does no such thing. We just check that the object
1687         is either ScopedArguments or DirectArguments.
1688
1689         * dfg/DFGArrayMode.h:
1690         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1691         (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
1692         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
1693
1694 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
1695
1696         Wasm StreamingParser should validate that number of functions matches number of declarations
1697         https://bugs.webkit.org/show_bug.cgi?id=201850
1698         <rdar://problem/55290186>
1699
1700         Reviewed by Yusuke Suzuki.
1701
1702         Currently, when parsing the code section, we check that the number of functions matches the number
1703         of declarations in the function section. However, that check is never performed if the module does
1704         not have a code section. To fix that, we perform the check again in StreamingParser::finalize.
1705
1706         * wasm/WasmStreamingParser.cpp:
1707         (JSC::Wasm::StreamingParser::finalize):
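The mismatch this entry closes is visible from JavaScript through `WebAssembly.validate()`, which must reject a module whose function section declares bodies that no code section supplies. The following is an added example, not WebKit code: it assembles three minimal modules by hand (bytes constructed here from the binary format spec) and validates each. Under Node the validator is V8's, which enforces the same spec rule; the builder only supports payloads under 128 bytes so each section size fits in one LEB128 byte.

```javascript
// Added example (not part of WebKit): build tiny WebAssembly modules by hand and
// check them with WebAssembly.validate(). The "function section without a code
// section" case is the one the patch above makes StreamingParser reject; the
// count-mismatch case is the check that already existed.

// Section ids from the WebAssembly binary format.
const SECTION = { type: 1, function: 3, export: 7, code: 10 };

// Encode one section; payloads here are < 128 bytes so the LEB128 size is one byte.
function section(id, payload) {
  if (payload.length >= 128) throw new Error("payload too large for one-byte LEB128");
  return [id, payload.length, ...payload];
}

// A module with `declared` entries in the function section (all of type ()->())
// and `bodies` empty function bodies in the code section. `bodies === null`
// omits the code section entirely.
function buildModule(declared, bodies) {
  const bytes = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
  // Type section: one functype (0x60) with no params and no results.
  bytes.push(...section(SECTION.type, [0x01, 0x60, 0x00, 0x00]));
  // Function section: `declared` type indices, all referring to type 0.
  bytes.push(...section(SECTION.function, [declared, ...new Array(declared).fill(0x00)]));
  // Export section: export function 0 as "f" so a valid module can be called.
  if (declared > 0) {
    bytes.push(...section(SECTION.export, [0x01, 0x01, 0x66, 0x00, 0x00]));
  }
  if (bodies !== null) {
    // Each body: size 2, zero local declarations, then the `end` opcode (0x0b).
    const body = [0x02, 0x00, 0x0b];
    const codePayload = [bodies];
    for (let i = 0; i < bodies; i++) codePayload.push(...body);
    bytes.push(...section(SECTION.code, codePayload));
  }
  return new Uint8Array(bytes);
}

function isValid(bytes) {
  return WebAssembly.validate(bytes);
}

const wellFormed = buildModule(1, 1);      // one declaration, one body
const missingCode = buildModule(1, null);  // one declaration, no code section at all
const countMismatch = buildModule(2, 1);   // two declarations, one body

function validationResults() {
  return {
    wellFormed: isValid(wellFormed),
    missingCode: isValid(missingCode),
    countMismatch: isValid(countMismatch),
  };
}

// Instantiate the valid module and call its export to show it really is usable.
function callExported() {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(wellFormed));
  instance.exports.f(); // body is only `end`, so it returns nothing
  return typeof instance.exports.f === "function";
}
```

Only `wellFormed` should validate; both malformed modules must be rejected before any code is compiled, which is exactly the point of doing the count check in `finalize` as well as in the code-section parser.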
1708
1709 2019-09-16  Michael Saboff  <msaboff@apple.com>
1710
1711         [JSC] Perform check again when we found non-BMP characters
1712         https://bugs.webkit.org/show_bug.cgi?id=201647
1713
1714         Reviewed by Yusuke Suzuki.
1715
1716         We need to check for end of input for non-BMP characters when matching a character class that contains
1717         both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
1718         end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
1719         After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
1720         label to back out the index++ for the first surrogate of the non-BMP character.
1721
1722         Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
1723         first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
1724         we increment for the second surrogate.
1725
1726         While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the
1727         loop to check the count at loop top instead of loop bottom.
1728
1729         * yarr/YarrJIT.cpp:
1730         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
1731         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1732         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1733         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1734         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
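The inputs that matter for this fix are strings that end in a lone high surrogate or in a complete surrogate pair, matched against a character class containing both BMP and non-BMP members, plus greedy and non-greedy backtracking over such a class. The following is an added example, not WebKit code, that pins down the expected (spec) answers through the public regex API; under Node the engine is V8, so it documents what any correct engine returns rather than exercising JSC's JIT paths.

```javascript
// Added example (not part of WebKit): the inputs the Yarr fix above guards
// against, checked through the JS regex API rather than JIT internals. A class
// with both BMP and non-BMP members, matched against strings that end in a lone
// high surrogate or a complete surrogate pair, so end-of-input handling around
// the second surrogate is exercised.

const SMILE = "\u{1F600}";           // U+1F600, encoded as the surrogate pair D83D DE00
const LONE_HIGH = "\uD83D";          // unpaired high surrogate
const CLASS_PLUS = /[a\u{1F600}]+/u; // greedy: BMP 'a' and non-BMP U+1F600 in one class

// Return the matched text (or null); the `u` flag makes surrogate pairs one code point.
function matchFirst(re, input) {
  const m = re.exec(input);
  return m === null ? null : m[0];
}

function probes() {
  return {
    // Pair right at end of input: the class must consume both halves.
    pairAtEnd: matchFirst(CLASS_PLUS, "a" + SMILE),
    // Lone high surrogate at end: not in the class, so only "a" matches and
    // the matcher must not read past the end looking for a low surrogate.
    loneHighAtEnd: matchFirst(CLASS_PLUS, "a" + LONE_HIGH),
    // Nothing but a lone surrogate: no match at all.
    onlyLoneHigh: matchFirst(CLASS_PLUS, LONE_HIGH),
    // Greedy run followed by a required non-BMP char: the greedy term must
    // back off exactly one code point (two UTF-16 units), not one unit.
    greedyBacktrack: matchFirst(/[a\u{1F600}]+\u{1F600}/u, "a" + SMILE + SMILE),
    // Anchored: lone high surrogate after the run means no match to end-of-input.
    anchoredLone: /[a\u{1F600}]+$/u.test("a" + LONE_HIGH),
    // Non-greedy variant: minimal run, then the required non-BMP char.
    nonGreedy: matchFirst(/[a\u{1F600}]+?\u{1F600}/u, "a" + SMILE + SMILE),
    // UTF-16 length of the greedy match, to make the two-unit step visible.
    pairAtEndUnits: matchFirst(CLASS_PLUS, "a" + SMILE).length,
  };
}
```

A regex engine that checks end of input only before the first surrogate, or backtracks a greedy class one UTF-16 unit at a time, gives a different answer on `loneHighAtEnd` or `greedyBacktrack`; those two probes are the regression check for this change.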
1735
1736 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
1737
1738         [JSC] Add missing syntax errors for await in function parameter default expressions
1739         https://bugs.webkit.org/show_bug.cgi?id=201615
1740
1741         Reviewed by Darin Adler.
1742
1743         This patch rectifies two oversights:
1744           1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
1745              (and likewise for async arrow functions).
1746           2. We were not prohibiting `(x = await => {}) => {}` in an async context
1747              (regardless of parentheses, but note that this one *only* applies to arrow functions).
1748
1749         * parser/Parser.cpp:
1750         (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
1751         (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
1752         (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
1753         (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).
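The four forms this entry lists are early errors in the specification, so they can be checked from script by parsing without executing. The following is an added example, not WebKit code: it feeds each source string to the `Function` constructor and reports whether a `SyntaxError` results, alongside control forms that must keep compiling (including `await` as an ordinary identifier in a non-async sloppy function). Under Node the parser is V8's; a conforming engine gives the same answers.

```javascript
// Added example (not part of WebKit): compile each source string with the
// Function constructor and report whether it is rejected with a SyntaxError.
// Nothing is executed; `new Function` only parses the body as a sloppy-mode
// function body. The rejected cases are the ones the patch above names.

function isSyntaxError(source) {
  try {
    new Function(source);
    return false;
  } catch (e) {
    if (e instanceof SyntaxError) return true;
    throw e; // anything else is a harness bug, not a parse result
  }
}

// Case (1): `await` as an arrow parameter inside an async function's defaults,
// with and without parentheses, for both async functions and async arrows.
// Case (2): the same inside an arrow function that sits in an async body.
const MUST_REJECT = {
  asyncFnParenAwait: "async function f(x = (await) => {}) {}",
  asyncFnBareAwait: "async function f(x = await => {}) {}",
  asyncArrowBareAwait: "const g = async (x = await => {}) => {};",
  arrowInAsyncBody: "async function h() { (x = await => {}) => {}; }",
};

// Legal forms: no `await` in the default, or `await` as a plain identifier
// where the enclosing function is not async (allowed in sloppy scripts).
const MUST_ACCEPT = {
  asyncFnPlainArrow: "async function f(x = () => {}) {}",
  syncFnAwaitIdentifier: "function f(x = await => {}) {}",
  syncArrowAwaitIdentifier: "const k = (x = await => {}) => {};",
  awaitInAsyncBody: "async function f() { await 1; }",
};

// Map every case name to whether it was rejected; `true` is expected for
// MUST_REJECT entries and `false` for MUST_ACCEPT entries.
function results() {
  const out = {};
  for (const [name, src] of Object.entries(MUST_REJECT)) out[name] = isSyntaxError(src);
  for (const [name, src] of Object.entries(MUST_ACCEPT)) out[name] = isSyntaxError(src);
  return out;
}
```

The `syncFnAwaitIdentifier` control is the reason the check has to be context-sensitive: the same token sequence is legal outside an async context, so the parser must track whether an arrow's parameters are being parsed with `await` reserved.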
1754
1755 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
1756
1757         SamplingProfiler should hold API lock before reporting results
1758         https://bugs.webkit.org/show_bug.cgi?id=201829
1759
1760         Reviewed by Yusuke Suzuki.
1761
1762         Right now, the SamplingProfiler crashes in debug builds when trying to
1763         report results if it finds a JSFunction on the stack that doesn't have
1764         RareData. It tries to allocate the function's rare data when we call
1765         getOwnPropertySlot in order to get the function's name, but that fails
1766         because we are not holding the VM's API lock. We fix it by just holding
1767         the lock before reporting the results.
1768
1769         * runtime/SamplingProfiler.cpp:
1770         (JSC::SamplingProfiler::reportDataToOptionFile):
1771
1772 2019-09-16  David Kilzer  <ddkilzer@apple.com>
1773
1774         [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
1775         <https://webkit.org/b/201804>
1776
1777         Reviewed by Saam Barati.
1778
1779         * b3/testb3_8.cpp:
1780         (testFastForwardCopy32): Allocate arrays using
1781         WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
1782         statements.
1783
1784 2019-09-16  Saam Barati  <sbarati@apple.com>
1785
1786         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
1787         https://bugs.webkit.org/show_bug.cgi?id=200386
1788         <rdar://problem/53854946>
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         We used to ignore '__proto__' in putInlineSlow when the object in question
1793         was Proxy. There is no reason for this, and it goes against the spec. So
1794         I've removed that condition. This also has the effect that it fixes an
1795         assertion firing inside our inline caching code which dictates that, for a
1796         property replace, the base value's structure must be equal to the
1797         structure we grabbed prior to the put operation.
1798         The old code caused a weird edge case where we broke this invariant.
1799
1800         * runtime/JSObject.cpp:
1801         (JSC::JSObject::putInlineSlow):
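What the spec requires when `__proto__` is assigned through a Proxy is observable from script, and it is the behaviour this entry restores. The following is an added example, not WebKit code: with no `set` trap, `[[Set]]` forwards to the target with the proxy as receiver, the inherited `Object.prototype.__proto__` setter runs against that receiver, and the prototype of the proxy (hence the target) changes; with a `set` trap, the trap sees `"__proto__"` like any other key. The inline-cache structure invariant the entry mentions is JSC-internal and not visible here.

```javascript
// Added example (not part of WebKit): spec-mandated behaviour of assigning
// "__proto__" through a Proxy, which is what the patch above restores in
// JSObject::putInlineSlow.

function assignThroughProxyWithoutTrap() {
  const target = {};
  const proxy = new Proxy(target, {});
  proxy.__proto__ = Array.prototype; // no trap: forwarded to target, receiver = proxy
  return {
    proxyProto: Object.getPrototypeOf(proxy) === Array.prototype,
    targetProto: Object.getPrototypeOf(target) === Array.prototype,
    // The setter changes [[Prototype]]; it must not create an own "__proto__" property.
    ownProp: Object.prototype.hasOwnProperty.call(target, "__proto__"),
  };
}

function assignThroughProxyWithTrap() {
  const seen = [];
  const target = {};
  const proxy = new Proxy(target, {
    set(t, key, value, receiver) {
      seen.push(typeof key === "symbol" ? key.toString() : key);
      return Reflect.set(t, key, value, receiver); // ordinary [[Set]] with proxy as receiver
    },
  });
  proxy.__proto__ = Array.prototype; // trap observes "__proto__" like any other key
  proxy.other = 1;                   // ordinary data property lands on the target
  return {
    seenKeys: seen,
    proxyProto: Object.getPrototypeOf(proxy) === Array.prototype,
    otherIsOwn: Object.prototype.hasOwnProperty.call(target, "other"),
  };
}

// Reflect.set exercises the same path without property syntax and exposes
// the success flag that OrdinarySet returns.
function reflectSetProto() {
  const target = {};
  const proxy = new Proxy(target, {});
  const ok = Reflect.set(proxy, "__proto__", null);
  return { ok, protoIsNull: Object.getPrototypeOf(target) === null };
}
```

Ignoring `"__proto__"` for Proxy receivers, as the old code did, would leave `proxyProto` false in the first function while every other key still went through; the second function shows that a trap author is entitled to see the key.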
1802
1803 2019-09-15  David Kilzer  <ddkilzer@apple.com>
1804
1805         Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
1806         <https://webkit.org/b/201803>
1807
1808         Reviewed by Dan Bernstein.
1809
1810         * API/JSVirtualMachine.mm:
1811         (-[JSVirtualMachine addManagedReference:withOwner:]): Use
1812         RetainPtr<> to fix the leak.
1813
1814 2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
1815
1816         Retire x86 32bit JIT support
1817         https://bugs.webkit.org/show_bug.cgi?id=201790
1818
1819         Reviewed by Mark Lam.
1820
1821         Now, Xcode no longer has the ability to build 32-bit binaries, so we cannot even test it on macOS.
1822         Fedora has stopped shipping x86 32-bit kernels. Our x86/x86_64 JIT requires SSE2, so such relatively modern CPUs
1823         can use the JIT by switching from x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
1824         WebKit already disabled the x86 JIT by default while the implementation exists. So literally, it is not tested.
1825
1826         While x86 32-bit becomes less useful, the x86 32-bit JIT backend is very complicated and is a major maintenance burden.
1827         This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.
1828
1829         This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo,
1830         MachineContext information since they are useful even though JIT is not supported.
1831
1832         * dfg/DFGArrayMode.cpp:
1833         (JSC::DFG::ArrayMode::refine const):
1834         * dfg/DFGByteCodeParser.cpp:
1835         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1836         (JSC::DFG::ByteCodeParser::parseBlock):
1837         * dfg/DFGFixupPhase.cpp:
1838         (JSC::DFG::FixupPhase::fixupNode):
1839         * dfg/DFGJITCompiler.cpp:
1840         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1841         * dfg/DFGOSRExitCompilerCommon.cpp:
1842         (JSC::DFG::osrWriteBarrier):
1843         * dfg/DFGSpeculativeJIT.cpp:
1844         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1845         (JSC::DFG::SpeculativeJIT::compileArithMod):
1846         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1847         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1848         * dfg/DFGSpeculativeJIT.h:
1849         * dfg/DFGSpeculativeJIT32_64.cpp:
1850         (JSC::DFG::SpeculativeJIT::emitCall):
1851         (JSC::DFG::SpeculativeJIT::compile):
1852         * dfg/DFGThunks.cpp:
1853         (JSC::DFG::osrExitGenerationThunkGenerator):
1854         * ftl/FTLThunks.cpp:
1855         (JSC::FTL::slowPathCallThunkGenerator):
1856         * jit/AssemblyHelpers.cpp:
1857         (JSC::AssemblyHelpers::callExceptionFuzz):
1858         (JSC::AssemblyHelpers::debugCall):
1859         * jit/AssemblyHelpers.h:
1860         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
1861         * jit/CCallHelpers.h:
1862         (JSC::CCallHelpers::setupArgumentsImpl):
1863         (JSC::CCallHelpers::prepareForTailCallSlow):
1864         * jit/CallFrameShuffler.cpp:
1865         (JSC::CallFrameShuffler::prepareForTailCall):
1866         * jit/JIT.cpp:
1867         (JSC::JIT::privateCompileExceptionHandlers):
1868         * jit/JITArithmetic32_64.cpp:
1869         (JSC::JIT::emit_op_mod):
1870         (JSC::JIT::emitSlow_op_mod):
1871         * jit/SlowPathCall.h:
1872         (JSC::JITSlowPathCall::call):
1873         * jit/ThunkGenerators.cpp:
1874         (JSC::nativeForGenerator):
1875         (JSC::arityFixupGenerator):
1876         * wasm/WasmAirIRGenerator.cpp:
1877         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
1878         * yarr/YarrJIT.cpp:
1879         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1880         (JSC::Yarr::YarrGenerator::generateEnter):
1881         (JSC::Yarr::YarrGenerator::generateReturn):
1882         (JSC::Yarr::YarrGenerator::compile):
1883         * yarr/YarrJIT.h:
1884
1885 2019-09-13  Mark Lam  <mark.lam@apple.com>
1886
1887         jsc -d stopped working.
1888         https://bugs.webkit.org/show_bug.cgi?id=201787
1889
1890         Reviewed by Joseph Pecoraro.
1891
1892         The reason is because, in this case, the jsc shell is trying to set an option
1893         after the VM has been instantiated.  The fix is simply to move all options
1894         initialization before the VM is instantiated.
1895
1896         * jsc.cpp:
1897         (runWithOptions):
1898         (jscmain):
1899
1900 2019-09-13  Mark Lam  <mark.lam@apple.com>
1901
1902         watchOS requires PageSize alignment of 16K for JSC::Config.
1903         https://bugs.webkit.org/show_bug.cgi?id=201786
1904         <rdar://problem/55357890>
1905
1906         Reviewed by Yusuke Suzuki.
1907
1908         * runtime/JSCConfig.h:
1909
1910 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1911
1912         Unreviewed, follow-up fix after r249842
1913         https://bugs.webkit.org/show_bug.cgi?id=201750
1914
1915         Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.
1916
1917         * assembler/MacroAssemblerARM64.h:
1918         (JSC::MacroAssemblerARM64::nearCall):
1919         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
1920
1921 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
1922
1923         Date.prototype.toJSON does not execute steps 1-2
1924         https://bugs.webkit.org/show_bug.cgi?id=105282
1925
1926         Reviewed by Ross Kirsling.
1927
1928         According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
1929         strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
1930         using sloppy mode semantics, resulting in `toISOString` being called on the global object if `this`
1931         value equals `null` or `undefined`.
1932
1933         * runtime/DatePrototype.cpp:
1934         (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
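The observable effect of running steps 1-2 is that `Date.prototype.toJSON.call(null)` throws a `TypeError` instead of resolving `this` to the global object, and that a non-finite time value returns `null` before `toISOString` is ever looked up. The following is an added example, not WebKit code: it installs a decoy global `toISOString` (constructed here) that records whether it was reached, then calls the method with the receivers the spec steps distinguish. Under Node the engine is V8; the answers are those the specification requires.

```javascript
// Added example (not part of WebKit): the observable consequences of the spec
// steps the patch above implements. Date.prototype.toJSON is generic: step 1
// converts `this` with ToObject (so null/undefined throw instead of resolving to
// the global object), step 2 takes ToPrimitive(O, number) and returns null for a
// non-finite number, and only then is O.toISOString() looked up and called.

const decoy = { calls: 0 };
globalThis.toISOString = function () { decoy.calls++; return "DECOY"; };

const toJSON = Date.prototype.toJSON;

// Call toJSON with an explicit receiver and capture either the value or the
// name of the thrown error's constructor.
function callWith(thisValue) {
  try {
    return { value: toJSON.call(thisValue), threw: null };
  } catch (e) {
    return { value: undefined, threw: e.constructor.name };
  }
}

function observations() {
  decoy.calls = 0;
  const res = {
    // Step 1: ToObject(null) throws a TypeError; the global decoy must not run.
    nullThis: callWith(null),
    undefinedThis: callWith(undefined),
    // Step 2: non-finite time value -> null, toISOString never consulted.
    invalidDate: callWith(new Date(NaN)),
    infiniteValueOf: callWith({ valueOf: () => Infinity, toISOString: () => "NOPE" }),
    // Steps 3-4: a finite primitive falls through to O.toISOString().
    customObject: callWith({ valueOf: () => 0, toISOString: () => "custom" }),
    realDate: callWith(new Date(0)),
    // A missing toISOString after the early steps is a TypeError, not a fallback.
    missingToISOString: callWith({ valueOf: () => 0 }),
  };
  res.decoyCalls = decoy.calls;
  return res;
}
```

Before this fix, the `nullThis` case would have found the global `toISOString` and returned `"DECOY"`; after it, the decoy is never called.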
1935
1936 2019-09-13  Mark Lam  <mark.lam@apple.com>
1937
1938         performJITMemcpy() should do its !Gigacage assertion on exit.
1939         https://bugs.webkit.org/show_bug.cgi?id=201780
1940         <rdar://problem/55354867>
1941
1942         Reviewed by Robin Morisset.
1943
1944         Re-doing previous fix.
1945
1946         * jit/ExecutableAllocator.h:
1947         (JSC::performJITMemcpy):
1948         (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
1949         (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.
1950
1951 2019-09-13  Mark Lam  <mark.lam@apple.com>
1952
1953         performJITMemcpy() should do its !Gigacage assertion on exit.
1954         https://bugs.webkit.org/show_bug.cgi?id=201780
1955         <rdar://problem/55354867>
1956
1957         Reviewed by Robin Morisset.
1958
1959         * jit/ExecutableAllocator.h:
1960         (JSC::GigacageAssertScope::GigacageAssertScope):
1961         (JSC::GigacageAssertScope::~GigacageAssertScope):
1962         (JSC::performJITMemcpy):
1963
1964 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
1965
1966         [JSC] Micro-optimize YarrJIT's surrogate pair handling
1967         https://bugs.webkit.org/show_bug.cgi?id=201750
1968
1969         Reviewed by Michael Saboff.
1970
1971         Optimize sequence of machine code used to get code-point with unicode flag.
1972
1973         * yarr/YarrJIT.cpp:
1974         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1975
1976 2019-09-13  Mark Lam  <mark.lam@apple.com>
1977
1978         We should assert $vm is enabled on entry and exit in its functions.
1979         https://bugs.webkit.org/show_bug.cgi?id=201762
1980         <rdar://problem/55338742>
1981
1982         Rubber-stamped by Michael Saboff.
1983
1984         1. Also do the same for FunctionOverrides.
1985         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
1986         3. Also added assertions to lambda functions in $vm.
1987
1988         * tools/FunctionOverrides.cpp:
1989         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
1990         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
1991         (JSC::FunctionOverrides::overrides):
1992         (JSC::FunctionOverrides::FunctionOverrides):
1993         (JSC::FunctionOverrides::reinstallOverrides):
1994         (JSC::initializeOverrideInfo):
1995         (JSC::FunctionOverrides::initializeOverrideFor):
1996         (JSC::parseClause):
1997         (JSC::FunctionOverrides::parseOverridesInFile):
1998         * tools/JSDollarVM.cpp:
1999         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
2000         (JSC::JSDollarVMCallFrame::createStructure):
2001         (JSC::JSDollarVMCallFrame::create):
2002         (JSC::JSDollarVMCallFrame::finishCreation):
2003         (JSC::JSDollarVMCallFrame::addProperty):
2004         (JSC::Element::Element):
2005         (JSC::Element::create):
2006         (JSC::Element::visitChildren):
2007         (JSC::Element::createStructure):
2008         (JSC::Root::Root):
2009         (JSC::Root::setElement):
2010         (JSC::Root::create):
2011         (JSC::Root::createStructure):
2012         (JSC::Root::visitChildren):
2013         (JSC::SimpleObject::SimpleObject):
2014         (JSC::SimpleObject::create):
2015         (JSC::SimpleObject::visitChildren):
2016         (JSC::SimpleObject::createStructure):
2017         (JSC::ImpureGetter::ImpureGetter):
2018         (JSC::ImpureGetter::createStructure):
2019         (JSC::ImpureGetter::create):
2020         (JSC::ImpureGetter::finishCreation):
2021         (JSC::ImpureGetter::getOwnPropertySlot):
2022         (JSC::ImpureGetter::visitChildren):
2023         (JSC::CustomGetter::CustomGetter):
2024         (JSC::CustomGetter::createStructure):
2025         (JSC::CustomGetter::create):
2026         (JSC::CustomGetter::getOwnPropertySlot):
2027         (JSC::CustomGetter::customGetter):
2028         (JSC::CustomGetter::customGetterAcessor):
2029         (JSC::RuntimeArray::create):
2030         (JSC::RuntimeArray::destroy):
2031         (JSC::RuntimeArray::getOwnPropertySlot):
2032         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
2033         (JSC::RuntimeArray::createPrototype):
2034         (JSC::RuntimeArray::createStructure):
2035         (JSC::RuntimeArray::finishCreation):
2036         (JSC::RuntimeArray::RuntimeArray):
2037         (JSC::RuntimeArray::lengthGetter):
2038         (JSC::DOMJITNode::DOMJITNode):
2039         (JSC::DOMJITNode::createStructure):
2040         (JSC::DOMJITNode::checkSubClassSnippet):
2041         (JSC::DOMJITNode::create):
2042         (JSC::DOMJITGetter::DOMJITGetter):
2043         (JSC::DOMJITGetter::createStructure):
2044         (JSC::DOMJITGetter::create):
2045         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2046         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2047         (JSC::DOMJITGetter::customGetter):
2048         (JSC::DOMJITGetter::finishCreation):
2049         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
2050         (JSC::DOMJITGetterComplex::createStructure):
2051         (JSC::DOMJITGetterComplex::create):
2052         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2053         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2054         (JSC::DOMJITGetterComplex::functionEnableException):
2055         (JSC::DOMJITGetterComplex::customGetter):
2056         (JSC::DOMJITGetterComplex::finishCreation):
2057         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
2058         (JSC::DOMJITFunctionObject::createStructure):
2059         (JSC::DOMJITFunctionObject::create):
2060         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
2061         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2062         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
2063         (JSC::DOMJITFunctionObject::finishCreation):
2064         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2065         (JSC::DOMJITCheckSubClassObject::createStructure):
2066         (JSC::DOMJITCheckSubClassObject::create):
2067         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
2068         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2069         (JSC::DOMJITCheckSubClassObject::finishCreation):
2070         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2071         (JSC::DOMJITGetterBaseJSObject::createStructure):
2072         (JSC::DOMJITGetterBaseJSObject::create):
2073         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2074         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2075         (JSC::DOMJITGetterBaseJSObject::customGetter):
2076         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2077         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2078         (JSC::JSTestCustomGetterSetter::create):
2079         (JSC::JSTestCustomGetterSetter::createStructure):
2080         (JSC::customSetAccessor):
2081         (JSC::customSetValue):
2082         (JSC::JSTestCustomGetterSetter::finishCreation):
2083         (JSC::Element::handleOwner):
2084         (JSC::Element::finishCreation):
2085         (JSC::WasmStreamingParser::WasmStreamingParser):
2086         (JSC::WasmStreamingParser::create):
2087         (JSC::WasmStreamingParser::createStructure):
2088         (JSC::WasmStreamingParser::finishCreation):
2089         (JSC::functionWasmStreamingParserAddBytes):
2090         (JSC::functionWasmStreamingParserFinalize):
2091         (JSC::functionCrash):
2092         (JSC::functionBreakpoint):
2093         (JSC::functionDFGTrue):
2094         (JSC::functionFTLTrue):
2095         (JSC::functionCpuMfence):
2096         (JSC::functionCpuRdtsc):
2097         (JSC::functionCpuCpuid):
2098         (JSC::functionCpuPause):
2099         (JSC::functionCpuClflush):
2100         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2101         (JSC::getExecutableForFunction):
2102         (JSC::functionLLintTrue):
2103         (JSC::functionJITTrue):
2104         (JSC::functionNoInline):
2105         (JSC::functionGC):
2106         (JSC::functionEdenGC):
2107         (JSC::functionDumpSubspaceHashes):
2108         (JSC::functionCallFrame):
2109         (JSC::functionCodeBlockForFrame):
2110         (JSC::codeBlockFromArg):
2111         (JSC::functionCodeBlockFor):
2112         (JSC::functionDumpSourceFor):
2113         (JSC::functionDumpBytecodeFor):
2114         (JSC::doPrint):
2115         (JSC::functionDataLog):
2116         (JSC::functionPrint):
2117         (JSC::functionDumpCallFrame):
2118         (JSC::functionDumpStack):
2119         (JSC::functionDumpRegisters):
2120         (JSC::functionDumpCell):
2121         (JSC::functionIndexingMode):
2122         (JSC::functionInlineCapacity):
2123         (JSC::functionValue):
2124         (JSC::functionGetPID):
2125         (JSC::functionHaveABadTime):
2126         (JSC::functionIsHavingABadTime):
2127         (JSC::functionCreateGlobalObject):
2128         (JSC::functionCreateProxy):
2129         (JSC::functionCreateRuntimeArray):
2130         (JSC::functionCreateNullRopeString):
2131         (JSC::functionCreateImpureGetter):
2132         (JSC::functionCreateCustomGetterObject):
2133         (JSC::functionCreateDOMJITNodeObject):
2134         (JSC::functionCreateDOMJITGetterObject):
2135         (JSC::functionCreateDOMJITGetterComplexObject):
2136         (JSC::functionCreateDOMJITFunctionObject):
2137         (JSC::functionCreateDOMJITCheckSubClassObject):
2138         (JSC::functionCreateDOMJITGetterBaseJSObject):
2139         (JSC::functionCreateWasmStreamingParser):
2140         (JSC::functionSetImpureGetterDelegate):
2141         (JSC::functionCreateBuiltin):
2142         (JSC::functionGetPrivateProperty):
2143         (JSC::functionCreateRoot):
2144         (JSC::functionCreateElement):
2145         (JSC::functionGetElement):
2146         (JSC::functionCreateSimpleObject):
2147         (JSC::functionGetHiddenValue):
2148         (JSC::functionSetHiddenValue):
2149         (JSC::functionShadowChickenFunctionsOnStack):
2150         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2151         (JSC::functionFindTypeForExpression):
2152         (JSC::functionReturnTypeFor):
2153         (JSC::functionFlattenDictionaryObject):
2154         (JSC::functionDumpBasicBlockExecutionRanges):
2155         (JSC::functionHasBasicBlockExecuted):
2156         (JSC::functionBasicBlockExecutionCount):
2157         (JSC::functionEnableExceptionFuzz):
2158         (JSC::changeDebuggerModeWhenIdle):
2159         (JSC::functionEnableDebuggerModeWhenIdle):
2160         (JSC::functionDisableDebuggerModeWhenIdle):
2161         (JSC::functionDeleteAllCodeWhenIdle):
2162         (JSC::functionGlobalObjectCount):
2163         (JSC::functionGlobalObjectForObject):
2164         (JSC::functionGetGetterSetter):
2165         (JSC::functionLoadGetterFromGetterSetter):
2166         (JSC::functionCreateCustomTestGetterSetter):
2167         (JSC::functionDeltaBetweenButterflies):
2168         (JSC::functionTotalGCTime):
2169         (JSC::functionParseCount):
2170         (JSC::functionIsWasmSupported):
2171         (JSC::JSDollarVM::finishCreation):
2172         (JSC::JSDollarVM::addFunction):
2173         (JSC::JSDollarVM::addConstructibleFunction):
2174         * tools/JSDollarVM.h:
2175         (JSC::DollarVMAssertScope::DollarVMAssertScope):
2176         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
2177
2178 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
2179
2180         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
2181         https://bugs.webkit.org/show_bug.cgi?id=201535
2182         <rdar://problem/29119232>
2183
2184         Reviewed by Devin Rousso.
2185
2186         * debugger/Debugger.cpp:
2187         (JSC::Debugger::resolveBreakpoint):
2188         When resolving a breakpoint inside of an inline <script> we need to adjust
2189         based on the starting position of the <script> in the HTML resource.
2190
2191 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
2192
2193         [JSC] X86Registers.h callee-save register definition is wrong
2194         https://bugs.webkit.org/show_bug.cgi?id=201756
2195
2196         Reviewed by Mark Lam.
2197
2198         I think nobody is using the X86 JIT backend, but it is simply wrong.
2199         edi and esi should be callee-save.
2200
2201         * assembler/X86Registers.h:
2202
2203 2019-09-12  Mark Lam  <mark.lam@apple.com>
2204
2205         Harden JSC against the abuse of runtime options.
2206         https://bugs.webkit.org/show_bug.cgi?id=201597
2207         <rdar://problem/55167068>
2208
2209         Reviewed by Filip Pizlo.
2210
2211         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
2212
2213         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
2214            first VM instance is constructed.  The end of the VM constructor calls
2215            Config::permanentlyFreeze() which will make the Config ReadOnly.
2216
2217            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
2218            OS(WINDOWS) will need to implement some missing pieces before it can enable
2219            this hardening (see FIXME in JSCConfig.cpp).
2220
2221            The hardening strategy here is to put immutable global values into the Config.
2222            Any modifications that need to be made to these values must be done before the
2223            first VM instance is done instantiating.  This ensures that no script will
2224            ever run while the Config is still writable.
2225
2226            Also, the policy for this hardening is that a process is opted in by default.
2227            If there's a valid need to disable this hardening (e.g. for some test
2228            environments), the relevant process will need to opt itself out by calling
2229            Config::configureForTesting().
2230
2231            The jsc shell, WK2 UI and WebContent processes are opted in by default.
2232            Only test processes may opt out.
2233
2234         2. Put all JSC::Options in the Config.  This enforces the invariant that options
2235            can only be changed before we instantiate a VM.  Once a VM is instantiated,
2236            the options are immutable.
2237
2238         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
2239            Options::forceGCSlowPaths this way is no longer allowed.
2240
2241         4. Re-factored the Options code (Options.h) into:
2242            - OptionEntry.h: the data structure that stores the option values.
2243            - OptionsList.h: the list of options.
2244            - Options.h: the Options singleton object which is the interface for accessing options.
2245
2246            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
2247            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
2248            "JSC_OPTIONS(FOR_EACH_OPTION)".
2249
2250         5. Change testapi to call Config::configureForTesting().  Parts of testapi make
2251            use of setting options in its tests.  Hence, this hardening is disabled for
2252            testapi.
2253
2254            Note: the jsc shell does enable this hardening.
2255
2256         6. Put ExecutableAllocator's immutable globals in the Config.
2257
2258         7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
2259            FunctionOverrides test utility.
2260
2261         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
2262
2263            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
2264            that are non-trivial at an eye's glance.  This includes (but is not limited to):
2265                constructors
2266                create() factory
2267                createStructure() factory
2268                finishCreation()
2269                HOST_CALL or operation functions
2270                Constructors and methods of utility and test classes
2271
2272            The only exceptions are some constexpr constructors used for instantiating
2273            globals (since these must have trivial constructors) e.g. DOMJITAttribute.
2274            Instead, these constructors should always be ALWAYS_INLINE.
2275
2276         * API/glib/JSCOptions.cpp:
2277         (jscOptionsSetValue):
2278         (jscOptionsGetValue):
2279         (jsc_options_foreach):
2280         (jsc_options_get_option_group):
2281         * API/tests/testapi.c:
2282         (main):
2283         * API/tests/testapi.cpp:
2284         (configureJSCForTesting):
2285         * CMakeLists.txt:
2286         * JavaScriptCore.xcodeproj/project.pbxproj:
2287         * Sources.txt:
2288         * jit/ExecutableAllocator.cpp:
2289         (JSC::isJITEnabled):
2290         (JSC::ExecutableAllocator::setJITEnabled):
2291         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2292         (JSC::ExecutableAllocator::isValid const):
2293         (JSC::ExecutableAllocator::underMemoryPressure):
2294         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2295         (JSC::ExecutableAllocator::allocate):
2296         (JSC::ExecutableAllocator::isValidExecutableMemory):
2297         (JSC::ExecutableAllocator::getLock const):
2298         (JSC::ExecutableAllocator::committedByteCount):
2299         (JSC::ExecutableAllocator::dumpProfile):
2300         (JSC::startOfFixedExecutableMemoryPoolImpl):
2301         (JSC::endOfFixedExecutableMemoryPoolImpl):
2302         (JSC::isJITPC):
2303         (JSC::dumpJITMemory):
2304         (JSC::ExecutableAllocator::initialize):
2305         (JSC::ExecutableAllocator::singleton):
2306         * jit/ExecutableAllocator.h:
2307         (JSC::performJITMemcpy):
2308         * jsc.cpp:
2309         (GlobalObject::finishCreation):
2310         (functionJSCOptions):
2311         (jscmain):
2312         (functionForceGCSlowPaths): Deleted.
2313         * runtime/ConfigFile.cpp:
2314         (JSC::ConfigFile::parse):
2315         * runtime/InitializeThreading.cpp:
2316         (JSC::initializeThreading):
2317         * runtime/JSCConfig.cpp: Added.
2318         (JSC::Config::disableFreezingForTesting):
2319         (JSC::Config::enableRestrictedOptions):
2320         (JSC::Config::permanentlyFreeze):
2321         * runtime/JSCConfig.h: Added.
2322         (JSC::Config::configureForTesting):
2323         * runtime/JSGlobalObject.cpp:
2324         (JSC::JSGlobalObject::exposeDollarVM):
2325         * runtime/OptionEntry.h: Added.
2326         (JSC::OptionRange::operator= ):
2327         (JSC::OptionRange::rangeString const):
2328         * runtime/Options.cpp:
2329         (JSC::Options::isAvailable):
2330         (JSC::scaleJITPolicy):
2331         (JSC::Options::initialize):
2332         (JSC::Options::setOptions):
2333         (JSC::Options::setOptionWithoutAlias):
2334         (JSC::Options::setAliasedOption):
2335         (JSC::Option::dump const):
2336         (JSC::Option::operator== const):
2337         (): Deleted.
2338         (JSC::Options::enableRestrictedOptions): Deleted.
2339         * runtime/Options.h:
2340         (JSC::Option::Option):
2341         (JSC::Option::defaultOption const):
2342         (JSC::Option::boolVal):
2343         (JSC::Option::unsignedVal):
2344         (JSC::Option::doubleVal):
2345         (JSC::Option::int32Val):
2346         (JSC::Option::optionRangeVal):
2347         (JSC::Option::optionStringVal):
2348         (JSC::Option::gcLogLevelVal):
2349         (JSC::OptionRange::operator= ): Deleted.
2350         (JSC::OptionRange::rangeString const): Deleted.
2351         * runtime/OptionsList.h: Added.
2352         (JSC::countNumberOfJSCOptions):
2353         * runtime/VM.cpp:
2354         (JSC::VM::VM):
2355         * tools/FunctionOverrides.cpp:
2356         (JSC::FunctionOverrides::FunctionOverrides):
2357         (JSC::FunctionOverrides::reinstallOverrides):
2358         (JSC::FunctionOverrides::initializeOverrideFor):
2359         (JSC::FunctionOverrides::parseOverridesInFile):
2360         * tools/JSDollarVM.cpp:
2361         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
2362         (JSC::JSDollarVMCallFrame::createStructure):
2363         (JSC::JSDollarVMCallFrame::create):
2364         (JSC::JSDollarVMCallFrame::finishCreation):
2365         (JSC::JSDollarVMCallFrame::addProperty):
2366         (JSC::Element::Element):
2367         (JSC::Element::create):
2368         (JSC::Element::createStructure):
2369         (JSC::Root::Root):
2370         (JSC::Root::create):
2371         (JSC::Root::createStructure):
2372         (JSC::SimpleObject::SimpleObject):
2373         (JSC::SimpleObject::create):
2374         (JSC::SimpleObject::createStructure):
2375         (JSC::ImpureGetter::ImpureGetter):
2376         (JSC::ImpureGetter::createStructure):
2377         (JSC::ImpureGetter::create):
2378         (JSC::ImpureGetter::finishCreation):
2379         (JSC::ImpureGetter::getOwnPropertySlot):
2380         (JSC::CustomGetter::CustomGetter):
2381         (JSC::CustomGetter::createStructure):
2382         (JSC::CustomGetter::create):
2383         (JSC::CustomGetter::getOwnPropertySlot):
2384         (JSC::CustomGetter::customGetter):
2385         (JSC::CustomGetter::customGetterAcessor):
2386         (JSC::RuntimeArray::create):
2387         (JSC::RuntimeArray::destroy):
2388         (JSC::RuntimeArray::getOwnPropertySlot):
2389         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
2390         (JSC::RuntimeArray::createPrototype):
2391         (JSC::RuntimeArray::createStructure):
2392         (JSC::RuntimeArray::finishCreation):
2393         (JSC::RuntimeArray::RuntimeArray):
2394         (JSC::RuntimeArray::lengthGetter):
2395         (JSC::DOMJITNode::DOMJITNode):
2396         (JSC::DOMJITNode::createStructure):
2397         (JSC::DOMJITNode::checkSubClassSnippet):
2398         (JSC::DOMJITNode::create):
2399         (JSC::DOMJITGetter::DOMJITGetter):
2400         (JSC::DOMJITGetter::createStructure):
2401         (JSC::DOMJITGetter::create):
2402         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2403         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
2404         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2405         (JSC::DOMJITGetter::customGetter):
2406         (JSC::DOMJITGetter::finishCreation):
2407         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
2408         (JSC::DOMJITGetterComplex::createStructure):
2409         (JSC::DOMJITGetterComplex::create):
2410         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2411         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2412         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2413         (JSC::DOMJITGetterComplex::functionEnableException):
2414         (JSC::DOMJITGetterComplex::customGetter):
2415         (JSC::DOMJITGetterComplex::finishCreation):
2416         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
2417         (JSC::DOMJITFunctionObject::createStructure):
2418         (JSC::DOMJITFunctionObject::create):
2419         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
2420         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
2421         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
2422         (JSC::DOMJITFunctionObject::finishCreation):
2423         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2424         (JSC::DOMJITCheckSubClassObject::createStructure):
2425         (JSC::DOMJITCheckSubClassObject::create):
2426         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
2427         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
2428         (JSC::DOMJITCheckSubClassObject::finishCreation):
2429         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2430         (JSC::DOMJITGetterBaseJSObject::createStructure):
2431         (JSC::DOMJITGetterBaseJSObject::create):
2432         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2433         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2434         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2435         (JSC::DOMJITGetterBaseJSObject::customGetter):
2436         (JSC::DOMJITGetterBaseJSObject::finishCreation):
2437         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2438         (JSC::JSTestCustomGetterSetter::create):
2439         (JSC::JSTestCustomGetterSetter::createStructure):
2440         (JSC::customSetAccessor):
2441         (JSC::customSetValue):
2442         (JSC::JSTestCustomGetterSetter::finishCreation):
2443         (JSC::Element::handleOwner):
2444         (JSC::Element::finishCreation):
2445         (JSC::WasmStreamingParser::WasmStreamingParser):
2446         (JSC::WasmStreamingParser::create):
2447         (JSC::WasmStreamingParser::createStructure):
2448         (JSC::WasmStreamingParser::finishCreation):
2449         (JSC::functionWasmStreamingParserAddBytes):
2450         (JSC::functionWasmStreamingParserFinalize):
2451         (JSC::functionCrash):
2452         (JSC::functionBreakpoint):
2453         (JSC::functionDFGTrue):
2454         (JSC::functionFTLTrue):
2455         (JSC::functionCpuMfence):
2456         (JSC::functionCpuRdtsc):
2457         (JSC::functionCpuCpuid):
2458         (JSC::functionCpuPause):
2459         (JSC::functionCpuClflush):
2460         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2461         (JSC::getExecutableForFunction):
2462         (JSC::functionLLintTrue):
2463         (JSC::functionJITTrue):
2464         (JSC::functionNoInline):
2465         (JSC::functionGC):
2466         (JSC::functionEdenGC):
2467         (JSC::functionDumpSubspaceHashes):
2468         (JSC::functionCallFrame):
2469         (JSC::functionCodeBlockForFrame):
2470         (JSC::codeBlockFromArg):
2471         (JSC::functionCodeBlockFor):
2472         (JSC::functionDumpSourceFor):
2473         (JSC::functionDumpBytecodeFor):
2474         (JSC::doPrint):
2475         (JSC::functionDataLog):
2476         (JSC::functionPrint):
2477         (JSC::functionDumpCallFrame):
2478         (JSC::functionDumpStack):
2479         (JSC::functionDumpRegisters):
2480         (JSC::functionDumpCell):
2481         (JSC::functionIndexingMode):
2482         (JSC::functionInlineCapacity):
2483         (JSC::functionValue):
2484         (JSC::functionGetPID):
2485         (JSC::functionHaveABadTime):
2486         (JSC::functionIsHavingABadTime):
2487         (JSC::functionCreateGlobalObject):
2488         (JSC::functionCreateProxy):
2489         (JSC::functionCreateRuntimeArray):
2490         (JSC::functionCreateNullRopeString):
2491         (JSC::functionCreateImpureGetter):
2492         (JSC::functionCreateCustomGetterObject):
2493         (JSC::functionCreateDOMJITNodeObject):
2494         (JSC::functionCreateDOMJITGetterObject):
2495         (JSC::functionCreateDOMJITGetterComplexObject):
2496         (JSC::functionCreateDOMJITFunctionObject):
2497         (JSC::functionCreateDOMJITCheckSubClassObject):
2498         (JSC::functionCreateDOMJITGetterBaseJSObject):
2499         (JSC::functionCreateWasmStreamingParser):
2500         (JSC::functionSetImpureGetterDelegate):
2501         (JSC::functionCreateBuiltin):
2502         (JSC::functionGetPrivateProperty):
2503         (JSC::functionCreateRoot):
2504         (JSC::functionCreateElement):
2505         (JSC::functionGetElement):
2506         (JSC::functionCreateSimpleObject):
2507         (JSC::functionGetHiddenValue):
2508         (JSC::functionSetHiddenValue):
2509         (JSC::functionShadowChickenFunctionsOnStack):
2510         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2511         (JSC::functionFindTypeForExpression):
2512         (JSC::functionReturnTypeFor):
2513         (JSC::functionFlattenDictionaryObject):
2514         (JSC::functionDumpBasicBlockExecutionRanges):
2515         (JSC::functionHasBasicBlockExecuted):
2516         (JSC::functionBasicBlockExecutionCount):
2517         (JSC::functionEnableExceptionFuzz):
2518         (JSC::changeDebuggerModeWhenIdle):
2519         (JSC::functionEnableDebuggerModeWhenIdle):
2520         (JSC::functionDisableDebuggerModeWhenIdle):
2521         (JSC::functionDeleteAllCodeWhenIdle):
2522         (JSC::functionGlobalObjectCount):
2523         (JSC::functionGlobalObjectForObject):
2524         (JSC::functionGetGetterSetter):
2525         (JSC::functionLoadGetterFromGetterSetter):
2526         (JSC::functionCreateCustomTestGetterSetter):
2527         (JSC::functionDeltaBetweenButterflies):
2528         (JSC::functionTotalGCTime):
2529         (JSC::functionParseCount):
2530         (JSC::functionIsWasmSupported):
2531         (JSC::JSDollarVM::finishCreation):
2532         (JSC::JSDollarVM::addFunction):
2533         (JSC::JSDollarVM::addConstructibleFunction):
2534         * tools/JSDollarVM.h:
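
        The freeze policy of items 1, 2 and 8 above, as an added C sketch that is not JavaScriptCore's code: the names Config, permanentlyFreeze, configureForTesting and useDollarVM are taken from the entry, while the page-sized union, the sysconf/mprotect check and the setter that refuses instead of faulting are this example's own assumptions. Options live in one page-aligned global, the last step of "VM construction" makes that page read-only, and after that point no setter succeeds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Sized and aligned to a multiple of both 4 KiB and 16 KiB pages, so the
 * config occupies whole pages that no other global shares (assumption). */
#define CONFIG_BYTES 16384

typedef struct {
    /* Option values that must be immutable once any script can run. */
    bool useDollarVM;
    bool useJIT;
    uint32_t maxPerThreadStackUsage;
    /* The freeze state lives inside the protected page too, so a write to an
     * ordinary global cannot flip the process back into a writable state. */
    bool isPermanentlyFrozen;
    bool freezingDisabledForTesting;
} ConfigFields;

typedef union {
    ConfigFields fields;
    unsigned char pad[CONFIG_BYTES];
} Config;

static Config g_config __attribute__((aligned(CONFIG_BYTES))) = {
    .fields = { .useDollarVM = false, .useJIT = true, .maxPerThreadStackUsage = 4u << 20 }
};

/* Opt-out reserved for test processes; only honoured before the freeze. */
bool configureForTesting(void)
{
    if (g_config.fields.isPermanentlyFrozen)
        return false;
    g_config.fields.freezingDisabledForTesting = true;
    return true;
}

/* Setters check the flag first and refuse after the freeze. Any other write
 * to the page (a bug, or an attacker's arbitrary write) faults with SIGSEGV,
 * which is exactly the protection the read-only mapping is meant to give. */
bool setUseDollarVM(bool value)
{
    if (g_config.fields.isPermanentlyFrozen)
        return false;
    g_config.fields.useDollarVM = value;
    return true;
}

bool useDollarVM(void) { return g_config.fields.useDollarVM; }
bool isConfigFrozen(void) { return g_config.fields.isPermanentlyFrozen; }

/* Called at the end of "VM construction". Returns 0 on success or when the
 * process opted out, -1 if the page could not be made read-only. */
int permanentlyFreeze(void)
{
    if (g_config.fields.isPermanentlyFrozen || g_config.fields.freezingDisabledForTesting)
        return 0;
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || (size_t)page > sizeof g_config
        || ((uintptr_t)&g_config % (uintptr_t)page) != 0)
        return -1;
    g_config.fields.isPermanentlyFrozen = true;   /* last write before protection */
    if (mprotect(&g_config, sizeof g_config, PROT_READ) != 0) {
        perror("mprotect");
        return -1;
    }
    return 0;
}

int main(void)
{
    setUseDollarVM(true);                 /* allowed: no VM constructed yet */
    if (permanentlyFreeze() != 0)
        return 1;
    printf("frozen=%d useDollarVM=%d setAfterFreeze=%d\n",
           isConfigFrozen(), useDollarVM(), setUseDollarVM(false));
    return 0;
}
```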
2535
2536 2019-09-11  Devin Rousso  <drousso@apple.com>
2537
2538         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
2539         https://bugs.webkit.org/show_bug.cgi?id=201650
2540
2541         Reviewed by Joseph Pecoraro.
2542
2543         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
2544
2545         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
2546         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
2547         `-webkit-canvas` client of a `WebGPUDevice`.
2548
2549         * inspector/protocol/Canvas.json:
2550          - Add `powerPreference` key to `ContextAttributes` type.
2551          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
2552          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
2553          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
2554            really a "canvas".
2555
2556 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
2557
2558         [JSC] Add StringCodePointAt intrinsic
2559         https://bugs.webkit.org/show_bug.cgi?id=201673
2560
2561         Reviewed by Michael Saboff.
2562
2563         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL as we already do for String#charCodeAt.
2564         This patch adds this support for String#codePointAt to get ~10% score improvement in JetStream2/UniPoker.
2565
2566         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as a StringCodePointAt node, and emit
2567         inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as StringCharAt. It has String array-mode, so it emits a
2568         preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
2569         check. This is just the same as the existing StringCharCodeAt mechanism.
2570
2571         * dfg/DFGAbstractInterpreterInlines.h:
2572         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2573         * dfg/DFGBackwardsPropagationPhase.cpp:
2574         (JSC::DFG::BackwardsPropagationPhase::propagate):
2575         * dfg/DFGByteCodeParser.cpp:
2576         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2577         * dfg/DFGClobberize.h:
2578         (JSC::DFG::clobberize):
2579         * dfg/DFGDoesGC.cpp:
2580         (JSC::DFG::doesGC):
2581         * dfg/DFGFixupPhase.cpp:
2582         (JSC::DFG::FixupPhase::fixupNode):
2583         * dfg/DFGNode.h:
2584         (JSC::DFG::Node::hasArrayMode):
2585         * dfg/DFGNodeType.h:
2586         * dfg/DFGPredictionPropagationPhase.cpp:
2587         * dfg/DFGSafeToExecute.h:
2588         (JSC::DFG::safeToExecute):
2589         * dfg/DFGSpeculativeJIT.h:
2590         * dfg/DFGSpeculativeJIT32_64.cpp:
2591         (JSC::DFG::SpeculativeJIT::compile):
2592         * dfg/DFGSpeculativeJIT64.cpp:
2593         (JSC::DFG::SpeculativeJIT::compile):
2594         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
2595         * ftl/FTLCapabilities.cpp:
2596         (JSC::FTL::canCompile):
2597         * ftl/FTLLowerDFGToB3.cpp:
2598         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2599         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
2600         * jit/JITInlines.h:
2601         (JSC::JIT::emitLoadCharacterString):
2602         * jit/ThunkGenerators.cpp:
2603         (JSC::stringGetByValGenerator):
2604         (JSC::stringCharLoad):
2605         (JSC::stringPrototypeCodePointAtThunkGenerator):
2606         * jit/ThunkGenerators.h:
2607         * runtime/Intrinsic.cpp:
2608         (JSC::intrinsicName):
2609         * runtime/Intrinsic.h:
2610         * runtime/StringPrototype.cpp:
2611         (JSC::StringPrototype::finishCreation):
2612         * runtime/VM.cpp:
2613         (JSC::thunkGeneratorForIntrinsic):
2614
2615 2019-09-11  Michael Saboff  <msaboff@apple.com>
2616
2617         JSC crashes due to stack overflow while building RegExp
2618         https://bugs.webkit.org/show_bug.cgi?id=201649
2619
2620         Reviewed by Yusuke Suzuki.
2621
2622         Check for running out of stack when we are optimizing RegExp containing BOL terms or
2623         other deep copying of disjunctions.
2624
2625         * yarr/YarrPattern.cpp:
2626         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
2627         (JSC::Yarr::YarrPatternConstructor::copyTerm):
2628         (JSC::Yarr::YarrPatternConstructor::error):
2629         (JSC::Yarr::YarrPattern::compile):
2630
2631 2019-09-11  Truitt Savell  <tsavell@apple.com>
2632
2633         Unreviewed, rolling out r249753.
2634
2635         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
2636         crash on all Mac platforms.
2637
2638         Reverted changeset:
2639
2640         "Web Inspector: Canvas: instrument WebGPUDevice instead of
2641         GPUCanvasContext"
2642         https://bugs.webkit.org/show_bug.cgi?id=201650
2643         https://trac.webkit.org/changeset/249753
2644
2645 2019-09-10  Devin Rousso  <drousso@apple.com>
2646
2647         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
2648         https://bugs.webkit.org/show_bug.cgi?id=201650
2649
2650         Reviewed by Joseph Pecoraro.
2651
2652         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
2653
2654         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
2655         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
2656         `-webkit-canvas` client of a `WebGPUDevice`.
2657
2658         * inspector/protocol/Canvas.json:
2659          - Add `powerPreference` key to `ContextAttributes` type.
2660          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
2661          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
2662          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
2663            really a "canvas".
2664
2665 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2666
2667         [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3
2668         https://bugs.webkit.org/show_bug.cgi?id=201634
2669
2670         Reviewed by Mark Lam and Robin Morisset.
2671
2672         This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction.
2673
2674         1. 32bit bitwise operation with allOne constants
2675
2676             Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
2677             For example, in BitAnd strength reduction,
2678
2679                 // Turn this: BitAnd(value, all-ones)
2680                 // Into this: value.
2681                 if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
2682                     || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
2683                     replaceWithIdentity(m_value->child(0));
2684                     break;
2685                 }
2686
2687             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
2688
2689                 inline bool Value::isInt(int64_t value) const
2690                 {
2691                     return hasInt() && asInt() == value;
2692                 }
2693
2694             So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
2695
2696                 inline int64_t Value::asInt() const
2697                 {
2698                     return hasInt32() ? asInt32() : asInt64();
2699                 }
2700
2701             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
2702             We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
2703
2704         2. BitAnd and BitOr strength reduction bug
2705
2706             We also fix the following optimization.
2707
2708                 // Turn this: BitAnd(Op(value, constant1), constant2)
2709                 //     where !(constant1 & constant2)
2710                 //       and Op is BitOr or BitXor
2711                 // into this: BitAnd(value, constant2)
2712
2713             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
2714
2715                 // Turn this: BitAnd(BitXor(x, allOnes), c)
2716                 // Into this: BitXor(BitOr(x, ~c), allOnes)
2717
2718             And we also found that this unused optimization has a bug in that it does not insert the newly produced constant B3::Value. This patch also fixes it.
2719
2720         For both, this patch adds tests. And the fix for (2) can be verified by checking that testb3 does not crash with the validate-graph option.
2721
2722         * b3/B3LowerToAir.cpp:
2723         * b3/B3ReduceStrength.cpp:
2724         * b3/testb3.h:
2725         * b3/testb3_2.cpp:
2726         (testBitAndNotNot32):
2727         (testBitAndNotImm):
2728         (testBitAndNotImm32):
2729         (testBitOrAndAndArgs32):
2730         (testBitOrAndSameArgs32):
2731         (testBitOrNotNot32):
2732         (testBitOrNotImm32):
2733         (addBitTests):
2734         * b3/testb3_3.cpp:
2735         (testBitXorAndAndArgs32):
2736         (testBitXorAndSameArgs32):
2737
2738 2019-09-10  Commit Queue  <commit-queue@webkit.org>
2739
2740         Unreviewed, rolling out r249721.
2741         https://bugs.webkit.org/show_bug.cgi?id=201667
2742
2743         Discovering existing bug (Requested by yusukesuzuki on
2744         #webkit).
2745
2746         Reverted changeset:
2747
2748         "[JSC] 32bit bitwise operation with all-one (-1) is wrong in
2749         B3"
2750         https://bugs.webkit.org/show_bug.cgi?id=201634
2751         https://trac.webkit.org/changeset/249721
2752
2753 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2754
2755         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
2756         https://bugs.webkit.org/show_bug.cgi?id=201664
2757         <rdar://problem/52126927>
2758
2759         Reviewed by Tadeu Zagallo.
2760
2761         We are hitting a crash accessing an invalid pointer returned as the CodeBlock::calleeSaveRegisters result.
2762         This is because the concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
2763         Since m_jitData can be initialized in the main thread while CodeBlock::calleeSaveRegisters is being called from the concurrent Baseline JIT compiler thread,
2764         we can see a half-baked JITData structure which holds garbage pointers.
2765
2766         But we do not want to make the CodeBlock::calleeSaveRegisters() call take CodeBlock::m_lock, for several reasons.
2767
2768         1. This function is a very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
2769            called while holding this exact same lock, so a deadlock can happen.
2770         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlocks. And DFG and FTL code accesses this field after initializing it properly. For the Baseline JIT
2771            compiler case, the only thing we should do is ensure that JITData says m_calleeSaveRegisters is nullptr and that it won't be filled for this CodeBlock.
2772
2773         Instead of guarding the CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts a WTF::storeStoreFence when filling m_jitData. This ensures that
2774         JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to the concurrent Baseline JIT compiler thread.
2775
2776         * bytecode/CodeBlock.cpp:
2777         (JSC::CodeBlock::ensureJITDataSlow):
2778
2779 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2780
2781         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
2782         https://bugs.webkit.org/show_bug.cgi?id=198253
2783
2784         Reviewed by Mark Lam.
2785
2786         ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32.
2787         When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs in the slow path. And eventually DFG first mis-compiles
2788         it with Int32 ArithDiv while that div always produces a double. And an unnecessary OSR exit happens.
2789
2790         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
2791
2792         * parser/ResultType.h:
2793         (JSC::ResultType::bigIntOrInt32Type):
2794
2795 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2796
2797         [JSC] 32bit bitwise operation with all-one (-1) is wrong in B3
2798         https://bugs.webkit.org/show_bug.cgi?id=201634
2799
2800         Reviewed by Mark Lam.
2801
2802         Accidentally, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
2803         For example, in BitAnd strength reduction,
2804
2805             // Turn this: BitAnd(value, all-ones)
2806             // Into this: value.
2807             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
2808                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
2809                 replaceWithIdentity(m_value->child(0));
2810                 break;
2811             }
2812
2813         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
2814
2815             inline bool Value::isInt(int64_t value) const
2816             {
2817                 return hasInt() && asInt() == value;
2818             }
2819
2820         So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
2821
2822             inline int64_t Value::asInt() const
2823             {
2824                 return hasInt32() ? asInt32() : asInt64();
2825             }
2826
2827         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
2828         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
2829
2830         We also fix the following optimization.
2831
2832             // Turn this: BitAnd(Op(value, constant1), constant2)
2833             //     where !(constant1 & constant2)
2834             //       and Op is BitOr or BitXor
2835             // into this: BitAnd(value, constant2)
2836
2837         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
2838
2839             // Turn this: BitAnd(BitXor(x, allOnes), c)
2840             // Into this: BitXor(BitOr(x, ~c), allOnes)
2841
2842         We add 32bit version of B3 tests for these optimizations.
2843
2844         * b3/B3LowerToAir.cpp:
2845         * b3/B3ReduceStrength.cpp:
2846         * b3/testb3.h:
2847         * b3/testb3_2.cpp:
2848         (testBitAndNotNot32):
2849         (testBitAndNotImm):
2850         (testBitAndNotImm32):
2851         (testBitOrAndAndArgs32):
2852         (testBitOrAndSameArgs32):
2853         (testBitOrNotNot32):
2854         (testBitOrNotImm32):
2855         (addBitTests):
2856         * b3/testb3_3.cpp:
2857         (testBitXorAndAndArgs32):
2858         (testBitXorAndSameArgs32):
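
The sign-extension pitfall described in this entry and in its re-landing earlier on this page, as an added example that is not JSC's or B3's code: a hypothetical `ConstValue` type mirrors the quoted `isInt`/`asInt` shape so the buggy all-ones check can be compared with a width-aware one, and `xorMaskRewriteHolds32` is a constructed check of the BitXor/BitOr rewrite identity for 32-bit operands.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical stand-in for a B3 constant node (not B3's own Value class).
// A 32-bit constant is kept sign-extended in a 64-bit payload, which is what
// makes an int64_t equality test misleading for bit patterns.
struct ConstValue {
    enum class Kind { Int32, Int64 };
    Kind kind;
    int64_t payload;

    static ConstValue constInt32(int32_t v) { return { Kind::Int32, v }; }
    static ConstValue constInt64(int64_t v) { return { Kind::Int64, v }; }

    bool hasInt32() const { return kind == Kind::Int32; }
    bool hasInt64() const { return kind == Kind::Int64; }
    int32_t asInt32() const { return static_cast<int32_t>(payload); }
    int64_t asInt64() const { return payload; }

    // Same shape as the isInt()/asInt() pair quoted in the ChangeLog:
    // the Int32 payload is widened (sign-extended) before comparing.
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }
    bool isInt(int64_t value) const { return asInt() == value; }

    // Width-aware checks: the argument is a bit pattern of the node's own width.
    bool isInt32(int32_t value) const { return hasInt32() && asInt32() == value; }
    bool isInt64(int64_t value) const { return hasInt64() && asInt64() == value; }
};

// "Is this BitAnd mask all ones?" written the way the buggy reduction did it.
// For constInt32(-1), asInt() is -1 but UINT32_MAX widens to 4294967295,
// so the test fails and BitAnd(value, all-ones) is never simplified.
bool isAllOnesMaskBuggy(const ConstValue& mask)
{
    if (mask.hasInt64())
        return mask.isInt(std::numeric_limits<uint64_t>::max());
    return mask.isInt(std::numeric_limits<uint32_t>::max());
}

// The corrected check compares within the operand's own width.
bool isAllOnesMaskFixed(const ConstValue& mask)
{
    if (mask.hasInt64())
        return mask.isInt64(-1);
    return mask.isInt32(-1);
}

// Constructed check for the rewrite the ChangeLog says was never reached:
//   BitAnd(BitXor(x, allOnes), c)  ->  BitXor(BitOr(x, ~c), allOnes)
// Both sides equal ~x & c (De Morgan), here evaluated on 32-bit operands.
bool xorMaskRewriteHolds32(uint32_t x, uint32_t c)
{
    uint32_t before = (x ^ 0xffffffffu) & c;
    uint32_t after = (x | ~c) ^ 0xffffffffu;
    return before == after;
}
```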
2859
2860 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
2861
2862         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
2863         https://bugs.webkit.org/show_bug.cgi?id=189043
2864
2865         Reviewed by Keith Miller.
2866
2867         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan,
2868         and removes Wasm::ModuleParser. This patch paves the way for implementing Wasm streaming features by
2869         using Wasm::StreamingParser.
2870
2871         Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will
2872         create a mechanism to pipe chunks of data to the streaming parser to enable WebAssembly.compileStreaming
2873         and instantiateStreaming.
2874
2875         * JavaScriptCore.xcodeproj/project.pbxproj:
2876         * Sources.txt:
2877         * tools/JSDollarVM.cpp:
2878         (JSC::WasmStreamingParser::WasmStreamingParser):
2879         * wasm/WasmAirIRGenerator.cpp:
2880         (JSC::Wasm::parseAndCompileAir):
2881         * wasm/WasmAirIRGenerator.h:
2882         * wasm/WasmB3IRGenerator.cpp:
2883         (JSC::Wasm::parseAndCompile): Use FunctionData, which is good since it is more strongly typed.
2884         * wasm/WasmB3IRGenerator.h:
2885         * wasm/WasmBBQPlan.cpp:
2886         (JSC::Wasm::BBQPlan::BBQPlan):
2887         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
2888         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
2889         (JSC::Wasm::BBQPlan::compileFunctions):
2890         (JSC::Wasm::BBQPlan::complete):
2891         * wasm/WasmBBQPlan.h:
2892         * wasm/WasmModuleParser.cpp: Removed.
2893         * wasm/WasmModuleParser.h: Removed.
2894         * wasm/WasmOMGForOSREntryPlan.cpp:
2895         (JSC::Wasm::OMGForOSREntryPlan::work):
2896         * wasm/WasmOMGPlan.cpp:
2897         (JSC::Wasm::OMGPlan::work):
2898         * wasm/WasmPlan.cpp:
2899         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
2900         * wasm/WasmSectionParser.cpp:
2901         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
2902         * wasm/WasmStreamingParser.cpp:
2903         (JSC::Wasm::StreamingParser::StreamingParser):
2904         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
2905         (JSC::Wasm::StreamingParser::parseFunctionPayload):
2906         (JSC::Wasm::StreamingParser::parseSectionPayload):
2907         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
2908         * wasm/WasmStreamingParser.h:
2909         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
2910         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
2911         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
2912         which has 3 callbacks right now. StreamingParser gets this client and calls these callbacks
2913         at appropriate timings.
2914         * wasm/WasmValidate.cpp:
2915         (JSC::Wasm::validateFunction):
2916         * wasm/WasmValidate.h: Use FunctionData, which is good since it is more strongly typed.
2917
2918 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2919
2920         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
2921         https://bugs.webkit.org/show_bug.cgi?id=201622
2922
2923         Reviewed by Mark Lam.
2924
2925         CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, but some places reallocate
2926         this Vector without taking the lock. If the Vector's memory is reallocated while the concurrent collector is iterating it,
2927         the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.
2928
2929         * bytecode/CodeBlock.cpp:
2930         (JSC::CodeBlock::finishCreation):
2931         (JSC::CodeBlock::setConstantRegisters):
2932         * bytecode/CodeBlock.h:
2933         (JSC::CodeBlock::addConstant):
2934         (JSC::CodeBlock::addConstantLazily):
2935         * dfg/DFGDesiredWatchpoints.cpp:
2936         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2937         (JSC::DFG::SymbolTableAdaptor::add):
2938         (JSC::DFG::FunctionExecutableAdaptor::add):
2939         * dfg/DFGGraph.cpp:
2940         (JSC::DFG::Graph::registerFrozenValues):
2941         * dfg/DFGJITFinalizer.cpp:
2942         (JSC::DFG::JITFinalizer::finalizeCommon):
2943         * dfg/DFGLazyJSValue.cpp:
2944         (JSC::DFG::LazyJSValue::emit const):
2945
2946 2019-09-09  Robin Morisset  <rmorisset@apple.com>
2947
2948         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
2949         https://bugs.webkit.org/show_bug.cgi?id=197305
2950
2951         Reviewed by Keith Miller.
2952
2953         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
2954         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
2955
2956         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
2957         Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
2958
2959         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
2960         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
2961
2962         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
2963
2964         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2965
2966 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
2967
2968         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
2969         https://bugs.webkit.org/show_bug.cgi?id=201613
2970
2971         Reviewed by Mark Lam.
2972
2973         We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
2974         since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
2975         issue that `op_create_promise` missed propertyAccessInstructions registration (the name "propertyAccessInstructions" is
2976         misleading; it is more like "instructions-requires-llint-finalize").
2977
2978         * bytecode/CodeBlock.cpp:
2979         (JSC::CodeBlock::propagateTransitions):
2980         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2981         * bytecode/UnlinkedCodeBlock.cpp:
2982         (JSC::UnlinkedCodeBlock::applyModification):
2983         (JSC::UnlinkedCodeBlock::shrinkToFit):
2984         * bytecode/UnlinkedCodeBlock.h:
2985         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
2986         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
2987         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
2988         * bytecompiler/BytecodeGenerator.cpp:
2989         (JSC::BytecodeGenerator::emitResolveScope):
2990         (JSC::BytecodeGenerator::emitGetFromScope):
2991         (JSC::BytecodeGenerator::emitPutToScope):
2992         (JSC::BytecodeGenerator::emitGetById):
2993         (JSC::BytecodeGenerator::emitDirectGetById):
2994         (JSC::BytecodeGenerator::emitPutById):
2995         (JSC::BytecodeGenerator::emitDirectPutById):
2996         (JSC::BytecodeGenerator::emitCreateThis):
2997         (JSC::BytecodeGenerator::emitToThis):
2998         * runtime/CachedTypes.cpp:
2999         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
3000         (JSC::CachedCodeBlock<CodeBlockType>::encode):
3001
3002 2019-09-07  Keith Miller  <keith_miller@apple.com>
3003
3004         OSR entry into wasm misses some contexts
3005         https://bugs.webkit.org/show_bug.cgi?id=201569
3006
3007         Reviewed by Yusuke Suzuki.
3008
3009         This patch fixes an issue where we could fail to capture some of
3010         our contexts when OSR entering into wasm code. Before we would
3011         only capture the state of the block immediately surrounding the
3012         entrance loop block header. We actually need to capture all
3013         enclosed stacks.
3014
3015         Additionally, we don't need to use variables for all the captured
3016         values. We can use a Phi and insert an upsilon just below the
3017         captured value.
3018
3019         * interpreter/CallFrame.h:
3020         * jsc.cpp:
3021         (GlobalObject::finishCreation):
3022         (functionCallerIsOMGCompiled):
3023         * wasm/WasmAirIRGenerator.cpp:
3024         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3025         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
3026         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
3027         (JSC::Wasm::AirIRGenerator::addLoop):
3028         * wasm/WasmB3IRGenerator.cpp:
3029         (JSC::Wasm::B3IRGenerator::createStack):
3030         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3031         (JSC::Wasm::B3IRGenerator::addConstant):
3032         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
3033         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
3034         (JSC::Wasm::B3IRGenerator::addLoop):
3035         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
3036         (JSC::Wasm::dumpExpressionStack):
3037         (JSC::Wasm::B3IRGenerator::dump):
3038         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
3039         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
3040         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
3041         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
3042         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
3043         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
3044         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
3045         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
3046         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
3047         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
3048         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
3049         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
3050         * wasm/WasmFunctionParser.h:
3051         (JSC::Wasm::FunctionParser::controlStack):
3052
3053 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
3054
3055         [JSC] Promise resolve/reject functions should be created more efficiently
3056         https://bugs.webkit.org/show_bug.cgi?id=201488
3057
3058         Reviewed by Mark Lam.
3059
3060         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it forces FunctionRareData allocations.
3061         Unfortunately, anonymous builtin functions can be created frequently since this type of function is used
3062         for the `resolve` and `reject` arguments of a Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
3063         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
3064
3065         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
3066         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
3067         anonymous-builtin-function creation faster.
3068
3069         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
3070         The simple microbenchmark shows 1.7x improvement.
3071
3072                                               ToT                     Patched
3073
3074             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
3075
3076         * dfg/DFGSpeculativeJIT.cpp:
3077         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3078         * ftl/FTLLowerDFGToB3.cpp:
3079         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3080         * runtime/FunctionRareData.cpp:
3081         (JSC::FunctionRareData::create):
3082         (JSC::FunctionRareData::FunctionRareData):
3083         * runtime/FunctionRareData.h:
3084         * runtime/JSFunction.cpp:
3085         (JSC::JSFunction::finishCreation):
3086         (JSC::JSFunction::allocateRareData):
3087         (JSC::JSFunction::allocateAndInitializeRareData):
3088         * runtime/JSFunctionInlines.h:
3089         (JSC::JSFunction::hasReifiedName const):
3090
3091 2019-09-07  Mark Lam  <mark.lam@apple.com>
3092
3093         performJITMemcpy() source buffer should not be in the Gigacage.
3094         https://bugs.webkit.org/show_bug.cgi?id=201577
3095         <rdar://problem/55142606>
3096
3097         Reviewed by Michael Saboff.
3098
3099         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
3100         buffer is not in the Gigacage.
3101
3102         * jit/ExecutableAllocator.h:
3103         (JSC::performJITMemcpy):
3104
3105 2019-09-07  Mark Lam  <mark.lam@apple.com>
3106
3107         The jsc shell should allow disabling of the Gigacage for testing purposes.
3108         https://bugs.webkit.org/show_bug.cgi?id=201579
3109
3110         Reviewed by Michael Saboff.
3111
3112         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
3113         this env var is present and it has a falsy value, then do not
3114         forbidDisablingPrimitiveGigacage() in the jsc shell.
3115
3116         * jsc.cpp:
3117         (jscmain):
3118
3119 2019-09-06  Mark Lam  <mark.lam@apple.com>
3120
3121         Harden protection of the Gigacage Config parameters.
3122         https://bugs.webkit.org/show_bug.cgi?id=201570
3123         <rdar://problem/55134229>
3124
3125         Reviewed by Saam Barati.
3126
3127         Just renaming some function names here.
3128
3129         * assembler/testmasm.cpp:
3130         (JSC::testCagePreservesPACFailureBit):
3131         * jit/AssemblyHelpers.h:
3132         (JSC::AssemblyHelpers::cageConditionally):
3133         * jsc.cpp:
3134         (jscmain):
3135
3136 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
3137
3138         Math.round() produces wrong result for value prior to 0.5
3139         https://bugs.webkit.org/show_bug.cgi?id=185115
3140
3141         Reviewed by Saam Barati.
3142
3143         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
3144         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
3145
3146         Specifically:
3147           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
3148             so taking the difference between `ceil(value)` and `value` is problematic.
3149           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
3150             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
3151
3152         * dfg/DFGSpeculativeJIT.cpp:
3153         (JSC::DFG::SpeculativeJIT::compileArithRounding):
3154         * ftl/FTLLowerDFGToB3.cpp:
3155         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3156         * jit/ThunkGenerators.cpp:
3157         (JSC::roundThunkGenerator):
3158         * runtime/MathCommon.cpp:
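
The 0.49999999999999994 case from this entry, worked through as an added example that is not JSC's code: `roundAddHalf`, `roundCeilDiff` and `roundFloorFrac` are hypothetical models of the two approaches the entry calls problematic and of one that avoids both.

```cpp
#include <cmath>

// Hypothetical models (not JSC's code) of three ways to implement
// JavaScript's Math.round, which rounds halves toward +Infinity.
// The interesting input is 0.49999999999999994, the largest double below 0.5.

// floor(x + 0.5): the sum 0.49999999999999994 + 0.5 is not representable
// and rounds (ties-to-even) to exactly 1.0, so this returns 1 instead of 0.
double roundAddHalf(double x)
{
    return std::floor(x + 0.5);
}

// ceil(x), then step down when the gap to x exceeds 0.5: the gap
// 1 - 0.49999999999999994 is not representable either and rounds to
// exactly 0.5, so the value is mistaken for a tie and rounded up to 1.
double roundCeilDiff(double x)
{
    double up = std::ceil(x);
    return (up - x > 0.5) ? up - 1.0 : up;
}

// floor(x), then step up when the fractional part reaches 0.5. For
// 0.49999999999999994 the fractional part is the value itself, so the
// comparison correctly sees it is below 0.5 and returns 0. (Signed-zero
// results, which Math.round also specifies, are not modelled here.)
double roundFloorFrac(double x)
{
    if (!std::isfinite(x))
        return x;
    double down = std::floor(x);
    return (x - down >= 0.5) ? down + 1.0 : down;
}
```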
3159
3160 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3161
3162         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
3163         https://bugs.webkit.org/show_bug.cgi?id=201366
3164
3165         Reviewed by Saam Barati.
3166
3167         It is possible for the log buffer to be full right as someone is trying to
3168         log a function prologue. In such a case the machine stack has already been
3169         updated to include the new JavaScript call frame, but the prologue packet
3170         cannot be included in the update because the log is full. This would mean
3171         that the update fails to rationalize the machine stack with the shadow
3172         log / stack. Namely, the current JavaScript call frame is unable to
3173         find a matching prologue (the one we are holding to include after the update)
3174         and inserts a questionable value into the stack; and in the process
3175         missing and removing real potential tail calls.
3176
3177         For example:
3178         
3179             "use strict";
3180             function third() { return 1; }
3181             function second() { return third(); }
3182             function first() { return second(); }
3183             function start() { return first(); }
3184
3185         If the log fills up just as we are entering `b` then we may have a
3186         full log of packets looking like:
3187
3188           Shadow Log:
3189             ...
3190             { prologue-packet: entering `start` ... }
3191             { prologue-packet: entering `first` ... }
3192             { tail-packet: leaving `first` with a tail call }
3193
3194           Incoming Packet:
3195             { prologue-packet: entering `second` ... }
3196
3197           Current JS Stack:
3198             second
3199             start
3200
3201         Since the Current JavaScript stack already has `second`, if we process the
3202         log without the prologue for `second` then we push a confused entry on the
3203         shadow stack and clear the log such that we eventually lose the tail-call
3204         information for `first` to `second`.
3205
3206         This patch solves this issue by providing enough extra space in the log
3207         to always process the incoming packet when that forces an update. This way
3208         clients can continue to behave exactly as they are.
3209
3210         --
3211
3212         We also document a corner case in some circumstances where the shadow
3213         log may currently be insufficient to know how to reconcile:
3214         
3215         For example:
3216
3217             "use strict";
3218             function third() { return 1; }
3219             function second() { return third(); }
3220             function first() { return second(); }
3221             function doNothingTail() { return Math.random() }
3222             function start() {
3223                 for (i=0;i<1000;++i) doNothingTail();
3224                 return first();
3225             }
3226
3227         In this case the ShadowChicken log may be processed multiple times due
3228         to the many calls to `doNothingTail` / `Math.random()`. When calling the
3229         Native function no prologue packet is emitted, so it is unclear that we
3230         temporarly go deeper and come back out on the stack, so the log appears
3231         to have lots of doNothingTail calls reusing the same frame:
3232
3233           Shadow Log:
3234             ...
3235             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
3236             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3237             , [125] tail-packet:{frame = 0x7ffeef8971f0}
3238             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3239             , [127] tail-packet:{frame = 0x7ffeef8971f0}
3240             ...
3241             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3242             , [141] tail-packet:{frame = 0x7ffeef8971f0}
3243             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
3244             , [143] tail-packet:{frame = 0x7ffeef8971f0}
3245             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
3246             , [145] tail-packet:{frame = 0x7ffeef8971f0}
3247             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
3248             ...
3249
3250         This log would seem to be indistinguishable from real tail recursion, such as:
3251
3252             "use strict";
3253             function third() { return 1; }
3254             function second() { return third(); }
3255             function first() { return second(); }
3256             function doNothingTail(n) {
3257                 return n ? doNothingTail(n-1) : first();
3258             }
3259             function start() {
3260                 return doNothingTail(1000);
3261             }
3262
3263         Likewise there are more cases where the shadow log appears to be ambiguous with determining
3264         the appropriate parent call frame with intermediate function calls. In practice this may
3265         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
3266         It seems likely we would only show additional frames that did in fact happen serially
3267         between JavaScript call frames, but may not actually be the proper parent frames
3268         heirachy in the stack.
3269
3270         * interpreter/ShadowChicken.cpp:
3271         (JSC::ShadowChicken::Packet::dump const):
3272         (JSC::ShadowChicken::Frame::dump const):
3273         (JSC::ShadowChicken::dump const):
3274         Improved debugging output. Especially for functions.
3275
3276         (JSC::ShadowChicken::ShadowChicken):
3277         Make space in the log for 1 additional packet to process when we slow log.
3278
3279         (JSC::ShadowChicken::log):
3280         Include this packet in our update.
3281
3282         (JSC::ShadowChicken::update):
3283         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
3284
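Worked example, added here as an illustration of the entry above; it is not part of the ChangeLog and not JSC's ShadowChicken code. It is a simplified C++ model of the shadow log that reserves one extra slot so the packet that triggers a drain is processed in the same update, contrasted with a drain-first ordering, plus a run of the doNothingTail loop showing why its packet sequence cannot be told apart from genuine tail recursion. Packet, ShadowFrame, ShadowLog, describe(), the frame identities kEntryFrame/kStartFrame/kLeafFrame and the reconciliation rule in apply() are all constructed for this example; the real update() additionally reconciles against the machine stack, which this model leaves out.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Simplified model of a ShadowChicken-style log (constructed for this example, not JSC's code).
// A prologue packet records a JS frame being entered; a tail packet records that a frame is
// about to be replaced by a tail call. Frame identities are plain numbers standing in for frame pointers.
struct Packet {
    enum Kind { Prologue, Tail } kind;
    std::string callee;    // Prologue only
    uintptr_t frame;
    uintptr_t callerFrame; // Prologue only
};
Packet prologue(const char* callee, uintptr_t frame, uintptr_t callerFrame) { return { Packet::Prologue, callee, frame, callerFrame }; }
Packet tail(uintptr_t frame) { return { Packet::Tail, "", frame, 0 }; }

struct ShadowFrame {
    std::string callee;
    uintptr_t frame;
    bool tailDeleted;
};

class ShadowLog {
public:
    // Clients may record `capacity` packets before the log must be drained; one extra
    // slot is reserved so the packet that triggers the drain always fits (the patch's fix).
    explicit ShadowLog(size_t capacity) : m_capacity(capacity) { m_log.reserve(capacity + 1); }
    // After the patch (modelled): the incoming packet is stored first and takes part in the update it triggers.
    void log(const Packet& p) { m_log.push_back(p); if (m_log.size() > m_capacity) update(); }
    // Before the patch (modelled): a full log is drained first, leaving the incoming packet
    // pending although the machine stack already reflects it.
    void logDrainFirst(const Packet& p) { if (m_log.size() == m_capacity) update(); m_log.push_back(p); }

    void update() { for (const Packet& p : m_log) apply(p); m_log.clear(); }
    const std::vector<ShadowFrame>& stack() const { return m_stack; }
    size_t pending() const { return m_log.size(); }
private:
    void apply(const Packet& p)
    {
        if (p.kind == Packet::Tail) {
            // Keep the frame, flagged, so it can be shown as a tail-deleted frame.
            if (!m_stack.empty() && m_stack.back().frame == p.frame)
                m_stack.back().tailDeleted = true;
            return;
        }
        // Entering a frame: live frames above the caller must have returned; tail-deleted
        // frames occupying the same frame slot stay underneath the new one.
        while (!m_stack.empty()) {
            const ShadowFrame& top = m_stack.back();
            if (top.frame == p.callerFrame || (top.tailDeleted && top.frame == p.frame))
                break;
            m_stack.pop_back();
        }
        m_stack.push_back({ p.callee, p.frame, false });
    }

    size_t m_capacity;
    std::vector<Packet> m_log;
    std::vector<ShadowFrame> m_stack;
};

// Renders a shadow stack outermost-first; '*' marks a tail-deleted frame.
std::string describe(const std::vector<ShadowFrame>& stack)
{
    std::string out;
    for (const ShadowFrame& f : stack)
        out += (out.empty() ? "" : " ") + f.callee + (f.tailDeleted ? "*" : "");
    return out;
}

// Constructed frame identities (not real addresses).
const uintptr_t kEntryFrame = 0x10; // native caller of start()
const uintptr_t kStartFrame = 0x20;
const uintptr_t kLeafFrame = 0x30;  // reused by first/second through tail calls

// First scenario from the entry: a three-packet log fills just as `second` is entered.
std::string reconstructFirstExample(bool includeTriggeringPacket)
{
    ShadowLog log(3);
    auto record = [&](const Packet& p) { includeTriggeringPacket ? log.log(p) : log.logDrainFirst(p); };
    record(prologue("start", kStartFrame, kEntryFrame));
    record(prologue("first", kLeafFrame, kStartFrame));
    record(tail(kLeafFrame));
    record(prologue("second", kLeafFrame, kStartFrame)); // the log is full at this point
    return describe(log.stack()) + " pending=" + std::to_string(log.pending());
}

// Second scenario: start() calls doNothingTail() `iterations` times; each call tail-calls
// a native function, which emits no prologue packet of its own.
std::string reconstructLoopExample(int iterations)
{
    ShadowLog log(8); // small capacity, so the log is drained several times on the way
    log.log(prologue("start", kStartFrame, kEntryFrame));
    for (int i = 0; i < iterations; ++i) {
        log.log(prologue("doNothingTail", kLeafFrame, kStartFrame));
        log.log(tail(kLeafFrame)); // tail call into Math.random()
    }
    log.log(prologue("first", kLeafFrame, kStartFrame));
    log.log(tail(kLeafFrame));
    log.log(prologue("second", kLeafFrame, kStartFrame));
    log.update();
    return describe(log.stack());
}
```

reconstructFirstExample(true) yields `start first* second` with nothing pending: the prologue for `second` was part of the update it forced, so the tail-deleted `first` sits under `second` as the entry intends. The drain-first ordering (false) leaves `start first*` with that prologue still unprocessed while `second` is already on the machine stack, which is the mismatch the entry describes. reconstructLoopExample(N) produces `start`, N tail-deleted doNothingTail frames, a tail-deleted `first` and `second`; since a self tail call also emits a prologue for the same frame followed by a tail packet, a recursion of the matching depth yields the identical packet sequence and therefore the identical stack, which is the ambiguity the entry documents.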
2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r249566.

        Causes inspector layout test crashes under GuardMalloc

        Reverted changeset:

        "Tail Deleted Frames shown in Web Inspector are sometimes
        incorrect (Shadow Chicken)"
        https://bugs.webkit.org/show_bug.cgi?id=201366
        https://trac.webkit.org/changeset/249566

2019-09-06  Guillaume Emont  <guijemont@igalia.com>

        testmasm: save r6 in JIT'ed code on ARM_THUMB2
        https://bugs.webkit.org/show_bug.cgi?id=201138

        Reviewed by Mark Lam.