PropertyAttribute needs a CustomValue bit.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-12-10  Mark Lam  <mark.lam@apple.com>

        PropertyAttribute needs a CustomValue bit.
        https://bugs.webkit.org/show_bug.cgi?id=191993
        <rdar://problem/46264467>

        Reviewed by Saam Barati.

        This is because GetByIdStatus needs to distinguish CustomValue properties from
        other types, and its only means of doing so is via the property's attributes.
        Previously, there was nothing in the property's attributes that could indicate that
        the property is a CustomValue.

        We fix this by doing the following:

        1. Added a PropertyAttribute::CustomValue bit.
        2. Added a PropertyAttribute::CustomAccessorOrValue convenience bit mask that is
           CustomAccessor | CustomValue.

        3. Since CustomGetterSetter properties are only set via JSObject::putDirectCustomAccessor(),
           we added a check in JSObject::putDirectCustomAccessor() to see if the attributes
           bits include PropertyAttribute::CustomAccessor.  If not, then the property
           must be a CustomValue, and we'll add the PropertyAttribute::CustomValue bit
           to the attributes bits.

           This ensures that the property attributes are sufficient to tell us if the
           property contains a CustomGetterSetter.

        4. Updated all checks for PropertyAttribute::CustomAccessor to check for
           PropertyAttribute::CustomAccessorOrValue instead if their intent is to check
           for the presence of a CustomGetterSetter as opposed to checking specifically
           for one that is used as a CustomAccessor.

           This includes all the Structure transition code that needs to capture the
           attributes change when a CustomValue has been added.

        5. Filtered out the PropertyAttribute::CustomValue bit in PropertyDescriptor.
           The fact that we're using a CustomGetterSetter as a CustomValue should remain
           invisible to the descriptor.  This is because the descriptor should describe
           a CustomValue no differently from a plain value.

        6. Added some asserts to ensure that property attributes are as expected, and to
           document some invariants.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/InByIdStatus.cpp:
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::putDirect):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setCustomDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomGetterSetter):

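The attribute-bit rules in steps 3 to 5 of the entry above, modelled as an added example that is not JavaScriptCore's code: the bit values, the `Property` struct and the helper names are constructed stand-ins for JSC's, and the asserts mirror the invariant that the attributes alone must reveal a CustomGetterSetter.

```cpp
#include <cassert>
#include <cstdio>

namespace model {

// Constructed bit layout for this model; JSC's real PropertyAttribute values differ.
enum PropertyAttribute : unsigned {
    None = 0,
    ReadOnly = 1u << 0,
    DontEnum = 1u << 1,
    DontDelete = 1u << 2,
    Accessor = 1u << 3,
    CustomAccessor = 1u << 4,
    CustomValue = 1u << 5,                               // the new bit (step 1)
    CustomAccessorOrValue = CustomAccessor | CustomValue // convenience mask (step 2)
};

enum class Kind { PlainValue, CustomGetterSetter };

// Stand-in for a stored property: what it holds plus its attribute bits.
struct Property {
    Kind kind;
    unsigned attributes;
};

// Step 3: the only path that stores a CustomGetterSetter. Anything not flagged
// CustomAccessor is being used as a CustomValue, so tag it as such.
Property putDirectCustomAccessor(unsigned attributes)
{
    if (!(attributes & CustomAccessor))
        attributes |= CustomValue;
    // Step 6 style invariant: exactly one of the two custom bits is now set.
    assert((attributes & CustomAccessorOrValue) != 0);
    assert((attributes & CustomAccessorOrValue) != CustomAccessorOrValue);
    return Property { Kind::CustomGetterSetter, attributes };
}

// Plain values never carry either custom bit.
Property putDirect(unsigned attributes)
{
    assert(!(attributes & CustomAccessorOrValue));
    return Property { Kind::PlainValue, attributes };
}

// Step 4: callers that only want to know "is there a CustomGetterSetter here?"
// (GetByIdStatus, structure transitions) test the combined mask ...
bool hasCustomGetterSetter(const Property& property)
{
    return (property.attributes & CustomAccessorOrValue) != 0;
}

// ... while callers that care specifically about the accessor use keep
// testing the single bit.
bool isCustomAccessor(const Property& property)
{
    return (property.attributes & CustomAccessor) != 0;
}

// Step 5: a PropertyDescriptor must describe a CustomValue exactly like a plain
// value, so the CustomValue bit is filtered out before it is reported.
unsigned descriptorAttributes(const Property& property)
{
    return property.attributes & ~static_cast<unsigned>(CustomValue);
}

} // namespace model

int main()
{
    model::Property custom = model::putDirectCustomAccessor(model::DontEnum);
    model::Property plain = model::putDirect(model::DontEnum);
    std::printf("custom value: hasCGS=%d isAccessor=%d descriptor=0x%x\n",
        model::hasCustomGetterSetter(custom), model::isCustomAccessor(custom),
        model::descriptorAttributes(custom));
    std::printf("plain value:  hasCGS=%d descriptor=0x%x\n",
        model::hasCustomGetterSetter(plain), model::descriptorAttributes(plain));
    return 0;
}
```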
2018-12-10  Mark Lam  <mark.lam@apple.com>

        LinkBuffer::copyCompactAndLinkCode() needs to be aware of ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=192569
        <rdar://problem/45615617>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-12-10  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMul into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186175

        Reviewed by Yusuke Suzuki.

        This patch is adding a new DFG node called ValueMul. This node is
        responsible for handling multiplication operations that can result in
        non-number values. We emit such a node during DFGByteCodeParser when the
        operands are not numbers. During FixupPhase, we change this
        operation to ArithMul if we can speculate Number/Boolean operands.

        The BigInt specialization shows a small progression:

                                noSpec                changes

        big-int-simple-mul  18.8090+-1.0435  ^  17.4305+-0.2673  ^ definitely 1.0791x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupMultiplication):
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueMul):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):

2018-12-08  Mark Lam  <mark.lam@apple.com>

        Reduce size of PropertySlot and PutPropertySlot.
        https://bugs.webkit.org/show_bug.cgi?id=192526

        Reviewed by Keith Miller.

        With some minor adjustments, we can reduce the size of PropertySlot from 80 bytes
        (19 padding bytes) to 64 bytes (3 padding bytes), and PutPropertySlot from 40
        bytes (4 padding bytes) to 32 bytes (0 padding bytes but with 6 unused bits).
        These measurements are for a 64-bit build.

        * runtime/PropertySlot.h:
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2018-12-08  Dominik Infuehr  <dinfuehr@igalia.com>

        Record right offset with aligned wide instructions
        https://bugs.webkit.org/show_bug.cgi?id=192006

        Reviewed by Yusuke Suzuki.

        Aligning bytecode instructions inserts nops into the instruction stream.
        Emitting an instruction did not record the actual start of the instruction with
        aligned instructions, but the nop just before the actual instruction. This was
        problematic with the StaticPropertyAnalyzer that used the wrong instruction offset.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStream::MutableRef::clone):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::alignWideOpcode):
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitNewObject):
        * generator/Opcode.rb:

2018-12-07  Tadeu Zagallo  <tzagallo@apple.com>

        Align the metadata table on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=192050
        <rdar://problem/46312674>

        Reviewed by Mark Lam.

        Although certain platforms don't require the metadata to be aligned,
        values were being concurrently read and written to ValueProfiles,
        which caused crashes since these operations are not atomic on unaligned
        addresses.

        * bytecode/Opcode.cpp:
        (JSC::metadataAlignment):
        * bytecode/Opcode.h:
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::finalize):

2018-12-05  Mark Lam  <mark.lam@apple.com>

        speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
        https://bugs.webkit.org/show_bug.cgi?id=192441
        <rdar://problem/46480355>

        Reviewed by Saam Barati.

        This is because a regular String (non-Identifier) can be converted into an
        Identifier.  During DFG/FTL compilation, AbstractValue::checkConsistency() may
        expect a value to be of type SpecStringVar, but the mutator thread may have
        converted the string into an Identifier.  This creates a race where
        AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when
        it expects a SpecStringVar.

        The fix is to speculate non-Identifier strings as type SpecString, which allows it
        to be SpecStringVar or SpecStringIdent.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):

2018-12-04  Mark Lam  <mark.lam@apple.com>

        DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
        https://bugs.webkit.org/show_bug.cgi?id=192386
        <rdar://problem/46445516>

        Reviewed by Saam Barati.

        This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-12-04  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        an operand of logical operations. During JIT generation in the DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: Audit: tests should support async operations
        https://bugs.webkit.org/show_bug.cgi?id=192171
        <rdar://problem/46423562>

        Reviewed by Joseph Pecoraro.

        Add `awaitPromise` command for executing a callback when a Promise gets settled.

        Drive-by: allow `wasThrown` to be optional, instead of expecting it to always have a value.

        * inspector/protocol/Runtime.json:

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.awaitPromise): Added.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::awaitPromise): Added.
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        (Inspector::InjectedScriptBase::makeAsyncCall): Added.
        (Inspector::InjectedScriptBase::checkCallResult): Added.
        (Inspector::InjectedScriptBase::checkAsyncCallResult): Added.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::awaitPromise):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        an operand of logical operations. During JIT generation in the DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-03  Keith Rollin  <krollin@apple.com>

        Add .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=192082
        <rdar://problem/46312533>

        Reviewed by Brent Fulgham.

        Add .xcfilelist files for Generate Derived Sources and Generate
        Unified Sources build phases in Xcode. These are just being staged for
        now; they'll be added to the Xcode projects later.

        * DerivedSources-input.xcfilelist: Added.
        * DerivedSources-output.xcfilelist: Added.
        * UnifiedSources-input.xcfilelist: Added.
        * UnifiedSources-output.xcfilelist: Added.

2018-12-03  Mark Lam  <mark.lam@apple.com>

        Fix the bytecode code generator scripts to pretty print BytecodeStructs.h and BytecodeIndices.h.
        https://bugs.webkit.org/show_bug.cgi?id=192271

        Reviewed by Keith Miller.

        This makes the generated code style compliant and human readable.

        * generator/Argument.rb:
        * generator/DSL.rb:
        * generator/Fits.rb:
        * generator/Metadata.rb:
        * generator/Opcode.rb:

2018-12-02  Zalan Bujtas  <zalan@apple.com>

        Add a runtime feature flag for LayoutFormattingContext.
        https://bugs.webkit.org/show_bug.cgi?id=192280

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2018-12-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<<" and ">>"
        https://bugs.webkit.org/show_bug.cgi?id=186233

        Reviewed by Yusuke Suzuki.

        This patch is introducing the support for BigInt into lshift and
        rshift in the LLInt and Baseline layers.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::leftShift):
        (JSC::JSBigInt::signedRightShift):
        (JSC::JSBigInt::leftShiftByAbsolute):
        (JSC::JSBigInt::rightShiftByAbsolute):
        (JSC::JSBigInt::rightShiftByMaximum):
        (JSC::JSBigInt::toShiftAmount):
        * runtime/JSBigInt.h:

2018-12-01  Simon Fraser  <simon.fraser@apple.com>

        Heap.h refers to the non-existent HeapStatistics
        https://bugs.webkit.org/show_bug.cgi?id=187882

        Reviewed by Keith Miller.

        Just remove the "friend class HeapStatistics".

        * heap/Heap.h:

2018-11-29  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Keep TypeMaybeBigInt small
        https://bugs.webkit.org/show_bug.cgi?id=192203

        Reviewed by Saam Barati.

        As BigInt is being implemented, more and more bytecodes start returning BigInt.
        It means that the ResultType of these bytecodes includes TypeMaybeBigInt. However,
        TypeMaybeBigInt was the large number 0x20, leading to wide instructions since ResultType
        easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33).

        This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in
        the code.

        * parser/ResultType.h:

2018-11-30  Dean Jackson  <dino@apple.com>

        Try to fix Windows build by using strcmp instead of strcasecmp.

        * jsc.cpp:
        (isMJSFile):

2018-11-30  Mark Lam  <mark.lam@apple.com>

        Fix the bytecode code generator scripts to pretty print Bytecodes.h.
        https://bugs.webkit.org/show_bug.cgi?id=192258

        Reviewed by Keith Miller.

        This makes Bytecodes.h more human readable.

        * generator/DSL.rb:
        * generator/Section.rb:

2018-11-30  Mark Lam  <mark.lam@apple.com>

        Add the generator directory to the Xcode project.
        https://bugs.webkit.org/show_bug.cgi?id=192252

        Reviewed by Michael Saboff.

        This is so that we can work with these bytecode class generator files easily in Xcode.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-30  Don Olmstead  <don.olmstead@sony.com>

        Rename ENABLE_SUBTLE_CRYPTO to ENABLE_WEB_CRYPTO
        https://bugs.webkit.org/show_bug.cgi?id=192197

        Reviewed by Jiewen Tan.

        * Configurations/FeatureDefines.xcconfig:

2018-11-30  Dean Jackson  <dino@apple.com>

        Add first-class support for .mjs files in jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=192190
        <rdar://problem/46375715>

        Reviewed by Keith Miller.

        Treat files with a .mjs extension as a module, regardless
        of whether or not the --module-file argument was given.

        * jsc.cpp:
        (printUsageStatement): Update usage.
        (isMJSFile): Helper to look for .mjs extensions.
        (CommandLine::parseArguments): Pick the appropriate script type.

2018-11-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Implement ValueBitXor into DFG
        https://bugs.webkit.org/show_bug.cgi?id=190264

        Reviewed by Yusuke Suzuki.

        This patch is splitting the BitXor node into ArithBitXor and
        ValueBitXor. This is necessary due to the introduction of
        BigInt, since BitXor operations can now result in Int32 or BigInt.
        In such a case, we use ArithBitXor when operands are Int and fall back to
        ValueBitXor when operands are anything else. In the case of
        ValueBitXor, we speculate BigInt when op1 and op2 are predicted as
        BigInt as well. The BigInt specialization consists of calling the
        `operationBigIntBitXor` function, which calls JSBigInt::bitXor.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::arithProfileForPC):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitXor): Deleted.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_bitxor):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-11-29  Justin Michaud  <justin_michaud@apple.com>

        CSS Painting API should pass 'this' correctly to paint callback, and repaint when properties change.
        https://bugs.webkit.org/show_bug.cgi?id=191443

        Reviewed by Dean Jackson.

        Export the simpler construct() method for use in WebCore.

        * runtime/ConstructData.h:

2018-11-28  Mark Lam  <mark.lam@apple.com>

        ENABLE_SEPARATED_WX_HEAP needs to be defined in Platform.h.
        https://bugs.webkit.org/show_bug.cgi?id=192110
        <rdar://problem/46317746>

        Reviewed by Saam Barati.

        * config.h:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Update generate-{derived,unified}-sources scripts to support generating .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=192031
        <rdar://problem/46286816>

        Reviewed by Alex Christensen.

        The Generate Derived Sources and Generate Unified Sources build phases
        in Xcode need to have their inputs and outputs specified. This
        specification will come in the form of .xcfilelist files that will be
        attached to these build phases. There is one .xcfilelist file that
        lists the input files and one that lists the output files. As part of
        this work, the various generate-{derived,unified}-sources scripts that
        are executed in these Generate build phases are modified to help in
        the creation of these .xcfilelist files. In particular, they can now
        be invoked with command-line parameters. These parameters are then
        used to alter the normal execution of these scripts, causing them to
        produce the .xcfilelist files as opposed to actually generating the
        files that are listed in those files.

        * Scripts/generate-derived-sources.sh:
        * Scripts/generate-unified-sources.sh:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Revert print_all_generated_files work in r238008; tighten up target specifications
        https://bugs.webkit.org/show_bug.cgi?id=192025
        <rdar://problem/46284301>

        Reviewed by Alex Christensen.

        In r238008, I added a facility for DerivedSources.make makefiles to
        print out the list of files that they generate. This output was used
        in the generation of .xcfilelist files used to specify the output of
        the associated Generate Derived Sources build phases in Xcode. This
        approach worked, but it meant that people would need to follow a
        specific convention to keep this mechanism working.

        Instead of continuing this approach, I'm going to implement a new
        facility based on the output of `make` when passed the -d flag (which
        prints dependency information). This new mechanism is completely
        automatic and doesn't need maintainers to follow a convention. To that
        end, remove most of the work performed in r238008 that supports the
        print_all_generated_files target.

        At the same time, it's important for the sets of targets and their
        dependencies to be complete and correct. Therefore, also include
        changes to bring those up-to-date. As part of that, you'll see
        prevalent use of a particular technique. Here's an example:

            BYTECODE_FILES = \
                Bytecodes.h \
                BytecodeIndices.h \
                BytecodeStructs.h \
                InitBytecodes.asm \
            #
            BYTECODE_FILES_PATTERNS = $(subst .,%,$(BYTECODE_FILES))

            all : $(BYTECODE_FILES)

            $(BYTECODE_FILES_PATTERNS): $(wildcard $(JavaScriptCore)/generator/*.rb) $(JavaScriptCore)/bytecode/BytecodeList.rb
                ...

        These lines indicate a set of generated files (those specified in
        BYTECODE_FILES). These files are generated by the BytecodeList.rb
        tool. But, as opposed to the normal rule where a single foo.output is
        generated by foo.input plus some additional dependencies, this rule
        produces multiple output files from a tool whose connection to the
        output files is not immediately clear. A special approach is needed
        where a single rule produces multiple output files. The normal way to
        implement this is to use an .INTERMEDIATE target. However, we used
        this approach in the past and ran into a problem with it, addressing
        it with an alternate approach in r210507. The above example shows this
        approach. The .'s in the list of target files are replaced with %'s,
        and the result is used as the left side of the dependency rule.

        * DerivedSources.make:

2018-11-28  Keith Rollin  <krollin@apple.com>

        Remove Postprocess Headers dependencies
        https://bugs.webkit.org/show_bug.cgi?id=192023
        <rdar://problem/46283377>

        Reviewed by Mark Lam.

        JavaScriptCore's Xcode Postprocess Headers build phase used to have a
        dependency on a specific handful of files. In r234227, the script used
        in this phase (postprocess-headers.sh) was completely rewritten to
        operate on *all* files in JSC's Public and Private headers directories
        instead of just this handful. This rewrite makes the previous
        dependency specification insufficient, leading to incorrect
        incremental builds if the right files weren't touched. Address this by
        removing the dependencies completely. This will cause
        postprocess-headers.sh to always be executed, even when none of its
        files are touched. Running this script all the time is OK, since it has
        built-in protections against unnecessarily touching files that haven't
        changed.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-11-27  Mark Lam  <mark.lam@apple.com>

        ENABLE_FAST_JIT_PERMISSIONS should be false for iosmac.
        https://bugs.webkit.org/show_bug.cgi?id=192055
        <rdar://problem/46288783>

        Reviewed by Saam Barati.

        * Configurations/FeatureDefines.xcconfig:

2018-11-27  Saam barati  <sbarati@apple.com>

        r238510 broke scopes of size zero
        https://bugs.webkit.org/show_bug.cgi?id=192033
        <rdar://problem/46281734>

        Reviewed by Keith Miller.

        In r238510, I wrote the loop like this:
        `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`

        This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.

        This patch fixes this by writing the loop as:
        `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

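The loop-bound problem in the entry above, as an added example that is not JSC's code: `SymbolTable`, `scopeSize()` and `maxScopeOffset()` are a constructed stand-in for the real symbol table, and the cap exists only so the model of the old loop terminates.

```cpp
#include <cstdio>
#include <vector>

namespace model {

// Constructed stand-in for the symbol table the loop iterates over.
struct SymbolTable {
    std::vector<int> slots; // one entry per scope offset

    unsigned scopeSize() const { return static_cast<unsigned>(slots.size()); }

    // The last valid offset is scopeSize() - 1. For an empty scope the
    // unsigned subtraction wraps, which is why maxScopeOffset() is UINT_MAX.
    unsigned maxScopeOffset() const { return scopeSize() - 1; }
};

struct VisitResult {
    unsigned visited = 0;     // in-bounds offsets the loop touched
    unsigned outOfBounds = 0; // offsets past the end the loop tried to touch
    bool hitCap = false;      // the safety cap had to stop the loop
};

// The r238510 form of the loop. With an empty scope the bound is UINT_MAX, so
// offset 0 is "in range" and the loop walks off the end of the scope; offset
// += 1 would also wrap back to 0 at UINT_MAX, so it never terminates. The cap
// exists only so this model finishes.
VisitResult visitWithMaxOffsetBound(const SymbolTable& table, unsigned cap)
{
    VisitResult result;
    for (unsigned offset = 0; offset <= table.maxScopeOffset(); offset += 1) {
        if (result.visited + result.outOfBounds >= cap) {
            result.hitCap = true;
            break;
        }
        if (offset < table.scopeSize())
            result.visited++;
        else
            result.outOfBounds++;
    }
    return result;
}

// The corrected form: a strict comparison against scopeSize() makes an empty
// scope a zero-iteration loop and needs no "last valid offset" at all.
VisitResult visitWithScopeSizeBound(const SymbolTable& table)
{
    VisitResult result;
    for (unsigned offset = 0; offset < table.scopeSize(); ++offset)
        result.visited++;
    return result;
}

} // namespace model

int main()
{
    model::SymbolTable empty;
    model::SymbolTable three { { 7, 8, 9 } }; // constructed three-slot scope
    model::VisitResult buggy = model::visitWithMaxOffsetBound(empty, 16);
    model::VisitResult fixed = model::visitWithScopeSizeBound(empty);
    std::printf("empty scope, old bound: visited=%u outOfBounds=%u hitCap=%d\n",
        buggy.visited, buggy.outOfBounds, buggy.hitCap);
    std::printf("empty scope, new bound: visited=%u outOfBounds=%u hitCap=%d\n",
        fixed.visited, fixed.outOfBounds, fixed.hitCap);
    std::printf("three slots, old and new bound: %u and %u\n",
        model::visitWithMaxOffsetBound(three, 16).visited,
        model::visitWithScopeSizeBound(three).visited);
    return 0;
}
```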
2018-11-27  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
        https://bugs.webkit.org/show_bug.cgi?id=192018

        Reviewed by Saam Barati.

        This assertion failed because the regress-191579.js test was specifying
        --maxPerThreadStackUsage=400000 i.e. it was running with a stack size that is not
        page aligned.  Given that the user can specify any arbitrary stack size, and the
        CLoop stack expects to be page aligned, we'll just round up the requested capacity
        to the next page alignment.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):

729 2018-11-27  Mark Lam  <mark.lam@apple.com>
730
        [Re-landing] NaNs read from Wasm code need to be purified.
732         https://bugs.webkit.org/show_bug.cgi?id=191056
733         <rdar://problem/45660341>
734
735         Reviewed by Filip Pizlo.
736
737         * wasm/js/WebAssemblyModuleRecord.cpp:
738         (JSC::WebAssemblyModuleRecord::link):
739
740 2018-11-27  Timothy Hatcher  <timothy@apple.com>
741
742         Web Inspector: Add support for forcing color scheme appearance in DOM tree.
743         https://bugs.webkit.org/show_bug.cgi?id=191820
744         rdar://problem/46153172
745
746         Reviewed by Devin Rousso.
747
748         * inspector/protocol/Page.json: Added setForcedAppearance.
749         Also added the defaultAppearanceDidChange event and Appearance enum.
750
751 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
752
753         Unreviewed, rolling out r238509.
754
755         Causes JSC tests to fail on iOS.
756
757         Reverted changeset:
758
        "NaNs read from Wasm code need to be purified."
760         https://bugs.webkit.org/show_bug.cgi?id=191056
761         https://trac.webkit.org/changeset/238509
762
763 2018-11-27  Mark Lam  <mark.lam@apple.com>
764
765         Introducing a ENABLE_SEPARATED_WX_HEAP macro.
766         https://bugs.webkit.org/show_bug.cgi?id=192013
767         <rdar://problem/45494310>
768
769         Reviewed by Keith Miller.
770
771         This makes the code a little more readable.
772
773         I put the definition of ENABLE_SEPARATED_WX_HEAP in JSC's config.h instead of
774         Platform.h because ENABLE_SEPARATED_WX_HEAP is only needed inside JSC.  Also,
775         ENABLE_SEPARATED_WX_HEAP depends on ENABLE(FAST_JIT_PERMISSIONS), which is only
776         defined for JSC.
777
778         * config.h:
779         * jit/ExecutableAllocator.cpp:
780         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
781         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
782         * jit/ExecutableAllocator.h:
783         (JSC::performJITMemcpy):
784         * runtime/Options.cpp:
785         (JSC::recomputeDependentOptions):
786
787 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
788
789         Re-introduce op_bitnot
790         https://bugs.webkit.org/show_bug.cgi?id=190923
791
792         Reviewed by Yusuke Suzuki.
793
794         With the introduction of BigInt as a new type, we can't emit bitwise
795         not as `x ^ -1` anymore, because this is incompatible with the new type.
        Based on that, this patch is adding `op_bitnot` as a new operation
        into LLInt, as well as introducing ArithBitNot node into DFG to support
        JIT compilation of such opcode. We will use the ValueProfile of this
        instruction in the future to generate better code when its operand
800         is not Int32.
801
802         * assembler/MacroAssemblerARM64.h:
803         (JSC::MacroAssemblerARM64::not32):
804         * assembler/MacroAssemblerARMv7.h:
805         (JSC::MacroAssemblerARMv7::not32):
806         * assembler/MacroAssemblerMIPS.h:
807         (JSC::MacroAssemblerMIPS::not32):
808         * bytecode/BytecodeList.rb:
809         * bytecode/BytecodeUseDef.h:
810         (JSC::computeUsesForBytecodeOffset):
811         (JSC::computeDefsForBytecodeOffset):
812         * bytecode/CodeBlock.cpp:
813         (JSC::CodeBlock::finishCreation):
814         * bytecode/Opcode.h:
815         (JSC::padOpcodeName):
816         * bytecompiler/BytecodeGenerator.cpp:
817         (JSC::BytecodeGenerator::emitUnaryOp):
818         * bytecompiler/NodesCodegen.cpp:
819         (JSC::UnaryPlusNode::emitBytecode):
820         (JSC::BitwiseNotNode::emitBytecode): Deleted.
821         * dfg/DFGAbstractInterpreterInlines.h:
822         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
823         * dfg/DFGBackwardsPropagationPhase.cpp:
824         (JSC::DFG::BackwardsPropagationPhase::propagate):
825         * dfg/DFGByteCodeParser.cpp:
826         (JSC::DFG::ByteCodeParser::parseBlock):
827         * dfg/DFGCapabilities.cpp:
828         (JSC::DFG::capabilityLevel):
829         * dfg/DFGClobberize.h:
830         (JSC::DFG::clobberize):
831         * dfg/DFGDoesGC.cpp:
832         (JSC::DFG::doesGC):
833         * dfg/DFGFixupPhase.cpp:
834         (JSC::DFG::FixupPhase::fixupNode):
835         * dfg/DFGNodeType.h:
836         * dfg/DFGOperations.cpp:
837         * dfg/DFGOperations.h:
838         * dfg/DFGPredictionPropagationPhase.cpp:
839         * dfg/DFGSafeToExecute.h:
840         (JSC::DFG::safeToExecute):
841         * dfg/DFGSpeculativeJIT.cpp:
842         (JSC::DFG::SpeculativeJIT::compileBitwiseNot):
843         * dfg/DFGSpeculativeJIT.h:
844         * dfg/DFGSpeculativeJIT32_64.cpp:
845         (JSC::DFG::SpeculativeJIT::compile):
846         * dfg/DFGSpeculativeJIT64.cpp:
847         (JSC::DFG::SpeculativeJIT::compile):
848         * ftl/FTLCapabilities.cpp:
849         (JSC::FTL::canCompile):
850         * ftl/FTLLowerDFGToB3.cpp:
851         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
852         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):
853         * jit/JIT.cpp:
854         (JSC::JIT::privateCompileMainPass):
855         (JSC::JIT::privateCompileSlowCases):
856         * jit/JIT.h:
857         * jit/JITArithmetic.cpp:
858         (JSC::JIT::emit_op_bitnot):
859         * llint/LowLevelInterpreter32_64.asm:
860         * llint/LowLevelInterpreter64.asm:
861         * offlineasm/cloop.rb:
862         * parser/NodeConstructors.h:
863         (JSC::BitwiseNotNode::BitwiseNotNode):
864         * parser/Nodes.h:
865         * parser/ResultType.h:
866         (JSC::ResultType::bigIntOrInt32Type):
867         (JSC::ResultType::forBitOp):
868         * runtime/CommonSlowPaths.cpp:
869         (JSC::SLOW_PATH_DECL):
870         * runtime/CommonSlowPaths.h:
871
872 2018-11-26  Saam barati  <sbarati@apple.com>
873
874         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
875         https://bugs.webkit.org/show_bug.cgi?id=191956
876         <rdar://problem/45665806>
877
878         Reviewed by Yusuke Suzuki.
879
880         This is a similar bug to what Keith fixed in r232134. The issue is if we have
881         a program like this:
882         
883         a: JSConstant(jsNumber(0))
884         b: SetLocal(Int32:@a, loc1, FlushedInt32)
885         c: ArrayifyToStructure(Cell:@a)
886         d: Jump(...)
887         
888         At the point in the program right after the Jump, a GetLocal for loc1
889         would return whatever the ArrayifyToStructure resulting type is. This breaks
890         the invariant that a GetLocal must return a value that is a subtype of its
891         FlushFormat. InPlaceAbstractState::endBasicBlock will know if a SetLocal is
892         the final node touching a local slot. If so, it'll see if any nodes later
893         in the block may have refined the type of the value stored in that slot. If
894         so, endBasicBlock() further refines the type to ensure that any GetLocals
895         loading from the same slot will result in having this more refined type.
896         However, we must ensure that this logic only considers types within the
897         hierarchy of the variable access data's FlushFormat, otherwise, we may
898         break the invariant that a GetLocal's type is a subtype of its FlushFormat.
899
900         * dfg/DFGInPlaceAbstractState.cpp:
901         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
902
903 2018-11-26  Saam barati  <sbarati@apple.com>
904
905         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
906         https://bugs.webkit.org/show_bug.cgi?id=191958
907         <rdar://problem/46221877>
908
909         Reviewed by Yusuke Suzuki.
910
911         There may be more entries in an activation than unique variables
912         in a symbol table's hashmap. For example, if you have two parameters
913         to a function, and they both are the same name, and the function
914         uses eval, we'll end up with two scope slots, but only a single
915         entry in the hashmap in the symbol table. Object allocation sinking
916         phase was previously iterating over the hashmap, assuming these
917         values were equivalent. This is wrong in the above case. Instead,
918         we need to iterate over each scope offset.
919
920         * dfg/DFGObjectAllocationSinkingPhase.cpp:
921         * runtime/GenericOffset.h:
922         (JSC::GenericOffset::operator+=):
923         (JSC::GenericOffset::operator-=):
924
925 2018-11-26  Mark Lam  <mark.lam@apple.com>
926
        NaNs read from Wasm code need to be purified.
928         https://bugs.webkit.org/show_bug.cgi?id=191056
929         <rdar://problem/45660341>
930
931         Reviewed by Filip Pizlo.
932
933         * wasm/js/WebAssemblyModuleRecord.cpp:
934         (JSC::WebAssemblyModuleRecord::link):
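
Added illustration (not JSC's code) of why the NaN purification in this entry, and in its re-landing above, matters. JSC stores doubles and tagged non-double values in the same 64-bit JSValue slot, so only one canonical NaN bit pattern is safe to keep as a double; a NaN with an arbitrary payload can land in the tag space and be treated as a pointer. The tag layout below is a simplified assumption for the example, not JSC's exact encoding, and `Slot`, `purifyNaN`, `hostileWasmNaN` and the constants are this example's own names; the one borrowed fact is that 0x7ff8000000000000 is the canonical NaN JSC calls PNaN.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Illustrative NaN-boxing layout (assumption for this example, not JSC's encoding).
// Tagged values are carved out of the NaN range, so a double may only be stored
// if its bit pattern stays clear of the tag space. The canonical quiet NaN does.
constexpr uint64_t kCanonicalNaNBits = 0x7ff8000000000000ull; // JSC's PNaN
constexpr uint64_t kTagMask          = 0xffff000000000000ull;
constexpr uint64_t kCellTag          = 0xfffe000000000000ull; // "this slot holds a cell pointer"

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Purify: every NaN, whatever its sign or payload, becomes the canonical NaN.
// Non-NaN values (including -0.0) pass through bit-for-bit.
inline double purifyNaN(double value)
{
    return std::isnan(value) ? doubleOf(kCanonicalNaNBits) : value;
}

// A boxed slot. isCell() is the check an interpreter or JIT makes before
// dereferencing; a raw, unpurified NaN can pass it.
struct Slot {
    uint64_t bits;
    static Slot fromDouble(double d) { return Slot{bitsOf(d)}; }
    bool isCell() const { return (bits & kTagMask) == kCellTag; }
};

// Wasm can produce any NaN bit pattern (e.g. f64.reinterpret_i64, or arithmetic
// propagating a payload). Constructed here: a NaN whose high bits equal the cell tag.
inline double hostileWasmNaN()
{
    return doubleOf(kCellTag | 0x0000deadbeef0000ull);
}

// What a boundary like WebAssemblyModuleRecord::link must do with an f64 coming
// out of Wasm before it is stored where the boxing scheme will interpret it.
inline Slot boxFromWasm(double fromWasm)
{
    return Slot::fromDouble(purifyNaN(fromWasm));
}
```

The test below shows the hostile NaN is still a NaN by IEEE rules, yet boxes as a "cell" unless purified first; after purification it is the canonical NaN and no longer matches the tag.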
935
936 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
937
938         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
939         https://bugs.webkit.org/show_bug.cgi?id=191716
940         <rdar://problem/45723878>
941
942         Reviewed by Saam Barati.
943
944         After https://bugs.webkit.org/show_bug.cgi?id=187373, when updating
945         jump targets during generatorification, we only stored the new jump
946         target when it changed. However, the out-of-line jump targets are
947         cleared at the beginning of the pass, so we need to store it
948         unconditionally.
949
950         * bytecode/PreciseJumpTargetsInlines.h:
951         (JSC::extractStoredJumpTargetsForInstruction):
952         (JSC::updateStoredJumpTargetsForInstruction):
953
954 2018-11-23  Wenson Hsieh  <wenson_hsieh@apple.com>
955
956         Enable drag and drop support for iOSMac
957         https://bugs.webkit.org/show_bug.cgi?id=191818
958         <rdar://problem/43907454>
959
960         Reviewed by Dean Jackson.
961
962         * Configurations/FeatureDefines.xcconfig:
963
964 2018-11-22  Mark Lam  <mark.lam@apple.com>
965
966         Make the jsc shell's dumpException() more robust against long exception strings.
967         https://bugs.webkit.org/show_bug.cgi?id=191910
968         <rdar://problem/46212980>
969
970         Reviewed by Michael Saboff.
971
972         This only affects the dumping of the exception string in the jsc shell due to
973         unhandled exceptions or exceptions at shell boot time before any JS code is
974         running.
975
976         * jsc.cpp:
977         (dumpException):
978
979 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
980
981         [JSC] Drop ARM_TRADITIONAL support in LLInt, baseline JIT, and DFG
982         https://bugs.webkit.org/show_bug.cgi?id=191675
983
984         Reviewed by Mark Lam.
985
986         We no longer maintain ARM_TRADITIONAL LLInt and JIT in JSC. This architecture will use
987         CLoop instead. This patch removes ARM_TRADITIONAL support in LLInt and JIT.
988
989         Discussed in https://lists.webkit.org/pipermail/webkit-dev/2018-October/030220.html.
990
991         * CMakeLists.txt:
992         * JavaScriptCore.xcodeproj/project.pbxproj:
993         * Sources.txt:
994         * assembler/ARMAssembler.cpp: Removed.
995         * assembler/ARMAssembler.h: Removed.
996         * assembler/LinkBuffer.cpp:
997         (JSC::LinkBuffer::linkCode):
998         (JSC::LinkBuffer::dumpCode):
999         * assembler/MacroAssembler.h:
1000         (JSC::MacroAssembler::patchableBranch32):
1001         * assembler/MacroAssemblerARM.cpp: Removed.
1002         * assembler/MacroAssemblerARM.h: Removed.
1003         * assembler/PerfLog.cpp:
1004         * assembler/PerfLog.h:
1005         * assembler/ProbeContext.h:
1006         (JSC::Probe::CPUState::pc):
1007         (JSC::Probe::CPUState::fp):
1008         (JSC::Probe::CPUState::sp):
1009         * assembler/testmasm.cpp:
1010         (JSC::isPC):
1011         (JSC::testProbeModifiesStackPointer):
1012         (JSC::testProbeModifiesStackValues):
1013         * bytecode/InlineAccess.h:
1014         (JSC::InlineAccess::sizeForPropertyAccess):
1015         (JSC::InlineAccess::sizeForPropertyReplace):
1016         (JSC::InlineAccess::sizeForLengthAccess):
1017         * dfg/DFGSpeculativeJIT.h:
1018         * disassembler/CapstoneDisassembler.cpp:
1019         (JSC::tryToDisassemble):
1020         * jit/AssemblyHelpers.cpp:
1021         (JSC::AssemblyHelpers::debugCall):
1022         * jit/AssemblyHelpers.h:
1023         * jit/CCallHelpers.h:
1024         (JSC::CCallHelpers::setupArgumentsImpl):
1025         (JSC::CCallHelpers::prepareForTailCallSlow):
1026         * jit/CallFrameShuffler.cpp:
1027         (JSC::CallFrameShuffler::prepareForTailCall):
1028         * jit/HostCallReturnValue.cpp:
1029         * jit/JITMathIC.h:
1030         (JSC::isProfileEmpty):
1031         * jit/RegisterSet.cpp:
1032         (JSC::RegisterSet::reservedHardwareRegisters):
1033         (JSC::RegisterSet::calleeSaveRegisters):
1034         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1035         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1036         * jit/Repatch.cpp:
1037         (JSC::forceICFailure):
1038         * jit/ThunkGenerators.cpp:
1039         (JSC::nativeForGenerator):
1040         * llint/LLIntOfflineAsmConfig.h:
1041         * llint/LowLevelInterpreter.asm:
1042         * llint/LowLevelInterpreter32_64.asm:
1043         * offlineasm/arm.rb:
1044         * offlineasm/backends.rb:
1045         * yarr/YarrJIT.cpp:
1046         (JSC::Yarr::YarrGenerator::generateEnter):
1047         (JSC::Yarr::YarrGenerator::generateReturn):
1048
1049 2018-11-21  Saam barati  <sbarati@apple.com>
1050
1051         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1052         https://bugs.webkit.org/show_bug.cgi?id=191897
1053         <rdar://problem/45871998>
1054
1055         Reviewed by Mark Lam.
1056
1057         exitOK is a statement about it being legal to exit. mayExit() is about being
1058         conservative and returning false only if an OSR exit *could never* happen.
1059         mayExit() tries to be as smart as possible to see if it can return false.
1060         It can't return false if a runtime exit *could* happen. However, there is
1061         code in the compiler where mayExit() returns false (because it uses data
1062         generated from AI about type checks being proved), but the code we emit in the
1063         compiler backend unconditionally generates an OSR exit, even if that exit may
1064         never execute. For example, let's say we have this IR:
1065         
1066         SomeNode(Boolean:@input)
1067         
1068         And we always emit code like this as a way of emitting a boolean type check:
1069         
1070         jump L1 if input == true
1071         jump L1 if input == false
1072         emit an OSR exit
1073         
1074         In such a program, when we generate the above OSR exit, in a validationEnabled()
1075         build, and if @input is proved to be a boolean, we'll end up crashing because we
1076         have the bogus assertion saying !exitOK. This is one reason why things are cleaner
1077         if we don't conflate mayExit() with exitOK.
1078
1079         * dfg/DFGSpeculativeJIT.cpp:
1080         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1081
1082 2018-11-21  Saam barati  <sbarati@apple.com>
1083
1084         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1085         https://bugs.webkit.org/show_bug.cgi?id=191895
1086         <rdar://problem/46167406>
1087
1088         Reviewed by Mark Lam.
1089
1090         We were asserting that the input edge should have type SpecCell but it should
1091         really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
1092         
1093         This patch cleans up that assertion code by joining a bunch of cases into a
1094         single function call which grabs the type filter for the edge UseKind and
1095         asserts that the incoming edge meets the type filter criteria.
1096
1097         * dfg/DFGSpeculativeJIT.cpp:
1098         (JSC::DFG::SpeculativeJIT::speculate):
1099         * ftl/FTLLowerDFGToB3.cpp:
1100         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1101
1102 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1103
1104         [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4`
1105         https://bugs.webkit.org/show_bug.cgi?id=191877
1106
1107         Reviewed by Sam Weinig.
1108
1109         Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters.
1110
1111         * interpreter/ProtoCallFrame.h:
1112         * llint/LowLevelInterpreter32_64.asm:
1113         * llint/LowLevelInterpreter64.asm:
1114
1115 2018-11-21  Mark Lam  <mark.lam@apple.com>
1116
1117         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1118         https://bugs.webkit.org/show_bug.cgi?id=191776
1119         <rdar://problem/46152851>
1120
1121         Reviewed by Saam Barati.
1122
1123         * wasm/WasmMemory.cpp:
1124         (JSC::Wasm::Memory::tryCreate):
1125         - return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE.
1126           The clients will already do a null check and throw an OutOfMemoryError if needed.
1127         (JSC::Wasm::Memory::grow):
1128         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
1129         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1130         (JSC::constructJSWebAssemblyMemory):
1131         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
1132
1133 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1134
1135         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1136         https://bugs.webkit.org/show_bug.cgi?id=190836
1137
1138         Reviewed by Saam Barati and Yusuke Suzuki.
1139
1140         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
1141         where we allocate a BigInt trusting the length received as argument.
        With this additional method, we now check that the length passed to
        `JSBigInt::tryCreateWithLength` is not greater than JSBigInt::maxLength.
1144         When the length is greater than JSBigInt::maxLength, we then throw OOM
1145         exception.
1146         This required us to change the interface of some JSBigInt operations to
1147         receive `ExecState*` instead of `VM&`. We changed only operations that
1148         can throw because of OOM.
        We believe that this approach of throwing instead of finishing the
1150         execution abruptly is better because JS programs can catch such
1151         exception and handle this issue properly.
1152
1153         * dfg/DFGOperations.cpp:
1154         * jit/JITOperations.cpp:
1155         * runtime/CommonSlowPaths.cpp:
1156         (JSC::SLOW_PATH_DECL):
1157         * runtime/JSBigInt.cpp:
1158         (JSC::JSBigInt::createZero):
1159         (JSC::JSBigInt::tryCreateWithLength):
1160         (JSC::JSBigInt::createWithLengthUnchecked):
1161         (JSC::JSBigInt::createFrom):
1162         (JSC::JSBigInt::multiply):
1163         (JSC::JSBigInt::divide):
1164         (JSC::JSBigInt::copy):
1165         (JSC::JSBigInt::unaryMinus):
1166         (JSC::JSBigInt::remainder):
1167         (JSC::JSBigInt::add):
1168         (JSC::JSBigInt::sub):
1169         (JSC::JSBigInt::bitwiseAnd):
1170         (JSC::JSBigInt::bitwiseOr):
1171         (JSC::JSBigInt::bitwiseXor):
1172         (JSC::JSBigInt::absoluteAdd):
1173         (JSC::JSBigInt::absoluteSub):
1174         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
1175         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
1176         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
1177         (JSC::JSBigInt::absoluteBitwiseOp):
1178         (JSC::JSBigInt::absoluteAddOne):
1179         (JSC::JSBigInt::absoluteSubOne):
1180         (JSC::JSBigInt::toStringGeneric):
1181         (JSC::JSBigInt::rightTrim):
1182         (JSC::JSBigInt::allocateFor):
1183         (JSC::JSBigInt::createWithLength): Deleted.
1184         * runtime/JSBigInt.h:
1185         * runtime/Operations.cpp:
1186         (JSC::jsAddSlowCase):
1187         * runtime/Operations.h:
1188         (JSC::jsSub):
1189         (JSC::jsMul):
1190
1191 2018-11-20  Mark Lam  <mark.lam@apple.com>
1192
1193         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1194         https://bugs.webkit.org/show_bug.cgi?id=191856
1195         <rdar://problem/46089992>
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
1200         function is invalid because we can't be sure that the trap has been handled yet
1201         by the time the trap fires.  This is because the main thread may also check traps
1202         (in LLInt, baseline JIT and VM runtime code).  There's a race to handle the trap.
1203         Hence, the SigAction cannot assume that the trap still needs handling by the time
1204         it is executed.  This patch removed the invalid assertion.
1205
        Also renamed m_trapSet to m_condition because it is an AutomaticThreadCondition,
        and all the ways it is used are as a condvar.  The m_trapSet name doesn't seem
1208         appropriate nor meaningful.
1209
1210         * runtime/VMTraps.cpp:
1211         (JSC::VMTraps::tryInstallTrapBreakpoints):
1212         - Added a !needTrapHandling() check as an optimization: there's no need to install
1213           VMTrap breakpoints if someone already beat us to handling the trap (remember,
1214           the main thread is racing against the VMTraps signalling thread to handle the
1215           trap too).  We only need to install the VMTraps breakpoints if we need DFG/FTL
1216           compiled code to deopt so that they can check and handle pending traps.  If the
1217           trap has already been handled, it's better to not deopt any DFG/FTL functions.
1218
1219         (JSC::VMTraps::willDestroyVM):
1220         (JSC::VMTraps::fireTrap):
1221         (JSC::VMTraps::VMTraps):
1222         * runtime/VMTraps.h:
1223
1224 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1225
1226         Enable JIT on ARM/Linux
1227         https://bugs.webkit.org/show_bug.cgi?id=191548
1228
1229         Reviewed by Yusuke Suzuki.
1230
        Enable JIT by default on ARMv7/Linux after it was disabled with the
        recent bytecode format change.
1233
1234         * bytecode/CodeBlock.cpp:
1235         (JSC::CodeBlock::getICStatusMap):
1236         * bytecode/CodeBlock.h:
1237         (JSC::CodeBlock::metadata):
1238         * bytecode/InByIdStatus.cpp:
1239         (JSC::InByIdStatus::computeFor):
1240         * bytecode/Instruction.h:
1241         (JSC::Instruction::cast):
1242         * bytecode/MetadataTable.h:
1243         (JSC::MetadataTable::forEach):
1244         * bytecode/PutByIdStatus.cpp:
1245         (JSC::PutByIdStatus::computeFor):
1246         (JSC::PutByIdStatus::hasExitSite): Deleted.
1247         * bytecode/PutByIdStatus.h:
1248         * dfg/DFGOSRExit.cpp:
1249         (JSC::DFG::reifyInlinedCallFrames):
1250         * dfg/DFGOSRExitCompilerCommon.cpp:
1251         (JSC::DFG::reifyInlinedCallFrames):
1252         * generator/Argument.rb:
1253         * generator/Opcode.rb:
1254         * jit/GPRInfo.h:
1255         * jit/JIT.h:
1256         * jit/JITArithmetic32_64.cpp:
1257         (JSC::JIT::emit_compareAndJump):
1258         (JSC::JIT::emit_compareUnsignedAndJump):
1259         (JSC::JIT::emit_compareUnsigned):
1260         (JSC::JIT::emit_compareAndJumpSlow):
1261         (JSC::JIT::emit_op_unsigned):
1262         (JSC::JIT::emit_op_inc):
1263         (JSC::JIT::emit_op_dec):
1264         (JSC::JIT::emitBinaryDoubleOp):
1265         (JSC::JIT::emit_op_mod):
1266         (JSC::JIT::emitSlow_op_mod):
1267         * jit/JITCall32_64.cpp:
1268         (JSC::JIT::emitPutCallResult):
1269         (JSC::JIT::emit_op_ret):
1270         (JSC::JIT::emitSlow_op_call):
1271         (JSC::JIT::emitSlow_op_tail_call):
1272         (JSC::JIT::emitSlow_op_call_eval):
1273         (JSC::JIT::emitSlow_op_call_varargs):
1274         (JSC::JIT::emitSlow_op_tail_call_varargs):
1275         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
1276         (JSC::JIT::emitSlow_op_construct_varargs):
1277         (JSC::JIT::emitSlow_op_construct):
1278         (JSC::JIT::emit_op_call):
1279         (JSC::JIT::emit_op_tail_call):
1280         (JSC::JIT::emit_op_call_eval):
1281         (JSC::JIT::emit_op_call_varargs):
1282         (JSC::JIT::emit_op_tail_call_varargs):
1283         (JSC::JIT::emit_op_tail_call_forward_arguments):
1284         (JSC::JIT::emit_op_construct_varargs):
1285         (JSC::JIT::emit_op_construct):
1286         (JSC::JIT::compileSetupFrame):
1287         (JSC::JIT::compileCallEval):
1288         (JSC::JIT::compileCallEvalSlowCase):
1289         (JSC::JIT::compileOpCall):
1290         (JSC::JIT::compileOpCallSlowCase):
1291         (JSC::JIT::compileSetupVarargsFrame): Deleted.
1292         * jit/JITInlines.h:
1293         (JSC::JIT::updateTopCallFrame):
1294         * jit/JITOpcodes.cpp:
1295         (JSC::JIT::emit_op_catch):
1296         (JSC::JIT::emitSlow_op_loop_hint):
1297         * jit/JITOpcodes32_64.cpp:
1298         (JSC::JIT::emit_op_mov):
1299         (JSC::JIT::emit_op_end):
1300         (JSC::JIT::emit_op_jmp):
1301         (JSC::JIT::emit_op_new_object):
1302         (JSC::JIT::emitSlow_op_new_object):
1303         (JSC::JIT::emit_op_overrides_has_instance):
1304         (JSC::JIT::emit_op_instanceof):
1305         (JSC::JIT::emit_op_instanceof_custom):
1306         (JSC::JIT::emitSlow_op_instanceof):
1307         (JSC::JIT::emitSlow_op_instanceof_custom):
1308         (JSC::JIT::emit_op_is_empty):
1309         (JSC::JIT::emit_op_is_undefined):
1310         (JSC::JIT::emit_op_is_boolean):
1311         (JSC::JIT::emit_op_is_number):
1312         (JSC::JIT::emit_op_is_cell_with_type):
1313         (JSC::JIT::emit_op_is_object):
1314         (JSC::JIT::emit_op_to_primitive):
1315         (JSC::JIT::emit_op_set_function_name):
1316         (JSC::JIT::emit_op_not):
1317         (JSC::JIT::emit_op_jfalse):
1318         (JSC::JIT::emit_op_jtrue):
1319         (JSC::JIT::emit_op_jeq_null):
1320         (JSC::JIT::emit_op_jneq_null):
1321         (JSC::JIT::emit_op_jneq_ptr):
1322         (JSC::JIT::emit_op_eq):
1323         (JSC::JIT::emitSlow_op_eq):
1324         (JSC::JIT::emit_op_jeq):
1325         (JSC::JIT::emitSlow_op_jeq):
1326         (JSC::JIT::emit_op_neq):
1327         (JSC::JIT::emitSlow_op_neq):
1328         (JSC::JIT::emit_op_jneq):
1329         (JSC::JIT::emitSlow_op_jneq):
1330         (JSC::JIT::compileOpStrictEq):
1331         (JSC::JIT::emit_op_stricteq):
1332         (JSC::JIT::emit_op_nstricteq):
1333         (JSC::JIT::compileOpStrictEqJump):
1334         (JSC::JIT::emit_op_jstricteq):
1335         (JSC::JIT::emit_op_jnstricteq):
1336         (JSC::JIT::emitSlow_op_jstricteq):
1337         (JSC::JIT::emitSlow_op_jnstricteq):
1338         (JSC::JIT::emit_op_eq_null):
1339         (JSC::JIT::emit_op_neq_null):
1340         (JSC::JIT::emit_op_throw):
1341         (JSC::JIT::emit_op_to_number):
1342         (JSC::JIT::emit_op_to_string):
1343         (JSC::JIT::emit_op_to_object):
1344         (JSC::JIT::emit_op_catch):
1345         (JSC::JIT::emit_op_identity_with_profile):
1346         (JSC::JIT::emit_op_get_parent_scope):
1347         (JSC::JIT::emit_op_switch_imm):
1348         (JSC::JIT::emit_op_switch_char):
1349         (JSC::JIT::emit_op_switch_string):
1350         (JSC::JIT::emit_op_debug):
1351         (JSC::JIT::emit_op_enter):
1352         (JSC::JIT::emit_op_get_scope):
1353         (JSC::JIT::emit_op_create_this):
1354         (JSC::JIT::emit_op_to_this):
1355         (JSC::JIT::emit_op_check_tdz):
1356         (JSC::JIT::emit_op_has_structure_property):
1357         (JSC::JIT::privateCompileHasIndexedProperty):
1358         (JSC::JIT::emit_op_has_indexed_property):
1359         (JSC::JIT::emitSlow_op_has_indexed_property):
1360         (JSC::JIT::emit_op_get_direct_pname):
1361         (JSC::JIT::emit_op_enumerator_structure_pname):
1362         (JSC::JIT::emit_op_enumerator_generic_pname):
1363         (JSC::JIT::emit_op_profile_type):
1364         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1365         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1366         * jit/JITPropertyAccess32_64.cpp:
1367         (JSC::JIT::emit_op_put_getter_by_id):
1368         (JSC::JIT::emit_op_put_setter_by_id):
1369         (JSC::JIT::emit_op_put_getter_setter_by_id):
1370         (JSC::JIT::emit_op_put_getter_by_val):
1371         (JSC::JIT::emit_op_put_setter_by_val):
1372         (JSC::JIT::emit_op_del_by_id):
1373         (JSC::JIT::emit_op_del_by_val):
1374         (JSC::JIT::emit_op_get_by_val):
1375         (JSC::JIT::emitGetByValWithCachedId):
1376         (JSC::JIT::emitSlow_op_get_by_val):
1377         (JSC::JIT::emit_op_put_by_val_direct):
1378         (JSC::JIT::emit_op_put_by_val):
1379         (JSC::JIT::emitGenericContiguousPutByVal):
1380         (JSC::JIT::emitArrayStoragePutByVal):
1381         (JSC::JIT::emitPutByValWithCachedId):
1382         (JSC::JIT::emitSlow_op_put_by_val):
1383         (JSC::JIT::emit_op_try_get_by_id):
1384         (JSC::JIT::emitSlow_op_try_get_by_id):
1385         (JSC::JIT::emit_op_get_by_id_direct):
1386         (JSC::JIT::emitSlow_op_get_by_id_direct):
1387         (JSC::JIT::emit_op_get_by_id):
1388         (JSC::JIT::emitSlow_op_get_by_id):
1389         (JSC::JIT::emit_op_get_by_id_with_this):
1390         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1391         (JSC::JIT::emit_op_put_by_id):
1392         (JSC::JIT::emitSlow_op_put_by_id):
1393         (JSC::JIT::emit_op_in_by_id):
1394         (JSC::JIT::emitSlow_op_in_by_id):
1395         (JSC::JIT::emit_op_resolve_scope):
1396         (JSC::JIT::emit_op_get_from_scope):
1397         (JSC::JIT::emitSlow_op_get_from_scope):
1398         (JSC::JIT::emit_op_put_to_scope):
1399         (JSC::JIT::emitSlow_op_put_to_scope):
1400         (JSC::JIT::emit_op_get_from_arguments):
1401         (JSC::JIT::emit_op_put_to_arguments):
1402         * jit/RegisterSet.cpp:
1403         (JSC::RegisterSet::vmCalleeSaveRegisters):
1404         * llint/LLIntData.cpp:
1405         (JSC::LLInt::Data::performAssertions):
1406         * llint/LowLevelInterpreter.asm:
1407         * runtime/SamplingProfiler.cpp:
1408         (JSC::tryGetBytecodeIndex):
1409
1410 2018-11-20  Saam barati  <sbarati@apple.com>
1411
1412         Merging an IC variant may lead to the IC status containing overlapping structure sets
1413         https://bugs.webkit.org/show_bug.cgi?id=191869
1414         <rdar://problem/45403453>
1415
1416         Reviewed by Mark Lam.
1417
1418         When merging two IC variant lists, we may end up in a world where we have
1419         overlapping structure sets. We defend against this when we append a new
1420         variant, but we should also defend against it once we merge in a new variant.
1421         
1422         Consider this case with MultiPutByOffset, where we merge two PutByIdStatuses
1423         together, P1 and P2.
1424         
1425         Let's consider these structures:
1426         s1 = {}
1427         s2 = {p: 0}
1428         s3 = {p: 0, p2: 1}
1429         
1430         P1 contains these variants:
1431         Transition: [s1 => s2]
1432         Replace: [s2, s3]
1433         
1434         P2 contains:
1435         Replace: [s2]
1436         
1437         Because of the ordering of the variants, we may end up combining
1438         P2's replace into P1's transition, forming this new list:
1439         Transition: [(s1, s2) => s2]
1440         Replace: [s2, s3]
1441         
1442         Obviously the ideal thing here is to have some ordering when we merge
1443         in variants to choose the most ideal option. It'd be ideal for P2's
1444         Replace to be merged into P1's replace.
1445         
1446         If we notice that this is super important, we can implement some kind
1447         of ordering. None of our tests (until this patch) stress this. This patch
1448         just makes it so we defend against this crazy scenario by falling back
1449         to the slow path gracefully. This prevents us from emitting invalid
1450         IR in FTL->B3 lowering by creating a switch with two case labels being
1451         identical values.
1452
1453         * bytecode/ICStatusUtils.h:
1454         (JSC::appendICStatusVariant):
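
        The merge hazard described in this entry, as an added example that is not JSC's own code: a simplified model in which structures are plain integers, a Replace variant has no target structure, and the merge rules in attemptToMerge() are an assumed simplification of the real variant merging. It reproduces the P1/P2 scenario above and shows why the list has to be re-checked for overlap after a merge, not only on a plain append.

```cpp
// Added example, not code from JSC: a simplified model of how an IC status
// merges put-by-id variants and why the merged list must be re-checked for
// overlapping structure sets. Structures are plain integers here, a Replace
// variant has no target structure, and the merge rules below are an assumed
// simplification of the real merge logic.
#include <cstddef>
#include <optional>
#include <set>
#include <vector>

struct Variant {
    std::set<int> oldStructures;      // structures this variant is selected for
    std::optional<int> newStructure;  // Transition target; empty for Replace
    int offset;                       // property slot the IC stores to

    bool isTransition() const { return newStructure.has_value(); }
};

// Two variants overlap when some structure would be dispatched to both. In the
// FTL this is the "switch with two identical case labels" the entry mentions.
static bool overlaps(const Variant& a, const Variant& b)
{
    for (int s : a.oldStructures) {
        if (b.oldStructures.count(s))
            return true;
    }
    return false;
}

static bool listHasOverlap(const std::vector<Variant>& list)
{
    for (std::size_t i = 0; i < list.size(); ++i) {
        for (std::size_t j = i + 1; j < list.size(); ++j) {
            if (overlaps(list[i], list[j]))
                return true;
        }
    }
    return false;
}

// Fold `other` into `target` when they perform the same store (assumed rules):
// Replace+Replace at one offset union their sets; a Replace on exactly the
// structure a Transition produces is absorbed by that Transition, because the
// store goes to the same slot either way. This second rule is what turns
// "Transition [s1 => s2]" into "Transition [(s1, s2) => s2]" in the scenario above.
static bool attemptToMerge(Variant& target, const Variant& other)
{
    if (target.offset != other.offset)
        return false;
    if (!target.isTransition() && !other.isTransition()) {
        target.oldStructures.insert(other.oldStructures.begin(), other.oldStructures.end());
        return true;
    }
    if (target.isTransition() && !other.isTransition()
        && other.oldStructures.size() == 1
        && *other.oldStructures.begin() == *target.newStructure) {
        target.oldStructures.insert(*target.newStructure);
        return true;
    }
    return false;
}

// Returns true if `variant` was merged or appended and the list is still
// disjoint. Returns false when the IC must be abandoned for the slow path;
// the caller then discards `list`, which may have been mutated by the merge.
static bool appendVariant(std::vector<Variant>& list, const Variant& variant)
{
    for (Variant& existing : list) {
        if (attemptToMerge(existing, variant))
            return !listHasOverlap(list);  // the fix: re-validate after merging
    }
    for (const Variant& existing : list) {
        if (overlaps(existing, variant))
            return false;  // the pre-existing defence on a plain append
    }
    list.push_back(variant);
    return true;
}

// The scenario from the entry: P1 = {Transition [s1 => s2], Replace [s2, s3]},
// then P2's Replace [s2] is merged in. Returns whether the IC survives.
static bool mergeScenarioFromEntry()
{
    std::vector<Variant> p1 = {
        Variant{{1}, 2, 0},               // Transition: s1 => s2
        Variant{{2, 3}, std::nullopt, 0}  // Replace: s2, s3
    };
    return appendVariant(p1, Variant{{2}, std::nullopt, 0});  // false: slow path
}
```

        Without the post-merge check, appendVariant() would report success while the first variant's set {s1, s2} and the second's {s2, s3} both claim s2, which is exactly the state that produced duplicate switch cases in FTL lowering.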
1455
1456 2018-11-20  Fujii Hironori  <Hironori.Fujii@sony.com>
1457
1458         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1459         https://bugs.webkit.org/show_bug.cgi?id=191626
1460         <rdar://problem/46161064>
1461
1462         Unreviewed, adding a comment for my change r238366.
1463
1464         * runtime/Structure.h: Added a comment for Structure::create.
1465
1466 2018-11-19  Mark Lam  <mark.lam@apple.com>
1467
1468         globalFuncImportModule() should return a promise when it clears exceptions.
1469         https://bugs.webkit.org/show_bug.cgi?id=191792
1470         <rdar://problem/46090763>
1471
1472         Reviewed by Michael Saboff.
1473
1474         If we're clearing the exceptions in a CatchScope, then it means that we've handled
1475         the exception, and are able to proceed in a normal manner.  Hence, we should not
1476         return the empty JSValue in this case: instead, we should return a Promise as
1477         expected by import's API.
1478
1479         The only time when we can't return a promise is when we fail to create a Promise.
1480         In that case, we should be propagating the exception.
1481
1482         Hence, globalFuncImportModule() contains a ThrowScope (for propagating the
1483         exception that arises from failure to create the Promise) wrapping a CatchScope
1484         (for catching any exception that arises from failure to execute the import).
1485
1486         Also fixed similar issues, and some exception check issues in JSModuleLoader and
1487         the jsc shell.
1488
1489         * jsc.cpp:
1490         (GlobalObject::moduleLoaderImportModule):
1491         (GlobalObject::moduleLoaderFetch):
1492         * runtime/JSGlobalObjectFunctions.cpp:
1493         (JSC::globalFuncImportModule):
1494         * runtime/JSModuleLoader.cpp:
1495         (JSC::JSModuleLoader::loadAndEvaluateModule):
1496         (JSC::JSModuleLoader::loadModule):
1497         (JSC::JSModuleLoader::requestImportModule):
1498         (JSC::JSModuleLoader::importModule):
1499         (JSC::JSModuleLoader::resolve):
1500         (JSC::JSModuleLoader::fetch):
1501         (JSC::moduleLoaderParseModule):
1502         (JSC::moduleLoaderResolveSync):
1503
1504 2018-11-19  Alex Christensen  <achristensen@webkit.org>
1505
1506         Add SPI to disable JIT in a WKWebView
1507         https://bugs.webkit.org/show_bug.cgi?id=191822
1508         <rdar://problem/28119360>
1509
1510         Reviewed by Geoffrey Garen.
1511
1512         * jit/ExecutableAllocator.cpp:
1513         (JSC::jitDisabled):
1514         (JSC::allowJIT):
1515         (JSC::ExecutableAllocator::setJITEnabled):
1516         * jit/ExecutableAllocator.h:
1517         (JSC::ExecutableAllocator::setJITEnabled):
1518
1519 2018-11-19  Fujii Hironori  <Hironori.Fujii@sony.com>
1520
1521         [MSVC] X86Assembler.h(108): error C2666: 'WebCore::operator -': 7 overloads have similar conversions
1522         https://bugs.webkit.org/show_bug.cgi?id=189467
1523         <rdar://problem/44290945>
1524
1525         Reviewed by Mark Lam.
1526
1527         This issue has happened several times. And, it seems that it will
1528         take more time for Microsoft to fix the MSVC bug. We need an
1529         effective workaround not to repeat this issue until they fix MSVC.
1530
1531         Remove ": int8_t" of RegisterID only for COMPILER(MSVC).
1532
1533         * assembler/X86Assembler.h: Added JSC_X86_ASM_REGISTER_ID_ENUM_BASE_TYPE macro.
1534
1535 2018-11-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1536
1537         [WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper
1538         https://bugs.webkit.org/show_bug.cgi?id=190512
1539
1540         Reviewed by Keith Miller.
1541
1542         This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this
1543         check can be done when compiling the function, we should encode the result into the generated wrapper instead of
1544         checking every time we call callWebAssemblyFunction. This change is also one of the steps removing callWebAssemblyFunction
1545         entirely.
1546
1547         * wasm/WasmExceptionType.h:
1548         * wasm/js/JSToWasm.cpp:
1549         (JSC::Wasm::createJSToWasmWrapper):
1550         * wasm/js/WebAssemblyFunction.cpp:
1551         (JSC::callWebAssemblyFunction):
1552         * wasm/js/WebAssemblyWrapperFunction.cpp:
1553         (JSC::callWebAssemblyWrapperFunction):
1554
1555 2018-11-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1556
1557         Consider removing double load for accessing the instructions from LLInt
1558         https://bugs.webkit.org/show_bug.cgi?id=190932
1559
1560         Reviewed by Mark Lam.
1561
1562         Changing InstructionStream to RefCountedArray like structure involves so many changes
1563         including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply holds a raw
1564         pointer to the InstructionStream's data. Since InstructionStream is not changed
1565         anymore, this pointer is valid while CodeBlock is live.
1566
1567         * bytecode/CodeBlock.cpp:
1568         (JSC::CodeBlock::CodeBlock):
1569         * bytecode/CodeBlock.h:
1570         * bytecode/InstructionStream.h:
1571         (JSC::InstructionStream::rawPointer const):
1572         * llint/LowLevelInterpreter.asm:
1573         * llint/LowLevelInterpreter32_64.asm:
1574         * llint/LowLevelInterpreter64.asm:
1575
1576 2018-11-18  Fujii Hironori  <Hironori.Fujii@sony.com>
1577
1578         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1579         https://bugs.webkit.org/show_bug.cgi?id=191626
1580
1581         Reviewed by Yusuke Suzuki.
1582
1583         JSC::Structure::create is used everywhere. It should be defined in
1584         Structure.h, not in StructureInlines.h.
1585
1586         * runtime/Structure.h:
1587         (JSC::Structure::create): Moved.
1588         * runtime/StructureInlines.h: Moved JSC::Structure::create.
1589
1590 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1591
1592         Unreviewed, rolling in the rest of r237254
1593         https://bugs.webkit.org/show_bug.cgi?id=190340
1594
1595         * parser/ParserModes.h:
1596         * parser/ParserTokens.h:
1597         (JSC::JSTextPosition::JSTextPosition):
1598         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
1599         * runtime/CodeCache.cpp:
1600         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1601         * runtime/FunctionConstructor.cpp:
1602         (JSC::constructFunctionSkippingEvalEnabledCheck):
1603
1604 2018-11-17  Devin Rousso  <drousso@apple.com>
1605
1606         Web Inspector: Network: add button to show system certificate dialog
1607         https://bugs.webkit.org/show_bug.cgi?id=191458
1608         <rdar://problem/45977019>
1609
1610         Reviewed by Joseph Pecoraro.
1611
1612         * inspector/protocol/Network.json:
1613         Add `getSerializedCertificate` command.
1614
1615 2018-11-17  Dominik Infuehr  <dinfuehr@igalia.com>
1616
1617         Fix build with disabled DFG/FTL
1618         https://bugs.webkit.org/show_bug.cgi?id=191256
1619
1620         Reviewed by Yusuke Suzuki.
1621
1622         Fix compilation errors and warnings with both DFG and FTL
1623         disabled at compile-time.
1624
1625         * bytecode/CodeBlock.cpp:
1626         (JSC::CodeBlock::getICStatusMap):
1627         * bytecode/InByIdStatus.cpp:
1628         (JSC::InByIdStatus::computeFor):
1629         * bytecode/PutByIdStatus.cpp:
1630         (JSC::PutByIdStatus::computeFor):
1631         (JSC::PutByIdStatus::hasExitSite): Deleted.
1632         * bytecode/PutByIdStatus.h:
1633         * jit/JITOpcodes.cpp:
1634         (JSC::JIT::emit_op_catch):
1635
1636 2018-11-16  Joseph Pecoraro  <pecoraro@apple.com>
1637
1638         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Local Inspector)
1639         https://bugs.webkit.org/show_bug.cgi?id=191740
1640         <rdar://problem/45470897>
1641
1642         Reviewed by Timothy Hatcher.
1643
1644         * inspector/InspectorFrontendChannel.h:
1645         Expose EnumTraits for ConnectionType for WebKit IPC messages.
1646
1647 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1648
1649         All users of ArrayBuffer should agree on the same max size
1650         https://bugs.webkit.org/show_bug.cgi?id=191771
1651
1652         Reviewed by Mark Lam.
1653
1654         Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
1655         a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
1656         instead.
1657
1658         * runtime/ArrayBuffer.cpp:
1659         (JSC::ArrayBufferContents::ArrayBufferContents):
1660         (JSC::ArrayBufferContents::tryAllocate):
1661         (JSC::ArrayBufferContents::transferTo):
1662         (JSC::ArrayBufferContents::copyTo):
1663         (JSC::ArrayBufferContents::shareWith):
1664         * runtime/ArrayBuffer.h:
1665         * wasm/WasmMemory.cpp:
1666         (JSC::Wasm::Memory::tryCreate):
1667         (JSC::Wasm::Memory::grow):
1668         * wasm/WasmPageCount.h:
1669
1670 2018-11-16  Saam Barati  <sbarati@apple.com>
1671
1672         KnownCellUse should also have SpecCellCheck as its type filter
1673         https://bugs.webkit.org/show_bug.cgi?id=191729
1674         <rdar://problem/45872852>
1675
1676         Reviewed by Filip Pizlo.
1677
1678         We write transformations in the compiler like this where we emit edges with
1679         KnownCellUse if we know we're inserting code at a point where we're dominated
1680         by a Cell check:
1681         
1682         a: SomeValue
1683         b: Something(Cell:@a)
1684         c: SomethingElse(@b)
1685         d: CheckNotEmpty(@a)
1686         
1687         =>
1688         
1689         a: SomeValue
1690         b: Something(Cell:@a)
1691         e: RandomOtherThing(KnownCellUse:@a)
1692         c: SomethingElse(@b)
1693         d: CheckNotEmpty(@a)
1694         
1695         However, doing this used to lead to subtly incorrect programs since KnownCellUse
1696         did not allow the empty value to flow through it. We used to end up incorrectly
1697         deleting @d in the above program. We fix this by making KnownCellUse allow the empty
1698         value to flow through.
1699
1700         * dfg/DFGUseKind.h:
1701         (JSC::DFG::typeFilterFor):
1702
1703 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1704
1705         Fix assertion failure on BytecodeGenerator::recordOpcode
1706         https://bugs.webkit.org/show_bug.cgi?id=191724
1707         <rdar://problem/45724395>
1708
1709         Reviewed by Saam Barati.
1710
1711         Since https://bugs.webkit.org/show_bug.cgi?id=187373, we were not
1712         restoring m_lastInstruction after patching the bytecode when
1713         finalizing StructureForInContexts, only m_lastOpcodeID, which led to
1714         the assertion failure.
1715
1716         * bytecompiler/BytecodeGenerator.cpp:
1717         (JSC::StructureForInContext::finalize):
1718
1719 2018-11-15  Mark Lam  <mark.lam@apple.com>
1720
1721         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1722         https://bugs.webkit.org/show_bug.cgi?id=191730
1723         <rdar://problem/46048517>
1724
1725         Reviewed by Saam Barati.
1726
1727         According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
1728         the RegExp match results are filled in using the spec's CreateDataProperty()
1729         function which does not consult the prototype for setters.  JSArray::push()
1730         consults the prototype for setters.  We should be using putDirectIndex() instead.
1731
1732         * runtime/RegExpObjectInlines.h:
1733         (JSC::collectMatches):
1734
1735 2018-11-15  Mark Lam  <mark.lam@apple.com>
1736
1737         RegExp operations should not take fast path if lastIndex is not numeric.
1738         https://bugs.webkit.org/show_bug.cgi?id=191731
1739         <rdar://problem/46017305>
1740
1741         Reviewed by Saam Barati.
1742
1743         This is because if lastIndex is an object with a valueOf() method, it can execute
1744         arbitrary code which may have side effects, and side effects are not permitted by
1745         the RegExp fast paths.
1746
1747         * builtins/RegExpPrototype.js:
1748         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
1749         (overriddenName.string_appeared_here.search):
1750         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
1751         (intrinsic.RegExpTestIntrinsic.test):
1752         * builtins/StringPrototype.js:
1753         (globalPrivate.hasObservableSideEffectsForStringReplace):
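
        The two observable side effects behind this entry and the collectMatches entry above it, as an added example that is not JSC's code: an indexed setter on Array.prototype (which push() consults but CreateDataProperty does not), and a lastIndex object whose valueOf() runs user code in the middle of RegExp.prototype.test. Both hooks are constructed for the demonstration; they are the kind of observable behaviour the side-effect-free fast paths have to bail out on.

```javascript
// Added example, not JSC code: two ways an Array/RegExp operation becomes
// observable to user code, which is why an engine's side-effect-free fast
// paths must bail out whenever these are possible. The setter and valueOf
// hooks below are constructed for the demonstration.

// 1. Array.prototype.push uses [[Set]], which walks the prototype chain, so an
//    indexed setter on Array.prototype fires and swallows the value. The spec's
//    CreateDataProperty (used to build RegExp match results) defines an own
//    property and never consults the prototype.
function prototypeSetterObservations() {
    let hits = 0;
    Object.defineProperty(Array.prototype, '0', {
        configurable: true,
        set(_value) { hits += 1; },
    });
    try {
        const viaPush = [];
        viaPush.push('x');                  // setter runs, no own element is created
        const pushHits = hits;
        const viaMatch = 'aa'.match(/a/g);  // results built with CreateDataProperty
        const matchHits = hits - pushHits;
        return {
            pushHits,
            pushLength: viaPush.length,
            pushFirst: viaPush[0],          // undefined: the value went to the setter
            matchHits,
            matchFirst: viaMatch[0],        // 'a': stored as an own property
        };
    } finally {
        delete Array.prototype[0];          // undo the pollution for later code
    }
}

// 2. lastIndex is passed through ToLength, so an object with valueOf() runs
//    arbitrary code inside test()/exec() and even picks the start position.
//    A sticky regexp makes the chosen position visible in the result.
function lastIndexValueOfObservations() {
    const re = /b/y;
    const log = [];
    re.lastIndex = {
        valueOf() {
            log.push('valueOf ran inside RegExp.prototype.test');
            return 1;                       // start matching at index 1
        },
    };
    const matched = re.test('ab');          // true: 'b' sits at index 1
    return { matched, log, lastIndexAfter: re.lastIndex };  // lastIndex becomes 2
}
```

        The first function shows why filling match results with push() would let a polluted Array.prototype intercept every captured string; the second shows that a non-numeric lastIndex can run arbitrary code between the moment a fast path inspects the RegExp and the moment it matches.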
1754
1755 2018-11-15  Keith Rollin  <krollin@apple.com>
1756
1757         Delete old .xcfilelist files
1758         https://bugs.webkit.org/show_bug.cgi?id=191669
1759         <rdar://problem/46081994>
1760
1761         Reviewed by Chris Dumez.
1762
1763         .xcfilelist files were created and added to the Xcode project files in
1764         https://trac.webkit.org/changeset/238008/webkit. However, they caused
1765         build issues and they were removed from the Xcode projects in
1766         https://trac.webkit.org/changeset/238055/webkit. This check-in removes
1767         the files from the repository altogether. They'll ultimately be
1768         replaced with new files with names that indicate whether the
1769         associated files are inputs to the Run Script phase or are files
1770         created by the Run Script phase.
1771
1772         * DerivedSources.xcfilelist: Removed.
1773         * UnifiedSources.xcfilelist: Removed.
1774
1775 2018-11-14  Keith Rollin  <krollin@apple.com>
1776
1777         Move scripts for Derived and Unified Sources to external files
1778         https://bugs.webkit.org/show_bug.cgi?id=191670
1779         <rdar://problem/46082278>
1780
1781         Reviewed by Keith Miller.
1782
1783         Move the scripts in the Generate Derived Sources and Generate Unified
1784         Sources Run Script phases from the Xcode projects to external shell
1785         script files. Then invoke those scripts from the Run Script phases.
1786         This refactoring is being performed to support later work that will
1787         invoke these scripts in other contexts.
1788
1789         The scripts were maintained as-is when making the move. I did a little
1790         reformatting and added 'set -e' to the top of each file, but that's
1791         it.
1792
1793         * JavaScriptCore.xcodeproj/project.pbxproj:
1794         * Scripts/generate-derived-sources.sh: Added.
1795         * Scripts/generate-unified-sources.sh: Added.
1796
1797 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1798
1799         Web Inspector: Pass Inspector::FrontendChannel as a reference connect/disconnect methods
1800         https://bugs.webkit.org/show_bug.cgi?id=191612
1801
1802         Reviewed by Matt Baker.
1803
1804         * inspector/InspectorFrontendRouter.cpp:
1805         (Inspector::FrontendRouter::connectFrontend):
1806         (Inspector::FrontendRouter::disconnectFrontend):
1807         * inspector/InspectorFrontendRouter.h:
1808         * inspector/JSGlobalObjectInspectorController.cpp:
1809         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1810         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1811         * inspector/JSGlobalObjectInspectorController.h:
1812         * inspector/remote/RemoteControllableTarget.h:
1813         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
1814         (Inspector::RemoteConnectionToTarget::setup):
1815         (Inspector::RemoteConnectionToTarget::close):
1816         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
1817         (Inspector::RemoteConnectionToTarget::setup):
1818         (Inspector::RemoteConnectionToTarget::close):
1819         * runtime/JSGlobalObjectDebuggable.cpp:
1820         (JSC::JSGlobalObjectDebuggable::connect):
1821         (JSC::JSGlobalObjectDebuggable::disconnect):
1822         * runtime/JSGlobalObjectDebuggable.h:
1823
1824 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1825
1826         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Remote Inspector)
1827         https://bugs.webkit.org/show_bug.cgi?id=191494
1828         <rdar://problem/45469854>
1829
1830         Reviewed by Devin Rousso.
1831
1832         * CMakeLists.txt:
1833         * DerivedSources.make:
1834         * JavaScriptCore.xcodeproj/project.pbxproj:
1835         * Sources.txt:
1836         New domain and resources.
1837
1838         * inspector/protocol/Target.json: Added.
1839         New protocol domain, modeled after Worker.json, to allow for
1840         multiplexing between different targets.
1841
1842         * inspector/InspectorTarget.h:
1843         Each target will instantiate an InspectorTarget and must
1844         provide an identifier, type, and means of connecting/disconnecting
1845         to a frontend channel.
1846
1847         * inspector/agents/InspectorTargetAgent.cpp: Added.
1848         (Inspector::InspectorTargetAgent::InspectorTargetAgent):
1849         (Inspector::InspectorTargetAgent::didCreateFrontendAndBackend):
1850         (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend):
1851         (Inspector::InspectorTargetAgent::exists):
1852         (Inspector::InspectorTargetAgent::initialized):
1853         (Inspector::InspectorTargetAgent::sendMessageToTarget):
1854         (Inspector::InspectorTargetAgent::sendMessageFromTargetToFrontend):
1855         (Inspector::targetTypeToProtocolType):
1856         (Inspector::buildTargetInfoObject):
1857         (Inspector::InspectorTargetAgent::targetCreated):
1858         (Inspector::InspectorTargetAgent::targetTerminated):
1859         (Inspector::InspectorTargetAgent::connectToTargets):
1860         (Inspector::InspectorTargetAgent::disconnectFromTargets):
1861         * inspector/agents/InspectorTargetAgent.h: Added.
1862         TargetAgent holds a list of targets, and connects/disconnects to each
1863         of the targets when a frontend connects/disconnects.
1864
1865         * inspector/scripts/codegen/generator.py:
1866         Better enum casing of ServiceWorker.
1867
1868 2018-11-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1869
1870         Unreviewed, rolling in CodeCache in r237254
1871         https://bugs.webkit.org/show_bug.cgi?id=190340
1872
1873         Land the CodeCache part without adding an additional hash value.
1874
1875         * bytecode/UnlinkedFunctionExecutable.cpp:
1876         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1877         * bytecode/UnlinkedFunctionExecutable.h:
1878         * parser/SourceCodeKey.h:
1879         (JSC::SourceCodeKey::SourceCodeKey):
1880         (JSC::SourceCodeKey::operator== const):
1881         * runtime/CodeCache.cpp:
1882         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1883         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1884         * runtime/CodeCache.h:
1885         * runtime/FunctionConstructor.cpp:
1886         (JSC::constructFunctionSkippingEvalEnabledCheck):
1887         * runtime/FunctionExecutable.cpp:
1888         (JSC::FunctionExecutable::fromGlobalCode):
1889         * runtime/FunctionExecutable.h:
1890
1891 2018-11-13  Saam Barati  <sbarati@apple.com>
1892
1893         ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception
1894         https://bugs.webkit.org/show_bug.cgi?id=191601
1895
1896         Reviewed by Mark Lam.
1897
1898         This doesn't fix any bugs today, but it may reduce future bugs. It was
1899         always weird that ProxyObject::getOwnPropertySlot with VMInquiry might
1900         throw a stack overflow error instead of just returning false like it
1901         normally does when VMInquiry is passed in.
1902
1903         * runtime/ProxyObject.cpp:
1904         (JSC::ProxyObject::getOwnPropertySlotCommon):
1905
1906 2018-11-13  Saam Barati  <sbarati@apple.com>
1907
1908         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1909         https://bugs.webkit.org/show_bug.cgi?id=191600
1910
1911         Reviewed by Mark Lam.
1912
1913         processLogEntries will call into calculatedClassName, which will clear
1914         any exceptions it encounters (it assumes that they're stack overflow exceptions).
1915         However, this code may be called when an exception is already pending on the 
1916         VM (e.g, when we throw an exception in the DFG, we compile an OSR exit
1917         offramp, which may compile a baseline codeblock, which will process
1918         the type profiler log). To get around this, processLogEntries should stash
1919         away and re-apply any pending exceptions.
1920
1921         * dfg/DFGDriver.cpp:
1922         (JSC::DFG::compileImpl):
1923         * dfg/DFGOperations.cpp:
1924         * inspector/agents/InspectorRuntimeAgent.cpp:
1925         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1926         * jit/JIT.cpp:
1927         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1928         * jit/JITOperations.cpp:
1929         * runtime/CommonSlowPaths.cpp:
1930         (JSC::SLOW_PATH_DECL):
1931         * runtime/TypeProfilerLog.cpp:
1932         (JSC::TypeProfilerLog::processLogEntries):
1933         * runtime/TypeProfilerLog.h:
1934         * runtime/VM.cpp:
1935         (JSC::VM::dumpTypeProfilerData):
1936         * runtime/VM.h:
1937         (JSC::VM::DeferExceptionScope::DeferExceptionScope):
1938         * tools/JSDollarVM.cpp:
1939         (JSC::functionFindTypeForExpression):
1940         (JSC::functionReturnTypeFor):
1941
1942 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1943
1944         Unreviewed, rolling out r238132.
1945
1946         The test added with this change is timing out on Debug JSC
1947         bots.
1948
1949         Reverted changeset:
1950
1951         "[BigInt] JSBigInt::createWithLength should throw when length
1952         is greater than JSBigInt::maxLength"
1953         https://bugs.webkit.org/show_bug.cgi?id=190836
1954         https://trac.webkit.org/changeset/238132
1955
1956 2018-11-12  Mark Lam  <mark.lam@apple.com>
1957
1958         Add OOM detection to StringPrototype's substituteBackreferences().
1959         https://bugs.webkit.org/show_bug.cgi?id=191563
1960         <rdar://problem/45720428>
1961
1962         Reviewed by Saam Barati.
1963
1964         * dfg/DFGStrengthReductionPhase.cpp:
1965         (JSC::DFG::StrengthReductionPhase::handleNode):
1966         * runtime/StringPrototype.cpp:
1967         (JSC::substituteBackreferencesSlow):
1968         (JSC::substituteBackreferencesInline):
1969         (JSC::substituteBackreferences):
1970         (JSC::replaceUsingRegExpSearch):
1971         (JSC::replaceUsingStringSearch):
1972         * runtime/StringPrototype.h:
1973
1974 2018-11-13  Mark Lam  <mark.lam@apple.com>
1975
1976         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1977         https://bugs.webkit.org/show_bug.cgi?id=191579
1978         <rdar://problem/45942472>
1979
1980         Reviewed by Saam Barati.
1981
1982         Both of these functions do a lot of work.  It would be good for the topCallFrame
1983         to be correct should we need to throw an exception.
1984
1985         For example, we've observed the following crash trace:
1986
1987           * frame #0: WTFCrash() at Assertions.cpp:253
1988             frame #1: ...
1989             frame #2: JSC::StructureIDTable::get(this=0x00006040000162f0, structureID=1874583248) at StructureIDTable.h:129
1990             frame #3: JSC::VM::getStructure(this=0x0000604000016210, id=4022066896) at VM.h:705
1991             frame #4: JSC::JSCell::structure(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:125
1992             frame #5: JSC::JSCell::classInfo(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:335
1993             frame #6: JSC::JSCell::inherits(this=0x00007ffeefbbde30, vm=0x0000604000016210, info=0x0000000105eaf020) const at JSCellInlines.h:302
1994             frame #7: JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(from=0x00007ffeefbbde30) at JSCast.h:36
1995             frame #8: JSC::asObject(cell=0x00007ffeefbbde30) at JSObject.h:1299
1996             frame #9: JSC::asObject(value=JSValue @ 0x00007ffeefbba380) at JSObject.h:1304
1997             frame #10: JSC::Register::object(this=0x00007ffeefbbdd58) const at JSObject.h:1514
1998             frame #11: JSC::ExecState::jsCallee(this=0x00007ffeefbbdd40) const at CallFrame.h:107
1999             frame #12: JSC::ExecState::isStackOverflowFrame(this=0x00007ffeefbbdd40) const at CallFrameInlines.h:36
2000             frame #13: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:52
2001             frame #14: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:41
2002             frame #15: void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long, unsigned long)::$_3>(startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800, functor=0x00007ffeefbbaa60)::$_3 const&) at StackVisitor.h:147
2003             frame #16: JSC::Interpreter::getStackTrace(this=0x0000602000005db0, owner=0x000062d00020cbe0, results=0x00006020000249d0, framesToSkip=0, maxStackSize=1) at Interpreter.cpp:437
2004             frame #17: JSC::getStackTrace(exec=0x000062d00002c048, vm=0x0000631000000800, obj=0x000062d00020cbe0, useCurrentFrame=true) at Error.cpp:170
2005             frame #18: JSC::ErrorInstance::finishCreation(this=0x000062d00020cbe0, exec=0x000062d00002c048, vm=0x0000631000000800, message=0x00007ffeefbbb800, useCurrentFrame=true) at ErrorInstance.cpp:119
2006             frame #19: JSC::ErrorInstance::create(exec=0x000062d00002c048, vm=0x0000631000000800, structure=0x000062d0000f5730, message=0x00007ffeefbbb800, appender=0x0000000000000000, type=TypeNothing, useCurrentFrame=true)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) at ErrorInstance.h:49
2007             frame #20: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800, appender=0x0000000000000000)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) at Error.cpp:68
2008             frame #21: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800) at Error.cpp:316
2009             frame #22: JSC::createStackOverflowError(exec=0x000062d00002c048, globalObject=0x000062d00002c000) at ExceptionHelpers.cpp:77
2010             frame #23: JSC::createStackOverflowError(exec=0x000062d00002c048) at ExceptionHelpers.cpp:72
2011             frame #24: JSC::throwStackOverflowError(exec=0x000062d00002c048, scope=0x00007ffeefbbbaa0) at ExceptionHelpers.cpp:335
2012             frame #25: JSC::ProxyObject::getOwnPropertySlotCommon(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbba80, slot=0x00007ffeefbbc720) at ProxyObject.cpp:372
2013             frame #26: JSC::ProxyObject::getOwnPropertySlot(object=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbd40, slot=0x00007ffeefbbc720) at ProxyObject.cpp:395
2014             frame #27: JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbea0, slot=0x00007ffeefbbc720) at JSObjectInlines.h:150
2015             frame #28: bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbc320, slot=0x00007ffeefbbc720) at JSObject.h:1424
2016             frame #29: JSC::JSObject::calculatedClassName(object=0x000062d000200e40) at JSObject.cpp:535
2017             frame #30: JSC::Structure::toStructureShape(this=0x000062d000007410, value=JSValue @ 0x00007ffeefbbcae0, sawPolyProtoStructure=0x00007ffeefbbcf60) at Structure.cpp:1142
2018             frame #31: JSC::TypeProfilerLog::processLogEntries(this=0x000060400000a950, reason=0x00007ffeefbbd5c0) at TypeProfilerLog.cpp:89
2019             frame #32: JSC::JIT::doMainThreadPreparationBeforeCompile(this=0x0000619000034da0) at JIT.cpp:951
2020             frame #33: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:43
2021             frame #34: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:42
2022             frame #35: JSC::JITWorklist::compileLater(this=0x0000616000001b80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:256
2023             frame #36: JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000062d0001d88c0, exec=0x00007ffeefbbde30, loopOSREntryBytecodeOffset=0) at LLIntSlowPaths.cpp:391
2024             frame #37: llint_replace(exec=0x00007ffeefbbde30, pc=0x00006040000161ba) at LLIntSlowPaths.cpp:516
2025             frame #38: llint_entry at LowLevelInterpreter64.asm:98
2026             frame #39: vmEntryToJavaScript at LowLevelInterpreter64.asm:296
2027             ...
2028
2029         This crash occurred because StackVisitor was seeing an invalid topCallFrame while
2030         trying to capture the Error stack while throwing a StackOverflowError below
2031         llint_replace.  While in this specific example, it is questionable whether we
2032         should be executing JS code below TypeProfilerLog::processLogEntries(), it is
2033         correct to have set the topCallFrame in llint_replace.  We do this by calling
2034         LLINT_BEGIN_NO_SET_PC() at the top of llint_replace.
2035
2036         We also do the same for llint_osr.
2037         
2038         Note: both of these LLInt slow path functions are called with a fully initialized
2039         CallFrame.  Hence, there's no issue with setting topCallFrame to their CallFrames
2040         for these functions.
2041
2042         * llint/LLIntSlowPaths.cpp:
2043         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2044
2045 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2046
2047         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2048         https://bugs.webkit.org/show_bug.cgi?id=190836
2049
2050         Reviewed by Saam Barati.
2051
2052         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
2053         where we allocate a BigInt trusting the length received as an argument.
2054         With this additional method, we now check that the length passed to
2055         `JSBigInt::createWithLength` is not greater than JSBigInt::maxLength.
2056         When the length is greater than maxLength, we then throw an OOM
2057         exception.
2058         This required changing the interface of some JSBigInt operations to
2059         receive `ExecState*` instead of `VM&`. We changed only operations that
2060         can throw because of OOM.
2061         We believe that this approach of throwing instead of finishing the
2062         execution abruptly is better because JS programs can catch such an
2063         exception and handle this issue properly.
2064
2065         * dfg/DFGOperations.cpp:
2066         * jit/JITOperations.cpp:
2067         * runtime/CommonSlowPaths.cpp:
2068         (JSC::SLOW_PATH_DECL):
2069         * runtime/JSBigInt.cpp:
2070         (JSC::JSBigInt::createZero):
2071         (JSC::JSBigInt::tryCreateWithLength):
2072         (JSC::JSBigInt::createWithLengthUnchecked):
2073         (JSC::JSBigInt::createFrom):
2074         (JSC::JSBigInt::multiply):
2075         (JSC::JSBigInt::divide):
2076         (JSC::JSBigInt::copy):
2077         (JSC::JSBigInt::unaryMinus):
2078         (JSC::JSBigInt::remainder):
2079         (JSC::JSBigInt::add):
2080         (JSC::JSBigInt::sub):
2081         (JSC::JSBigInt::bitwiseAnd):
2082         (JSC::JSBigInt::bitwiseOr):
2083         (JSC::JSBigInt::bitwiseXor):
2084         (JSC::JSBigInt::absoluteAdd):
2085         (JSC::JSBigInt::absoluteSub):
2086         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
2087         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2088         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
2089         (JSC::JSBigInt::absoluteBitwiseOp):
2090         (JSC::JSBigInt::absoluteAddOne):
2091         (JSC::JSBigInt::absoluteSubOne):
2092         (JSC::JSBigInt::toStringGeneric):
2093         (JSC::JSBigInt::rightTrim):
2094         (JSC::JSBigInt::allocateFor):
2095         (JSC::JSBigInt::createWithLength): Deleted.
2096         * runtime/JSBigInt.h:
2097         * runtime/Operations.cpp:
2098         (JSC::jsAddSlowCase):
2099         * runtime/Operations.h:
2100         (JSC::jsSub):
2101         (JSC::jsMul):
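
An added example, not JavaScriptCore's code, modelling the checked/unchecked split this entry describes: `tryCreateWithLength` rejects lengths above `maxLength` by leaving an out-of-memory exception pending instead of aborting, while `createWithLengthUnchecked` serves callers whose result cannot be longer than its inputs. `Digit`, the value of `maxLength`, the `ExecState` stand-in, `shiftLeftByDigits` and `copy` are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

using Digit = uint64_t;

// Stand-in for the engine's execution state: the only thing this example needs
// from it is a place to park a pending exception (assumption for the example).
struct ExecState {
    bool hasPendingException = false;
    void throwOutOfMemoryError() { hasPendingException = true; }
};

class BigInt {
public:
    // Largest digit count the engine will allocate. The value is constructed for
    // this example; what matters is that length * sizeof(Digit) cannot wrap.
    static constexpr unsigned maxLength = 1u << 20;

    // Trusts its argument. Only for callers whose length is already known to be
    // valid, e.g. a copy or a result no longer than its operands.
    static std::unique_ptr<BigInt> createWithLengthUnchecked(unsigned length)
    {
        return std::unique_ptr<BigInt>(new BigInt(length));
    }

    // Entry point for lengths derived from user-controlled operands. Instead of
    // asserting or aborting the process, it leaves an OOM exception pending and
    // returns nullptr, so the JS program can catch the failure and continue.
    static std::unique_ptr<BigInt> tryCreateWithLength(ExecState* exec, unsigned length)
    {
        if (length > maxLength) {
            exec->throwOutOfMemoryError();
            return nullptr;
        }
        return createWithLengthUnchecked(length);
    }

    unsigned length() const { return static_cast<unsigned>(m_digits.size()); }
    Digit& digit(unsigned i) { return m_digits.at(i); }
    Digit digit(unsigned i) const { return m_digits.at(i); }

private:
    explicit BigInt(unsigned length) : m_digits(length, Digit(0)) { }
    std::vector<Digit> m_digits;
};

// Left shift by whole digits: the result is longer than the input, so the
// length comes from the checked path. The addition itself is guarded first so
// a large operand cannot wrap `length + digitShift` back below maxLength.
static std::unique_ptr<BigInt> shiftLeftByDigits(ExecState* exec, const BigInt& x, unsigned digitShift)
{
    if (digitShift > UINT32_MAX - x.length()) {
        exec->throwOutOfMemoryError();
        return nullptr;
    }
    auto result = BigInt::tryCreateWithLength(exec, x.length() + digitShift);
    if (!result)
        return nullptr; // exception already pending: propagate, as RETURN_IF_EXCEPTION would
    for (unsigned i = 0; i < x.length(); ++i)
        result->digit(i + digitShift) = x.digit(i);
    return result;
}

// Copy never grows, so it legitimately uses the unchecked constructor.
static std::unique_ptr<BigInt> copy(const BigInt& x)
{
    auto result = BigInt::createWithLengthUnchecked(x.length());
    for (unsigned i = 0; i < x.length(); ++i)
        result->digit(i) = x.digit(i);
    return result;
}
```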
2102
2103 2018-11-12  Devin Rousso  <drousso@apple.com>
2104
2105         Web Inspector: Network: show secure certificate details per-request
2106         https://bugs.webkit.org/show_bug.cgi?id=191447
2107         <rdar://problem/30019476>
2108
2109         Reviewed by Joseph Pecoraro.
2110
2111         Add Security domain to hold security related protocol types.
2112
2113         * CMakeLists.txt:
2114         * DerivedSources.make:
2115         * inspector/protocol/Network.json:
2116         * inspector/protocol/Security.json: Added.
2117         * inspector/scripts/codegen/objc_generator.py:
2118         (ObjCGenerator):
2119
2120 2018-11-12  Saam barati  <sbarati@apple.com>
2121
2122         Unreviewed. Rollout 238026: It caused ~8% JetStream 2 regressions on some iOS devices
2123         https://bugs.webkit.org/show_bug.cgi?id=191555
2124
2125         * bytecode/UnlinkedFunctionExecutable.cpp:
2126         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2127         * bytecode/UnlinkedFunctionExecutable.h:
2128         * parser/SourceCodeKey.h:
2129         (JSC::SourceCodeKey::SourceCodeKey):
2130         (JSC::SourceCodeKey::operator== const):
2131         * runtime/CodeCache.cpp:
2132         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2133         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2134         * runtime/CodeCache.h:
2135         * runtime/FunctionConstructor.cpp:
2136         (JSC::constructFunctionSkippingEvalEnabledCheck):
2137         * runtime/FunctionExecutable.cpp:
2138         (JSC::FunctionExecutable::fromGlobalCode):
2139         * runtime/FunctionExecutable.h:
2140
2141 2018-11-11  Benjamin Poulain  <benjamin@webkit.org>
2142
2143         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
2144         https://bugs.webkit.org/show_bug.cgi?id=191492
2145
2146         Reviewed by Alex Christensen.
2147
2148         Rename file.
2149
2150         * API/JSValue.mm:
2151
2152 2018-11-10  Benjamin Poulain  <benjamin@webkit.org>
2153
2154         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
2155         https://bugs.webkit.org/show_bug.cgi?id=191492
2156
2157         Reviewed by Alex Christensen.
2158
2159         * API/JSValue.mm:
2160
2161 2018-11-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2162
2163         Unreviewed, silence -Wunused-variable warning
2164
2165         * bytecode/Opcode.h:
2166         (JSC::padOpcodeName):
2167
2168 2018-11-09  Keith Rollin  <krollin@apple.com>
2169
2170         Unreviewed build fix after https://bugs.webkit.org/show_bug.cgi?id=191324
2171
2172         Remove the use of .xcfilelists until their side-effects are better
2173         understood.
2174
2175         * JavaScriptCore.xcodeproj/project.pbxproj:
2176
2177 2018-11-09  Keith Miller  <keith_miller@apple.com>
2178
2179         LLInt VectorSizeOffset should be based on offset extraction
2180         https://bugs.webkit.org/show_bug.cgi?id=191468
2181
2182         Reviewed by Yusuke Suzuki.
2183
2184         This patch also adds some usings to LLIntOffsetsExtractor that
2185         make it possible to use the bare names of Vector/RefCountedArray
2186         in offsets extraction.
2187
2188         * llint/LLIntOffsetsExtractor.cpp:
2189         * llint/LowLevelInterpreter.asm:
2190
2191 2018-11-09  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2192
2193         Unreviewed, rolling in CodeCache in r237254
2194         https://bugs.webkit.org/show_bug.cgi?id=190340
2195
2196         Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash.
2197
2198         * bytecode/UnlinkedFunctionExecutable.cpp:
2199         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2200         * bytecode/UnlinkedFunctionExecutable.h:
2201         * parser/SourceCodeKey.h:
2202         (JSC::SourceCodeKey::SourceCodeKey):
2203         (JSC::SourceCodeKey::operator== const):
2204         * runtime/CodeCache.cpp:
2205         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2206         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2207         * runtime/CodeCache.h:
2208         * runtime/FunctionConstructor.cpp:
2209         (JSC::constructFunctionSkippingEvalEnabledCheck):
2210         * runtime/FunctionExecutable.cpp:
2211         (JSC::FunctionExecutable::fromGlobalCode):
2212         * runtime/FunctionExecutable.h:
2213
2214 2018-11-08  Keith Miller  <keith_miller@apple.com>
2215
2216         put_by_val opcodes need to add the number tag as a 64-bit register
2217         https://bugs.webkit.org/show_bug.cgi?id=191456
2218
2219         Reviewed by Saam Barati.
2220
2221         Previously the LLInt would add it as a pointer-sized value. That is
2222         wrong if the pointer size is less than 64 bits.
2223
2224         * llint/LowLevelInterpreter64.asm:
2225
2226 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2227
2228         [JSC] isStrWhiteSpace seems redundant with Lexer<UChar>::isWhiteSpace
2229         https://bugs.webkit.org/show_bug.cgi?id=191439
2230
2231         Reviewed by Saam Barati.
2232
2233         * CMakeLists.txt:
2234         * runtime/ParseInt.h:
2235         (JSC::isStrWhiteSpace):
2236         Define isStrWhiteSpace in terms of isWhiteSpace and isLineTerminator.
2237
2238 2018-11-08  Michael Saboff  <msaboff@apple.com>
2239
2240         Options::useRegExpJIT() should use jitEnabledByDefault() just like useJIT()
2241         https://bugs.webkit.org/show_bug.cgi?id=191444
2242
2243         Reviewed by Saam Barati.
2244
2245         * runtime/Options.h:
2246
2247 2018-11-08  Fujii Hironori  <Hironori.Fujii@sony.com>
2248
2249         [Win] UDis86Disassembler.cpp: warning: format specifies type 'unsigned long' but the argument has type 'uintptr_t' (aka 'unsigned long long')
2250         https://bugs.webkit.org/show_bug.cgi?id=191416
2251
2252         Reviewed by Saam Barati.
2253
2254         * disassembler/UDis86Disassembler.cpp:
2255         (JSC::tryToDisassembleWithUDis86): Use PRIxPTR for uintptr_t.
2256
2257 2018-11-08  Keith Rollin  <krollin@apple.com>
2258
2259         Create .xcfilelist files
2260         https://bugs.webkit.org/show_bug.cgi?id=191324
2261         <rdar://problem/45852819>
2262
2263         Reviewed by Alex Christensen.
2264
2265         As part of preparing for enabling XCBuild, create and use .xcfilelist
2266         files. These files are used during Run Script build phases in an
2267         Xcode project. If a Run Script build phase produces new files that are
2268         used later as inputs to subsequent build phases, XCBuild needs to know
2269         about these files. These files can be either specified in an "output
2270         files" section of the Run Script phase editor, or in .xcfilelist files
2271         that are associated with the Run Script build phase.
2272
2273         This patch takes the second approach. It consists of three sets of changes:
2274
2275         - Modify the DerivedSources.make files to have a
2276           'print_all_generated_files' target that produces a list of the files
2277           they create.
2278
2279         - Create a shell script that produces .xcfilelist files from the
2280           output of the previous step, as well as for the files created in the
2281           Generate Unified Sources build steps.
2282
2283         - Add the new .xcfilelist files to the associated projects.
2284
2285         Note that, with these changes, the Xcode workspace and projects can no
2286         longer be fully loaded into Xcode 9. Xcode will attempt to load the
2287         projects that have .xcfilelist files associated with them, but will
2288         fail and display a placeholder for those projects instead. It's
2289         expected that all developers are using Xcode 10 by now and that not
2290         being able to load into Xcode 9 is not a practical issue. Keep in mind
2291         that this is strictly an IDE issue, and that the projects can still be
2292         built with `xcodebuild`.
2293
2294         Also note that the shell script that creates the .xcfilelist files can
2295         also be used to verify that the set of files that's currently checked
2296         in is up-to-date. This checking can be used as part of a check-in hook
2297         or part of check-webkit-style to sooner catch cases where the
2298         .xcfilelist files need to be regenerated.
2299
2300         * DerivedSources.make:
2301         * DerivedSources.xcfilelist: Added.
2302         * JavaScriptCore.xcodeproj/project.pbxproj:
2303         * UnifiedSources.xcfilelist: Added.
2304
2305 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2306
2307         U+180E is no longer a whitespace character
2308         https://bugs.webkit.org/show_bug.cgi?id=191415
2309
2310         Reviewed by Saam Barati.
2311
2312         Mongolian Vowel Separator stopped being a valid whitespace character as of ES2016.
2313         (https://github.com/tc39/ecma262/pull/300)
2314
2315         * parser/Lexer.h:
2316         (JSC::Lexer<UChar>::isWhiteSpace):
2317         * runtime/ParseInt.h:
2318         (JSC::isStrWhiteSpace):
2319         * yarr/create_regex_tables:
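
An added example, not WebKit code, covering both of Ross Kirsling's 2018-11-08 entries above (isStrWhiteSpace defined in terms of isWhiteSpace and isLineTerminator, and U+180E dropped from WhiteSpace). The classification tables are written from the ES2016 grammar rather than copied from Lexer.h; `UChar` as `char16_t`, `skipStrWhiteSpace` and `parseIntDecimal` are assumptions for the illustration.

```cpp
#include <cstddef>
#include <string>

// WebKit's UChar comes from ICU; char16_t stands in for it here (assumption).
using UChar = char16_t;

// ES2016 WhiteSpace: TAB, VT, FF, SP, NBSP, ZWNBSP and every Unicode "Zs" character.
// U+180E is deliberately absent: Unicode 6.3 moved it from Zs to Cf, and
// ES2016 (tc39/ecma262#300) removed it from the grammar.
static bool isWhiteSpace(UChar ch)
{
    switch (ch) {
    case 0x0009: case 0x000B: case 0x000C: case 0x0020:
    case 0x00A0: // NO-BREAK SPACE
    case 0x1680: // OGHAM SPACE MARK
    case 0x202F: // NARROW NO-BREAK SPACE
    case 0x205F: // MEDIUM MATHEMATICAL SPACE
    case 0x3000: // IDEOGRAPHIC SPACE
    case 0xFEFF: // ZERO WIDTH NO-BREAK SPACE (BOM)
        return true;
    default:
        return ch >= 0x2000 && ch <= 0x200A; // EN QUAD .. HAIR SPACE
    }
}

// ES LineTerminator: LF, CR, LINE SEPARATOR, PARAGRAPH SEPARATOR.
static bool isLineTerminator(UChar ch)
{
    return ch == 0x000A || ch == 0x000D || ch == 0x2028 || ch == 0x2029;
}

// StrWhiteSpaceChar :: WhiteSpace | LineTerminator. Defining it this way, rather
// than with a second hand-maintained table, keeps parseInt()/Number() trimming
// in lockstep with the lexer: a spec or Unicode change lands in one place, and
// the two code paths cannot drift into disagreeing about what is whitespace.
static bool isStrWhiteSpace(UChar ch)
{
    return isWhiteSpace(ch) || isLineTerminator(ch);
}

// The leading-whitespace skip that parseInt()-style conversion performs.
static size_t skipStrWhiteSpace(const std::u16string& s)
{
    size_t i = 0;
    while (i < s.size() && isStrWhiteSpace(s[i]))
        ++i;
    return i;
}

// Radix-10 parseInt after trimming. Returns -1 where parseInt would yield NaN,
// i.e. when the first non-whitespace character is not a digit.
static long parseIntDecimal(const std::u16string& s)
{
    size_t i = skipStrWhiteSpace(s);
    if (i == s.size() || s[i] < u'0' || s[i] > u'9')
        return -1;
    long value = 0;
    for (; i < s.size() && s[i] >= u'0' && s[i] <= u'9'; ++i)
        value = value * 10 + (s[i] - u'0');
    return value;
}
```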
2320
2321 2018-11-08  Keith Miller  <keith_miller@apple.com>
2322
2323         jitEnabledByDefault() should be on useJIT not useBaselineJIT
2324         https://bugs.webkit.org/show_bug.cgi?id=191434
2325
2326         Reviewed by Saam Barati.
2327
2328         * runtime/Options.h:
2329
2330 2018-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2331
2332         Web Inspector: Restrict domains at the target level instead of only at the window level
2333         https://bugs.webkit.org/show_bug.cgi?id=191344
2334
2335         Reviewed by Devin Rousso.
2336
2337         * inspector/protocol/Console.json:
2338         * inspector/protocol/Debugger.json:
2339         * inspector/protocol/Heap.json:
2340         * inspector/protocol/Runtime.json:
2341         Remove workerSupported as it is now no longer necessary. It is implied
2342         by availability being empty (meaning it is supported everywhere).
2343
2344         * inspector/protocol/Inspector.json:
2345         * inspector/protocol/ScriptProfiler.json:
2346         Restrict to "javascript" and "web" debuggables, not available in workers.
2347
2348         * inspector/protocol/Worker.json:
2349         Cleanup, remove empty types list.
2350         
2351         * inspector/protocol/Recording.json:
2352         Cleanup, only expose this in the "web" domain for now.
2353
2354         * inspector/scripts/codegen/generate_js_backend_commands.py:
2355         (JSBackendCommandsGenerator.generate_domain):
2356         * inspector/scripts/codegen/models.py:
2357         (Protocol.parse_domain):
2358         Allow a list of debuggable types. Add "worker" even though it is unused
2359         since that is a type we would want to allow or consider.
2360
2361         (Domain.__init__):
2362         (Domains):
2363         Remove now unnecessary workerSupported code.
2364         Allow availability on a domain with only types.
2365
2366         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: Removed.
2367         * inspector/scripts/tests/generic/worker-supported-domains.json: Removed.
2368
2369 2018-11-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2370
2371         Consider removing double load for accessing the MetadataTable from LLInt
2372         https://bugs.webkit.org/show_bug.cgi?id=190933
2373
2374         Reviewed by Keith Miller.
2375
2376         This patch removes the double load for accesses to MetadataTable from LLInt.
2377         MetadataTable is now a specially RefCounted class, which has an interesting memory layout.
2378         When the refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy itself.
2379
2380         * bytecode/CodeBlock.cpp:
2381         (JSC::CodeBlock::finishCreation):
2382         (JSC::CodeBlock::estimatedSize):
2383         (JSC::CodeBlock::visitChildren):
2384         * bytecode/CodeBlock.h:
2385         (JSC::CodeBlock::metadata):
2386         * bytecode/CodeBlockInlines.h:
2387         (JSC::CodeBlock::forEachValueProfile):
2388         (JSC::CodeBlock::forEachArrayProfile):
2389         (JSC::CodeBlock::forEachArrayAllocationProfile):
2390         (JSC::CodeBlock::forEachObjectAllocationProfile):
2391         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2392         * bytecode/MetadataTable.cpp:
2393         (JSC::MetadataTable::MetadataTable):
2394         (JSC::MetadataTable::~MetadataTable):
2395         (JSC::MetadataTable::sizeInBytes):
2396         * bytecode/MetadataTable.h:
2397         (JSC::MetadataTable::get):
2398         (JSC::MetadataTable::forEach):
2399         (JSC::MetadataTable::ref const):
2400         (JSC::MetadataTable::deref const):
2401         (JSC::MetadataTable::refCount const):
2402         (JSC::MetadataTable::hasOneRef const):
2403         (JSC::MetadataTable::buffer):
2404         (JSC::MetadataTable::linkingData const):
2405         (JSC::MetadataTable::getImpl):
2406         * bytecode/UnlinkedMetadataTable.h:
2407         (JSC::UnlinkedMetadataTable::buffer const):
2408         * bytecode/UnlinkedMetadataTableInlines.h:
2409         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2410         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
2411         (JSC::UnlinkedMetadataTable::addEntry):
2412         (JSC::UnlinkedMetadataTable::sizeInBytes):
2413         (JSC::UnlinkedMetadataTable::finalize):
2414         (JSC::UnlinkedMetadataTable::link):
2415         (JSC::UnlinkedMetadataTable::unlink):
2416         * llint/LowLevelInterpreter.asm:
2417         * llint/LowLevelInterpreter32_64.asm:
2418
2419 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2420
2421         [BigInt] Add support to BigInt into ValueAdd
2422         https://bugs.webkit.org/show_bug.cgi?id=186177
2423
2424         Reviewed by Keith Miller.
2425
2426         We are adding a very primitive specialization case of BigInts into ValueAdd.
2427         When compiling a speculated version of this node to BigInt, we are currently
2428         calling 'operationAddBigInt', a function that expects only BigInts as
2429         parameters and effectively adds numbers using JSBigInt::add. To properly
2430         speculate BigInt operands, we changed ArithProfile to observe when
2431         its result is a BigInt. With this new observation, we are able to identify
2432         when ValueAdd results in a String or BigInt.
2433
2434         Here are some numbers for this specialization running
2435         microbenchmarks:
2436
2437         big-int-simple-add                   21.5411+-1.1096  ^  15.3502+-0.7027  ^ definitely 1.4033x faster
2438         big-int-add-prediction-propagation   13.7762+-0.5578  ^  10.8117+-0.5330  ^ definitely 1.2742x faster
2439
2440         * bytecode/ArithProfile.cpp:
2441         (JSC::ArithProfile::emitObserveResult):
2442         (JSC::ArithProfile::shouldEmitSetNonNumeric const):
2443         (JSC::ArithProfile::shouldEmitSetBigInt const):
2444         (JSC::ArithProfile::emitSetNonNumeric const):
2445         (JSC::ArithProfile::emitSetBigInt const):
2446         (WTF::printInternal):
2447         (JSC::ArithProfile::shouldEmitSetNonNumber const): Deleted.
2448         (JSC::ArithProfile::emitSetNonNumber const): Deleted.
2449         * bytecode/ArithProfile.h:
2450         (JSC::ArithProfile::observedUnaryInt):
2451         (JSC::ArithProfile::observedUnaryNumber):
2452         (JSC::ArithProfile::observedBinaryIntInt):
2453         (JSC::ArithProfile::observedBinaryNumberInt):
2454         (JSC::ArithProfile::observedBinaryIntNumber):
2455         (JSC::ArithProfile::observedBinaryNumberNumber):
2456         (JSC::ArithProfile::didObserveNonInt32 const):
2457         (JSC::ArithProfile::didObserveNonNumeric const):
2458         (JSC::ArithProfile::didObserveBigInt const):
2459         (JSC::ArithProfile::setObservedNonNumeric):
2460         (JSC::ArithProfile::setObservedBigInt):
2461         (JSC::ArithProfile::observeResult):
2462         (JSC::ArithProfile::didObserveNonNumber const): Deleted.
2463         (JSC::ArithProfile::setObservedNonNumber): Deleted.
2464         * dfg/DFGByteCodeParser.cpp:
2465         (JSC::DFG::ByteCodeParser::makeSafe):
2466         * dfg/DFGFixupPhase.cpp:
2467         (JSC::DFG::FixupPhase::fixupNode):
2468         * dfg/DFGNode.h:
2469         (JSC::DFG::Node::mayHaveNonNumericResult):
2470         (JSC::DFG::Node::mayHaveBigIntResult):
2471         (JSC::DFG::Node::mayHaveNonNumberResult): Deleted.
2472         * dfg/DFGNodeFlags.cpp:
2473         (JSC::DFG::dumpNodeFlags):
2474         * dfg/DFGNodeFlags.h:
2475         * dfg/DFGOperations.cpp:
2476         * dfg/DFGOperations.h:
2477         * dfg/DFGPredictionPropagationPhase.cpp:
2478         * dfg/DFGSpeculativeJIT.cpp:
2479         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2480         * ftl/FTLLowerDFGToB3.cpp:
2481         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2482         * runtime/CommonSlowPaths.cpp:
2483         (JSC::updateArithProfileForUnaryArithOp):
2484         (JSC::updateArithProfileForBinaryArithOp):
2485
2486 2018-11-07  Joseph Pecoraro  <pecoraro@apple.com>
2487
2488         Web Inspector: Fix "Javascript" => "JavaScript" enum in protocol generated objects
2489         https://bugs.webkit.org/show_bug.cgi?id=191340
2490
2491         Reviewed by Devin Rousso.
2492
2493         * inspector/ConsoleMessage.cpp:
2494         (Inspector::messageSourceValue):
2495         Use new enum name.
2496
2497         * inspector/scripts/codegen/generator.py:
2498         Correct the casing of "JavaScript".
2499
2500 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2501
2502         Align wide opcodes in the instruction stream
2503         https://bugs.webkit.org/show_bug.cgi?id=191254
2504
2505         Reviewed by Keith Miller.
2506
2507         Pad the bytecode with nops to ensure that wide opcodes are 4-byte
2508         aligned on platforms that don't like unaligned memory access.
2509
2510         For that, add a new type to represent jump targets, BoundLabel, which
2511         delays computing the offset in case we need to emit nops for padding.
2512         Extra padding is also emitted before op_yield and at the end of each
2513         BytecodeWriter fragment, to ensure that the bytecode remains aligned
2514         after the rewriting.
2515
2516         As a side effect, we can no longer guarantee that the point immediately
2517         before emitting an opcode is the start of that opcode, since nops
2518         might be emitted in between if the opcode needs to be wide. To fix
2519         that, we only take the offset of opcodes after they have been emitted,
2520         using `m_lastInstruction.offset()`.
2521
2522         * bytecode/BytecodeDumper.h:
2523         (JSC::BytecodeDumper::dumpValue):
2524         * bytecode/BytecodeGeneratorification.cpp:
2525         (JSC::BytecodeGeneratorification::run):
2526         * bytecode/BytecodeList.rb:
2527         * bytecode/BytecodeRewriter.h:
2528         (JSC::BytecodeRewriter::Fragment::align):
2529         (JSC::BytecodeRewriter::insertFragmentBefore):
2530         (JSC::BytecodeRewriter::insertFragmentAfter):
2531         * bytecode/Fits.h:
2532         * bytecode/InstructionStream.h:
2533         (JSC::InstructionStreamWriter::ref):
2534         * bytecode/PreciseJumpTargetsInlines.h:
2535         (JSC::updateStoredJumpTargetsForInstruction):
2536         * bytecompiler/BytecodeGenerator.cpp:
2537         (JSC::Label::setLocation):
2538         (JSC::BoundLabel::target):
2539         (JSC::BoundLabel::saveTarget):
2540         (JSC::BoundLabel::commitTarget):
2541         (JSC::BytecodeGenerator::generate):
2542         (JSC::BytecodeGenerator::recordOpcode):
2543         (JSC::BytecodeGenerator::alignWideOpcode):
2544         (JSC::BytecodeGenerator::emitProfileControlFlow):
2545         (JSC::BytecodeGenerator::emitResolveScope):
2546         (JSC::BytecodeGenerator::emitGetFromScope):
2547         (JSC::BytecodeGenerator::emitPutToScope):
2548         (JSC::BytecodeGenerator::emitGetById):
2549         (JSC::BytecodeGenerator::emitDirectGetById):
2550         (JSC::BytecodeGenerator::emitPutById):
2551         (JSC::BytecodeGenerator::emitDirectPutById):
2552         (JSC::BytecodeGenerator::emitGetByVal):
2553         (JSC::BytecodeGenerator::emitCreateThis):
2554         (JSC::BytecodeGenerator::beginSwitch):
2555         (JSC::BytecodeGenerator::endSwitch):
2556         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
2557         (JSC::BytecodeGenerator::emitYieldPoint):
2558         (JSC::BytecodeGenerator::emitToThis):
2559         (JSC::Label::bind): Deleted.
2560         * bytecompiler/BytecodeGenerator.h:
2561         (JSC::BytecodeGenerator::recordOpcode): Deleted.
2562         * bytecompiler/Label.h:
2563         (JSC::BoundLabel::BoundLabel):
2564         (JSC::BoundLabel::operator int):
2565         (JSC::Label::bind):
2566         * generator/Opcode.rb:
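
An added example, not JavaScriptCore code, modelling the alignment scheme described above: nops are inserted so a wide instruction's operands land on a 4-byte boundary, and an instruction's offset is taken after it is emitted rather than before. The byte encoding (one `op_wide` prefix byte, one opcode byte, then 4-byte little-endian operands; narrow instructions use 1-byte operands), the opcode set and `countAlignedInstructions` are constructed assumptions for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Constructed opcode set. op_wide is a prefix byte, never an instruction itself.
enum Opcode : uint8_t { op_nop = 0, op_wide = 1, op_add = 2, op_jmp = 3 };

// Operand count per opcode (constructed): add = dst, lhs, rhs; jmp = target.
static unsigned operandCount(uint8_t opcode)
{
    switch (opcode) {
    case op_add: return 3;
    case op_jmp: return 1;
    default: return 0;
    }
}

class InstructionStreamWriter {
public:
    // Fits<int8_t>: can the operand use the narrow 1-byte encoding?
    static bool fits(int32_t v)
    {
        return v >= std::numeric_limits<int8_t>::min() && v <= std::numeric_limits<int8_t>::max();
    }

    // Emits one instruction, narrow if every operand fits, wide otherwise.
    // Returns the offset at which the instruction actually starts, which is
    // what m_lastInstruction.offset() reports: it differs from the stream size
    // observed before the call whenever padding was needed.
    size_t emit(Opcode opcode, const std::vector<int32_t>& operands)
    {
        bool wide = false;
        for (int32_t v : operands)
            wide = wide || !fits(v);
        if (wide)
            alignWideOpcode();
        size_t start = m_bytes.size();
        if (wide) {
            m_bytes.push_back(op_wide);
            m_bytes.push_back(opcode);
            for (int32_t v : operands) {
                uint32_t u = static_cast<uint32_t>(v); // little-endian 4-byte operand
                for (int shift = 0; shift < 32; shift += 8)
                    m_bytes.push_back(static_cast<uint8_t>(u >> shift));
            }
        } else {
            m_bytes.push_back(opcode);
            for (int32_t v : operands)
                m_bytes.push_back(static_cast<uint8_t>(static_cast<int8_t>(v)));
        }
        m_lastInstructionOffset = start;
        return start;
    }

    // Wide operands begin 2 bytes past the prefix; pad with nops until that
    // position is a multiple of 4, so strict-alignment CPUs can load them.
    void alignWideOpcode()
    {
        while ((m_bytes.size() + 2) % 4 != 0)
            m_bytes.push_back(op_nop);
    }

    size_t lastInstructionOffset() const { return m_lastInstructionOffset; }
    size_t size() const { return m_bytes.size(); }
    const std::vector<uint8_t>& bytes() const { return m_bytes; }

private:
    std::vector<uint8_t> m_bytes;
    size_t m_lastInstructionOffset = 0;
};

// Decodes the stream and verifies every wide operand block is 4-byte aligned.
// Returns the number of instructions decoded (padding nops included), or -1 if
// a wide instruction's operands are misaligned or the stream is truncated.
static int countAlignedInstructions(const std::vector<uint8_t>& bytes)
{
    int count = 0;
    size_t pc = 0;
    while (pc < bytes.size()) {
        if (bytes[pc] == op_wide) {
            if (pc + 2 > bytes.size())
                return -1;
            size_t operandsAt = pc + 2;
            if (operandsAt % 4 != 0)
                return -1;
            pc = operandsAt + 4 * operandCount(bytes[pc + 1]);
        } else
            pc += 1 + operandCount(bytes[pc]);
        if (pc > bytes.size())
            return -1;
        ++count;
    }
    return count;
}

// The pitfall the entry describes: reading the stream position *before*
// emitting a wide instruction yields the offset of the first padding nop.
struct OffsetPair { size_t observedBefore; size_t actual; };
static OffsetPair offsetBeforeVersusAfter()
{
    InstructionStreamWriter w;
    w.emit(op_add, { 1, 2, 3 });      // narrow, bytes 0..3
    size_t before = w.size();         // 4, but (4 + 2) % 4 != 0
    w.emit(op_add, { 1000, 2, 3 });   // 1000 needs 4 bytes: two nops, then start at 6
    return { before, w.lastInstructionOffset() };
}
```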
2567
2568 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2569
2570         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2571         https://bugs.webkit.org/show_bug.cgi?id=191184
2572
2573         Reviewed by Saam Barati.
2574
2575         Fix API test on CLoop: we can only disable the LLInt when the JIT is enabled.
2576
2577         * API/tests/PingPongStackOverflowTest.cpp:
2578         (testPingPongStackOverflow):
2579
2580 2018-11-06  Justin Fan  <justin_fan@apple.com>
2581
2582         [WebGPU] Experimental prototype for WebGPURenderPipeline and WebGPUSwapChain
2583         https://bugs.webkit.org/show_bug.cgi?id=191291
2584
2585         Reviewed by Myles Maxfield.
2586
2587         Properly disable WEBGPU on all non-Metal platforms for now.
2588
2589         * Configurations/FeatureDefines.xcconfig:
2590
2591 2018-11-06  Keith Rollin  <krollin@apple.com>
2592
2593         Adjust handling of Include paths that need quoting
2594         https://bugs.webkit.org/show_bug.cgi?id=191314
2595         <rdar://problem/45849143>
2596
2597         Reviewed by Dan Bernstein.
2598
2599         There are several places in the JavaScriptCore Xcode project where the
2600         paths defined in HEADER_SEARCH_PATHS are quoted. That is, the
2601         definitions look like:
2602
2603             HEADER_SEARCH_PATHS = (
2604                 "\"${BUILT_PRODUCTS_DIR}/DerivedSources/JavaScriptCore\"",
2605                 "\"${BUILT_PRODUCTS_DIR}/LLIntOffsets/${ARCHS}\"",
2606                 "\"$(JAVASCRIPTCORE_FRAMEWORKS_DIR)/JavaScriptCore.framework/PrivateHeaders\"",
2607                 "$(inherited)",
2608             );
2609
2610         The idea here is presumably to have the resulting $(CPP) command have
2611         -I options where the associated paths are themselves quoted,
2612         protecting against space characters in the paths.
2613
2614         This approach to quote management can break under Xcode 9. If
2615         .xcfilelist files are added to the project, the 'objectVersion' value
2616         in the Xcode project file is changed from 46 to 51. If a project with
2617         objectVersion=51 is presented to Xcode 9 (as can happen when we build
2618         for older OS's), it produces build lines where the quotes are escaped,
2619         thereby becoming part of the path. The build then fails because a
2620         search for a file normally found in a directory called "Foo" will be
2621         looked for in "\"Foo\"", which doesn't exist.
2622
2623         Simply removing the escaped quotes from the HEADER_SEARCH_PATHS
2624         definition doesn't work, leading to paths that need quoting due to
2625         space characters but that don't get this quoting (the part of the path
2626         after the space appears to simply go missing).
2627
2628         Removing the escaped quotes from the HEADER_SEARCH_PATHS and moving
2629         the definitions to the .xcconfig fixes this problem.
2630
2631         * Configurations/ToolExecutable.xcconfig:
2632         * JavaScriptCore.xcodeproj/project.pbxproj:
2633
2634 2018-11-06  Michael Saboff  <msaboff@apple.com>
2635
2636         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2637         https://bugs.webkit.org/show_bug.cgi?id=191271
2638
2639         Reviewed by Saam Barati.
2640
2641         Fixed use of ThrowScope by adding release() calls.  Found a few places where we needed
2642         RETURN_IF_EXCEPTION().  After some code inspection, we determined that we need to cover the
2643         exception bubbling for String.match() with a global RegExp as well as String.replace()
2644         and String.search().
2645
2646         * runtime/RegExpObjectInlines.h:
2647         (JSC::RegExpObject::matchInline):
2648         (JSC::collectMatches):
2649         * runtime/RegExpPrototype.cpp:
2650         (JSC::regExpProtoFuncSearchFast):
2651         * runtime/StringPrototype.cpp:
2652         (JSC::removeUsingRegExpSearch):
2653         (JSC::replaceUsingRegExpSearch):
2654
2655 2018-11-05  Don Olmstead  <don.olmstead@sony.com>
2656
2657         Fix typos in closing ENABLE guards
2658         https://bugs.webkit.org/show_bug.cgi?id=191273
2659
2660         Reviewed by Keith Miller.
2661
2662         * ftl/FTLForOSREntryJITCode.h:
2663         * ftl/FTLJITCode.h:
2664         * jsc.cpp:
2665         * wasm/WasmMemoryInformation.h:
2666         * wasm/WasmPageCount.h:
2667
2668 2018-11-05  Keith Miller  <keith_miller@apple.com>
2669
2670         Make static_asserts in APICast into bitwise_cast
2671         https://bugs.webkit.org/show_bug.cgi?id=191272
2672
2673         Reviewed by Filip Pizlo.
2674
2675         * API/APICast.h:
2676         (toJS):
2677         (toJSForGC):
2678         (toRef):
2679
2680 2018-11-05  Dominik Infuehr  <dinfuehr@igalia.com>
2681
2682         Enable LLInt on ARMv7/Linux
2683         https://bugs.webkit.org/show_bug.cgi?id=191190
2684
2685         Reviewed by Yusuke Suzuki.
2686
2687         After enabling the new bytecode format in r237547, C_LOOP was
2688         forced on all 32-bit platforms. Now enable LLInt again on
2689         ARMv7-Thumb2/Linux.
2690
2691         This adds a callee-saved register in ARMv7/Linux for the metadataTable and
2692         stores/restores it on LLInt function calls. It also introduces the globaladdr
2693         instruction for the ARM offlineasm to access the opcode-table.
2694
2695         * jit/GPRInfo.h:
2696         * jit/RegisterSet.cpp:
2697         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
2698         * llint/LowLevelInterpreter.asm:
2699         * llint/LowLevelInterpreter32_64.asm:
2700         * offlineasm/arm.rb:
2701         * offlineasm/asm.rb:
2702         * offlineasm/instructions.rb:
2703
2704 2018-11-05  Fujii Hironori  <Hironori.Fujii@sony.com>
2705
2706         [Win][Clang][JSC] JIT::is64BitType reports "warning: explicit specialization cannot have a storage class"
2707         https://bugs.webkit.org/show_bug.cgi?id=191146
2708
2709         Reviewed by Yusuke Suzuki.
2710
2711         * jit/JIT.h: Changed is64BitType from a template class method to a
2712         template inner class.
2713
2714 2018-11-02  Keith Miller  <keith_miller@apple.com>
2715
2716         Assert JSValues can fit into a pointer when API casting
2717         https://bugs.webkit.org/show_bug.cgi?id=191220
2718
2719         Reviewed by Michael Saboff.
2720
2721         * API/APICast.h:
2722         (toJS):
2723         (toJSForGC):
2724         (toRef):
2725
2726 2018-11-02  Michael Saboff  <msaboff@apple.com>
2727
2728         Rolling in r237753 with unreviewed build fix.
2729
2730         Fixed issues with DECLARE_THROW_SCOPE placement.
2731
2732 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2733
2734         Unreviewed, rolling out r237753.
2735
2736         Introduced JSC test failures
2737
2738         Reverted changeset:
2739
2740         "Running out of stack space not properly handled in
2741         RegExp::compile() and its callers"
2742         https://bugs.webkit.org/show_bug.cgi?id=191206
2743         https://trac.webkit.org/changeset/237753
2744
2745 2018-11-02  Michael Saboff  <msaboff@apple.com>
2746
2747         Running out of stack space not properly handled in RegExp::compile() and its callers
2748         https://bugs.webkit.org/show_bug.cgi?id=191206
2749
2750         Reviewed by Filip Pizlo.
2751
2752         Eliminated two RELEASE_ASSERT_NOT_REACHED() for errors returned by Yarr parsing code.  Bubbled those errors
2753         up to where they are turned into the appropriate exceptions in matchInline().  If the errors are not due
2754         to syntax, we reset the RegExp state in case the parsing is tried with a smaller stack.
2755
2756         * runtime/RegExp.cpp:
2757         (JSC::RegExp::compile):
2758         (JSC::RegExp::compileMatchOnly):
2759         * runtime/RegExp.h:
2760         * runtime/RegExpInlines.h:
2761         (JSC::RegExp::compileIfNecessary):
2762         (JSC::RegExp::matchInline):
2763         (JSC::RegExp::compileIfNecessaryMatchOnly):
2764         * runtime/RegExpObjectInlines.h:
2765         (JSC::RegExpObject::execInline):
2766         * yarr/YarrErrorCode.h:
2767         (JSC::Yarr::hasHardError):
2768
2769 2018-11-02  Keith Miller  <keith_miller@apple.com>
2770
2771         API should use wrapper object if address is 32-bit
2772         https://bugs.webkit.org/show_bug.cgi?id=191203
2773
2774         Reviewed by Filip Pizlo.
2775
2776         * API/APICast.h:
2777         (toJS):
2778         (toJSForGC):
2779         (toRef):
2780
2781 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
2782
2783         Metadata should not be copyable
2784         https://bugs.webkit.org/show_bug.cgi?id=191193
2785
2786         Reviewed by Keith Miller.
2787
2788         We should only ever hold references to the entry in the metadata table.
2789
2790         * bytecode/CodeBlock.cpp:
2791         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2792         * dfg/DFGByteCodeParser.cpp:
2793         (JSC::DFG::ByteCodeParser::parseBlock):
2794         * generator/Metadata.rb:
2795
2796 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
2797
2798         REGRESSION(r237547): Exception handlers should be aware of wide opcodes when JIT is disabled
2799         https://bugs.webkit.org/show_bug.cgi?id=191175
2800
2801         Reviewed by Keith Miller.
2802
2803         https://bugs.webkit.org/show_bug.cgi?id=191108 did not handle the case where JIT is not enabled.
2804
2805         * jit/JITExceptions.cpp:
2806         (JSC::genericUnwind):
2807         * llint/LLIntData.h:
2808         (JSC::LLInt::getWideCodePtr):
2809
2810 2018-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2811
2812         Rename <wtf/unicode/UTF8.h> to <wtf/unicode/UTF8Conversion.h> in order to avoid conflicting with ICU's unicode/utf8.h
2813         https://bugs.webkit.org/show_bug.cgi?id=189693
2814
2815         Reviewed by Yusuke Suzuki.
2816
2817         * API/JSClassRef.cpp: Replaced <wtf/unicode/UTF8.h> with <wtf/unicode/UTF8Conversion.h>.
2818         * API/JSStringRef.cpp: Ditto.
2819         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2820         * wasm/WasmParser.h: Ditto.
2821
2822 2018-11-01  Keith Miller  <keith_miller@apple.com>
2823
2824         Unreviewed, JavaScriptCore should only guarantee to produce a
2825         modulemap if we are building for iOSMac.
2826
2827         * Configurations/JavaScriptCore.xcconfig:
2828
2829 2018-10-31  Devin Rousso  <drousso@apple.com>
2830
2831         Web Inspector: Canvas: create a setting for auto-recording newly created contexts
2832         https://bugs.webkit.org/show_bug.cgi?id=190856
2833
2834         Reviewed by Brian Burg.
2835
2836         * inspector/protocol/Canvas.json:
2837         Add `setRecordingAutoCaptureFrameCount` command for setting the number of frames to record
2838         immediately after a context is created.
2839
2840         * inspector/protocol/Recording.json:
2841         Add `creation` value for `Initiator` enum.
2842
2843 2018-10-31  Devin Rousso  <drousso@apple.com>
2844
2845         Web Inspector: display low-power enter/exit events in Timelines and Network node waterfalls
2846         https://bugs.webkit.org/show_bug.cgi?id=190641
2847         <rdar://problem/45319049>
2848
2849         Reviewed by Joseph Pecoraro.
2850
2851         * inspector/protocol/DOM.json:
2852         Add `videoLowPowerChanged` event that is fired when `InspectorDOMAgent` is able to determine
2853         whether a video element's low power state has changed.
2854
2855 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2856
2857         Adjust inlining threshold for new bytecode format
2858         https://bugs.webkit.org/show_bug.cgi?id=191115
2859
2860         Reviewed by Saam Barati.
2861
2862         The new format reduced the number of operands for many opcodes, which
2863         changed inlining decisions and impacted performance negatively.
2864
2865         * runtime/Options.h:
2866
2867 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2868
2869         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2870         https://bugs.webkit.org/show_bug.cgi?id=191108
2871         <rdar://problem/45690700>
2872
2873         Reviewed by Saam Barati.
2874
2875         When linking the handler, we need to check whether the target op_catch is
2876         wide or narrow in order to choose the right code pointer for the handler.
2877
2878         * bytecode/CodeBlock.cpp:
2879         (JSC::CodeBlock::finishCreation):
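
The narrow/wide distinction that the handler-linking fix above depends on, modelled in added C++ that is not JSC's code: an instruction is an opcode byte followed by 1-byte operands, or an op_wide prefix byte, the opcode byte and 4-byte operands, with the metadataID (where an opcode has one) as an ordinary last operand, as the "New bytecode format for JSC" entry further down describes; the handler's code pointer is chosen by decoding the op_catch at its target rather than assuming a width. The opcode numbers, signed operands, little-endian byte order and the "fits in a byte" rule for picking the width are assumptions of this model.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Opcode numbers and the op_wide prefix value are assumptions of this model.
enum OpcodeID : uint8_t { op_wide = 0, op_catch = 1, op_jmp = 2, op_add = 3 };

// Operand count per opcode; a metadataID, where present, is simply the last operand.
static size_t operandCount(OpcodeID op)
{
    switch (op) {
    case op_catch: return 3; // exception, thrownValue, metadataID
    case op_jmp:   return 1; // target
    case op_add:   return 4; // dst, lhs, rhs, metadataID
    default: throw std::invalid_argument("not a real opcode");
    }
}

struct Decoded {
    OpcodeID opcode;
    bool isWide;
    size_t size;                  // bytes consumed, op_wide prefix included
    std::vector<int32_t> operands;
};

// Operands are signed here (locals are negative virtual registers), so an
// instruction is narrow only when every operand fits in an int8_t.
std::vector<uint8_t> encode(OpcodeID op, const std::vector<int32_t>& operands)
{
    if (operands.size() != operandCount(op))
        throw std::invalid_argument("wrong operand count");
    bool wide = false;
    for (int32_t v : operands)
        if (v < -128 || v > 127)
            wide = true;
    std::vector<uint8_t> out;
    if (wide)
        out.push_back(op_wide);
    out.push_back(op);
    for (int32_t v : operands) {
        if (wide) {
            uint32_t u = static_cast<uint32_t>(v);
            for (unsigned b = 0; b < 4; ++b) // little-endian 4-byte operand
                out.push_back(static_cast<uint8_t>(u >> (8 * b)));
        } else {
            out.push_back(static_cast<uint8_t>(static_cast<int8_t>(v)));
        }
    }
    return out;
}

// Decode the whole instruction at `offset`. No operand can be read until the
// width is known, so decoding is all-or-nothing, and every read is bounds-checked.
Decoded decode(const std::vector<uint8_t>& stream, size_t offset)
{
    if (offset >= stream.size())
        throw std::out_of_range("offset past end of stream");
    Decoded d;
    d.isWide = stream[offset] == op_wide;
    size_t pos = offset + (d.isWide ? 1 : 0);
    if (pos >= stream.size())
        throw std::out_of_range("op_wide prefix with no opcode");
    d.opcode = static_cast<OpcodeID>(stream[pos++]);
    size_t width = d.isWide ? 4 : 1;
    size_t count = operandCount(d.opcode);
    if (count * width > stream.size() - pos)
        throw std::out_of_range("truncated operands");
    for (size_t i = 0; i < count; ++i, pos += width) {
        if (d.isWide) {
            uint32_t u = 0;
            for (unsigned b = 0; b < 4; ++b)
                u |= static_cast<uint32_t>(stream[pos + b]) << (8 * b);
            d.operands.push_back(static_cast<int32_t>(u));
        } else {
            d.operands.push_back(static_cast<int8_t>(stream[pos]));
        }
    }
    d.size = pos - offset;
    return d;
}

// The linking rule from the entry above: the handler's code pointer must match
// the width of the op_catch actually sitting at the handler's target offset.
enum class CatchCodePtr { narrow, wide };
CatchCodePtr handlerCodePtrFor(const std::vector<uint8_t>& stream, size_t target)
{
    Decoded d = decode(stream, target);
    if (d.opcode != op_catch)
        throw std::logic_error("handler target is not an op_catch");
    return d.isWide ? CatchCodePtr::wide : CatchCodePtr::narrow;
}
```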
2880
2881 2018-10-31  Dominik Infuehr  <dinfuehr@igalia.com>
2882
2883         Align entries in metadata table
2884         https://bugs.webkit.org/show_bug.cgi?id=191062
2885
2886         Reviewed by Filip Pizlo.
2887
2888         Entries in the metadata table need to be aligned on some 32-bit
2889         architectures.
2890
2891         * bytecode/MetadataTable.h:
2892         (JSC::MetadataTable::forEach):
2893         * bytecode/Opcode.cpp:
2894         (JSC::metadataAlignment):
2895         * bytecode/Opcode.h:
2896         * bytecode/UnlinkedMetadataTableInlines.h:
2897         (JSC::UnlinkedMetadataTable::finalize):
2898         * generator/Section.rb:
2899
2900 2018-10-31  Jim Mason  <jmason@ibinx.com>
2901
2902         Static global 'fastHandlerInstalled' conditionally declared in WasmFaultSignalHandler.cpp
2903         https://bugs.webkit.org/show_bug.cgi?id=191063
2904
2905         Reviewed by Yusuke Suzuki.
2906
2907         * wasm/WasmFaultSignalHandler.cpp:
2908
2909 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2910
2911         [JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions
2912         https://bugs.webkit.org/show_bug.cgi?id=191092
2913
2914         Reviewed by Saam Barati.
2915
2916         Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the
2917         following things to tighten the LLInt ASM code.
2918
2919         1. Remove unnecessary load instructions. Use jmp with BaseIndex directly.
2920         2. Introduce strength reduction for mul instructions in the offlineasm layer. This is now critical
2921         since the mul instruction is executed in the `metadata` operation in LLInt. If the given immediate is
2922         a power of two, we convert it to an lshift instruction.
2923
2924         * llint/LowLevelInterpreter32_64.asm:
2925         * llint/LowLevelInterpreter64.asm:
2926         * offlineasm/arm64.rb:
2927         * offlineasm/instructions.rb:
2928         * offlineasm/x86.rb:
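
The power-of-two strength reduction from item 2 above, as an added C++ model (the offlineasm layer that does this in JSC is Ruby; this is not offlineasm's own code). It assumes the two-operand form "mul imm, reg" meaning reg = reg * imm and the opcode names muli/mulq/mulp and lshifti/lshiftq/lshiftp, and it keeps the rewrite conservative: only immediates that are powers of two and at least 2 become shifts.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// One offlineasm-style operand: either an immediate or a register name.
struct Operand {
    bool isImmediate;
    int64_t immediate;   // valid when isImmediate
    std::string reg;     // valid otherwise
};

static Operand imm(int64_t v) { return { true, v, "" }; }
static Operand reg(const std::string& r) { return { false, 0, r }; }

// Two-operand form assumed throughout: "mul imm, reg" means reg = reg * imm.
struct Instruction {
    std::string opcode;
    std::vector<Operand> operands;
};

// A positive integer is a power of two iff exactly one bit is set.
bool isPowerOfTwo(int64_t n)
{
    return n > 0 && (n & (n - 1)) == 0;
}

// Position of the single set bit of a power of two.
unsigned log2Exact(int64_t n)
{
    if (!isPowerOfTwo(n))
        throw std::invalid_argument("not a power of two");
    unsigned shift = 0;
    while ((int64_t(1) << shift) != n)
        ++shift;
    return shift;
}

// Multiply opcode -> shift counterpart (assumed names, one per operand width).
static const char* shiftOpcodeFor(const std::string& mulOpcode)
{
    if (mulOpcode == "muli") return "lshifti";
    if (mulOpcode == "mulq") return "lshiftq";
    if (mulOpcode == "mulp") return "lshiftp";
    return nullptr;
}

// Rewrite "mul <imm>, <reg>" as "lshift <log2 imm>, <reg>" when the immediate is a
// power of two >= 2. Everything else comes back unchanged: register multipliers,
// non-powers of two, 0 and 1, negative immediates (a left shift cannot express a
// negative multiplier), and any other operand arity.
Instruction strengthReduce(const Instruction& insn)
{
    const char* shiftOp = shiftOpcodeFor(insn.opcode);
    if (!shiftOp || insn.operands.size() != 2)
        return insn;
    const Operand& multiplier = insn.operands[0];
    if (!multiplier.isImmediate || multiplier.immediate < 2 || !isPowerOfTwo(multiplier.immediate))
        return insn;
    return { shiftOp, { imm(log2Exact(multiplier.immediate)), insn.operands[1] } };
}

// Run a two-operand mul or lshift on a sample register value at the given width,
// so the rewritten instruction can be checked against the original.
uint64_t evaluate(const Instruction& insn, uint64_t regValue, unsigned bits)
{
    uint64_t mask = bits >= 64 ? ~uint64_t(0) : ((uint64_t(1) << bits) - 1);
    int64_t k = insn.operands[0].immediate;
    if (insn.opcode == "muli" || insn.opcode == "mulq" || insn.opcode == "mulp")
        return (regValue * uint64_t(k)) & mask;
    if (insn.opcode == "lshifti" || insn.opcode == "lshiftq" || insn.opcode == "lshiftp")
        return (regValue << k) & mask;
    throw std::invalid_argument("unsupported opcode");
}
```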
2929
2930 2018-10-30  Don Olmstead  <don.olmstead@sony.com>
2931
2932         [PlayStation] Enable JavaScriptCore
2933         https://bugs.webkit.org/show_bug.cgi?id=191072
2934
2935         Reviewed by Brent Fulgham.
2936
2937         Add platform files for the PlayStation port.
2938
2939         * PlatformPlayStation.cmake: Added.
2940
2941 2018-10-30  Alexey Proskuryakov  <ap@apple.com>
2942
2943         Clean up some obsolete MAX_ALLOWED macros
2944         https://bugs.webkit.org/show_bug.cgi?id=190916
2945
2946         Reviewed by Tim Horton.
2947
2948         * API/JSManagedValue.mm:
2949         * API/JSVirtualMachine.mm:
2950         * API/JSWrapperMap.mm:
2951
2952 2018-10-30  Ross Kirsling  <ross.kirsling@sony.com>
2953
2954         useProbeOSRExit causes failures for Win64 DFG JIT
2955         https://bugs.webkit.org/show_bug.cgi?id=190656
2956
2957         Reviewed by Keith Miller.
2958
2959         * assembler/ProbeContext.cpp:
2960         (JSC::Probe::executeProbe):
2961         If lowWatermark is expected to equal lowWatermarkFromVisitingDirtyPages *regardless* of the input param,
2962         then let's just call lowWatermarkFromVisitingDirtyPages instead.
2963
2964         * dfg/DFGOSRExit.cpp:
2965         (JSC::DFG::OSRExit::executeOSRExit):
2966         The result of VariableEventStream::reconstruct appears to be inappropriate for direct use as a stack pointer offset;
2967         mimic the non-probe case and use requiredRegisterCountForExit from DFGCommonData instead.
2968         (Also, stop redundantly setting the stack pointer twice in a row.)
2969
2970 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2971
2972         "Unreviewed, partial rolling in r237254"
2973         https://bugs.webkit.org/show_bug.cgi?id=190340
2974
2975         This only adds Parser.{cpp,h}, and it is not used in this patch.
2976         It examines whether the regression is related to the exact Parser changes.
2977
2978         * parser/Parser.cpp:
2979         (JSC::Parser<LexerType>::parseInner):
2980         (JSC::Parser<LexerType>::parseSingleFunction):
2981         (JSC::Parser<LexerType>::parseFunctionInfo):
2982         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2983         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2984         * parser/Parser.h:
2985         (JSC::Parser<LexerType>::parse):
2986         (JSC::parse):
2987         (JSC::parseFunctionForFunctionConstructor):
2988
2989 2018-10-29  Mark Lam  <mark.lam@apple.com>
2990
2991         Correctly detect string overflow when using the 'Function' constructor.
2992         https://bugs.webkit.org/show_bug.cgi?id=184883
2993         <rdar://problem/36320331>
2994
2995         Reviewed by Saam Barati.
2996
2997         Added StringBuilder::hasOverflowed() checks, throwing OutOfMemoryErrors if
2998         we detect an overflow.
2999
3000         * runtime/FunctionConstructor.cpp:
3001         (JSC::constructFunctionSkippingEvalEnabledCheck):
3002         * runtime/JSGlobalObjectFunctions.cpp:
3003         (JSC::encode):
3004         (JSC::decode):
3005         * runtime/JSONObject.cpp:
3006         (JSC::Stringifier::stringify):
3007         (JSC::Stringifier::appendStringifiedValue):
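
The hasOverflowed() pattern from the entry above, as an added C++ illustration that is not JSC's StringBuilder or FunctionConstructor code: a builder whose length limit is checked on every append and whose overflow flag is consulted before the result is used, applied to the "function anonymous(...) {...}" text a Function(...) call assembles. The configurable limit and the exact source layout are assumptions made so the overflow path can be exercised without allocating gigabytes.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// A builder that refuses to exceed a maximum length rather than wrapping or
// silently truncating. The limit is a parameter here so the overflow path can be
// exercised cheaply; JSC's real limit is its maximum string length.
class CheckedStringBuilder {
public:
    explicit CheckedStringBuilder(size_t maxLength) : m_maxLength(maxLength) { }

    void append(const std::string& s)
    {
        if (m_overflowed)
            return;                    // sticky: later appends cannot clear the flag
        // m_buffer.size() <= m_maxLength always holds, so this subtraction cannot wrap.
        if (s.size() > m_maxLength - m_buffer.size()) {
            m_overflowed = true;
            m_buffer.clear();          // never hand out a partial result
            return;
        }
        m_buffer += s;
    }

    bool hasOverflowed() const { return m_overflowed; }
    size_t length() const { return m_buffer.size(); }
    const std::string& toString() const { return m_buffer; }

private:
    size_t m_maxLength;
    std::string m_buffer;
    bool m_overflowed = false;
};

struct SourceResult {
    bool outOfMemory;    // true where the caller should throw OutOfMemoryError
    std::string source;  // valid only when !outOfMemory
};

// Assembles the text a Function(...) call evaluates, in the (assumed) shape
// "function anonymous(" + args joined by "," + ") {\n" + body + "\n}", and
// checks the builder *before* using the result instead of compiling whatever
// a wrapped-around length would have produced.
SourceResult buildFunctionSource(const std::vector<std::string>& args, const std::string& body, size_t maxLength)
{
    CheckedStringBuilder builder(maxLength);
    builder.append("function anonymous(");
    for (size_t i = 0; i < args.size(); ++i) {
        if (i)
            builder.append(",");
        builder.append(args[i]);
    }
    builder.append(") {\n");
    builder.append(body);
    builder.append("\n}");
    if (builder.hasOverflowed())
        return { true, std::string() };
    return { false, builder.toString() };
}
```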
3008
3009 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3010
3011         Unreviewed, fix JSC on arm64e after r237547
3012         https://bugs.webkit.org/show_bug.cgi?id=187373
3013
3014         Unreviewed.
3015
3016         Remove unused move guarded by POINTER_PROFILING that was trashing the
3017         metadata on arm64e.
3018
3019         * llint/LowLevelInterpreter64.asm:
3020
3021 2018-10-29  Keith Miller  <keith_miller@apple.com>
3022
3023         JSC should explicitly list its modulemap file
3024         https://bugs.webkit.org/show_bug.cgi?id=191032
3025
3026         Reviewed by Saam Barati.
3027
3028         The automagically generated module map file for JSC will
3029         include headers where they may not work out of the box.
3030         This patch makes it so we now export the same modulemap
3031         that used to be provided via the legacy system.
3032
3033         * Configurations/JavaScriptCore.xcconfig:
3034         * JavaScriptCore.modulemap: Added.
3035         * JavaScriptCore.xcodeproj/project.pbxproj:
3036
3037 2018-10-29  Tim Horton  <timothy_horton@apple.com>
3038
3039         Modernize WebKit nibs and lprojs for localization's sake
3040         https://bugs.webkit.org/show_bug.cgi?id=190911
3041         <rdar://problem/45349466>
3042
3043         Reviewed by Dan Bernstein.
3044
3045         * JavaScriptCore.xcodeproj/project.pbxproj:
3046         English->en
3047
3048 2018-10-29  Commit Queue  <commit-queue@webkit.org>
3049
3050         Unreviewed, rolling out r237492.
3051         https://bugs.webkit.org/show_bug.cgi?id=191035
3052
3053         "It regresses JetStream 2 by 5% on some iOS devices"
3054         (Requested by saamyjoon on #webkit).
3055
3056         Reverted changeset:
3057
3058         "Unreviewed, partial rolling in r237254"
3059         https://bugs.webkit.org/show_bug.cgi?id=190340
3060         https://trac.webkit.org/changeset/237492
3061
3062 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3063
3064         Add support for GetStack FlushedDouble
3065         https://bugs.webkit.org/show_bug.cgi?id=191012
3066         <rdar://problem/45265141>
3067
3068         Reviewed by Saam Barati.
3069
3070         LowerDFGToB3::compileGetStack assumed that we would not emit GetStack
3071         for doubles, but it turns out it may arise from the PutStack sinking
3072         phase: if we sink a PutStack into a successor block, other predecessors
3073         will emit a GetStack followed by an Upsilon.
3074
3075         * ftl/FTLLowerDFGToB3.cpp:
3076         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3077
3078 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3079
3080         New bytecode format for JSC
3081         https://bugs.webkit.org/show_bug.cgi?id=187373
3082         <rdar://problem/44186758>
3083
3084         Reviewed by Filip Pizlo.
3085
3086         Replace unlinked and linked bytecode with a new immutable bytecode that does not embed
3087         any addresses. Instructions can be encoded as narrow (1-byte operands) or wide (4-byte
3088         operands) and might contain an extra operand, the metadataID. The metadataID is used to
3089         access the instruction's mutable data in a side table in the CodeBlock (the MetadataTable).
3090
3091         Bytecodes now must be structs declared in the new BytecodeList.rb. All bytecodes give names
3092         and types to all their operands. Additionally, reading a bytecode from the instruction stream
3093         requires decoding the whole bytecode, i.e. it's no longer possible to access arbitrary
3094         operands directly from the stream.
3095
3096
3097         * CMakeLists.txt:
3098         * DerivedSources.make:
3099         * JavaScriptCore.xcodeproj/project.pbxproj:
3100         * Sources.txt:
3101         * assembler/MacroAssemblerCodeRef.h:
3102         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3103         (JSC::ReturnAddressPtr::value const):
3104         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3105         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3106         * bytecode/ArithProfile.h:
3107         (JSC::ArithProfile::ArithProfile):
3108         * bytecode/ArrayAllocationProfile.h:
3109         (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
3110         * bytecode/ArrayProfile.h:
3111         * bytecode/BytecodeBasicBlock.cpp:
3112         (JSC::isJumpTarget):
3113         (JSC::BytecodeBasicBlock::computeImpl):
3114         (JSC::BytecodeBasicBlock::compute):
3115         * bytecode/BytecodeBasicBlock.h:
3116         (JSC::BytecodeBasicBlock::leaderOffset const):
3117         (JSC::BytecodeBasicBlock::totalLength const):
3118         (JSC::BytecodeBasicBlock::offsets const):
3119         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3120         (JSC::BytecodeBasicBlock::addLength):
3121         * bytecode/BytecodeDumper.cpp:
3122         (JSC::BytecodeDumper<Block>::printLocationAndOp):
3123         (JSC::BytecodeDumper<Block>::dumpBytecode):
3124         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
3125         (JSC::BytecodeDumper<Block>::dumpConstants):
3126         (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
3127         (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
3128         (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
3129         (JSC::BytecodeDumper<Block>::dumpBlock):
3130         * bytecode/BytecodeDumper.h:
3131         (JSC::BytecodeDumper::dumpOperand):
3132         (JSC::BytecodeDumper::dumpValue):
3133         (JSC::BytecodeDumper::BytecodeDumper):
3134         (JSC::BytecodeDumper::block const):
3135         * bytecode/BytecodeGeneratorification.cpp:
3136         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3137         (JSC::BytecodeGeneratorification::enterPoint const):
3138         (JSC::BytecodeGeneratorification::instructions const):
3139         (JSC::GeneratorLivenessAnalysis::run):
3140         (JSC::BytecodeGeneratorification::run):
3141         (JSC::performGeneratorification):
3142         * bytecode/BytecodeGeneratorification.h:
3143         * bytecode/BytecodeGraph.h:
3144         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3145         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3146         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3147         (JSC::BytecodeGraph::BytecodeGraph):
3148         * bytecode/BytecodeKills.h:
3149         * bytecode/BytecodeList.json: Removed.
3150         * bytecode/BytecodeList.rb: Added.
3151         * bytecode/BytecodeLivenessAnalysis.cpp:
3152         (JSC::BytecodeLivenessAnalysis::dumpResults):
3153         * bytecode/BytecodeLivenessAnalysis.h:
3154         * bytecode/BytecodeLivenessAnalysisInlines.h:
3155         (JSC::isValidRegisterForLiveness):
3156         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3157         * bytecode/BytecodeRewriter.cpp:
3158         (JSC::BytecodeRewriter::applyModification):
3159         (JSC::BytecodeRewriter::execute):
3160         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3161         (JSC::BytecodeRewriter::insertImpl):
3162         (JSC::BytecodeRewriter::adjustJumpTarget):
3163         (JSC::BytecodeRewriter::adjustJumpTargets):
3164         * bytecode/BytecodeRewriter.h:
3165         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
3166         (JSC::BytecodeRewriter::Fragment::Fragment):
3167         (JSC::BytecodeRewriter::Fragment::appendInstruction):
3168         (JSC::BytecodeRewriter::BytecodeRewriter):
3169         (JSC::BytecodeRewriter::insertFragmentBefore):
3170         (JSC::BytecodeRewriter::insertFragmentAfter):
3171         (JSC::BytecodeRewriter::removeBytecode):
3172         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
3173         (JSC::BytecodeRewriter::adjustJumpTarget):
3174         * bytecode/BytecodeUseDef.h:
3175         (JSC::computeUsesForBytecodeOffset):
3176         (JSC::computeDefsForBytecodeOffset):
3177         * bytecode/CallLinkStatus.cpp:
3178         (JSC::CallLinkStatus::computeFromLLInt):
3179         * bytecode/CodeBlock.cpp:
3180         (JSC::CodeBlock::dumpBytecode):
3181         (JSC::CodeBlock::CodeBlock):
3182         (JSC::CodeBlock::finishCreation):
3183         (JSC::CodeBlock::estimatedSize):
3184         (JSC::CodeBlock::visitChildren):
3185         (JSC::CodeBlock::propagateTransitions):
3186         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3187         (JSC::CodeBlock::addJITAddIC):
3188         (JSC::CodeBlock::addJITMulIC):
3189         (JSC::CodeBlock::addJITSubIC):
3190         (JSC::CodeBlock::addJITNegIC):
3191         (JSC::CodeBlock::stronglyVisitStrongReferences):
3192         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
3193         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3194         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3195         (JSC::CodeBlock::getArrayProfile):
3196         (JSC::CodeBlock::updateAllArrayPredictions):
3197         (JSC::CodeBlock::predictedMachineCodeSize):
3198         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
3199         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
3200         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3201         (JSC::CodeBlock::validate):
3202         (JSC::CodeBlock::outOfLineJumpOffset):
3203         (JSC::CodeBlock::outOfLineJumpTarget):
3204         (JSC::CodeBlock::arithProfileForBytecodeOffset):
3205         (JSC::CodeBlock::arithProfileForPC):
3206         (JSC::CodeBlock::couldTakeSpecialFastCase):
3207         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3208         * bytecode/CodeBlock.h:
3209         (JSC::CodeBlock::addMathIC):
3210         (JSC::CodeBlock::outOfLineJumpOffset):
3211         (JSC::CodeBlock::bytecodeOffset):
3212         (JSC::CodeBlock::instructions const):
3213         (JSC::CodeBlock::instructionCount const):
3214         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
3215         (JSC::CodeBlock::metadata):
3216         (JSC::CodeBlock::metadataSizeInBytes):
3217         (JSC::CodeBlock::numberOfNonArgumentValueProfiles):
3218         (JSC::CodeBlock::totalNumberOfValueProfiles):
3219         * bytecode/CodeBlockInlines.h: Added.
3220         (JSC::CodeBlock::forEachValueProfile):
3221         (JSC::CodeBlock::forEachArrayProfile):
3222         (JSC::CodeBlock::forEachArrayAllocationProfile):
3223         (JSC::CodeBlock::forEachObjectAllocationProfile):
3224         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
3225         * bytecode/Fits.h: Added.
3226         * bytecode/GetByIdMetadata.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3227         * bytecode/GetByIdStatus.cpp:
3228         (JSC::GetByIdStatus::computeFromLLInt):
3229         * bytecode/Instruction.h:
3230         (JSC::Instruction::Instruction):
3231         (JSC::Instruction::Impl::opcodeID const):
3232         (JSC::Instruction::opcodeID const):
3233         (JSC::Instruction::name const):
3234         (JSC::Instruction::isWide const):
3235         (JSC::Instruction::size const):
3236         (JSC::Instruction::is const):
3237         (JSC::Instruction::as const):
3238         (JSC::Instruction::cast):
3239         (JSC::Instruction::cast const):
3240         (JSC::Instruction::narrow const):
3241         (JSC::Instruction::wide const):
3242         * bytecode/InstructionStream.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3243         (JSC::InstructionStream::InstructionStream):
3244         (JSC::InstructionStream::sizeInBytes const):
3245         * bytecode/InstructionStream.h: Added.
3246         (JSC::InstructionStream::BaseRef::BaseRef):
3247         (JSC::InstructionStream::BaseRef::operator=):
3248         (JSC::InstructionStream::BaseRef::operator-> const):
3249         (JSC::InstructionStream::BaseRef::ptr const):
3250         (JSC::InstructionStream::BaseRef::operator!= const):
3251         (JSC::InstructionStream::BaseRef::next const):
3252         (JSC::InstructionStream::BaseRef::offset const):
3253         (JSC::InstructionStream::BaseRef::isValid const):
3254         (JSC::InstructionStream::BaseRef::unwrap const):
3255         (JSC::InstructionStream::MutableRef::freeze const):
3256         (JSC::InstructionStream::MutableRef::operator->):
3257         (JSC::InstructionStream::MutableRef::ptr):
3258         (JSC::InstructionStream::MutableRef::operator Ref):
3259         (JSC::InstructionStream::MutableRef::unwrap):
3260         (JSC::InstructionStream::iterator::operator*):
3261         (JSC::InstructionStream::iterator::operator++):
3262         (JSC::InstructionStream::begin const):
3263         (JSC::InstructionStream::end const):
3264         (JSC::InstructionStream::at const):
3265         (JSC::InstructionStream::size const):
3266         (JSC::InstructionStreamWriter::InstructionStreamWriter):
3267         (JSC::InstructionStreamWriter::ref):
3268         (JSC::InstructionStreamWriter::seek):
3269         (JSC::InstructionStreamWriter::position):
3270         (JSC::InstructionStreamWriter::write):
3271         (JSC::InstructionStreamWriter::rewind):
3272         (JSC::InstructionStreamWriter::finalize):
3273         (JSC::InstructionStreamWriter::swap):
3274         (JSC::InstructionStreamWriter::iterator::operator*):
3275         (JSC::InstructionStreamWriter::iterator::operator++):
3276         (JSC::InstructionStreamWriter::begin):
3277         (JSC::InstructionStreamWriter::end):
3278         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3279         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
3280         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3281         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
3282         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3283         * bytecode/MetadataTable.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3284         (JSC::MetadataTable::MetadataTable):
3285         (JSC::DeallocTable::withOpcodeType):
3286         (JSC::MetadataTable::~MetadataTable):
3287         (JSC::MetadataTable::sizeInBytes):
3288         * bytecode/MetadataTable.h: Copied from Source/JavaScriptCore/runtime/Watchdog.h.
3289         (JSC::MetadataTable::get):
3290         (JSC::MetadataTable::forEach):
3291         (JSC::MetadataTable::getImpl):
3292         * bytecode/Opcode.cpp:
3293         (JSC::metadataSize):
3294         * bytecode/Opcode.h:
3295         (JSC::padOpcodeName):
3296         * bytecode/OpcodeInlines.h:
3297         (JSC::isOpcodeShape):
3298         (JSC::getOpcodeType):
3299         * bytecode/OpcodeSize.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3300         * bytecode/PreciseJumpTargets.cpp:
3301         (JSC::getJumpTargetsForInstruction):
3302         (JSC::computePreciseJumpTargetsInternal):
3303         (JSC::computePreciseJumpTargets):
3304         (JSC::recomputePreciseJumpTargets):
3305         (JSC::findJumpTargetsForInstruction):
3306         * bytecode/PreciseJumpTargets.h:
3307         * bytecode/PreciseJumpTargetsInlines.h:
3308         (JSC::jumpTargetForInstruction):
3309         (JSC::extractStoredJumpTargetsForInstruction):
3310         (JSC::updateStoredJumpTargetsForInstruction):
3311         * bytecode/PutByIdStatus.cpp:
3312         (JSC::PutByIdStatus::computeFromLLInt):
3313         * bytecode/SpecialPointer.cpp:
3314         (WTF::printInternal):
3315         * bytecode/SpecialPointer.h:
3316         * bytecode/UnlinkedCodeBlock.cpp:
3317         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3318         (JSC::UnlinkedCodeBlock::visitChildren):
3319         (JSC::UnlinkedCodeBlock::estimatedSize):
3320         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
3321         (JSC::dumpLineColumnEntry):
3322         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const):
3323         (JSC::UnlinkedCodeBlock::setInstructions):
3324         (JSC::UnlinkedCodeBlock::instructions const):
3325         (JSC::UnlinkedCodeBlock::applyModification):
3326         (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget):
3327         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3328         * bytecode/UnlinkedCodeBlock.h:
3329         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction):
3330         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const):
3331         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
3332         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
3333         (JSC::UnlinkedCodeBlock::metadata):
3334         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
3335         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3336         (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets):
3337         * bytecode/UnlinkedInstructionStream.cpp: Removed.
3338         * bytecode/UnlinkedInstructionStream.h: Removed.
3339         * bytecode/UnlinkedMetadataTable.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3340         * bytecode/UnlinkedMetadataTableInlines.h: Added.
3341         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
3342         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
3343         (JSC::UnlinkedMetadataTable::addEntry):
3344         (JSC::UnlinkedMetadataTable::sizeInBytes):
3345         (JSC::UnlinkedMetadataTable::finalize):
3346         (JSC::UnlinkedMetadataTable::link):
3347         (JSC::UnlinkedMetadataTable::unlink):
3348         * bytecode/VirtualRegister.cpp:
3349         (JSC::VirtualRegister::VirtualRegister):
3350         * bytecode/VirtualRegister.h:
3351         * bytecompiler/BytecodeGenerator.cpp:
3352         (JSC::Label::setLocation):
3353         (JSC::Label::bind):
3354         (JSC::BytecodeGenerator::generate):
3355         (JSC::BytecodeGenerator::BytecodeGenerator):
3356         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
3357         (JSC::BytecodeGenerator::emitEnter):
3358         (JSC::BytecodeGenerator::emitLoopHint):
3359         (JSC::BytecodeGenerator::emitJump):
3360         (JSC::BytecodeGenerator::emitCheckTraps):
3361         (JSC::BytecodeGenerator::rewind):
3362         (JSC::BytecodeGenerator::fuseCompareAndJump):
3363         (JSC::BytecodeGenerator::fuseTestAndJmp):
3364         (JSC::BytecodeGenerator::emitJumpIfTrue):
3365         (JSC::BytecodeGenerator::emitJumpIfFalse):
3366         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3367         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3368         (JSC::BytecodeGenerator::moveLinkTimeConstant):
3369         (JSC::BytecodeGenerator::moveEmptyValue):
3370         (JSC::BytecodeGenerator::emitMove):
3371         (JSC::BytecodeGenerator::emitUnaryOp):
3372         (JSC::BytecodeGenerator::emitBinaryOp):
3373         (JSC::BytecodeGenerator::emitToObject):
3374         (JSC::BytecodeGenerator::emitToNumber):
3375         (JSC::BytecodeGenerator::emitToString):
3376         (JSC::BytecodeGenerator::emitTypeOf):
3377         (JSC::BytecodeGenerator::emitInc):
3378         (JSC::BytecodeGenerator::emitDec):
3379         (JSC::BytecodeGenerator::emitEqualityOp):
3380         (JSC::BytecodeGenerator::emitProfileType):
3381         (JSC::BytecodeGenerator::emitProfileControlFlow):
3382         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3383         (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
3384         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3385         (JSC::BytecodeGenerator::emitOverridesHasInstance):
3386         (JSC::BytecodeGenerator::emitResolveScope):
3387         (JSC::BytecodeGenerator::emitGetFromScope):
3388         (JSC::BytecodeGenerator::emitPutToScope):
3389         (JSC::BytecodeGenerator::emitInstanceOf):
3390         (JSC::BytecodeGenerator::emitInstanceOfCustom):
3391         (JSC::BytecodeGenerator::emitInByVal):