cf999f42b530d16e3a6f7bc9e04010cb28e4d248
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-12-13  Saam Barati  <sbarati@apple.com>

        The JSC shell should listen for memory pressure events and respond to them
        https://bugs.webkit.org/show_bug.cgi?id=192647

        Reviewed by Keith Miller.

        We want the JSC shell to behave more like the WebContent process when
        it comes to running performance tests. One way to make the shell
        more like this is to have it respond to memory pressure events in
        a similar way as the WebContent process. This makes it easier to run
        benchmarks like JetStream2 on the CLI on iOS.

        * jsc.cpp:
        (jscmain):
        * runtime/VM.cpp:
        (JSC::VM::drainMicrotasks):
        * runtime/VM.h:
        (JSC::VM::setOnEachMicrotaskTick):

2018-12-13  Mark Lam  <mark.lam@apple.com>

        Ensure that StructureFlags initialization always starts with Base::StructureFlags.
        https://bugs.webkit.org/show_bug.cgi?id=192686

        Reviewed by Keith Miller.

        This is purely a refactoring effort to make the code consistently start all
        StructureFlags initialization with Base::StructureFlags.  Previously, sometimes
        Base::StructureFlags is appended at the end, and sometimes, it is expressed using
        the name of the superclass.  This patch makes the code all consistent and easier
        to do a quick eye scan audit on to verify that no StructureFlags are forgetting
        to inherit Base::StructureFlags.

        Also added a static_assert in JSCallbackObject.h and JSBoundFunction.h.  Both of
        these implement a customHasInstance() method, and rely on ImplementsHasInstance
        being included in the StructureFlags, and conversely, ImplementsDefaultHasInstance
        has to be excluded.

        JSBoundFunction.h is the only case where a bit (ImplementsDefaultHasInstance)
        needs to be masked out of the inherited Base::StructureFlags.

        * API/JSCallbackObject.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/Exception.h:
        * runtime/FunctionRareData.h:
        * runtime/InferredType.h:
        * runtime/InferredTypeTable.h:
        * runtime/InferredValue.h:
        * runtime/JSBoundFunction.h:
        * runtime/MapPrototype.h:
        * runtime/SetPrototype.h:
        * runtime/StringPrototype.h:
        * runtime/SymbolConstructor.h:
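
        As an added illustration (not WebKit code, and not part of this ChangeLog entry), a cut-down C++ model of the convention described above: every class composes its flags starting from Base::StructureFlags, the JSBoundFunction-style class masks out ImplementsDefaultHasInstance, and static_asserts catch a class that forgets to inherit. The flag names are taken from the entry; their bit values and the class names are constructed here.

```cpp
// Constructed model, not JavaScriptCore code. The flag names mirror the
// ChangeLog entry; the bit values and class names are made up for the example.
constexpr unsigned ImplementsHasInstance        = 1u << 0;
constexpr unsigned ImplementsDefaultHasInstance = 1u << 1;
constexpr unsigned OverridesGetOwnPropertySlot  = 1u << 2;
constexpr unsigned TypeOfShouldCallGetCallData  = 1u << 3;

struct JSCell {
    static constexpr unsigned StructureFlags = 0;
};

// Ordinary objects get the default hasInstance behaviour.
struct JSObject : JSCell {
    using Base = JSCell;
    static constexpr unsigned StructureFlags = Base::StructureFlags | ImplementsDefaultHasInstance;
};

// The convention the patch enforces: always start from Base::StructureFlags,
// then OR in this class's own bits.
struct JSFunctionLike : JSObject {
    using Base = JSObject;
    static constexpr unsigned StructureFlags = Base::StructureFlags | TypeOfShouldCallGetCallData;
};

// Model of JSBoundFunction: it implements customHasInstance(), so it must set
// ImplementsHasInstance and mask out the inherited ImplementsDefaultHasInstance.
struct BoundFunctionLike : JSFunctionLike {
    using Base = JSFunctionLike;
    static constexpr unsigned StructureFlags =
        (Base::StructureFlags & ~ImplementsDefaultHasInstance) | ImplementsHasInstance;

    // The same invariants the entry says were added as static_asserts.
    static_assert(StructureFlags & ImplementsHasInstance,
                  "customHasInstance() requires ImplementsHasInstance");
    static_assert(!(StructureFlags & ImplementsDefaultHasInstance),
                  "must not also claim the default hasInstance");
    static_assert(StructureFlags & TypeOfShouldCallGetCallData,
                  "Base::StructureFlags was dropped");
};

// The mistake the refactoring makes easy to spot by eye: a class that sets
// its own bits without starting from Base::StructureFlags.
struct ForgotBase : JSFunctionLike {
    using Base = JSFunctionLike;
    static constexpr unsigned StructureFlags = OverridesGetOwnPropertySlot;
};

// Audit helper: which bits of baseFlags did derivedFlags lose, ignoring bits
// the class is allowed to mask out? Zero means nothing was forgotten.
constexpr unsigned droppedBaseFlags(unsigned baseFlags, unsigned derivedFlags, unsigned allowedToDrop = 0)
{
    return baseFlags & ~derivedFlags & ~allowedToDrop;
}
```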

2018-12-13  Mark Lam  <mark.lam@apple.com>

        Add the JSC_traceBaselineJITExecution option for tracing baseline JIT execution.
        https://bugs.webkit.org/show_bug.cgi?id=192684

        Reviewed by Saam Barati.

        This dataLogs the bytecode execution order of baseline JIT code when the
        JSC_traceBaselineJITExecution option is true.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * runtime/Options.h:

2018-12-13  David Kilzer  <ddkilzer@apple.com>

        clang-tidy: Fix unnecessary object copies in JavaScriptCore
        <https://webkit.org/b/192680>
        <rdar://problem/46708767>

        Reviewed by Mark Lam.

        * assembler/testmasm.cpp:
        (JSC::invoke):
        - Make MacroAssemblerCodeRef<JSEntryPtrTag> argument a const
          reference.

        * b3/testb3.cpp:
        (JSC::B3::checkDisassembly):
        - Make CString argument a const reference.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        - Make JITCompiler::JumpList arguments a const reference.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
        - Make RegisteredStructureSet argument a const reference.

        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule): Make local auto
        variables const references.
        (Workers::report): Make String argument a const reference.
        (addOption): Make Identifier argument a const reference.
        (runJSC): Make CString loop variable a const reference.

2018-12-13  Devin Rousso  <drousso@apple.com>

        Web Inspector: remove DOM.BackendNodeId and associated commands/events
        https://bugs.webkit.org/show_bug.cgi?id=192478

        Reviewed by Matt Baker.

        * inspector/protocol/DOM.json:

2018-12-13  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueDiv into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186178

        Reviewed by Yusuke Suzuki.

        This patch is introducing a new node type called ValueDiv. This node
        is responsible for handling the Untyped and BigInt specializations of the division
        operator, while the ArithDiv variant handles the Number/Boolean cases.

        The BigInt specialization generates the following speedup on a simple
        benchmark:

                                  noSpec                 changes

        big-int-simple-div    10.6013+-0.4682    ^    8.4518+-0.0943   ^ definitely 1.2543x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupArithDiv):
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueDiv):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, build fix after r239153, part 2
        https://bugs.webkit.org/show_bug.cgi?id=190047

        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::cachedOwnKeys const):

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, build fix after r239153
        https://bugs.webkit.org/show_bug.cgi?id=190047

        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::cachedOwnKeys const):

2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Keith Miller.

        Object.keys is one of the most frequently used functions in web-tooling-benchmarks (WTB).
        Object.keys is dominant in lebab of WTB, and frequently called in babel and others.
        Since our Structure knows the shape of a JSObject, we can cache the result of Object.keys
        in Structure (StructureRareData), as we cache JSPropertyNameEnumerator in StructureRareData.

        This patch caches the result of Object.keys in StructureRareData. The cached array is created
        as a JSImmutableButterfly, and Object.keys creates a CoW array from this data. Currently, the lifetime
        strategy of this JSImmutableButterfly is the same as that of the cached JSPropertyNameEnumerator. It is
        referenced from the Structure, and collected when the Structure is collected.

        This improves several benchmarks in SixSpeed.

                                        baseline                  patched

            object-assign.es5      350.1710+-3.6303     ^    226.0368+-4.7558        ^ definitely 1.5492x faster
            for-of-object.es6      269.1941+-3.3430     ^    127.9317+-2.3875        ^ definitely 2.1042x faster

        And it improves WTB lebab by 11.8%.

            Before: lebab:  6.10 runs/s
            After:  lebab:  6.82 runs/s

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToNewArrayBuffer):
        * dfg/DFGNode.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectKeys):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::createSentinel):
        * runtime/ObjectConstructor.cpp:
        (JSC::ownPropertyKeys):
        * runtime/Structure.cpp:
        (JSC::Structure::canCachePropertyNameEnumerator const):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setCachedOwnKeys):
        (JSC::Structure::cachedOwnKeys const):
        (JSC::Structure::canCacheOwnKeys const):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        (JSC::StructureRareData::cachedPropertyNameEnumerator const): Deleted.
        (JSC::StructureRareData::setCachedPropertyNameEnumerator): Deleted.
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::cachedPropertyNameEnumerator const):
        (JSC::StructureRareData::setCachedPropertyNameEnumerator):
        (JSC::StructureRareData::cachedOwnKeys const):
        (JSC::StructureRareData::cachedOwnKeysConcurrently const):
        (JSC::StructureRareData::setCachedOwnKeys):
        (JSC::StructureRareData::previousID const): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [DFG][FTL] Add NewSymbol
        https://bugs.webkit.org/show_bug.cgi?id=192620

        Reviewed by Saam Barati.

        This patch introduces the NewSymbol DFG node into the DFG and FTL tiers. The main goal of this patch is not to make
        NewSymbol code faster. Rather, this patch intends to offer SpecSymbol type information to DFG's
        data flow to optimize the generated code in the FTL backend.

        We add the NewSymbol DFG node, which may take an argument. If an argument is not given, NewSymbol is for `Symbol()`.
        If an argument is given, ToString is emitted for this argument before passing it to NewSymbol, so the NewSymbol node
        itself does not perform any type checks. ToString performs effects, but NewSymbol doesn't have any observable side
        effects, so we can decouple a Symbol(description) call into NewSymbol(ToString(description)).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewSymbol):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):

2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Implement DFG/FTL typeof for BigInt
        https://bugs.webkit.org/show_bug.cgi?id=192619

        Reviewed by Keith Miller.

        This patch implements typeof for BigInt in DFG and FTL. Our DFG and FTL tiers now correctly consider BigInt
        in the code generated for typeof.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify): We add (SpecCell - SpecString) type filter for proven type since isString
        check is already performed here.
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): We use (SpecCell - SpecObject - SpecString) type filter for proven type
        since String and Object are already checked here. If we know the proven type does not include Symbol type here, we
        can omit the code for Symbol type.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):

2018-12-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Simplify boolean context evaluation by leveraging JSString::offsetOfLength() == JSBigInt::offsetOfLength()
        https://bugs.webkit.org/show_bug.cgi?id=192615

        Reviewed by Saam Barati.

        JSString and JSBigInt have a similar concept in terms of their implementation.
        Both are immutable JSCells and have length information. Since m_length is located
        just after the JSCell header part, we can ensure `JSString::offsetOfLength() == JSBigInt::offsetOfLength()`,
        and this allows us to optimize the boolean context evaluation.

        This patch leverages the above information to reduce the code size for the boolean context evaluation.

        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::offsetOfLength): Deleted.
        * runtime/JSBigInt.h:

2018-12-11  Justin Michaud  <justin_michaud@apple.com>

        Implement feature flag for CSS Typed OM
        https://bugs.webkit.org/show_bug.cgi?id=192610

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2018-12-10  Don Olmstead  <don.olmstead@sony.com>

        Move ENABLE_RESOURCE_LOAD_STATISTICS to FeatureDefines.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=192573

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2018-12-10  Mark Lam  <mark.lam@apple.com>

        PropertyAttribute needs a CustomValue bit.
        https://bugs.webkit.org/show_bug.cgi?id=191993
        <rdar://problem/46264467>

        Reviewed by Saam Barati.

        This is because GetByIdStatus needs to distinguish CustomValue properties from
        other types, and its only means of doing so is via the property's attributes.
        Previously, there's nothing in the property's attributes that can indicate that
        the property is a CustomValue.

        We fix this by doing the following:

        1. Added a PropertyAttribute::CustomValue bit.
        2. Added a PropertyAttribute::CustomAccessorOrValue convenience bit mask that is
           CustomAccessor | CustomValue.

        3. Since CustomGetterSetter properties are only set via JSObject::putDirectCustomAccessor(),
           we added a check in JSObject::putDirectCustomAccessor() to see if the attributes
           bits include PropertyAttribute::CustomAccessor.  If not, then the property
           must be a CustomValue, and we'll add the PropertyAttribute::CustomValue bit
           to the attributes bits.

           This ensures that the property attributes is sufficient to tell us if the
           property contains a CustomGetterSetter.

        4. Updated all checks for PropertyAttribute::CustomAccessor to check for
           PropertyAttribute::CustomAccessorOrValue instead if their intent is to check
           for the presence of a CustomGetterSetter as opposed to checking specifically
           for one that is used as a CustomAccessor.

           This includes all the Structure transition code that needs to capture the
           attributes change when a CustomValue has been added.

        5. Filtered out the PropertyAttribute::CustomValue bit in PropertyDescriptor.
           The fact that we're using a CustomGetterSetter as a CustomValue should remain
           invisible to the descriptor.  This is because the descriptor should describe
           a CustomValue no differently from a plain value.

        6. Added some asserts to ensure that property attributes are as expected, and to
           document some invariants.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/InByIdStatus.cpp:
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::putDirect):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setCustomDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomGetterSetter):
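
        As an added illustration (not WebKit code, and not part of this ChangeLog entry), a small C++ model of steps 3 to 6 above: putDirectCustomAccessor() adds the CustomValue bit when CustomAccessor is absent, presence checks use CustomAccessorOrValue, and the descriptor view masks CustomValue out. Only the attribute names come from the entry; the bit values, the Property struct and the helper names are constructed here.

```cpp
// Constructed model, not JavaScriptCore code. Attribute names follow the
// ChangeLog entry; the bit positions are made up for the example.
enum PropertyAttribute : unsigned {
    None                  = 0,
    ReadOnly              = 1u << 1,
    DontEnum              = 1u << 2,
    Accessor              = 1u << 4,
    CustomAccessor        = 1u << 5,
    CustomValue           = 1u << 6,                       // step 1
    CustomAccessorOrValue = CustomAccessor | CustomValue,  // step 2
};

// Minimal stand-in for a stored property: its attribute bits plus whether the
// slot actually holds a CustomGetterSetter (what GetByIdStatus needs to know).
struct Property {
    unsigned attributes;
    bool holdsCustomGetterSetter;
};

// Step 3: every CustomGetterSetter is installed through this path. If the
// caller did not ask for CustomAccessor, the property must be a CustomValue,
// so tag it, making the attributes alone sufficient to detect the getter/setter.
inline Property putDirectCustomAccessor(unsigned attributes)
{
    if (!(attributes & CustomAccessor))
        attributes |= CustomValue;
    return Property{attributes, true};
}

// Step 4: "is there a CustomGetterSetter behind this property?" must use the
// combined mask; testing CustomAccessor alone would miss CustomValue properties.
inline bool hasCustomGetterSetter(const Property& p)
{
    return (p.attributes & CustomAccessorOrValue) != 0;
}

// A check that really wants only the accessor flavour keeps testing one bit.
inline bool isCustomAccessor(const Property& p)
{
    return (p.attributes & CustomAccessor) != 0;
}

// Step 5: a PropertyDescriptor describes a CustomValue like a plain value,
// so the bit is filtered out of the attributes it reports.
inline unsigned descriptorAttributes(const Property& p)
{
    return p.attributes & ~static_cast<unsigned>(CustomValue);
}

// Step 6: the invariant the added asserts document, as a predicate: the
// attribute bits alone must agree with whether a CustomGetterSetter is stored.
inline bool attributesAreConsistent(const Property& p)
{
    return hasCustomGetterSetter(p) == p.holdsCustomGetterSetter;
}
```

The pre-patch situation is the Property{DontEnum, true} case in the test: a CustomGetterSetter stored as a plain-looking value, which attributesAreConsistent() rejects.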

2018-12-10  Mark Lam  <mark.lam@apple.com>

        LinkBuffer::copyCompactAndLinkCode() needs to be aware of ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=192569
        <rdar://problem/45615617>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-12-10  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMul into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186175

        Reviewed by Yusuke Suzuki.

        This patch is adding a new DFG node called ValueMul. This node is
        responsible for handling multiplication operations that can result in
        non-number values. We emit such a node during DFGByteCodeParser when the
        operands are not numbers. During FixupPhase, we change this
        operation to ArithMul if we can speculate Number/Boolean operands.

        The BigInt specialization shows a small progression:

                                noSpec                changes

        big-int-simple-mul  18.8090+-1.0435  ^  17.4305+-0.2673  ^ definitely 1.0791x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupMultiplication):
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueMul):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):

2018-12-08  Mark Lam  <mark.lam@apple.com>

        Reduce size of PropertySlot and PutPropertySlot.
        https://bugs.webkit.org/show_bug.cgi?id=192526

        Reviewed by Keith Miller.

        With some minor adjustments, we can reduce the size of PropertySlot from 80 bytes
        (19 padding bytes) to 64 bytes (3 padding bytes), and PutPropertySlot from 40
        bytes (4 padding bytes) to 32 bytes (0 padding bytes but with 6 unused bits).
        These measurements are for a 64-bit build.

        * runtime/PropertySlot.h:
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2018-12-08  Dominik Infuehr  <dinfuehr@igalia.com>

        Record right offset with aligned wide instructions
        https://bugs.webkit.org/show_bug.cgi?id=192006

        Reviewed by Yusuke Suzuki.

        Aligning bytecode instructions inserts nops into the instruction stream.
        Emitting an instruction did not record the actual start of the instruction with
        aligned instructions, but the nop just before the actual instruction. This was
        problematic with the StaticPropertyAnalyzer that used the wrong instruction offset.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStream::MutableRef::clone):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::alignWideOpcode):
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitNewObject):
        * generator/Opcode.rb:

2018-12-07  Tadeu Zagallo  <tzagallo@apple.com>

        Align the metadata table on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=192050
        <rdar://problem/46312674>

        Reviewed by Mark Lam.

        Although certain platforms don't require the metadata to be aligned,
        values were being concurrently read and written to ValueProfiles,
        which caused crashes since these operations are not atomic on unaligned
        addresses.

        * bytecode/Opcode.cpp:
        (JSC::metadataAlignment):
        * bytecode/Opcode.h:
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::finalize):

2018-12-05  Mark Lam  <mark.lam@apple.com>

        speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
        https://bugs.webkit.org/show_bug.cgi?id=192441
        <rdar://problem/46480355>

        Reviewed by Saam Barati.

        This is because a regular String (non-Identifier) can be converted into an
        Identifier.  During DFG/FTL compilation, AbstractValue::checkConsistency() may
        expect a value to be of type SpecStringVar, but the mutator thread may have
        converted the string into an Identifier.  This creates a race where
        AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when
        it expects a SpecStringVar.

        The fix is to speculate non-Identifier strings as type SpecString which allows it
        to be SpecStringVar or SpecStringIdent.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):

2018-12-04  Mark Lam  <mark.lam@apple.com>

        DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
        https://bugs.webkit.org/show_bug.cgi?id=192386
        <rdar://problem/46445516>

        Reviewed by Saam Barati.

        This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-12-04  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
        operand of logical operations. During JIT generation into DFG and FTL,
        we are using JSBigInt::m_length to verify if the number is 0n or not,
        following the same approach used by JSString. This is also safe in the case
        of BigInt, because only 0n has m_length == 0.

        We are not including BigInt speculation into Branch nodes in this
        patch, but the plan is to implement it in further patches.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero const):
        (JSC::JSBigInt::offsetOfLength):
        (JSC::JSBigInt::toBoolean const):
        (JSC::JSBigInt::isZero): Deleted.
        * runtime/JSBigInt.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::pureToBoolean const):

2018-12-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: Audit: tests should support async operations
        https://bugs.webkit.org/show_bug.cgi?id=192171
        <rdar://problem/46423562>

        Reviewed by Joseph Pecoraro.

        Add `awaitPromise` command for executing a callback when a Promise gets settled.

        Drive-by: allow `wasThrown` to be optional, instead of expecting it to always have a value.

        * inspector/protocol/Runtime.json:

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.awaitPromise): Added.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::awaitPromise): Added.
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        (Inspector::InjectedScriptBase::makeAsyncCall): Added.
        (Inspector::InjectedScriptBase::checkCallResult): Added.
        (Inspector::InjectedScriptBase::checkAsyncCallResult): Added.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::awaitPromise):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        We are introducing in this patch the ToBoolean support for JSBigInt.
        With this change, we can implement the correct behavior of BigInt as
720         operand of logical operations. During JIT generation into DFG and FTL,
721         we are using JSBigInt::m_length to verify if the number is 0n or not,
722         following the same approach used by JSString. This is also safe in the case
723         of BigInt, because only 0n has m_length == 0.
724
725         We are not including BigInt speculation into Branch nodes in this
726         patch, but the plan is to implement it in further patches.
727
728         * ftl/FTLAbstractHeapRepository.h:
729         * ftl/FTLLowerDFGToB3.cpp:
730         (JSC::FTL::DFG::LowerDFGToB3::boolify):
731         (JSC::FTL::DFG::LowerDFGToB3::isBigInt):
732         * jit/AssemblyHelpers.cpp:
733         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
734         (JSC::AssemblyHelpers::branchIfValue):
735         * runtime/JSBigInt.cpp:
736         (JSC::JSBigInt::isZero const):
737         (JSC::JSBigInt::offsetOfLength):
738         (JSC::JSBigInt::toBoolean const):
739         (JSC::JSBigInt::isZero): Deleted.
740         * runtime/JSBigInt.h:
741         * runtime/JSCellInlines.h:
742         (JSC::JSCell::toBoolean const):
743         (JSC::JSCell::pureToBoolean const):
744
745 2018-12-03  Keith Rollin  <krollin@apple.com>
746
747         Add .xcfilelist files
748         https://bugs.webkit.org/show_bug.cgi?id=192082
749         <rdar://problem/46312533>
750
751         Reviewed by Brent Fulgham.
752
753         Add .xcfilelist files for Generate Derived Sources and Generate
754         Unified Sources build phases in Xcode. These are just being staged for
755         now; they'll be added to the Xcode projects later.
756
757         * DerivedSources-input.xcfilelist: Added.
758         * DerivedSources-output.xcfilelist: Added.
759         * UnifiedSources-input.xcfilelist: Added.
760         * UnifiedSources-output.xcfilelist: Added.
761
762 2018-12-03  Mark Lam  <mark.lam@apple.com>
763
764         Fix the bytecode code generator scripts to pretty print BytecodeStructs.h and BytecodeIndices.h.
765         https://bugs.webkit.org/show_bug.cgi?id=192271
766
767         Reviewed by Keith Miller.
768
769         This makes the generated code style compliant and human readable.
770
771         * generator/Argument.rb:
772         * generator/DSL.rb:
773         * generator/Fits.rb:
774         * generator/Metadata.rb:
775         * generator/Opcode.rb:
776
777 2018-12-02  Zalan Bujtas  <zalan@apple.com>
778
779         Add a runtime feature flag for LayoutFormattingContext.
780         https://bugs.webkit.org/show_bug.cgi?id=192280
781
782         Reviewed by Simon Fraser.
783
784         * Configurations/FeatureDefines.xcconfig:
785
786 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
787
788         [ESNext][BigInt] Implement support for "<<" and ">>"
789         https://bugs.webkit.org/show_bug.cgi?id=186233
790
791         Reviewed by Yusuke Suzuki.
792
793         This patch is introducing the support for BigInt into lshift and
794         rshift into LLint and Baseline layers.
795
796         * runtime/CommonSlowPaths.cpp:
797         (JSC::SLOW_PATH_DECL):
798         * runtime/JSBigInt.cpp:
799         (JSC::JSBigInt::createWithLength):
800         (JSC::JSBigInt::leftShift):
801         (JSC::JSBigInt::signedRightShift):
802         (JSC::JSBigInt::leftShiftByAbsolute):
803         (JSC::JSBigInt::rightShiftByAbsolute):
804         (JSC::JSBigInt::rightShiftByMaximum):
805         (JSC::JSBigInt::toShiftAmount):
806         * runtime/JSBigInt.h:
807
808 2018-12-01  Simon Fraser  <simon.fraser@apple.com>
809
810         Heap.h refers to the non-existent HeapStatistics
811         https://bugs.webkit.org/show_bug.cgi?id=187882
812
813         Reviewed by Keith Miller.
814         
815         Just remove the "friend class HeapStatistics".
816
817         * heap/Heap.h:
818
819 2018-11-29  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
820
821         [JSC] Keep TypeMaybeBigInt small
822         https://bugs.webkit.org/show_bug.cgi?id=192203
823
824         Reviewed by Saam Barati.
825
826         As BigInt is being implemented, more and more bytecodes start returning BigInt.
827         It means that ResultType of these bytecodes include TypeMaybeBigInt. However,
828         TypeMaybeBigInt was a large number, 0x20, leading to wide instructions since ResultType
829         easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33).
830
831         This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in
832         the code.
833
834         * parser/ResultType.h:
835
836 2018-11-30  Dean Jackson  <dino@apple.com>
837
838         Try to fix Windows build by using strcmp instead of strcasecmp.
839
840         * jsc.cpp:
841         (isMJSFile):
842
843 2018-11-30  Mark Lam  <mark.lam@apple.com>
844
845         Fix the bytecode code generator scripts to pretty print Bytecodes.h.
846         https://bugs.webkit.org/show_bug.cgi?id=192258
847
848         Reviewed by Keith Miller.
849
850         This makes Bytecodes.h more human readable.
851
852         * generator/DSL.rb:
853         * generator/Section.rb:
854
855 2018-11-30  Mark Lam  <mark.lam@apple.com>
856
857         Add the generator directory to the Xcode project.
858         https://bugs.webkit.org/show_bug.cgi?id=192252
859
860         Reviewed by Michael Saboff.
861
862         This is so that we can work with these bytecode class generator files easily in Xcode.
863
864         * JavaScriptCore.xcodeproj/project.pbxproj:
865
866 2018-11-30  Don Olmstead  <don.olmstead@sony.com>
867
868         Rename ENABLE_SUBTLE_CRYPTO to ENABLE_WEB_CRYPTO
869         https://bugs.webkit.org/show_bug.cgi?id=192197
870
871         Reviewed by Jiewen Tan.
872
873         * Configurations/FeatureDefines.xcconfig:
874
875 2018-11-30  Dean Jackson  <dino@apple.com>
876
877         Add first-class support for .mjs files in jsc binary
878         https://bugs.webkit.org/show_bug.cgi?id=192190
879         <rdar://problem/46375715>
880
881         Reviewed by Keith Miller.
882
883         Treat files with a .mjs extension as a module, regardless
884         of whether or not the --module-file argument was given.
885
886         * jsc.cpp:
887         (printUsageStatement): Update usage.
888         (isMJSFile): Helper to look for .mjs extensions.
889         (CommandLine::parseArguments): Pick the appropriate script type.
890
891 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
892
893         [BigInt] Implement ValueBitXor into DFG
894         https://bugs.webkit.org/show_bug.cgi?id=190264
895
896         Reviewed by Yusuke Suzuki.
897
898         This patch is splitting the BitXor node into ArithBitXor and
899         ValueBitXor. This is necessary due to the introduction of
900         BigInt, since BitXor operations now can result in Int32 or BigInt.
901         In such a case, we use ArithBitXor when operands are Int and fall back to
902         ValueBitXor when operands are anything else. In the case of
903         ValueBitXor, we speculate BigInt when op1 and op2 are predicted as
904         BigInt as well. BigInt specialization consists of calling the
905         `operationBigIntBitXor` function, which calls JSBigInt::bitXor.
906
907         * bytecode/BytecodeList.rb:
908         * bytecode/CodeBlock.cpp:
909         (JSC::CodeBlock::finishCreation):
910         (JSC::CodeBlock::arithProfileForPC):
911         * bytecode/Opcode.h:
912         (JSC::padOpcodeName):
913         * bytecompiler/BytecodeGenerator.h:
914         * dfg/DFGAbstractInterpreterInlines.h:
915         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
916         * dfg/DFGBackwardsPropagationPhase.cpp:
917         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
918         (JSC::DFG::BackwardsPropagationPhase::propagate):
919         * dfg/DFGByteCodeParser.cpp:
920         (JSC::DFG::ByteCodeParser::parseBlock):
921         * dfg/DFGClobberize.h:
922         (JSC::DFG::clobberize):
923         * dfg/DFGDoesGC.cpp:
924         (JSC::DFG::doesGC):
925         * dfg/DFGFixupPhase.cpp:
926         (JSC::DFG::FixupPhase::fixupNode):
927         * dfg/DFGNodeType.h:
928         * dfg/DFGOperations.cpp:
929         * dfg/DFGOperations.h:
930         * dfg/DFGPredictionPropagationPhase.cpp:
931         * dfg/DFGSafeToExecute.h:
932         (JSC::DFG::safeToExecute):
933         * dfg/DFGSpeculativeJIT.cpp:
934         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
935         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
936         * dfg/DFGSpeculativeJIT.h:
937         (JSC::DFG::SpeculativeJIT::bitOp):
938         * dfg/DFGSpeculativeJIT32_64.cpp:
939         (JSC::DFG::SpeculativeJIT::compile):
940         * dfg/DFGSpeculativeJIT64.cpp:
941         (JSC::DFG::SpeculativeJIT::compile):
942         * dfg/DFGStrengthReductionPhase.cpp:
943         (JSC::DFG::StrengthReductionPhase::handleNode):
944         * ftl/FTLCapabilities.cpp:
945         (JSC::FTL::canCompile):
946         * ftl/FTLLowerDFGToB3.cpp:
947         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
948         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
949         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitXor):
950         (JSC::FTL::DFG::LowerDFGToB3::compileBitXor): Deleted.
951         * jit/JITArithmetic.cpp:
952         (JSC::JIT::emit_op_bitxor):
953         * llint/LowLevelInterpreter32_64.asm:
954         * llint/LowLevelInterpreter64.asm:
955         * runtime/CommonSlowPaths.cpp:
956         (JSC::SLOW_PATH_DECL):
957
958 2018-11-29  Justin Michaud  <justin_michaud@apple.com>
959
960         CSS Painting API should pass 'this' correctly to paint callback, and repaint when properties change.
961         https://bugs.webkit.org/show_bug.cgi?id=191443
962
963         Reviewed by Dean Jackson.
964
965         Export the simpler construct() method for use in WebCore.
966
967         * runtime/ConstructData.h:
968
969 2018-11-28  Mark Lam  <mark.lam@apple.com>
970
971         ENABLE_SEPARATED_WX_HEAP needs to be defined in Platform.h.
972         https://bugs.webkit.org/show_bug.cgi?id=192110
973         <rdar://problem/46317746>
974
975         Reviewed by Saam Barati.
976
977         * config.h:
978
979 2018-11-28  Keith Rollin  <krollin@apple.com>
980
981         Update generate-{derived,unified}-sources scripts to support generating .xcfilelist files
982         https://bugs.webkit.org/show_bug.cgi?id=192031
983         <rdar://problem/46286816>
984
985         Reviewed by Alex Christensen.
986
987         The Generate Derived Sources and Generate Unified Sources build phases
988         in Xcode need to have their inputs and outputs specified. This
989         specification will come in the form of .xcfilelist files that will be
990         attached to these build phases. There is one .xcfilelist file that
991         lists the input file and one that lists the output files. As part of
992         this work, the various generate-{derived,unified}-sources scripts that
993         are executed in these Generate build phases are modified to help in
994         the creation of these .xcfilelist files. In particular, they can now
995         be invoked with command-line parameters. These parameters are then
996         used to alter the normal execution of these scripts, causing them to
997         produce the .xcfilelist files as opposed to actually generating the
998         files that are listed in those files.
999
1000         * Scripts/generate-derived-sources.sh:
1001         * Scripts/generate-unified-sources.sh:
1002
1003 2018-11-28  Keith Rollin  <krollin@apple.com>
1004
1005         Revert print_all_generated_files work in r238008; tighten up target specifications
1006         https://bugs.webkit.org/show_bug.cgi?id=192025
1007         <rdar://problem/46284301>
1008
1009         Reviewed by Alex Christensen.
1010
1011         In r238008, I added a facility for DerivedSources.make makefiles to
1012         print out the list of files that they generate. This output was used
1013         in the generation of .xcfilelist files used to specify the output of
1014         the associated Generate Derived Sources build phases in Xcode. This
1015         approach worked, but it meant that people would need to follow a
1016         specific convention to keep this mechanism working.
1017
1018         Instead of continuing this approach, I'm going to implement a new
1019         facility based on the output of `make` when passed the -d flag (which
1020         prints dependency information). This new mechanism is completely
1021         automatic and doesn't need maintainers to follow a convention. To that
1022         end, remove most of the work performed in r238008 that supports the
1023         print_all_generated_files target.
1024
1025         At the same time, it's important for the sets of targets and their
1026         dependencies to be complete and correct. Therefore, also include
1027         changes to bring those up-to-date. As part of that, you'll see
1028         prevalent use of a particular technique. Here's an example:
1029
1030             BYTECODE_FILES = \
1031                 Bytecodes.h \
1032                 BytecodeIndices.h \
1033                 BytecodeStructs.h \
1034                 InitBytecodes.asm \
1035             #
1036             BYTECODE_FILES_PATTERNS = $(subst .,%,$(BYTECODE_FILES))
1037
1038             all : $(BYTECODE_FILES)
1039
1040             $(BYTECODE_FILES_PATTERNS): $(wildcard $(JavaScriptCore)/generator/*.rb) $(JavaScriptCore)/bytecode/BytecodeList.rb
1041                 ...
1042
1043         These lines indicate a set of generated files (those specified in
1044         BYTECODE_FILES). These files are generated by the BytecodeList.rb
1045         tool. But, as opposed to the normal rule where a single foo.output is
1046         generated by foo.input plus some additional dependencies, this rule
1047         produces multiple output files from a tool whose connection to the
1048         output files is not immediately clear. A special approach is needed
1049         where a single rule produces multiple output files. The normal way to
1050         implement this is to use an .INTERMEDIATE target. However, we used
1051         this approach in the past and ran into a problem with it, addressing
1052         it with an alternate approach in r210507. The above example shows this
1053         approach. The .'s in the list of target files are replaced with %'s,
1054         and the result is used as the left side of the dependency rule.
1055
1056         * DerivedSources.make:
1057
1058 2018-11-28  Keith Rollin  <krollin@apple.com>
1059
1060         Remove Postprocess Headers dependencies
1061         https://bugs.webkit.org/show_bug.cgi?id=192023
1062         <rdar://problem/46283377>
1063
1064         Reviewed by Mark Lam.
1065
1066         JavaScriptCore's Xcode Postprocess Headers build phase used to have a
1067         dependency on a specific handful of files. In r234227, the script used
1068         in this phase (postprocess-headers.sh) was completely rewritten to
1069         operate on *all* files in JSC's Public and Private headers directories
1070         instead of just this handful. This rewrite makes the previous
1071         dependency specification insufficient, leading to incorrect
1072         incremental builds if the right files weren't touched. Address this by
1073         removing the dependencies completely. This will cause
1074         postprocess-headers.sh to always be executed, even when none of its
1075         files are touched. Running this script all the time is OK, since it has
1076         built-in protections against unnecessarily touching files that haven't
1077         changed.
1078
1079         * JavaScriptCore.xcodeproj/project.pbxproj:
1080
1081 2018-11-27  Mark Lam  <mark.lam@apple.com>
1082
1083         ENABLE_FAST_JIT_PERMISSIONS should be false for iosmac.
1084         https://bugs.webkit.org/show_bug.cgi?id=192055
1085         <rdar://problem/46288783>
1086
1087         Reviewed by Saam Barati.
1088
1089         * Configurations/FeatureDefines.xcconfig:
1090
1091 2018-11-27  Saam barati  <sbarati@apple.com>
1092
1093         r238510 broke scopes of size zero
1094         https://bugs.webkit.org/show_bug.cgi?id=192033
1095         <rdar://problem/46281734>
1096
1097         Reviewed by Keith Miller.
1098
1099         In r238510, I wrote the loop like this: 
1100         `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`
1101         
1102         This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.
1103         
1104         This patch fixes this by writing the loop as:
1105         `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`
1106
1107         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1108
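        The unsigned wraparound behind this bug, as an added example that is not part of the ChangeLog or of JSC's own code (ToySymbolTable, walkSlotsBuggy and walkSlotsFixed are constructed stand-ins; only the two loop forms come from the entry above):

```cpp
#include <vector>

// Constructed stand-in for the part of a symbol table the r238510 loop consulted
// (assumption: a toy, not JSC's SymbolTable).
struct ToySymbolTable {
    unsigned scopeSizeValue;
    unsigned scopeSize() const { return scopeSizeValue; }
    // As the entry describes, the maximum offset of an empty scope is UINT_MAX:
    // scopeSize() - 1 in unsigned arithmetic wraps instead of meaning "no slots".
    unsigned maxScopeOffset() const { return scopeSizeValue - 1; }
};

// Outcome of walking an activation's slots.
struct WalkResult {
    long long visited;   // slots actually read
    bool outOfBounds;    // the loop asked for an index >= slots.size()
};

// The r238510 form: `offset <= maxScopeOffset()`. With scopeSize() == 0 the bound
// is UINT_MAX, so the condition is always true and the very first access is past
// the end of the buffer. The bounds check here stops the demo at that point
// instead of reading past the buffer (and instead of looping forever).
WalkResult walkSlotsBuggy(const ToySymbolTable& table, const std::vector<int>& slots)
{
    WalkResult result { 0, false };
    for (unsigned offset = 0; offset <= table.maxScopeOffset(); offset += 1) {
        if (offset >= slots.size()) {
            result.outOfBounds = true;
            return result;
        }
        ++result.visited;
    }
    return result;
}

// The fixed form from the entry: `offset < scopeSize()`. It never computes
// size - 1, so an empty scope simply runs zero iterations.
WalkResult walkSlotsFixed(const ToySymbolTable& table, const std::vector<int>& slots)
{
    WalkResult result { 0, false };
    for (unsigned offset = 0; offset < table.scopeSize(); ++offset) {
        if (offset >= slots.size()) {
            result.outOfBounds = true;
            return result;
        }
        ++result.visited;
    }
    return result;
}
```

The same pattern, an inclusive upper bound derived from `size - 1` on an unsigned type, is worth grepping for in any loop over a possibly empty container.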
1109 2018-11-27  Mark Lam  <mark.lam@apple.com>
1110
1111         ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
1112         https://bugs.webkit.org/show_bug.cgi?id=192018
1113
1114         Reviewed by Saam Barati.
1115
1116         This assertion failed because the regress-191579.js test was specifying
1117         --maxPerThreadStackUsage=400000 i.e. it was running with a stack size that is not
1118         page aligned.  Given that the user can specify any arbitrary stack size, and the
1119         CLoop stack expects to be page aligned, we'll just round up the requested capacity
1120         to the next page alignment.
1121
1122         * interpreter/CLoopStack.cpp:
1123         (JSC::CLoopStack::CLoopStack):
1124
1125 2018-11-27  Mark Lam  <mark.lam@apple.com>
1126
1127         [Re-landing] NaNs read from Wasm code need to be purified.
1128         https://bugs.webkit.org/show_bug.cgi?id=191056
1129         <rdar://problem/45660341>
1130
1131         Reviewed by Filip Pizlo.
1132
1133         * wasm/js/WebAssemblyModuleRecord.cpp:
1134         (JSC::WebAssemblyModuleRecord::link):
1135
1136 2018-11-27  Timothy Hatcher  <timothy@apple.com>
1137
1138         Web Inspector: Add support for forcing color scheme appearance in DOM tree.
1139         https://bugs.webkit.org/show_bug.cgi?id=191820
1140         <rdar://problem/46153172>
1141
1142         Reviewed by Devin Rousso.
1143
1144         * inspector/protocol/Page.json: Added setForcedAppearance.
1145         Also added the defaultAppearanceDidChange event and Appearance enum.
1146
1147 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1148
1149         Unreviewed, rolling out r238509.
1150
1151         Causes JSC tests to fail on iOS.
1152
1153         Reverted changeset:
1154
1155         "NaNs read from Wasm code need to be purified."
1156         https://bugs.webkit.org/show_bug.cgi?id=191056
1157         https://trac.webkit.org/changeset/238509
1158
1159 2018-11-27  Mark Lam  <mark.lam@apple.com>
1160
1161         Introducing a ENABLE_SEPARATED_WX_HEAP macro.
1162         https://bugs.webkit.org/show_bug.cgi?id=192013
1163         <rdar://problem/45494310>
1164
1165         Reviewed by Keith Miller.
1166
1167         This makes the code a little more readable.
1168
1169         I put the definition of ENABLE_SEPARATED_WX_HEAP in JSC's config.h instead of
1170         Platform.h because ENABLE_SEPARATED_WX_HEAP is only needed inside JSC.  Also,
1171         ENABLE_SEPARATED_WX_HEAP depends on ENABLE(FAST_JIT_PERMISSIONS), which is only
1172         defined for JSC.
1173
1174         * config.h:
1175         * jit/ExecutableAllocator.cpp:
1176         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1177         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1178         * jit/ExecutableAllocator.h:
1179         (JSC::performJITMemcpy):
1180         * runtime/Options.cpp:
1181         (JSC::recomputeDependentOptions):
1182
1183 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1184
1185         Re-introduce op_bitnot
1186         https://bugs.webkit.org/show_bug.cgi?id=190923
1187
1188         Reviewed by Yusuke Suzuki.
1189
1190         With the introduction of BigInt as a new type, we can't emit bitwise
1191         not as `x ^ -1` anymore, because this is incompatible with the new type.
1192         Based on that, this patch is adding `op_bitnot` as a new operation
1193         into LLInt, as well as introducing ArithBitNot node into DFG to support
1194         JIT compilation of such opcode. We will use the ValueProfile of this
1195         instruction in the future to generate better code when its operand
1196         is not Int32.
1197
1198         * assembler/MacroAssemblerARM64.h:
1199         (JSC::MacroAssemblerARM64::not32):
1200         * assembler/MacroAssemblerARMv7.h:
1201         (JSC::MacroAssemblerARMv7::not32):
1202         * assembler/MacroAssemblerMIPS.h:
1203         (JSC::MacroAssemblerMIPS::not32):
1204         * bytecode/BytecodeList.rb:
1205         * bytecode/BytecodeUseDef.h:
1206         (JSC::computeUsesForBytecodeOffset):
1207         (JSC::computeDefsForBytecodeOffset):
1208         * bytecode/CodeBlock.cpp:
1209         (JSC::CodeBlock::finishCreation):
1210         * bytecode/Opcode.h:
1211         (JSC::padOpcodeName):
1212         * bytecompiler/BytecodeGenerator.cpp:
1213         (JSC::BytecodeGenerator::emitUnaryOp):
1214         * bytecompiler/NodesCodegen.cpp:
1215         (JSC::UnaryPlusNode::emitBytecode):
1216         (JSC::BitwiseNotNode::emitBytecode): Deleted.
1217         * dfg/DFGAbstractInterpreterInlines.h:
1218         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1219         * dfg/DFGBackwardsPropagationPhase.cpp:
1220         (JSC::DFG::BackwardsPropagationPhase::propagate):
1221         * dfg/DFGByteCodeParser.cpp:
1222         (JSC::DFG::ByteCodeParser::parseBlock):
1223         * dfg/DFGCapabilities.cpp:
1224         (JSC::DFG::capabilityLevel):
1225         * dfg/DFGClobberize.h:
1226         (JSC::DFG::clobberize):
1227         * dfg/DFGDoesGC.cpp:
1228         (JSC::DFG::doesGC):
1229         * dfg/DFGFixupPhase.cpp:
1230         (JSC::DFG::FixupPhase::fixupNode):
1231         * dfg/DFGNodeType.h:
1232         * dfg/DFGOperations.cpp:
1233         * dfg/DFGOperations.h:
1234         * dfg/DFGPredictionPropagationPhase.cpp:
1235         * dfg/DFGSafeToExecute.h:
1236         (JSC::DFG::safeToExecute):
1237         * dfg/DFGSpeculativeJIT.cpp:
1238         (JSC::DFG::SpeculativeJIT::compileBitwiseNot):
1239         * dfg/DFGSpeculativeJIT.h:
1240         * dfg/DFGSpeculativeJIT32_64.cpp:
1241         (JSC::DFG::SpeculativeJIT::compile):
1242         * dfg/DFGSpeculativeJIT64.cpp:
1243         (JSC::DFG::SpeculativeJIT::compile):
1244         * ftl/FTLCapabilities.cpp:
1245         (JSC::FTL::canCompile):
1246         * ftl/FTLLowerDFGToB3.cpp:
1247         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1248         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):
1249         * jit/JIT.cpp:
1250         (JSC::JIT::privateCompileMainPass):
1251         (JSC::JIT::privateCompileSlowCases):
1252         * jit/JIT.h:
1253         * jit/JITArithmetic.cpp:
1254         (JSC::JIT::emit_op_bitnot):
1255         * llint/LowLevelInterpreter32_64.asm:
1256         * llint/LowLevelInterpreter64.asm:
1257         * offlineasm/cloop.rb:
1258         * parser/NodeConstructors.h:
1259         (JSC::BitwiseNotNode::BitwiseNotNode):
1260         * parser/Nodes.h:
1261         * parser/ResultType.h:
1262         (JSC::ResultType::bigIntOrInt32Type):
1263         (JSC::ResultType::forBitOp):
1264         * runtime/CommonSlowPaths.cpp:
1265         (JSC::SLOW_PATH_DECL):
1266         * runtime/CommonSlowPaths.h:
1267
1268 2018-11-26  Saam barati  <sbarati@apple.com>
1269
1270         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1271         https://bugs.webkit.org/show_bug.cgi?id=191956
1272         <rdar://problem/45665806>
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         This is a similar bug to what Keith fixed in r232134. The issue is if we have
1277         a program like this:
1278         
1279         a: JSConstant(jsNumber(0))
1280         b: SetLocal(Int32:@a, loc1, FlushedInt32)
1281         c: ArrayifyToStructure(Cell:@a)
1282         d: Jump(...)
1283         
1284         At the point in the program right after the Jump, a GetLocal for loc1
1285         would return whatever the ArrayifyToStructure resulting type is. This breaks
1286         the invariant that a GetLocal must return a value that is a subtype of its
1287         FlushFormat. InPlaceAbstractState::endBasicBlock will know if a SetLocal is
1288         the final node touching a local slot. If so, it'll see if any nodes later
1289         in the block may have refined the type of the value stored in that slot. If
1290         so, endBasicBlock() further refines the type to ensure that any GetLocals
1291         loading from the same slot will result in having this more refined type.
1292         However, we must ensure that this logic only considers types within the
1293         hierarchy of the variable access data's FlushFormat, otherwise, we may
1294         break the invariant that a GetLocal's type is a subtype of its FlushFormat.
1295
1296         * dfg/DFGInPlaceAbstractState.cpp:
1297         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1298
1299 2018-11-26  Saam barati  <sbarati@apple.com>
1300
1301         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1302         https://bugs.webkit.org/show_bug.cgi?id=191958
1303         <rdar://problem/46221877>
1304
1305         Reviewed by Yusuke Suzuki.
1306
1307         There may be more entries in an activation than unique variables
1308         in a symbol table's hashmap. For example, if you have two parameters
1309         to a function, and they both have the same name, and the function
1310         uses eval, we'll end up with two scope slots, but only a single
1311         entry in the hashmap in the symbol table. Object allocation sinking
1312         phase was previously iterating over the hashmap, assuming these
1313         values were equivalent. This is wrong in the above case. Instead,
1314         we need to iterate over each scope offset.
1315
1316         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1317         * runtime/GenericOffset.h:
1318         (JSC::GenericOffset::operator+=):
1319         (JSC::GenericOffset::operator-=):
1320
1321 2018-11-26  Mark Lam  <mark.lam@apple.com>
1322
1323         NaNs read from Wasm code need to be purified.
1324         https://bugs.webkit.org/show_bug.cgi?id=191056
1325         <rdar://problem/45660341>
1326
1327         Reviewed by Filip Pizlo.
1328
1329         * wasm/js/WebAssemblyModuleRecord.cpp:
1330         (JSC::WebAssemblyModuleRecord::link):
1331
1332 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1333
1334         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1335         https://bugs.webkit.org/show_bug.cgi?id=191716
1336         <rdar://problem/45723878>
1337
1338         Reviewed by Saam Barati.
1339
1340         After https://bugs.webkit.org/show_bug.cgi?id=187373, when updating
1341         jump targets during generatorification, we only stored the new jump
1342         target when it changed. However, the out-of-line jump targets are
1343         cleared at the beginning of the pass, so we need to store it
1344         unconditionally.
1345
1346         * bytecode/PreciseJumpTargetsInlines.h:
1347         (JSC::extractStoredJumpTargetsForInstruction):
1348         (JSC::updateStoredJumpTargetsForInstruction):
1349
1350 2018-11-23  Wenson Hsieh  <wenson_hsieh@apple.com>
1351
1352         Enable drag and drop support for iOSMac
1353         https://bugs.webkit.org/show_bug.cgi?id=191818
1354         <rdar://problem/43907454>
1355
1356         Reviewed by Dean Jackson.
1357
1358         * Configurations/FeatureDefines.xcconfig:
1359
1360 2018-11-22  Mark Lam  <mark.lam@apple.com>
1361
1362         Make the jsc shell's dumpException() more robust against long exception strings.
1363         https://bugs.webkit.org/show_bug.cgi?id=191910
1364         <rdar://problem/46212980>
1365
1366         Reviewed by Michael Saboff.
1367
1368         This only affects the dumping of the exception string in the jsc shell due to
1369         unhandled exceptions or exceptions at shell boot time before any JS code is
1370         running.
1371
1372         * jsc.cpp:
1373         (dumpException):
1374
1375 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1376
1377         [JSC] Drop ARM_TRADITIONAL support in LLInt, baseline JIT, and DFG
1378         https://bugs.webkit.org/show_bug.cgi?id=191675
1379
1380         Reviewed by Mark Lam.
1381
1382         We no longer maintain ARM_TRADITIONAL LLInt and JIT in JSC. This architecture will use
1383         CLoop instead. This patch removes ARM_TRADITIONAL support in LLInt and JIT.
1384
1385         Discussed in https://lists.webkit.org/pipermail/webkit-dev/2018-October/030220.html.
1386
1387         * CMakeLists.txt:
1388         * JavaScriptCore.xcodeproj/project.pbxproj:
1389         * Sources.txt:
1390         * assembler/ARMAssembler.cpp: Removed.
1391         * assembler/ARMAssembler.h: Removed.
1392         * assembler/LinkBuffer.cpp:
1393         (JSC::LinkBuffer::linkCode):
1394         (JSC::LinkBuffer::dumpCode):
1395         * assembler/MacroAssembler.h:
1396         (JSC::MacroAssembler::patchableBranch32):
1397         * assembler/MacroAssemblerARM.cpp: Removed.
1398         * assembler/MacroAssemblerARM.h: Removed.
1399         * assembler/PerfLog.cpp:
1400         * assembler/PerfLog.h:
1401         * assembler/ProbeContext.h:
1402         (JSC::Probe::CPUState::pc):
1403         (JSC::Probe::CPUState::fp):
1404         (JSC::Probe::CPUState::sp):
1405         * assembler/testmasm.cpp:
1406         (JSC::isPC):
1407         (JSC::testProbeModifiesStackPointer):
1408         (JSC::testProbeModifiesStackValues):
1409         * bytecode/InlineAccess.h:
1410         (JSC::InlineAccess::sizeForPropertyAccess):
1411         (JSC::InlineAccess::sizeForPropertyReplace):
1412         (JSC::InlineAccess::sizeForLengthAccess):
1413         * dfg/DFGSpeculativeJIT.h:
1414         * disassembler/CapstoneDisassembler.cpp:
1415         (JSC::tryToDisassemble):
1416         * jit/AssemblyHelpers.cpp:
1417         (JSC::AssemblyHelpers::debugCall):
1418         * jit/AssemblyHelpers.h:
1419         * jit/CCallHelpers.h:
1420         (JSC::CCallHelpers::setupArgumentsImpl):
1421         (JSC::CCallHelpers::prepareForTailCallSlow):
1422         * jit/CallFrameShuffler.cpp:
1423         (JSC::CallFrameShuffler::prepareForTailCall):
1424         * jit/HostCallReturnValue.cpp:
1425         * jit/JITMathIC.h:
1426         (JSC::isProfileEmpty):
1427         * jit/RegisterSet.cpp:
1428         (JSC::RegisterSet::reservedHardwareRegisters):
1429         (JSC::RegisterSet::calleeSaveRegisters):
1430         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1431         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1432         * jit/Repatch.cpp:
1433         (JSC::forceICFailure):
1434         * jit/ThunkGenerators.cpp:
1435         (JSC::nativeForGenerator):
1436         * llint/LLIntOfflineAsmConfig.h:
1437         * llint/LowLevelInterpreter.asm:
1438         * llint/LowLevelInterpreter32_64.asm:
1439         * offlineasm/arm.rb:
1440         * offlineasm/backends.rb:
1441         * yarr/YarrJIT.cpp:
1442         (JSC::Yarr::YarrGenerator::generateEnter):
1443         (JSC::Yarr::YarrGenerator::generateReturn):
1444
1445 2018-11-21  Saam barati  <sbarati@apple.com>
1446
1447         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1448         https://bugs.webkit.org/show_bug.cgi?id=191897
1449         <rdar://problem/45871998>
1450
1451         Reviewed by Mark Lam.
1452
1453         exitOK is a statement about it being legal to exit. mayExit() is about being
1454         conservative and returning false only if an OSR exit *could never* happen.
1455         mayExit() tries to be as smart as possible to see if it can return false.
1456         It can't return false if a runtime exit *could* happen. However, there is
1457         code in the compiler where mayExit() returns false (because it uses data
1458         generated from AI about type checks being proved), but the code we emit in the
1459         compiler backend unconditionally generates an OSR exit, even if that exit may
1460         never execute. For example, let's say we have this IR:
1461         
1462         SomeNode(Boolean:@input)
1463         
1464         And we always emit code like this as a way of emitting a boolean type check:
1465         
1466         jump L1 if input == true
1467         jump L1 if input == false
1468         emit an OSR exit
1469         
1470         In such a program, when we generate the above OSR exit, in a validationEnabled()
1471         build, and if @input is proved to be a boolean, we'll end up crashing because we
1472         have the bogus assertion saying !exitOK. This is one reason why things are cleaner
1473         if we don't conflate mayExit() with exitOK.
1474
1475         * dfg/DFGSpeculativeJIT.cpp:
1476         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1477
1478 2018-11-21  Saam barati  <sbarati@apple.com>
1479
1480         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1481         https://bugs.webkit.org/show_bug.cgi?id=191895
1482         <rdar://problem/46167406>
1483
1484         Reviewed by Mark Lam.
1485
1486         We were asserting that the input edge should have type SpecCell but it should
1487         really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
1488         
1489         This patch cleans up that assertion code by joining a bunch of cases into a
1490         single function call which grabs the type filter for the edge UseKind and
1491         asserts that the incoming edge meets the type filter criteria.
1492
1493         * dfg/DFGSpeculativeJIT.cpp:
1494         (JSC::DFG::SpeculativeJIT::speculate):
1495         * ftl/FTLLowerDFGToB3.cpp:
1496         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1497
1498 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1499
1500         [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4`
1501         https://bugs.webkit.org/show_bug.cgi?id=191877
1502
1503         Reviewed by Sam Weinig.
1504
1505         Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters.
1506
1507         * interpreter/ProtoCallFrame.h:
1508         * llint/LowLevelInterpreter32_64.asm:
1509         * llint/LowLevelInterpreter64.asm:
1510
1511 2018-11-21  Mark Lam  <mark.lam@apple.com>
1512
1513         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1514         https://bugs.webkit.org/show_bug.cgi?id=191776
1515         <rdar://problem/46152851>
1516
1517         Reviewed by Saam Barati.
1518
1519         * wasm/WasmMemory.cpp:
1520         (JSC::Wasm::Memory::tryCreate):
1521         - return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE.
1522           The clients will already do a null check and throw an OutOfMemoryError if needed.
1523         (JSC::Wasm::Memory::grow):
1524         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
1525         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1526         (JSC::constructJSWebAssemblyMemory):
1527         - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
1528
1529 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1530
1531         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1532         https://bugs.webkit.org/show_bug.cgi?id=190836
1533
1534         Reviewed by Saam Barati and Yusuke Suzuki.
1535
1536         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
1537         where we allocate a BigInt trusting the length received as argument.
1538         With this additional method, we now check if length passed to
1539         `JSBigInt::tryCreateWithLength` is not greater than JSBigInt::maxLength.
1540         When the length is greater than JSBigInt::maxLength, we then throw OOM
1541         exception.
1542         This required us to change the interface of some JSBigInt operations to
1543         receive `ExecState*` instead of `VM&`. We changed only operations that
1544         can throw because of OOM.
1545         We believe that this approach of throwing instead of finishing the
1546         execution abruptly is better because JS programs can catch such an
1547         exception and handle this issue properly.
1548
1549         * dfg/DFGOperations.cpp:
1550         * jit/JITOperations.cpp:
1551         * runtime/CommonSlowPaths.cpp:
1552         (JSC::SLOW_PATH_DECL):
1553         * runtime/JSBigInt.cpp:
1554         (JSC::JSBigInt::createZero):
1555         (JSC::JSBigInt::tryCreateWithLength):
1556         (JSC::JSBigInt::createWithLengthUnchecked):
1557         (JSC::JSBigInt::createFrom):
1558         (JSC::JSBigInt::multiply):
1559         (JSC::JSBigInt::divide):
1560         (JSC::JSBigInt::copy):
1561         (JSC::JSBigInt::unaryMinus):
1562         (JSC::JSBigInt::remainder):
1563         (JSC::JSBigInt::add):
1564         (JSC::JSBigInt::sub):
1565         (JSC::JSBigInt::bitwiseAnd):
1566         (JSC::JSBigInt::bitwiseOr):
1567         (JSC::JSBigInt::bitwiseXor):
1568         (JSC::JSBigInt::absoluteAdd):
1569         (JSC::JSBigInt::absoluteSub):
1570         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
1571         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
1572         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
1573         (JSC::JSBigInt::absoluteBitwiseOp):
1574         (JSC::JSBigInt::absoluteAddOne):
1575         (JSC::JSBigInt::absoluteSubOne):
1576         (JSC::JSBigInt::toStringGeneric):
1577         (JSC::JSBigInt::rightTrim):
1578         (JSC::JSBigInt::allocateFor):
1579         (JSC::JSBigInt::createWithLength): Deleted.
1580         * runtime/JSBigInt.h:
1581         * runtime/Operations.cpp:
1582         (JSC::jsAddSlowCase):
1583         * runtime/Operations.h:
1584         (JSC::jsSub):
1585         (JSC::jsMul):
1586
1587 2018-11-20  Mark Lam  <mark.lam@apple.com>
1588
1589         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1590         https://bugs.webkit.org/show_bug.cgi?id=191856
1591         <rdar://problem/46089992>
1592
1593         Reviewed by Yusuke Suzuki.
1594
1595         The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
1596         function is invalid because we can't be sure that the trap has been handled yet
1597         by the time the trap fires.  This is because the main thread may also check traps
1598         (in LLInt, baseline JIT and VM runtime code).  There's a race to handle the trap.
1599         Hence, the SigAction cannot assume that the trap still needs handling by the time
1600         it is executed.  This patch removed the invalid assertion.
1601
1602         Also renamed m_trapSet to m_condition because it is an AutomaticThreadCondition,
1603         and all the ways it is used are as a condvar.  The m_trapSet name doesn't seem
1604         appropriate nor meaningful.
1605
1606         * runtime/VMTraps.cpp:
1607         (JSC::VMTraps::tryInstallTrapBreakpoints):
1608         - Added a !needTrapHandling() check as an optimization: there's no need to install
1609           VMTrap breakpoints if someone already beat us to handling the trap (remember,
1610           the main thread is racing against the VMTraps signalling thread to handle the
1611           trap too).  We only need to install the VMTraps breakpoints if we need DFG/FTL
1612           compiled code to deopt so that they can check and handle pending traps.  If the
1613           trap has already been handled, it's better to not deopt any DFG/FTL functions.
1614
1615         (JSC::VMTraps::willDestroyVM):
1616         (JSC::VMTraps::fireTrap):
1617         (JSC::VMTraps::VMTraps):
1618         * runtime/VMTraps.h:
1619
1620 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1621
1622         Enable JIT on ARM/Linux
1623         https://bugs.webkit.org/show_bug.cgi?id=191548
1624
1625         Reviewed by Yusuke Suzuki.
1626
1627         Enable JIT by default on ARMv7/Linux after it was disabled with
1628         recent bytecode format change.
1629
1630         * bytecode/CodeBlock.cpp:
1631         (JSC::CodeBlock::getICStatusMap):
1632         * bytecode/CodeBlock.h:
1633         (JSC::CodeBlock::metadata):
1634         * bytecode/InByIdStatus.cpp:
1635         (JSC::InByIdStatus::computeFor):
1636         * bytecode/Instruction.h:
1637         (JSC::Instruction::cast):
1638         * bytecode/MetadataTable.h:
1639         (JSC::MetadataTable::forEach):
1640         * bytecode/PutByIdStatus.cpp:
1641         (JSC::PutByIdStatus::computeFor):
1642         (JSC::PutByIdStatus::hasExitSite): Deleted.
1643         * bytecode/PutByIdStatus.h:
1644         * dfg/DFGOSRExit.cpp:
1645         (JSC::DFG::reifyInlinedCallFrames):
1646         * dfg/DFGOSRExitCompilerCommon.cpp:
1647         (JSC::DFG::reifyInlinedCallFrames):
1648         * generator/Argument.rb:
1649         * generator/Opcode.rb:
1650         * jit/GPRInfo.h:
1651         * jit/JIT.h:
1652         * jit/JITArithmetic32_64.cpp:
1653         (JSC::JIT::emit_compareAndJump):
1654         (JSC::JIT::emit_compareUnsignedAndJump):
1655         (JSC::JIT::emit_compareUnsigned):
1656         (JSC::JIT::emit_compareAndJumpSlow):
1657         (JSC::JIT::emit_op_unsigned):
1658         (JSC::JIT::emit_op_inc):
1659         (JSC::JIT::emit_op_dec):
1660         (JSC::JIT::emitBinaryDoubleOp):
1661         (JSC::JIT::emit_op_mod):
1662         (JSC::JIT::emitSlow_op_mod):
1663         * jit/JITCall32_64.cpp:
1664         (JSC::JIT::emitPutCallResult):
1665         (JSC::JIT::emit_op_ret):
1666         (JSC::JIT::emitSlow_op_call):
1667         (JSC::JIT::emitSlow_op_tail_call):
1668         (JSC::JIT::emitSlow_op_call_eval):
1669         (JSC::JIT::emitSlow_op_call_varargs):
1670         (JSC::JIT::emitSlow_op_tail_call_varargs):
1671         (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
1672         (JSC::JIT::emitSlow_op_construct_varargs):
1673         (JSC::JIT::emitSlow_op_construct):
1674         (JSC::JIT::emit_op_call):
1675         (JSC::JIT::emit_op_tail_call):
1676         (JSC::JIT::emit_op_call_eval):
1677         (JSC::JIT::emit_op_call_varargs):
1678         (JSC::JIT::emit_op_tail_call_varargs):
1679         (JSC::JIT::emit_op_tail_call_forward_arguments):
1680         (JSC::JIT::emit_op_construct_varargs):
1681         (JSC::JIT::emit_op_construct):
1682         (JSC::JIT::compileSetupFrame):
1683         (JSC::JIT::compileCallEval):
1684         (JSC::JIT::compileCallEvalSlowCase):
1685         (JSC::JIT::compileOpCall):
1686         (JSC::JIT::compileOpCallSlowCase):
1687         (JSC::JIT::compileSetupVarargsFrame): Deleted.
1688         * jit/JITInlines.h:
1689         (JSC::JIT::updateTopCallFrame):
1690         * jit/JITOpcodes.cpp:
1691         (JSC::JIT::emit_op_catch):
1692         (JSC::JIT::emitSlow_op_loop_hint):
1693         * jit/JITOpcodes32_64.cpp:
1694         (JSC::JIT::emit_op_mov):
1695         (JSC::JIT::emit_op_end):
1696         (JSC::JIT::emit_op_jmp):
1697         (JSC::JIT::emit_op_new_object):
1698         (JSC::JIT::emitSlow_op_new_object):
1699         (JSC::JIT::emit_op_overrides_has_instance):
1700         (JSC::JIT::emit_op_instanceof):
1701         (JSC::JIT::emit_op_instanceof_custom):
1702         (JSC::JIT::emitSlow_op_instanceof):
1703         (JSC::JIT::emitSlow_op_instanceof_custom):
1704         (JSC::JIT::emit_op_is_empty):
1705         (JSC::JIT::emit_op_is_undefined):
1706         (JSC::JIT::emit_op_is_boolean):
1707         (JSC::JIT::emit_op_is_number):
1708         (JSC::JIT::emit_op_is_cell_with_type):
1709         (JSC::JIT::emit_op_is_object):
1710         (JSC::JIT::emit_op_to_primitive):
1711         (JSC::JIT::emit_op_set_function_name):
1712         (JSC::JIT::emit_op_not):
1713         (JSC::JIT::emit_op_jfalse):
1714         (JSC::JIT::emit_op_jtrue):
1715         (JSC::JIT::emit_op_jeq_null):
1716         (JSC::JIT::emit_op_jneq_null):
1717         (JSC::JIT::emit_op_jneq_ptr):
1718         (JSC::JIT::emit_op_eq):
1719         (JSC::JIT::emitSlow_op_eq):
1720         (JSC::JIT::emit_op_jeq):
1721         (JSC::JIT::emitSlow_op_jeq):
1722         (JSC::JIT::emit_op_neq):
1723         (JSC::JIT::emitSlow_op_neq):
1724         (JSC::JIT::emit_op_jneq):
1725         (JSC::JIT::emitSlow_op_jneq):
1726         (JSC::JIT::compileOpStrictEq):
1727         (JSC::JIT::emit_op_stricteq):
1728         (JSC::JIT::emit_op_nstricteq):
1729         (JSC::JIT::compileOpStrictEqJump):
1730         (JSC::JIT::emit_op_jstricteq):
1731         (JSC::JIT::emit_op_jnstricteq):
1732         (JSC::JIT::emitSlow_op_jstricteq):
1733         (JSC::JIT::emitSlow_op_jnstricteq):
1734         (JSC::JIT::emit_op_eq_null):
1735         (JSC::JIT::emit_op_neq_null):
1736         (JSC::JIT::emit_op_throw):
1737         (JSC::JIT::emit_op_to_number):
1738         (JSC::JIT::emit_op_to_string):
1739         (JSC::JIT::emit_op_to_object):
1740         (JSC::JIT::emit_op_catch):
1741         (JSC::JIT::emit_op_identity_with_profile):
1742         (JSC::JIT::emit_op_get_parent_scope):
1743         (JSC::JIT::emit_op_switch_imm):
1744         (JSC::JIT::emit_op_switch_char):
1745         (JSC::JIT::emit_op_switch_string):
1746         (JSC::JIT::emit_op_debug):
1747         (JSC::JIT::emit_op_enter):
1748         (JSC::JIT::emit_op_get_scope):
1749         (JSC::JIT::emit_op_create_this):
1750         (JSC::JIT::emit_op_to_this):
1751         (JSC::JIT::emit_op_check_tdz):
1752         (JSC::JIT::emit_op_has_structure_property):
1753         (JSC::JIT::privateCompileHasIndexedProperty):
1754         (JSC::JIT::emit_op_has_indexed_property):
1755         (JSC::JIT::emitSlow_op_has_indexed_property):
1756         (JSC::JIT::emit_op_get_direct_pname):
1757         (JSC::JIT::emit_op_enumerator_structure_pname):
1758         (JSC::JIT::emit_op_enumerator_generic_pname):
1759         (JSC::JIT::emit_op_profile_type):
1760         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1761         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1762         * jit/JITPropertyAccess32_64.cpp:
1763         (JSC::JIT::emit_op_put_getter_by_id):
1764         (JSC::JIT::emit_op_put_setter_by_id):
1765         (JSC::JIT::emit_op_put_getter_setter_by_id):
1766         (JSC::JIT::emit_op_put_getter_by_val):
1767         (JSC::JIT::emit_op_put_setter_by_val):
1768         (JSC::JIT::emit_op_del_by_id):
1769         (JSC::JIT::emit_op_del_by_val):
1770         (JSC::JIT::emit_op_get_by_val):
1771         (JSC::JIT::emitGetByValWithCachedId):
1772         (JSC::JIT::emitSlow_op_get_by_val):
1773         (JSC::JIT::emit_op_put_by_val_direct):
1774         (JSC::JIT::emit_op_put_by_val):
1775         (JSC::JIT::emitGenericContiguousPutByVal):
1776         (JSC::JIT::emitArrayStoragePutByVal):
1777         (JSC::JIT::emitPutByValWithCachedId):
1778         (JSC::JIT::emitSlow_op_put_by_val):
1779         (JSC::JIT::emit_op_try_get_by_id):
1780         (JSC::JIT::emitSlow_op_try_get_by_id):
1781         (JSC::JIT::emit_op_get_by_id_direct):
1782         (JSC::JIT::emitSlow_op_get_by_id_direct):
1783         (JSC::JIT::emit_op_get_by_id):
1784         (JSC::JIT::emitSlow_op_get_by_id):
1785         (JSC::JIT::emit_op_get_by_id_with_this):
1786         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1787         (JSC::JIT::emit_op_put_by_id):
1788         (JSC::JIT::emitSlow_op_put_by_id):
1789         (JSC::JIT::emit_op_in_by_id):
1790         (JSC::JIT::emitSlow_op_in_by_id):
1791         (JSC::JIT::emit_op_resolve_scope):
1792         (JSC::JIT::emit_op_get_from_scope):
1793         (JSC::JIT::emitSlow_op_get_from_scope):
1794         (JSC::JIT::emit_op_put_to_scope):
1795         (JSC::JIT::emitSlow_op_put_to_scope):
1796         (JSC::JIT::emit_op_get_from_arguments):
1797         (JSC::JIT::emit_op_put_to_arguments):
1798         * jit/RegisterSet.cpp:
1799         (JSC::RegisterSet::vmCalleeSaveRegisters):
1800         * llint/LLIntData.cpp:
1801         (JSC::LLInt::Data::performAssertions):
1802         * llint/LowLevelInterpreter.asm:
1803         * runtime/SamplingProfiler.cpp:
1804         (JSC::tryGetBytecodeIndex):
1805
1806 2018-11-20  Saam barati  <sbarati@apple.com>
1807
1808         Merging an IC variant may lead to the IC status containing overlapping structure sets
1809         https://bugs.webkit.org/show_bug.cgi?id=191869
1810         <rdar://problem/45403453>
1811
1812         Reviewed by Mark Lam.
1813
1814         When merging two IC variant lists, we may end up in a world where we have
1815         overlapping structure sets. We defend against this when we append a new
1816         variant, but we should also defend against it once we merge in a new variant.
1817         
1818         Consider this case with MultiPutByOffset, where we merge two PutByIdStatuses
1819         together, P1 and P2.
1820         
1821         Let's consider these structures:
1822         s1 = {}
1823         s2 = {p: 0}
1824         s3 = {p: 0, p2: 1}
1825         
1826         P1 contains these variants:
1827         Transition: [s1 => s2]
1828         Replace: [s2, s3]
1829         
1830         P2 contains:
1831         Replace: [s2]
1832         
1833         Because of the ordering of the variants, we may end up combining
1834         P2's replace into P1's transition, forming this new list:
1835         Transition: [(s1, s2) => s2]
1836         Replace: [s2, s3]
1837         
1838         Obviously the ideal thing here is to have some ordering when we merge
1839         in variants to choose the most ideal option. It'd be ideal for P2's
1840         Replace to be merged into P1's replace.
1841         
1842         If we notice that this is super important, we can implement some kind
1843         of ordering. None of our tests (until this patch) stress this. This patch
1844         just makes it so we defend against this crazy scenario by falling back
1845         to the slow path gracefully. This prevents us from emitting invalid
1846         IR in FTL->B3 lowering by creating a switch with two case labels being
1847         identical values.
1848
1849         * bytecode/ICStatusUtils.h:
1850         (JSC::appendICStatusVariant):
1851
1852 2018-11-20  Fujii Hironori  <Hironori.Fujii@sony.com>
1853
1854         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1855         https://bugs.webkit.org/show_bug.cgi?id=191626
1856         <rdar://problem/46161064>
1857
1858         Unreviewed adding comment for my change r238366.
1859
1860         * runtime/Structure.h: Added a comment for Structure::create.
1861
1862 2018-11-19  Mark Lam  <mark.lam@apple.com>
1863
1864         globalFuncImportModule() should return a promise when it clears exceptions.
1865         https://bugs.webkit.org/show_bug.cgi?id=191792
1866         <rdar://problem/46090763>
1867
1868         Reviewed by Michael Saboff.
1869
1870         If we're clearing the exceptions in a CatchScope, then it means that we've handled
1871         the exception, and are able to proceed in a normal manner.  Hence, we should not
1872         return the empty JSValue in this case: instead, we should return a Promise as
1873         expected by import's API.
1874
1875         The only time when we can't return a promise is when we fail to create a Promise.
1876         In that case, we should be propagating the exception.
1877
1878         Hence, globalFuncImportModule() contains a ThrowScope (for propagating the
1879         exception that arises from failure to create the Promise) wrapping a CatchScope
1880         (for catching any exception that arises from failure to execute the import).
1881
1882         Also fixed similar issues, and some exception check issues in JSModuleLoader and
1883         the jsc shell.
1884
1885         * jsc.cpp:
1886         (GlobalObject::moduleLoaderImportModule):
1887         (GlobalObject::moduleLoaderFetch):
1888         * runtime/JSGlobalObjectFunctions.cpp:
1889         (JSC::globalFuncImportModule):
1890         * runtime/JSModuleLoader.cpp:
1891         (JSC::JSModuleLoader::loadAndEvaluateModule):
1892         (JSC::JSModuleLoader::loadModule):
1893         (JSC::JSModuleLoader::requestImportModule):
1894         (JSC::JSModuleLoader::importModule):
1895         (JSC::JSModuleLoader::resolve):
1896         (JSC::JSModuleLoader::fetch):
1897         (JSC::moduleLoaderParseModule):
1898         (JSC::moduleLoaderResolveSync):
1899
1900 2018-11-19  Alex Christensen  <achristensen@webkit.org>
1901
1902         Add SPI to disable JIT in a WKWebView
1903         https://bugs.webkit.org/show_bug.cgi?id=191822
1904         <rdar://problem/28119360>
1905
1906         Reviewed by Geoffrey Garen.
1907
1908         * jit/ExecutableAllocator.cpp:
1909         (JSC::jitDisabled):
1910         (JSC::allowJIT):
1911         (JSC::ExecutableAllocator::setJITEnabled):
1912         * jit/ExecutableAllocator.h:
1913         (JSC::ExecutableAllocator::setJITEnabled):
1914
1915 2018-11-19  Fujii Hironori  <Hironori.Fujii@sony.com>
1916
1917         [MSVC] X86Assembler.h(108): error C2666: 'WebCore::operator -': 7 overloads have similar conversions
1918         https://bugs.webkit.org/show_bug.cgi?id=189467
1919         <rdar://problem/44290945>
1920
1921         Reviewed by Mark Lam.
1922
1923         This issue has happened several times. And, it seems that it will
1924         take more time for Microsoft to fix the MSVC bug. We need an
1925         effective workaround not to repeat this issue until they fix MSVC.
1926
1927         Remove ": int8_t" of RegisterID only for COMPILER(MSVC).
1928
1929         * assembler/X86Assembler.h: Added JSC_X86_ASM_REGISTER_ID_ENUM_BASE_TYPE macro.
1930
1931 2018-11-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1932
1933         [WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper
1934         https://bugs.webkit.org/show_bug.cgi?id=190512
1935
1936         Reviewed by Keith Miller.
1937
1938         This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this
1939         check can be done when compiling the function, we should encode the result into the generated wrapper instead of
1940         checking every time we call callWebAssemblyFunction. This change is also one of the steps removing callWebAssemblyFunction
1941         entirely.
1942
1943         * wasm/WasmExceptionType.h:
1944         * wasm/js/JSToWasm.cpp:
1945         (JSC::Wasm::createJSToWasmWrapper):
1946         * wasm/js/WebAssemblyFunction.cpp:
1947         (JSC::callWebAssemblyFunction):
1948         * wasm/js/WebAssemblyWrapperFunction.cpp:
1949         (JSC::callWebAssemblyWrapperFunction):
1950
1951 2018-11-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1952
1953         Consider removing double load for accessing the instructions from LLInt
1954         https://bugs.webkit.org/show_bug.cgi?id=190932
1955
1956         Reviewed by Mark Lam.
1957
1958         Changing InstructionStream to a RefCountedArray-like structure involves so many changes
1959         including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply holds a raw
1960         pointer to the InstructionStream's data. Since InstructionStream is not changed
1961         anymore, this pointer is valid while CodeBlock is live.
1962
1963         * bytecode/CodeBlock.cpp:
1964         (JSC::CodeBlock::CodeBlock):
1965         * bytecode/CodeBlock.h:
1966         * bytecode/InstructionStream.h:
1967         (JSC::InstructionStream::rawPointer const):
1968         * llint/LowLevelInterpreter.asm:
1969         * llint/LowLevelInterpreter32_64.asm:
1970         * llint/LowLevelInterpreter64.asm:
1971
1972 2018-11-18  Fujii Hironori  <Hironori.Fujii@sony.com>
1973
1974         REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h
1975         https://bugs.webkit.org/show_bug.cgi?id=191626
1976
1977         Reviewed by Yusuke Suzuki.
1978
1979         JSC::Structure::create is used everywhere. It should be defined in
1980         Structure.h, not in StructureInlines.h.
1981
1982         * runtime/Structure.h:
1983         (JSC::Structure::create): Moved.
1984         * runtime/StructureInlines.h: Moved JSC::Structure::create.
1985
1986 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1987
1988         Unreviewed, rolling in the rest of r237254
1989         https://bugs.webkit.org/show_bug.cgi?id=190340
1990
1991         * parser/ParserModes.h:
1992         * parser/ParserTokens.h:
1993         (JSC::JSTextPosition::JSTextPosition):
1994         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
1995         * runtime/CodeCache.cpp:
1996         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1997         * runtime/FunctionConstructor.cpp:
1998         (JSC::constructFunctionSkippingEvalEnabledCheck):
1999
2000 2018-11-17  Devin Rousso  <drousso@apple.com>
2001
2002         Web Inspector: Network: add button to show system certificate dialog
2003         https://bugs.webkit.org/show_bug.cgi?id=191458
2004         <rdar://problem/45977019>
2005
2006         Reviewed by Joseph Pecoraro.
2007
2008         * inspector/protocol/Network.json:
2009         Add `getSerializedCertificate` command.
2010
2011 2018-11-17  Dominik Infuehr  <dinfuehr@igalia.com>
2012
2013         Fix build with disabled DFG/FTL
2014         https://bugs.webkit.org/show_bug.cgi?id=191256
2015
2016         Reviewed by Yusuke Suzuki.
2017
2018         Fix compilation errors and warnings with both DFG and FTL
2019         disabled at compile-time.
2020
2021         * bytecode/CodeBlock.cpp:
2022         (JSC::CodeBlock::getICStatusMap):
2023         * bytecode/InByIdStatus.cpp:
2024         (JSC::InByIdStatus::computeFor):
2025         * bytecode/PutByIdStatus.cpp:
2026         (JSC::PutByIdStatus::computeFor):
2027         (JSC::PutByIdStatus::hasExitSite): Deleted.
2028         * bytecode/PutByIdStatus.h:
2029         * jit/JITOpcodes.cpp:
2030         (JSC::JIT::emit_op_catch):
2031
2032 2018-11-16  Joseph Pecoraro  <pecoraro@apple.com>
2033
2034         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Local Inspector)
2035         https://bugs.webkit.org/show_bug.cgi?id=191740
2036         <rdar://problem/45470897>
2037
2038         Reviewed by Timothy Hatcher.
2039
2040         * inspector/InspectorFrontendChannel.h:
2041         Expose EnumTraits for ConnectionType for WebKit IPC messages.
2042
2043 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2044
2045         All users of ArrayBuffer should agree on the same max size
2046         https://bugs.webkit.org/show_bug.cgi?id=191771
2047
2048         Reviewed by Mark Lam.
2049
2050         Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
2051         a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
2052         instead.
2053
2054         * runtime/ArrayBuffer.cpp:
2055         (JSC::ArrayBufferContents::ArrayBufferContents):
2056         (JSC::ArrayBufferContents::tryAllocate):
2057         (JSC::ArrayBufferContents::transferTo):
2058         (JSC::ArrayBufferContents::copyTo):
2059         (JSC::ArrayBufferContents::shareWith):
2060         * runtime/ArrayBuffer.h:
2061         * wasm/WasmMemory.cpp:
2062         (JSC::Wasm::Memory::tryCreate):
2063         (JSC::Wasm::Memory::grow):
2064         * wasm/WasmPageCount.h:
2065
2066 2018-11-16  Saam Barati  <sbarati@apple.com>
2067
2068         KnownCellUse should also have SpecCellCheck as its type filter
2069         https://bugs.webkit.org/show_bug.cgi?id=191729
2070         <rdar://problem/45872852>
2071
2072         Reviewed by Filip Pizlo.
2073
2074         We write transformations in the compiler like this where we emit edges with
2075         KnownCellUse if we know we're inserting code at a point where we're dominated
2076         by a Cell check:
2077         
2078         a: SomeValue
2079         b: Something(Cell:@a)
2080         c: SomethingElse(@b)
2081         d: CheckNotEmpty(@a)
2082         
2083         =>
2084         
2085         a: SomeValue
2086         b: Something(Cell:@a)
2087         e: RandomOtherThing(KnownCellUse:@a)
2088         c: SomethingElse(@b)
2089         d: CheckNotEmpty(@a)
2090         
2091         However, doing this used to lead to subtly incorrect programs since KnownCellUse
2092         did not allow the empty value to flow through it. We used to end up incorrectly
2093         deleting @d in the above program. We fix this by making KnownCellUse allow the empty
2094         value to flow through.
2095
2096         * dfg/DFGUseKind.h:
2097         (JSC::DFG::typeFilterFor):
2098
2099 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2100
2101         Fix assertion failure on BytecodeGenerator::recordOpcode
2102         https://bugs.webkit.org/show_bug.cgi?id=191724
2103         <rdar://problem/45724395>
2104
2105         Reviewed by Saam Barati.
2106
2107         Since https://bugs.webkit.org/show_bug.cgi?id=187373, we were not
2108         restoring m_lastInstruction after patching the bytecode when
2109         finalizing StructureForInContexts, only m_lastOpcodeID, which led to
2110         the assertion failure.
2111
2112         * bytecompiler/BytecodeGenerator.cpp:
2113         (JSC::StructureForInContext::finalize):
2114
2115 2018-11-15  Mark Lam  <mark.lam@apple.com>
2116
2117         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2118         https://bugs.webkit.org/show_bug.cgi?id=191730
2119         <rdar://problem/46048517>
2120
2121         Reviewed by Saam Barati.
2122
2123         According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
2124         the RegExp match results are filled in using the spec's CreateDataProperty()
2125         function which does not consult the prototype for setters.  JSArray::push()
2126         consults the prototype for setters.  We should be using putDirectIndex() instead.
2127
2128         * runtime/RegExpObjectInlines.h:
2129         (JSC::collectMatches):
2130
2131 2018-11-15  Mark Lam  <mark.lam@apple.com>
2132
2133         RegExp operations should not take the fast path if lastIndex is not numeric.
2134         https://bugs.webkit.org/show_bug.cgi?id=191731
2135         <rdar://problem/46017305>
2136
2137         Reviewed by Saam Barati.
2138
2139         This is because if lastIndex is an object with a valueOf() method, it can execute
2140         arbitrary code which may have side effects, and side effects are not permitted by
2141         the RegExp fast paths.
2142
2143         * builtins/RegExpPrototype.js:
2144         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2145         (overriddenName.string_appeared_here.search):
2146         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2147         (intrinsic.RegExpTestIntrinsic.test):
2148         * builtins/StringPrototype.js:
2149         (globalPrivate.hasObservableSideEffectsForStringReplace):
2150
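        Added example for the two RegExp entries above (collectMatches filling results
        with putDirectIndex rather than JSArray::push, and the fast path refusing a
        non-numeric lastIndex). This is illustrative JavaScript written for this page,
        not JavaScriptCore code. It assumes a current Node.js engine that implements
        RegExp.prototype[@@match] and RegExpBuiltinExec per ECMA-262. The names
        withArrayIndexSetter, fillWithPush, fillWithDefineOwn,
        lastIndexValueOfIsObservable and isFastPathSafe are chosen here;
        isFastPathSafe is a hypothetical model of an eligibility check, not JSC's
        actual hasObservableSideEffectsForRegExpMatch logic.

```javascript
'use strict';
// Added example, not JSC code. Part 1 models filling a match-result array with
// JSArray::push ([[Set]], which consults prototype setters) versus putDirectIndex
// (CreateDataProperty, which defines an own property and consults nothing).
// Part 2 shows that a non-numeric lastIndex lets user code run inside a builtin.

// Install a setter for index "0" on Array.prototype, run fn, then remove it.
// The setter re-defines the property on the receiver so arrays keep working
// while the hook is present; only the call count matters here.
function withArrayIndexSetter(fn) {
  let setterCalls = 0;
  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    set(value) {
      setterCalls += 1;
      Object.defineProperty(this, '0', { value, writable: true, enumerable: true, configurable: true });
    },
  });
  try {
    const result = fn();
    return { result, setterCalls };
  } finally {
    delete Array.prototype['0'];
  }
}

// Model of JSArray::push: ordinary [[Set]], which walks the prototype chain.
function fillWithPush(items) {
  const out = [];
  for (const item of items) out.push(item);
  return out;
}

// Model of putDirectIndex / CreateDataProperty: [[DefineOwnProperty]] on the array itself.
function fillWithDefineOwn(items) {
  const out = [];
  items.forEach((item, i) => {
    Object.defineProperty(out, i, { value: item, writable: true, enumerable: true, configurable: true });
  });
  return out;
}

// Part 2: an object-valued lastIndex is converted with ToLength inside
// RegExpBuiltinExec, so its valueOf runs in the middle of the builtin.
function lastIndexValueOfIsObservable() {
  const re = /b/g;
  let valueOfCalls = 0;
  re.lastIndex = { valueOf() { valueOfCalls += 1; return 0; } };
  const matched = re.test('abc');
  return { matched, valueOfCalls, lastIndexAfter: re.lastIndex };
}

// Hypothetical eligibility check in the spirit of hasObservableSideEffectsFor*
// (a model for this page, not JSC's list of checks): take a side-effect-free
// fast path only when nothing user-visible can run during the operation.
const originalExec = RegExp.prototype.exec;
function isFastPathSafe(re) {
  if (!(re instanceof RegExp)) return false;
  if (typeof re.lastIndex !== 'number') return false;                 // valueOf/toString could run
  if (Object.prototype.hasOwnProperty.call(re, 'exec')) return false;  // own exec override
  if (RegExp.prototype.exec !== originalExec) return false;            // exec monkey-patched
  return true;
}
```

        Run with node: the push-based fill hits the prototype setter once, the
        define-own fill and the engine's own String.prototype.match do not, and the
        object-valued lastIndex shows valueOf executing inside re.test, which is
        why a fast path that assumes no side effects must bail out for it.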
2151 2018-11-15  Keith Rollin  <krollin@apple.com>
2152
2153         Delete old .xcfilelist files
2154         https://bugs.webkit.org/show_bug.cgi?id=191669
2155         <rdar://problem/46081994>
2156
2157         Reviewed by Chris Dumez.
2158
2159         .xcfilelist files were created and added to the Xcode project files in
2160         https://trac.webkit.org/changeset/238008/webkit. However, they caused
2161         build issues and they were removed from the Xcode projects in
2162         https://trac.webkit.org/changeset/238055/webkit. This check-in removes
2163         the files from the repository altogether. They'll ultimately be
2164         replaced with new files with names that indicate whether the
2165         associated files are inputs to the Run Script phase or are files
2166         created by the Run Script phase.
2167
2168         * DerivedSources.xcfilelist: Removed.
2169         * UnifiedSources.xcfilelist: Removed.
2170
2171 2018-11-14  Keith Rollin  <krollin@apple.com>
2172
2173         Move scripts for Derived and Unified Sources to external files
2174         https://bugs.webkit.org/show_bug.cgi?id=191670
2175         <rdar://problem/46082278>
2176
2177         Reviewed by Keith Miller.
2178
2179         Move the scripts in the Generate Derived Sources and Generate Unified
2180         Sources Run Script phases from the Xcode projects to external shell
2181         script files. Then invoke those scripts from the Run Script phases.
2182         This refactoring is being performed to support later work that will
2183         invoke these scripts in other contexts.
2184
2185         The scripts were maintained as-is when making the move. I did a little
2186         reformatting and added 'set -e' to the top of each file, but that's
2187         it.
2188
2189         * JavaScriptCore.xcodeproj/project.pbxproj:
2190         * Scripts/generate-derived-sources.sh: Added.
2191         * Scripts/generate-unified-sources.sh: Added.
2192
2193 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2194
2195         Web Inspector: Pass Inspector::FrontendChannel as a reference connect/disconnect methods
2196         https://bugs.webkit.org/show_bug.cgi?id=191612
2197
2198         Reviewed by Matt Baker.
2199
2200         * inspector/InspectorFrontendRouter.cpp:
2201         (Inspector::FrontendRouter::connectFrontend):
2202         (Inspector::FrontendRouter::disconnectFrontend):
2203         * inspector/InspectorFrontendRouter.h:
2204         * inspector/JSGlobalObjectInspectorController.cpp:
2205         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2206         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2207         * inspector/JSGlobalObjectInspectorController.h:
2208         * inspector/remote/RemoteControllableTarget.h:
2209         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
2210         (Inspector::RemoteConnectionToTarget::setup):
2211         (Inspector::RemoteConnectionToTarget::close):
2212         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
2213         (Inspector::RemoteConnectionToTarget::setup):
2214         (Inspector::RemoteConnectionToTarget::close):
2215         * runtime/JSGlobalObjectDebuggable.cpp:
2216         (JSC::JSGlobalObjectDebuggable::connect):
2217         (JSC::JSGlobalObjectDebuggable::disconnect):
2218         * runtime/JSGlobalObjectDebuggable.h:
2219
2220 2018-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2221
2222         Web Inspector: Keep Web Inspector window alive across process swaps (PSON) (Remote Inspector)
2223         https://bugs.webkit.org/show_bug.cgi?id=191494
2224         <rdar://problem/45469854>
2225
2226         Reviewed by Devin Rousso.
2227
2228         * CMakeLists.txt:
2229         * DerivedSources.make:
2230         * JavaScriptCore.xcodeproj/project.pbxproj:
2231         * Sources.txt:
2232         New domain and resources.
2233
2234         * inspector/protocol/Target.json: Added.
2235         New protocol domain, modeled after Worker.json, to allow for
2236         multiplexing between different targets.
2237
2238         * inspector/InspectorTarget.h:
2239         Each target will instantiate an InspectorTarget and must
2240         provide an identifier, type, and means of connecting/disconnecting
2241         to a frontend channel.
2242
2243         * inspector/agents/InspectorTargetAgent.cpp: Added.
2244         (Inspector::InspectorTargetAgent::InspectorTargetAgent):
2245         (Inspector::InspectorTargetAgent::didCreateFrontendAndBackend):
2246         (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend):
2247         (Inspector::InspectorTargetAgent::exists):
2248         (Inspector::InspectorTargetAgent::initialized):
2249         (Inspector::InspectorTargetAgent::sendMessageToTarget):
2250         (Inspector::InspectorTargetAgent::sendMessageFromTargetToFrontend):
2251         (Inspector::targetTypeToProtocolType):
2252         (Inspector::buildTargetInfoObject):
2253         (Inspector::InspectorTargetAgent::targetCreated):
2254         (Inspector::InspectorTargetAgent::targetTerminated):
2255         (Inspector::InspectorTargetAgent::connectToTargets):
2256         (Inspector::InspectorTargetAgent::disconnectFromTargets):
2257         * inspector/agents/InspectorTargetAgent.h: Added.
2258         TargetAgent holds a list of targets, and connects/disconnects to each
2259         of the targets when a frontend connects/disconnects.
2260
2261         * inspector/scripts/codegen/generator.py:
2262         Better enum casing of ServiceWorker.
2263
2264 2018-11-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2265
2266         Unreviewed, rolling in CodeCache in r237254
2267         https://bugs.webkit.org/show_bug.cgi?id=190340
2268
2269         Land the CodeCache part without adding an additional hash value.
2270
2271         * bytecode/UnlinkedFunctionExecutable.cpp:
2272         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2273         * bytecode/UnlinkedFunctionExecutable.h:
2274         * parser/SourceCodeKey.h:
2275         (JSC::SourceCodeKey::SourceCodeKey):
2276         (JSC::SourceCodeKey::operator== const):
2277         * runtime/CodeCache.cpp:
2278         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2279         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2280         * runtime/CodeCache.h:
2281         * runtime/FunctionConstructor.cpp:
2282         (JSC::constructFunctionSkippingEvalEnabledCheck):
2283         * runtime/FunctionExecutable.cpp:
2284         (JSC::FunctionExecutable::fromGlobalCode):
2285         * runtime/FunctionExecutable.h:
2286
2287 2018-11-13  Saam Barati  <sbarati@apple.com>
2288
2289         ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception
2290         https://bugs.webkit.org/show_bug.cgi?id=191601
2291
2292         Reviewed by Mark Lam.
2293
2294         This doesn't fix any bugs today, but it may reduce future bugs. It was
2295         always weird that ProxyObject::getOwnPropertySlot with VMInquiry might
2296         throw a stack overflow error instead of just returning false like it
2297         normally does when VMInquiry is passed in.
2298
2299         * runtime/ProxyObject.cpp:
2300         (JSC::ProxyObject::getOwnPropertySlotCommon):
2301
2302 2018-11-13  Saam Barati  <sbarati@apple.com>
2303
2304         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2305         https://bugs.webkit.org/show_bug.cgi?id=191600
2306
2307         Reviewed by Mark Lam.
2308
2309         processLogEntries will call into calculatedClassName, which will clear
2310         any exceptions it encounters (it assumes that they're stack overflow exceptions).
2311         However, this code may be called when an exception is already pending on the
2312         VM (e.g., when we throw an exception in the DFG, we compile an OSR exit
2313         offramp, which may compile a baseline codeblock, which will process
2314         the type profiler log). To get around this, processLogEntries should stash
2315         away and re-apply any pending exceptions.
2316
2317         * dfg/DFGDriver.cpp:
2318         (JSC::DFG::compileImpl):
2319         * dfg/DFGOperations.cpp:
2320         * inspector/agents/InspectorRuntimeAgent.cpp:
2321         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2322         * jit/JIT.cpp:
2323         (JSC::JIT::doMainThreadPreparationBeforeCompile):
2324         * jit/JITOperations.cpp:
2325         * runtime/CommonSlowPaths.cpp:
2326         (JSC::SLOW_PATH_DECL):
2327         * runtime/TypeProfilerLog.cpp:
2328         (JSC::TypeProfilerLog::processLogEntries):
2329         * runtime/TypeProfilerLog.h:
2330         * runtime/VM.cpp:
2331         (JSC::VM::dumpTypeProfilerData):
2332         * runtime/VM.h:
2333         (JSC::VM::DeferExceptionScope::DeferExceptionScope):
2334         * tools/JSDollarVM.cpp:
2335         (JSC::functionFindTypeForExpression):
2336         (JSC::functionReturnTypeFor):
2337
2338 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2339
2340         Unreviewed, rolling out r238132.
2341
2342         The test added with this change is timing out on Debug JSC
2343         bots.
2344
2345         Reverted changeset:
2346
2347         "[BigInt] JSBigInt::createWithLength should throw when length
2348         is greater than JSBigInt::maxLength"
2349         https://bugs.webkit.org/show_bug.cgi?id=190836
2350         https://trac.webkit.org/changeset/238132
2351
2352 2018-11-12  Mark Lam  <mark.lam@apple.com>
2353
2354         Add OOM detection to StringPrototype's substituteBackreferences().
2355         https://bugs.webkit.org/show_bug.cgi?id=191563
2356         <rdar://problem/45720428>
2357
2358         Reviewed by Saam Barati.
2359
2360         * dfg/DFGStrengthReductionPhase.cpp:
2361         (JSC::DFG::StrengthReductionPhase::handleNode):
2362         * runtime/StringPrototype.cpp:
2363         (JSC::substituteBackreferencesSlow):
2364         (JSC::substituteBackreferencesInline):
2365         (JSC::substituteBackreferences):
2366         (JSC::replaceUsingRegExpSearch):
2367         (JSC::replaceUsingStringSearch):
2368         * runtime/StringPrototype.h:
2369
2370 2018-11-13  Mark Lam  <mark.lam@apple.com>
2371
2372         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2373         https://bugs.webkit.org/show_bug.cgi?id=191579
2374         <rdar://problem/45942472>
2375
2376         Reviewed by Saam Barati.
2377
2378         Both of these functions do a lot of work.  It would be good for the topCallFrame
2379         to be correct should we need to throw an exception.
2380
2381         For example, we've observed the following crash trace:
2382
2383           * frame #0: WTFCrash() at Assertions.cpp:253
2384             frame #1: ...
2385             frame #2: JSC::StructureIDTable::get(this=0x00006040000162f0, structureID=1874583248) at StructureIDTable.h:129
2386             frame #3: JSC::VM::getStructure(this=0x0000604000016210, id=4022066896) at VM.h:705
2387             frame #4: JSC::JSCell::structure(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:125
2388             frame #5: JSC::JSCell::classInfo(this=0x00007ffeefbbde30, vm=0x0000604000016210) const at JSCellInlines.h:335
2389             frame #6: JSC::JSCell::inherits(this=0x00007ffeefbbde30, vm=0x0000604000016210, info=0x0000000105eaf020) const at JSCellInlines.h:302
2390             frame #7: JSC::JSObject* JSC::jsCast<JSC::JSObject*, JSC::JSCell>(from=0x00007ffeefbbde30) at JSCast.h:36
2391             frame #8: JSC::asObject(cell=0x00007ffeefbbde30) at JSObject.h:1299
2392             frame #9: JSC::asObject(value=JSValue @ 0x00007ffeefbba380) at JSObject.h:1304
2393             frame #10: JSC::Register::object(this=0x00007ffeefbbdd58) const at JSObject.h:1514
2394             frame #11: JSC::ExecState::jsCallee(this=0x00007ffeefbbdd40) const at CallFrame.h:107
2395             frame #12: JSC::ExecState::isStackOverflowFrame(this=0x00007ffeefbbdd40) const at CallFrameInlines.h:36
2396             frame #13: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:52
2397             frame #14: JSC::StackVisitor::StackVisitor(this=0x00007ffeefbba860, startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800) at StackVisitor.cpp:41
2398             frame #15: void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long, unsigned long)::$_3>(startFrame=0x00007ffeefbbdd40, vm=0x0000631000000800, functor=0x00007ffeefbbaa60)::$_3 const&) at StackVisitor.h:147
2399             frame #16: JSC::Interpreter::getStackTrace(this=0x0000602000005db0, owner=0x000062d00020cbe0, results=0x00006020000249d0, framesToSkip=0, maxStackSize=1) at Interpreter.cpp:437
2400             frame #17: JSC::getStackTrace(exec=0x000062d00002c048, vm=0x0000631000000800, obj=0x000062d00020cbe0, useCurrentFrame=true) at Error.cpp:170
2401             frame #18: JSC::ErrorInstance::finishCreation(this=0x000062d00020cbe0, exec=0x000062d00002c048, vm=0x0000631000000800, message=0x00007ffeefbbb800, useCurrentFrame=true) at ErrorInstance.cpp:119
2402             frame #19: JSC::ErrorInstance::create(exec=0x000062d00002c048, vm=0x0000631000000800, structure=0x000062d0000f5730, message=0x00007ffeefbbb800, appender=0x0000000000000000, type=TypeNothing, useCurrentFrame=true)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) at ErrorInstance.h:49
2403             frame #20: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800, appender=0x0000000000000000)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) at Error.cpp:68
2404             frame #21: JSC::createRangeError(exec=0x000062d00002c048, globalObject=0x000062d00002c000, message=0x00007ffeefbbb800) at Error.cpp:316
2405             frame #22: JSC::createStackOverflowError(exec=0x000062d00002c048, globalObject=0x000062d00002c000) at ExceptionHelpers.cpp:77
2406             frame #23: JSC::createStackOverflowError(exec=0x000062d00002c048) at ExceptionHelpers.cpp:72
2407             frame #24: JSC::throwStackOverflowError(exec=0x000062d00002c048, scope=0x00007ffeefbbbaa0) at ExceptionHelpers.cpp:335
2408             frame #25: JSC::ProxyObject::getOwnPropertySlotCommon(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbba80, slot=0x00007ffeefbbc720) at ProxyObject.cpp:372
2409             frame #26: JSC::ProxyObject::getOwnPropertySlot(object=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbd40, slot=0x00007ffeefbbc720) at ProxyObject.cpp:395
2410             frame #27: JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbbea0, slot=0x00007ffeefbbc720) at JSObjectInlines.h:150
2411             frame #28: bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000200e40, exec=0x000062d00002c048, propertyName=PropertyName @ 0x00007ffeefbbc320, slot=0x00007ffeefbbc720) at JSObject.h:1424
2412             frame #29: JSC::JSObject::calculatedClassName(object=0x000062d000200e40) at JSObject.cpp:535
2413             frame #30: JSC::Structure::toStructureShape(this=0x000062d000007410, value=JSValue @ 0x00007ffeefbbcae0, sawPolyProtoStructure=0x00007ffeefbbcf60) at Structure.cpp:1142
2414             frame #31: JSC::TypeProfilerLog::processLogEntries(this=0x000060400000a950, reason=0x00007ffeefbbd5c0) at TypeProfilerLog.cpp:89
2415             frame #32: JSC::JIT::doMainThreadPreparationBeforeCompile(this=0x0000619000034da0) at JIT.cpp:951
2416             frame #33: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:43
2417             frame #34: JSC::JITWorklist::Plan::Plan(this=0x0000619000034d80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:42
2418             frame #35: JSC::JITWorklist::compileLater(this=0x0000616000001b80, codeBlock=0x000062d0001d88c0, loopOSREntryBytecodeOffset=0) at JITWorklist.cpp:256
2419             frame #36: JSC::LLInt::jitCompileAndSetHeuristics(codeBlock=0x000062d0001d88c0, exec=0x00007ffeefbbde30, loopOSREntryBytecodeOffset=0) at LLIntSlowPaths.cpp:391
2420             frame #37: llint_replace(exec=0x00007ffeefbbde30, pc=0x00006040000161ba) at LLIntSlowPaths.cpp:516
2421             frame #38: llint_entry at LowLevelInterpreter64.asm:98
2422             frame #39: vmEntryToJavaScript at LowLevelInterpreter64.asm:296
2423             ...
2424
2425         This crash occurred because StackVisitor was seeing an invalid topCallFrame while
2426         trying to capture the Error stack while throwing a StackOverflowError below
2427         llint_replace.  While in this specific example, it is questionable whether we
2428         should be executing JS code below TypeProfilerLog::processLogEntries(), it is
2429         correct to have set the topCallFrame in llint_replace.  We do this by calling
2430         LLINT_BEGIN_NO_SET_PC() at the top of llint_replace.
2431
2432         We also do the same for llint_osr.
2433
2434         Note: both of these LLInt slow path functions are called with a fully initialized
2435         CallFrame.  Hence, there's no issue with setting topCallFrame to their CallFrames
2436         for these functions.
2437
2438         * llint/LLIntSlowPaths.cpp:
2439         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2440
2441 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2442
2443         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2444         https://bugs.webkit.org/show_bug.cgi?id=190836
2445
2446         Reviewed by Saam Barati.
2447
2448         In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
2449         where we allocate a BigInt trusting the length received as argument.
2450         With this additional method, we now check if length passed to
2451         `JSBigInt::createWithLength` is not greater than JSBigInt::maxLength.
2452         When the length is greater than maxLength, we then throw OOM
2453         exception.
2454         This required changing the interface of some JSBigInt operations to
2455         receive `ExecState*` instead of `VM&`. We changed only operations that
2456         can throw because of OOM.
2457         We believe that this approach of throwing instead of finishing the
2458         execution abruptly is better because JS programs can catch such
2459         exceptions and handle this issue properly.
2460
2461         * dfg/DFGOperations.cpp:
2462         * jit/JITOperations.cpp:
2463         * runtime/CommonSlowPaths.cpp:
2464         (JSC::SLOW_PATH_DECL):
2465         * runtime/JSBigInt.cpp:
2466         (JSC::JSBigInt::createZero):
2467         (JSC::JSBigInt::tryCreateWithLength):
2468         (JSC::JSBigInt::createWithLengthUnchecked):
2469         (JSC::JSBigInt::createFrom):
2470         (JSC::JSBigInt::multiply):
2471         (JSC::JSBigInt::divide):
2472         (JSC::JSBigInt::copy):
2473         (JSC::JSBigInt::unaryMinus):
2474         (JSC::JSBigInt::remainder):
2475         (JSC::JSBigInt::add):
2476         (JSC::JSBigInt::sub):
2477         (JSC::JSBigInt::bitwiseAnd):
2478         (JSC::JSBigInt::bitwiseOr):
2479         (JSC::JSBigInt::bitwiseXor):
2480         (JSC::JSBigInt::absoluteAdd):
2481         (JSC::JSBigInt::absoluteSub):
2482         (JSC::JSBigInt::absoluteDivWithDigitDivisor):
2483         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2484         (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
2485         (JSC::JSBigInt::absoluteBitwiseOp):
2486         (JSC::JSBigInt::absoluteAddOne):
2487         (JSC::JSBigInt::absoluteSubOne):
2488         (JSC::JSBigInt::toStringGeneric):
2489         (JSC::JSBigInt::rightTrim):
2490         (JSC::JSBigInt::allocateFor):
2491         (JSC::JSBigInt::createWithLength): Deleted.
2492         * runtime/JSBigInt.h:
2493         * runtime/Operations.cpp:
2494         (JSC::jsAddSlowCase):
2495         * runtime/Operations.h:
2496         (JSC::jsSub):
2497         (JSC::jsMul):
2498
2499 2018-11-12  Devin Rousso  <drousso@apple.com>
2500
2501         Web Inspector: Network: show secure certificate details per-request
2502         https://bugs.webkit.org/show_bug.cgi?id=191447
2503         <rdar://problem/30019476>
2504
2505         Reviewed by Joseph Pecoraro.
2506
2507         Add Security domain to hold security related protocol types.
2508
2509         * CMakeLists.txt:
2510         * DerivedSources.make:
2511         * inspector/protocol/Network.json:
2512         * inspector/protocol/Security.json: Added.
2513         * inspector/scripts/codegen/objc_generator.py:
2514         (ObjCGenerator):
2515
2516 2018-11-12  Saam barati  <sbarati@apple.com>
2517
2518         Unreviewed. Rollout 238026: It caused ~8% JetStream 2 regressions on some iOS devices
2519         https://bugs.webkit.org/show_bug.cgi?id=191555
2520
2521         * bytecode/UnlinkedFunctionExecutable.cpp:
2522         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2523         * bytecode/UnlinkedFunctionExecutable.h:
2524         * parser/SourceCodeKey.h:
2525         (JSC::SourceCodeKey::SourceCodeKey):
2526         (JSC::SourceCodeKey::operator== const):
2527         * runtime/CodeCache.cpp:
2528         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2529         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2530         * runtime/CodeCache.h:
2531         * runtime/FunctionConstructor.cpp:
2532         (JSC::constructFunctionSkippingEvalEnabledCheck):
2533         * runtime/FunctionExecutable.cpp:
2534         (JSC::FunctionExecutable::fromGlobalCode):
2535         * runtime/FunctionExecutable.h:
2536
2537 2018-11-11  Benjamin Poulain  <benjamin@webkit.org>
2538
2539         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
2540         https://bugs.webkit.org/show_bug.cgi?id=191492
2541
2542         Reviewed by Alex Christensen.
2543
2544         Rename file.
2545
2546         * API/JSValue.mm:
2547
2548 2018-11-10  Benjamin Poulain  <benjamin@webkit.org>
2549
2550         Fix a fixme: rename wtfObjcMsgSend to wtfObjCMsgSend
2551         https://bugs.webkit.org/show_bug.cgi?id=191492
2552
2553         Reviewed by Alex Christensen.
2554
2555         * API/JSValue.mm:
2556
2557 2018-11-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2558
2559         Unreviewed, silence -Wunused-variable warning
2560
2561         * bytecode/Opcode.h:
2562         (JSC::padOpcodeName):
2563
2564 2018-11-09  Keith Rollin  <krollin@apple.com>
2565
2566         Unreviewed build fix after https://bugs.webkit.org/show_bug.cgi?id=191324
2567
2568         Remove the use of .xcfilelists until their side-effects are better
2569         understood.
2570
2571         * JavaScriptCore.xcodeproj/project.pbxproj:
2572
2573 2018-11-09  Keith Miller  <keith_miller@apple.com>
2574
2575         LLInt VectorSizeOffset should be based on offset extraction
2576         https://bugs.webkit.org/show_bug.cgi?id=191468
2577
2578         Reviewed by Yusuke Suzuki.
2579
2580         This patch also adds some usings to LLIntOffsetsExtractor that
2581         make it possible to use the bare names of Vector/RefCountedArray
2582         in offsets extraction.
2583
2584         * llint/LLIntOffsetsExtractor.cpp:
2585         * llint/LowLevelInterpreter.asm:
2586
2587 2018-11-09  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2588
2589         Unreviewed, rolling in CodeCache in r237254
2590         https://bugs.webkit.org/show_bug.cgi?id=190340
2591
2592         Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash.
2593
2594         * bytecode/UnlinkedFunctionExecutable.cpp:
2595         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2596         * bytecode/UnlinkedFunctionExecutable.h:
2597         * parser/SourceCodeKey.h:
2598         (JSC::SourceCodeKey::SourceCodeKey):
2599         (JSC::SourceCodeKey::operator== const):
2600         * runtime/CodeCache.cpp:
2601         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2602         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2603         * runtime/CodeCache.h:
2604         * runtime/FunctionConstructor.cpp:
2605         (JSC::constructFunctionSkippingEvalEnabledCheck):
2606         * runtime/FunctionExecutable.cpp:
2607         (JSC::FunctionExecutable::fromGlobalCode):
2608         * runtime/FunctionExecutable.h:
2609
2610 2018-11-08  Keith Miller  <keith_miller@apple.com>
2611
2612         put_by_val opcodes need to add the number tag as a 64-bit register
2613         https://bugs.webkit.org/show_bug.cgi?id=191456
2614
2615         Reviewed by Saam Barati.
2616
2617         Previously the LLInt would add it as a pointer sized value. That is
2618         wrong if the pointer size is less than 64 bits.
2619
2620         * llint/LowLevelInterpreter64.asm:
2621
2622 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2623
2624         [JSC] isStrWhiteSpace seems redundant with Lexer<UChar>::isWhiteSpace
2625         https://bugs.webkit.org/show_bug.cgi?id=191439
2626
2627         Reviewed by Saam Barati.
2628
2629         * CMakeLists.txt:
2630         * runtime/ParseInt.h:
2631         (JSC::isStrWhiteSpace):
2632         Define isStrWhiteSpace in terms of isWhiteSpace and isLineTerminator.
2633
2634 2018-11-08  Michael Saboff  <msaboff@apple.com>
2635
2636         Options::useRegExpJIT() should use jitEnabledByDefault() just like useJIT()
2637         https://bugs.webkit.org/show_bug.cgi?id=191444
2638
2639         Reviewed by Saam Barati.
2640
2641         * runtime/Options.h:
2642
2643 2018-11-08  Fujii Hironori  <Hironori.Fujii@sony.com>
2644
2645         [Win] UDis86Disassembler.cpp: warning: format specifies type 'unsigned long' but the argument has type 'uintptr_t' (aka 'unsigned long long')
2646         https://bugs.webkit.org/show_bug.cgi?id=191416
2647
2648         Reviewed by Saam Barati.
2649
2650         * disassembler/UDis86Disassembler.cpp:
2651         (JSC::tryToDisassembleWithUDis86): Use PRIxPTR for uintptr_t.
2652
2653 2018-11-08  Keith Rollin  <krollin@apple.com>
2654
2655         Create .xcfilelist files
2656         https://bugs.webkit.org/show_bug.cgi?id=191324
2657         <rdar://problem/45852819>
2658
2659         Reviewed by Alex Christensen.
2660
2661         As part of preparing for enabling XCBuild, create and use .xcfilelist
2662         files. These files are used during Run Script build phases in an
2663         Xcode project. If a Run Script build phase produces new files that are
2664         used later as inputs to subsequent build phases, XCBuild needs to know
2665         about these files. These files can be either specified in an "output
2666         files" section of the Run Script phase editor, or in .xcfilelist files
2667         that are associated with the Run Script build phase.
2668
2669         This patch takes the second approach. It consists of three sets of changes:
2670
2671         - Modify the DerivedSources.make files to have a
2672           'print_all_generated_files' target that produces a list of the files
2673           they create.
2674
2675         - Create a shell script that produces .xcfilelist files from the
2676           output of the previous step, as well as for the files created in the
2677           Generate Unified Sources build steps.
2678
2679         - Add the new .xcfilelist files to the associated projects.
2680
2681         Note that, with these changes, the Xcode workspace and projects can no
2682         longer be fully loaded into Xcode 9. Xcode will attempt to load the
2683         projects that have .xcfilelist files associated with them, but will
2684         fail and display a placeholder for those projects instead. It's
2685         expected that all developers are using Xcode 10 by now and that not
2686         being able to load into Xcode 9 is not a practical issue. Keep in mind
2687         that this is strictly an IDE issue, and that the projects can still be
2688         built with `xcodebuild`.
2689
2690         Also note that the shell script that creates the .xcfilelist files can
2691         also be used to verify that the set of files that's currently checked
2692         in is up-to-date. This checking can be used as part of a check-in hook
2693         or part of check-webkit-style to sooner catch cases where the
2694         .xcfilelist files need to be regenerated.
2695
2696         * DerivedSources.make:
2697         * DerivedSources.xcfilelist: Added.
2698         * JavaScriptCore.xcodeproj/project.pbxproj:
2699         * UnifiedSources.xcfilelist: Added.
2700
2701 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2702
2703         U+180E is no longer a whitespace character
2704         https://bugs.webkit.org/show_bug.cgi?id=191415
2705
2706         Reviewed by Saam Barati.
2707
2708         Mongolian Vowel Separator stopped being a valid whitespace character as of ES2016.
2709         (https://github.com/tc39/ecma262/pull/300)
2710
2711         * parser/Lexer.h:
2712         (JSC::Lexer<UChar>::isWhiteSpace):
2713         * runtime/ParseInt.h:
2714         (JSC::isStrWhiteSpace):
2715         * yarr/create_regex_tables:
2716
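        Added example for the two whitespace entries above (isStrWhiteSpace defined
        in terms of isWhiteSpace and isLineTerminator, and U+180E no longer being
        whitespace). This is illustrative JavaScript written for this page, not
        WebKit code. It assumes a Node.js engine with Unicode property escapes
        (\p{Zs}) and Unicode tables at 6.3 or later; the function names are chosen
        here, and String.prototype.trim is used as the engine-side oracle for
        StrWhiteSpaceChar.

```javascript
'use strict';
// Added example, not WebKit/JSC code: a model of ECMA-262 StrWhiteSpaceChar built
// the way the entries above describe, isStrWhiteSpace = isWhiteSpace || isLineTerminator.
// U+180E (Mongolian Vowel Separator) is not special-cased anywhere: it left the Zs
// category in Unicode 6.3 and ES2016 removed it from WhiteSpace, so it falls out naturally.

// LineTerminator :: <LF> <CR> <LS> <PS>
function isLineTerminator(cp) {
  return cp === 0x0A || cp === 0x0D || cp === 0x2028 || cp === 0x2029;
}

// WhiteSpace :: <TAB> <VT> <FF> <SP> <NBSP> <ZWNBSP> plus any other Zs code point.
// Zs membership comes from the engine's Unicode tables via \p{Zs}.
function isWhiteSpace(cp) {
  if (cp === 0x09 || cp === 0x0B || cp === 0x0C || cp === 0x20 || cp === 0xA0 || cp === 0xFEFF) return true;
  return /^\p{Zs}$/u.test(String.fromCodePoint(cp));
}

// StrWhiteSpaceChar :: WhiteSpace | LineTerminator (what parseInt, Number() and trim skip).
function isStrWhiteSpace(cp) {
  return isWhiteSpace(cp) || isLineTerminator(cp);
}

// Engine oracle: String.prototype.trim strips exactly StrWhiteSpaceChar.
function engineTreatsAsStrWhiteSpace(cp) {
  return String.fromCodePoint(cp).trim() === '';
}

// Scan a code point range and return every code point where model and engine disagree.
function findDisagreements(from, to) {
  const out = [];
  for (let cp = from; cp <= to; cp++) {
    if (isStrWhiteSpace(cp) !== engineTreatsAsStrWhiteSpace(cp)) out.push(cp);
  }
  return out;
}

// parseInt skips leading StrWhiteSpaceChar; any other prefix makes the parse fail.
function parseIntAfterPrefix(cp, digits) {
  return parseInt(String.fromCodePoint(cp) + digits, 10);
}
```

        Run with node: U+180E is rejected by both the model and the engine,
        U+1680 (Ogham space mark, still Zs) and U+2028 are accepted, the BMP scan
        reports no disagreements, and parseInt fails on a U+180E prefix while
        still skipping a U+3000 ideographic space.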
2717 2018-11-08  Keith Miller  <keith_miller@apple.com>
2718
2719         jitEnabledByDefault() should be on useJIT not useBaselineJIT
2720         https://bugs.webkit.org/show_bug.cgi?id=191434
2721
2722         Reviewed by Saam Barati.
2723
2724         * runtime/Options.h:
2725
2726 2018-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2727
2728         Web Inspector: Restrict domains at the target level instead of only at the window level
2729         https://bugs.webkit.org/show_bug.cgi?id=191344
2730
2731         Reviewed by Devin Rousso.
2732
2733         * inspector/protocol/Console.json:
2734         * inspector/protocol/Debugger.json:
2735         * inspector/protocol/Heap.json:
2736         * inspector/protocol/Runtime.json:
2737         Remove workerSupported as it is now no longer necessary. It is implied
2738         by availability being empty (meaning it is supported everywhere).
2739
2740         * inspector/protocol/Inspector.json:
2741         * inspector/protocol/ScriptProfiler.json:
2742         Restrict to "javascript" and "web" debuggables, not available in workers.
2743
2744         * inspector/protocol/Worker.json:
2745         Cleanup, remove empty types list.
2746
2747         * inspector/protocol/Recording.json:
2748         Cleanup, only expose this in the "web" domain for now.
2749
2750         * inspector/scripts/codegen/generate_js_backend_commands.py:
2751         (JSBackendCommandsGenerator.generate_domain):
2752         * inspector/scripts/codegen/models.py:
2753         (Protocol.parse_domain):
2754         Allow a list of debuggable types. Add "worker" even though it is unused
2755         since that is a type we would want to allow or consider.
2756
2757         (Domain.__init__):
2758         (Domains):
2759         Remove now unnecessary workerSupported code.
2760         Allow availability on a domain with only types.
2761
2762         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: Removed.
2763         * inspector/scripts/tests/generic/worker-supported-domains.json: Removed.
2764
2765 2018-11-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2766
2767         Consider removing double load for accessing the MetadataTable from LLInt
2768         https://bugs.webkit.org/show_bug.cgi?id=190933
2769
2770         Reviewed by Keith Miller.
2771
        This patch removes the double load for accesses to MetadataTable from LLInt.
        MetadataTable is now a specially RefCounted class with an interesting memory layout.
        When its refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy it.
2775
2776         * bytecode/CodeBlock.cpp:
2777         (JSC::CodeBlock::finishCreation):
2778         (JSC::CodeBlock::estimatedSize):
2779         (JSC::CodeBlock::visitChildren):
2780         * bytecode/CodeBlock.h:
2781         (JSC::CodeBlock::metadata):
2782         * bytecode/CodeBlockInlines.h:
2783         (JSC::CodeBlock::forEachValueProfile):
2784         (JSC::CodeBlock::forEachArrayProfile):
2785         (JSC::CodeBlock::forEachArrayAllocationProfile):
2786         (JSC::CodeBlock::forEachObjectAllocationProfile):
2787         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2788         * bytecode/MetadataTable.cpp:
2789         (JSC::MetadataTable::MetadataTable):
2790         (JSC::MetadataTable::~MetadataTable):
2791         (JSC::MetadataTable::sizeInBytes):
2792         * bytecode/MetadataTable.h:
2793         (JSC::MetadataTable::get):
2794         (JSC::MetadataTable::forEach):
2795         (JSC::MetadataTable::ref const):
2796         (JSC::MetadataTable::deref const):
2797         (JSC::MetadataTable::refCount const):
2798         (JSC::MetadataTable::hasOneRef const):
2799         (JSC::MetadataTable::buffer):
2800         (JSC::MetadataTable::linkingData const):
2801         (JSC::MetadataTable::getImpl):
2802         * bytecode/UnlinkedMetadataTable.h:
2803         (JSC::UnlinkedMetadataTable::buffer const):
2804         * bytecode/UnlinkedMetadataTableInlines.h:
2805         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2806         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
2807         (JSC::UnlinkedMetadataTable::addEntry):
2808         (JSC::UnlinkedMetadataTable::sizeInBytes):
2809         (JSC::UnlinkedMetadataTable::finalize):
2810         (JSC::UnlinkedMetadataTable::link):
2811         (JSC::UnlinkedMetadataTable::unlink):
2812         * llint/LowLevelInterpreter.asm:
2813         * llint/LowLevelInterpreter32_64.asm:
2814
2815 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2816
2817         [BigInt] Add support to BigInt into ValueAdd
2818         https://bugs.webkit.org/show_bug.cgi?id=186177
2819
2820         Reviewed by Keith Miller.
2821
2822         We are adding a very primitive specialization case of BigInts into ValueAdd.
2823         When compiling a speculated version of this node to BigInt, we are currently
2824         calling 'operationAddBigInt', a function that expects only BigInts as
        parameters and effectively adds numbers using JSBigInt::add. To properly
2826         speculate BigInt operands, we changed ArithProfile to observe when
2827         its result is a BigInt. With this new observation, we are able to identify
        when ValueAdd results in a String or BigInt.
2829
2830         Here are some numbers for this specialization running
2831         microbenchmarks:
2832
2833         big-int-simple-add                   21.5411+-1.1096  ^  15.3502+-0.7027  ^ definitely 1.4033x faster
2834         big-int-add-prediction-propagation   13.7762+-0.5578  ^  10.8117+-0.5330  ^ definitely 1.2742x faster
2835
2836         * bytecode/ArithProfile.cpp:
2837         (JSC::ArithProfile::emitObserveResult):
2838         (JSC::ArithProfile::shouldEmitSetNonNumeric const):
2839         (JSC::ArithProfile::shouldEmitSetBigInt const):
2840         (JSC::ArithProfile::emitSetNonNumeric const):
2841         (JSC::ArithProfile::emitSetBigInt const):
2842         (WTF::printInternal):
2843         (JSC::ArithProfile::shouldEmitSetNonNumber const): Deleted.
2844         (JSC::ArithProfile::emitSetNonNumber const): Deleted.
2845         * bytecode/ArithProfile.h:
2846         (JSC::ArithProfile::observedUnaryInt):
2847         (JSC::ArithProfile::observedUnaryNumber):
2848         (JSC::ArithProfile::observedBinaryIntInt):
2849         (JSC::ArithProfile::observedBinaryNumberInt):
2850         (JSC::ArithProfile::observedBinaryIntNumber):
2851         (JSC::ArithProfile::observedBinaryNumberNumber):
2852         (JSC::ArithProfile::didObserveNonInt32 const):
2853         (JSC::ArithProfile::didObserveNonNumeric const):
2854         (JSC::ArithProfile::didObserveBigInt const):
2855         (JSC::ArithProfile::setObservedNonNumeric):
2856         (JSC::ArithProfile::setObservedBigInt):
2857         (JSC::ArithProfile::observeResult):
2858         (JSC::ArithProfile::didObserveNonNumber const): Deleted.
2859         (JSC::ArithProfile::setObservedNonNumber): Deleted.
2860         * dfg/DFGByteCodeParser.cpp:
2861         (JSC::DFG::ByteCodeParser::makeSafe):
2862         * dfg/DFGFixupPhase.cpp:
2863         (JSC::DFG::FixupPhase::fixupNode):
2864         * dfg/DFGNode.h:
2865         (JSC::DFG::Node::mayHaveNonNumericResult):
2866         (JSC::DFG::Node::mayHaveBigIntResult):
2867         (JSC::DFG::Node::mayHaveNonNumberResult): Deleted.
2868         * dfg/DFGNodeFlags.cpp:
2869         (JSC::DFG::dumpNodeFlags):
2870         * dfg/DFGNodeFlags.h:
2871         * dfg/DFGOperations.cpp:
2872         * dfg/DFGOperations.h:
2873         * dfg/DFGPredictionPropagationPhase.cpp:
2874         * dfg/DFGSpeculativeJIT.cpp:
2875         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2876         * ftl/FTLLowerDFGToB3.cpp:
2877         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2878         * runtime/CommonSlowPaths.cpp:
2879         (JSC::updateArithProfileForUnaryArithOp):
2880         (JSC::updateArithProfileForBinaryArithOp):
2881
2882 2018-11-07  Joseph Pecoraro  <pecoraro@apple.com>
2883
2884         Web Inspector: Fix "Javascript" => "JavaScript" enum in protocol generated objects
2885         https://bugs.webkit.org/show_bug.cgi?id=191340
2886
2887         Reviewed by Devin Rousso.
2888
2889         * inspector/ConsoleMessage.cpp:
2890         (Inspector::messageSourceValue):
2891         Use new enum name.
2892
2893         * inspector/scripts/codegen/generator.py:
2894         Correct the casing of "JavaScript".
2895
2896 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2897
2898         Align wide opcodes in the instruction stream
2899         https://bugs.webkit.org/show_bug.cgi?id=191254
2900
2901         Reviewed by Keith Miller.
2902
2903         Pad the bytecode with nops to ensure that wide opcodes are 4-byte
2904         aligned on platforms that don't like unaligned memory access.
2905
2906         For that, add a new type to represent jump targets, BoundLabel, which
2907         delays computing the offset in case we need to emit nops for padding.
        Extra padding is also emitted before op_yield and at the end of each
2909         BytecodeWriter fragment, to ensure that the bytecode remains aligned
2910         after the rewriting.
2911
        As a side effect, we can no longer guarantee that the point immediately
2913         before emitting an opcode is the start of that opcode, since nops
2914         might be emitted in between if the opcode needs to be wide. To fix
2915         that, we only take the offset of opcodes after they have been emitted,
2916         using `m_lastInstruction.offset()`.
2917
2918         * bytecode/BytecodeDumper.h:
2919         (JSC::BytecodeDumper::dumpValue):
2920         * bytecode/BytecodeGeneratorification.cpp:
2921         (JSC::BytecodeGeneratorification::run):
2922         * bytecode/BytecodeList.rb:
2923         * bytecode/BytecodeRewriter.h:
2924         (JSC::BytecodeRewriter::Fragment::align):
2925         (JSC::BytecodeRewriter::insertFragmentBefore):
2926         (JSC::BytecodeRewriter::insertFragmentAfter):
2927         * bytecode/Fits.h:
2928         * bytecode/InstructionStream.h:
2929         (JSC::InstructionStreamWriter::ref):
2930         * bytecode/PreciseJumpTargetsInlines.h:
2931         (JSC::updateStoredJumpTargetsForInstruction):
2932         * bytecompiler/BytecodeGenerator.cpp:
2933         (JSC::Label::setLocation):
2934         (JSC::BoundLabel::target):
2935         (JSC::BoundLabel::saveTarget):
2936         (JSC::BoundLabel::commitTarget):
2937         (JSC::BytecodeGenerator::generate):
2938         (JSC::BytecodeGenerator::recordOpcode):
2939         (JSC::BytecodeGenerator::alignWideOpcode):
2940         (JSC::BytecodeGenerator::emitProfileControlFlow):
2941         (JSC::BytecodeGenerator::emitResolveScope):
2942         (JSC::BytecodeGenerator::emitGetFromScope):
2943         (JSC::BytecodeGenerator::emitPutToScope):
2944         (JSC::BytecodeGenerator::emitGetById):
2945         (JSC::BytecodeGenerator::emitDirectGetById):
2946         (JSC::BytecodeGenerator::emitPutById):
2947         (JSC::BytecodeGenerator::emitDirectPutById):
2948         (JSC::BytecodeGenerator::emitGetByVal):
2949         (JSC::BytecodeGenerator::emitCreateThis):
2950         (JSC::BytecodeGenerator::beginSwitch):
2951         (JSC::BytecodeGenerator::endSwitch):
2952         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
2953         (JSC::BytecodeGenerator::emitYieldPoint):
2954         (JSC::BytecodeGenerator::emitToThis):
2955         (JSC::Label::bind): Deleted.
2956         * bytecompiler/BytecodeGenerator.h:
2957         (JSC::BytecodeGenerator::recordOpcode): Deleted.
2958         * bytecompiler/Label.h:
2959         (JSC::BoundLabel::BoundLabel):
2960         (JSC::BoundLabel::operator int):
2961         (JSC::Label::bind):
2962         * generator/Opcode.rb:
2963
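        A toy writer that makes the padding scheme concrete, as an added example (not the
        BytecodeGenerator code this entry touches). Its instruction layout is assumed for
        illustration and is not JSC's: a narrow instruction is an opcode byte plus one signed
        byte per operand, a wide one is an OP_WIDE prefix byte, the opcode byte and one
        little-endian int32 per operand, and OP_NOP is a single byte. The invariant kept is
        that int32 operands start on a 4-byte boundary. Forward jumps, whose target is unknown
        until the label is bound, are always emitted wide and patched afterwards, and the
        offset of an instruction is only taken after it has been emitted, mirroring the
        m_lastInstruction.offset() point above. The OP_* names, Label, BytecodeWriter,
        checkAlignment, jumpTarget and buildSample are this example's own.

```javascript
// Added example, not JSC code. Hypothetical encoding (see the lead-in):
//   narrow = opcode byte + one signed byte per operand
//   wide   = OP_WIDE byte, opcode byte, one little-endian int32 per operand
//   OP_NOP = one byte of padding
const OP_NOP = 0x00;
const OP_WIDE = 0x01;
const OP_ADD = 0x10; // three operands: dst, lhs, rhs
const OP_JMP = 0x20; // one operand: target offset relative to this jump
const OPERAND_COUNT = { [OP_NOP]: 0, [OP_ADD]: 3, [OP_JMP]: 1 };
const WIDE_OPERAND_SIZE = 4;

function fitsNarrow(v) {
  return Number.isInteger(v) && v >= -128 && v <= 127;
}

class Label {
  constructor() { this.offset = -1; }
  get bound() { return this.offset >= 0; }
}

class BytecodeWriter {
  constructor() {
    this.bytes = [];
    this.fixups = [];                // forward jumps waiting for their label
    this.lastInstructionOffset = -1; // offset of the last emitted instruction
  }

  get position() { return this.bytes.length; }

  // Emit nops until a wide instruction starting here would have its first
  // int32 operand (at position + 2) on a 4-byte boundary.
  alignWideOpcode() {
    while ((this.position + 2) % WIDE_OPERAND_SIZE !== 0) this.bytes.push(OP_NOP);
  }

  writeInt32(v) {
    for (let i = 0; i < 4; i++) this.bytes.push((v >> (8 * i)) & 0xff);
  }

  patchInt32(pos, v) {
    for (let i = 0; i < 4; i++) this.bytes[pos + i] = (v >> (8 * i)) & 0xff;
  }

  // Pick narrow or wide from the operand values. The returned offset is taken
  // AFTER emission: reading position before emit() would miss the padding.
  emit(opcode, operands, forceWide = false) {
    const wide = forceWide || !operands.every(fitsNarrow);
    if (wide) this.alignWideOpcode();
    this.lastInstructionOffset = this.position;
    if (wide) {
      this.bytes.push(OP_WIDE, opcode);
      for (const v of operands) this.writeInt32(v);
    } else {
      this.bytes.push(opcode, ...operands.map((v) => v & 0xff));
    }
    return this.lastInstructionOffset;
  }

  // Jumps are always wide here; the operand is relative to the jump itself
  // and is resolved once the label is bound.
  emitJump(label) {
    const jumpOffset = this.emit(OP_JMP, [0], /* forceWide */ true);
    const operandPos = jumpOffset + 2;
    if (label.bound) this.patchInt32(operandPos, label.offset - jumpOffset);
    else this.fixups.push({ operandPos, jumpOffset, label });
    return jumpOffset;
  }

  bind(label) { label.offset = this.position; }

  finish() {
    for (const f of this.fixups) {
      if (!f.label.bound) throw new Error("unbound label");
      this.patchInt32(f.operandPos, f.label.offset - f.jumpOffset);
    }
    this.fixups = [];
    return Uint8Array.from(this.bytes);
  }
}

// Walk the stream and confirm every wide instruction's operands are aligned.
function checkAlignment(bytes) {
  let pc = 0;
  while (pc < bytes.length) {
    let opcode = bytes[pc];
    let wide = false;
    if (opcode === OP_WIDE) {
      wide = true;
      opcode = bytes[pc + 1];
      if ((pc + 2) % WIDE_OPERAND_SIZE !== 0) return false;
    }
    const n = OPERAND_COUNT[opcode];
    if (n === undefined) return false;
    pc += wide ? 2 + WIDE_OPERAND_SIZE * n : 1 + n;
  }
  return true;
}

// Resolve the absolute target of a wide jump at jumpOffset.
function jumpTarget(bytes, jumpOffset) {
  if (bytes[jumpOffset] !== OP_WIDE || bytes[jumpOffset + 1] !== OP_JMP) throw new Error("not a wide jump");
  const p = jumpOffset + 2;
  const rel = bytes[p] | (bytes[p + 1] << 8) | (bytes[p + 2] << 16) | (bytes[p + 3] << 24);
  return jumpOffset + rel;
}

// Constructed sample: narrow add at 0, wide add padded to 6, forward jump
// padded to 22 and patched to target 32; total length 32 bytes.
function buildSample() {
  const w = new BytecodeWriter();
  const done = new Label();
  const narrowAdd = w.emit(OP_ADD, [1, 2, 3]);   // all operands fit a byte
  const wideAdd = w.emit(OP_ADD, [1, 2, 1000]);  // 1000 forces the wide form
  const jump = w.emitJump(done);                 // target not yet known
  w.emit(OP_ADD, [4, 5, 6]);
  w.bind(done);
  return { bytes: w.finish(), narrowAdd, wideAdd, jump, target: done.offset };
}
```

        The two nops before each wide instruction in buildSample are exactly the bytes that
        would shift a label if its offset were recorded before emit() instead of after it.
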
2964 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2965
2966         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2967         https://bugs.webkit.org/show_bug.cgi?id=191184
2968
2969         Reviewed by Saam Barati.
2970
2971         Fix API test on CLoop: we can only disable the LLInt when the JIT is enabled.
2972
2973         * API/tests/PingPongStackOverflowTest.cpp:
2974         (testPingPongStackOverflow):
2975
2976 2018-11-06  Justin Fan  <justin_fan@apple.com>
2977
2978         [WebGPU] Experimental prototype for WebGPURenderPipeline and WebGPUSwapChain
2979         https://bugs.webkit.org/show_bug.cgi?id=191291
2980
2981         Reviewed by Myles Maxfield.
2982
2983         Properly disable WEBGPU on all non-Metal platforms for now.
2984
2985         * Configurations/FeatureDefines.xcconfig:
2986
2987 2018-11-06  Keith Rollin  <krollin@apple.com>
2988
2989         Adjust handling of Include paths that need quoting
2990         https://bugs.webkit.org/show_bug.cgi?id=191314
2991         <rdar://problem/45849143>
2992
2993         Reviewed by Dan Bernstein.
2994
2995         There are several places in the JavaScriptCore Xcode project where the
2996         paths defined in HEADER_SEARCH_PATHS are quoted. That is, the
2997         definitions look like:
2998
2999             HEADER_SEARCH_PATHS = (
3000                 "\"${BUILT_PRODUCTS_DIR}/DerivedSources/JavaScriptCore\"",
3001                 "\"${BUILT_PRODUCTS_DIR}/LLIntOffsets/${ARCHS}\"",
3002                 "\"$(JAVASCRIPTCORE_FRAMEWORKS_DIR)/JavaScriptCore.framework/PrivateHeaders\"",
3003                 "$(inherited)",
3004             );
3005
3006         The idea here is presumably to have the resulting $(CPP) command have
3007         -I options where the associated paths are themselves quoted,
3008         protecting against space characters in the paths.
3009
3010         This approach to quote management can break under Xcode 9. If
3011         .xcfilelist files are added to the project, the 'objectVersion' value
3012         in the Xcode project file is changed from 46 to 51. If a project with
3013         objectVersion=51 is presented to Xcode 9 (as can happen when we build
3014         for older OS's), it produces build lines where the quotes are escaped,
3015         thereby becoming part of the path. The build then fails because a
3016         search for a file normally found in a directory called "Foo" will be
3017         looked for in "\"Foo\"", which doesn't exist.
3018
3019         Simply removing the escaped quotes from the HEADER_SEARCH_PATHS
3020         definition doesn't work, leading to paths that need quoting due to
3021         space characters but that don't get this quoting (the part of the path
3022         after the space appears to simply go missing).
3023
3024         Removing the escaped quotes from the HEADER_SEARCH_PATHS and moving
3025         the definitions to the .xcconfig fixes this problem.
3026
3027         * Configurations/ToolExecutable.xcconfig:
3028         * JavaScriptCore.xcodeproj/project.pbxproj:
3029
3030 2018-11-06  Michael Saboff  <msaboff@apple.com>
3031
3032         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3033         https://bugs.webkit.org/show_bug.cgi?id=191271
3034
3035         Reviewed by Saam Barati.
3036
        Fixed use of ThrowScope by adding release() calls.  Found a few places where we needed
        RETURN_IF_EXCEPTION().  After some code inspection, we determined that we need to cover the
        exception bubbling for String.match() with a global RegExp as well as for String.replace()
        and String.search().
3041
3042         * runtime/RegExpObjectInlines.h:
3043         (JSC::RegExpObject::matchInline):
3044         (JSC::collectMatches):
3045         * runtime/RegExpPrototype.cpp:
3046         (JSC::regExpProtoFuncSearchFast):
3047         * runtime/StringPrototype.cpp:
3048         (JSC::removeUsingRegExpSearch):
3049         (JSC::replaceUsingRegExpSearch):
3050
3051 2018-11-05  Don Olmstead  <don.olmstead@sony.com>
3052
3053         Fix typos in closing ENABLE guards
3054         https://bugs.webkit.org/show_bug.cgi?id=191273
3055
3056         Reviewed by Keith Miller.
3057
3058         * ftl/FTLForOSREntryJITCode.h:
3059         * ftl/FTLJITCode.h:
3060         * jsc.cpp:
3061         * wasm/WasmMemoryInformation.h:
3062         * wasm/WasmPageCount.h:
3063
3064 2018-11-05  Keith Miller  <keith_miller@apple.com>
3065
3066         Make static_asserts in APICast into bitwise_cast
3067         https://bugs.webkit.org/show_bug.cgi?id=191272
3068
3069         Reviewed by Filip Pizlo.
3070
3071         * API/APICast.h:
3072         (toJS):
3073         (toJSForGC):
3074         (toRef):
3075
3076 2018-11-05  Dominik Infuehr  <dinfuehr@igalia.com>
3077
3078         Enable LLInt on ARMv7/Linux
3079         https://bugs.webkit.org/show_bug.cgi?id=191190
3080
3081         Reviewed by Yusuke Suzuki.
3082
3083         After enabling the new bytecode format in r237547, C_LOOP was
3084         forced on all 32-bit platforms. Now enable LLInt again on
3085         ARMv7-Thumb2/Linux.
3086
3087         This adds a callee-saved register in ARMv7/Linux for the metadataTable and
3088         stores/restores it on LLInt function calls. It also introduces the globaladdr-
3089         instruction for the ARM-offlineasm to access the opcode-table.
3090
3091         * jit/GPRInfo.h:
3092         * jit/RegisterSet.cpp:
3093         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3094         * llint/LowLevelInterpreter.asm:
3095         * llint/LowLevelInterpreter32_64.asm:
3096         * offlineasm/arm.rb:
3097         * offlineasm/asm.rb:
3098         * offlineasm/instructions.rb:
3099
3100 2018-11-05  Fujii Hironori  <Hironori.Fujii@sony.com>
3101
3102         [Win][Clang][JSC] JIT::is64BitType reports "warning: explicit specialization cannot have a storage class"
3103         https://bugs.webkit.org/show_bug.cgi?id=191146
3104
3105         Reviewed by Yusuke Suzuki.
3106
3107         * jit/JIT.h: Changed is64BitType from a template class method to a
3108         template inner class.
3109
3110 2018-11-02  Keith Miller  <keith_miller@apple.com>
3111
3112         Assert JSValues can fit into a pointer when API casting
3113         https://bugs.webkit.org/show_bug.cgi?id=191220
3114
3115         Reviewed by Michael Saboff.
3116
3117         * API/APICast.h:
3118         (toJS):
3119         (toJSForGC):
3120         (toRef):
3121
3122 2018-11-02  Michael Saboff  <msaboff@apple.com>
3123
3124         Rolling in r237753 with unreviewed build fix.
3125
3126         Fixed issues with DECLARE_THROW_SCOPE placement.
3127
3128 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3129
3130         Unreviewed, rolling out r237753.
3131
3132         Introduced JSC test failures
3133
3134         Reverted changeset:
3135
3136         "Running out of stack space not properly handled in
3137         RegExp::compile() and its callers"
3138         https://bugs.webkit.org/show_bug.cgi?id=191206
3139         https://trac.webkit.org/changeset/237753
3140
3141 2018-11-02  Michael Saboff  <msaboff@apple.com>
3142
3143         Running out of stack space not properly handled in RegExp::compile() and its callers
3144         https://bugs.webkit.org/show_bug.cgi?id=191206
3145
3146         Reviewed by Filip Pizlo.
3147
3148         Eliminated two RELEASE_ASSERT_NOT_REACHED() for errors returned by Yarr parsing code.  Bubbled those errors
3149         up to where they are turned into the appropriate exceptions in matchInline().  If the errors are not due
3150         to syntax, we reset the RegExp state in case the parsing is tried with a smaller stack.
3151
3152         * runtime/RegExp.cpp:
3153         (JSC::RegExp::compile):
3154         (JSC::RegExp::compileMatchOnly):
3155         * runtime/RegExp.h:
3156         * runtime/RegExpInlines.h:
3157         (JSC::RegExp::compileIfNecessary):
3158         (JSC::RegExp::matchInline):
3159         (JSC::RegExp::compileIfNecessaryMatchOnly):
3160         * runtime/RegExpObjectInlines.h:
3161         (JSC::RegExpObject::execInline):
3162         * yarr/YarrErrorCode.h:
3163         (JSC::Yarr::hasHardError):
3164
3165 2018-11-02  Keith Miller  <keith_miller@apple.com>
3166
3167         API should use wrapper object if address is 32-bit
3168         https://bugs.webkit.org/show_bug.cgi?id=191203
3169
3170         Reviewed by Filip Pizlo.
3171
3172         * API/APICast.h:
3173         (toJS):
3174         (toJSForGC):
3175         (toRef):
3176
3177 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
3178
3179         Metadata should not be copyable
3180         https://bugs.webkit.org/show_bug.cgi?id=191193
3181
3182         Reviewed by Keith Miller.
3183
3184         We should only ever hold references to the entry in the metadata table.
3185
3186         * bytecode/CodeBlock.cpp:
3187         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3188         * dfg/DFGByteCodeParser.cpp:
3189         (JSC::DFG::ByteCodeParser::parseBlock):
3190         * generator/Metadata.rb:
3191
3192 2018-11-02  Tadeu Zagallo  <tzagallo@apple.com>
3193
3194         REGRESSION(r237547): Exception handlers should be aware of wide opcodes when JIT is disabled
3195         https://bugs.webkit.org/show_bug.cgi?id=191175
3196
3197         Reviewed by Keith Miller.
3198
        https://bugs.webkit.org/show_bug.cgi?id=191108 did not handle the case where JIT is not enabled.
3200
3201         * jit/JITExceptions.cpp:
3202         (JSC::genericUnwind):
3203         * llint/LLIntData.h:
3204         (JSC::LLInt::getWideCodePtr):
3205
3206 2018-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
3207
3208         Rename <wtf/unicode/UTF8.h> to <wtf/unicode/UTF8Conversion.h> in order to avoid conflicting with ICU's unicode/utf8.h
3209         https://bugs.webkit.org/show_bug.cgi?id=189693
3210
3211         Reviewed by Yusuke Suzuki.
3212
3213         * API/JSClassRef.cpp: Replaced <wtf/unicode/UTF8.h> with <wtf/unicode/UTF8Conversion.h>.
3214         * API/JSStringRef.cpp: Ditto.
3215         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
3216         * wasm/WasmParser.h: Ditto.
3217
3218 2018-11-01  Keith Miller  <keith_miller@apple.com>
3219
3220         Unreviewed, JavaScriptCore should only guarantee to produce a
3221         modulemap if we are building for iOSMac.
3222
3223         * Configurations/JavaScriptCore.xcconfig:
3224
3225 2018-10-31  Devin Rousso  <drousso@apple.com>
3226
3227         Web Inspector: Canvas: create a setting for auto-recording newly created contexts
3228         https://bugs.webkit.org/show_bug.cgi?id=190856
3229
3230         Reviewed by Brian Burg.
3231
3232         * inspector/protocol/Canvas.json:
3233         Add `setRecordingAutoCaptureFrameCount` command for setting the number of frames to record
3234         immediately after a context is created.
3235
3236         * inspector/protocol/Recording.json:
3237         Add `creation` value for `Initiator` enum.
3238
3239 2018-10-31  Devin Rousso  <drousso@apple.com>
3240
3241         Web Inspector: display low-power enter/exit events in Timelines and Network node waterfalls
3242         https://bugs.webkit.org/show_bug.cgi?id=190641
3243         <rdar://problem/45319049>
3244
3245         Reviewed by Joseph Pecoraro.
3246
3247         * inspector/protocol/DOM.json:
3248         Add `videoLowPowerChanged` event that is fired when `InspectorDOMAgent` is able to determine
3249         whether a video element's low power state has changed.
3250
3251 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3252
3253         Adjust inlining threshold for new bytecode format
3254         https://bugs.webkit.org/show_bug.cgi?id=191115
3255
3256         Reviewed by Saam Barati.
3257
3258         The new format reduced the number of operands for many opcodes, which
3259         changed inlining decisions and impacted performance negatively.
3260
3261         * runtime/Options.h:
3262
3263 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3264
3265         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3266         https://bugs.webkit.org/show_bug.cgi?id=191108
3267         <rdar://problem/45690700>
3268
3269         Reviewed by Saam Barati.
3270
3271         When linking the handler, we need to check whether the target op_catch is
        wide or narrow in order to choose the right code pointer for the handler.
3273
3274         * bytecode/CodeBlock.cpp:
3275         (JSC::CodeBlock::finishCreation):
3276
3277 2018-10-31  Dominik Infuehr  <dinfuehr@igalia.com>
3278
3279         Align entries in metadata table
3280         https://bugs.webkit.org/show_bug.cgi?id=191062
3281
3282         Reviewed by Filip Pizlo.
3283
3284         Entries in the metadata table need to be aligned on some 32-bit
3285         architectures.
3286
3287         * bytecode/MetadataTable.h:
3288         (JSC::MetadataTable::forEach):
3289         * bytecode/Opcode.cpp:
3290         (JSC::metadataAlignment):
3291         * bytecode/Opcode.h:
3292         * bytecode/UnlinkedMetadataTableInlines.h:
3293         (JSC::UnlinkedMetadataTable::finalize):
3294         * generator/Section.rb:
3295
3296 2018-10-31  Jim Mason  <jmason@ibinx.com>
3297
3298         Static global 'fastHandlerInstalled' conditionally declared in WasmFaultSignalHandler.cpp
3299         https://bugs.webkit.org/show_bug.cgi?id=191063
3300
3301         Reviewed by Yusuke Suzuki.
3302
3303         * wasm/WasmFaultSignalHandler.cpp:
3304
3305 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3306
3307         [JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions
3308         https://bugs.webkit.org/show_bug.cgi?id=191092
3309
3310         Reviewed by Saam Barati.
3311
3312         Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the
3313         following things to tighten LLInt ASM code.
3314
3315         1. Remove unnecessary load instructions. Use jmp with BaseIndex directly.
3316         2. Introduce strength reduction for mul instructions in offlineasm layer. This is now critical
        since the mul instruction is executed in the `metadata` operation in LLInt. If the given immediate is
3318         a power of two, we convert it to lshift instruction.
3319
3320         * llint/LowLevelInterpreter32_64.asm:
3321         * llint/LowLevelInterpreter64.asm:
3322         * offlineasm/arm64.rb:
3323         * offlineasm/instructions.rb:
3324         * offlineasm/x86.rb:
3325
3326 2018-10-30  Don Olmstead  <don.olmstead@sony.com>
3327
3328         [PlayStation] Enable JavaScriptCore
3329         https://bugs.webkit.org/show_bug.cgi?id=191072
3330
3331         Reviewed by Brent Fulgham.
3332
3333         Add platform files for the PlayStation port.
3334
3335         * PlatformPlayStation.cmake: Added.
3336
3337 2018-10-30  Alexey Proskuryakov  <ap@apple.com>
3338
3339         Clean up some obsolete MAX_ALLOWED macros
3340         https://bugs.webkit.org/show_bug.cgi?id=190916
3341
3342         Reviewed by Tim Horton.
3343
3344         * API/JSManagedValue.mm:
3345         * API/JSVirtualMachine.mm:
3346         * API/JSWrapperMap.mm:
3347
3348 2018-10-30  Ross Kirsling  <ross.kirsling@sony.com>
3349
3350         useProbeOSRExit causes failures for Win64 DFG JIT
3351         https://bugs.webkit.org/show_bug.cgi?id=190656
3352
3353         Reviewed by Keith Miller.
3354
3355         * assembler/ProbeContext.cpp:
3356         (JSC::Probe::executeProbe):
3357         If lowWatermark is expected to equal lowWatermarkFromVisitingDirtyPages *regardless* of the input param,
3358         then let's just call lowWatermarkFromVisitingDirtyPages instead.
3359
3360         * dfg/DFGOSRExit.cpp:
3361         (JSC::DFG::OSRExit::executeOSRExit):
3362         The result of VariableEventStream::reconstruct appears to be inappropriate for direct use as a stack pointer offset;
3363         mimic the non-probe case and use requiredRegisterCountForExit from DFGCommonData instead.
3364         (Also, stop redundantly setting the stack pointer twice in a row.)
3365
3366 2018-10-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3367
3368         "Unreviewed, partial rolling in r237254"
3369         https://bugs.webkit.org/show_bug.cgi?id=190340
3370
        This only adds Parser.{cpp,h}, and it is not used in this patch.
        It examines whether the regression is related to the exact Parser changes.
3373
3374         * parser/Parser.cpp:
3375         (JSC::Parser<LexerType>::parseInner):
3376         (JSC::Parser<LexerType>::parseSingleFunction):
3377         (JSC::Parser<LexerType>::parseFunctionInfo):
3378         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3379         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
3380         * parser/Parser.h:
3381         (JSC::Parser<LexerType>::parse):
3382         (JSC::parse):
3383         (JSC::parseFunctionForFunctionConstructor):
3384
3385 2018-10-29  Mark Lam  <mark.lam@apple.com>
3386
3387         Correctly detect string overflow when using the 'Function' constructor.
3388         https://bugs.webkit.org/show_bug.cgi?id=184883
3389         <rdar://problem/36320331>
3390
3391         Reviewed by Saam Barati.
3392
3393         Added StringBuilder::hasOverflowed() checks, and throwing OutOfMemoryErrors if
3394         we detect an overflow.
3395
3396         * runtime/FunctionConstructor.cpp:
3397         (JSC::constructFunctionSkippingEvalEnabledCheck):
3398         * runtime/JSGlobalObjectFunctions.cpp:
3399         (JSC::encode):
3400         (JSC::decode):
3401         * runtime/JSONObject.cpp:
3402         (JSC::Stringifier::stringify):
3403         (JSC::Stringifier::appendStringifiedValue):
3404
3405 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3406
3407         Unreviewed, fix JSC on arm64e after r237547
3408         https://bugs.webkit.org/show_bug.cgi?id=187373
3409
3410         Unreviewed.
3411
3412         Remove unused move guarded by POINTER_PROFILING that was trashing the
3413         metadata on arm64e.
3414
3415         * llint/LowLevelInterpreter64.asm:
3416
3417 2018-10-29  Keith Miller  <keith_miller@apple.com>
3418
3419         JSC should explicitly list its modulemap file
3420         https://bugs.webkit.org/show_bug.cgi?id=191032
3421
3422         Reviewed by Saam Barati.
3423
3424         The automagically generated module map file for JSC will
3425         include headers where they may not work out of the box.
3426         This patch makes it so we now export the same modulemap
3427         that used to be provided via the legacy system.
3428
3429         * Configurations/JavaScriptCore.xcconfig:
3430         * JavaScriptCore.modulemap: Added.
3431         * JavaScriptCore.xcodeproj/project.pbxproj:
3432
3433 2018-10-29  Tim Horton  <timothy_horton@apple.com>
3434
3435         Modernize WebKit nibs and lprojs for localization's sake
3436         https://bugs.webkit.org/show_bug.cgi?id=190911
3437         <rdar://problem/45349466>
3438
3439         Reviewed by Dan Bernstein.
3440
3441         * JavaScriptCore.xcodeproj/project.pbxproj:
3442         English->en
3443
3444 2018-10-29  Commit Queue  <commit-queue@webkit.org>
3445
3446         Unreviewed, rolling out r237492.
3447         https://bugs.webkit.org/show_bug.cgi?id=191035
3448
3449         "It regresses JetStream 2 by 5% on some iOS devices"
3450         (Requested by saamyjoon on #webkit).
3451
3452         Reverted changeset:
3453
3454         "Unreviewed, partial rolling in r237254"
3455         https://bugs.webkit.org/show_bug.cgi?id=190340
3456         https://trac.webkit.org/changeset/237492
3457
3458 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3459
3460         Add support for GetStack FlushedDouble
3461         https://bugs.webkit.org/show_bug.cgi?id=191012
3462         <rdar://problem/45265141>
3463
3464         Reviewed by Saam Barati.
3465
3466         LowerDFGToB3::compileGetStack assumed that we would not emit GetStack
3467         for doubles, but it turns out it may arise from the PutStack sinking
3468         phase: if we sink a PutStack into a successor block, other predecessors
3469         will emit a GetStack followed by a Upsilon.
3470
3471         * ftl/FTLLowerDFGToB3.cpp:
3472         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3473
3474 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3475
3476         New bytecode format for JSC
3477         https://bugs.webkit.org/show_bug.cgi?id=187373
3478         <rdar://problem/44186758>
3479
3480         Reviewed by Filip Pizlo.
3481
3482         Replace unlinked and linked bytecode with a new immutable bytecode that does not embed
3483         any addresses. Instructions can be encoded as narrow (1-byte operands) or wide (4-byte
3484         operands) and might contain an extra operand, the metadataID. The metadataID is used to
3485         access the instruction's mutable data in a side table in the CodeBlock (the MetadataTable).
3486
3487         Bytecodes now must be structs declared in the new BytecodeList.rb. All bytecodes give names
        and types to all their operands. Additionally, reading a bytecode from the instruction stream
3489         requires decoding the whole bytecode, i.e. it's no longer possible to access arbitrary
3490         operands directly from the stream.
3491
3492
3493         * CMakeLists.txt:
3494         * DerivedSources.make:
3495         * JavaScriptCore.xcodeproj/project.pbxproj:
3496         * Sources.txt:
3497         * assembler/MacroAssemblerCodeRef.h:
3498         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3499         (JSC::ReturnAddressPtr::value const):
3500         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3501         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3502         * bytecode/ArithProfile.h:
3503         (JSC::ArithProfile::ArithProfile):
3504         * bytecode/ArrayAllocationProfile.h:
3505         (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
3506         * bytecode/ArrayProfile.h:
3507         * bytecode/BytecodeBasicBlock.cpp:
3508         (JSC::isJumpTarget):
3509         (JSC::BytecodeBasicBlock::computeImpl):
3510         (JSC::BytecodeBasicBlock::compute):
3511         * bytecode/BytecodeBasicBlock.h:
3512         (JSC::BytecodeBasicBlock::leaderOffset const):
3513         (JSC::BytecodeBasicBlock::totalLength const):
3514         (JSC::BytecodeBasicBlock::offsets const):
3515         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3516         (JSC::BytecodeBasicBlock::addLength):
3517         * bytecode/BytecodeDumper.cpp:
3518         (JSC::BytecodeDumper<Block>::printLocationAndOp):
3519         (JSC::BytecodeDumper<Block>::dumpBytecode):
3520         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
3521         (JSC::BytecodeDumper<Block>::dumpConstants):
3522         (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
3523         (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
3524         (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
3525         (JSC::BytecodeDumper<Block>::dumpBlock):
3526         * bytecode/BytecodeDumper.h:
3527         (JSC::BytecodeDumper::dumpOperand):
3528         (JSC::BytecodeDumper::dumpValue):
3529         (JSC::BytecodeDumper::BytecodeDumper):
3530         (JSC::BytecodeDumper::block const):
3531         * bytecode/BytecodeGeneratorification.cpp:
3532         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3533         (JSC::BytecodeGeneratorification::enterPoint const):
3534         (JSC::BytecodeGeneratorification::instructions const):
3535         (JSC::GeneratorLivenessAnalysis::run):
3536         (JSC::BytecodeGeneratorification::run):
3537         (JSC::performGeneratorification):
3538         * bytecode/BytecodeGeneratorification.h:
3539         * bytecode/BytecodeGraph.h:
3540         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3541         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3542         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3543         (JSC::BytecodeGraph::BytecodeGraph):
3544         * bytecode/BytecodeKills.h:
3545         * bytecode/BytecodeList.json: Removed.
3546         * bytecode/BytecodeList.rb: Added.
3547         * bytecode/BytecodeLivenessAnalysis.cpp:
3548         (JSC::BytecodeLivenessAnalysis::dumpResults):
3549         * bytecode/BytecodeLivenessAnalysis.h:
3550         * bytecode/BytecodeLivenessAnalysisInlines.h:
3551         (JSC::isValidRegisterForLiveness):
3552         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3553         * bytecode/BytecodeRewriter.cpp:
3554         (JSC::BytecodeRewriter::applyModification):
3555         (JSC::BytecodeRewriter::execute):
3556         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3557         (JSC::BytecodeRewriter::insertImpl):
3558         (JSC::BytecodeRewriter::adjustJumpTarget):
3559         (JSC::BytecodeRewriter::adjustJumpTargets):
3560         * bytecode/BytecodeRewriter.h:
3561         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
3562         (JSC::BytecodeRewriter::Fragment::Fragment):
3563         (JSC::BytecodeRewriter::Fragment::appendInstruction):
3564         (JSC::BytecodeRewriter::BytecodeRewriter):
3565         (JSC::BytecodeRewriter::insertFragmentBefore):
3566         (JSC::BytecodeRewriter::insertFragmentAfter):
3567         (JSC::BytecodeRewriter::removeBytecode):
3568         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
3569         (JSC::BytecodeRewriter::adjustJumpTarget):
3570         * bytecode/BytecodeUseDef.h:
3571         (JSC::computeUsesForBytecodeOffset):
3572         (JSC::computeDefsForBytecodeOffset):
3573         * bytecode/CallLinkStatus.cpp:
3574         (JSC::CallLinkStatus::computeFromLLInt):
3575         * bytecode/CodeBlock.cpp:
3576         (JSC::CodeBlock::dumpBytecode):
3577         (JSC::CodeBlock::CodeBlock):
3578         (JSC::CodeBlock::finishCreation):
3579         (JSC::CodeBlock::estimatedSize):
3580         (JSC::CodeBlock::visitChildren):
3581         (JSC::CodeBlock::propagateTransitions):
3582         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3583         (JSC::CodeBlock::addJITAddIC):
3584         (JSC::CodeBlock::addJITMulIC):
3585         (JSC::CodeBlock::addJITSubIC):
3586         (JSC::CodeBlock::addJITNegIC):
3587         (JSC::CodeBlock::stronglyVisitStrongReferences):
3588         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
3589         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3590         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3591         (JSC::CodeBlock::getArrayProfile):
3592         (JSC::CodeBlock::updateAllArrayPredictions):
3593         (JSC::CodeBlock::predictedMachineCodeSize):
3594         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
3595         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
3596         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3597         (JSC::CodeBlock::validate):
3598         (JSC::CodeBlock::outOfLineJumpOffset):
3599         (JSC::CodeBlock::outOfLineJumpTarget):
3600         (JSC::CodeBlock::arithProfileForBytecodeOffset):
3601         (JSC::CodeBlock::arithProfileForPC):
3602         (JSC::CodeBlock::couldTakeSpecialFastCase):
3603         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3604         * bytecode/CodeBlock.h:
3605         (JSC::CodeBlock::addMathIC):
3606         (JSC::CodeBlock::outOfLineJumpOffset):
3607         (JSC::CodeBlock::bytecodeOffset):
3608         (JSC::CodeBlock::instructions const):
3609         (JSC::CodeBlock::instructionCount const):
3610         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
3611         (JSC::CodeBlock::metadata):
3612         (JSC::CodeBlock::metadataSizeInBytes):
3613         (JSC::CodeBlock::numberOfNonArgumentValueProfiles):
3614         (JSC::CodeBlock::totalNumberOfValueProfiles):
3615         * bytecode/CodeBlockInlines.h: Added.
3616         (JSC::CodeBlock::forEachValueProfile):
3617         (JSC::CodeBlock::forEachArrayProfile):
3618         (JSC::CodeBlock::forEachArrayAllocationProfile):
3619         (JSC::CodeBlock::forEachObjectAllocationProfile):
3620         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
3621         * bytecode/Fits.h: Added.
3622         * bytecode/GetByIdMetadata.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3623         * bytecode/GetByIdStatus.cpp:
3624         (JSC::GetByIdStatus::computeFromLLInt):
3625         * bytecode/Instruction.h:
3626         (JSC::Instruction::Instruction):
3627         (JSC::Instruction::Impl::opcodeID const):
3628         (JSC::Instruction::opcodeID const):
3629         (JSC::Instruction::name const):
3630         (JSC::Instruction::isWide const):
3631         (JSC::Instruction::size const):
3632         (JSC::Instruction::is const):
3633         (JSC::Instruction::as const):
3634         (JSC::Instruction::cast):
3635         (JSC::Instruction::cast const):
3636         (JSC::Instruction::narrow const):
3637         (JSC::Instruction::wide const):
3638         * bytecode/InstructionStream.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3639         (JSC::InstructionStream::InstructionStream):
3640         (JSC::InstructionStream::sizeInBytes const):
3641         * bytecode/InstructionStream.h: Added.
3642         (JSC::InstructionStream::BaseRef::BaseRef):
3643         (JSC::InstructionStream::BaseRef::operator=):
3644         (JSC::InstructionStream::BaseRef::operator-> const):
3645         (JSC::InstructionStream::BaseRef::ptr const):
3646         (JSC::InstructionStream::BaseRef::operator!= const):
3647         (JSC::InstructionStream::BaseRef::next const):
3648         (JSC::InstructionStream::BaseRef::offset const):
3649         (JSC::InstructionStream::BaseRef::isValid const):
3650         (JSC::InstructionStream::BaseRef::unwrap const):
3651         (JSC::InstructionStream::MutableRef::freeze const):
3652         (JSC::InstructionStream::MutableRef::operator->):
3653         (JSC::InstructionStream::MutableRef::ptr):
3654         (JSC::InstructionStream::MutableRef::operator Ref):
3655         (JSC::InstructionStream::MutableRef::unwrap):
3656         (JSC::InstructionStream::iterator::operator*):
3657         (JSC::InstructionStream::iterator::operator++):
3658         (JSC::InstructionStream::begin const):
3659         (JSC::InstructionStream::end const):
3660         (JSC::InstructionStream::at const):
3661         (JSC::InstructionStream::size const):
3662         (JSC::InstructionStreamWriter::InstructionStreamWriter):
3663         (JSC::InstructionStreamWriter::ref):
3664         (JSC::InstructionStreamWriter::seek):
3665         (JSC::InstructionStreamWriter::position):
3666         (JSC::InstructionStreamWriter::write):
3667         (JSC::InstructionStreamWriter::rewind):
3668         (JSC::InstructionStreamWriter::finalize):
3669         (JSC::InstructionStreamWriter::swap):
3670         (JSC::InstructionStreamWriter::iterator::operator*):
3671         (JSC::InstructionStreamWriter::iterator::operator++):
3672         (JSC::InstructionStreamWriter::begin):
3673         (JSC::InstructionStreamWriter::end):
3674         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3675         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
3676         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3677         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
3678         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3679         * bytecode/MetadataTable.cpp: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3680         (JSC::MetadataTable::MetadataTable):
3681         (JSC::DeallocTable::withOpcodeType):
3682         (JSC::MetadataTable::~MetadataTable):
3683         (JSC::MetadataTable::sizeInBytes):
3684         * bytecode/MetadataTable.h: Copied from Source/JavaScriptCore/runtime/Watchdog.h.
3685         (JSC::MetadataTable::get):
3686         (JSC::MetadataTable::forEach):
3687         (JSC::MetadataTable::getImpl):
3688         * bytecode/Opcode.cpp:
3689         (JSC::metadataSize):
3690         * bytecode/Opcode.h:
3691         (JSC::padOpcodeName):
3692         * bytecode/OpcodeInlines.h:
3693         (JSC::isOpcodeShape):
3694         (JSC::getOpcodeType):
3695         * bytecode/OpcodeSize.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3696         * bytecode/PreciseJumpTargets.cpp:
3697         (JSC::getJumpTargetsForInstruction):
3698         (JSC::computePreciseJumpTargetsInternal):
3699         (JSC::computePreciseJumpTargets):
3700         (JSC::recomputePreciseJumpTargets):
3701         (JSC::findJumpTargetsForInstruction):
3702         * bytecode/PreciseJumpTargets.h:
3703         * bytecode/PreciseJumpTargetsInlines.h:
3704         (JSC::jumpTargetForInstruction):
3705         (JSC::extractStoredJumpTargetsForInstruction):
3706         (JSC::updateStoredJumpTargetsForInstruction):
3707         * bytecode/PutByIdStatus.cpp:
3708         (JSC::PutByIdStatus::computeFromLLInt):
3709         * bytecode/SpecialPointer.cpp:
3710         (WTF::printInternal):
3711         * bytecode/SpecialPointer.h:
3712         * bytecode/UnlinkedCodeBlock.cpp:
3713         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3714         (JSC::UnlinkedCodeBlock::visitChildren):
3715         (JSC::UnlinkedCodeBlock::estimatedSize):
3716         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
3717         (JSC::dumpLineColumnEntry):
3718         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset const):
3719         (JSC::UnlinkedCodeBlock::setInstructions):
3720         (JSC::UnlinkedCodeBlock::instructions const):
3721         (JSC::UnlinkedCodeBlock::applyModification):
3722         (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget):
3723         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3724         * bytecode/UnlinkedCodeBlock.h:
3725         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction):
3726         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const):
3727         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
3728         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
3729         (JSC::UnlinkedCodeBlock::metadata):
3730         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
3731         (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
3732         (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets):
3733         * bytecode/UnlinkedInstructionStream.cpp: Removed.
3734         * bytecode/UnlinkedInstructionStream.h: Removed.
3735         * bytecode/UnlinkedMetadataTable.h: Copied from Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h.
3736         * bytecode/UnlinkedMetadataTableInlines.h: Added.
3737         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
3738         (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable):
3739         (JSC::UnlinkedMetadataTable::addEntry):
3740         (JSC::UnlinkedMetadataTable::sizeInBytes):
3741         (JSC::UnlinkedMetadataTable::finalize):
3742         (JSC::UnlinkedMetadataTable::link):
3743         (JSC::UnlinkedMetadataTable::unlink):
3744         * bytecode/VirtualRegister.cpp:
3745         (JSC::VirtualRegister::VirtualRegister):
3746         * bytecode/VirtualRegister.h:
3747         * bytecompiler/BytecodeGenerator.cpp:
3748         (JSC::Label::setLocation):
3749         (JSC::Label::bind):
3750         (JSC::BytecodeGenerator::generate):
3751         (JSC::BytecodeGenerator::BytecodeGenerator):
3752         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
3753         (JSC::BytecodeGenerator::emitEnter):
3754         (JSC::BytecodeGenerator::emitLoopHint):
3755         (JSC::BytecodeGenerator::emitJump):
3756         (JSC::BytecodeGenerator::emitCheckTraps):
3757         (JSC::BytecodeGenerator::rewind):
3758         (JSC::BytecodeGenerator::fuseCompareAndJump):
3759         (JSC::BytecodeGenerator::fuseTestAndJmp):
3760         (JSC::BytecodeGenerator::emitJumpIfTrue):
3761         (JSC::BytecodeGenerator::emitJumpIfFalse):
3762         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3763         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3764         (JSC::BytecodeGenerator::moveLinkTimeConstant):
3765         (JSC::BytecodeGenerator::moveEmptyValue):
3766         (JSC::BytecodeGenerator::emitMove):
3767         (JSC::BytecodeGenerator::emitUnaryOp):
3768         (JSC::BytecodeGenerator::emitBinaryOp):
3769         (JSC::BytecodeGenerator::emitToObject):
3770         (JSC::BytecodeGenerator::emitToNumber):
3771         (JSC::BytecodeGenerator::emitToString):
3772         (JSC::BytecodeGenerator::emitTypeOf):
3773         (JSC::BytecodeGenerator::emitInc):
3774         (JSC::BytecodeGenerator::emitDec):
3775         (JSC::BytecodeGenerator::emitEqualityOp):
3776         (JSC::BytecodeGenerator::emitProfileType):
3777         (JSC::BytecodeGenerator::emitProfileControlFlow):
3778         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3779         (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
3780         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3781         (JSC::BytecodeGenerator::emitOverridesHasInstance):
3782         (JSC::BytecodeGenerator::emitResolveScope):
3783         (JSC::BytecodeGenerator::emitGetFromScope):
3784         (JSC::BytecodeGenerator::emitPutToScope):
3785         (JSC::BytecodeGenerator::emitInstanceOf):
3786         (JSC::BytecodeGenerator::emitInstanceOfCustom):
3787         (JSC::BytecodeGenerator::emitInByVal):
3788         (JSC::BytecodeGenerator::emitInById):
3789         (JSC::BytecodeGenerator::emitTryGetById):
3790         (JSC::BytecodeGenerator::emitGetById):
3791         (JSC::BytecodeGenerator::emitDirectGetById):
3792         (JSC::BytecodeGenerator::emitPutById):
3793         (JSC::BytecodeGenerator::emitDirectPutById):
3794         (JSC::BytecodeGenerator::emitPutGetterById):
3795         (JSC::BytecodeGenerator::emitPutSetterById):
3796         (JSC::BytecodeGenerator::emitPutGetterSetter):
3797         (JSC::BytecodeGenerator::emitPutGetterByVal):
3798         (JSC::BytecodeGenerator::emitPutSetterByVal):
3799         (JSC::BytecodeGenerator::emitDeleteById):
3800         (JSC::BytecodeGenerator::emitGetByVal):
3801         (JSC::BytecodeGenerator::emitPutByVal):
3802         (JSC::BytecodeGenerator::emitDirectPutByVal):
3803         (JSC::BytecodeGenerator::emitDeleteByVal):
3804         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
3805         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
3806         (JSC::BytecodeGenerator::emitIdWithProfile):
3807         (JSC::BytecodeGenerator::emitUnreachable):
3808         (JSC::BytecodeGenerator::emitGetArgument):
3809         (JSC::BytecodeGenerator::emitCreateThis):
3810         (JSC::BytecodeGenerator::emitTDZCheck):
3811         (JSC::BytecodeGenerator::emitNewObject):
3812         (JSC::BytecodeGenerator::emitNewArrayBuffer):
3813         (JSC::BytecodeGenerator::emitNewArray):
3814         (JSC::BytecodeGenerator::emitNewArrayWithSpread):
3815         (JSC::BytecodeGenerator::emitNewArrayWithSize):
3816         (JSC::BytecodeGenerator::emitNewRegExp):
3817         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
3818         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3819         (JSC::BytecodeGenerator::emitNewFunction):
3820         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
3821         (JSC::BytecodeGenerator::emitCall):
3822         (JSC::BytecodeGenerator::emitCallInTailPosition):
3823         (JSC::BytecodeGenerator::emitCallEval):
3824         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3825         (JSC::BytecodeGenerator::emitCallVarargs):
3826         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3827         (JSC::BytecodeGenerator::emitConstructVarargs):
3828         (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
3829         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3830         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3831         (JSC::BytecodeGenerator::emitCallDefineProperty):
3832         (JSC::BytecodeGenerator::emitReturn):
3833         (JSC::BytecodeGenerator::emitEnd):
3834         (JSC::BytecodeGenerator::emitConstruct):
3835         (JSC::BytecodeGenerator::emitStrcat):
3836         (JSC::BytecodeGenerator::emitToPrimitive):
3837         (JSC::BytecodeGenerator::emitGetScope):
3838         (JSC::BytecodeGenerator::emitPushWithScope):
3839         (JSC::BytecodeGenerator::emitGetParentScope):
3840         (JSC::BytecodeGenerator::emitDebugHook):
3841         (JSC::BytecodeGenerator::emitCatch):
3842         (JSC::BytecodeGenerator::emitThrow):
3843         (JSC::BytecodeGenerator::emitArgumentCount):
3844         (JSC::BytecodeGenerator::emitThrowStaticError):
3845         (JSC::BytecodeGenerator::beginSwitch):
3846         (JSC::prepareJumpTableForSwitch):
3847         (JSC::prepareJumpTableForStringSwitch):
3848         (JSC::BytecodeGenerator::endSwitch):
3849         (JSC::BytecodeGenerator::emitGetEnumerableLength):
3850         (JSC::BytecodeGenerator::emitHasGenericProperty):
3851         (JSC::BytecodeGenerator::emitHasIndexedProperty):
3852         (JSC::BytecodeGenerator::emitHasStructureProperty):
3853         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
3854         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
3855         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
3856         (JSC::BytecodeGenerator::emitToIndexString):
3857         (JSC::BytecodeGenerator::emitIsCellWithType):
3858         (JSC::BytecodeGenerator::emitIsObject):
3859         (JSC::BytecodeGenerator::emitIsNumber):
3860         (JSC::BytecodeGenerator::emitIsUndefined):
3861         (JSC::BytecodeGenerator::emitIsEmpty):
3862         (JSC::BytecodeGenerator::emitRestParameter):
3863         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
3864         (JSC::BytecodeGenerator::emitYieldPoint):
3865         (JSC::BytecodeGenerator::emitYield):
3866         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3867         (JSC::BytecodeGenerator::emitDelegateYield):
3868         (JSC::BytecodeGenerator::emitFinallyCompletion):
3869         (JSC::BytecodeGenerator::emitJumpIf):
3870         (JSC::ForInContext::finalize):
3871         (JSC::StructureForInContext::finalize):
3872         (JSC::IndexedForInContext::finalize):
3873         (JSC::StaticPropertyAnalysis::record):
3874         (JSC::BytecodeGenerator::emitToThis):
3875         * bytecompiler/BytecodeGenerator.h:
3876         (JSC::StructureForInContext::addGetInst):
3877         (JSC::BytecodeGenerator::recordOpcode):
3878         (JSC::BytecodeGenerator::addMetadataFor):
3879         (JSC::BytecodeGenerator::emitUnaryOp):
3880         (JSC::BytecodeGenerator::kill):
3881         (JSC::BytecodeGenerator::instructions const):
3882         (JSC::BytecodeGenerator::write):
3883         (JSC::BytecodeGenerator::withWriter):
3884         * bytecompiler/Label.h:
3885         (JSC::Label::Label):
3886         (JSC::Label::bind):
3887         * bytecompiler/NodesCodegen.cpp:
3888         (JSC::ArrayNode::emitBytecode):
3889         (JSC::BytecodeIntrinsicNode::emit_intrinsic_argumentCount):
3890         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3891         (JSC::BitwiseNotNode::emitBytecode):
3892         (JSC::BinaryOpNode::emitBytecode):
3893         (JSC::EqualNode::emitBytecode):
3894         (JSC::StrictEqualNode::emitBytecode):
3895         (JSC::emitReadModifyAssignment):
3896         (JSC::ForInNode::emitBytecode):
3897         (JSC::CaseBlockNode::emitBytecodeForBlock):
3898         (JSC::FunctionNode::emitBytecode):
3899         (JSC::ClassExprNode::emitBytecode):
3900         * bytecompiler/ProfileTypeBytecodeFlag.cpp: Copied from Source/JavaScriptCore/bytecode/VirtualRegister.cpp.
3901         (WTF::printInternal):
3902         * bytecompiler/ProfileTypeBytecodeFlag.h: Copied from Source/JavaScriptCore/bytecode/SpecialPointer.cpp.
3903         * bytecompiler/RegisterID.h:
3904         * bytecompiler/StaticPropertyAnalysis.h:
3905         (JSC::StaticPropertyAnalysis::create):
3906         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
3907         * bytecompiler/StaticPropertyAnalyzer.h:
3908         (JSC::StaticPropertyAnalyzer::createThis):
3909         (JSC::StaticPropertyAnalyzer::newObject):
3910         (JSC::StaticPropertyAnalyzer::putById):
3911         (JSC::StaticPropertyAnalyzer::mov):
3912         (JSC::StaticPropertyAnalyzer::kill):
3913         * dfg/DFGByteCodeParser.cpp:
3914         (JSC::DFG::ByteCodeParser::addCall):
3915         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3916         (JSC::DFG::ByteCodeParser::getArrayMode):
3917         (JSC::DFG::ByteCodeParser::handleCall):
3918         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3919         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3920         (JSC::DFG::ByteCodeParser::inlineCall):
3921         (JSC::DFG::ByteCodeParser::handleCallVariant):
3922         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3923         (JSC::DFG::ByteCodeParser::handleInlining):
3924         (JSC::DFG::ByteCodeParser::handleMinMax):
3925         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3926         (JSC::DFG::ByteCodeParser::handleDOMJITCall):
3927         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3928         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3929         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3930         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
3931         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3932         (JSC::DFG::ByteCodeParser::handleGetById):
3933         (JSC::DFG::ByteCodeParser::handlePutById):
3934         (JSC::DFG::ByteCodeParser::parseGetById):
3935         (JSC::DFG::ByteCodeParser::parseBlock):
3936         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3937         (JSC::DFG::ByteCodeParser::handlePutByVal):
3938         (JSC::DFG::ByteCodeParser::handlePutAccessorById):
3939         (JSC::DFG::ByteCodeParser::handlePutAccessorByVal):
3940         (JSC::DFG::ByteCodeParser::handleNewFunc):
3941         (JSC::DFG::ByteCodeParser::handleNewFuncExp):
3942         (JSC::DFG::ByteCodeParser::parse):
3943         * dfg/DFGCapabilities.cpp:
3944         (JSC::DFG::capabilityLevel):
3945         * dfg/DFGCapabilities.h:
3946         (JSC::DFG::capabilityLevel):
3947         * dfg/DFGOSREntry.cpp:
3948         (JSC::DFG::prepareCatchOSREntry):
3949         * dfg/DFGSpeculativeJIT.cpp:
3950         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3951         (JSC::DFG::SpeculativeJIT::compileValueSub):
3952         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3953         (JSC::DFG::SpeculativeJIT::compileArithMul):
3954         * ftl/FTLLowerDFGToB3.cpp:
3955         (J