dd47251fe0877587c00abc599f72eb0dc478d6ee
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2020-06-27  Saam Barati  <sbarati@apple.com>
2
3         Change bytecode dumping to dump the bytecode control flow graph
4         https://bugs.webkit.org/show_bug.cgi?id=213669
5
6         Reviewed by Yusuke Suzuki.
7
8         This makes the bytecode control flow graphs much easier to understand, and
9         puts bytecode dumping more in line with how we dump other IRs.
10         
11         The new dumps look like this:
12         ```
13         foo#Ahf63N:[0x1035bc120->0x1035e5100, NoneFunctionCall, 36]: 13 instructions (0 16-bit instructions, 0 32-bit instructions, 1 instructions with metadata); 156 bytes (120 metadata bytes); 2 parameter(s); 8 callee register(s); 6 variable(s); scope at loc4
14         
15         bb#1
16         [   0] enter              
17         [   1] get_scope          loc4
18         [   3] mov                loc5, loc4
19         [   6] check_traps        
20         [   7] mov                loc6, <JSValue()>(const0)
21         [  10] mov                loc6, Undefined(const1)
22         [  13] mod                loc7, arg1, Int32: 2(const2)
23         [  17] jfalse             loc7, 8(->25)
24         Successors: [ #3 #2 ]
25         
26         bb#2
27         [  20] mov                loc6, Int32: 42(const3)
28         [  23] jmp                5(->28)
29         Successors: [ #4 ]
30         
31         bb#3
32         [  25] mov                loc6, Int32: 77(const4)
33         Successors: [ #4 ]
34         
35         bb#4
36         [  28] add                loc7, arg1, loc6, OperandTypes(126, 126)
37         [  34] ret                loc7
38         Successors: [ ]
39         ```
40
41         * bytecode/BytecodeDumper.cpp:
42         (JSC::dumpHeader):
43         (JSC::dumpFooter):
44         (JSC::CodeBlockBytecodeDumper<Block>::dumpBlock):
45         (JSC::CodeBlockBytecodeDumper<Block>::dumpGraph):
46         * bytecode/BytecodeDumper.h:
47         * bytecode/BytecodeGraph.h:
48         (JSC::BytecodeGraph::dump):
49         * bytecode/CodeBlock.cpp:
50         (JSC::CodeBlock::dumpBytecode):
51
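As an added example (not part of this ChangeLog or of WebKit's code), a small Python parser for the dump format shown in the entry above. It rebuilds the basic blocks, then cross-checks each block's declared `Successors` line against the `(->N)` jump targets and fall-through of its last instruction, and the header's instruction count against the instruction lines actually listed. The sample input is the dump quoted above; the sets of terminal and unconditional-jump opcodes are assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: the bytecode dump quoted in the ChangeLog entry above,
# with the ChangeLog indentation removed.
SAMPLE_DUMP = """\
foo#Ahf63N:[0x1035bc120->0x1035e5100, NoneFunctionCall, 36]: 13 instructions (0 16-bit instructions, 0 32-bit instructions, 1 instructions with metadata); 156 bytes (120 metadata bytes); 2 parameter(s); 8 callee register(s); 6 variable(s); scope at loc4

bb#1
[   0] enter
[   1] get_scope          loc4
[   3] mov                loc5, loc4
[   6] check_traps
[   7] mov                loc6, <JSValue()>(const0)
[  10] mov                loc6, Undefined(const1)
[  13] mod                loc7, arg1, Int32: 2(const2)
[  17] jfalse             loc7, 8(->25)
Successors: [ #3 #2 ]

bb#2
[  20] mov                loc6, Int32: 42(const3)
[  23] jmp                5(->28)
Successors: [ #4 ]

bb#3
[  25] mov                loc6, Int32: 77(const4)
Successors: [ #4 ]

bb#4
[  28] add                loc7, arg1, loc6, OperandTypes(126, 126)
[  34] ret                loc7
Successors: [ ]
"""

HEADER_RE = re.compile(r"\]:\s*(\d+) instructions\b")
BLOCK_RE = re.compile(r"^bb#(\d+)$")
INSN_RE = re.compile(r"^\[\s*(\d+)\]\s+(\w+)\s*(.*)$")
SUCC_RE = re.compile(r"^Successors:\s*\[(.*)\]$")
TARGET_RE = re.compile(r"\(->(\d+)\)")   # absolute target printed after a relative jump offset

# Assumption (not stated in the ChangeLog): opcodes after which control never falls through.
TERMINAL_OPCODES = {"ret", "end", "throw"}
UNCONDITIONAL_JUMPS = {"jmp"}


@dataclass
class Block:
    index: int
    instructions: list   # (bytecode offset, opcode, operand text)
    successors: list     # block indices as declared by the dump


def header_instruction_count(text):
    """Instruction count claimed by the dump header, or None if there is no header."""
    m = HEADER_RE.search(text)
    return int(m.group(1)) if m else None


def parse_dump(text):
    """Rebuild the basic blocks from the textual dump; the header line is skipped."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BLOCK_RE.match(line):
            current = Block(int(m.group(1)), [], [])
            blocks.append(current)
        elif (m := INSN_RE.match(line)) and current is not None:
            current.instructions.append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif (m := SUCC_RE.match(line)) and current is not None:
            current.successors = [int(s.lstrip("#")) for s in m.group(1).split()]
    return blocks


def check_cfg(blocks):
    """Return a list of inconsistencies between declared successors and actual control flow."""
    start_to_index = {b.instructions[0][0]: b.index for b in blocks if b.instructions}
    problems = []
    for pos, block in enumerate(blocks):
        if not block.instructions:
            problems.append(f"bb#{block.index}: empty block")
            continue
        _offset, opcode, operands = block.instructions[-1]
        targets = {int(t) for t in TARGET_RE.findall(operands)}
        # Blocks are dumped in offset order, so the next block's first offset is the fall-through.
        falls_through = opcode not in TERMINAL_OPCODES and opcode not in UNCONDITIONAL_JUMPS
        if falls_through and pos + 1 < len(blocks) and blocks[pos + 1].instructions:
            targets.add(blocks[pos + 1].instructions[0][0])
        for t in sorted(targets):
            if t not in start_to_index:
                problems.append(f"bb#{block.index}: target offset {t} is not the start of any block")
        expected = {start_to_index[t] for t in targets if t in start_to_index}
        if expected != set(block.successors):
            problems.append(f"bb#{block.index}: declared successors {sorted(block.successors)} "
                            f"but control flow implies {sorted(expected)}")
    return problems


def instruction_count(blocks):
    """Number of instruction lines across all blocks, to compare with the header."""
    return sum(len(b.instructions) for b in blocks)
```

Running `check_cfg(parse_dump(SAMPLE_DUMP))` on the quoted dump yields no problems; editing one `Successors` line in the sample makes the mismatch show up for that block.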
52 2020-06-27  Stephan Szabo  <stephan.szabo@sony.com>
53
54         [PlayStation] Update test runner for changes to Options and signing
55         https://bugs.webkit.org/show_bug.cgi?id=213650
56
57         Reviewed by Don Olmstead.
58
59         * shell/playstation/Initializer.cpp: Load ICU library
60         * shell/playstation/TestShell.cpp: Update between test options reset
61
62 2020-06-26  Geoffrey Garen  <ggaren@apple.com>
63
64         Initializing the main thread should initialize the main run loop
65         https://bugs.webkit.org/show_bug.cgi?id=213637
66
67         Reviewed by Anders Carlsson.
68
69         * JavaScriptCore.order: Removed some defunct stuff.
70         * shell/playstation/TestShell.cpp:
71         (setupTestRun): Merged initializeThreading call with
72         initializeMainThread call because initializeMainThread is a superset.
73
74 2020-06-25  Yusuke Suzuki  <ysuzuki@apple.com>
75
76         REGRESSION(r263035): stress/get-prototype-of.js broken on s390x
77         https://bugs.webkit.org/show_bug.cgi?id=213307
78
79         Reviewed by Ross Kirsling.
80
81         Structure::m_outOfLineTypeFlags is uint16_t. If we access this field as a 32-bit field, we get a different value on big-endian architectures.
82         Since we do not have half-size-load branch instructions, we should load this uint16_t value via `loadh` (which zero-extends the loaded value)
83         and perform the branch on that value.
84
85         * jit/AssemblyHelpers.cpp:
86         (JSC::AssemblyHelpers::emitLoadPrototype):
87         * llint/LowLevelInterpreter64.asm:
88
89 2020-06-25  Mark Lam  <mark.lam@apple.com>
90
91         JSCell constructor needs to ensure that the passed in structure is still alive.
92         https://bugs.webkit.org/show_bug.cgi?id=213593
93         <rdar://problem/64597573>
94
95         Reviewed by Yusuke Suzuki.
96
97         Note that in the initializer list of the `JSCell(VM&, Structure*)` constructor,
98         we are only using values inside the passed in structure but not necessarily the
99         structure pointer itself.  All these values are contained inside Structure::m_blob.
100         Note also that this constructor is an inline function.  Hence, the compiler may
101         choose to pre-compute the address of structure->m_blob and discard the structure
102         pointer itself.
103
104         Here's an example:
105
106             0x10317a21e <+1054>: movq   0x18(%rsp), %rdx  // rdx:vm = &vm
107             0x10317a223 <+1059>: addq   $0x8, %r13        // r13 = &structure.m_blob  <== pre-compute address of m_blob !!!
108                                                           // r13 previously contained the structure pointer.
109                                                           // Now, there's no more references to the structure base address.
110
111             0x10317a227 <+1063>: leaq   0x48(%rdx), %rdi  // arg0:heap = &vm.heap
112             0x10317a22b <+1067>: movl   $0x10, %edx       // arg2:size = 16.
113             0x10317a230 <+1072>: movq   %rdi, 0x28(%rsp)
114             0x10317a235 <+1077>: xorl   %esi, %esi        // arg1:deferralContext = 0
115             0x10317a237 <+1079>: callq  0x10317ae60       // call JSC::allocateCell<JSC::JSArray>  <== Can GC here !!!
116
117             0x10317a23c <+1084>: movq   %rax, %rbx        // rbx:cell = rax:allocation result.
118             ...
119             0x10317a253 <+1107>: movl   (%r13), %eax      // eax = m_blob.structureID  <== Use pre-computed m_blob address here.
120
121         There's a chance that the GC may run while allocating this cell.  In the event
122         that the structure is newly instantiated just before calling this constructor, 
123         there may not be any other references to it.  As a result, the structure may get
124         collected before the cell is even constructed.  To avoid this possibility, we need
125         to ensure that the structure pointer is still alive by the time this constructor
126         is called.
127
128         I am not committing any tests for this issue because the test cases rely on:
129
130         1. Manually forcing an O3 ASan Release build.
131
132         2. Not running jsc with --useDollarVM=1.  Note: the JSC test harness automatically
133            adds --useDollarVM=1 for all test runs.
134
135         3. Memory being allocated in a specific order.  The recent Bitmap FreeList change
136            enabled this issue to manifest.  The old linked list FreeList implementation
137            would have hidden the issue.
138
139         4. Adding some logging code can also make the issue stop manifesting.
140
141         In short, the test cases will not detect any regression even if we commit them
142         because the existing automatic regression test runs will not have the necessary
143         conditions for reproducing the issue.  The tests are also somewhat fragile where
144         any changes in memory layout may stop the issue from manifesting in an observable
145         way.
146
147         * runtime/JSCellInlines.h:
148         (JSC::JSCell::JSCell):
149
150 2020-06-24  Ross Kirsling  <ross.kirsling@sony.com>
151
152         [Intl] Disprefer using ICU enums directly as instance variables
153         https://bugs.webkit.org/show_bug.cgi?id=213587
154
155         Reviewed by Yusuke Suzuki.
156
157         * runtime/IntlPluralRules.cpp:
158         (JSC::IntlPluralRules::initializePluralRules):
159         (JSC::IntlPluralRules::resolvedOptions const):
160         * runtime/IntlPluralRules.h:
161         * runtime/IntlRelativeTimeFormat.cpp:
162         (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
163         (JSC::IntlRelativeTimeFormat::styleString): Renamed from JSC::styleString.
164         (JSC::IntlRelativeTimeFormat::resolvedOptions const):
165         (JSC::numericString): Deleted.
166         * runtime/IntlRelativeTimeFormat.h:
167
168 2020-06-24  Caitlin Potter  <caitp@igalia.com>
169
170         [JSC] handle Put/DefinePrivateField in resetPutByID
171         https://bugs.webkit.org/show_bug.cgi?id=213583
172
173         Reviewed by Yusuke Suzuki.
174
175         r262613 extends and uses PutByValDirect to support updating and defining private fields, in order to reuse
176         the IC machinery. The necessary resetPutByID change was erroneously omitted, and is presented here.
177
178         * jit/Repatch.cpp:
179         (JSC::resetPutByID):
180
181 2020-06-24  Yusuke Suzuki  <ysuzuki@apple.com>
182
183         [JSC] llintTrue / jitTrue can encounter native functions
184         https://bugs.webkit.org/show_bug.cgi?id=213442
185         <rdar://problem/64257914>
186
187         Reviewed by Mark Lam.
188
189         If the CallFrame is for a native function, the associated CodeBlock is nullptr.
190         This patch fixes this case to handle it gracefully.
191
192         * tools/JSDollarVM.cpp:
193         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
194         (JSC::CallerFrameJITTypeFunctor::operator() const):
195         (JSC::functionBaselineJITTrue):
196         (JSC::JSDollarVM::finishCreation):
197         (JSC::functionJITTrue): Deleted.
198
199 2020-06-24  Umar Iqbal  <uiqbal@apple.com>
200
201         We should resurrect the older patch that collects some statistics of web API calls
202         https://bugs.webkit.org/show_bug.cgi?id=213319
203
204         Reviewed by Brent Fulgham.
205
206         + Enabled ENABLE_WEB_API_STATISTICS flag
207
208         * Configurations/FeatureDefines.xcconfig:
209
210 2020-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
211
212         Add DFG/FTL fast path for GetPrototypeOf based on OverridesGetPrototype flag
213         https://bugs.webkit.org/show_bug.cgi?id=213191
214
215         Reviewed by Yusuke Suzuki.
216
217         This patch:
218
219         1. Introduces `loadInlineOffset` LLInt macro (64-bit only) and utilizes it in
220            `get_prototype_of` since we assert that `knownPolyProtoOffset` is an inline offset.
221
222         2. Brings baseline JIT fast path to 32-bit builds, progressing `super-getter.js`
223            microbenchmark by a factor of 10 (w/o DFG).
224
225         3. Adds GetPrototypeOf DFG/FTL fast paths that leverage OverridesGetPrototype type
226            info flag, advancing provided rare objects microbenchmark by ~46% (~37% w/o FTL).
227            Also, cleans up existing DFG fast path by using AssemblyHelpers::loadValue().
228
229         4. Extracts AssemblyHelpers::emitLoadPrototype() and uses it in baseline JIT, DFG, and
230            InstanceOfGeneric access case. With this change, `instanceof` access case handles all
231            [[GetPrototypeOf]] overrides (before: only Proxy objects), which is more correct, yet
232            not observable enough to provide a test case. `instanceof` microbenchmarks are neutral.
233
234         * bytecode/AccessCase.cpp:
235         (JSC::AccessCase::generateWithGuard):
236         * dfg/DFGSpeculativeJIT.cpp:
237         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
238         * ftl/FTLAbstractHeapRepository.h:
239         * ftl/FTLLowerDFGToB3.cpp:
240         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
241         * jit/AssemblyHelpers.cpp:
242         (JSC::AssemblyHelpers::emitLoadPrototype):
243         * jit/AssemblyHelpers.h:
244         * jit/JIT.cpp:
245         (JSC::JIT::privateCompileMainPass):
246         (JSC::JIT::privateCompileSlowCases):
247         * jit/JITOpcodes.cpp:
248         (JSC::JIT::emit_op_get_prototype_of):
249         * llint/LowLevelInterpreter64.asm:
250
251 2020-06-24  Yusuke Suzuki  <ysuzuki@apple.com>
252
253         [JSC] Clobberize misses `write(Heap)` report in some nodes
254         https://bugs.webkit.org/show_bug.cgi?id=213525
255         <rdar://problem/64642067>
256
257         Reviewed by Mark Lam.
258
259         In some DFG nodes, clobberize phase misses `clobberTopFunctor` call while it is `write(Heap)`,
260         which confuses clobberizing validation.
261
262         * dfg/DFGClobberize.h:
263         (JSC::DFG::clobberize):
264
265 2020-06-23  Mark Lam  <mark.lam@apple.com>
266
267         Handle string overflow in DFG graph dump while validating AI.
268         https://bugs.webkit.org/show_bug.cgi?id=213524
269         <rdar://problem/64635620>
270
271         Not reviewed.
272
273         Applying refinement suggested by Darin in https://bugs.webkit.org/show_bug.cgi?id=213524#c3.
274
275         * ftl/FTLLowerDFGToB3.cpp:
276         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
277
278 2020-06-23  Mark Lam  <mark.lam@apple.com>
279
280         Handle string overflow in DFG graph dump while validating AI.
281         https://bugs.webkit.org/show_bug.cgi?id=213524
282         <rdar://problem/64635620>
283
284         Reviewed by Saam Barati.
285
286         * ftl/FTLLowerDFGToB3.cpp:
287         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
288
289 2020-06-23  Devin Rousso  <drousso@apple.com>
290
291         Keyframe animation doesn't show up in the Animations timeline
292         https://bugs.webkit.org/show_bug.cgi?id=213441
293
294         Reviewed by Brian Burg.
295
296         * inspector/protocol/Animation.json:
297         An `iterationCount` of `Infinity` is not JSON serializable, so represent it as `-1` instead.
298
299 2020-06-22  Saam Barati  <sbarati@apple.com>
300
301         Attempt to fix watchOS simulator build.
302
303         * assembler/FastJITPermissions.h:
304         (threadSelfRestrictRWXToRW):
305         (threadSelfRestrictRWXToRX):
306
307 2020-06-22  Saam Barati  <sbarati@apple.com>
308
309         Allow building JavaScriptCore Mac+arm64 in public SDK build
310         https://bugs.webkit.org/show_bug.cgi?id=213472
311
312         Reviewed by Sam Weinig.
313
314         We used to only build code for fast permission switching when using the
315         Apple internal SDK. However, with arm64 on macOS, this is no longer a viable
316         implementation strategy.
317         
318         This patch makes it so we can build JSC on macOS+arm64 using the public Xcode
319         SDK.
320         
321         - ENABLE_FAST_JIT_PERMISSIONS is removed. We now use runtime checks instead.
322         - In the new suite of OS betas, pthreads has added API for fast permissions
323           switching. We now use this API instead of using the non-public SDK found in
324           the kernel headers.
325         - We fall back to the separated W/X heaps when fast permissions checking is
326           not supported. This all happens at runtime.
327
328         * CMakeLists.txt:
329         * JavaScriptCore.xcodeproj/project.pbxproj:
330         * assembler/ARM64Assembler.h:
331         (JSC::ARM64Assembler::fillNops):
332         * assembler/ARMv7Assembler.h:
333         (JSC::ARMv7Assembler::fillNops):
334         * assembler/FastJITPermissions.h: Added.
335         (useFastJITPermissions):
336         (threadSelfRestrictRWXToRW):
337         (threadSelfRestrictRWXToRX):
338         (fastJITPermissionsIsSupported):
339         * assembler/LinkBuffer.cpp:
340         (JSC::memcpyWrapper):
341         (JSC::LinkBuffer::copyCompactAndLinkCode):
342         * assembler/MIPSAssembler.h:
343         (JSC::MIPSAssembler::fillNops):
344         * assembler/MacroAssemblerARM64.h:
345         (JSC::MacroAssemblerARM64::link):
346         * assembler/MacroAssemblerARMv7.h:
347         (JSC::MacroAssemblerARMv7::link):
348         * jit/ExecutableAllocator.cpp:
349         (JSC::initializeJITPageReservation):
350         * jit/ExecutableAllocator.h:
351         (JSC::performJITMemcpy):
352         (JSC::useFastJITPermissions): Deleted.
353         * runtime/JSCConfig.h:
354         * runtime/Options.cpp:
355         (JSC::Options::recomputeDependentOptions):
356         * runtime/OptionsList.h:
357
358 2020-06-22  Tim Horton  <timothy_horton@apple.com>
359
360         Disable the JS JIT when running in a translated process
361         https://bugs.webkit.org/show_bug.cgi?id=213478
362
363         Reviewed by Saam Barati.
364
365         * runtime/Options.cpp:
366         (JSC::Options::recomputeDependentOptions):
367         Based on our performance experiments, disable the JavaScript JIT
368         (but not the regular expression, DOM, or Wasm JIT) when running
369         in a translated process.
370
371 2020-06-22  Tim Horton  <timothy_horton@apple.com>
372
373         Update macOS version macros
374         https://bugs.webkit.org/show_bug.cgi?id=213484
375
376         Reviewed by Alexey Proskuryakov.
377
378         * Configurations/Base.xcconfig:
379         * Configurations/DebugRelease.xcconfig:
380         * Configurations/Version.xcconfig:
381         * Configurations/WebKitTargetConditionals.xcconfig:
382
383 2020-06-19  Yusuke Suzuki  <ysuzuki@apple.com>
384
385         [JSC] Check Gigacage usage before launching VM
386         https://bugs.webkit.org/show_bug.cgi?id=213410
387
388         Reviewed by Mark Lam.
389
390         Since the VM allocates JSBigInt from the Gigacage, it is possible that VM creation fails when the Gigacage is exhausted.
391         As a work-around for internal testing, we insert an ad-hoc Gigacage usage check before launching a new agent.
392         If 80% of the Gigacage is used, we gracefully fail to launch a new VM.
393
394         * assembler/testmasm.cpp:
395         (JSC::testCagePreservesPACFailureBit):
396         * jsc.cpp:
397         (functionDollarAgentStart):
398
399 2020-06-19  James Darpinian  <jdarpinian@chromium.org>
400
401         Typed array constructor behaves differently when length is not passed or when undefined is passed
402         https://bugs.webkit.org/show_bug.cgi?id=184232
403
404         Reviewed by Yusuke Suzuki.
405
406         Passing undefined for length should have the same effect as omitting the argument. It was being
407         treated as 0 instead.
408
409         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
410         (JSC::constructGenericTypedArrayView):
411
412 2020-06-19  Yusuke Suzuki  <ysuzuki@apple.com>
413
414         [JSC] Attempt to reduce timeout failures on Apple Watch Series 3
415         https://bugs.webkit.org/show_bug.cgi?id=213419
416
417         Reviewed by Mark Lam.
418
419         * tools/JSDollarVM.cpp:
420         (JSC::functionUseJIT):
421         (JSC::JSDollarVM::finishCreation):
422
423 2020-06-19  Mark Lam  <mark.lam@apple.com>
424
425         toString of String doesn't check integrity of structureID in one path.
426         https://bugs.webkit.org/show_bug.cgi?id=213338
427
428         Reviewed by Saam Barati.
429
430         * runtime/StringPrototype.cpp:
431         (JSC::stringProtoFuncToString):
432
433 2020-06-19  Saam Barati  <sbarati@apple.com>
434
435         Have a memory monitor thread in jsc shell when running tests using --memory-limited
436         https://bugs.webkit.org/show_bug.cgi?id=213389
437
438         Reviewed by Mark Lam.
439
440         When testing on iOS, there are times when high memory usage from a JSC test
441         will jetsam our entire test runner. This makes it so we don't get any test
442         results from that test run, which can make it difficult to track testing
443         results.
444         
445         This patch introduces an optional memory monitoring thread to the JSC
446         shell. It's a best effort approach. If memory usage exceeds the passed
447         in threshold, we crash the process, similar to how the timeout mechanism
448         works. On Cocoa platforms, we also perform this check in the low memory 
449         warning handler.
450         
451         Currently, we use this feature when running JSC stress tests in
452         "--memory-limited" mode.
453
454         * jsc.cpp:
455         (crashIfExceedingMemoryLimit):
456         (startMemoryMonitoringThreadIfNeeded):
457         (jscmain):
458
459 2020-06-19  Mark Lam  <mark.lam@apple.com>
460
461         Make $vm properties non-configurable, non-enumerable, and non-writable.
462         https://bugs.webkit.org/show_bug.cgi?id=213395
463
464         Reviewed by Saam Barati and Yusuke Suzuki.
465
466         $vm provides functions for test development and VM debugging.  There's no reason
467         for them to be configurable, enumerable, and writable.
468
469         We particularly don't want them to be enumerable as this can trip up some fuzzers.
470         Fuzzers should not be fuzzing the $vm object which doesn't exist in real world
471         uses of JavaScriptCore.
472
473         * tools/JSDollarVM.cpp:
474         (JSC::JSDollarVM::finishCreation):
475         (JSC::JSDollarVM::addFunction):
476         (JSC::JSDollarVM::addConstructibleFunction):
477
478 2020-06-19  Tuomas Karkkainen  <tuomas.webkit@apple.com>
479
480         functionCpuClflush checks that the second argument is Int32 but it actually expects it to be UInt32
481         https://bugs.webkit.org/show_bug.cgi?id=213388
482
483         Reviewed by Saam Barati.
484
485         This changes the check from isInt32() to isUInt32() so that the logic is consistent.
486
487         * tools/JSDollarVM.cpp:
488
489 2020-06-18  Mark Lam  <mark.lam@apple.com>
490
491         Unify Bitmap math loops in MarkedBlock::Handle::specializedSweep().
492         https://bugs.webkit.org/show_bug.cgi?id=213345
493
494         Reviewed by Robin Morisset and Saam Barati.
495
496         This change appears to be performance neutral.  However, we'll take the change
497         because we know that it does less work, and the new way of expressing the Bitmap
498         math in MarkedBlock::Handle::specializedSweep() does appear to be easier to
499         understand than the old code.
500
501         Also addressed feedback from Robin and Saam in https://bugs.webkit.org/show_bug.cgi?id=213071.
502
503         Changes made:
504
505         1. Use the new Bitmap::words() API to get direct access to the underlying bits
506            storage.  With this, we can do the merging of the marked and newlyAllocated
507            bits with a single pass looping thru the bitmap words.
508
509         2. In MarkedBlock::Handle::specializedSweep()'s Bitmap free list code, moved the
510            implementation of handleDeadCells lambda down to the call to freeAtoms.forEachSetBit()
511            because this is the only place it is used.
512
513         3. Fixed MarkedBlock::Handle::specializedSweep()'s Bitmap free list code to
514            handle the dead cells unconditionally.  This condition check was wrongly
515            adapted from the linked list implementation where handleDeadCell() was called
516            in 2 places depending on the destruction mode.  With the Bitmap free list,
517            there is only one place to handle the dead cells, and it should be executed
518            unconditionally.
519
520            This fixes a bug where the FreeList::originalSize() never gets computed if the
521            cells in the block do not need destruction.
522
523         4. Renamed FreeList::bitmapRows() to FreeList::bitmapRowsMinusOne().
524            Renamed FreeList::offsetOfBitmapRows() to FreeList::offsetOfBitmapRowsMinusOne().
525
526         5. Also fixed some typos in comments.
527
528         * heap/FreeList.h:
529         (JSC::FreeList::bitmapIsEmpty const):
530         (JSC::FreeList::offsetOfBitmapRowsMinusOne):
531         (JSC::FreeList::bitmapRowsMinusOne const):
532         (JSC::FreeList::offsetOfBitmapRows): Deleted.
533         (JSC::FreeList::bitmapRows const): Deleted.
534         * heap/FreeListInlines.h:
535         (JSC::FreeList::allocate):
536         (JSC::FreeList::forEach const):
537         * heap/MarkedBlockInlines.h:
538         (JSC::MarkedBlock::Handle::specializedSweep):
539         * jit/AssemblyHelpers.cpp:
540         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
541
542 2020-06-18  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         [JSC] Remove dead non-ICU locale Date code since we are always using ICU version
545         https://bugs.webkit.org/show_bug.cgi?id=213362
546
547         Reviewed by Ross Kirsling.
548
549         There is an old non-ICU version of the Date locale code. But this is now dead code since we are always using the ICU version,
550         which is invoked from the builtin JS DatePrototype.js. We should remove this dead code.
551
552         * runtime/DatePrototype.cpp:
553         (JSC::DatePrototype::finishCreation):
554         (): Deleted.
555         (JSC::styleFromArgString): Deleted.
556         (JSC::formatLocaleDate): Deleted.
557         (JSC::dateProtoFuncToLocaleString): Deleted.
558         (JSC::dateProtoFuncToLocaleDateString): Deleted.
559         (JSC::dateProtoFuncToLocaleTimeString): Deleted.
560
561 2020-06-18  Ross Kirsling  <ross.kirsling@sony.com>
562
563         Unreviewed, address Darin's feedback on r263227.
564
565         * runtime/IntlRelativeTimeFormat.cpp:
566         (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const):
567         (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
568         (JSC::IntlRelativeTimeFormat::formatToParts const):
569         * runtime/IntlRelativeTimeFormat.h:
570         Keep ownership over our UNumberFormat instance after all,
571         to avoid relying on behavior ICU isn't explicitly guaranteeing.
572
573 2020-06-18  Ross Kirsling  <ross.kirsling@sony.com>
574
575         [Intl] Enable RelativeTimeFormat and Locale by default
576         https://bugs.webkit.org/show_bug.cgi?id=213324
577
578         Reviewed by Yusuke Suzuki.
579
580         * runtime/IntlObject.cpp:
581         (JSC::createDateTimeFormatConstructor):
582         (JSC::createLocaleConstructor):
583         (JSC::createNumberFormatConstructor):
584         (JSC::createRelativeTimeFormatConstructor):
585         (JSC::IntlObject::finishCreation):
586         Unconditionalize creation of RelativeTimeFormat and Locale constructors.
587
588         * runtime/IntlRelativeTimeFormat.cpp:
589         (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
590         (JSC::IntlRelativeTimeFormat::formatToParts const):
591         (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): Deleted.
592         * runtime/IntlRelativeTimeFormat.h:
593         Fix an actual bug -- URelativeDateTimeFormatter *adopts* the UNumberFormat it's instantiated with,
594         so we can't keep a unique_ptr to it.
595
596         * runtime/OptionsList.h:
597         Remove feature flags.
598
599 2020-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
600
601         Promise built-in functions should be anonymous non-constructors
602         https://bugs.webkit.org/show_bug.cgi?id=213317
603
604         Reviewed by Darin Adler.
605
606         This patch makes userland-exposed Promise built-in functions
607         non-constructors and sets their "name" properties to empty strings
608         as per spec [1], aligning JSC with V8 and SpiderMonkey.
609
610         @createResolvingFunctionsWithoutPromise change is covered by test262's
611         async-generator/yield-thenable-create-resolving-functions-*.js cases.
612
613         Promise microbenchmarks are neutral. Promise constructors bytecode is
614         unchanged, while @createResolvingFunctions* bytecode is reduced by 2
615         instructions.
616
617         [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
618
619         * builtins/PromiseConstructor.js:
620         (nakedConstructor.Promise):
621         (nakedConstructor.InternalPromise):
622         * builtins/PromiseOperations.js:
623         (globalPrivate.newPromiseCapabilitySlow):
624         (globalPrivate.createResolvingFunctions):
625         (globalPrivate.createResolvingFunctionsWithoutPromise):
626         (globalPrivate.createResolvingFunctions.resolve): Deleted.
627         (globalPrivate.createResolvingFunctions.reject): Deleted.
628         (resolve): Deleted.
629         (reject): Deleted.
630         * builtins/PromisePrototype.js:
631         (globalPrivate.getThenFinally):
632         (globalPrivate.getCatchFinally):
633         (valueThunk): Deleted.
634         (thrower): Deleted.
635
636 2020-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
637
638         TypedArray.prototype.set is incorrect with primitives
639         https://bugs.webkit.org/show_bug.cgi?id=212730
640
641         Reviewed by Yusuke Suzuki.
642
643         This change implements step 14 of %TypedArray%.prototype.set [1],
644         which coerces primitives to objects instead of throwing an error,
645         aligning JSC with V8 and SpiderMonkey.
646
647         [1]: https://tc39.es/ecma262/#sec-%typedarray%.prototype.set-array-offset
648
649         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
650         (JSC::genericTypedArrayViewProtoFuncSet):
651
652 2020-06-17  Mark Lam  <mark.lam@apple.com>
653
654         Replace JSC::FreeList linked list with a Bitmap.
655         https://bugs.webkit.org/show_bug.cgi?id=213071
656
657         Reviewed by Filip Pizlo.
658
659         Implement an alternative to the linked list FreeList.  This alternative uses
660         a Bitmap to record which atom in the block is available for allocation.
661
662         The intuition here is that allocation using the Bitmap implementation will do:
663             2 loads - m_currentRowBitmap, m_currentMarkedBlockRowAddress
664             1 store - m_currentRowBitmap
665
666         whereas the linked list implementation will do:
667             3 loads - m_scrambledHead, m_secret, result->scrambledNext
668             1 store - m_scrambledHead
669
670         and result->scrambledNext is from a different region of code and therefore not
671         in the same cache line.
672
673         The downside of the Bitmap implementation is that it uses more instructions.
674
675         This change is currently only enabled for x86_64, which shows about a 0.8%
676         progression on Speedometer 2.
677
678         It appears to be about a 1% regression on ARM64E.  Hence, for now, we keep the
679         linked list implementation for ARM64 builds.
680
681         This is how the Bitmap FreeList works:
682
683         1. The Bitmap implementation only replaces the linked list implementation.  It
684            does not replace the bump allocator.
685
686         2. The Bitmap allocator keeps a m_bitmap that is initialized in
687            MarkedBlock::Handle::specializedSweep() to have a bit set for each atom
688            location that is available for allocation (i.e. is free).  Note that a cell
689            is usually allocated using more than 1 atom.  Only the bit corresponding to
690            the first atom (in that cell length range of free atoms) will be set.
691
692            This is consistent with how bits in MarkedBlock::Footer::m_marks and
693            MarkedBlock::Footer::m_newlyAllocated are set i.e. only the bit for the first
694            atom in the cell can be set.
695
696         3. The allocation algorithm thinks of the MarkedBlock as consisting of rows
697            of atoms, where the number of atoms in a row equals the number of bits in
698            an AtomsBitmap::Word.  On 64-bit CPUs, this would be 64.
699
700            We will start allocating from the last (highest numbered) row down to the
701            first (row 0).  As we allocate, we will only update m_currentRowIndex and
702            m_currentRowBitmap.  m_bitmap will not be updated.  This is done in order to
703            reduce the number of instructions executed during an allocation.
704
705            When m_currentRowIndex points to N, the AtomsBitmap::Word for row N in
706            m_bitmap will have been copied into m_currentRowBitmap.  This is the row
707            that we will be allocating from until the row is exhausted.
708
709            This is how we know whether an atom is available for allocation or not:
710              i. Atoms in any rows above m_currentRowIndex are guaranteed to be
711                 allocated already (because we allocate downwards), and hence, are not
712                 available.
713             ii. For row m_currentRowIndex, m_currentRowBitmap is the source of truth
714                 on which atoms in the row are available for allocation.
715            iii. For rows below m_currentRowIndex, m_bitmap is the source of truth on
716                 which atoms are available for allocation.
717
718            When m_currentRowIndex reaches 0, the info in m_bitmap is completely
719            obsoleted, and m_currentRowBitmap holds the availability info for row 0.
720            When both m_currentRowIndex and m_currentRowBitmap are 0, then we have
721            completely exhausted the block and no more atoms are available for
722            allocation.
723
724         4. Allocation happens in 3 paths: fast, middle, slow.
725
726            The fast path checks m_currentRowBitmap.  If it's not 0, then we compute the
727            bit number of the lowest set bit in it.  That bit number will be used together
728            with m_currentMarkedBlockRowAddress to compute the address of the atom
729            location available for allocation.  m_currentRowBitmap will be updated to clear
730            the bit for the atom that has just been allocated.
731
732            If m_currentRowBitmap is 0, then we'll go to the middle path.
733
734            The middle path checks m_currentRowIndex to see if we have more rows to allocate
735            from.  For each m_currentRowIndex, we check its corresponding AtomsBitmap::Word
736            in m_bitmap.  If the word is non-zero, we copy it to m_currentRowBitmap and
737            jump to the fast path to do the allocation.  The middle path will update
738            m_currentRowIndex to point to the current row we're allocating from.
739
740            If we have decremented m_currentRowIndex down to 0 but still can't find a
741            non-zero AtomsBitmap::Word in m_bitmap, then the block has been exhausted, and
742            we'll go to the slow path.
743
744            The slow path is analogous to the old slow path i.e. we try to refill the
745            LocalAllocator with a new MarkedBlock.
746
747         5. On the layout of fields in FreeList (see changes in FreeList.h), we try to
748            preserve the positions of the bump allocator fields.  The only change we made
749            there is in the location of m_cellSize.  It is now moved up next to m_remaining,
750            and m_originalSize is moved down.  This is because m_originalSize is only
751            accessed in the slow path, and m_cellSize is accessed in the bump allocation
752            path.
753
754            Next, we try to put Bitmap allocation fields where the linked list fields
755            would have been.  The one bit of trickiness is that we'll put
756            m_currentMarkedBlockRowAddress in a union with m_payloadEnd.  This is because
757            m_payloadEnd is only used in the bump allocation path.  If m_remaining is 0,
758            then we can reuse this location for m_currentMarkedBlockRowAddress.
759
760            With this, we would have 4 bytes of padding after m_currentRowIndex.  For
761            compactness, we put m_originalSize there in that space.  For builds that use
762            the linked list implementation, m_originalSize will be located below after
763            m_cellSize.
764
765         * ftl/FTLLowerDFGToB3.cpp:
766         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
767         * heap/FreeList.cpp:
768         (JSC::FreeList::clear):
769         (JSC::FreeList::initializeAtomsBitmap):
770         (JSC::FreeList::initializeBump):
771         (JSC::FreeList::contains const):
772         (JSC::FreeList::dump const):
773         * heap/FreeList.h:
774         (JSC::FreeList::bitmapIsEmpty const):
775         (JSC::FreeList::allocationWillFail const):
776         (JSC::FreeList::offsetOfCurrentRowBitmap):
777         (JSC::FreeList::offsetOfBitmapRows):
778         (JSC::FreeList::offsetOfCurrentRowIndex):
779         (JSC::FreeList::offsetOfCurrentMarkedBlockRowAddress):
780         (JSC::FreeList::offsetOfRemaining):
781         (JSC::FreeList::atomsBitmap):
782         (JSC::FreeList::bitmapRows const):
783         (JSC::FreeList::offsetOfOriginalSize): Deleted.
784         * heap/FreeListInlines.h:
785         (JSC::FreeList::allocate):
786         (JSC::FreeList::forEach const):
787         * heap/LocalAllocator.cpp:
788         (JSC::LocalAllocator::isFreeListedCell const):
789         * heap/MarkedBlock.h:
790         (JSC::MarkedBlock::Handle::atomAt const):
791         * heap/MarkedBlockInlines.h:
792         (JSC::MarkedBlock::Handle::specializedSweep):
793         * jit/AssemblyHelpers.cpp:
794         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
795         * jit/AssemblyHelpers.h:
796         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
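
        The following is an added worked example written for this page, not
        JavaScriptCore's FreeList: it models the row-based Bitmap free list described
        in this entry (one bit per free cell's first atom, allocation from the highest
        row downwards, the fast/middle/slow paths over m_currentRowBitmap and
        m_currentRowIndex, and the three-way rule for deciding whether an atom is
        still free).  The field names follow the entry; the 16-byte atom size, the
        4 x 64 atom block, the 32-byte cell size of the scenario and the slow path
        returning nullptr instead of refilling from a new MarkedBlock are assumptions
        of the example.

```cpp
// Added example, not JavaScriptCore code: names follow the ChangeLog entry above; atom size,
// block geometry, the scenario's cell size and the nullptr slow path are assumptions.
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>
namespace BitmapFreeListExample {
constexpr size_t kAtomSize = 16;                        // assumed bytes per atom
constexpr size_t kAtomsPerRow = 64;                     // bits in one 64-bit bitmap word
constexpr size_t kRows = 4;                             // assumed: 256 atoms per block
constexpr size_t kAtomsPerBlock = kAtomsPerRow * kRows;
struct MarkedBlock { alignas(kAtomSize) unsigned char payload[kAtomsPerBlock * kAtomSize]; };

class FreeList {
public:
    // Stand-in for the sweep: set a bit only for the FIRST atom of each free cell (the m_marks convention).
    void initializeAtomsBitmap(MarkedBlock& block, size_t cellSize, const std::vector<bool>& atomIsMarked)
    {
        m_block = &block;
        m_bitmap.fill(0);
        const size_t atomsPerCell = cellSize / kAtomSize;
        for (size_t atom = 0; atom + atomsPerCell <= kAtomsPerBlock; atom += atomsPerCell)
            if (!atomIsMarked[atom]) m_bitmap[atom / kAtomsPerRow] |= uint64_t(1) << (atom % kAtomsPerRow);
        // Allocate from the highest row downwards; from here on only the cached row word
        // and the row index change, m_bitmap itself is never written again.
        m_currentRowIndex = kRows - 1;
        m_currentRowBitmap = m_bitmap[m_currentRowIndex];
        m_currentMarkedBlockRowAddress = rowAddress(m_currentRowIndex);
    }

    // Next free cell, or nullptr once the block is exhausted (the real slow path refills instead).
    void* allocate()
    {
        // Fast path: the cached row still has a free cell; take its lowest set bit.
        if (m_currentRowBitmap) {
            unsigned bit = __builtin_ctzll(m_currentRowBitmap);   // GCC/Clang builtin
            m_currentRowBitmap &= m_currentRowBitmap - 1;          // clear just that bit
            return m_currentMarkedBlockRowAddress + bit * kAtomSize;
        }
        // Middle path: walk down to the next row with a non-zero word and cache it.
        while (m_currentRowIndex) {
            --m_currentRowIndex;
            if (uint64_t word = m_bitmap[m_currentRowIndex]) {
                m_currentRowBitmap = word;
                m_currentMarkedBlockRowAddress = rowAddress(m_currentRowIndex);
                return allocate();   // re-enters the fast path exactly once
            }
        }
        return nullptr;   // slow path: m_currentRowIndex == 0 and m_currentRowBitmap == 0
    }

    // Three-way rule from the entry: rows above the current one are already allocated, the
    // current row is answered by m_currentRowBitmap, lower rows by m_bitmap.
    bool contains(const void* cell) const
    {
        uintptr_t begin = reinterpret_cast<uintptr_t>(m_block->payload);
        uintptr_t p = reinterpret_cast<uintptr_t>(cell);
        if (p < begin || p >= begin + sizeof(m_block->payload)) return false;
        size_t atom = (p - begin) / kAtomSize;
        size_t row = atom / kAtomsPerRow;
        uint64_t mask = uint64_t(1) << (atom % kAtomsPerRow);
        if (row > m_currentRowIndex) return false;
        return (row == m_currentRowIndex ? m_currentRowBitmap : m_bitmap[row]) & mask;
    }
    bool isExhausted() const { return !m_currentRowIndex && !m_currentRowBitmap; }

private:
    unsigned char* rowAddress(size_t row) const { return m_block->payload + row * kAtomsPerRow * kAtomSize; }
    MarkedBlock* m_block = nullptr;
    std::array<uint64_t, kRows> m_bitmap {};
    uint64_t m_currentRowBitmap = 0;
    size_t m_currentRowIndex = 0;
    unsigned char* m_currentMarkedBlockRowAddress = nullptr;
};

// Worked scenario on constructed input: 32-byte cells (two atoms each), every third cell
// left marked live by the "sweep". Results are returned so they can be checked.
struct ScenarioResult {
    size_t allocatedCells, firstAtom, secondAtom, lastAtom;
    bool liveCellNeverFree, allocatedCellNotFree, freeCellBelowStillFree, exhaustedAtEnd;
};
ScenarioResult runScenario()
{
    static MarkedBlock block;   // static: keeps the 4 KiB payload off the stack
    std::vector<bool> marked(kAtomsPerBlock, false);
    for (size_t cell = 0; cell < kAtomsPerBlock / 2; ++cell)
        marked[cell * 2] = (cell % 3 == 0);
    FreeList freeList;
    freeList.initializeAtomsBitmap(block, 32, marked);
    auto atomIndex = [&](const void* p) { return size_t(static_cast<const unsigned char*>(p) - block.payload) / kAtomSize; };
    ScenarioResult r { 2 };   // the two explicit allocations below are counted up front
    r.liveCellNeverFree = !freeList.contains(block.payload + 192 * kAtomSize);    // cell 96 is marked
    void* first = freeList.allocate();                                            // highest row, lowest bit
    r.firstAtom = atomIndex(first);
    r.allocatedCellNotFree = !freeList.contains(first);
    r.freeCellBelowStillFree = freeList.contains(block.payload + 2 * kAtomSize);  // cell 1, row 0, untouched
    void* last = freeList.allocate();
    r.secondAtom = atomIndex(last);
    while (void* cell = freeList.allocate()) { last = cell; ++r.allocatedCells; }
    r.lastAtom = atomIndex(last);
    r.exhaustedAtEnd = freeList.isExhausted();
    return r;
}
} // namespace BitmapFreeListExample
```

        The point to watch in the scenario is contains(): allocation never writes
        m_bitmap, yet a query for a cell in a row below m_currentRowIndex still answers
        correctly from m_bitmap, while a query for the current row has to consult the
        cached m_currentRowBitmap, and a query for a higher row is always "allocated".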
797
798 2020-06-17  Mark Lam  <mark.lam@apple.com>
799
800         StructureIDTable::validate() doesn't work when compiled with GCC.
801         https://bugs.webkit.org/show_bug.cgi?id=213302
802         <rdar://problem/64452172>
803
804         Reviewed by Yusuke Suzuki.
805
806         I was previously using ensureStillAliveHere() to force the validation load to
807         not be elided.  However, this is not how ensureStillAliveHere() works.  The proper
808         way to force the load is to use a volatile pointer instead, which is applied in
809         this patch.
810
811         With Clang, the ensureStillAliveHere() happened to do what I expected, but with
812         GCC it did not.  The compiler is at liberty to elide the load because there is
813         no memory clobbering operation between the load and the call to
814         ensureStillAliveHere().  Switching to using the volatile pointer solution.
815
816         * runtime/StructureIDTable.h:
817         (JSC::StructureIDTable::validate):
818
819 2020-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
820
821         [JSC] Freeze JSBigInt when setting it as a constant in AI
822         https://bugs.webkit.org/show_bug.cgi?id=213310
823         <rdar://problem/64450410>
824
825         Reviewed by Mark Lam.
826
827         JSCells should be explicitly frozen via DFG::Graph::freeze or DFG::Graph::freezeStrong. And a heap JSBigInt is a JSCell.
828         We should freeze it before setting it as a parameter of setConstant in AI. We use DFG::Graph::freeze since we know
829         that this is coming from somewhere in DFG graph: this ToNumeric node itself is not newly producing this JSBigInt.
830
831         * dfg/DFGAbstractInterpreterInlines.h:
832         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
833
834 2020-06-17  Keith Miller  <keith_miller@apple.com>
835
836         $vm.haveABadTime/isHavingABadTime should work with non-globalObject parameters
837         https://bugs.webkit.org/show_bug.cgi?id=213304
838
839         Reviewed by Mark Lam.
840
841         Previously, $vm.haveABadTime would crash if passed a
842         non-globalObject object as the first parameter because it was
843         missing a `return` in front of the error handling case. This patch
844         resolves that issue but also extends the semantics of
845         haveABadTime/isHavingABadTime to either use the global object of
846         the first parameter even if it's not a JSGlobalObject. If no
847         argument is passed, haveABadTime/isHavingABadTime instead use the
848         global object of the callee.
849
850         * tools/JSDollarVM.cpp:
851         (JSC::functionHaveABadTime):
852         (JSC::functionIsHavingABadTime):
853
854 2020-06-17  Mark Lam  <mark.lam@apple.com>
855
856         Gardening: move some unused data inside ENABLE(JIT) to unbreak the CLoop build.
857         https://bugs.webkit.org/show_bug.cgi?id=213255
858
859         Not reviewed.
860
861         * assembler/testmasm.cpp:
862
863 2020-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
864
865         Unreviewed, avoid node access in link-task
866         https://bugs.webkit.org/show_bug.cgi?id=213266
867         <rdar://problem/64453001>
868
869         * ftl/FTLLowerDFGToB3.cpp:
870         (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast):
871
872 2020-06-17  Mark Lam  <mark.lam@apple.com>
873
874         Add a shiftAndAdd() emitter in AssemblyHelpers.
875         https://bugs.webkit.org/show_bug.cgi?id=213255
876
877         Reviewed by Michael Saboff.
878
879         void shiftAndAdd(RegisterID base, RegisterID index, uint8_t shift, RegisterID dest, Optional<RegisterID> = { });
880
881         Emits code to compute: dest = base + index << shift.
882
883         * assembler/testmasm.cpp:
884         (doubleOperands):
885         (floatOperands):
886         (int32Operands):
887         (int64Operands):
888         (JSC::testShiftAndAdd):
889         (JSC::run):
890         (JSC::doubleOperands): Deleted.
891         (JSC::floatOperands): Deleted.
892         (JSC::int32Operands): Deleted.
893         (JSC::int64Operands): Deleted.
894         * jit/AssemblyHelpers.h:
895         (JSC::AssemblyHelpers::shiftAndAdd):
896
897 2020-06-17  Michael Saboff  <msaboff@apple.com>
898
899         [Wasm] Reduce the amount of memory used by the Air register coloring allocator
900         https://bugs.webkit.org/show_bug.cgi?id=212106
901
902         Reviewed by Yusuke Suzuki.
903
904         Changed InterferenceEdge to be a templated class so we can instantiate an unsigned
905         short version to cut memory in half for code that has less than 2^16 temps.
906         Through instrumentation, my testing showed that almost all compilations use the
907         16bit implementation.  Although this change is for all B3/Air compilations at O2,
908         Wasm compilations are usually larger and therefore get the greatest benefit.
909
910         This allowed increasing the default value for the option webAssemblyBBQFallbackSize,
911         with a small increase in memory usage.
912
913         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
914         * runtime/OptionsList.h:
915
916 2020-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
917
918         [JSC] Check NullSetterFunction under strict-mode context since structure / PropertyCondition are unaware of this
919         https://bugs.webkit.org/show_bug.cgi?id=213266
920
921         Reviewed by Mark Lam.
922
923         Our PropertyCondition is tracking the shape of Structure. This is enough for IC except for one case: throwing an error when invoking null setters in strict code.
924
925             "use strict";
926             var object = { get value() { return 42; } }
927             object.value = 42;
928
929         In the above case, we need to throw an error. Let's consider the following scenario.
930
931             1. Object has valid setter.
932             2. IC is buffering OPC which includes (1)'s object in [[Prototype]] hit.
933             3. IC commits buffered AccessCase with OPC. And PropertyCondition says Object + setter-offset => Presence.
934             4. Object deletes its setter.
935             5. Just after (4), DFG concurrently reads buffered committed OPCs.
936             6. DFG sees that PropertyCondition is valid even after (4) since the accessor property does exist.
937             7. Set up DFG sequence `GetSetter, Call`.
938             8. DFG calls null-setter under strict code, which is not assumed to be called.
939
940         In this patch, we insert NullSetterFunction check before setter invocation under strict mode. In IC, if we see NullSetterFunction,
941         we replace the calling target with special function which throws an error. In DFG / FTL, we emit `CheckNotJSCast` DFG node which
942         ensures that this setter is not null setter.
943
944         In IC code, we already have null-setter checking code before. So this change does not have any impact in terms of performance.
945         In DFG / FTL code, we only insert this check when we do not inline this setter. This is because inlining emits `CheckCell` anyway so
946         we can know that this is not NullSetterFunction. And this means that DFG Call opcode exists after CheckNotJSCast. Since Call opcode
947         loads the fields of the call target anyway, this also does not affect performance.
948
949         * bytecode/AccessCase.cpp:
950         (JSC::AccessCase::generateImpl):
951         * bytecode/PolymorphicAccess.cpp:
952         (JSC::PolymorphicAccess::regenerate):
953         * bytecode/PolymorphicAccess.h:
954         (JSC::AccessGenerationState::AccessGenerationState):
955         * bytecode/StructureStubInfo.cpp:
956         (JSC::StructureStubInfo::addAccessCase):
957         * bytecode/StructureStubInfo.h:
958         * dfg/DFGAbstractInterpreterInlines.h:
959         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
960         * dfg/DFGByteCodeParser.cpp:
961         (JSC::DFG::ByteCodeParser::handleCall):
962         (JSC::DFG::ByteCodeParser::handleInlining):
963         (JSC::DFG::ByteCodeParser::handlePutById):
964         * dfg/DFGClobberize.h:
965         (JSC::DFG::clobberize):
966         * dfg/DFGConstantFoldingPhase.cpp:
967         (JSC::DFG::ConstantFoldingPhase::foldConstants):
968         * dfg/DFGDoesGC.cpp:
969         (JSC::DFG::doesGC):
970         * dfg/DFGFixupPhase.cpp:
971         (JSC::DFG::FixupPhase::fixupNode):
972         * dfg/DFGNode.h:
973         (JSC::DFG::Node::hasClassInfo const):
974         * dfg/DFGNodeType.h:
975         * dfg/DFGPredictionPropagationPhase.cpp:
976         * dfg/DFGSafeToExecute.h:
977         (JSC::DFG::safeToExecute):
978         * dfg/DFGSpeculativeJIT.cpp:
979         (JSC::DFG::SpeculativeJIT::compileCheckJSCast):
980         * dfg/DFGSpeculativeJIT32_64.cpp:
981         (JSC::DFG::SpeculativeJIT::compile):
982         * dfg/DFGSpeculativeJIT64.cpp:
983         (JSC::DFG::SpeculativeJIT::compile):
984         * dfg/DFGStructureAbstractValue.cpp:
985         (JSC::DFG::StructureAbstractValue::isNotSubClassOf const):
986         * dfg/DFGStructureAbstractValue.h:
987         * ftl/FTLCapabilities.cpp:
988         (JSC::FTL::canCompile):
989         * ftl/FTLLowerDFGToB3.cpp:
990         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
991         (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast):
992         * jit/Repatch.cpp:
993         (JSC::tryCacheGetBy):
994         (JSC::tryCacheArrayGetByVal):
995         (JSC::tryCachePutByID):
996         (JSC::tryCacheDeleteBy):
997         (JSC::tryCacheInByID):
998         (JSC::tryCacheInstanceOf):
999         * jit/ThunkGenerators.cpp:
1000         (JSC::virtualThunkFor):
1001         * runtime/InternalFunction.cpp:
1002         (JSC::InternalFunction::finishCreation):
1003         * runtime/JSCast.h:
1004         * runtime/JSGlobalObject.cpp:
1005         (JSC::JSGlobalObject::init):
1006         (JSC::JSGlobalObject::visitChildren):
1007         * runtime/JSGlobalObject.h:
1008         (JSC::JSGlobalObject::nullSetterStrictFunction const):
1009         * runtime/JSType.cpp:
1010         (WTF::printInternal):
1011         * runtime/JSType.h:
1012         * runtime/NullSetterFunction.cpp:
1013         (JSC::NullSetterFunctionInternal::callThrowError):
1014         (JSC::NullSetterFunction::NullSetterFunction):
1015         * runtime/NullSetterFunction.h:
1016
1017 2020-06-16  Mark Lam  <mark.lam@apple.com>
1018
1019         Make Options::useJIT() be the canonical source of truth on whether we should use the JIT.
1020         https://bugs.webkit.org/show_bug.cgi?id=212556
1021         <rdar://problem/63780436>
1022
1023         Reviewed by Saam Barati.
1024
1025         After r263055, Options::useJIT() always equals VM::canUseJIT() after canUseJIT()
1026         has been computed.  This patch removes VM::canUseJIT(), and replaces all calls to
1027         it with calls to Options::useJIT().
1028
1029         In the old code, VM::canUseJIT() would assert s_canUseJITIsSet to ensure that
1030         its clients will not access s_canUseJIT before it is initialized.  We now have an
1031         equivalent mechanism with Options.  This is how it works:
1032
1033         1. There are 2 new Options flags in the g_jscConfig:
1034                 g_jscConfig.options.isFinalized
1035                 g_jscConfig.options.allowUnfinalizedAccess
1036
1037            g_jscConfig.options.isFinalized means that all Options values are finalized
1038            i.e. initialization is complete and ready to be frozen in the Config.
1039
1040            g_jscConfig.options.isFinalized is set by initializeThreading() by calling
1041            Options::finalize() once options initialization is complete.
1042
1043            g_jscConfig.options.allowUnfinalizedAccess is an allowance for clients to
1044            access Options values before they are finalized.  This is only needed in
1045            options initialization code where Options values are read and written to.
1046
1047            g_jscConfig.options.allowUnfinalizedAccess is set and cleared using the
1048            Options::AllowUnfinalizedAccessScope RAII object.  The few pieces of code that
1049            do options initialization will instantiate this scope object.
1050
1051         2. All Options accessors (e.g. Option::useJIT()) will now assert that either
1052            g_jscConfig.options.allowUnfinalizedAccess or g_jscConfig.options.isFinalized
1053            is set.
1054
1055         3. Since r263055, Options::recomputeDependentOptions() ensures that if useJIT() is
1056            false, all other JIT options (e.g. useBaselineJIT(), useDFGJIT(), useFTLJIT(),
1057            etc.) are also false.  This patch also adds useBBQJIT() and useOMGJIT() to that
1058            list.
1059
1060            With this, checks for useJIT() are now redundant if there's also another JIT
1061            option check, e.g. useRegExpJIT() or useDFGJIT().  When redundant, this patch
1062            elides the useJIT() check (which used to be a VM::canUseJIT() check).
1063
1064         Ideally, we should also introduce a separate abstraction for requested option
1065         values before finalization than the finalized option values that will be adopted
1066         by the system.  We'll do this as a separate exercise in a later patch.
1067
1068         * API/tests/ExecutionTimeLimitTest.cpp:
1069         (testExecutionTimeLimit):
1070         * API/tests/FunctionOverridesTest.cpp:
1071         (testFunctionOverrides):
1072         * API/tests/PingPongStackOverflowTest.cpp:
1073         (testPingPongStackOverflow):
1074         - Removed redundant calls to Options::initialize().
1075
1076         * API/tests/testapi.c:
1077         (main):
1078         - move the call to testExecutionTimeLimit() to after finalizeMultithreadedMultiVMExecutionTest()
1079           returns.  This is because testExecutionTimeLimit() modifies JIT options at runtime
1080           as part of its testing.  This can wreak havoc on the rest of the system that expects
1081           the options to be frozen.  Ideally, we'll find a way for testExecutionTimeLimit() to
1082           do its work without changing JIT options, but that is not easy to do.  For now,
1083           we'll just run it at the end as a workaround.
1084
1085         * bytecode/CodeBlock.cpp:
1086         (JSC::CodeBlock::setNumParameters):
1087         * bytecode/CodeBlock.h:
1088         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1089         (JSC::CodeBlock::valueProfileForArgument):
1090         * dfg/DFGCapabilities.cpp:
1091         (JSC::DFG::isSupported):
1092         * heap/Heap.cpp:
1093         (JSC::Heap::completeAllJITPlans):
1094         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
1095         (JSC::Heap::gatherScratchBufferRoots):
1096         (JSC::Heap::removeDeadCompilerWorklistEntries):
1097         (JSC::Heap::stopThePeriphery):
1098         (JSC::Heap::suspendCompilerThreads):
1099         (JSC::Heap::resumeCompilerThreads):
1100         (JSC::Heap::addCoreConstraints):
1101         * interpreter/AbstractPC.cpp:
1102         (JSC::AbstractPC::AbstractPC):
1103         * jit/JITThunks.cpp:
1104         (JSC::JITThunks::ctiNativeCall):
1105         (JSC::JITThunks::ctiNativeConstruct):
1106         (JSC::JITThunks::ctiNativeTailCall):
1107         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1108         (JSC::JITThunks::ctiInternalFunctionCall):
1109         (JSC::JITThunks::ctiInternalFunctionConstruct):
1110         (JSC::JITThunks::hostFunctionStub):
1111         * jsc.cpp:
1112         (CommandLine::parseArguments):
1113         (jscmain):
1114         * llint/LLIntEntrypoint.cpp:
1115         (JSC::LLInt::setFunctionEntrypoint):
1116         (JSC::LLInt::setEvalEntrypoint):
1117         (JSC::LLInt::setProgramEntrypoint):
1118         (JSC::LLInt::setModuleProgramEntrypoint):
1119         * llint/LLIntSlowPaths.cpp:
1120         (JSC::LLInt::shouldJIT):
1121         (JSC::LLInt::jitCompileAndSetHeuristics):
1122         * runtime/InitializeThreading.cpp:
1123         (JSC::initializeThreading):
1124         * runtime/JSCConfig.h:
1125         * runtime/JSGlobalObject.cpp:
1126         (JSC::JSGlobalObject::init):
1127         * runtime/JSGlobalObject.h:
1128         (JSC::JSGlobalObject::numberToStringWatchpointSet):
1129         * runtime/Options.cpp:
1130         (JSC::jitEnabledByDefault):
1131         (JSC::disableAllJITOptions):
1132
1133         (JSC::Options::initialize):
1134         - Move the calls to dumpOptionsIfNeeded() and ensureOptionsAreCoherent() to the
1135           end after all the options have been initialized because this is where they belong.
1136
1137         (JSC::Options::finalize):
1138         (JSC::Options::setOptions):
1139         (JSC::Options::setOption):
1140         (JSC::Options::dumpAllOptions):
1141         (JSC::Options::ensureOptionsAreCoherent):
1142         * runtime/Options.h:
1143         (JSC::Options::AllowUnfinalizedAccessScope::AllowUnfinalizedAccessScope):
1144         (JSC::Options::AllowUnfinalizedAccessScope::~AllowUnfinalizedAccessScope):
1145         * runtime/OptionsList.h:
1146         * runtime/RegExp.cpp:
1147         (JSC::RegExp::compile):
1148         (JSC::RegExp::compileMatchOnly):
1149         * runtime/SymbolTable.h:
1150         (JSC::SymbolTableEntry::isWatchable const):
1151         * runtime/VM.cpp:
1152         (JSC::VM::computeCanUseJIT):
1153         (JSC::VM::VM):
1154         (JSC::VM::getHostFunction):
1155         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1156         * runtime/VM.h:
1157         (JSC::VM::isInMiniMode):
1158         (JSC::VM::canUseJIT): Deleted.
1159         * wasm/WasmCapabilities.h:
1160         (JSC::Wasm::isSupported):
1161         * wasm/WasmOperations.cpp:
1162         (JSC::Wasm::shouldJIT):
1163         * wasm/WasmSlowPaths.cpp:
1164         (JSC::LLInt::shouldJIT):
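
        The following is an added worked example written for this page, not
        JavaScriptCore's Options code: it models the finalization gate this entry
        describes (isFinalized and allowUnfinalizedAccess flags in a config struct, the
        AllowUnfinalizedAccessScope RAII object, accessors that require one of the two
        flags, and recomputeDependentOptions() forcing the dependent JIT options off
        when useJIT is false).  The flag and scope names follow the entry; the option
        set is cut down to a few JIT flags, g_jscConfig is a plain global rather than
        a freezable Config page, and an access outside the allowed states is counted
        in g_unfinalizedAccessCount instead of asserting, so the behaviour can be
        checked without crashing.

```cpp
// Added example, not JavaScriptCore code: flag and scope names follow the ChangeLog entry
// above; the option set is cut down to a few JIT flags, and an access outside the allowed
// states is counted (the real accessors assert) so the behaviour can be checked.
#include <cstddef>
namespace OptionsGateExample {
struct OptionValues {
    bool isFinalized = false;            // set once, by Options::finalize()
    bool allowUnfinalizedAccess = false; // set only inside AllowUnfinalizedAccessScope
    bool useJIT = true;
    bool useBaselineJIT = true;
    bool useDFGJIT = true;
    bool useFTLJIT = true;
    bool useBBQJIT = true;
    bool useOMGJIT = true;
};
struct Config { OptionValues options; };
Config g_jscConfig;                  // stand-in for the global config (not frozen here)
size_t g_unfinalizedAccessCount = 0; // stand-in for the assertion in the real accessors

class Options {
public:
    // RAII allowance for the few pieces of initialization code that must read and
    // write options before they are finalized.
    class AllowUnfinalizedAccessScope {
    public:
        AllowUnfinalizedAccessScope() : m_previous(g_jscConfig.options.allowUnfinalizedAccess) { g_jscConfig.options.allowUnfinalizedAccess = true; }
        ~AllowUnfinalizedAccessScope() { g_jscConfig.options.allowUnfinalizedAccess = m_previous; }
    private:
        bool m_previous;
    };

    // Every accessor checks that either the options are finalized or the caller holds
    // an AllowUnfinalizedAccessScope; outside those states the access is recorded.
    static bool accessIsAllowed() { return g_jscConfig.options.isFinalized || g_jscConfig.options.allowUnfinalizedAccess; }
#define OPTION_ACCESSOR(name) \
    static bool& name() { if (!accessIsAllowed()) ++g_unfinalizedAccessCount; return g_jscConfig.options.name; }
    OPTION_ACCESSOR(useJIT)
    OPTION_ACCESSOR(useBaselineJIT)
    OPTION_ACCESSOR(useDFGJIT)
    OPTION_ACCESSOR(useFTLJIT)
    OPTION_ACCESSOR(useBBQJIT)
    OPTION_ACCESSOR(useOMGJIT)
#undef OPTION_ACCESSOR

    // If useJIT() is false every dependent JIT option is forced false too, which is what
    // makes a separate useJIT() check redundant next to e.g. a useDFGJIT() check.
    static void recomputeDependentOptions()
    {
        if (useJIT())
            return;
        useBaselineJIT() = useDFGJIT() = useFTLJIT() = useBBQJIT() = useOMGJIT() = false;
    }

    // Called once initialization is complete; after this, plain accesses are allowed.
    static void finalize()
    {
        {
            AllowUnfinalizedAccessScope scope;
            recomputeDependentOptions();
        }
        g_jscConfig.options.isFinalized = true;
    }
};

struct GateResult {
    size_t violationsBeforeFinalize; // plain access before finalize(): flagged
    size_t violationsInsideScope;    // access under the RAII scope: allowed
    size_t violationsAfterFinalize;  // access after finalize(): allowed
    bool dfgOff, omgOff;             // dependent options follow useJIT = false
};
GateResult runScenario()
{
    g_jscConfig = Config {};
    g_unfinalizedAccessCount = 0;
    GateResult r {};
    (void)Options::useJIT();                  // too early: no scope and not finalized
    r.violationsBeforeFinalize = g_unfinalizedAccessCount;
    {
        Options::AllowUnfinalizedAccessScope scope;
        Options::useJIT() = false;            // e.g. option parsing saw --useJIT=false
        (void)Options::useDFGJIT();
    }
    r.violationsInsideScope = g_unfinalizedAccessCount - r.violationsBeforeFinalize;
    Options::finalize();
    r.dfgOff = !Options::useDFGJIT();
    r.omgOff = !Options::useOMGJIT();
    r.violationsAfterFinalize = g_unfinalizedAccessCount - r.violationsBeforeFinalize;
    return r;
}
} // namespace OptionsGateExample
```

        In the scenario the single access before any scope is the only one recorded;
        the writes under the RAII scope, the recomputation inside finalize() and every
        access after finalization pass the gate, and once useJIT was set false the
        dependent options read back false without any caller having to test useJIT()
        itself.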
1165
1166 2020-06-16  Robin Morisset  <rmorisset@apple.com>
1167
1168         Optimize Air::TmpWidth analysis in IRC
1169         https://bugs.webkit.org/show_bug.cgi?id=152478
1170
1171         Reviewed by Filip Pizlo.
1172
1173         AirTmpWidth currently uses a HashMap to map tmps to their width.
1174         Since tmps have consecutive indices, we can instead use vectors (one for GP and one for FP tmps).
1175         As a bonus, we can just compute the width of the tmps of the bank the register allocator is currently looking at.
1176         This cuts the time spent in the register allocator in JetStream2 by about 100ms out of 3.4s
1177         (or sometimes 80ms out of 2.4, the bimodality of the time spent is due to a huge function in tagcloud-SP which usually but not always reaches the FTL, I'll check later if it can be fixed by tweaking the inliner).
1178
1179         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1180         (JSC::B3::Air::allocateRegistersByGraphColoring):
1181         * b3/air/AirTmpWidth.cpp:
1182         (JSC::B3::Air::TmpWidth::TmpWidth):
1183         (JSC::B3::Air::TmpWidth::recompute):
1184         * b3/air/AirTmpWidth.h:
1185         (JSC::B3::Air::TmpWidth::width const):
1186         (JSC::B3::Air::TmpWidth::requiredWidth):
1187         (JSC::B3::Air::TmpWidth::defWidth const):
1188         (JSC::B3::Air::TmpWidth::useWidth const):
1189         (JSC::B3::Air::TmpWidth::Widths::Widths):
1190         (JSC::B3::Air::TmpWidth::widths):
1191         (JSC::B3::Air::TmpWidth::widths const):
1192         (JSC::B3::Air::TmpWidth::addWidths):
1193         (JSC::B3::Air::TmpWidth::widthsVector):
1194
1195 2020-06-16  Fujii Hironori  <Hironori.Fujii@sony.com>
1196
1197         [CMake][Visual Studio] CombinedDomains.json is generated twice in JavaScriptCore.vcxproj and InspectorBackendCommands.vcxproj
1198         https://bugs.webkit.org/show_bug.cgi?id=213225
1199
1200         Reviewed by Don Olmstead.
1201
1202         Since r262203 (Bug 210014) added a new target
1203         InspectorBackendCommands, CombinedDomains.json is generated twice
1204         in JavaScriptCore.vcxproj and InspectorBackendCommands.vcxproj.
1205         This caused unnecessary incremental builds.
1206
1207         The fundamental issue was fixed on the CMake side.
1208         <https://gitlab.kitware.com/cmake/cmake/issues/16767>
1209         However, JavaScriptCore target needs to have a direct or indirect
1210         dependency of InspectorBackendCommands target for CMake Visual
1211         Studio generator to eliminate duplicated custom commands.
1212
1213         * CMakeLists.txt: Added add_dependencies(JavaScriptCore InspectorBackendCommands).
1214
1215 2020-06-16  Mark Lam  <mark.lam@apple.com>
1216
1217         Add SIGABRT handler for non OS(DARWIN) builds to the jsc shell with the -s option.
1218         https://bugs.webkit.org/show_bug.cgi?id=213200
1219
1220         Reviewed by Michael Catanzaro.
1221
1222         This is needed because non OS(DARWIN) builds use abort as their "CRASH"ing
1223         mechanism.
1224
1225         * jsc.cpp:
1226         (CommandLine::parseArguments):
1227
1228 2020-06-15  Michael Catanzaro  <mcatanzaro@gnome.org>
1229
1230         WTF signal machinery is guarded by #if USE(PTHREADS) && HAVE(MACHINE_CONTEXT) but does not use pthreads or machine context
1231         https://bugs.webkit.org/show_bug.cgi?id=213223
1232
1233         Reviewed by Mark Lam.
1234
1235         Use #if OS(UNIX) here too. This should fix stress/ensure-crash.js when
1236         HAVE(MACHINE_CONTEXT) is false.
1237
1238         * jsc.cpp:
1239         (printUsageStatement):
1240         (CommandLine::parseArguments):
1241
1242 2020-06-15  Pavel Feldman  <pavel.feldman@gmail.com>
1243
1244         Web Inspector: introduce request interception
1245         https://bugs.webkit.org/show_bug.cgi?id=207446
1246
1247         Reviewed by Devin Rousso.
1248
1249         This change introduces network request interception to the Network 
1250         protocol domain. It adds Network.interceptWithRequest notification that
1251         can be continued, modified or fulfilled. NetworkStage enum can now have
1252         'request' and 'response' values.
1253
1254         * inspector/protocol/Network.json:
1255
1256 2020-06-15  Tadeu Zagallo  <tzagallo@apple.com>
1257
1258         op_iterator_open getNext checkpoint needs to declare it uses m_iterator
1259         https://bugs.webkit.org/show_bug.cgi?id=213106
1260         <rdar://problem/63416838>
1261
1262         Reviewed by Keith Miller.
1263
1264         Currently, we have no way of specifying that a checkpoint uses an operand defined at an earlier
1265         point in the same bytecode, which is the case for op_iterator_open: we assume that it will have
1266         already allocated the iterator and stored it in m_iterator by the time we get to the getNext
1267         checkpoint. In order to support that, we change tmpLivenessForCheckpoint to livenessForCheckpoint
1268         and allow it to also declare the use of the operands defined within the bytecode.
1269
1270         * bytecode/BytecodeLivenessAnalysis.cpp:
1271         (JSC::livenessForCheckpoint):
1272         (JSC::tmpLivenessForCheckpoint): Deleted.
1273         * bytecode/BytecodeLivenessAnalysis.h:
1274         * bytecode/FullBytecodeLiveness.h:
1275         * dfg/DFGForAllKills.h:
1276         (JSC::DFG::forAllKilledOperands):
1277         * dfg/DFGGraph.cpp:
1278         (JSC::DFG::Graph::isLiveInBytecode):
1279         * dfg/DFGGraph.h:
1280
1281 2020-06-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1282
1283         Expand JSObject::defineOwnIndexedProperty() fast path for existing properties
1284         https://bugs.webkit.org/show_bug.cgi?id=213133
1285
1286         Reviewed by Yusuke Suzuki.
1287
1288         This patch expands fast path of JSObject::defineOwnIndexedProperty() to cover existing properties
1289         if the given data descriptor has no falsy attributes, preventing the object from entering SparseMode.
1290         The optimization is possible due to this invariant: indexed properties of non-SparseMode objects
1291         have attributes of PropertyAttribute::None (except for typed arrays; added assert covers it).
1292
1293         PropertyDescriptor::attributesOverridingCurrent() with PropertyAttribute::None descriptor
1294         is used to support partial descriptors like {value: 1, writable: true}.
1295
1296         This change advances Object.defineProperty microbenchmark by 35%; array read/write benchmark
1297         following property redefinition is progressed by a factor of 16 due to avoiding SparseMode.
1298
1299         * runtime/JSObject.cpp:
1300         (JSC::JSObject::defineOwnIndexedProperty):
1301
1302 2020-06-15  Robin Morisset  <rmorisset@apple.com>
1303
1304         testB3::testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead() has a validation failure in debug mode
1305         https://bugs.webkit.org/show_bug.cgi?id=196103
1306         <rdar://problem/57808549>
1307
1308         Reviewed by Keith Miller.
1309
1310         The problem was trivial: patchpoints were referring to constants that were defined after them.
1311         Just exchanging the order of the definition was enough to make this test pass.
1312
1313         * b3/testb3_1.cpp:
1314         (shouldRun):
1315         * b3/testb3_7.cpp:
1316         (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
1317
1318 2020-06-15  Mark Lam  <mark.lam@apple.com>
1319
1320         Do not install the VMTraps signal handler if Options::useJIT=false.
1321         https://bugs.webkit.org/show_bug.cgi?id=212543
1322         <rdar://problem/63772519>
1323
1324         Reviewed by Keith Miller.
1325
1326         VMTraps is only needed for JITted code.  Hence, if the JIT is disabled, we should
1327         set Options::usePollingTraps() to true to indicate that we won't be using VMTraps.
1328
1329         With this change, we no longer install any signal handling machinery if
1330         Options::useJIT() is false.
1331
1332         Because we may still disable the JIT even if useJIT() is true (due to failure to
1333         allocate JIT memory or a number of other factors), we will also add a check of
1334         VM::canUseJIT() in initializeThreading(), and disable useJIT() if needed.  Of
1335         course, this also means we need to call Options::recomputeDependentOptions() to
1336         make other options consistent with useJIT() being false.
1337
1338         * runtime/InitializeThreading.cpp:
1339         (JSC::initializeThreading):
1340         * runtime/Options.cpp:
1341         (JSC::disableAllJITOptions):
1342         (JSC::Options::recomputeDependentOptions):
1343         (JSC::recomputeDependentOptions): Deleted.
1344         * runtime/Options.h:
1345         * runtime/VMTraps.cpp:
1346         (JSC::VMTraps::initializeSignals):
1347         * tools/SigillCrashAnalyzer.cpp:
1348         (JSC::SigillCrashAnalyzer::instance):
1349
1350 2020-06-15  Keith Miller  <keith_miller@apple.com>
1351
1352         CheckIsConstant should not use BadCache exit kind
1353         https://bugs.webkit.org/show_bug.cgi?id=213141
1354
1355         Reviewed by Yusuke Suzuki.
1356
1357         The BadCache exit kind causes the OSR exit compilers to try to
1358         update ArrayProfiles.  This is just incorrect for CheckIsConstant
1359         since the node's origin may not even have an
1360         ArrayProfile... BadCache also strongly assumes the value it's
1361         profiling is a cell, which is clearly not always the case for
1362         CheckIsConstant.
1363
1364         CheckIsConstant now uses the BadConstantValue (BadValue conflicts
1365         with macros exported by X11 on GTK) exit kind for all use kinds,
1366         which is just a rename of BadCell.  All existing places where we
1367         can emit a CheckIsConstant already have a story for BadConstantValue.
1368
1369         * bytecode/CallLinkStatus.cpp:
1370         (JSC::CallLinkStatus::computeFromLLInt):
1371         (JSC::CallLinkStatus::computeExitSiteData):
1372         * bytecode/ExitKind.cpp:
1373         (JSC::exitKindToString):
1374         * bytecode/ExitKind.h:
1375         * dfg/DFGAbstractInterpreterInlines.h:
1376         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1377         * dfg/DFGByteCodeParser.cpp:
1378         (JSC::DFG::ByteCodeParser::handleInlining):
1379         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1380         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1381         (JSC::DFG::ByteCodeParser::parseBlock):
1382         (JSC::DFG::ByteCodeParser::handlePutByVal):
1383         (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
1384         * dfg/DFGClobberize.h:
1385         (JSC::DFG::clobberize):
1386         * dfg/DFGDoesGC.cpp:
1387         (JSC::DFG::doesGC):
1388         * dfg/DFGFixupPhase.cpp:
1389         (JSC::DFG::FixupPhase::fixupNode):
1390         * dfg/DFGNode.h:
1391         (JSC::DFG::Node::isPseudoTerminal):
1392         * dfg/DFGNodeType.h:
1393         * dfg/DFGPredictionPropagationPhase.cpp:
1394         * dfg/DFGSafeToExecute.h:
1395         (JSC::DFG::safeToExecute):
1396         * dfg/DFGSpeculativeJIT.cpp:
1397         (JSC::DFG::SpeculativeJIT::compileCheckIsConstant):
1398         * dfg/DFGSpeculativeJIT32_64.cpp:
1399         (JSC::DFG::SpeculativeJIT::compile):
1400         * dfg/DFGSpeculativeJIT64.cpp:
1401         (JSC::DFG::SpeculativeJIT::compile):
1402         * ftl/FTLCapabilities.cpp:
1403         (JSC::FTL::canCompile):
1404         * ftl/FTLLowerDFGToB3.cpp:
1405         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1406         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant):
1407         (JSC::FTL::DFG::LowerDFGToB3::compileCheckBadValue):
1408         (JSC::FTL::DFG::LowerDFGToB3::compileCheckBadCell): Deleted.
1409
1410 2020-06-15  Yusuke Suzuki  <ysuzuki@apple.com>
1411
1412         Webkit Feature BigInt on webkit.org
1413         https://bugs.webkit.org/show_bug.cgi?id=197546
1414
1415         Reviewed by Sam Weinig.
1416
1417         Add BigInt entry to JSC features.json.
1418
1419         * features.json:
1420
1421 2020-06-15  Keith Miller  <keith_miller@apple.com>
1422
1423         JIT thunks should work on arm64_32
1424         https://bugs.webkit.org/show_bug.cgi?id=213103
1425
1426         Reviewed by Saam Barati.
1427
1428         This patch fixes various issues when running JSC on arm64_32 with
1429         useJIT=1 and useBaselineJIT=0. In particular this patch makes the
1430         following changes:
1431
1432         1) ScalePtr is now just part of the Scale enum and is set based on
1433         the size of the address space.
1434
1435         2) MacroAssembler::*Ptr functions call 32/64 bit variants based on
1436         address space size rather than CPU architecture. Vetting of callsites
1437         using Ptr as 64 will happen in future patches since it's hard to
1438         comprehensively vet.
1439
1440         3) Add some missing variants of functions for when pointers are 32-bit.
1441
1442         4) Add a load/storeReg function that stores a full register regardless
1443         of pointer size for storing/loading callee saves.
1444
1445         5) numberOfDFGCompiles should report a big number for
1446         useBaselineJIT=0 as some tests fail by default if useBaselineJIT=0
1447         but useJIT=1.
1448
1449         6) Assert BaseIndex has a scale of PtrSize or TimesOne (for pre-scaled
1450         values) when passed to a load/storePtr function.
1451
1452         * assembler/AbstractMacroAssembler.h:
1453         (JSC::AbstractMacroAssembler::timesPtr): Deleted.
1454         * assembler/MacroAssembler.h:
1455         (JSC::MacroAssembler::rotateRightPtr):
1456         (JSC::MacroAssembler::loadPtr):
1457         (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch):
1458         (JSC::MacroAssembler::branchPtr):
1459         (JSC::MacroAssembler::storePtr):
1460         (JSC::MacroAssembler::shouldBlindDouble):
1461         (JSC::MacroAssembler::moveDouble):
1462         (JSC::MacroAssembler::store64):
1463         * assembler/MacroAssemblerARM64.h:
1464         (JSC::MacroAssemblerARM64::add32):
1465         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
1466         (JSC::MacroAssemblerARM64::loadPtr):
1467         (JSC::MacroAssemblerARM64::call):
1468         (JSC::MacroAssemblerARM64::farJump):
1469         * assembler/MacroAssemblerARMv7.h:
1470         (JSC::MacroAssemblerARMv7::rotateRight32):
1471         * assembler/MacroAssemblerMIPS.h:
1472         (JSC::MacroAssemblerMIPS::rotateRight32):
1473         * assembler/MacroAssemblerX86.h:
1474         * assembler/MacroAssemblerX86_64.h:
1475         * b3/B3LowerMacros.cpp:
1476         * b3/testb3_6.cpp:
1477         (testInterpreter):
1478         * dfg/DFGSpeculativeJIT.cpp:
1479         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1480         * jit/AssemblyHelpers.cpp:
1481         (JSC::AssemblyHelpers::emitLoadStructure):
1482         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1483         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
1484         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
1485         * jit/AssemblyHelpers.h:
1486         (JSC::AssemblyHelpers::storeReg):
1487         (JSC::AssemblyHelpers::loadReg):
1488         (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
1489         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
1490         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
1491         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
1492         (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
1493         * jit/JITOpcodes32_64.cpp:
1494         (JSC::JIT::emit_op_enumerator_structure_pname):
1495         (JSC::JIT::emit_op_enumerator_generic_pname):
1496         * jit/ThunkGenerators.cpp:
1497         (JSC::nativeForGenerator):
1498         * runtime/TestRunnerUtils.cpp:
1499         (JSC::numberOfDFGCompiles):
1500
1501 2020-06-15  Caitlin Potter  <caitp@igalia.com>
1502
1503         [JSC] add machinery to disable JIT tiers when experimental features are enabled
1504         https://bugs.webkit.org/show_bug.cgi?id=213193
1505
1506         Reviewed by Mark Lam.
1507
1508         A new macro FOR_EACH_JSC_EXPERIMENTAL_OPTION() supplies flags indicating the supported
1509         JIT tiers (or, in the future, other options) of a particular feature,
1510         in an easy to understand format. These flags are then used to
1511         recompute dependent feature flags.
1512
1513         This should simplify the incremental development of language features.
1514
1515         * dfg/DFGCapabilities.cpp:
1516         (JSC::DFG::capabilityLevel):
1517         * runtime/Options.cpp:
1518         (JSC::recomputeDependentOptions):
1519         * runtime/OptionsList.h:
1520
1521 2020-06-15  Keith Miller  <keith_miller@apple.com>
1522
1523         Signal handlers should have a two phase installation.
1524         https://bugs.webkit.org/show_bug.cgi?id=213160
1525
1526         Reviewed by Mark Lam.
1527
1528         * jsc.cpp:
1529         (CommandLine::parseArguments):
1530         (jscmain):
1531         * runtime/InitializeThreading.cpp:
1532         (JSC::initializeThreading):
1533         * runtime/VMTraps.cpp:
1534         * tools/SigillCrashAnalyzer.cpp:
1535         (JSC::installCrashHandler):
1536         * wasm/WasmFaultSignalHandler.cpp:
1537         (JSC::Wasm::enableFastMemory):
1538         (JSC::Wasm::prepareFastMemory):
1539         * wasm/WasmFaultSignalHandler.h:
1540
1541 2020-06-15  Yusuke Suzuki  <ysuzuki@apple.com>
1542
1543         Unreviewed, fix LLInt
1544         https://bugs.webkit.org/show_bug.cgi?id=157972
1545
1546         loadi only takes an address.
1547
1548         * llint/LowLevelInterpreter64.asm:
1549
1550 2020-06-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1551
1552         super should not depend on __proto__
1553         https://bugs.webkit.org/show_bug.cgi?id=157972
1554
1555         Reviewed by Saam Barati.
1556
1557         Before this change, both super() call [1] and super.property [2] relied on
1558         Object.prototype.__proto__ to acquire super base, which was observable and
1559         incorrect if __proto__ gets removed.
1560
1561         This patch introduces get_prototype_of bytecode, ensuring returned values
1562         are profiled so the op can be wired to existing DFG and FTL implementations.
1563         In order to avoid performance regression w/o DFG (__proto__ is optimized via
1564         IntrinsicGetterAccessCase), fast paths for LLInt and baseline JIT are added
1565         (64-bit only), utilizing OverridesGetPrototypeOutOfLine type info flag.
1566
1567         This change aligns JSC with V8 and SpiderMonkey, progressing microbenchmarks/
1568         super-get-by-{id,val}-with-this-monomorphic.js by 7-10%. SixSpeed is neutral.
1569
1570         Also, extracts JSValue::getPrototype() method to avoid code duplication and
1571         utilizes it in objectConstructorGetPrototypeOf(), advancing provided
1572         microbenchmark by 40%.
1573
1574         [1]: https://tc39.es/ecma262/#sec-getsuperconstructor (step 5)
1575         [2]: https://tc39.es/ecma262/#sec-getsuperbase (step 5)
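        The observable contract described above, as an added example that is not JavaScriptCore's own code: super() and super.property must resolve their base through the home object's internal [[GetPrototypeOf]], so neither an instrumented Object.prototype.__proto__ getter nor its removal may affect them. The classes, the call counter and the two-phase probe are constructed for this demonstration.

```javascript
// Added example, not JavaScriptCore code: checks that super() and super.prop resolve
// the super base through the home object's internal [[GetPrototypeOf]] rather than
// through the Object.prototype.__proto__ accessor. The classes and the call counter
// are constructed for this demonstration.
function probeSuperResolution() {
  const original = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  let protoGetterCalls = 0;

  // Phase 1: instrument the __proto__ getter so any dependence on it is counted.
  Object.defineProperty(Object.prototype, '__proto__', {
    configurable: true,
    get() { protoGetterCalls += 1; return original.get.call(this); },
    set(v) { original.set.call(this, v); },
  });
  try {
    class Base {
      constructor() { this.tag = 'B'; }
      greet() { return 'base'; }
    }
    class Derived extends Base {
      constructor() { super(); this.tag += 'D'; }      // GetSuperConstructor
      greet() { return 'derived>' + super.greet(); }   // GetSuperBase
    }
    const d1 = new Derived();
    const instrumented = { greet: d1.greet(), tag: d1.tag, protoGetterCalls };

    // Phase 2: remove the accessor entirely; an engine that resolved super via
    // __proto__ would now throw or produce a wrong result here.
    delete Object.prototype.__proto__;
    const d2 = new Derived();
    const withoutAccessor = {
      greet: d2.greet(),
      tag: d2.tag,
      accessorGone: !('__proto__' in Object.prototype),
    };
    return { instrumented, withoutAccessor };
  } finally {
    // Restore the engine's original accessor so the rest of the program is unaffected.
    Object.defineProperty(Object.prototype, '__proto__', original);
  }
}
```

        A conforming engine reports zero getter calls in phase 1 and identical results in phase 2; an engine that went through __proto__ would show a non-zero count or fail once the accessor is gone.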
1576
1577         * builtins/BuiltinNames.h:
1578         * bytecode/BytecodeIntrinsicRegistry.h:
1579         * bytecode/BytecodeList.rb:
1580         * bytecode/BytecodeUseDef.cpp:
1581         (JSC::computeUsesForBytecodeIndexImpl):
1582         (JSC::computeDefsForBytecodeIndexImpl):
1583         * bytecode/CodeBlock.cpp:
1584         (JSC::CodeBlock::finishCreation):
1585         * bytecode/Opcode.h:
1586         * bytecompiler/BytecodeGenerator.cpp:
1587         (JSC::BytecodeGenerator::emitGetPrototypeOf):
1588         * bytecompiler/BytecodeGenerator.h:
1589         * bytecompiler/NodesCodegen.cpp:
1590         (JSC::emitSuperBaseForCallee):
1591         (JSC::emitGetSuperFunctionForConstruct):
1592         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPrototypeOf):
1593         * dfg/DFGAbstractInterpreterInlines.h:
1594         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1595         * dfg/DFGByteCodeParser.cpp:
1596         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1597         (JSC::DFG::ByteCodeParser::parseBlock):
1598         * dfg/DFGCapabilities.cpp:
1599         (JSC::DFG::capabilityLevel):
1600         * dfg/DFGOperations.cpp:
1601         * jit/IntrinsicEmitter.cpp:
1602         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1603         * jit/JIT.cpp:
1604         (JSC::JIT::privateCompileMainPass):
1605         (JSC::JIT::privateCompileSlowCases):
1606         * jit/JIT.h:
1607         * jit/JITOpcodes.cpp:
1608         (JSC::JIT::emit_op_get_prototype_of):
1609         * llint/LowLevelInterpreter.asm:
1610         * llint/LowLevelInterpreter64.asm:
1611         * runtime/CommonSlowPaths.cpp:
1612         (JSC::SLOW_PATH_DECL):
1613         * runtime/CommonSlowPaths.h:
1614         * runtime/JSCJSValue.h:
1615         * runtime/JSCJSValueInlines.h:
1616         (JSC::JSValue::getPrototype const):
1617         * runtime/JSGlobalObjectFunctions.cpp:
1618         (JSC::globalFuncProtoGetter):
1619         * runtime/JSObject.cpp:
1620         (JSC::JSObject::calculatedClassName):
1621         * runtime/JSObject.h:
1622         (JSC::JSObject::getPrototype):
1623         * runtime/JSObjectInlines.h:
1624         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
1625         (JSC::JSObject::getPropertySlot):
1626         (JSC::JSObject::getNonIndexPropertySlot):
1627         * runtime/JSProxy.h:
1628         * runtime/JSTypeInfo.h:
1629         (JSC::TypeInfo::overridesGetPrototype const):
1630         * runtime/ObjectConstructor.cpp:
1631         (JSC::objectConstructorGetPrototypeOf):
1632         * runtime/ProxyObject.h:
1633         * runtime/Structure.h:
1634         * runtime/Structure.cpp:
1635         (JSC::Structure::validateFlags):
1636
1637 2020-06-13  Devin Rousso  <drousso@apple.com>
1638
1639         Make `errors` an own property of `AggregateError` instead of a prototype accessor
1640         https://bugs.webkit.org/show_bug.cgi?id=212677
1641
1642         Reviewed by Yusuke Suzuki.
1643
1644         * runtime/AggregateError.h:
1645         (JSC::AggregateError::destroy): Deleted.
1646         (JSC::AggregateError::subspaceFor): Deleted.
1647         (JSC::AggregateError::errors): Deleted.
1648         * runtime/AggregateError.cpp:
1649         (JSC::AggregateError::AggregateError):
1650         (JSC::AggregateError::finishCreation): Added.
1651         (JSC::AggregateError::visitChildren): Deleted.
1652
1653         * runtime/AggregateErrorPrototype.h:
1654         * runtime/AggregateErrorPrototype.cpp:
1655         (JSC::AggregateErrorPrototype::finishCreation):
1656         (JSC::aggregateErrorPrototypeAccessorErrors): Deleted.
1657         * runtime/JSGlobalObject.cpp:
1658         (JSC::JSGlobalObject::initializeAggregateErrorConstructor):
1659
1660         * runtime/VM.h:
1661         * runtime/VM.cpp:
1662         (JSC::VM::VM):
1663         * heap/Heap.cpp:
1664         (JSC::Heap::finalizeUnconditionalFinalizers):
1665         Remove `aggregateErrorSpace` since `AggregateError` doesn't add any new member variables.
1666         Ensure that it can share an `IsoSubspace` with `ErrorInstance`.
1667
1668         * runtime/CommonIdentifiers.h:
1669         Add `errors`.
1670
1671 2020-06-12  Robin Morisset  <rmorisset@apple.com>
1672
1673         The ||= operator (and similar ones) should produce valid bytecode even if the right side is a static error
1674         https://bugs.webkit.org/show_bug.cgi?id=213154
1675
1676         Reviewed by Devin Rousso.
1677
1678         There were two minor issues here that interacted:
1679         - emitThrowReferenceError did not take an optional `dst` argument like everything else, and instead always returned a new temporary.
1680           As a result, the various functions that sometimes did "return emitThrowReferenceError(..);" could return a different RegisterID than the one
1681           provided to them through `dst`, breaking the invariant stated at the top of the file.
1682         - ShortCircuitReadModifyResolveNode::emitBytecode used the result of such a function, unnecessarily, and (correctly) relied on the invariant being upheld.
1683         The combination of these led to the bytecode trying to do a move of a temporary that was only defined in one of the predecessors of the basic block it was on,
1684         which was caught by validateBytecode.
1685
1686         I fixed both issues, and verified that either fix is enough to stop the bug.
1687         I fixed the first because other code may depend on that invariant in more subtle ways.
1688         I fixed the second because it was just unnecessary complexity and made the code misleading.
1689
1690         I also reworded the comment at the top of NodesCodegen.cpp based on Keith's explanation and Mark's advice to make it less cryptic.
1691
1692         * bytecompiler/NodesCodegen.cpp:
1693         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1694         (JSC::PostfixNode::emitBytecode):
1695         (JSC::DeleteBracketNode::emitBytecode):
1696         (JSC::DeleteDotNode::emitBytecode):
1697         (JSC::PrefixNode::emitBytecode):
1698         (JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
1699         (JSC::AssignErrorNode::emitBytecode):
1700         * parser/Nodes.h:
1701
1702 2020-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
1703
1704         [JSC] el(Greek) characters' upper-case conversion is locale-sensitive
1705         https://bugs.webkit.org/show_bug.cgi?id=213155
1706         <rdar://problem/55018467>
1707
1708         Reviewed by Darin Adler.
1709
1710         CLDR defines 4 locales which have language-sensitive case conversions. "az", "el", "lt", and "tr", where,
1711
1712             az = Azerbaijani
1713             el = Greek
1714             lt = Lithuanian
1715             tr = Turkish
1716
1717         We can ensure it easily like this.
1718
1719             1. Download CLDR data
1720             2. `ls common/transforms/*Upper.xml`
1721
1722                 common/transforms/az-Upper.xml
1723                 common/transforms/el-Upper.xml
1724                 common/transforms/lt-Upper.xml
1725                 common/transforms/tr-Upper.xml
1726
1727         And ECMA-402 String.prototype.{toLocaleLowerCase,toLocaleUpperCase} requires that these locales be listed as `availableLocales`.
1728
1729             > 7. Let availableLocales be a List with language tags that includes the languages for which the Unicode Character
1730             >    Database contains language sensitive case mappings. Implementations may add additional language tags if they
1731             >    support case mapping for additional locales.
1732
1733             https://tc39.es/ecma402/#sup-string.prototype.tolocalelowercase
1734
1735         This patch adds "el" to our maintained availableLocales list. Previously we only had "az", "lt", and "tr".
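        The four language-sensitive upper-case tailorings, exercised through ECMA-402 toLocaleUpperCase as an added example that is not part of this patch: each sample string is constructed, and the expected results follow the Unicode SpecialCasing conditions and CLDR transforms for these locales. An engine that omits a locale from its availableLocales (as JSC did for "el" before this change) silently falls back to the root mapping, which is exactly what the comparison below detects.

```javascript
// Added example, not JavaScriptCore code. Sample inputs are constructed; the
// expected tailored results follow Unicode SpecialCasing / CLDR *-Upper transforms.
const LANGUAGE_SENSITIVE_UPPER = {
  az: 'i',           // Azerbaijani: dotted i uppercases to U+0130 (İ), not I
  el: '\u03AC',      // Greek ά: the tonos is dropped when uppercasing, giving U+0391 (Α)
  lt: 'i\u0307',     // Lithuanian: COMBINING DOT ABOVE after i is removed, giving I
  tr: 'i',           // Turkish: as Azerbaijani, U+0130 (İ)
};

// Compare the root (locale-independent) mapping with the locale-tailored one.
// localeSensitive is false when the engine has no tailoring for `locale`,
// either because the language has none or because the engine omits it.
function compareUpper(sample, locale) {
  const root = sample.toUpperCase();
  const tailored = sample.toLocaleUpperCase(locale);
  return { root, tailored, localeSensitive: root !== tailored };
}

// The subset of the four CLDR locales for which this engine actually tailors
// upper-casing; a missing entry points at an incomplete availableLocales list.
function tailoredLocales() {
  return Object.keys(LANGUAGE_SENSITIVE_UPPER).filter(
    (locale) => compareUpper(LANGUAGE_SENSITIVE_UPPER[locale], locale).localeSensitive,
  );
}
```

        Running tailoredLocales() on an engine that lists only "az", "lt" and "tr" would omit "el", since "ά".toLocaleUpperCase("el") would then return the root result "Ά" (U+0386) instead of "Α" (U+0391).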
1736
1737         * runtime/StringPrototype.cpp:
1738         (JSC::toLocaleCase):
1739         (JSC::stringProtoFuncToLocaleUpperCase):
1740
1741 2020-06-12  Keith Miller  <keith_miller@apple.com>
1742
1743         Tests expecting a crash should use a signal handler in the JSC CLI process
1744         https://bugs.webkit.org/show_bug.cgi?id=212479
1745
1746         Reviewed by Yusuke Suzuki.
1747
1748         Have the -s option use WTF::Signals and make sure it adds breakpoint catching
1749         as well.
1750
1751         * jsc.cpp:
1752         (printUsageStatement):
1753         (CommandLine::parseArguments):
1754         * tools/SigillCrashAnalyzer.cpp:
1755         (JSC::installCrashHandler):
1756
1757 2020-06-12  Alexey Shvayka  <shvaikalesh@gmail.com>
1758
1759         AsyncGenerator should await "return" completions
1760         https://bugs.webkit.org/show_bug.cgi?id=212774
1761
1762         Reviewed by Ross Kirsling.
1763
1764         This patch fixes 2 spec discrepancies, observable with async generators if the
1765         value of "return" completion is a Promise, aligning JSC with V8 and SpiderMonkey.
1766
1767         * builtins/AsyncGeneratorPrototype.js:
1768         (onFulfilled):
1769         This change implements step 8 of AsyncGeneratorYield [1], that is executed after
1770         step 15 of AsyncGeneratorResumeNext [2] (implemented as @doAsyncGeneratorBodyCall).
1771         We are safe to rely on [[AsyncGeneratorState]] being "suspendedYield" (set in
1772         step 6 of AsyncGeneratorYield [1]) instead of adding an extra field to AsyncGenerator:
1773         AsyncGeneratorResumeNext [2] does not overwrite "suspendedYield" state.
1774         This change fixes most of test262 cases.
1775
1776         [1]: https://tc39.es/ecma262/#sec-asyncgeneratoryield
1777         [2]: https://tc39.es/ecma262/#sec-asyncgeneratorresumenext
1778
1779         * bytecompiler/BytecodeGenerator.cpp:
1780         (JSC::BytecodeGenerator::emitDelegateYield):
1781         This change implements step 7.c.iii.1 of yield* runtime semantics [3], that is
1782         observable only if [[Value]] has a userland "then" getter. Awaited result is discarded.
1783         This change fixes async-generator/yield-star-return-then-getter-ticks.js test262 case.
1784
1785         [3]: https://tc39.es/ecma262/#sec-generator-function-definitions-runtime-semantics-evaluation
1786
1787 2020-06-12  Ross Kirsling  <ross.kirsling@sony.com>
1788
1789         Unreviewed, address Darin's feedback on r262890.
1790
1791         * runtime/IntlObject.cpp:
1792         (JSC::addScriptlessLocaleIfNeeded):
1793         Use != instead of < for clarity.
1794
1795 2020-06-12  Adrian Perez de Castro  <aperez@igalia.com>
1796
1797         Build is broken with EVENT_LOOP_TYPE=GLib
1798         https://bugs.webkit.org/show_bug.cgi?id=212987
1799
1800         Reviewed by Konstantin Tokarev.
1801
1802         * PlatformJSCOnly.cmake: Add sources needed to support the remote inspector to
1803         JavaScriptCore_SOURCES.
1804
1805 2020-06-11  Saam Barati  <sbarati@apple.com>
1806
1807         Linear Scan uses the wrong Interval for spills for tmps with roles of early def or late use
1808         https://bugs.webkit.org/show_bug.cgi?id=213055
1809         <rdar://problem/59874018>
1810
1811         Reviewed by Yusuke Suzuki.
1812
1813         There was a bug in linear scan when computing the live range interval for
1814         spill tmps that had early defs or late uses.  When linear scan spills a
1815         tmp, it creates a new tmp that it loads to and stores from, and replaces the old tmp
1816         with the new tmp, and emits stores/loads around pertinent instructions. The live
1817         interval for such tmps is small by nature; it's contained in the interval for the
1818         instruction itself. However, we'd build this interval purely based off the
1819         original tmp's arg timing. So, for example, let's consider a program like this:
1820         
1821         RandoInsn: LateUse:Tmp1, Use:Tmp2, [early = N, late = N+1]
1822         Let's say that Tmp1's last use is RandoInsn, and it had a def before
1823         RandoInsn, therefore, its live range will be something like:
1824         [J where J < N, N+1]
1825         
1826         and now imagine we spilled Tmp1 for some reason, and rewrote the
1827         program to be:
1828         Move Addr(spill for Tmp1), TmpSpill
1829         RandoInsn: LateUse:TmpSpill, Use:Tmp2, [early = N, late = N+1]
1830         
1831         We used to incorrectly mark the live range for TmpSpill to just be [N+1, N+2).
1832         However, the bug here is that we neglected that TmpSpill actually had an earlier
1833         def at [N, N+1). So, the live range for TmpSpill was wrong. This could incorrectly
1834         lead us to allocate Tmp2 and TmpSpill to the same register, since their live
1835         ranges may not intersect if Tmp2 dies at RandoInsn.
1836         
1837         We also had the symmetric bug for EarlyDefs: we wouldn't account for the
1838         store-spill that'd happen after something like RandoInsn.
1839         
1840         The fix is to account for the loads/stores of spill tmps when assigning
1841         them a live range.
1842         
1843         This patch contains a standalone test in testair. It also fixes crashes we had when
1844         running B3O1 tests using typed arrays on arm64e since we had patchpoints that utilized
1845         LateUse for signing and auth.
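        The interval reasoning above, carried through in a small model as an added example that is not Air's linear scan code. It assumes a simplified timing scheme (instruction i owns the half-open slots early = 2i and late = 2i + 1; Use and EarlyDef are timed at early, Def and LateUse at late; the reload of a spilled LateUse tmp lands at the instruction's early timing and the store of a spilled EarlyDef at its late timing) and a greedy scan that hands out the lowest free register. The program, the tmp names and the register set are constructed.

```javascript
// Added example, not Air's code: a simplified model of live intervals for spill tmps
// that reproduces the mis-sized interval described above. Timing model (assumption):
// instruction i owns early = 2i and late = 2i + 1; intervals are half-open [start, end).

// Timing at which an argument with the given role touches its tmp.
function argTiming(role, early, late) {
  switch (role) {
    case 'Use': case 'EarlyDef': return early;
    case 'Def': case 'LateUse': return late;
    default: throw new Error('unknown role ' + role);
  }
}

// Interval for the spill tmp that replaces an argument with `role` in an instruction
// timed [early, late]. Buggy behaviour: only the argument's own timing. Fixed behaviour:
// also cover the reload Move at `early` (LateUse) or the store at `late` (EarlyDef).
function spillTmpInterval(role, early, late, fixed) {
  if (fixed && (role === 'LateUse' || role === 'EarlyDef')) {
    return { start: early, end: late + 1 };
  }
  const t = argTiming(role, early, late);
  return { start: t, end: t + 1 };
}

function intersects(a, b) {
  return a.start < b.end && b.start < a.end;
}

// Greedy linear scan: walk intervals by start, retire the ones that ended, take the
// lowest free register; 'SPILL' when none is free.
function linearScan(intervals, registers) {
  const sorted = [...intervals].sort((a, b) => a.start - b.start);
  const active = [];
  const assignment = {};
  for (const iv of sorted) {
    for (let i = active.length - 1; i >= 0; i--) {
      if (active[i].end <= iv.start) active.splice(i, 1);
    }
    const free = registers.find((r) => !active.some((a) => assignment[a.name] === r));
    assignment[iv.name] = free === undefined ? 'SPILL' : free;
    if (free !== undefined) active.push(iv);
  }
  return assignment;
}

// Constructed program (timings per the model above):
//   [0] Move       Def:Tmp1                      early=0, late=1
//   [1] Move       Def:Tmp2                      early=2, late=3
//   [2] RandoInsn  LateUse:Tmp1, Use:Tmp2        early=4, late=5
// Tmp1 is spilled: its LateUse becomes TmpSpill, reloaded by a Move just before RandoInsn.
function scenario(fixed) {
  const tmp2 = { name: 'Tmp2', start: argTiming('Def', 2, 3), end: argTiming('Use', 4, 5) + 1 }; // [3, 5)
  const spill = { name: 'TmpSpill', ...spillTmpInterval('LateUse', 4, 5, fixed) };
  const assignment = linearScan([tmp2, spill], ['r0', 'r1']);
  return {
    spillInterval: [spill.start, spill.end],
    overlap: intersects(tmp2, spill),
    assignment,
    // true only under the buggy interval: the reload into TmpSpill would clobber Tmp2
    // before RandoInsn reads it.
    sameRegister: assignment.Tmp2 === assignment.TmpSpill,
  };
}
```

        With fixed = false the model yields TmpSpill = [5, 6), no overlap with Tmp2 = [3, 5), and both land in r0; with fixed = true the reload extends TmpSpill to [4, 6), the intervals intersect, and TmpSpill is forced into r1.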
1846
1847         * b3/B3Procedure.h:
1848         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1849         * b3/air/testair.cpp:
1850
1851 2020-06-11  Saam Barati  <sbarati@apple.com>
1852
1853         Replace uses of black/white list with block/allow list
1854         https://bugs.webkit.org/show_bug.cgi?id=213084
1855
1856         Reviewed by Keith Miller.
1857
1858         We should be using racially neutral names in our code. From Chromium style guide:
1859         
1860         "Terms such as 'blacklist' and 'whitelist' reinforce the notion that
1861         black==bad and white==good."
1862
1863         * JavaScriptCore.xcodeproj/project.pbxproj:
1864         * Sources.txt:
1865         * b3/air/AirLowerAfterRegAlloc.cpp:
1866         (JSC::B3::Air::lowerAfterRegAlloc):
1867         * dfg/DFGDriver.cpp:
1868         (JSC::DFG::ensureGlobalDFGAllowlist):
1869         (JSC::DFG::compileImpl):
1870         (JSC::DFG::ensureGlobalDFGWhitelist): Deleted.
1871         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1872         (JSC::DFG::ensureGlobalFTLAllowlist):
1873         (JSC::DFG::TierUpCheckInjectionPhase::run):
1874         (JSC::DFG::ensureGlobalFTLWhitelist): Deleted.
1875         * heap/MachineStackMarker.cpp:
1876         * inspector/scripts/codegen/objc_generator.py:
1877         (ObjCGenerator.should_generate_types_for_domain):
1878         (ObjCGenerator.should_generate_commands_for_domain):
1879         (ObjCGenerator.should_generate_events_for_domain):
1880         * llint/LLIntSlowPaths.cpp:
1881         (JSC::LLInt::ensureGlobalJITAllowlist):
1882         (JSC::LLInt::shouldJIT):
1883         (JSC::LLInt::ensureGlobalJITWhitelist): Deleted.
1884         * runtime/OptionsList.h:
1885         * tools/FunctionAllowlist.cpp: Copied from Source/JavaScriptCore/tools/FunctionWhitelist.cpp.
1886         (JSC::FunctionAllowlist::FunctionAllowlist):
1887         (JSC::FunctionAllowlist::contains const):
1888         (JSC::FunctionWhitelist::FunctionWhitelist): Deleted.
1889         (JSC::FunctionWhitelist::contains const): Deleted.
1890         * tools/FunctionAllowlist.h: Copied from Source/JavaScriptCore/tools/FunctionWhitelist.h.
1891         * tools/FunctionWhitelist.cpp: Removed.
1892         * tools/FunctionWhitelist.h: Removed.
1893
1894 2020-06-11  Yusuke Suzuki  <ysuzuki@apple.com>
1895
1896         [JSC] Return DisposableCallSiteIndex when destroying GCAwareJITStubRoutineWithExceptionHandler
1897         https://bugs.webkit.org/show_bug.cgi?id=213069
1898         <rdar://problem/64205186>
1899
1900         Reviewed by Saam Barati.
1901
1902         Inside GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount, we are returning DisposableCallSiteIndex to freelist.
1903         However, GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount can be called even if the code of GCAwareJITStubRoutineWithExceptionHandler is
1904         on the stack. Let's consider the following scenario.
1905
1906             1. Execute GCAwareJITStubRoutineWithExceptionHandler's code. Set CallSiteIndex to the stack.
1907             2. Execute more code. (1)'s GCAwareJITStubRoutineWithExceptionHandler's code is on the stack.
1908             3. (1)'s GCAwareJITStubRoutineWithExceptionHandler's refcount becomes zero.
1909             4. CallSiteIndex of GCAwareJITStubRoutineWithExceptionHandler is returned.
1910             5. Execute StackVisitor to construct frames. But we cannot find CodeOrigin corresponding to CallSiteIndex stored in (1) since it is already returned.
1911
1912         DisposableCallSiteIndex should be returned after ensuring that GCAwareJITStubRoutineWithExceptionHandler's code is not on the stack. Detecting this is the functionality
1913         that GCAwareJITStubRoutineWithExceptionHandler can offer. It is destroyed after ensuring that GCAwareJITStubRoutineWithExceptionHandler's code is not on the stack.
1914
1915         This patch delays DisposableCallSiteIndex returning until we destroy the owner GCAwareJITStubRoutineWithExceptionHandler. But it is possible that CodeBlock* corresponding to
1916         GCAwareJITStubRoutineWithExceptionHandler is already destroyed. To avoid this condition, we extract CodeOrigins vector as Ref<DFG::CodeOriginPool> and keep it alive from
1917         GCAwareJITStubRoutineWithExceptionHandler too. And since CodeOrigin addition / removal happens only from the main thread after finishing the compilation, and
1918         GCAwareJITStubRoutineWithExceptionHandler's destructor is called from the Heap's finalizer, which must be executed from the main thread, we can just modify it without a lock.
1919
1920         * CMakeLists.txt:
1921         * JavaScriptCore.xcodeproj/project.pbxproj:
1922         * Sources.txt:
1923         * bytecode/CodeBlock.cpp:
1924         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
1925         (JSC::CodeBlock::codeOrigins):
1926         * bytecode/CodeBlock.h:
1927         (JSC::CodeBlock::codeOrigin):
1928         * dfg/DFGCodeOriginPool.cpp: Added.
1929         (JSC::DFG::CodeOriginPool::addCodeOrigin):
1930         (JSC::DFG::CodeOriginPool::addUniqueCallSiteIndex):
1931         (JSC::DFG::CodeOriginPool::lastCallSite const):
1932         (JSC::DFG::CodeOriginPool::addDisposableCallSiteIndex):
1933         (JSC::DFG::CodeOriginPool::removeDisposableCallSiteIndex):
1934         (JSC::DFG::CodeOriginPool::shrinkToFit):
1935         * dfg/DFGCodeOriginPool.h: Added.
1936         (JSC::DFG::CodeOriginPool::create):
1937         (JSC::DFG::CodeOriginPool::get):
1938         (JSC::DFG::CodeOriginPool::size const):
1939         * dfg/DFGCommonData.cpp:
1940         (JSC::DFG::CommonData::shrinkToFit):
1941         (JSC::DFG::CommonData::addCodeOrigin): Deleted.
1942         (JSC::DFG::CommonData::addUniqueCallSiteIndex): Deleted.
1943         (JSC::DFG::CommonData::lastCallSite const): Deleted.
1944         (JSC::DFG::CommonData::addDisposableCallSiteIndex): Deleted.
1945         (JSC::DFG::CommonData::removeDisposableCallSiteIndex): Deleted.
1946         * dfg/DFGCommonData.h:
1947         (JSC::DFG::CommonData::CommonData):
1948         * dfg/DFGJITCompiler.cpp:
1949         (JSC::DFG::JITCompiler::exceptionCheck):
1950         * dfg/DFGJITCompiler.h:
1951         (JSC::DFG::JITCompiler::addCallSite):
1952         * ftl/FTLLowerDFGToB3.cpp:
1953         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1954         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1955         (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
1956         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1957         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1958         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1959         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1960         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1961         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1962         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1963         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1964         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1965         (JSC::FTL::DFG::LowerDFGToB3::getById):
1966         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
1967         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1968         (JSC::FTL::DFG::LowerDFGToB3::callPreflight):
1969         * ftl/FTLSlowPathCall.cpp:
1970         (JSC::FTL::callSiteIndexForCodeOrigin):
1971         * jit/GCAwareJITStubRoutine.cpp:
1972         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1973         (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler):
1974         (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
1975         (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
1976         * jit/GCAwareJITStubRoutine.h:
1977
1978 2020-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1979
1980         RegExp.prototype getters should throw on cross-realm access
1981         https://bugs.webkit.org/show_bug.cgi?id=213075
1982
1983         Reviewed by Saam Barati.
1984
1985         This patch makes RegExp.prototype getters throw TypeError when called on
1986         RegExp.prototype object from another realm, aligning JSC with V8 and SpiderMonkey.
1987
1988         The spec [1] allows same-realm access to avoid breaking the web, while makes
1989         RegExp.prototype an ordinary object (rather than RegExp instance) where possible.
1990
1991         [1]: https://tc39.es/ecma262/#sec-get-regexp.prototype.global (step 3.a)
1992
1993         * runtime/RegExpPrototype.cpp:
1994         (JSC::regExpProtoGetterGlobal):
1995         (JSC::regExpProtoGetterIgnoreCase):
1996         (JSC::regExpProtoGetterMultiline):
1997         (JSC::regExpProtoGetterDotAll):
1998         (JSC::regExpProtoGetterSticky):
1999         (JSC::regExpProtoGetterUnicode):
2000         (JSC::regExpProtoGetterSource):
2001
2002 2020-06-11  Paulo Matos  <pmatos@igalia.com>
2003
2004         Add missing include to JSONObject.cpp - non-unified build
2005         https://bugs.webkit.org/show_bug.cgi?id=213073
2006
2007         Reviewed by Adrian Perez de Castro.
2008
2009         * runtime/JSONObject.cpp:
2010
2011 2020-06-10  Ross Kirsling  <ross.kirsling@sony.com>
2012
2013         REGRESSION(r260697): [Intl] "missing script" locales like zh-TW are no longer mapped
2014         https://bugs.webkit.org/show_bug.cgi?id=213007
2015
2016         Reviewed by Darin Adler.
2017
2018         addMissingScriptLocales was removed from IntlObject when changing our locale resolution to depend more directly
2019         on ICU, but apparently even the latest ICU won't perform this legacy "region implies script" mapping for us.
2020
2021         ICU 65+ does have uloc_openAvailableByType which will do the trick, so perhaps we should use this in the future,
2022         but it still doesn't seem to help us with Collator, which has its own separate set of "available locales".
2023
2024         The exact set of locales which should be mapped is currently under discussion here:
2025         https://github.com/tc39/ecma402/issues/159
2026         But the crux seems to be that we should ensure we have an xx-ZZ alias for all available xx-Yyyy-ZZ locales.
2027
2028         * runtime/IntlObject.cpp:
2029         (JSC::addScriptlessLocaleIfNeeded):
2030         (JSC::intlAvailableLocales):
2031         (JSC::intlCollatorAvailableLocales):
2032
2033 2020-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2034
2035         [JSC] JSCallbackObject::deleteProperty should redirect to Parent::deletePropertyByIndex if propertyName is index
2036         https://bugs.webkit.org/show_bug.cgi?id=213041
2037         <rdar://problem/64204300>
2038
2039         Reviewed by Darin Adler.
2040
2041         We have an infinite recursion here.
2042
2043         -> JSCallbackObject::deletePropertyByIndex
2044             -> JSCell::deleteProperty
2045                 -> JSCallbackObject::deleteProperty
2046                     -> JSObject::deleteProperty
2047                         -> JSCallbackObject::deletePropertyByIndex
2048
2049         When propertyName in JSCallbackObject::deleteProperty is an index, we should go to JSObject::deletePropertyByIndex instead of JSObject::deleteProperty.
2050
2051         * API/JSCallbackObjectFunctions.h:
2052         (JSC::JSCallbackObject<Parent>::deleteProperty):
2053
2054 2020-06-09  Mark Lam  <mark.lam@apple.com>
2055
2056         Stringifier::appendStringifiedValue() should not assume it is always safe to recurse.
2057         https://bugs.webkit.org/show_bug.cgi?id=213006
2058         <rdar://problem/64154840>
2059
2060         Reviewed by Keith Miller.
2061
2062         In r262727, I suggested that Alexey Shvayka add an assertion in
2063         Stringifier::appendStringifiedValue() to assert that it is safe to recurse because
2064         we don't expect it to recurse into itself.  Turns out this is a bad idea because
2065         a client may be doing the recursing before calling Stringifier::appendStringifiedValue().
2066         As a result, Stringifier::appendStringifiedValue() ends up being executed with
2067         the stack pointer already in the reserved zone.  This is legal, and is what the
2068         reserved zone is intended for as long as we don't recurse from here.  However,
2069         this also means that asserting vm.isSafeToRecurseSoft() here will surely fail
2070         because we are already in the reserved zone area.  The fix is simply to remove
2071         this faulty assertion.
2072
2073         * runtime/JSONObject.cpp:
2074         (JSC::Stringifier::appendStringifiedValue):
2075
2076 2020-06-09  Mark Lam  <mark.lam@apple.com>
2077
2078         Disambiguate the OverridesGetPropertyNames structure flag
2079         https://bugs.webkit.org/show_bug.cgi?id=212909
2080         <rdar://problem/63823557>
2081
2082         Reviewed by Saam Barati.
2083
2084         Previously, the OverridesGetPropertyNames structure flag could mean 2 different
2085         things:
2086         1. the getPropertyNames() method is overridden, or
2087         2. any of the forms of getPropertyName() is overridden:
2088            getPropertyName, getOwnPropertyNames, getOwnNonIndexPropertyNames
2089
2090         Some parts of the code expect one definition while other parts expect the other.
2091         This patch disambiguates between the 2 by introducing OverridesAnyFormOfGetPropertyNames
2092         for definition (2).  OverridesGetPropertyNames now only means definition (1).
2093
2094         Note: we could have implemented overridesGetPropertyNames() by doing a comparison
2095         of the getPropertyNames pointer in the MethodTable.  This is a little slower than
2096         checking a TypeInfo flag, but probably doesn't matter a lot in the code paths
2097         where overridesGetPropertyNames() is called.  However, we have bits left in
2098         TypeInfo.  So, we might as well use them.
2099
2100         This ambiguity resulted in JSObject::getPropertyNames() recursing infinitely
2101         when it didn't think it could recurse.  This is demonstrated in
2102         JSTests/stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js as
2103         follows:
2104
2105         1. The test case invokes JSObject::getPropertyNames on a JSArray.
2106
2107         2. In the while loop at the bottom of JSObject::getPropertyNames(), we check
2108            `if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {`.
2109
2110         3. The test overrides proto as follows:
2111            `arg0.__proto__ = arr1` where both arg0 and arr1 are JSArrays.
2112
2113         4. In the old code, JSArray sets OverridesGetPropertyNames but does not override
2114            getPropertyNames().  It actually meant to set OverridesAnyFormOfGetPropertyNames
2115            (after we disambiguated it) because JSArray overrides getOwnNonIndexPropertyNames().
2116
2117         5. When we get to the check at (2), we ask if the prototype overridesGetPropertyNames().
2118            Since JSArray sets OverridesGetPropertyNames, the answer is yes / true.
2119
2120            JSObject::getPropertyNames() then proceeds to invoke
2121            `prototype->methodTable(vm)->getPropertyNames(prototype, globalObject, propertyNames, mode);`
2122
2123            But because JSArray does not actually override getPropertyNames(), we're
2124            actually invoking JSObject::getPropertyNames() here.  Voilà!  Infinite loop.
2125
2126         With this patch, JSArray is disambiguated to set OverridesAnyFormOfGetPropertyNames
2127         instead of OverridesGetPropertyNames, and this infinite loop no longer exists.
2128
2129         This patch also made the following changes:
2130
2131         1. Templatized TypeInfo::isSetOnFlags1() and TypeInfo::isSetOnFlags2() so that
2132            we can use static_asserts instead of a debug ASSERT to verify the integrity of
2133            the flag we're checking against.
2134
2135         2. Added a Structure::validateFlags() called from the Structure constructor.
2136            validateFlags() will verify the following:
2137            a. OverridesGetOwnPropertySlot must be set in the flags if getOwnPropertySlot
2138               is overridden in the MethodTable.
2139            b. InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero must be set in
2140               the flags if getOwnPropertySlotByIndex is overridden in the MethodTable.
2141            c. HasPutPropertySecurityCheck must be set in the flags if doPutPropertySecurityCheck
2142               is overridden in the MethodTable.
2143            d. OverridesGetPropertyNames must be set in the flags if getPropertyNames
2144               is overridden in the MethodTable.
2145            e. OverridesAnyFormOfGetPropertyNames must be set in the flags if any of
2146               getPropertyNames, getOwnPropertyNames, or getOwnNonIndexPropertyNames are
2147               overridden in the MethodTable.
2148
2149            An alternate solution would be to automatically set these flags if we detect
2150            their corresponding methods are overridden.  However, this alternate solution
2151            requires this laundry list to be checked every time a structure is constructed.
2152            The current implementation of having the required flags already pre-determined
2153            as a constant is more efficient in terms of performance and code space.
2154
2155            Also, it only takes one instantiation of the structure to verify that the flags
2156            are valid.  Since we only write JSCell / JSObject classes when we need them
2157            and we always write tests to exercise new code (especially such classes), we're
2158            guaranteed the flags validation will be exercised.
2159
2160         3. Made JSObject::getOwnPropertySlot() and JSObject::doPutPropertySecurityCheck()
2161            not inlined when ASSERT_ENABLED.  This is needed in order for Structure::validateFlags()
2162            to do its checks using function pointer comparisons.  Otherwise, the inline
2163            functions can result in multiple instantiations of these functions.  For
2164            example, WebCore can get its own copy of JSObject::getOwnPropertySlot() and
2165            the comparisons will think the function is overridden even when it's not.
2166
2167         4. Structure::validateFlags() found the following problems which are now fixed:
2168
2169            GetterSetter was not using its StructureFlags.  As a result, it was missing the
2170            OverridesGetOwnPropertySlot flag.
2171
2172            JSDataView did not define its StructureFlags.  It was missing the
2173            OverridesGetOwnPropertySlot and OverridesAnyFormOfGetPropertyNames flags.
2174
2175         5. Changed a TypeInfo constructor to not have a default argument for the flags value.
2176            Also grepped for all uses of this constructor to make sure that it is passed
2177            the StructureFlags field.  This exercise found the following issue:
2178
2179            JSAPIValueWrapper was not using its StructureFlags when creating its structure.
2180            Previously, it was just ignoring the StructureIsImmortal flag in StructureFlags.
2181
2182         6. Hardened the assertions for hasReadOnlyOrGetterSetterPropertiesExcludingProto()
2183            and hasGetterSetterProperties() in the Structure constructor.
2184
2185            Previously, if the flag is set, it verifies that the ClassInfo has the
2186            appropriate data expected by the flag.  However, it does not assert the reverse
2187            i.e. that if the ClassInfo data exists, then the flag must also be set.
2188            The new assertions now check both.
2189
2190            Moved the overridesGetCallData() assertion into Structure::validateFlags()
2191            because it concerns the OverridesGetCallData flag.  This assertion has also
2192            been hardened.
2193
2194         * API/JSAPIValueWrapper.h:
2195         * API/JSCallbackObject.h:
2196         * debugger/DebuggerScope.h:
2197         * inspector/JSInjectedScriptHostPrototype.h:
2198         * inspector/JSJavaScriptCallFramePrototype.h:
2199         * runtime/ClonedArguments.h:
2200         * runtime/ErrorInstance.h:
2201         * runtime/GenericArguments.h:
2202         * runtime/GetterSetter.h:
2203         * runtime/JSArray.h:
2204         * runtime/JSDataView.h:
2205         * runtime/JSFunction.h:
2206         * runtime/JSGenericTypedArrayView.h:
2207         * runtime/JSGlobalObject.h:
2208         * runtime/JSLexicalEnvironment.h:
2209         * runtime/JSModuleEnvironment.h:
2210         * runtime/JSModuleNamespaceObject.h:
2211         * runtime/JSObject.cpp:
2212         (JSC::JSObject::doPutPropertySecurityCheck):
2213         (JSC::JSObject::getOwnPropertySlot):
2214         * runtime/JSObject.h:
2215         (JSC::JSObject::getOwnPropertySlotImpl):
2216         (JSC::JSObject::getOwnPropertySlot):
2217         * runtime/JSProxy.h:
2218         * runtime/JSString.h:
2219         * runtime/JSSymbolTableObject.h:
2220         * runtime/JSTypeInfo.h:
2221         (JSC::TypeInfo::TypeInfo):
2222         (JSC::TypeInfo::masqueradesAsUndefined const):
2223         (JSC::TypeInfo::implementsHasInstance const):
2224         (JSC::TypeInfo::implementsDefaultHasInstance const):
2225         (JSC::TypeInfo::overridesGetCallData const):
2226         (JSC::TypeInfo::overridesToThis const):
2227         (JSC::TypeInfo::structureIsImmortal const):
2228         (JSC::TypeInfo::overridesGetPropertyNames const):
2229         (JSC::TypeInfo::overridesAnyFormOfGetPropertyNames const):
2230         (JSC::TypeInfo::prohibitsPropertyCaching const):
2231         (JSC::TypeInfo::getOwnPropertySlotIsImpure const):
2232         (JSC::TypeInfo::getOwnPropertySlotIsImpureForPropertyAbsence const):
2233         (JSC::TypeInfo::hasPutPropertySecurityCheck const):
2234         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints const):
2235         (JSC::TypeInfo::isImmutablePrototypeExoticObject const):
2236         (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero const):
2237         (JSC::TypeInfo::isSetOnFlags1 const):
2238         (JSC::TypeInfo::isSetOnFlags2 const):
2239         * runtime/ObjectConstructor.cpp:
2240         (JSC::objectConstructorAssign):
2241         * runtime/ProxyObject.h:
2242         * runtime/RegExpObject.h:
2243         * runtime/StringObject.h:
2244         * runtime/Structure.cpp:
2245         (JSC::Structure::validateFlags):
2246         (JSC::Structure::Structure):
2247         * runtime/Structure.h:
2248         * runtime/StructureInlines.h:
2249         (JSC::Structure::canCacheOwnKeys const):
2250         * tools/JSDollarVM.cpp:
2251
2252 2020-06-09  Jonathan Bedard  <jbedard@apple.com>
2253
2254         JavaScriptCore: Support tvOS and watchOS builds with the public SDK
2255         https://bugs.webkit.org/show_bug.cgi?id=212788
2256         <rdar://problem/64000087>
2257
2258         Reviewed by Tim Horton.
2259
2260         * Configurations/Base.xcconfig: Link to tvOS and watchOS framework stubs.
2261         * Configurations/JavaScriptCore.xcconfig: Use iOS flags for all embedded platforms.
2262
2263 2020-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2264
2265         [JSC] Shrink __DATA,(__data,__bss,__common) more
2266         https://bugs.webkit.org/show_bug.cgi?id=212863
2267
2268         Reviewed by Sam Weinig.
2269
2270         1. Use `unsigned` instead of `size_t` in GC size-class array. We know that this number never exceeds largeCutoff,
2271            which must be much smaller than UINT32_MAX.
2272         2. Add missing const to various variables to put them in __DATA,__const instead of __DATA,__data etc.
2273
2274         * heap/MarkedSpace.cpp:
2275         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2276         * heap/MarkedSpace.h:
2277         * heap/VisitRaceKey.cpp:
2278         * heap/VisitRaceKey.h:
2279         * inspector/agents/InspectorDebuggerAgent.cpp:
2280         * inspector/agents/InspectorDebuggerAgent.h:
2281         * runtime/PropertyDescriptor.cpp:
2282         * runtime/PropertyDescriptor.h:
2283
2284 2020-06-08  Keith Miller  <keith_miller@apple.com>
2285
2286         Removed unneeded POINTER_WIDTH macro from b3
2287         https://bugs.webkit.org/show_bug.cgi?id=212927
2288
2289         Reviewed by Yusuke Suzuki.
2290
2291         C++20 has real constexpr functions so we don't need the
2292         POINTER_WIDTH macro anymore.
2293
2294         * b3/B3Width.h:
2295         (JSC::B3::pointerWidth):
2296         * b3/air/opcode_generator.rb:
2297
2298 2020-06-08  Alexey Shvayka  <shvaikalesh@gmail.com>
2299
2300         JSON.stringify should throw stack overflow error
2301         https://bugs.webkit.org/show_bug.cgi?id=143511
2302
2303         Reviewed by Ross Kirsling and Mark Lam.
2304
2305         This change adds an m_holderStack.size() check, reusing the limit of JSON.parse,
2306         and throws StackOverflowError if exceeded, aligning JSC with V8 and SpiderMonkey.
2307         Even with all the cyclic structure checks in place, excess is possible due to
2308         a very deeply nested object, a user-provided "toJSON" method, or a functional replacer.
2309
2310         While Stringifier::appendStringifiedValue() and Holder::appendNextProperty()
2311         mutually call each other, recursion is avoided by !holderStackWasEmpty check and
2312         do/while loop at the end of appendStringifiedValue(), as well as cyclic structure
2313         check as per spec [1].
2314
2315         [1]: https://tc39.es/ecma262/#sec-serializejsonobject (step 1)
2316
2317         * runtime/JSONObject.cpp:
2318         (JSC::Stringifier::appendStringifiedValue):
2319         (JSC::Walker::walk):
2320
2321 2020-06-08  Jonathan Bedard  <jbedard@apple.com>
2322
2323         JavaScriptCore: Fix PLATFORM(TVOS) macro
2324         https://bugs.webkit.org/show_bug.cgi?id=212900
2325         <rdar://problem/64118879>
2326
2327         Unreviewed build fix.
2328
2329         * tools/JSDollarVM.cpp:
2330         (JSC::functionIsMemoryLimited): PLATFORM(TVOS) should be PLATFORM(APPLETV).
2331
2332 2020-06-07  Philippe Normand  <pnormand@igalia.com>
2333
2334         Remove ENABLE_VIDEO_TRACK ifdef guards
2335         https://bugs.webkit.org/show_bug.cgi?id=212568
2336
2337         Reviewed by Youenn Fablet.
2338
2339         * Configurations/FeatureDefines.xcconfig: Remove ENABLE_VIDEO_TRACK, which is now enabled by
2340         default under the ENABLE_VIDEO guard.
2341
2342 2020-06-07  Yusuke Suzuki  <ysuzuki@apple.com>
2343
2344         [JSC] Checksum for generated files should be emitted at the end of the files
2345         https://bugs.webkit.org/show_bug.cgi?id=212875
2346
2347         Reviewed by Mark Lam.
2348
2349         If the offlineasm file generation is interrupted in the middle of the generation, it has already emitted the checksum.
2350         So the next file generation can accept this broken file as a result of offlineasm and skip file generation.
2351         We should emit the checksum at the end of files. For now, this patch takes a quick way: just iterating lines, getting
2352         the last line and using it for checksum comparison.
2353
2354         * generator/GeneratedFile.rb:
2355         * offlineasm/asm.rb:
2356
2357 2020-06-06  Mark Lam  <mark.lam@apple.com>
2358
2359         Make CodeBlockHash robust against unreasonably long source code.
2360         https://bugs.webkit.org/show_bug.cgi?id=212847
2361         <rdar://problem/64024279>
2362
2363         Reviewed by Saam Barati.
2364
2365         This patch adds a heuristic to avoid trying to compute the CodeBlockHash on
2366         unreasonably long source code strings.  This is done by first applying a length
2367         check and, if needed, computing the hash with an alternate method.
2368
2369         This is OK to do because:
2370         1. CodeBlockHash is not a critical hash.
2371         2. In practice, reasonable source code is not that long.
2372         3. And if they are that long, then we are still diversifying the hash on their
2373            length. But if they do collide, it's OK.
2374
2375         The only invariant here is that we should always produce the same hash for the
2376         same source string.  Since the algorithm is deterministic, this invariant is not
2377         violated.
2378
2379         * bytecode/CodeBlockHash.cpp:
2380         (JSC::CodeBlockHash::CodeBlockHash):
2381
2382 2020-06-06  Devin Rousso  <drousso@apple.com>
2383
2384         Web Inspector: unify the naming scheme for agents used by instrumentation
2385         https://bugs.webkit.org/show_bug.cgi?id=212859
2386
2387         Reviewed by Timothy Hatcher.
2388
2389         Inspector agents fall into one of three categories:
2390          - "persistent" when Web Inspector is connected
2391          - "enabled" when that agent is `enable`d, such as if the corresponding tab is visible
2392          - "tracking" when that agent is part of a timeline recording.
2393
2394         The only exception to this is the Console agent, as that exists regardless of whether Web
2395         Inspector is connected as it needs to preserve messages logged before Web Inspector connects.
2396
2397         Also remove the "Inspector" prefix from getter/setter methods as it adds confusion if that
2398         agent also has subclasses (e.g. `InspectorRuntimeAgent` and `PageRuntimeAgent`).
2399
2400         * inspector/JSGlobalObjectConsoleClient.h:
2401         * inspector/JSGlobalObjectInspectorController.cpp:
2402         * inspector/agents/InspectorConsoleAgent.h:
2403
2404 2020-06-05  Michael Saboff  <msaboff@apple.com>
2405
2406         Make FAST_JIT_PERMISSIONS check in LinkBuffer::copyCompactAndLinkCode a runtime check
2407         https://bugs.webkit.org/show_bug.cgi?id=212825
2408
2409         Reviewed by Saam Barati.
2410
2411         Added useFastJITPermissions() for runtime checks of FAST_JIT_PERMISSIONS
2412         including the cases where it is conditional on OS settings. This is now
2413         used in a few places to declutter the code.
2414
2415         When using the fast JIT permissions path, the JIT memory is the direct output
2416         of the linking. Modified BranchCompactionLinkBuffer to hold a pointer to that
2417         output "buffer" or a temporarily allocated buffer depending on if fast JIT
2418         permissions are enabled.
2419
2420         Broke out the "verify hash" conditionally compiled code with a file local
2421         ENABLE_VERIFY_JIT_HASH macro for readability.
2422
2423         * assembler/LinkBuffer.cpp:
2424         (JSC::BranchCompactionLinkBuffer::BranchCompactionLinkBuffer):
2425         (JSC::BranchCompactionLinkBuffer::~BranchCompactionLinkBuffer):
2426         Changed this to use a provided buffer or a malloc'ed buffer. When using
2427         a malloc'ed buffer, we put it in a thread local cache.
2428
2429         (JSC::LinkBuffer::copyCompactAndLinkCode):
2430         * jit/ExecutableAllocator.h:
2431         (JSC::useFastJITPermissions):
2432         (JSC::performJITMemcpy):
2433
2434 2020-06-05  Yusuke Suzuki  <ysuzuki@apple.com>
2435
2436         [JSC] Put dfgOpNames in __DATA,__const section instead of __DATA,__data
2437         https://bugs.webkit.org/show_bug.cgi?id=212840
2438
2439         Reviewed by Saam Barati.
2440
2441         The dfgOpNames array itself is not const-annotated, and the compiler makes it __DATA,__data instead of __DATA,__const.
2442         We should annotate it with const to ensure that this is compiled into __DATA,__const. We also remove the unused CallFrame::describeFrame
2443         since it allocates some bss memory, while we have a more sophisticated mechanism (VMInspector) for this functionality and this function
2444         is no longer used.
2445
2446         * dfg/DFGDoesGCCheck.cpp:
2447         (JSC::DFG::DoesGCCheck::verifyCanGC):
2448         * dfg/DFGGraph.cpp:
2449         * dfg/DFGGraph.h:
2450         * interpreter/CallFrame.cpp:
2451         (JSC::CallFrame::describeFrame): Deleted.
2452         * interpreter/CallFrame.h:
2453
2454 2020-06-05  Tadeu Zagallo  <tzagallo@apple.com>
2455
2456         REGRESSION(r262523): Fix testb3
2457         https://bugs.webkit.org/show_bug.cgi?id=212791
2458
2459         Reviewed by Mark Lam.
2460
2461         * b3/testb3_1.cpp:
2462         (run):
2463         (main):
2464
2465 2020-06-05  Paulo Matos  <pmatos@igalia.com>
2466
2467         Add missing ECMAMode header to fix NonUnified Build
2468         https://bugs.webkit.org/show_bug.cgi?id=212838
2469
2470         Reviewed by Darin Adler.
2471
2472         * bytecode/PutByValFlags.h:
2473
2474 2020-06-05  Saam Barati  <sbarati@apple.com>
2475
2476         Audit safe to execute
2477         https://bugs.webkit.org/show_bug.cgi?id=207075
2478         <rdar://problem/59085094>
2479
2480         Reviewed by Yusuke Suzuki.
2481
2482         This audit found one interesting case for DOMJIT nodes. We emit safety checks
2483         for CallDOM/CallDOMGetter inside fixup phase and the bytecode parser. When
2484         determining if these nodes are safe to execute, we need to also ensure that
2485         these checks hold.
2486         
2487         I've also added a helper to JSDollarVM to ensure that this patch doesn't break
2488         LICM of DOMJIT.
2489         
2490         This patch also moves some nodes we will never hoist to return false.
2491
2492         * dfg/DFGByteCodeParser.cpp:
2493         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2494         * dfg/DFGFixupPhase.cpp:
2495         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
2496         * dfg/DFGNode.h:
2497         (JSC::DFG::Node::classInfo):
2498         (JSC::DFG::Node::requiredDOMJITClassInfo):
2499         * dfg/DFGSafeToExecute.h:
2500         (JSC::DFG::safeToExecute):
2501         * tools/JSDollarVM.cpp:
2502         (JSC::functionCreateDOMJITGetterNoEffectsObject):
2503         (JSC::JSDollarVM::finishCreation):
2504
2505 2020-06-05  Devin Rousso  <drousso@apple.com>
2506
2507         Logical Assignment: perform NamedEvaluation of anonymous functions
2508         https://bugs.webkit.org/show_bug.cgi?id=212679
2509
2510         Reviewed by Ross Kirsling.
2511
2512         * parser/ASTBuilder.h:
2513         (JSC::ASTBuilder::makeAssignNode):
2514
2515 2020-06-05  Yusuke Suzuki  <ysuzuki@apple.com>
2516
2517         DOM constructor should only accept Ref<> / ExceptionOr<Ref<>> for creation to ensure toJSNewlyCreated is always returning object
2518         https://bugs.webkit.org/show_bug.cgi?id=212767
2519
2520         Reviewed by Darin Adler.
2521
2522         * runtime/JSObject.h:
2523         (JSC::asObject):
2524
2525 2020-06-05  Andy Estes  <aestes@apple.com>
2526
2527         [Apple Pay] Remove conditionals for ENABLE_APPLE_PAY_SESSION_V(3|4)
2528         https://bugs.webkit.org/show_bug.cgi?id=212541
2529         <rdar://problem/63781452>
2530
2531         Reviewed by Darin Adler.
2532
2533         APPLE_PAY_SESSION_V(3|4) is now enabled whenever APPLE_PAY itself is enabled.
2534
2535         * Configurations/FeatureDefines.xcconfig:
2536
2537 2020-06-05  Caitlin Potter  <caitp@igalia.com>
2538
2539         [JSC] Add support for private class fields
2540         https://bugs.webkit.org/show_bug.cgi?id=206431
2541
2542         Reviewed by Saam Barati.
2543
2544         Expanding upon the earlier public class fields patch, we implement the remaining (and
2545         significant) parts of instance fields (https://tc39.es/proposal-class-fields/).
2546
2547         There are a variety of key changes here:
2548
2549             - Parser now understands the concept of private names (Token PRIVATENAME).
2550             - 1 new opcode (op_get_private_name), one changed opcode (op_put_by_val_direct).
2551             - A method for creating Symbol objects with a null PrivateSymbolImpl is exposed as a
2552               LinkTimeConstant (@createPrivateSymbol).
2553             - Null Private Symbols are stored by name (not a valid identifier) in a JSScope, and
2554               are loaded from the outer scope whenever they are used by the modified opcodes.
2555
2556         The changes to op_put_by_val_direct include a new bytecode operand (PutByValFlags) which is
2557         used to distinguish between overwriting or defining a new private field. Specifically, when it
2558         comes to private field accesses, it's necessary to throw an exception when accessing a field
2559         which does not exist, or when attempting to define a private field which has already been
2560         defined.
2561
2562         During the evaluation of a class expression, before the class element list is evaluated (in case
2563         any computed property names expressions refer to a new private field), a new PrivateSymbol is
2564         created for each individual private field name, and stored in the class lexical scope.
2565
2566         Private field names are loaded from scope before their use. This prevents multiple evaluations
2567         of the same class source from accessing each other's private fields, because the values of the
2568         symbols loaded from the class scope would be distinct. This is required by the proposal text,
2569         and is the key reason why we use ByVal lookups rather than ById lookups.
2570
2571         To illustrate, typical private field access will look like:
2572
2573         <Field Reads>
2574         resolve_scope      <scope=>, <currentScope>, "#x", GlobalProperty, 0
2575         get_from_scope     <symbol=>, <scope>, "#x", 1050624<DoNotThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
2576         get_private_name   <value=>, <receiver --- probably 'this'>, <symbol>
2577
2578         <Field Writes>
2579         resolve_scope      <scope=>, <currentScope>, "#x", GlobalProperty, 0
2580         get_from_scope     <symbol=>, <scope>, "#x", 1050624<DoNotThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
2581         put_by_val_direct  <receiver, probably 'this'>, <symbol>, <value>, <PutByValPrivateName>
2582
2583         <Field Definition>
2584         resolve_scope      <scope=>, <currentScope>, "#x", GlobalProperty, 0
2585         get_from_scope     <symbol=>, <scope>, "#x", 1050624<DoNotThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
2586         put_by_val_direct  <receiver, probably 'this'>, <symbol>, <value>, <PutByValPrivateName|PutByValThrowIfExists>
2587
2588         The feature is currently hidden behind the feature flag JSC::Options::usePrivateClassFields.
2589
2590         * CMakeLists.txt:
2591         * JavaScriptCore.xcodeproj/project.pbxproj:
2592         * Sources.txt:
2593         * builtins/BuiltinNames.h:
2594         * bytecode/BytecodeList.rb:
2595         * bytecode/BytecodeUseDef.cpp:
2596         (JSC::computeUsesForBytecodeIndexImpl):
2597         (JSC::computeDefsForBytecodeIndexImpl):
2598         * bytecode/CodeBlock.cpp:
2599         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2600         * bytecode/Fits.h:
2601         * bytecode/LinkTimeConstant.h:
2602         * bytecode/PutByValFlags.cpp: Copied from Source/JavaScriptCore/bytecode/PutKind.h.
2603         (WTF::printInternal):
2604         * bytecode/PutByValFlags.h: Added.
2605         (JSC::PutByValFlags::create):
2606         (JSC::PutByValFlags::createDirect):
2607         (JSC::PutByValFlags::createDefinePrivateField):
2608         (JSC::PutByValFlags::createPutPrivateField):
2609         (JSC::PutByValFlags::isDirect const):
2610         (JSC::PutByValFlags::ecmaMode const):
2611         (JSC::PutByValFlags::privateFieldAccessKind const):
2612         (JSC::PutByValFlags::isPrivateFieldAccess const):
2613         (JSC::PutByValFlags::isPrivateFieldPut const):
2614         (JSC::PutByValFlags::isPrivateFieldAdd const):
2615         (JSC::PutByValFlags::PutByValFlags):
2616         * bytecode/PutKind.h:
2617         * bytecode/UnlinkedFunctionExecutable.cpp:
2618         (JSC::generateUnlinkedFunctionCodeBlock):
2619         * bytecompiler/BytecodeGenerator.cpp:
2620         (JSC::BytecodeGenerator::instantiateLexicalVariables):
2621         (JSC::BytecodeGenerator::emitDirectGetByVal):
2622         (JSC::BytecodeGenerator::emitDirectPutByVal):
2623         (JSC::BytecodeGenerator::emitDefinePrivateField):
2624         (JSC::BytecodeGenerator::emitPrivateFieldPut):
2625         * bytecompiler/BytecodeGenerator.h:
2626         * bytecompiler/NodesCodegen.cpp:
2627         (JSC::PropertyListNode::emitDeclarePrivateFieldNames):
2628         (JSC::PropertyListNode::emitBytecode):
2629         (JSC::PropertyListNode::emitPutConstantProperty):
2630         (JSC::DotAccessorNode::emitBytecode):
2631         (JSC::BaseDotNode::emitGetPropertyValue):
2632         (JSC::BaseDotNode::emitPutProperty):
2633         (JSC::FunctionCallDotNode::emitBytecode):
2634         (JSC::PostfixNode::emitDot):
2635         (JSC::PrefixNode::emitDot):
2636         (JSC::AssignDotNode::emitBytecode):
2637         (JSC::ReadModifyDotNode::emitBytecode):
2638         (JSC::DefineFieldNode::emitBytecode):
2639         (JSC::ClassExprNode::emitBytecode):
2640         * dfg/DFGByteCodeParser.cpp:
2641         (JSC::DFG::ecmaMode):
2642         (JSC::DFG::ecmaMode<OpPutByValDirect>):
2643         (JSC::DFG::ByteCodeParser::handlePutByVal):
2644         * dfg/DFGCapabilities.cpp:
2645         (JSC::DFG::capabilityLevel):
2646         * dfg/DFGSpeculativeJIT.cpp:
2647         (JSC::DFG::SpeculativeJIT::cachedPutById):
2648         * ftl/FTLLowerDFGToB3.cpp:
2649         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2650         * generator/DSL.rb:
2651         * jit/ICStats.h:
2652         * jit/JIT.cpp:
2653         (JSC::JIT::privateCompileMainPass):
2654         * jit/JIT.h:
2655         * jit/JITInlineCacheGenerator.cpp:
2656         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2657         (JSC::JITPutByIdGenerator::slowPathFunction):
2658         * jit/JITInlineCacheGenerator.h:
2659         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2660         * jit/JITInlines.h:
2661         (JSC::JIT::ecmaMode):
2662         (JSC::JIT::ecmaMode<OpPutById>):
2663         (JSC::JIT::ecmaMode<OpPutByValDirect>):
2664         (JSC::JIT::privateFieldAccessKind):
2665         (JSC::JIT::privateFieldAccessKind<OpPutByValDirect>):
2666         * jit/JITOperations.cpp:
2667         (JSC::putPrivateField):
2668         (JSC::definePrivateField):
2669         * jit/JITOperations.h:
2670         * jit/JITPropertyAccess.cpp:
2671         (JSC::JIT::emitPutByValWithCachedId):
2672         (JSC::JIT::emitSlow_op_put_by_val):
2673         (JSC::JIT::emit_op_put_by_id):
2674         * jit/JITPropertyAccess32_64.cpp:
2675         (JSC::JIT::emitSlow_op_put_by_val):
2676         (JSC::JIT::emit_op_put_by_id):
2677         * jit/Repatch.cpp:
2678         (JSC::appropriateGenericPutByIdFunction):
2679         (JSC::appropriateOptimizingPutByIdFunction):
2680         (JSC::tryCachePutByID):
2681         * llint/LLIntOffsetsExtractor.cpp:
2682         * llint/LLIntSlowPaths.cpp:
2683         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2684         * llint/LLIntSlowPaths.h:
2685         * llint/LowLevelInterpreter32_64.asm:
2686         * llint/LowLevelInterpreter64.asm:
2687         * parser/ASTBuilder.h:
2688         (JSC::ASTBuilder::createDotAccess):
2689         (JSC::ASTBuilder::isPrivateLocation):
2690         (JSC::ASTBuilder::makeFunctionCallNode):
2691         (JSC::ASTBuilder::makeAssignNode):
2692         * parser/Lexer.cpp:
2693         (JSC::Lexer<LChar>::parseIdentifier):
2694         (JSC::Lexer<UChar>::parseIdentifier):
2695         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2696         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
2697         * parser/NodeConstructors.h:
2698         (JSC::BaseDotNode::BaseDotNode):
2699         (JSC::DotAccessorNode::DotAccessorNode):
2700         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2701         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2702         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2703         (JSC::HasOwnPropertyFunctionCallDotNode::HasOwnPropertyFunctionCallDotNode):
2704         (JSC::AssignDotNode::AssignDotNode):
2705         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2706         * parser/Nodes.cpp:
2707         (JSC::PropertyListNode::shouldCreateLexicalScopeForClass):
2708         * parser/Nodes.h:
2709         (JSC::ExpressionNode::isPrivateLocation const):
2710         (JSC::BaseDotNode::base const):
2711         (JSC::BaseDotNode::identifier const):
2712         (JSC::BaseDotNode::type const):
2713         (JSC::BaseDotNode::isPrivateField const):
2714         * parser/Parser.cpp:
2715         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2716         (JSC::Parser<LexerType>::parseDestructuringPattern):
2717         (JSC::Parser<LexerType>::parseClass):
2718         (JSC::Parser<LexerType>::parseInstanceFieldInitializerSourceElements):
2719         (JSC::Parser<LexerType>::usePrivateName):
2720         (JSC::Parser<LexerType>::parseMemberExpression):
2721         (JSC::Parser<LexerType>::parseUnaryExpression):
2722         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2723         * parser/Parser.h:
2724         (JSC::Scope::isPrivateNameScope const):
2725         (JSC::Scope::setIsPrivateNameScope):
2726         (JSC::Scope::hasPrivateName):
2727         (JSC::Scope::copyUndeclaredPrivateNamesTo):
2728         (JSC::Scope::hasUsedButUndeclaredPrivateNames const):
2729         (JSC::Scope::usePrivateName):
2730         (JSC::Scope::declarePrivateName):
2731         (JSC::Parser::findPrivateNameScope):
2732         (JSC::Parser::privateNameScope):
2733         (JSC::Parser::copyUndeclaredPrivateNamesToOuterScope):
2734         (JSC::Parser::matchAndUpdate):
2735         (JSC::Parser<LexerType>::parse):
2736         (JSC::parse):
2737         * parser/ParserTokens.h:
2738         * parser/SyntaxChecker.h:
2739         (JSC::SyntaxChecker::createDotAccess):
2740         (JSC::SyntaxChecker::operatorStackPop):
2741         * parser/VariableEnvironment.cpp:
2742         (JSC::VariableEnvironment::operator=):
2743         (JSC::VariableEnvironment::swap):
2744         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
2745         * parser/VariableEnvironment.h:
2746         (JSC::VariableEnvironmentEntry::isPrivateName const):
2747         (JSC::VariableEnvironmentEntry::setIsPrivateName):
2748         (JSC::PrivateNameEntry::PrivateNameEntry):
2749         (JSC::PrivateNameEntry::isUsed const):
2750         (JSC::PrivateNameEntry::isDeclared const):
2751         (JSC::PrivateNameEntry::setIsUsed):
2752         (JSC::PrivateNameEntry::setIsDeclared):
2753         (JSC::PrivateNameEntry::bits const):
2754         (JSC::PrivateNameEntry::operator== const):
2755         (JSC::VariableEnvironment::VariableEnvironment):
2756         (JSC::VariableEnvironment::size const):
2757         (JSC::VariableEnvironment::mapSize const):
2758         (JSC::VariableEnvironment::declarePrivateName):
2759         (JSC::VariableEnvironment::usePrivateName):
2760         (JSC::VariableEnvironment::privateNames const):
2761         (JSC::VariableEnvironment::privateNamesSize const):
2762         (JSC::VariableEnvironment::hasPrivateName):
2763         (JSC::VariableEnvironment::copyPrivateNamesTo const):
2764         (JSC::VariableEnvironment::copyUndeclaredPrivateNamesTo const):
2765         (JSC::VariableEnvironment::RareData::RareData):
2766         (JSC::VariableEnvironment::getOrAddPrivateName):
2767         * runtime/CachedTypes.cpp:
2768         (JSC::CachedOptional::decodeAsPtr const):
2769         (JSC::CachedVariableEnvironmentRareData::encode):
2770         (JSC::CachedVariableEnvironmentRareData::decode const):
2771         (JSC::CachedVariableEnvironment::encode):
2772         (JSC::CachedVariableEnvironment::decode const):
2773         (JSC::CachedSymbolTableRareData::encode):
2774         (JSC::CachedSymbolTableRareData::decode const):
2775         (JSC::CachedSymbolTable::encode):
2776         (JSC::CachedSymbolTable::decode const):
2777         * runtime/CodeCache.cpp:
2778         (JSC::generateUnlinkedCodeBlockImpl):
2779         * runtime/CommonIdentifiers.cpp:
2780         (JSC::CommonIdentifiers::CommonIdentifiers):
2781         * runtime/CommonIdentifiers.h:
2782         * runtime/CommonSlowPaths.cpp:
2783         (JSC::SLOW_PATH_DECL):
2784         * runtime/CommonSlowPaths.h:
2785         * runtime/ExceptionHelpers.cpp:
2786         (JSC::createInvalidPrivateNameError):
2787         (JSC::createRedefinedPrivateNameError):
2788         * runtime/ExceptionHelpers.h:
2789         * runtime/JSGlobalObject.cpp:
2790         (JSC::createPrivateSymbol):
2791         (JSC::JSGlobalObject::init):
2792         * runtime/JSObject.h:
2793         * runtime/JSObjectInlines.h:
2794         (JSC::JSObject::getPrivateFieldSlot):
2795         (JSC::JSObject::getPrivateField):
2796         (JSC::JSObject::putPrivateField):
2797         (JSC::JSObject::definePrivateField):
2798         * runtime/JSScope.cpp:
2799         (JSC::JSScope::collectClosureVariablesUnderTDZ):
2800         * runtime/OptionsList.h:
2801         * runtime/SymbolTable.cpp:
2802         (JSC::SymbolTable::cloneScopePart):
2803         * runtime/SymbolTable.h:
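
        The runtime behaviour that the <Field Read>, <Field Writes> and <Field Definition> sequences above have to enforce, as an added example (plain JavaScript, not JavaScriptCore source or part of this patch; all class and helper names below are made up). It shows a read through a private name on an object that was never initialized with it failing with a TypeError, and the return-override trick that reaches the "private name already defined" check (the PutByValThrowIfExists path):

```javascript
// Added example, not JavaScriptCore source: observable semantics of private
// class fields that the bytecode sequences above implement. Names are made up.
'use strict';

class Counter {
  #count = 0;                              // <Field Definition> at construction
  increment() { return ++this.#count; }    // <Field Read> followed by <Field Write>
  // A static method is lexically inside the class, so it may spell #count,
  // but the read still throws if `obj` was never initialized with that field.
  static readCount(obj) { return obj.#count; }
}

// Return-override: a base constructor may return an unrelated object, and the
// derived class's field initializers then run against that object. Running the
// derived constructor twice on the same target is the way to hit the
// "private name already defined" (redefinition) check.
class ReturnTarget {
  constructor(target) { return target; }
}
class Stamper extends ReturnTarget {
  #stamp = 'stamped';
  constructor(target) { super(target); }
  static isStamped(obj) {
    try { return obj.#stamp === 'stamped'; } catch (e) { return false; }
  }
}

// Runs fn and reports either 'ok' or the thrown error's constructor name.
function outcome(fn) {
  try { fn(); return 'ok'; } catch (e) { return e.constructor.name; }
}

function readOnInstance() {
  const c = new Counter();
  c.increment();
  return Counter.readCount(c);                    // 1
}

function readOnForeignObject() {
  return outcome(() => Counter.readCount({}));    // 'TypeError': #count not present
}

function stampTwice() {
  const target = {};
  const first = outcome(() => new Stamper(target));   // defines #stamp on target
  const second = outcome(() => new Stamper(target));  // #stamp already exists -> TypeError
  return [first, second, Stamper.isStamped(target)];
}
```

Both failure cases surface as a TypeError: the missing-field read corresponds to createInvalidPrivateNameError, the second stamp to createRedefinedPrivateNameError in the patch above; the first definition is left in place, so the target still reads as stamped afterwards.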
2804
2805 2020-06-05  Paulo Matos  <pmatos@igalia.com>
2806
2807         Fix includes to fix latest non-unified builds breakages
2808         https://bugs.webkit.org/show_bug.cgi?id=212802
2809
2810         Reviewed by Adrian Perez de Castro.
2811
2812         * dfg/DFGDoesGCCheck.cpp:
2813         * runtime/JSDateMath.h:
2814
2815 2020-06-04  Yusuke Suzuki  <ysuzuki@apple.com>
2816
2817         [JSC] Report extra memory allocation from PropertyTable
2818         https://bugs.webkit.org/show_bug.cgi?id=212793
2819
2820         Reviewed by Saam Barati.
2821
2822         This patch adds extra memory reporting from PropertyTable to make GC
2823         responsive to the increase of memory in PropertyTable.
2824
2825         * runtime/PropertyMapHashTable.h:
2826         (JSC::PropertyTable::add):
2827         (JSC::PropertyTable::remove):
2828         (JSC::PropertyTable::rehash):
2829         (JSC::PropertyTable::dataSize):
2830         * runtime/PropertyTable.cpp:
2831         (JSC::PropertyTable::finishCreation):
2832         (JSC::PropertyTable::visitChildren):
2833         * runtime/Structure.cpp:
2834         (JSC::Structure::materializePropertyTable):
2835         * runtime/StructureInlines.h:
2836         (JSC::Structure::add):
2837         (JSC::Structure::remove):
2838
2839 2020-06-04  Commit Queue  <commit-queue@webkit.org>
2840
2841         Unreviewed, reverting r262583.
2842         https://bugs.webkit.org/show_bug.cgi?id=212799
2843
2844         Internal source code has the same bug, needs to be landed
2845         after fixing internal source
2846
2847         Reverted changeset:
2848
2849         "DOM constructor should only accept Ref<> / ExceptionOr<Ref<>>
2850         for creation to ensure toJSNewlyCreated is always returning
2851         object"
2852         https://bugs.webkit.org/show_bug.cgi?id=212767
2853         https://trac.webkit.org/changeset/262583
2854
2855 2020-06-04  Michael Saboff  <msaboff@apple.com>
2856
2857         Add a Thread Specific Cache for LinkBuffer::CompactAndLinkCode()
2858         https://bugs.webkit.org/show_bug.cgi?id=212765
2859
2860         Reviewed by Saam Barati.
2861
2862         Added a thread local buffer for CPU types that use a second buffer when compacting.
2863         This is very similar to the work done in https://bugs.webkit.org/show_bug.cgi?id=212562.
2864
2865         * assembler/LinkBuffer.cpp:
2866         (JSC::threadSpecificBranchCompactionLinkBuffer):
2867         (JSC::BranchCompactionLinkBuffer::BranchCompactionLinkBuffer):
2868         (JSC::BranchCompactionLinkBuffer::~BranchCompactionLinkBuffer):
2869         (JSC::BranchCompactionLinkBuffer::data):
2870         (JSC::BranchCompactionLinkBuffer::takeBufferIfLarger):
2871         (JSC::BranchCompactionLinkBuffer::size):
2872         (JSC::LinkBuffer::copyCompactAndLinkCode):
2873
2874 2020-06-04  Mark Lam  <mark.lam@apple.com>
2875
2876         Add Options::validateDoesGC() for turning DoesGC validation on/off.
2877         https://bugs.webkit.org/show_bug.cgi?id=212773
2878
2879         Reviewed by Saam Barati.
2880
2881         It will default to on if ASSERT_ENABLED because we want testing to be done with
2882         the validation on.  When needed, we can turn it off, e.g. to de-clutter
2883         disassembly dumps while debugging.
2884
2885         If Options::validateDoesGC() is false, we turn off JIT code emission for this
2886         check, as well as skip the validation checks.  There are still places in C++
2887         code that store to DoesGC::m_value without checking Options::validateDoesGC().
2888         It doesn't hurt to just let these stores proceed, and performance-wise, it's
2889         probably cheaper to just do the store unconditionally than to gate it on a load of
2890         Options::validateDoesGC() first.
2891
2892         Also made it explicit that the check on validateDFGDoesGC is a constexpr check.
2893
2894         * dfg/DFGDoesGCCheck.cpp:
2895         (JSC::DFG::DoesGCCheck::verifyCanGC):
2896         * dfg/DFGOSRExit.cpp:
2897         (JSC::DFG::OSRExit::compileExit):
2898         * dfg/DFGSpeculativeJIT32_64.cpp:
2899         (JSC::DFG::SpeculativeJIT::compile):
2900         * dfg/DFGSpeculativeJIT64.cpp:
2901         (JSC::DFG::SpeculativeJIT::compile):
2902         * ftl/FTLLowerDFGToB3.cpp:
2903         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2904         * ftl/FTLOSRExitCompiler.cpp:
2905         (JSC::FTL::compileStub):
2906         * runtime/OptionsList.h:
2907
2908 2020-06-04  Ross Kirsling  <ross.kirsling@sony.com>
2909
2910         Intl classes should have meaningful @@toStringTag values
2911         https://bugs.webkit.org/show_bug.cgi?id=212769
2912
2913         Reviewed by Yusuke Suzuki.
2914
2915         Implementation of https://github.com/tc39/ecma402/pull/430, which achieved consensus this week.
2916         This ensures we get "[object Intl.Collator]" (etc.) instead of "[object Object]" for older Intl classes.
2917
2918         * runtime/IntlCollatorPrototype.cpp:
2919         * runtime/IntlDateTimeFormatPrototype.cpp:
2920         * runtime/IntlNumberFormatPrototype.cpp:
2921         * runtime/IntlPluralRulesPrototype.cpp:
2922
2923 2020-06-04  Alexey Shvayka  <shvaikalesh@gmail.com>
2924
2925         GetMethod isn't performed properly on iterators
2926         https://bugs.webkit.org/show_bug.cgi?id=212771
2927
2928         Reviewed by Saam Barati.
2929
2930         Before this change, iterator's "return" and "throw" methods with value of `null` were
2931         considered incorrect rather than missing, causing TypeError to be thrown.
2932
2933         This patch aligns method lookup of iterators with the spec [1], V8, and SpiderMonkey
2934         by utilizing isUndefinedOrNull(), which doesn't special-case [[IsHTMLDDA]] objects [2],
2935         fixing a few Annex B tests.
2936
2937         for/of microbenchmarks are neutral.
2938
2939         [1]: https://tc39.es/ecma262/#sec-getmethod (step 3)
2940         [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
2941
2942         * builtins/AsyncFromSyncIteratorPrototype.js:
2943         * bytecompiler/BytecodeGenerator.cpp:
2944         (JSC::BytecodeGenerator::emitIteratorGenericClose):
2945         (JSC::BytecodeGenerator::emitGetAsyncIterator):
2946         (JSC::BytecodeGenerator::emitDelegateYield):
2947         * runtime/IteratorOperations.cpp:
2948         (JSC::iteratorClose):
2949         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2950         (JSC::constructGenericTypedArrayViewWithArguments):
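
        The GetMethod behaviour this entry describes, as an added example (plain JavaScript, not JavaScriptCore source or part of this patch; the helper name and the iterable are made up). Breaking out of for/of triggers IteratorClose, which looks up "return" with GetMethod: a `null` or `undefined` value means "no method" and the loop exits cleanly, whereas a present but non-callable value is an error:

```javascript
// Added example, not JavaScriptCore source: how IteratorClose treats the
// iterator's "return" property under the spec's GetMethod rules. Names are made up.
'use strict';

// Builds a three-element iterable whose iterator carries the given "return"
// property, then breaks out of for/of after the first element so that
// IteratorClose runs. Returns what happened plus a log of observed calls.
function closeWith(returnProp) {
  const log = [];
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < 3 ? { value: i++, done: false } : { value: undefined, done: true };
        },
        // 'fn' installs a real return method; anything else is stored verbatim
        // (null, undefined, or a non-callable value such as 42).
        return: returnProp === 'fn'
          ? () => { log.push('return called'); return { done: true }; }
          : returnProp,
      };
    },
  };
  try {
    for (const v of iterable) {
      log.push('got ' + v);
      break;                 // abrupt completion -> IteratorClose -> GetMethod(iterator, "return")
    }
    return { outcome: 'ok', log };
  } catch (e) {
    return { outcome: e.constructor.name, log };
  }
}

// Expected per https://tc39.es/ecma262/#sec-getmethod:
//   closeWith('fn')      -> ok, return method invoked
//   closeWith(null)      -> ok, treated as "no method" (the case this patch fixes)
//   closeWith(undefined) -> ok, same
//   closeWith(42)        -> TypeError, present but not callable
```

The `null` case is the one the patch corrects: before it, JSC treated a `null` "return" as an invalid method and threw, where the spec (and V8 and SpiderMonkey) treat it as absent.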
2951
2952 2020-06-04  Mark Lam  <mark.lam@apple.com>
2953
2954         Reduce DFGDoesGCCheck to only storing a uint32_t.
2955         https://bugs.webkit.org/show_bug.cgi?id=212734
2956
2957         Reviewed by Saam Barati and Caio Lima.
2958
2959         This patch changes the encoding of DoesGCCheck so that it will fit better in a
2960         uint32_t.  This has the following benefits:
2961         1. speed improvement for debug builds because it now takes fewer instructions
2962            (especially in JITted code) to store to DoesGCCheck::m_value.
2963         2. enables this check for 32-bit platforms as well.
2964
2965         Fun fact: we currently have 373 DFG::NodeTypes.  Hence, 9 bits for nodeOp.
2966
2967         The new encoding provides 21 bits for the nodeIndex.  This gives us up to 2097152
2968         node indexes.  In my experience, I've never seen more than 3 decimal digits for
2969         the nodeIndex so far.  If we ever find that we need more than 21 bits of nodeIndex,
2970         we have 2 options to deal with it:
2971
2972         1. We can just ignore the high bits.  After all, it is the nodeOp that is the
2973            most interesting piece of data we need to debug doesGC issues.
2974
2975         2. We can make DoesGCCheck use uint64_t for storage.  This encoding automatically
2976            scales to 64-bit, while still allowing the more efficient form of storing a
2977            32-bit immediate to be used for the common cases.
2978
2979         This patch also makes ENABLE_DFG_DOES_GC_VALIDATION dependent on ENABLE(DFG_JIT).
2980         DoesGC is only relevant for the DFG and FTL JITs.
2981
2982         * dfg/DFGDoesGCCheck.cpp:
2983         (JSC::DFG::DoesGCCheck::verifyCanGC):
2984         * dfg/DFGDoesGCCheck.h:
2985         (JSC::DFG::DoesGCCheck::encode):
2986         (JSC::DFG::DoesGCCheck::expectDoesGC const):
2987         (JSC::DFG::DoesGCCheck::isSpecial const):
2988         (JSC::DFG::DoesGCCheck::special):
2989         (JSC::DFG::DoesGCCheck::nodeOp):
2990         (JSC::DFG::DoesGCCheck::nodeIndex):
2991         (JSC::DFG::DoesGCCheck::expectDoesGC): Deleted.
2992         (JSC::DFG::DoesGCCheck::isSpecial): Deleted.
2993         (JSC::DFG::DoesGCCheck::specialIndex): Deleted.
2994         (JSC::DFG::DoesGCCheck::bits): Deleted.
2995         * dfg/DFGNodeType.h:
2996         * dfg/DFGOSRExit.cpp:
2997         (JSC::DFG::OSRExit::compileExit):
2998         * dfg/DFGSpeculativeJIT32_64.cpp:
2999         (JSC::DFG::SpeculativeJIT::compile):
3000         * dfg/DFGSpeculativeJIT64.cpp:
3001         (JSC::DFG::SpeculativeJIT::compile):
3002         * ftl/FTLLowerDFGToB3.cpp:
3003         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3004         * ftl/FTLOSRExitCompiler.cpp:
3005         (JSC::FTL::compileStub):
3006         * heap/Heap.h:
3007
3008 2020-06-04  Tim Horton  <timothy_horton@apple.com>
3009
3010         Work around broken system version macro
3011         https://bugs.webkit.org/show_bug.cgi?id=212726
3012
3013         Reviewed by Dan Bernstein.
3014
3015         * Configurations/DebugRelease.xcconfig:
3016
3017 2020-06-04  Andy Estes  <aestes@apple.com>
3018
3019         [watchOS] Re-enable content filtering in the simulator build
3020         https://bugs.webkit.org/show_bug.cgi?id=212711
3021         <rdar://problem/63938350>
3022
3023         Reviewed by Wenson Hsieh.
3024
3025         * Configurations/FeatureDefines.xcconfig:
3026
3027 2020-06-04  Mark Lam  <mark.lam@apple.com>
3028
3029         SpeculativeJIT::compileDateGet()'s slow path does not need an exception check.
3030         https://bugs.webkit.org/show_bug.cgi?id=212645
3031
3032         Reviewed by Yusuke Suzuki.
3033
3034         SpeculativeJIT::compileDateGet() implements a bunch of Date intrinsics which call
3035         into a C++ operation function to do their work.  However, the calls to these operation
3036         functions were made using a slow path generator configured to automatically
3037         emit exception checks after the call.  These exception checks are unneeded because
3038         those functions will not throw any exceptions.
3039
3040         This issue was found with JSC stress test runs on a debug build.  The doesGC
3041         verifier was failing on the exceptionFuzz/date-format-xparb.js test.  The reason
3042         is because doesGC does not expect any of these Date intrinsics to throw any exceptions,
3043         but SpeculativeJIT was emitting the unneeded exception checks there.  These
3044         exception check sites get turned into throw sites by the exceptionFuzzer, and
3045         they allocate an Error object there.  This allocation made the doesGC verifier
3046         not happy.
3047
3048         This patch fixes this issue by changing SpeculativeJIT::compileDateGet() to
3049         pass ExceptionCheckRequirement::CheckNotNeeded to the slow path generator.
3050
3051         The patch also proves that all the operation functions cannot throw any exceptions.
3052         Previously, the operations passed a VM& to the Date functions.  The purpose for
3053         doing this is so that the Date functions can work with a few date cache data
3054         structures stored as VM fields.
3055
3056         This patch refactors those VM fields into a VM::DateCache struct, and changes all
3057         those Date functions to take a VM::DateCache& instead of a VM&.  Since the Date
3058         functions no longer take a VM&, this proves that they cannot throw because they
3059         would need a VM& to make a ThrowScope in order to throw.
3060
3061         Update: Yusuke pointed out that the lack of a JSGlobalObject* argument is sufficient
3062         to guarantee that the Date functions cannot throw.  However, we'll keep this
3063         DateCache refactoring since it provides additional info that the Date functions
3064         only operate on the DateCache fields and nothing else in VM.
3065
3066         Also removed DFG::JITCompile's fastExceptionCheck() which is unused.
3067
3068         * dfg/DFGJITCompiler.h:
3069         (JSC::DFG::JITCompiler::fastExceptionCheck): Deleted.
3070         * dfg/DFGOperations.cpp:
3071         * dfg/DFGSpeculativeJIT64.cpp:
3072         (JSC::DFG::SpeculativeJIT::compileDateGet):
3073         * runtime/DateConstructor.cpp:
3074         (JSC::millisecondsFromComponents):
3075         (JSC::callDate):
3076         * runtime/DateInstance.cpp:
3077         (JSC::DateInstance::calculateGregorianDateTime const):
3078         (JSC::DateInstance::calculateGregorianDateTimeUTC const):
3079         * runtime/DateInstance.h:
3080         * runtime/DatePrototype.cpp:
3081         (JSC::formatLocaleDate):
3082         (JSC::formateDateInstance):
3083         (JSC::dateProtoFuncToISOString):
3084         (JSC::dateProtoFuncGetFullYear):
3085         (JSC::dateProtoFuncGetUTCFullYear):
3086         (JSC::dateProtoFuncGetMonth):
3087         (JSC::dateProtoFuncGetUTCMonth):
3088         (JSC::dateProtoFuncGetDate):
3089         (JSC::dateProtoFuncGetUTCDate):
3090         (JSC::dateProtoFuncGetDay):
3091         (JSC::dateProtoFuncGetUTCDay):
3092         (JSC::dateProtoFuncGetHours):
3093         (JSC::dateProtoFuncGetUTCHours):
3094         (JSC::dateProtoFuncGetMinutes):
3095         (JSC::dateProtoFuncGetUTCMinutes):
3096         (JSC::dateProtoFuncGetSeconds):
3097         (JSC::dateProtoFuncGetUTCSeconds):
3098         (JSC::dateProtoFuncGetTimezoneOffset):
3099         (JSC::setNewValueFromTimeArgs):
3100         (JSC::setNewValueFromDateArgs):
3101         (JSC::dateProtoFuncSetYear):
3102         (JSC::dateProtoFuncGetYear):
3103         * runtime/JSDateMath.cpp:
3104         (JSC::localTimeOffset):
3105         (JSC::gregorianDateTimeToMS):
3106         (JSC::msToGregorianDateTime):
3107         (JSC::parseDate):
3108         * runtime/JSDateMath.h:
3109         * runtime/VM.cpp:
3110         (JSC::VM::resetDateCache):
3111         * runtime/VM.h:
3112
3113 2020-06-04  Paulo Matos  <pmatos@igalia.com>
3114
3115         Fix 32bit build broken at r262513
3116         https://bugs.webkit.org/show_bug.cgi?id=212735
3117
3118         Unreviewed Gardening.
3119
3120         Proper fix is being worked out under https://bugs.webkit.org/show_bug.cgi?id=212734
3121
3122         * dfg/DFGOSRExit.cpp:
3123         (JSC::DFG::OSRExit::compileExit):
3124
3125 2020-06-03  Tadeu Zagallo  <tzagallo@apple.com>
3126
3127         Disable B3 hoistLoopInvariantValues by default
3128         https://bugs.webkit.org/show_bug.cgi?id=212511
3129         <rdar://problem/63813245>
3130
3131         Reviewed by Mark Lam.
3132
3133         The hoistLoopInvariantValues optimization in B3 does not calculate the cost of hoisting the candidates.
3134         For example, in the test case provided with the bug, a switch inside a loop can lead to hoisting the body
3135         of several switch cases which would never be executed. Other than leading to worse runtime, this also
3136         increases the pressure in the register allocator, leading to worse compile times (~10x worse in this case).
3137         I have added a FIXME to consider adding cost calculation and re-enabling this pass, but given that we
3138         already have LICM in DFG, it should be ok to disable it for now.
3139
3140         * b3/B3Generate.cpp:
3141         (JSC::B3::generateToAir):
3142         * runtime/OptionsList.h:
3143
3144 2020-06-03  Mark Lam  <mark.lam@apple.com>
3145
3146         Gardening: fix broken Windows debug build.
3147         https://bugs.webkit.org/show_bug.cgi?id=212680
3148
3149         Not reviewed.
3150
3151         * dfg/DFGDoesGCCheck.cpp:
3152         (JSC::DFG::DoesGCCheck::verifyCanGC):
3153         * dfg/DFGDoesGCCheck.h:
3154
3155 2020-06-03  Mark Lam  <mark.lam@apple.com>
3156
3157         [Re-landing] Enhance DoesGC verification to print more useful info when verification fails.
3158         https://bugs.webkit.org/show_bug.cgi?id=212680
3159
3160         Reviewed by Yusuke Suzuki.
3161
3162         When DoesGC verification fails, the first step of debugging it would be to find
3163         out what and which DFG node resulted in the failed verification.  In pre-existing
3164         code, all we get is an assertion failure.
3165
3166         This patch makes it so that the verifier will dump useful info.  Here's an example:
3167
3168             Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]
3169                 [0] frame 0x7ffee8285660 {
3170                   name: 
3171                   sourceURL: 
3172                   isInlinedFrame: false
3173                   callee: 0x1135f6820
3174                   returnPC: 0x50ce61248ae6
3175                   callerFrame: 0x7ffee82856f0
3176                   rawLocationBits: 5 0x5
3177                   codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]
3178                     hasCodeOrigins: true
3179                     callSiteIndex: 5 of 13
3180                     jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00
3181                     line: 1
3182                     column: 60
3183                   EntryFrame: 0x7ffee8285860
3184                 }
3185                 [1] frame 0x7ffee82856f0 {
3186                   name: 
3187                   sourceURL: date-format-xparb.js
3188                   isInlinedFrame: false
3189                   callee: 0x1135f65a0
3190                   returnPC: 0x50ce61227e99
3191                   callerFrame: 0x7ffee8285770
3192                   rawLocationBits: 4 0x4
3193                   codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)]
3194                     hasCodeOrigins: true
3195                     callSiteIndex: 4 of 12
3196                     jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960
3197                     line: 26
3198                     column: 22
3199                   EntryFrame: 0x7ffee8285860
3200                 }
3201                 [2] frame 0x7ffee8285770 {
3202                   name: 
3203                   sourceURL: date-format-xparb.js
3204                   isInlinedFrame: false
3205                   callee: 0x1135f64e0
3206                   returnPC: 0x108058eb1
3207                   callerFrame: 0x7ffee82857e0
3208                   rawLocationBits: 1001 0x3e9
3209                   codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149]
3210                     bc#1001 of 1149
3211                     line: 417
3212                     column: 38
3213                   EntryFrame: 0x7ffee8285860
3214                 }
3215                 [3] frame 0x7ffee82857e0 {
3216                   name: global code
3217                   sourceURL: date-format-xparb.js
3218                   isInlinedFrame: false
3219                   callee: 0x1130f97b8
3220                   returnPC: 0x108039043
3221                   callerFrame: 0x0
3222                   rawLocationBits: 23 0x17
3223                   codeBlock: 0x1135bc000 <global>#CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81]
3224                     bc#23 of 81
3225                     line: 425
3226                     column: 3
3227                   EntryFrame: 0x7ffee8285860
3228                 }
3229
3230             ASSERTION FAILED: expectDoesGC()
3231
3232         The error message now comes with the node index, NodeType, codeBlock which this
3233         failure was found in, and the JS call stack that led to the failure.
3234
3235         Changes made:
3236
3237         1. Introduced a DoesGCCheck value that is used to encode some of the above data.
3238
3239            Previously, we only recorded whether doesGC() returns true or false for the
3240            Node.  Now, we record the nodeIndex and nodeOp as well.
3241
3242            Note that we also set DoesGC expectations for OSR exits.  So, DoesGCCheck
3243            includes Special cases for those.
3244
3245         2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64.
3246            Also added a test for this new emitter in testmasm.
3247
3248         * CMakeLists.txt:
3249         * JavaScriptCore.xcodeproj/project.pbxproj:
3250         * Sources.txt:
3251         * assembler/MacroAssemblerARM64.h:
3252         (JSC::MacroAssemblerARM64::store64):
3253         * assembler/MacroAssemblerX86_64.h:
3254         (JSC::MacroAssemblerX86_64::store64):
3255         * assembler/testmasm.cpp:
3256         (JSC::testStore64Imm64AddressPointer):
3257         (JSC::run):
3258         * dfg/DFGDoesGCCheck.cpp: Copied from Source/JavaScriptCore/dfg/DFGDoesGCCheck.cpp.
3259         * dfg/DFGDoesGCCheck.h: Copied from Source/JavaScriptCore/dfg/DFGDoesGCCheck.h.
3260         * dfg/DFGGraph.cpp:
3261         * dfg/DFGOSRExit.cpp:
3262         (JSC::DFG::operationCompileOSRExit):
3263         (JSC::DFG::OSRExit::compileExit):
3264         * dfg/DFGSpeculativeJIT64.cpp:
3265         (JSC::DFG::SpeculativeJIT::compile):
3266         * ftl/FTLLowerDFGToB3.cpp:
3267         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3268         * ftl/FTLOSRExitCompiler.cpp:
3269         (JSC::FTL::compileStub):
3270         (JSC::FTL::operationCompileFTLOSRExit):
3271         * heap/CompleteSubspace.cpp:
3272         (JSC::CompleteSubspace::tryAllocateSlow):
3273         (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual):
3274         * heap/CompleteSubspaceInlines.h:
3275         (JSC::CompleteSubspace::allocateNonVirtual):
3276         * heap/DeferGC.h:
3277         (JSC::DeferGC::~DeferGC):
3278         * heap/GCDeferralContextInlines.h:
3279         (JSC::GCDeferralContext::~GCDeferralContext):
3280         * heap/Heap.cpp:
3281         (JSC::Heap::collectNow):
3282         (JSC::Heap::collectAsync):
3283         (JSC::Heap::collectSync):
3284         (JSC::Heap::stopIfNecessarySlow):
3285         (JSC::Heap::collectIfNecessaryOrDefer):
3286         * heap/Heap.h:
3287         (JSC::Heap::addressOfDoesGC):
3288         (JSC::Heap::setDoesGCExpectation):
3289         (JSC::Heap::verifyCanGC):
3290         (JSC::Heap::expectDoesGC const): Deleted.
3291         (JSC::Heap::setExpectDoesGC): Deleted.
3292         (JSC::Heap::addressOfExpectDoesGC): Deleted.
3293         * heap/HeapInlines.h:
3294         (JSC::Heap::acquireAccess):
3295         (JSC::Heap::stopIfNecessary):
3296         * heap/LocalAllocatorInlines.h:
3297         (JSC::LocalAllocator::allocate):
3298         * heap/PreciseAllocation.cpp:
3299         (JSC::PreciseAllocation::tryCreate):
3300         (JSC::PreciseAllocation::createForLowerTier):
3301         * runtime/JSString.h:
3302         (JSC::jsSingleCharacterString):
3303         (JSC::JSString::toAtomString const):
3304         (JSC::JSString::toExistingAtomString const):
3305         (JSC::JSString::value const):
3306         (JSC::JSString::tryGetValue const):
3307         (JSC::JSRopeString::unsafeView const):
3308         (JSC::JSRopeString::viewWithUnderlyingString const):
3309         (JSC::JSString::unsafeView const):
3310         * runtime/RegExpMatchesArray.h:
3311         (JSC::createRegExpMatchesArray):
3312
3313 2020-06-03  Mark Lam  <mark.lam@apple.com>
3314
3315         DFGSSAConversionPhase.cpp needs to #include OperandsInlines.h.
3316         https://bugs.webkit.org/show_bug.cgi?id=212687
3317
3318         Reviewed by Keith Miller.
3319
3320         Without this, strange build failures can happen with unified builds.
3321
3322         For example, the Windows build started failing due to a linkage error in this file
3323         when the patch from https://bugs.webkit.org/show_bug.cgi?id=212680 landed.
3324         212680 introduced a new .cpp file, and that probably bumped DFGSSAConversionPhase.cpp
3325         into another unified unit, thereby depriving it of the OperandsInlines.h
3326         #include'd by another .cpp.
3327
3328         * dfg/DFGSSAConversionPhase.cpp:
3329
3330 2020-06-03  Mark Lam  <mark.lam@apple.com>
3331
3332         Fix non-unified --jsc-only build.
3333         https://bugs.webkit.org/show_bug.cgi?id=212707
3334
3335         Reviewed by Yusuke Suzuki.
3336
3337         These files need JSGlobalObjectInlines.h.  But rather than adding yet another
3338         #include, we'll just remove many individual ones and just #include JSCInlines.h
3339         instead.
3340
3341         * wasm/js/JSToWasmICCallee.cpp:
3342         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3343         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3344         * wasm/js/WebAssemblyGlobalPrototype.cpp:
3345         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3346         * wasm/js/WebAssemblyInstancePrototype.cpp:
3347         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3348         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3349         * wasm/js/WebAssemblyModulePrototype.cpp:
3350         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3351         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3352
3353 2020-06-03  Rob Buis  <rbuis@igalia.com>
3354
3355         Make generated C++ code use modern C++
3356         https://bugs.webkit.org/show_bug.cgi?id=190714
3357
3358         Reviewed by Jonathan Bedard.
3359
3360         Update inspector protocol generator and rebaseline the tests.
3361
3362         * inspector/scripts/codegen/cpp_generator_templates.py:
3363         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3364         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3365         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3366         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3367         * inspector/scripts/tests/expected/enum-values.json-result:
3368         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3369         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3370         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3371         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3372         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3373         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3374         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3375         * yarr/generateYarrUnicodePropertyTables.py:
3376
3377 2020-06-02  Mark Lam  <mark.lam@apple.com>
3378
3379         Rolling out r262475 to unbreak Windows bot.
3380         https://bugs.webkit.org/show_bug.cgi?id=212680
3381
3382         Not reviewed.
3383
3384         * CMakeLists.txt:
3385         * JavaScriptCore.xcodeproj/project.pbxproj:
3386         * Sources.txt:
3387         * assembler/MacroAssemblerARM64.h:
3388         * assembler/MacroAssemblerX86_64.h:
3389         * assembler/testmasm.cpp:
3390         (JSC::testCountTrailingZeros64WithoutNullCheck):
3391         (JSC::run):
3392         (JSC::testStore64Imm64AddressPointer): Deleted.
3393         * dfg/DFGDoesGCCheck.cpp: Removed.
3394         * dfg/DFGDoesGCCheck.h: Removed.
3395         * dfg/DFGGraph.cpp:
3396         * dfg/DFGOSRExit.cpp:
3397         (JSC::DFG::operationCompileOSRExit):
3398         (JSC::DFG::OSRExit::compileExit):
3399         * dfg/DFGSpeculativeJIT64.cpp:
3400         (JSC::DFG::SpeculativeJIT::compile):
3401         * ftl/FTLLowerDFGToB3.cpp:
3402         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3403         * ftl/FTLOSRExitCompiler.cpp:
3404         (JSC::FTL::compileStub):
3405         (JSC::FTL::operationCompileFTLOSRExit):
3406         * heap/CompleteSubspace.cpp:
3407         (JSC::CompleteSubspace::tryAllocateSlow):
3408         (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual):
3409         * heap/CompleteSubspaceInlines.h:
3410         (JSC::CompleteSubspace::allocateNonVirtual):
3411         * heap/DeferGC.h:
3412         (JSC::DeferGC::~DeferGC):
3413         * heap/GCDeferralContextInlines.h:
3414         (JSC::GCDeferralContext::~GCDeferralContext):
3415         * heap/Heap.cpp:
3416         (JSC::Heap::collectNow):
3417         (JSC::Heap::collectAsync):
3418         (JSC::Heap::collectSync):
3419         (JSC::Heap::stopIfNecessarySlow):
3420         (JSC::Heap::collectIfNecessaryOrDefer):
3421         * heap/Heap.h:
3422         (JSC::Heap::expectDoesGC const):
3423         (JSC::Heap::setExpectDoesGC):
3424         (JSC::Heap::addressOfExpectDoesGC):
3425         (JSC::Heap::addressOfDoesGC): Deleted.
3426         (JSC::Heap::setDoesGCExpectation): Deleted.
3427         (JSC::Heap::verifyCanGC): Deleted.
3428         * heap/HeapInlines.h:
3429         (JSC::Heap::acquireAccess):
3430         (JSC::Heap::stopIfNecessary):
3431         * heap/LocalAllocatorInlines.h:
3432         (JSC::LocalAllocator::allocate):
3433         * heap/PreciseAllocation.cpp:
3434         (JSC::PreciseAllocation::tryCreate):
3435         (JSC::PreciseAllocation::createForLowerTier):
3436         * runtime/JSString.h:
3437         (JSC::jsSingleCharacterString):
3438         (JSC::JSString::toAtomString const):
3439         (JSC::JSString::toExistingAtomString const):
3440         (JSC::JSString::value const):
3441         (JSC::JSString::tryGetValue const):
3442         (JSC::JSRopeString::unsafeView const):
3443         (JSC::JSRopeString::viewWithUnderlyingString const):
3444         (JSC::JSString::unsafeView const):
3445         * runtime/RegExpMatchesArray.h:
3446         (JSC::createRegExpMatchesArray):
3447
3448 2020-06-02  Mark Lam  <mark.lam@apple.com>
3449
3450         Enhance DoesGC verification to print more useful info when verification fails.
3451         https://bugs.webkit.org/show_bug.cgi?id=212680
3452
3453         Reviewed by Yusuke Suzuki.
3454
3455         When DoesGC verification fails, the first step of debugging it would be to find
3456         out what and which DFG node resulted in the failed verification.  In pre-existing
3457         code, all we get is an assertion failure.
3458
3459         This patch makes it so that the verifier will dump useful info.  Here's an example:
3460
3461             Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]
3462                 [0] frame 0x7ffee8285660 {
3463                   name: 
3464                   sourceURL: 
3465                   isInlinedFrame: false
3466                   callee: 0x1135f6820
3467                   returnPC: 0x50ce61248ae6
3468                   callerFrame: 0x7ffee82856f0
3469                   rawLocationBits: 5 0x5
3470                   codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]
3471                     hasCodeOrigins: true
3472                     callSiteIndex: 5 of 13
3473                     jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00
3474                     line: 1
3475                     column: 60
3476                   EntryFrame: 0x7ffee8285860
3477                 }
3478                 [1] frame 0x7ffee82856f0 {
3479                   name: 
3480                   sourceURL: date-format-xparb.js
3481                   isInlinedFrame: false
3482                   callee: 0x1135f65a0
3483                   returnPC: 0x50ce61227e99
3484                   callerFrame: 0x7ffee8285770
3485                   rawLocationBits: 4 0x4
3486                   codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)]
3487                     hasCodeOrigins: true
3488                     callSiteIndex: 4 of 12
3489                     jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960
3490                     line: 26
3491                     column: 22
3492                   EntryFrame: 0x7ffee8285860
3493                 }
3494                 [2] frame 0x7ffee8285770 {
3495                   name: 
3496                   sourceURL: date-format-xparb.js
3497                   isInlinedFrame: false
3498                   callee: 0x1135f64e0
3499                   returnPC: 0x108058eb1
3500                   callerFrame: 0x7ffee82857e0
3501                   rawLocationBits: 1001 0x3e9
3502                   codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149]
3503                     bc#1001 of 1149
3504                     line: 417
3505                     column: 38
3506                   EntryFrame: 0x7ffee8285860
3507                 }
3508                 [3] frame 0x7ffee82857e0 {
3509                   name: global code
3510                   sourceURL: date-format-xparb.js
3511                   isInlinedFrame: false
3512                   callee: 0x1130f97b8
3513                   returnPC: 0x108039043
3514                   callerFrame: 0x0
3515                   rawLocationBits: 23 0x17
3516                   codeBlock: 0x1135bc000 <global>#CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81]
3517                     bc#23 of 81
3518                     line: 425
3519                     column: 3
3520                   EntryFrame: 0x7ffee8285860
3521                 }
3522
3523             ASSERTION FAILED: expectDoesGC()
3524
3525         The error message now comes with the node index, NodeType, codeBlock which this
3526         failure was found in, and the JS call stack that led to the failure.
3527
3528         Changes made:
3529
3530         1. Introduced a DoesGCCheck value that is used to encode some of the above data.
3531
3532            Previously, we only recorded whether doesGC() returns true or false for the
3533            Node.  Now, we record the nodeIndex and nodeOp as well.
3534
3535            Note that we also set DoesGC expectations for OSR exits.  So, DoesGCCheck
3536            includes Special cases for those.
3537
3538         2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64.
3539            Also added a test for this new emitter in testmasm.
3540
3541         * CMakeLists.txt:
3542         * JavaScriptCore.xcodeproj/project.pbxproj:
3543         * Sources.txt:
3544         * assembler/MacroAssemblerARM64.h:
3545         (JSC::MacroAssemblerARM64::store64):
3546         * assembler/MacroAssemblerX86_64.h:
3547         (JSC::MacroAssemblerX86_64::store64):
3548         * assembler/testmasm.cpp:
3549         (JSC::testStore64Imm64AddressPointer):
3550         (JSC::run):
3551         * dfg/DFGDoesGCCheck.cpp: Added.
3552         (JSC::DFG::DoesGCCheck::verifyCanGC):
3553         * dfg/DFGDoesGCCheck.h: Added.
3554         (JSC::DFG::DoesGCCheck::DoesGCCheck):
3555         (JSC::DFG::DoesGCCheck::encode):
3556         (JSC::DFG::DoesGCCheck::set):
3557         (JSC::DFG::DoesGCCheck::expectDoesGC):
3558         (JSC::DFG::DoesGCCheck::special):
3559         (JSC::DFG::DoesGCCheck::nodeIndex):
3560         (JSC::DFG::DoesGCCheck::nodeOp):
3561         (JSC::DFG::DoesGCCheck::isSpecial):
3562         (JSC::DFG::DoesGCCheck::specialIndex):
3563         (JSC::DFG::DoesGCCheck::bits):
3564         * dfg/DFGGraph.cpp:
3565         * dfg/DFGOSRExit.cpp:
3566         (JSC::DFG::operationCompileOSRExit):
3567         (JSC::DFG::OSRExit::compileExit):
3568         * dfg/DFGSpeculativeJIT64.cpp:
3569         (JSC::DFG::SpeculativeJIT::compile):
3570         * ftl/FTLLowerDFGToB3.cpp:
3571         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3572         * ftl/FTLOSRExitCompiler.cpp:
3573         (JSC::FTL::compileStub):
3574         (JSC::FTL::operationCompileFTLOSRExit):
3575         * heap/CompleteSubspace.cpp:
3576         (JSC::CompleteSubspace::tryAllocateSlow):
3577         (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual):
3578         * heap/CompleteSubspaceInlines.h:
3579         (JSC::CompleteSubspace::allocateNonVirtual):
3580         * heap/DeferGC.h:
3581         (JSC::DeferGC::~DeferGC):
3582         * heap/GCDeferralContextInlines.h:
3583         (JSC::GCDeferralContext::~GCDeferralContext):
3584         * heap/Heap.cpp:
3585         (JSC::Heap::collectNow):
3586         (JSC::Heap::collectAsync):
3587         (JSC::Heap::collectSync):
3588         (JSC::Heap::stopIfNecessarySlow):
3589         (JSC::Heap::collectIfNecessaryOrDefer):
3590         * heap/Heap.h:
3591         (JSC::Heap::addressOfDoesGC):
3592         (JSC::Heap::setDoesGCExpectation):
3593         (JSC::Heap::verifyCanGC):
3594         (JSC::Heap::expectDoesGC const): Deleted.
3595         (JSC::Heap::setExpectDoesGC): Deleted.
3596         (JSC::Heap::addressOfExpectDoesGC): Deleted.
3597         * heap/HeapInlines.h:
3598         (JSC::Heap::acquireAccess):
3599         (JSC::Heap::stopIfNecessary):
3600         * heap/LocalAllocatorInlines.h:
3601         (JSC::LocalAllocator::allocate):
3602         * heap/PreciseAllocation.cpp:
3603         (JSC::PreciseAllocation::tryCreate):
3604         (JSC::PreciseAllocation::createForLowerTier):
3605         * runtime/JSString.h:
3606         (JSC::jsSingleCharacterString):
3607         (JSC::JSString::toAtomString const):
3608         (JSC::JSString::toExistingAtomString const):
3609         (JSC::JSString::value const):
3610         (JSC::JSString::tryGetValue const):
3611         (JSC::JSRopeString::unsafeView const):
3612         (JSC::JSRopeString::viewWithUnderlyingString const):
3613         (JSC::JSString::unsafeView const):
3614         * runtime/RegExpMatchesArray.h:
3615         (JSC::createRegExpMatchesArray):
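
        As an added illustration (not code from this patch or from JSC's DFGDoesGCCheck.h),
        the sketch below shows how a packed check value could carry the expectDoesGC flag,
        node index and node opcode described in item 1, with a special encoding for OSR
        exits, and how a heap-side verifyCanGC would turn it into the first line of the
        error dump above; the bit layout, opcode numbering and all names are assumptions.

```cpp
// Added illustration, not code from JSC's DFGDoesGCCheck.h: a packed 64-bit check value
// that records, per DFG node, whether doesGC() is expected to be true together with the
// node index and node opcode, plus a "special" encoding for OSR exits. The bit layout,
// field names and opcode numbers below are hypothetical.
#include <cassert>
#include <cstdint>
#include <sstream>
#include <string>

// Hypothetical opcodes; JSC's real NodeType enum is not reproduced here.
enum class NodeOp : uint32_t { Invalid = 0, DateGetInt32OrNaN = 1, ArithAdd = 2, NewObject = 3 };

// Non-node sites that still set a DoesGC expectation (the "special cases" of item 1).
enum class Special : uint32_t { Uninitialized = 0, DFGOSRExit = 1, FTLOSRExit = 2 };

struct DoesGCCheck {
    // Layout (hypothetical): bit 0 expectDoesGC, bit 1 isSpecial,
    // bits 2..31 nodeIndex or specialIndex, bits 32..63 nodeOp.
    static constexpr uint64_t expectBit = 1ull << 0;
    static constexpr uint64_t specialBit = 1ull << 1;
    static constexpr unsigned indexShift = 2;
    static constexpr uint64_t indexMask = (1ull << 30) - 1;
    static constexpr unsigned opShift = 32;

    // The JIT would materialize this constant and store it into the heap's slot right
    // before the node's code (the job of the store64(TrustedImm64, const void*) emitter).
    static uint64_t encode(bool expectGC, uint32_t index, NodeOp op) {
        assert(index <= indexMask);
        return (expectGC ? expectBit : 0) | (uint64_t(index) << indexShift)
            | (uint64_t(op) << opShift);
    }
    static uint64_t encodeSpecial(bool expectGC, Special special) {
        return (expectGC ? expectBit : 0) | specialBit | (uint64_t(special) << indexShift);
    }

    void set(bool expectGC, uint32_t index, NodeOp op) { bits = encode(expectGC, index, op); }
    void set(bool expectGC, Special special) { bits = encodeSpecial(expectGC, special); }

    bool expectDoesGC() const { return bits & expectBit; }
    bool isSpecial() const { return bits & specialBit; }
    uint32_t nodeIndex() const { return uint32_t((bits >> indexShift) & indexMask); }
    uint32_t specialIndex() const { return nodeIndex(); } // same field, different meaning
    NodeOp nodeOp() const { return NodeOp(uint32_t(bits >> opShift)); }

    uint64_t bits = 0;
};

static const char* opName(NodeOp op) {
    switch (op) {
    case NodeOp::DateGetInt32OrNaN: return "DateGetInt32OrNaN";
    case NodeOp::ArithAdd: return "ArithAdd";
    case NodeOp::NewObject: return "NewObject";
    default: return "Invalid";
    }
}

static const char* specialName(uint32_t index) {
    switch (Special(index)) {
    case Special::DFGOSRExit: return "DFGOSRExit";
    case Special::FTLOSRExit: return "FTLOSRExit";
    default: return "Uninitialized";
    }
}

// Minimal stand-in for the heap side. Allocation paths call verifyCanGC; it returns the
// diagnostic text instead of asserting so a test can inspect it, and an empty string
// means the allocation happened under a node that was modeled as able to GC.
struct Heap {
    DoesGCCheck doesGC;

    std::string verifyCanGC(const std::string& codeBlockName) const {
        if (doesGC.expectDoesGC())
            return "";
        std::ostringstream out;
        out << "Error: DoesGC failed @ ";
        if (doesGC.isSpecial())
            out << specialName(doesGC.specialIndex());
        else
            out << "D@" << doesGC.nodeIndex() << " " << opName(doesGC.nodeOp());
        out << " in " << codeBlockName;
        return out.str();
    }
};
```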
3616
3617 2020-06-02  Mark Lam  <mark.lam@apple.com>
3618
3619         VMInspector APIs should be taking a VM* instead of a JSGlobalObject*.
3620         https://bugs.webkit.org/show_bug.cgi?id=212676
3621
3622         Reviewed by Saam Barati and Robin Morisset.
3623
3624         This is because:
3625         1. None of the functions currently taking a JSGlobalObject* actually need the
3626            globalObject.  All of them need the VM.
3627         2. The role of the VMInspector is to enable inspection of the VM.  By requiring
3628            that it be passed a JSGlobalObject*, we were actually preventing the VMInspector
3629            from being used in code that has a VM to inspect but doesn't have a JSGlobalObject
3630            to use.
3631
3632         The reason I'm choosing to pass VM* instead of VM& is because it makes these
3633         functions trivial to call using lldb interactively.  The VMInspector functions
3634         are also intentionally designed so that they can be used for this purpose.
3635         On occasion, I may have to cast literal numbers (addresses) to VM*.  Technically,
3636         I could cast a number to VM* and dereference it to get a VM& too.  However, at
3637         present, lldb is often buggy and not always reliable with casts.  I would like to
3638         lessen the chance that lldb fails on me when I'm deep in the middle of a debugging
3639         session, and have a need to call one of these functions.
3640
3641         * tools/JSDollarVM.cpp:
3642         (JSC::functionGC):
3643         (JSC::functionEdenGC):
3644         (JSC::functionCodeBlockForFrame):
3645         (JSC::codeBlockFromArg):
3646         (JSC::functionDumpCallFrame):
3647         (JSC::functionDumpStack):
3648         * tools/VMInspector.cpp:
3649         (JSC::VMInspector::currentThreadOwnsJSLock):
3650         (JSC::ensureCurrentThreadOwnsJSLock):
3651         (JSC::VMInspector::gc):
3652         (JSC::VMInspector::edenGC):
3653         (JSC::VMInspector::isValidCodeBlock):
3654         (JSC::VMInspector::codeBlockForFrame):
3655         (JSC::VMInspector::dumpCallFrame):
3656         (JSC::VMInspector::dumpStack):
3657         * tools/VMInspector.h:
3658
3659 2020-06-02  Keith Rollin  <krollin@apple.com>
3660
3661         Revert FEATURES_DEFINES related changes
3662         https://bugs.webkit.org/show_bug.cgi?id=212664
3663         <rdar://problem/63893033>
3664
3665         Reviewed by Andy Estes.
3666
3667         Bug 262310, Bug 262311, Bug 262318, and Bug 262331 involve changes to
3668         FEATURE_DEFINES and how the values there relate to those found in the
3669         Platform*.h files. Those changes break XCBuild (by removing the
3670         .xcfilelist related to UnifiedSources and the process for generating
3671         them), and so are being reverted.
3672
3673         * Configurations/FeatureDefines.xcconfig:
3674
3675 2020-06-02  Ryan Haddad  <ryanhaddad@apple.com>
3676
3677         Unreviewed, reverting r262424.
3678
3679         Caused webkitpy test failure
3680
3681         Reverted changeset:
3682
3683         "Make generated C++ code use modern C++"
3684         https://bugs.webkit.org/show_bug.cgi?id=190714
3685         https://trac.webkit.org/changeset/262424
3686
3687 2020-06-02  Mark Lam  <mark.lam@apple.com>
3688
3689         Change Gigacage::Config to use storage in WebConfig::g_config instead of its own.
3690         https://bugs.webkit.org/show_bug.cgi?id=212585
3691         <rdar://problem/63812487>
3692
3693         Reviewed by Yusuke Suzuki.
3694
3695         * assembler/testmasm.cpp:
3696         (JSC::testCagePreservesPACFailureBit):
3697         * dfg/DFGSpeculativeJIT.cpp:
3698         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3699         * ftl/FTLLowerDFGToB3.cpp:
3700         (JSC::FTL::DFG::LowerDFGToB3::caged):
3701         * jit/AssemblyHelpers.h:
3702         (JSC::AssemblyHelpers::cageConditionally):
3703         * llint/LowLevelInterpreter64.asm:
3704         * runtime/JSCConfig.h:
3705         (JSC::Config::isPermanentlyFrozen):
3706
3707 2020-06-02  Saam Barati  <sbarati@apple.com>
3708
3709         MultiDeleteByOffset should not always def
3710         https://bugs.webkit.org/show_bug.cgi?id=212621
3711         <rdar://problem/63824182>
3712
3713         Reviewed by Yusuke Suzuki.
3714
3715         Clobberize used to claim that MultiDeleteByOffset always defd a value.
3716         That's an incorrect modeling of MultiDeleteByOffset though, since it might
3717         have delete misses in its variant list. This would lead us to incorrectly
3718         CSE when we shouldn't. This patch fixes this by saying MultiDeleteByOffset
3719         only defs when all its cases write out a value (are hits).
3720
3721         * dfg/DFGClobberize.h:
3722         (JSC::DFG::clobberize):
3723         * dfg/DFGNode.cpp:
3724         (JSC::DFG::MultiDeleteByOffsetData::allVariantsStoreEmpty const):
3725         * dfg/DFGNode.h:
3726         * ftl/FTLLowerDFGToB3.cpp:
3727         (JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset):
3728
3729 2020-06-02  Rob Buis  <rbuis@igalia.com>
3730
3731         Make generated C++ code use modern C++
3732         https://bugs.webkit.org/show_bug.cgi?id=190714
3733
3734         Reviewed by Sam Weinig.
3735
3736         Update inspector protocol generator and rebaseline the tests.
3737
3738         * inspector/scripts/codegen/cpp_generator_templates.py:
3739         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3740         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3741         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3742         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3743         * inspector/scripts/tests/expected/enum-values.json-result:
3744         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3745         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3746         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3747         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3748         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3749         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3750         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3751         * yarr/generateYarrUnicodePropertyTables.py:
3752
3753 2020-06-02  Paulo Matos  <pmatos@igalia.com>
3754
3755         Fix assert message formatting
3756         https://bugs.webkit.org/show_bug.cgi?id=212591
3757
3758         Reviewed by Adrian Perez de Castro.
3759
3760         Fixes a warning from gcc: lineParts.size() is size_t, so %zu should be used.
3761
3762         * runtime/FuzzerPredictions.cpp:
3763         (JSC::FuzzerPredictions::FuzzerPredictions):
3764
3765 2020-06-01  Devin Rousso  <drousso@apple.com>
3766
3767         Web Inspector: Graphics: should use the `id` (name) of the animation if it exists
3768         https://bugs.webkit.org/show_bug.cgi?id=212618
3769
3770         Reviewed by Timothy Hatcher.
3771
3772         * inspector/protocol/Animation.json:
3773          - added an optional `name` property to the `Animation.Animation` type
3774          - created a new `Animation.nameChanged` event
3775
3776 2020-06-01  Saam Barati  <sbarati@apple.com>
3777
3778         Correct misunderstandings on how ThreadSpecific work
3779         https://bugs.webkit.org/show_bug.cgi?id=212616
3780
3781         Reviewed by Michael Saboff.
3782
3783         There were two misunderstandings I had when writing code using ThreadSpecific
3784         when doing LLInt bytecode buffer caching in Wasm.
3785         
3786         1. For ThreadSpecific<Vector>, I was calling Vector's constructor twice
3787         unnecessarily, and incorrectly, since we ended up constructing over an
3788         already constructed Vector for the second call. When doing operator* or
3789         operator-> on a ThreadSpecific<T>, T() is called if it has not been
3790         initialized yet. So there is no need to manually call the constructor
3791         the second time.
3792         
3793         2. There is no need to try to destroy entries for ThreadSpecific manually
3794         since we already run destructors when the thread goes away.
3795         
3796         This patch removes code for (1) and (2) both from the Wasm bytecode
3797         buffer and from AssemblerData.
3798
3799         * assembler/AssemblerBuffer.cpp:
3800         (JSC::clearAssembleDataThreadSpecificCache): Deleted.
3801         * assembler/AssemblerBuffer.h:
3802         (JSC::AssemblerBuffer::AssemblerBuffer):
3803         (JSC::AssemblerBuffer::~AssemblerBuffer):
3804         (JSC::AssemblerBuffer::getThreadSpecificAssemblerData): Deleted.
3805         * dfg/DFGWorklist.cpp:
3806         * jit/JITWorklist.cpp:
3807         * wasm/WasmLLIntGenerator.cpp:
3808         (JSC::Wasm::LLIntGenerator::LLIntGenerator):
3809         (JSC::Wasm::clearLLIntThreadSpecificCache): Deleted.
3810         * wasm/WasmLLIntGenerator.h:
3811         * wasm/WasmWorklist.cpp:
3812
3813 2020-06-01  Yusuke Suzuki  <ysuzuki@apple.com>
3814
3815         Unreviewed, fix build failure in ARMv7k
3816         https://bugs.webkit.org/show_bug.cgi?id=212595
3817
3818         * runtime/JSCJSValue.cpp:
3819         (JSC::JSValue::toThisSlowCase const):
3820
3821 2020-06-01  Yusuke Suzuki  <ysuzuki@apple.com>
3822
3823         [JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection
3824         https://bugs.webkit.org/show_bug.cgi?id=212601
3825
3826         Reviewed by Saam Barati.
3827
3828         This is a pretty rare case. But at some optimization levels, JSBigInt::rightTrim could store the |this| + offset pointer into the stack instead of |this|
3829         and make conservative GC think that |this| JSBigInt is unreachable. We put ensureStillAliveHere(this) to ensure that this is alive.
3830
3831         * runtime/JSBigInt.cpp:
3832         (JSC::JSBigInt::rightTrim):
3833
3834 2020-06-01  Mark Lam  <mark.lam@apple.com>
3835
3836         x86.rb's LabelReference.x86LoadOperand()'s address operand should be a pointer type.
3837         https://bugs.webkit.org/show_bug.cgi?id=212603
3838
3839         Reviewed by Saam Barati.
3840
3841         The current implementation mistakenly sets the address type to that of the value
3842         being loaded.  I encountered this issue when I was trying to do a loadb from a
3843         global address.  Because of this bug, the emitted code was trying to do a load using
3844         %al (8 byte register) as the pointer to load from.  With this fix, it now loads
3845         from %rax.
3846