e9015705725d0d1fc10117895eb661941046a8a4
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-01-25  Keith Rollin  <krollin@apple.com>

        Update WebKitAdditions.xcconfig with correct order of variable definitions
        https://bugs.webkit.org/show_bug.cgi?id=193793
        <rdar://problem/47532439>

        Reviewed by Alex Christensen.

        XCBuild changes the way xcconfig variables are evaluated. In short,
        all config file assignments are now considered as part of the
        evaluation. When using the new build system and an .xcconfig file
        contains multiple assignments of the same build setting:

        - Later assignments using $(inherited) will inherit from earlier
          assignments in the xcconfig file.
        - Later assignments not using $(inherited) will take precedence over
          earlier assignments. An assignment to a more general setting will
          mask an earlier assignment to a less general setting. For example,
          an assignment without a condition ('FOO = bar') will completely mask
          an earlier assignment with a condition ('FOO[sdk=macos*] = quux').

        This affects some of our .xcconfig files, in that sometimes platform-
        or sdk-specific definitions appear before the general definitions.
        Under the new evaluation rules, the general definitions always take
        effect because they always overwrite the more-specific definitions. The
        solution is to swap the order, so that the general definitions are
        established first, and then conditionally overwritten by the
        more-specific definitions.

        * Configurations/Version.xcconfig:
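
A small Python model of the evaluation rule described in this entry, added here as an illustration and not part of WebKit's build tooling: it parses the two-assignment pattern from the entry and shows why the specific-before-general order loses the macOS value while the swapped order keeps it. The `FOO`/`quux`/`bar` values are the entry's own; the parser, the `$(inherited)` expansion and the SDK names `macosx`/`iphoneos` are assumptions.

```python
"""Constructed model of the XCBuild xcconfig evaluation rules described above.
Not WebKit's build tooling; the parser and SDK names are assumptions."""
import re
from fnmatch import fnmatch

# Matches `NAME = value` and `NAME[sdk=pattern] = value`; other condition kinds are not modelled.
ASSIGNMENT = re.compile(r"^(\w+)(?:\[sdk=([^\]]+)\])?\s*=\s*(.*)$")


def parse_xcconfig(text):
    """Return (setting, sdk_condition or None, rhs) tuples in file order."""
    assignments = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop xcconfig comments
        if not line:
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            raise ValueError(f"unparsed xcconfig line: {raw!r}")
        assignments.append((match.group(1), match.group(2), match.group(3).strip()))
    return assignments


def evaluate(assignments, setting, sdk, inherited=""):
    """Apply every assignment whose condition matches `sdk`, in file order.
    A later assignment replaces an earlier one, and $(inherited) expands to the
    value accumulated so far, which is the behaviour the entry attributes to XCBuild."""
    value = inherited
    for name, condition, rhs in assignments:
        if name != setting:
            continue
        if condition is not None and not fnmatch(sdk, condition):
            continue
        value = rhs.replace("$(inherited)", value).strip()
    return value


# Specific-before-general: the pattern the entry says broke under XCBuild (constructed).
BROKEN = """
FOO[sdk=macos*] = quux
FOO = bar
"""

# General first, then conditionally overwritten: the order the entry adopts (constructed).
FIXED = """
FOO = bar
FOO[sdk=macos*] = quux
"""


def foo_for(text, sdk):
    """Value of FOO that the model resolves for the given SDK name."""
    return evaluate(parse_xcconfig(text), "FOO", sdk)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "macosx ->", foo_for(text, "macosx"),
              "| iphoneos ->", foo_for(text, "iphoneos"))
```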

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update existing .xcfilelists
        https://bugs.webkit.org/show_bug.cgi?id=193791
        <rdar://problem/47201706>

        Reviewed by Alex Christensen.

        Many .xcfilelist files were added in r238824 in order to support
        XCBuild. Update these with recent changes to the set of build files
        and with the current generate-xcfilelist script.

        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * UnifiedSources-input.xcfilelist:
        * UnifiedSources-output.xcfilelist:

2019-01-25  Jon Davis  <jond@apple.com>

        Update JavaScriptCore feature status entries.
        https://bugs.webkit.org/show_bug.cgi?id=193797

        Reviewed by Mark Lam.

        Updated feature status for Async Iteration, and Object rest/spread.

        * features.json:

2019-01-24  Keith Miller  <keith_miller@apple.com>

        Remove usage of internal macro from private header
        https://bugs.webkit.org/show_bug.cgi?id=193809

        Reviewed by Saam Barati.

        Also, add a new file to include all of our API headers to make sure
        they don't accidentally include C++ or internal values.

        * API/JSScript.h:
        * API/tests/testIncludes.m: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193800

        Reviewed by Saam Barati.

        Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
        IsoSubspace errorConstructorSpace in VM. But it is allocated only one-per-JSGlobalObject, and it is
        too costly to have IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
        JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
        ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
        into IsoSubspaces) described,

            "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
            appear to just override methods, which are called dynamically via the structure or class of the object.
            So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."

        Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
        This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
        This reduces the memory usage.

        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        (JSC::constructErrorConstructor):
        (JSC::callErrorConstructor):
        (JSC::ErrorConstructor::put):
        (JSC::ErrorConstructor::deleteProperty):
        (JSC::Interpreter::constructWithErrorConstructor): Deleted.
        (JSC::Interpreter::callErrorConstructor): Deleted.
        * runtime/ErrorConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stackTraceLimit const):
        (JSC::JSGlobalObject::setStackTraceLimit):
        (JSC::JSGlobalObject::errorConstructor const): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CPU Usage Timeline
        https://bugs.webkit.org/show_bug.cgi?id=193730
        <rdar://problem/46797201>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources.make:
        New files.

        * inspector/protocol/CPUProfiler.json: Added.
        New domain that follows the pattern of Memory/ScriptProfiler.

        * inspector/protocol/Timeline.json:
        New enum to auto-start a CPU instrument in the backend.

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193774

        Reviewed by Mark Lam.

        We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
        But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
        for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
        ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
        for these two constructor instances. They are only two instances per JSGlobalObject.

        This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use the IsoSubspace
        of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
        its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
        and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
        we do not need to hold ArrayBufferSharingMode in a field of the constructor. This change removes the IsoSubspace
        for ArrayBufferConstructors, and reduces the memory usage.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
        (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
        (JSC::JSArrayBufferConstructor::create): Deleted.
        (JSC::JSArrayBufferConstructor::createStructure): Deleted.
        (JSC::constructArrayBuffer): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
        This becomes true when we find the executable address in our conservative roots, which
        means that we could be executing it right now. This means that object liveness in
        JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
        constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
        be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
        executing JITStubRoutine because "Conservative Scan" finds it later.
        When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
        "Conservative Scan" has already finished, we do not delete some JITStubRoutines which do not
        mark the depending objects. Then, in the next cycle, we find JITStubRoutines still live,
        attempt to mark the depending objects, and encounter the dead objects which were collected
        in the previous cycles.

        This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
        "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
        happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
        GC stop time.

        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::roots const):
        (JSC::ConservativeRoots::roots): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        * heap/SlotVisitor.h:
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:

2019-01-24  Saam Barati  <sbarati@apple.com>

        Update ARM64EHash
        https://bugs.webkit.org/show_bug.cgi?id=193776
        <rdar://problem/47526457>

        Reviewed by Mark Lam.

        See radar for details.

        * assembler/AssemblerBuffer.h:
        (JSC::ARM64EHash::update):
        (JSC::ARM64EHash::finalHash const):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        The Object Allocation Sinking phase may move allocations around inside
        of the program. However, it was not ensuring that it's still possible
        to walk the stack at the point in the program that it moved the allocation to.
        Certain InlineCallFrames rely on data in the stack when taking a stack trace.
        All allocation sites can do a stack walk (we do a stack walk when we GC).
        Conservatively, this patch says we're ok to move this allocation if we are
        moving within the same InlineCallFrame. We could be more precise and do an
        analysis of stack writes. However, this scenario is so rare that we just
        take the conservative and straightforward approach of checking that the place
        we're moving to is the same InlineCallFrame as the allocation site.

        In general, this issue arises anytime we do any kind of code motion.
        Interestingly, LICM gets this right. It gets it right because the only
        InlineCallFrames we can't move out of are the InlineCallFrames that
        have metadata stored on the stack (callee for closure calls and argument
        count for varargs calls). LICM doesn't have this issue because it relies
        on Clobberize for doing its effects analysis. In clobberize, we model every
        node within an InlineCallFrame that meets the above criteria as reading
        from those stack fields. Consequently, LICM won't hoist any node in that
        InlineCallFrame past the beginning of the InlineCallFrame since the IR
        we generate to set up such an InlineCallFrame contains writes to that
        stack location.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Use $s0 as metadata register and make sure it's properly saved and
        restored.

        * jit/GPRInfo.h:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::vmCalleeSaveRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        * llint/LowLevelInterpreter.asm:
        * offlineasm/mips.rb:

2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Expose JavaScriptCore options in GLib public API
        https://bugs.webkit.org/show_bug.cgi?id=188742

        Reviewed by Michael Catanzaro.

        Add new API to set, get and iterate JSC options.

        * API/glib/JSCOptions.cpp: Added.
        (valueFromGValue):
        (valueToGValue):
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_set_boolean):
        (jsc_options_get_boolean):
        (jsc_options_set_int):
        (jsc_options_get_int):
        (jsc_options_set_uint):
        (jsc_options_get_uint):
        (jsc_options_set_size):
        (jsc_options_get_size):
        (jsc_options_set_double):
        (jsc_options_get_double):
        (jsc_options_set_string):
        (jsc_options_get_string):
        (jsc_options_set_range_string):
        (jsc_options_get_range_string):
        (jscOptionsType):
        (jsc_options_foreach):
        (setOptionEntry):
        (jsc_options_get_option_group):
        * API/glib/JSCOptions.h: Added.
        * API/glib/docs/jsc-glib-4.0-sections.txt:
        * API/glib/docs/jsc-glib-docs.sgml:
        * API/glib/jsc.h:
        * GLib.cmake:

2019-01-23  Mark Lam  <mark.lam@apple.com>

        ARM64E should not ENABLE(SEPARATED_WX_HEAP).
        https://bugs.webkit.org/show_bug.cgi?id=193744
        <rdar://problem/46262952>

        Reviewed by Saam Barati.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
        making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform forward analysis.
        We first clear all the availability of basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block
        ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
        merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability in the head
        of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
        The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
        BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
        as follows.

            BB0 -> BB1 -> BB2 -> BB4
             |        \        ^
             v          > BB3 /
            BB5

        And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.

            BB0 does nothing
                head: loc1 is dead
                tail: loc1 is dead

            BB1 has MovHint @1, loc1
                head: loc1 is dead
                tail: loc1 is live

            BB2 does nothing
                head: loc1 is live
                tail: loc1 is live

            BB3 has PutStack @1, loc1
                head: loc1 is live
                tail: loc1 is live

            BB4 has OSR exit using loc1
                head: loc1 is live
                tail: loc1 is live (in bytecode)

            BB5 does nothing
                head: loc1 is dead
                tail: loc1 is dead

        In our OSR Availability analysis, we always prune the loc1 result in BB1's head since its head says "loc1 is dead".
        But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.

        So, the flush format of loc1 in each tail of BB is like this.

            BB0
                ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
            BB1
                DeadFlush+@1 (pruning clears it)
            BB2
                DeadFlush+@1 (since it is propagated from BB1)
            BB3
                FlushedJSValue+@1 with loc1 (since it has PutStack)
            BB4
                FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
            BB5
                DeadFlush (pruning clears it)

        Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
        The correct fix is making availability "unavailable" when pruning based on bytecode liveness.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands Availability::unavailable(),
        and copy the calculated value from the current availability map.
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging things for debugging.

2019-01-23  David Kilzer  <ddkilzer@apple.com>

        [JSC] Duplicate global variables: JSC::opcodeLengths
        <https://webkit.org/b/193714>
        <rdar://problem/47340200>

        Reviewed by Mark Lam.

        * bytecode/Opcode.cpp:
        (JSC::opcodeLengths): Move array implementation here and mark
        const.
        * bytecode/Opcode.h:
        (JSC::opcodeLengths): Change to extern declaration.

2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Remote Inspector: no data displayed
        https://bugs.webkit.org/show_bug.cgi?id=193569

        Reviewed by Michael Catanzaro.

        Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
        deadlock.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setup):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/ObjectPrototype.h:
        * runtime/ObjectPrototypeInlines.h: Removed.
        * runtime/StructureRareData.h:

2019-01-22  Devin Rousso  <drousso@apple.com>

        Web Inspector: expose Audit and Recording versions to the frontend
        https://bugs.webkit.org/show_bug.cgi?id=193262
        <rdar://problem/47130684>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Audit.json:
        * inspector/protocol/Recording.json:
        Add `version` values.

        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domain.version): Added.
        (Domains):

        * inspector/scripts/codegen/generator.py:
        (Generator.version_for_domain): Added.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_versions): Added.

        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.should_generate_domain):
        (JSBackendCommandsGenerator.generate_domain):

        * inspector/scripts/tests/generic/version.json: Added.
        * inspector/scripts/tests/generic/expected/version.json-result: Added.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl constructors should fit in sizeof(InternalFunction)
        https://bugs.webkit.org/show_bug.cgi?id=193661

        Reviewed by Mark Lam.

        Previously all the Intl constructors have their own subspace. This is because these constructors have different sizes from InternalFunction.
        But it is too costly an approach in terms of the memory usage since these constructors are only one per JSGlobalObject. This patch attempts to
        reduce the memory size consumed by these Intl objects by holding instance structures in IntlObject instead of in each Intl constructor.
        That way we can make sizeof(Intl constructors) == sizeof(InternalFunction) and drop costly subspaces. Since this patch drops subspaces in VM,
        it also significantly reduces the sizeof(VM), from 76696 to 74680.

        This patch also includes the preparation for making Intl properties lazy. But currently it is not possible since the @Collator reference exists
        in builtin code.

        * CMakeLists.txt:
        * DerivedSources.make:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::create):
        (JSC::IntlCollatorConstructor::finishCreation):
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        (JSC::IntlCollatorConstructor::visitChildren): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::create):
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        (JSC::IntlDateTimeFormatConstructor::visitChildren): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::create):
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        (JSC::IntlNumberFormatConstructor::visitChildren): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlObject.cpp:
        (JSC::createCollatorConstructor):
        (JSC::createNumberFormatConstructor):
        (JSC::createDateTimeFormatConstructor):
        (JSC::createPluralRulesConstructor):
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation):
        (JSC::IntlObject::visitChildren):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::IntlPluralRulesConstructor::visitChildren): Deleted.
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::intlObject const):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, restore bytecode cache-related JSC options deleted in r240254
        https://bugs.webkit.org/show_bug.cgi?id=192782

        The JSC options were committed as part of r240210, which got rolled out in
        r240224. However, the options got re-landed in r240248 and then deleted
        again in r240254 (immediately before the caching code landed in r240255).

        * runtime/Options.h:

2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>

        Cache bytecode to disk
        https://bugs.webkit.org/show_bug.cgi?id=192782
        <rdar://problem/46084932>

        Reviewed by Keith Miller.

        Add the logic to serialize and deserialize the new JSC bytecode. For now,
        the cache is only used for tests.

        Each class that can be serialized has a counterpart in CachedTypes, which
        handles the decoding and encoding. When decoding, the cached objects are
        mmap'd from disk, but only used for creating instances of the respective
        in-memory version of each object. Ideally, the mmap'd objects should be
        used at runtime in the future.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinNames.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * bytecode/CodeBlock.h:
        * bytecode/HandlerInfo.h:
        (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
        * bytecode/InstructionStream.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addSetConstant):
        (JSC::UnlinkedCodeBlock::constantIdentifierSets):
        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/UnlinkedGlobalCodeBlock.h:
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        * bytecode/UnlinkedMetadataTable.h:
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * interpreter/Interpreter.cpp:
        * jsc.cpp:
        (functionQuit):
        (runJSC):
        * parser/SourceCode.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::operator!= const):
        * parser/UnlinkedSourceCode.h:
        * parser/VariableEnvironment.h:
        * runtime/CachedTypes.cpp: Added.
        (JSC::Encoder::Allocation::buffer const):
        (JSC::Encoder::Allocation::offset const):
        (JSC::Encoder::Allocation::Allocation):
        (JSC::Encoder::Encoder):
        (JSC::Encoder::vm):
        (JSC::Encoder::malloc):
        (JSC::Encoder::offsetOf):
        (JSC::Encoder::cachePtr):
        (JSC::Encoder::offsetForPtr):
        (JSC::Encoder::release):
        (JSC::Encoder::Page::Page):
        (JSC::Encoder::Page::malloc):
        (JSC::Encoder::Page::buffer const):
        (JSC::Encoder::Page::size const):
        (JSC::Encoder::Page::getOffset const):
        (JSC::Encoder::allocateNewPage):
        (JSC::Decoder::Decoder):
        (JSC::Decoder::~Decoder):
        (JSC::Decoder::vm):
        (JSC::Decoder::offsetOf):
        (JSC::Decoder::cacheOffset):
        (JSC::Decoder::addFinalizer):
695         (JSC::Decoder::cacheOffset):
696         (JSC::Decoder::addFinalizer):
697         (JSC::encode):
698         (JSC::decode):
699         (JSC::VariableLengthObject::buffer const):
700         (JSC::VariableLengthObject::allocate):
701         (JSC::CachedPtr::encode):
702         (JSC::CachedPtr::decode const):
703         (JSC::CachedPtr::operator-> const):
704         (JSC::CachedPtr::get const):
705         (JSC::CachedRefPtr::encode):
706         (JSC::CachedRefPtr::decode const):
707         (JSC::CachedWriteBarrier::encode):
708         (JSC::CachedWriteBarrier::decode const):
709         (JSC::CachedVector::encode):
710         (JSC::CachedVector::decode const):
711         (JSC::CachedPair::encode):
712         (JSC::CachedPair::decode const):
713         (JSC::CachedHashMap::encode):
714         (JSC::CachedHashMap::decode const):
715         (JSC::CachedUniquedStringImpl::encode):
716         (JSC::CachedUniquedStringImpl::decode const):
717         (JSC::CachedStringImpl::encode):
718         (JSC::CachedStringImpl::decode const):
719         (JSC::CachedString::encode):
720         (JSC::CachedString::decode const):
721         (JSC::CachedIdentifier::encode):
722         (JSC::CachedIdentifier::decode const):
723         (JSC::CachedOptional::encode):
724         (JSC::CachedOptional::decode const):
725         (JSC::CachedOptional::decodeAsPtr const):
726         (JSC::CachedSimpleJumpTable::encode):
727         (JSC::CachedSimpleJumpTable::decode const):
728         (JSC::CachedStringJumpTable::encode):
729         (JSC::CachedStringJumpTable::decode const):
730         (JSC::CachedCodeBlockRareData::encode):
731         (JSC::CachedCodeBlockRareData::decode const):
732         (JSC::CachedBitVector::encode):
733         (JSC::CachedBitVector::decode const):
734         (JSC::CachedHashSet::encode):
735         (JSC::CachedHashSet::decode const):
736         (JSC::CachedConstantIdentifierSetEntry::encode):
737         (JSC::CachedConstantIdentifierSetEntry::decode const):
738         (JSC::CachedVariableEnvironment::encode):
739         (JSC::CachedVariableEnvironment::decode const):
740         (JSC::CachedArray::encode):
741         (JSC::CachedArray::decode const):
742         (JSC::CachedScopedArgumentsTable::encode):
743         (JSC::CachedScopedArgumentsTable::decode const):
744         (JSC::CachedSymbolTableEntry::encode):
745         (JSC::CachedSymbolTableEntry::decode const):
746         (JSC::CachedSymbolTable::encode):
747         (JSC::CachedSymbolTable::decode const):
748         (JSC::CachedImmutableButterfly::encode):
749         (JSC::CachedImmutableButterfly::decode const):
750         (JSC::CachedRegExp::encode):
751         (JSC::CachedRegExp::decode const):
752         (JSC::CachedTemplateObjectDescriptor::encode):
753         (JSC::CachedTemplateObjectDescriptor::decode const):
754         (JSC::CachedBigInt::encode):
755         (JSC::CachedBigInt::decode const):
756         (JSC::CachedJSValue::encode):
757         (JSC::CachedJSValue::decode const):
758         (JSC::CachedInstructionStream::encode):
759         (JSC::CachedInstructionStream::decode const):
760         (JSC::CachedMetadataTable::encode):
761         (JSC::CachedMetadataTable::decode const):
762         (JSC::CachedSourceOrigin::encode):
763         (JSC::CachedSourceOrigin::decode const):
764         (JSC::CachedTextPosition::encode):
765         (JSC::CachedTextPosition::decode const):
766         (JSC::CachedSourceProviderShape::encode):
767         (JSC::CachedSourceProviderShape::decode const):
768         (JSC::CachedStringSourceProvider::encode):
769         (JSC::CachedStringSourceProvider::decode const):
770         (JSC::CachedWebAssemblySourceProvider::encode):
771         (JSC::CachedWebAssemblySourceProvider::decode const):
772         (JSC::CachedSourceProvider::encode):
773         (JSC::CachedSourceProvider::decode const):
774         (JSC::CachedUnlinkedSourceCodeShape::encode):
775         (JSC::CachedUnlinkedSourceCodeShape::decode const):
776         (JSC::CachedSourceCode::encode):
777         (JSC::CachedSourceCode::decode const):
778         (JSC::CachedFunctionExecutable::firstLineOffset const):
779         (JSC::CachedFunctionExecutable::lineCount const):
780         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
781         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
782         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
783         (JSC::CachedFunctionExecutable::startOffset const):
784         (JSC::CachedFunctionExecutable::sourceLength const):
785         (JSC::CachedFunctionExecutable::parametersStartOffset const):
786         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
787         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
788         (JSC::CachedFunctionExecutable::parameterCount const):
789         (JSC::CachedFunctionExecutable::features const):
790         (JSC::CachedFunctionExecutable::sourceParseMode const):
791         (JSC::CachedFunctionExecutable::isInStrictContext const):
792         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
793         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
794         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
795         (JSC::CachedFunctionExecutable::constructAbility const):
796         (JSC::CachedFunctionExecutable::constructorKind const):
797         (JSC::CachedFunctionExecutable::functionMode const):
798         (JSC::CachedFunctionExecutable::scriptMode const):
799         (JSC::CachedFunctionExecutable::superBinding const):
800         (JSC::CachedFunctionExecutable::derivedContextType const):
801         (JSC::CachedFunctionExecutable::name const):
802         (JSC::CachedFunctionExecutable::ecmaName const):
803         (JSC::CachedFunctionExecutable::inferredName const):
804         (JSC::CachedCodeBlock::instructions const):
805         (JSC::CachedCodeBlock::thisRegister const):
806         (JSC::CachedCodeBlock::scopeRegister const):
807         (JSC::CachedCodeBlock::globalObjectRegister const):
808         (JSC::CachedCodeBlock::sourceURLDirective const):
809         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
810         (JSC::CachedCodeBlock::usesEval const):
811         (JSC::CachedCodeBlock::isStrictMode const):
812         (JSC::CachedCodeBlock::isConstructor const):
813         (JSC::CachedCodeBlock::hasCapturedVariables const):
814         (JSC::CachedCodeBlock::isBuiltinFunction const):
815         (JSC::CachedCodeBlock::superBinding const):
816         (JSC::CachedCodeBlock::scriptMode const):
817         (JSC::CachedCodeBlock::isArrowFunctionContext const):
818         (JSC::CachedCodeBlock::isClassContext const):
819         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
820         (JSC::CachedCodeBlock::constructorKind const):
821         (JSC::CachedCodeBlock::derivedContextType const):
822         (JSC::CachedCodeBlock::evalContextType const):
823         (JSC::CachedCodeBlock::hasTailCalls const):
824         (JSC::CachedCodeBlock::lineCount const):
825         (JSC::CachedCodeBlock::endColumn const):
826         (JSC::CachedCodeBlock::numVars const):
827         (JSC::CachedCodeBlock::numCalleeLocals const):
828         (JSC::CachedCodeBlock::numParameters const):
829         (JSC::CachedCodeBlock::features const):
830         (JSC::CachedCodeBlock::parseMode const):
831         (JSC::CachedCodeBlock::codeType const):
832         (JSC::CachedCodeBlock::rareData const):
833         (JSC::CachedProgramCodeBlock::encode):
834         (JSC::CachedProgramCodeBlock::decode const):
835         (JSC::CachedModuleCodeBlock::encode):
836         (JSC::CachedModuleCodeBlock::decode const):
837         (JSC::CachedEvalCodeBlock::encode):
838         (JSC::CachedEvalCodeBlock::decode const):
839         (JSC::CachedFunctionCodeBlock::encode):
840         (JSC::CachedFunctionCodeBlock::decode const):
841         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
842         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
843         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
844         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
845         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
846         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
847         (JSC::CachedFunctionExecutable::encode):
848         (JSC::CachedFunctionExecutable::decode const):
849         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
850         (JSC::CachedCodeBlock<CodeBlockType>::encode):
851         (JSC::CachedSourceCodeKey::encode):
852         (JSC::CachedSourceCodeKey::decode const):
853         (JSC::CacheEntry::encode):
854         (JSC::CacheEntry:: const):
855         (JSC:: const):
856         (JSC::encodeCodeBlock):
857         (JSC::decodeCodeBlockImpl):
858         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
859         (JSC::decodeCodeBlock):
860         * runtime/CodeCache.cpp:
861         (JSC::CodeCacheMap::pruneSlowCase):
862         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
863         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
864         (JSC::CodeCache::write):
865         * runtime/CodeCache.h:
866         (JSC::CodeCacheMap::begin):
867         (JSC::CodeCacheMap::end):
868         (JSC::CodeCacheMap::fetchFromDiskImpl):
869         (JSC::CodeCacheMap::findCacheAndUpdateAge):
870         (JSC::writeCodeBlock):
871         * runtime/JSBigInt.cpp:
872         * runtime/JSBigInt.h:
873         * runtime/Options.cpp:
874         (JSC::recomputeDependentOptions):
875         * runtime/RegExp.h:
876         * runtime/ScopedArgumentsTable.h:
877         * runtime/StackFrame.h:
878         * runtime/StructureInlines.h:
879         * runtime/SymbolTable.h:
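The encode/decode split described in this entry, as an added model that is not JSC's CachedTypes code: a hypothetical UnlinkedThing stands in for an Unlinked* object, CachedThing for its CachedTypes counterpart, and Encoder/Decoder for the page-based encoder and the mmap-backed decoder. References inside the buffer are offsets rather than pointers, so the bytes are position-independent, and the decoder bounds-checks every offset against the mapped size before building the in-memory object.

```cpp
// Added example, not JSC's CachedTypes code: a minimal model of the encode/decode split.
// UnlinkedThing, CachedThing, Encoder and Decoder are hypothetical stand-ins.
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// In-memory form, analogous to an Unlinked* object.
struct UnlinkedThing {
    std::string name;
    std::vector<int32_t> constants;
};

// Cached form: a fixed-size header whose variable-length parts are referenced by
// offset from the start of the buffer, never by raw pointer, so the bytes stay
// valid wherever the file is later mapped.
struct CachedThing {
    uint32_t nameOffset;
    uint32_t nameLength;
    uint32_t constantsOffset;
    uint32_t constantsCount;
};

class Encoder {
public:
    // Reserve `size` bytes, copy `data` into them, and return their offset.
    uint32_t malloc(size_t size, const void* data = nullptr)
    {
        uint32_t offset = static_cast<uint32_t>(m_buffer.size());
        m_buffer.resize(m_buffer.size() + size);
        if (data && size)
            std::memcpy(m_buffer.data() + offset, data, size);
        return offset;
    }
    std::vector<uint8_t> release() { return std::move(m_buffer); }
private:
    std::vector<uint8_t> m_buffer;
};

class Decoder {
public:
    explicit Decoder(const std::vector<uint8_t>& buffer) : m_buffer(buffer) { }
    // Turn an offset into a pointer only when [offset, offset + size) lies inside the
    // mapped buffer; a cache read back from disk is validated, not trusted.
    const uint8_t* ptrAt(uint32_t offset, size_t size) const
    {
        if (offset > m_buffer.size() || size > m_buffer.size() - offset)
            return nullptr;
        return m_buffer.data() + offset;
    }
private:
    const std::vector<uint8_t>& m_buffer;
};

// The header is allocated first so the decoder finds it at offset 0; the payloads
// follow and the header is patched in once their offsets are known.
std::vector<uint8_t> encode(const UnlinkedThing& thing)
{
    Encoder encoder;
    uint32_t headerOffset = encoder.malloc(sizeof(CachedThing));
    CachedThing cached;
    cached.nameLength = static_cast<uint32_t>(thing.name.size());
    cached.nameOffset = encoder.malloc(cached.nameLength, thing.name.data());
    cached.constantsCount = static_cast<uint32_t>(thing.constants.size());
    cached.constantsOffset = encoder.malloc(cached.constantsCount * sizeof(int32_t), thing.constants.data());
    std::vector<uint8_t> buffer = encoder.release();
    std::memcpy(buffer.data() + headerOffset, &cached, sizeof(CachedThing));
    return buffer;
}

// Builds a fresh in-memory object from the cached bytes; nullopt on a malformed cache.
std::optional<UnlinkedThing> decode(const std::vector<uint8_t>& buffer)
{
    Decoder decoder(buffer);
    const uint8_t* header = decoder.ptrAt(0, sizeof(CachedThing));
    if (!header)
        return std::nullopt;
    CachedThing cached;
    std::memcpy(&cached, header, sizeof(CachedThing));
    const uint8_t* nameBytes = decoder.ptrAt(cached.nameOffset, cached.nameLength);
    const uint8_t* constantBytes = decoder.ptrAt(cached.constantsOffset, size_t(cached.constantsCount) * sizeof(int32_t));
    if (!nameBytes || !constantBytes)
        return std::nullopt;
    UnlinkedThing thing;
    thing.name.assign(reinterpret_cast<const char*>(nameBytes), cached.nameLength);
    thing.constants.resize(cached.constantsCount);
    if (cached.constantsCount)
        std::memcpy(thing.constants.data(), constantBytes, cached.constantsCount * sizeof(int32_t));
    return thing;
}

// Round-trips a constructed sample and feeds the decoder a truncated copy of the
// cache; true when the copy decodes identically and the truncation is rejected.
bool demoRoundTrip()
{
    UnlinkedThing original { "foo", { 1, -2, 3 } }; // constructed sample input
    std::vector<uint8_t> buffer = encode(original);
    std::optional<UnlinkedThing> decoded = decode(buffer);
    std::vector<uint8_t> truncated(buffer.begin(), buffer.begin() + sizeof(CachedThing) + 1);
    return decoded && decoded->name == original.name && decoded->constants == original.constants && !decode(truncated);
}
```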
880
881 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] Invalidate old scope operations using global lexical binding epoch
884         https://bugs.webkit.org/show_bug.cgi?id=193603
885         <rdar://problem/47380869>
886
887         Reviewed by Saam Barati.
888
889         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
890         scope-related operations since we may have had a global property previously. Consider the following example:
891
892             foo = 0;
893             function get() { return foo; }
894             print(get()); // 0
895             print(get()); // 0
896             delete globalThis.foo;
897             $.evalScript(`const foo = 42;`);
898             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
899
900         To invalidate the cache easily, we introduce a global lexical binding epoch. It is bumped every time we introduce a new lexical binding
901         into JSGlobalLexicalEnvironment, since that name could shadow the global property name previously. In op_resolve_scope, we first check
902         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
903         operation to the appropriate one even if the resolve type is not UnresolvedProperty type. After updating the resolve type of the bytecode,
904         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
905
906         In op_get_from_scope and op_put_to_scope, we do not use this epoch since the Structure check can do the same thing instead. If op_resolve_scope
907         is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, obviously the structure check fails.
908         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
909
910         So, the metadata for scope-related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint-based approach.
911         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid
912         infinite compile-and-fail loop.
913
914         When the global lexical binding epoch overflows, we iterate all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
915         happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
916         structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
917         reason.
918
919         * bytecode/BytecodeList.rb:
920         * bytecode/CodeBlock.cpp:
921         (JSC::CodeBlock::finishCreation):
922         (JSC::CodeBlock::notifyLexicalBindingUpdate):
923         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
924         * bytecode/CodeBlock.h:
925         * dfg/DFGByteCodeParser.cpp:
926         (JSC::DFG::ByteCodeParser::parseBlock):
927         * dfg/DFGDesiredGlobalProperties.cpp:
928         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
929         * dfg/DFGDesiredGlobalProperties.h:
930         * dfg/DFGGraph.cpp:
931         (JSC::DFG::Graph::watchGlobalProperty):
932         * dfg/DFGGraph.h:
933         * dfg/DFGPlan.cpp:
934         (JSC::DFG::Plan::isStillValidOnMainThread):
935         * jit/JITPropertyAccess.cpp:
936         (JSC::JIT::emit_op_resolve_scope):
937         * jit/JITPropertyAccess32_64.cpp:
938         (JSC::JIT::emit_op_resolve_scope):
939         * llint/LowLevelInterpreter32_64.asm:
940         * llint/LowLevelInterpreter64.asm:
941         * runtime/CommonSlowPaths.cpp:
942         (JSC::SLOW_PATH_DECL):
943         * runtime/CommonSlowPaths.h:
944         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
945         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
946         * runtime/JSGlobalObject.cpp:
947         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
948         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
949         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
950         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
951         * runtime/JSGlobalObject.h:
952         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
953         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
954         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
955         * runtime/Options.cpp:
956         (JSC::correctOptions):
957         (JSC::Options::initialize):
958         (JSC::Options::setOptions):
959         (JSC::Options::setOptionWithoutAlias):
960         * runtime/Options.h:
961         * runtime/ProgramExecutable.cpp:
962         (JSC::ProgramExecutable::initializeGlobalProperties):
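The epoch check described in this entry, as an added model that is not JSC's code: a hypothetical GlobalObject, CodeBlock and ResolveScopeMetadata stand in for JSGlobalObject, CodeBlock and the op_resolve_scope metadata. It replays the script quoted above and also covers the overflow case, in which every live CodeBlock's cached epoch is reset so the next op_resolve_scope re-resolves.

```cpp
// Added example, not JSC's own code: a toy model of the global lexical binding epoch.
// GlobalObject, CodeBlock and ResolveScopeMetadata are hypothetical stand-ins.
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <vector>

enum class ResolveType { GlobalProperty, GlobalLexicalVar };

// Per-op_resolve_scope metadata: what the name resolved to, and under which epoch.
struct ResolveScopeMetadata {
    uint32_t cachedEpoch = 0; // 0 never equals a live epoch, so fresh metadata takes the slow path
    ResolveType resolveType = ResolveType::GlobalProperty;
};

struct CodeBlock { std::vector<ResolveScopeMetadata> resolveScopes; };

struct GlobalObject {
    std::map<std::string, int> properties;      // JSGlobalObject properties, e.g. `foo = 0`
    std::map<std::string, int> lexicalBindings; // JSGlobalLexicalEnvironment, e.g. `const foo = 42`
    uint32_t epoch = 1;
    std::vector<CodeBlock*> liveCodeBlocks;
};

// Bumped whenever a new global lexical binding appears, since that name may shadow a cached global property.
void bumpGlobalLexicalBindingEpoch(GlobalObject& global)
{
    if (global.epoch != UINT32_MAX) {
        ++global.epoch;
        return;
    }
    // Overflow: reset every live op_resolve_scope so each one re-resolves.
    for (CodeBlock* block : global.liveCodeBlocks)
        for (ResolveScopeMetadata& metadata : block->resolveScopes)
            metadata.cachedEpoch = 0;
    global.epoch = 1;
}

void addGlobalLexicalBinding(GlobalObject& global, const std::string& name, int value)
{
    global.lexicalBindings[name] = value;
    bumpGlobalLexicalBindingEpoch(global);
}

// op_resolve_scope: fast path when the cached epoch matches, slow path otherwise.
// Returns true when the slow path ran.
bool resolveScope(GlobalObject& global, ResolveScopeMetadata& metadata, const std::string& name)
{
    if (metadata.cachedEpoch == global.epoch)
        return false;
    // Slow path: recompute the resolve type even if it was already a concrete type,
    // then record the epoch so the fast path stays valid until the next bump.
    metadata.resolveType = global.lexicalBindings.count(name) ? ResolveType::GlobalLexicalVar : ResolveType::GlobalProperty;
    metadata.cachedEpoch = global.epoch;
    return true;
}

// Stand-in for `function get() { return foo; }`: resolve, then read from the selected scope.
std::optional<int> getFromScope(GlobalObject& global, ResolveScopeMetadata& metadata, const std::string& name)
{
    resolveScope(global, metadata, name);
    const auto& scope = metadata.resolveType == ResolveType::GlobalLexicalVar ? global.lexicalBindings : global.properties;
    auto it = scope.find(name);
    if (it == scope.end())
        return std::nullopt;
    return it->second;
}

// Replays the script from the ChangeLog entry; returns what the last get() sees.
int replayShadowingScenario()
{
    GlobalObject global;
    ResolveScopeMetadata metadata;             // the single op_resolve_scope inside get()
    global.properties["foo"] = 0;               // foo = 0;
    getFromScope(global, metadata, "foo");      // get() -> 0, slow path caches GlobalProperty
    getFromScope(global, metadata, "foo");      // get() -> 0, fast path
    global.properties.erase("foo");             // delete globalThis.foo;
    addGlobalLexicalBinding(global, "foo", 42); // $.evalScript(`const foo = 42;`) bumps the epoch
    return getFromScope(global, metadata, "foo").value_or(-1); // 42, not the stale 0
}

// Forces the wrap-around: true when live metadata is reset so that the next
// op_resolve_scope takes the slow path again.
bool replayEpochOverflow()
{
    GlobalObject global;
    CodeBlock block;
    block.resolveScopes.resize(1);
    global.liveCodeBlocks.push_back(&block);
    ResolveScopeMetadata& metadata = block.resolveScopes[0];
    global.epoch = UINT32_MAX;
    resolveScope(global, metadata, "bar");                     // caches under the maximal epoch
    bool fastPathBefore = !resolveScope(global, metadata, "bar");
    addGlobalLexicalBinding(global, "bar", 1);                 // wraps: metadata reset, epoch back to 1
    bool wasReset = global.epoch == 1 && metadata.cachedEpoch == 0;
    return fastPathBefore && wasReset && resolveScope(global, metadata, "bar");
}
```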
963
964 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
965
966         Unreviewed, roll out r240220 due to date-format-xparb regression
967         https://bugs.webkit.org/show_bug.cgi?id=193603
968
969         * bytecode/BytecodeList.rb:
970         * bytecode/CodeBlock.cpp:
971         (JSC::CodeBlock::notifyLexicalBindingShadowing):
972         (JSC::CodeBlock::notifyLexicalBindingUpdate): Deleted.
973         * bytecode/CodeBlock.h:
974         * dfg/DFGByteCodeParser.cpp:
975         (JSC::DFG::ByteCodeParser::parseBlock):
976         * dfg/DFGDesiredGlobalProperties.cpp:
977         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
978         * dfg/DFGDesiredGlobalProperties.h:
979         * dfg/DFGGraph.cpp:
980         (JSC::DFG::Graph::watchGlobalProperty): Deleted.
981         * dfg/DFGGraph.h:
982         * dfg/DFGPlan.cpp:
983         (JSC::DFG::Plan::isStillValidOnMainThread):
984         * jit/JITPropertyAccess.cpp:
985         (JSC::JIT::emit_op_resolve_scope):
986         * jit/JITPropertyAccess32_64.cpp:
987         (JSC::JIT::emit_op_resolve_scope):
988         * llint/LowLevelInterpreter32_64.asm:
989         * llint/LowLevelInterpreter64.asm:
990         * runtime/CommonSlowPaths.cpp:
991         (JSC::SLOW_PATH_DECL):
992         * runtime/CommonSlowPaths.h:
993         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
994         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
995         * runtime/JSGlobalObject.cpp:
996         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
997         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
998         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
999         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch): Deleted.
1000         * runtime/JSGlobalObject.h:
1001         (JSC::JSGlobalObject::globalLexicalBindingEpoch const): Deleted.
1002         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset): Deleted.
1003         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch): Deleted.
1004         * runtime/Options.cpp:
1005         (JSC::Options::initialize):
1006         (JSC::Options::setOptions):
1007         (JSC::Options::setOptionWithoutAlias):
1008         (JSC::correctOptions): Deleted.
1009         * runtime/Options.h:
1010         * runtime/ProgramExecutable.cpp:
1011         (JSC::ProgramExecutable::initializeGlobalProperties):
1012
1013 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1014
1015         [JSC] StrictModeTypeErrorFunction is no longer used
1016         https://bugs.webkit.org/show_bug.cgi?id=193662
1017
1018         Reviewed by Mark Lam.
1019
1020         StrictModeTypeErrorFunction is no longer used. This patch drops it. Furthermore, it also allows us to drop
1021         strictModeTypeErrorFunctionSpace from VM.
1022
1023         * runtime/Error.cpp:
1024         (JSC::StrictModeTypeErrorFunction::destroy): Deleted.
1025         * runtime/Error.h:
1026         (): Deleted.
1027         * runtime/VM.cpp:
1028         (JSC::VM::VM):
1029         * runtime/VM.h:
1030
1031 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1032
1033         DoesGC rule is wrong for nodes with BigIntUse
1034         https://bugs.webkit.org/show_bug.cgi?id=193652
1035
1036         Reviewed by Saam Barati.
1037
1038         The former rule was that ValueOp does not GC. However, this is wrong, since
1039         these operations can trigger GC and mess up memory management. In the end, this
1040         will generate wrong code because we will have a wrong GC epoch value during the
1041         Store Barrier Insertion phase.
1042         We changed this to consider BigIntUse for such nodes and properly return true when
1043         they are BigIntUse.
1044
1045         * dfg/DFGDoesGC.cpp:
1046         (JSC::DFG::doesGC):
1047
1048 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1049
1050         [JSC] Lazily initialize JSModuleLoader
1051         https://bugs.webkit.org/show_bug.cgi?id=193646
1052
1053         Reviewed by Keith Miller and Saam Barati.
1054
1055         Lazily initialize JSModuleLoader so that we do not need to initialize it until we need modules.
1056
1057         * runtime/JSGlobalObject.cpp:
1058         (JSC::JSGlobalObject::init):
1059         (JSC::JSGlobalObject::visitChildren):
1060         * runtime/JSGlobalObject.h:
1061         (JSC::JSGlobalObject::moduleLoader const):
1062
1063 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1064
1065         [JSC] sub op with 0 should be optimized
1066         https://bugs.webkit.org/show_bug.cgi?id=190751
1067
1068         Reviewed by Mark Lam.
1069
1070         LLInt sometimes emits `subp 0, %rxx`. For example, `maxFrameExtentForSlowPathCall` is 0 in X86_64, ARM64, and ARM64E.
1071         So `subp maxFrameExtentForSlowPathCall sp` becomes `subp 0, %rsp`. While `addp 0, %rsp` is removed in offlineasm,
1072         the sub operation does not have such an optimization. This patch applies the same optimization to the sub operation that is already
1073         done for the add operation. Since the CPU flags changed by these offlineasm operations are not considered (if these flags
1074         are required, we use special branch operations instead), this optimization is sane.
1075
1076         One problem is the zero-extension of the 32-bit register on 64-bit architectures. If the instruction emission is skipped,
1077         this won't happen. Currently, we align our sub with the add operation: we skip emission in this case.
1078
1079         * offlineasm/arm64.rb:
1080         * offlineasm/x86.rb:
1081
1082 2019-01-20  Saam Barati  <sbarati@apple.com>
1083
1084         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1085         https://bugs.webkit.org/show_bug.cgi?id=193644
1086         <rdar://problem/46209745>
1087
1088         Reviewed by Yusuke Suzuki.
1089
1090         This patch also makes it so we fail fast when we make this mistake.
1091         I've made this mistake more than once.
1092
1093         * dfg/DFGByteCodeParser.cpp:
1094         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1095
1096 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1097
1098         [JSC] Reduce size of SourceProvider
1099         https://bugs.webkit.org/show_bug.cgi?id=193544
1100
1101         Reviewed by Saam Barati.
1102
1103         This patch attempts to reduce the dirty memory footprint with the following 3 optimizations.
1104
1105         1. Reordering the members of SourceProvider to reduce its size. This affects JSC and the CachedScriptSourceProvider used in WebCore.
1106
1107         2. Create one SourceProvider for all the builtin code and use substring to create builtin JS functions.
1108            This reduces the number of SourceProviders created for builtins.
1109
1110         3. Drop the m_validated flag in SourceProvider since nobody uses it. This also deletes dead code in Parser.cpp.
1111
1112         Unfortunately, MSVC does not accept super long C string literals. So instead, we construct the combined string in the form of a C array.
1113
1114         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1115         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1116         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1117         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1118         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
1119         (BuiltinsCombinedHeaderGenerator.generate_output):
1120         * Scripts/wkbuiltins/builtins_generate_combined_implementation.py:
1121         (BuiltinsCombinedImplementationGenerator.generate_output):
1122         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py:
1123         (BuiltinsSeparateImplementationGenerator.generate_output):
1124         * Scripts/wkbuiltins/builtins_generator.py:
1125         (BuiltinsGenerator.generate_embedded_code_data_for_function):
1126         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
1127         (BuiltinsGenerator.generate_embedded_code_string_section_for_function): Deleted.
1128         * builtins/BuiltinExecutables.cpp:
1129         (JSC::BuiltinExecutables::BuiltinExecutables):
1130         (JSC::JSC_FOREACH_BUILTIN_CODE):
1131         (JSC::BuiltinExecutables::createExecutable):
1132         * builtins/BuiltinExecutables.h:
1133         * parser/Parser.cpp:
1134         (JSC::Parser<LexerType>::Parser):
1135         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1136         (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
1137         (JSC::Parser<LexerType>::parseObjectLiteral):
1138         (JSC::Parser<LexerType>::parseUnaryExpression):
1139         * parser/Parser.h:
1140         * parser/SourceCode.h:
1141         * parser/SourceProvider.cpp:
1142         (JSC::SourceProvider::SourceProvider):
1143         * parser/SourceProvider.h:
1144         (JSC::SourceProvider::isValid const): Deleted.
1145         (JSC::SourceProvider::setValid): Deleted.
1146         * runtime/CachedTypes.cpp:
1147         (JSC::CachedSourceProviderShape::encode):
1148         (JSC::CachedSourceProviderShape::decode const):
1149
1150 2019-01-20  Michael Catanzaro  <mcatanzaro@igalia.com>
1151
1152         Unreviewed, fix -Wint-in-bool-context warning
1153         https://bugs.webkit.org/show_bug.cgi?id=193483
1154         <rdar://problem/47280522>
1155
1156         * dfg/DFGFixupPhase.cpp:
1157         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
1158
1159 2019-01-20  Saam Barati  <sbarati@apple.com>
1160
1161         Rollout r240210: It broke tests on iOS
1162         https://bugs.webkit.org/show_bug.cgi?id=193640
1163
1164         Unreviewed. ~2650 tests are failing on iOS.
1165
1166         * CMakeLists.txt:
1167         * JavaScriptCore.xcodeproj/project.pbxproj:
1168         * Sources.txt:
1169         * builtins/BuiltinNames.cpp:
1170         (JSC::BuiltinNames::BuiltinNames):
1171         * builtins/BuiltinNames.h:
1172         * bytecode/CodeBlock.cpp:
1173         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1174         * bytecode/CodeBlock.h:
1175         * bytecode/HandlerInfo.h:
1176         * bytecode/InstructionStream.h:
1177         * bytecode/UnlinkedCodeBlock.h:
1178         (JSC::UnlinkedCodeBlock::addSetConstant):
1179         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1180         * bytecode/UnlinkedEvalCodeBlock.h:
1181         * bytecode/UnlinkedFunctionCodeBlock.h:
1182         * bytecode/UnlinkedFunctionExecutable.h:
1183         * bytecode/UnlinkedGlobalCodeBlock.h:
1184         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1185         * bytecode/UnlinkedMetadataTable.h:
1186         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1187         * bytecode/UnlinkedProgramCodeBlock.h:
1188         * interpreter/Interpreter.cpp:
1189         * jsc.cpp:
1190         (functionQuit):
1191         (runJSC):
1192         * parser/SourceCode.h:
1193         * parser/SourceCodeKey.h:
1194         (JSC::SourceCodeKey::operator!= const): Deleted.
1195         * parser/UnlinkedSourceCode.h:
1196         * parser/VariableEnvironment.h:
1197         * runtime/CachedTypes.cpp:
1198         (): Deleted.
1199         (JSC::Encoder::Allocation::buffer const): Deleted.
1200         (JSC::Encoder::Allocation::offset const): Deleted.
1201         (JSC::Encoder::Allocation::Allocation): Deleted.
1202         (JSC::Encoder::Encoder): Deleted.
1203         (JSC::Encoder::vm): Deleted.
1204         (JSC::Encoder::malloc): Deleted.
1205         (JSC::Encoder::offsetOf): Deleted.
1206         (JSC::Encoder::cachePtr): Deleted.
1207         (JSC::Encoder::offsetForPtr): Deleted.
1208         (JSC::Encoder::release): Deleted.
1209         (JSC::Encoder::Page::Page): Deleted.
1210         (JSC::Encoder::Page::malloc): Deleted.
1211         (JSC::Encoder::Page::buffer const): Deleted.
1212         (JSC::Encoder::Page::size const): Deleted.
1213         (JSC::Encoder::Page::getOffset const): Deleted.
1214         (JSC::Encoder::allocateNewPage): Deleted.
1215         (JSC::Decoder::Decoder): Deleted.
1216         (JSC::Decoder::~Decoder): Deleted.
1217         (JSC::Decoder::vm): Deleted.
1218         (JSC::Decoder::offsetOf): Deleted.
1219         (JSC::Decoder::cacheOffset): Deleted.
1220         (JSC::Decoder::addFinalizer): Deleted.
1221         (JSC::encode): Deleted.
1222         (JSC::decode): Deleted.
1223         (JSC::VariableLengthObject::buffer const): Deleted.
1224         (JSC::VariableLengthObject::allocate): Deleted.
1225         (JSC::CachedPtr::encode): Deleted.
1226         (JSC::CachedPtr::decode const): Deleted.
1227         (JSC::CachedPtr::operator-> const): Deleted.
1228         (JSC::CachedPtr::get const): Deleted.
1229         (JSC::CachedRefPtr::encode): Deleted.
1230         (JSC::CachedRefPtr::decode const): Deleted.
1231         (JSC::CachedWriteBarrier::encode): Deleted.
1232         (JSC::CachedWriteBarrier::decode const): Deleted.
1233         (JSC::CachedVector::encode): Deleted.
1234         (JSC::CachedVector::decode const): Deleted.
1235         (JSC::CachedPair::encode): Deleted.
1236         (JSC::CachedPair::decode const): Deleted.
1237         (JSC::CachedHashMap::encode): Deleted.
1238         (JSC::CachedHashMap::decode const): Deleted.
1239         (JSC::CachedUniquedStringImpl::encode): Deleted.
1240         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1241         (JSC::CachedStringImpl::encode): Deleted.
1242         (JSC::CachedStringImpl::decode const): Deleted.
1243         (JSC::CachedString::encode): Deleted.
1244         (JSC::CachedString::decode const): Deleted.
1245         (JSC::CachedIdentifier::encode): Deleted.
1246         (JSC::CachedIdentifier::decode const): Deleted.
1247         (JSC::CachedOptional::encode): Deleted.
1248         (JSC::CachedOptional::decode const): Deleted.
1249         (JSC::CachedOptional::decodeAsPtr const): Deleted.
1250         (JSC::CachedSimpleJumpTable::encode): Deleted.
1251         (JSC::CachedSimpleJumpTable::decode const): Deleted.
1252         (JSC::CachedStringJumpTable::encode): Deleted.
1253         (JSC::CachedStringJumpTable::decode const): Deleted.
1254         (JSC::CachedCodeBlockRareData::encode): Deleted.
1255         (JSC::CachedCodeBlockRareData::decode const): Deleted.
1256         (JSC::CachedBitVector::encode): Deleted.
1257         (JSC::CachedBitVector::decode const): Deleted.
1258         (JSC::CachedHashSet::encode): Deleted.
1259         (JSC::CachedHashSet::decode const): Deleted.
1260         (JSC::CachedConstantIdentifierSetEntry::encode): Deleted.
1261         (JSC::CachedConstantIdentifierSetEntry::decode const): Deleted.
1262         (JSC::CachedVariableEnvironment::encode): Deleted.
1263         (JSC::CachedVariableEnvironment::decode const): Deleted.
1264         (JSC::CachedArray::encode): Deleted.
1265         (JSC::CachedArray::decode const): Deleted.
1266         (JSC::CachedScopedArgumentsTable::encode): Deleted.
1267         (JSC::CachedScopedArgumentsTable::decode const): Deleted.
1268         (JSC::CachedSymbolTableEntry::encode): Deleted.
1269         (JSC::CachedSymbolTableEntry::decode const): Deleted.
1270         (JSC::CachedSymbolTable::encode): Deleted.
1271         (JSC::CachedSymbolTable::decode const): Deleted.
1272         (JSC::CachedImmutableButterfly::encode): Deleted.
1273         (JSC::CachedImmutableButterfly::decode const): Deleted.
1274         (JSC::CachedRegExp::encode): Deleted.
1275         (JSC::CachedRegExp::decode const): Deleted.
1276         (JSC::CachedTemplateObjectDescriptor::encode): Deleted.
1277         (JSC::CachedTemplateObjectDescriptor::decode const): Deleted.
1278         (JSC::CachedBigInt::encode): Deleted.
1279         (JSC::CachedBigInt::decode const): Deleted.
1280         (JSC::CachedJSValue::encode): Deleted.
1281         (JSC::CachedJSValue::decode const): Deleted.
1282         (JSC::CachedInstructionStream::encode): Deleted.
1283         (JSC::CachedInstructionStream::decode const): Deleted.
1284         (JSC::CachedMetadataTable::encode): Deleted.
1285         (JSC::CachedMetadataTable::decode const): Deleted.
1286         (JSC::CachedSourceOrigin::encode): Deleted.
1287         (JSC::CachedSourceOrigin::decode const): Deleted.
1288         (JSC::CachedTextPosition::encode): Deleted.
1289         (JSC::CachedTextPosition::decode const): Deleted.
1290         (JSC::CachedSourceProviderShape::encode): Deleted.
1291         (JSC::CachedSourceProviderShape::decode const): Deleted.
1292         (JSC::CachedStringSourceProvider::encode): Deleted.
1293         (JSC::CachedStringSourceProvider::decode const): Deleted.
1294         (JSC::CachedWebAssemblySourceProvider::encode): Deleted.
1295         (JSC::CachedWebAssemblySourceProvider::decode const): Deleted.
1296         (JSC::CachedSourceProvider::encode): Deleted.
1297         (JSC::CachedSourceProvider::decode const): Deleted.
1298         (JSC::CachedUnlinkedSourceCodeShape::encode): Deleted.
1299         (JSC::CachedUnlinkedSourceCodeShape::decode const): Deleted.
1300         (JSC::CachedSourceCode::encode): Deleted.
1301         (JSC::CachedSourceCode::decode const): Deleted.
1302         (JSC::CachedFunctionExecutable::firstLineOffset const): Deleted.
1303         (JSC::CachedFunctionExecutable::lineCount const): Deleted.
1304         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const): Deleted.
1305         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const): Deleted.
1306         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const): Deleted.
1307         (JSC::CachedFunctionExecutable::startOffset const): Deleted.
1308         (JSC::CachedFunctionExecutable::sourceLength const): Deleted.
1309         (JSC::CachedFunctionExecutable::parametersStartOffset const): Deleted.
1310         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const): Deleted.
1311         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const): Deleted.
1312         (JSC::CachedFunctionExecutable::parameterCount const): Deleted.
1313         (JSC::CachedFunctionExecutable::features const): Deleted.
1314         (JSC::CachedFunctionExecutable::sourceParseMode const): Deleted.
1315         (JSC::CachedFunctionExecutable::isInStrictContext const): Deleted.
1316         (JSC::CachedFunctionExecutable::hasCapturedVariables const): Deleted.
1317         (JSC::CachedFunctionExecutable::isBuiltinFunction const): Deleted.
1318         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const): Deleted.
1319         (JSC::CachedFunctionExecutable::constructAbility const): Deleted.
1320         (JSC::CachedFunctionExecutable::constructorKind const): Deleted.
1321         (JSC::CachedFunctionExecutable::functionMode const): Deleted.
1322         (JSC::CachedFunctionExecutable::scriptMode const): Deleted.
1323         (JSC::CachedFunctionExecutable::superBinding const): Deleted.
1324         (JSC::CachedFunctionExecutable::derivedContextType const): Deleted.
1325         (JSC::CachedFunctionExecutable::name const): Deleted.
1326         (JSC::CachedFunctionExecutable::ecmaName const): Deleted.
1327         (JSC::CachedFunctionExecutable::inferredName const): Deleted.
1328         (JSC::CachedCodeBlock::instructions const): Deleted.
1329         (JSC::CachedCodeBlock::thisRegister const): Deleted.
1330         (JSC::CachedCodeBlock::scopeRegister const): Deleted.
1331         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1332         (JSC::CachedCodeBlock::sourceURLDirective const): Deleted.
1333         (JSC::CachedCodeBlock::sourceMappingURLDirective const): Deleted.
1334         (JSC::CachedCodeBlock::usesEval const): Deleted.
1335         (JSC::CachedCodeBlock::isStrictMode const): Deleted.
1336         (JSC::CachedCodeBlock::isConstructor const): Deleted.
1337         (JSC::CachedCodeBlock::hasCapturedVariables const): Deleted.
1338         (JSC::CachedCodeBlock::isBuiltinFunction const): Deleted.
1339         (JSC::CachedCodeBlock::superBinding const): Deleted.
1340         (JSC::CachedCodeBlock::scriptMode const): Deleted.
1341         (JSC::CachedCodeBlock::isArrowFunctionContext const): Deleted.
1342         (JSC::CachedCodeBlock::isClassContext const): Deleted.
1343         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const): Deleted.
1344         (JSC::CachedCodeBlock::constructorKind const): Deleted.
1345         (JSC::CachedCodeBlock::derivedContextType const): Deleted.
1346         (JSC::CachedCodeBlock::evalContextType const): Deleted.
1347         (JSC::CachedCodeBlock::hasTailCalls const): Deleted.
1348         (JSC::CachedCodeBlock::lineCount const): Deleted.
1349         (JSC::CachedCodeBlock::endColumn const): Deleted.
1350         (JSC::CachedCodeBlock::numVars const): Deleted.
1351         (JSC::CachedCodeBlock::numCalleeLocals const): Deleted.
1352         (JSC::CachedCodeBlock::numParameters const): Deleted.
1353         (JSC::CachedCodeBlock::features const): Deleted.
1354         (JSC::CachedCodeBlock::parseMode const): Deleted.
1355         (JSC::CachedCodeBlock::codeType const): Deleted.
1356         (JSC::CachedCodeBlock::rareData const): Deleted.
1357         (JSC::CachedProgramCodeBlock::encode): Deleted.
1358         (JSC::CachedProgramCodeBlock::decode const): Deleted.
1359         (JSC::CachedModuleCodeBlock::encode): Deleted.
1360         (JSC::CachedModuleCodeBlock::decode const): Deleted.
1361         (JSC::CachedEvalCodeBlock::encode): Deleted.
1362         (JSC::CachedEvalCodeBlock::decode const): Deleted.
1363         (JSC::CachedFunctionCodeBlock::encode): Deleted.
1364         (JSC::CachedFunctionCodeBlock::decode const): Deleted.
1365         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock): Deleted.
1366         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
1367         (JSC::CachedCodeBlock<CodeBlockType>::decode const): Deleted.
1368         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock): Deleted.
1369         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock): Deleted.
1370         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock): Deleted.
1371         (JSC::CachedFunctionExecutable::encode): Deleted.
1372         (JSC::CachedFunctionExecutable::decode const): Deleted.
1373         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Deleted.
1374         (JSC::CachedCodeBlock<CodeBlockType>::encode): Deleted.
1375         (JSC::CachedSourceCodeKey::encode): Deleted.
1376         (JSC::CachedSourceCodeKey::decode const): Deleted.
1377         (JSC::CacheEntry::encode): Deleted.
1378         (JSC::CacheEntry:: const): Deleted.
1379         (JSC:: const): Deleted.
1380         (JSC::encodeCodeBlock): Deleted.
1381         (JSC::decodeCodeBlockImpl): Deleted.
1382         * runtime/CachedTypes.h:
1383         (JSC::decodeCodeBlock): Deleted.
1384         * runtime/CodeCache.cpp:
1385         (JSC::CodeCacheMap::pruneSlowCase):
1386         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1387         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1388         (JSC::CodeCache::write): Deleted.
1389         * runtime/CodeCache.h:
1390         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1391         (JSC::CodeCache::clear):
1392         (JSC::CodeCacheMap::begin): Deleted.
1393         (JSC::CodeCacheMap::end): Deleted.
1394         (JSC::CodeCacheMap::fetchFromDiskImpl): Deleted.
1395         (): Deleted.
1396         (JSC::writeCodeBlock): Deleted.
1397         * runtime/JSBigInt.cpp:
1398         (JSC::JSBigInt::offsetOfData):
1399         (JSC::JSBigInt::dataStorage):
1400         * runtime/JSBigInt.h:
1401         * runtime/Options.cpp:
1402         (JSC::recomputeDependentOptions):
1403         * runtime/Options.h:
1404         * runtime/RegExp.h:
1405         * runtime/ScopedArgumentsTable.h:
1406         * runtime/StackFrame.h:
1407         * runtime/StructureInlines.h:
1408         * runtime/SymbolTable.h:
1409
1410 2019-01-20  Saam Barati  <sbarati@apple.com>
1411
1412         MovHint must merge NodeBytecodeUsesAsValue for its child in backwards propagation
1413         https://bugs.webkit.org/show_bug.cgi?id=186916
1414         <rdar://problem/41396612>
1415
1416         Reviewed by Yusuke Suzuki.
1417
1418         Otherwise, we may not think we care about the non-integral part in
1419         a division (or perhaps overflow in an add, etc). Consider a program
1420         like this:
1421         
1422         ```return a / b```
1423         
1424         That gets compiled to:
1425         ```
1426         a: ArithDiv // We don't check that the remainder is zero here.
1427         b: MovHint(@a)
1428         c: ForceOSRExit
1429         d: Unreachable
1430         ```
1431         
1432         If we don't inform @a that we care about its result in full number
1433         accuracy, it will choose to ignore its non-integral remainder. This
1434         makes sense if *everybody*, that is, all uses of the Div, only cared about
1435         the integral part. However, OSR exit is not one of those users. OSR
1436         exit cares about the fractional bits in such a Div.
1437
1438         * dfg/DFGBackwardsPropagationPhase.cpp:
1439         (JSC::DFG::BackwardsPropagationPhase::propagate):
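To make the flag-merging argument concrete, here is a small model of a backwards-propagation pass over the four-node graph quoted in the entry. It is an added example, not code from JavaScriptCore or from this change; the flag name UsesAsValue, the Node layout and the "truncate when nobody needs the fraction" lowering are this example's own simplifications of the DFG's NodeBytecode flags. Running the pass with and without MovHint forwarding the flag shows the ArithDiv losing its remainder check, and hence the value an OSR exit would observe for 7 / 2.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

// Demands that flow backwards from a node's users to the node itself
// (a model of JSC's NodeBytecode* flags; the names are this example's own).
enum Flags : uint32_t {
    NoFlags = 0,
    UsesAsValue = 1u << 0, // some user needs the exact result: fraction, overflow
};

enum class Op { ArithDiv, MovHint, ForceOSRExit, Unreachable };

struct Node {
    Op op;
    int child;      // index of the single child, -1 if none
    uint32_t flags; // demands merged in from users so far
};

// The IR quoted in the entry: a: ArithDiv, b: MovHint(@a), c: ForceOSRExit, d: Unreachable.
inline std::vector<Node> buildPageGraph()
{
    return {
        { Op::ArithDiv, -1, NoFlags },     // @a
        { Op::MovHint, 0, NoFlags },       // @b, child is @a
        { Op::ForceOSRExit, -1, NoFlags }, // @c
        { Op::Unreachable, -1, NoFlags },  // @d
    };
}

// One backwards pass. 'fixMovHint' selects the behaviour before and after this
// change: with the fix, MovHint forwards UsesAsValue to its child, because the
// OSR exit that later materialises the hinted value needs the exact result.
inline void propagateBackwards(std::vector<Node>& graph, bool fixMovHint)
{
    for (size_t i = graph.size(); i-- > 0;) {
        const Node& node = graph[i];
        if (node.child < 0)
            continue;
        Node& child = graph[node.child];
        if (node.op == Op::MovHint) {
            if (fixMovHint)
                child.flags |= UsesAsValue;
        } else {
            // Every other kind of user in this model needs the exact value.
            child.flags |= UsesAsValue;
        }
    }
}

// Does the ArithDiv (@a) end up knowing that its remainder matters?
inline bool divMustCheckRemainder(bool fixMovHint)
{
    std::vector<Node> graph = buildPageGraph();
    propagateBackwards(graph, fixMovHint);
    return (graph[0].flags & UsesAsValue) != 0;
}

// The value the OSR exit observes for a / b. Without a UsesAsValue demand the
// fast path keeps only the integer quotient and never checks the remainder.
inline double valueSeenAtOSRExit(bool fixMovHint, double a, double b)
{
    double quotient = a / b;
    if (divMustCheckRemainder(fixMovHint))
        return quotient;
    return std::trunc(quotient);
}
```

The point of the model is the direction of the data flow: the division itself never changes, only what its users say they need, so a single user that stays silent (MovHint before this change) is enough for the compiler to drop a check that another user (the exit) relied on.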
1440
1441 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1442
1443         [JSC] Invalidate old scope operations using global lexical binding epoch
1444         https://bugs.webkit.org/show_bug.cgi?id=193603
1445         <rdar://problem/47380869>
1446
1447         Reviewed by Saam Barati.
1448
1449         Even if the global lexical binding does not shadow the global property at that time, we need to clear the cached information in
1450         scope-related operations, since we may have had a global property previously. Consider the following example:
1451
1452             foo = 0;
1453             function get() { return foo; }
1454             print(get()); // 0
1455             print(get()); // 0
1456             delete globalThis.foo;
1457             $.evalScript(`const foo = 42;`);
1458             print(get()); // Should be 42, but it returns 0 if the cached information in get() is not cleared.
1459
1460         To invalidate the cache easily, we introduce a global lexical binding epoch. It is bumped every time we introduce a new lexical binding
1461         into JSGlobalLexicalEnvironment, since that name could shadow a global property name that existed previously. In op_resolve_scope, we first check
1462         the epoch stored in the metadata, and go to the slow path if it is not equal to the current epoch. Our slow path code converts the scope
1463         operation to the appropriate one even if the resolve type is not the UnresolvedProperty type. After updating the resolve type of the bytecode,
1464         we update the cached epoch to the current one, so that we can use the cached information as long as we stay in the same epoch.
1465
1466         In op_get_from_scope and op_put_to_scope, we do not use this epoch, since the Structure check can do the same thing instead. If op_resolve_type
1467         is updated by the epoch, and if it starts returning JSGlobalLexicalEnvironment instead of JSGlobalObject, the structure check obviously fails.
1468         And in the slow path, we update op_get_from_scope and op_put_to_scope appropriately.
1469
1470         So, the metadata for scope-related bytecodes is eventually updated to the appropriate one. In DFG and FTL, we use the watchpoint-based approach.
1471         In DFG and FTL, we concurrently attempt to get the watchpoint for the lexical binding and look into it by using `isStillValid()` to avoid an
1472         infinite compile-and-fail loop.
1473
1474         When the global lexical binding epoch overflows, we iterate all the live CodeBlocks and update the op_resolve_scope's epoch. Even if the shadowing
1475         happens, it is OK if we bump the epoch, since op_resolve_scope will return JSGlobalLexicalEnvironment instead of JSGlobalObject, and the following
1476         structure check in op_put_to_scope and op_get_from_scope fails. We do not need to update op_get_from_scope and op_put_to_scope for the same
1477         reason.
1478
1479         * bytecode/BytecodeList.rb:
1480         * bytecode/CodeBlock.cpp:
1481         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1482         (JSC::CodeBlock::notifyLexicalBindingShadowing): Deleted.
1483         * bytecode/CodeBlock.h:
1484         * dfg/DFGByteCodeParser.cpp:
1485         (JSC::DFG::ByteCodeParser::parseBlock):
1486         * dfg/DFGDesiredGlobalProperties.cpp:
1487         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
1488         * dfg/DFGDesiredGlobalProperties.h:
1489         * dfg/DFGGraph.cpp:
1490         (JSC::DFG::Graph::watchGlobalProperty):
1491         * dfg/DFGGraph.h:
1492         * dfg/DFGPlan.cpp:
1493         (JSC::DFG::Plan::isStillValidOnMainThread):
1494         * jit/JITPropertyAccess.cpp:
1495         (JSC::JIT::emit_op_resolve_scope):
1496         * jit/JITPropertyAccess32_64.cpp:
1497         (JSC::JIT::emit_op_resolve_scope):
1498         * llint/LowLevelInterpreter32_64.asm:
1499         * llint/LowLevelInterpreter64.asm:
1500         * runtime/CommonSlowPaths.cpp:
1501         (JSC::SLOW_PATH_DECL):
1502         * runtime/CommonSlowPaths.h:
1503         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1504         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1505         * runtime/JSGlobalObject.cpp:
1506         (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch):
1507         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
1508         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
1509         (JSC::JSGlobalObject::notifyLexicalBindingShadowing): Deleted.
1510         * runtime/JSGlobalObject.h:
1511         (JSC::JSGlobalObject::globalLexicalBindingEpoch const):
1512         (JSC::JSGlobalObject::globalLexicalBindingEpochOffset):
1513         (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch):
1514         * runtime/Options.cpp:
1515         (JSC::correctOptions):
1516         (JSC::Options::initialize):
1517         (JSC::Options::setOptions):
1518         (JSC::Options::setOptionWithoutAlias):
1519         * runtime/Options.h:
1520         * runtime/ProgramExecutable.cpp:
1521         (JSC::ProgramExecutable::initializeGlobalProperties):
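The epoch scheme is easier to follow as a small simulation of the program quoted in the entry. This is an added example, not JavaScriptCore code: GlobalScope, ResolveSite and Slot are this example's own stand-ins for the global object, the global lexical environment and the op_resolve_scope metadata, and the fast path is modelled as a cached slot pointer, which is what lets the stale cache keep returning 0 after the property was deleted. The overflow case is modelled by resetting every live site, a simplification of the CodeBlock walk the entry describes.

```cpp
#include <cstdint>
#include <limits>
#include <map>
#include <memory>
#include <string>
#include <vector>

// A variable slot; both the global object and the lexical environment own slots.
struct Slot { double value; };
using Env = std::map<std::string, std::shared_ptr<Slot>>;

enum class ResolveType { Unresolved, GlobalProperty, GlobalLexicalVar };

// Cached metadata of one scope-resolving bytecode, e.g. the `foo` read in get().
struct ResolveSite {
    std::string name;
    ResolveType type = ResolveType::Unresolved;
    std::shared_ptr<Slot> slot; // slot the fast path reads without looking anything up
    uint32_t epoch = 0;         // epoch at which 'type' and 'slot' were computed
};

struct GlobalScope {
    Env properties; // properties of the global object  ("foo = 0")
    Env lexical;    // global lexical environment        ("const foo = 42")
    uint32_t epoch = 1;
    std::vector<ResolveSite*> liveSites; // stand-in for "all live CodeBlocks"

    void setProperty(const std::string& name, double v) { properties[name] = std::make_shared<Slot>(Slot { v }); }
    void deleteProperty(const std::string& name) { properties.erase(name); }

    // A new lexical binding may shadow a global property of the same name, so
    // every cached resolution in the VM becomes suspect: bump the epoch.
    void declareLexical(const std::string& name, double v)
    {
        lexical[name] = std::make_shared<Slot>(Slot { v });
        bumpEpoch();
    }

    void bumpEpoch()
    {
        if (epoch == std::numeric_limits<uint32_t>::max()) {
            // Overflow: restart the counter and force every live site back to the slow path once.
            epoch = 1;
            for (ResolveSite* site : liveSites)
                site->epoch = 0;
            return;
        }
        ++epoch;
    }

    // op_resolve_scope followed by op_get_from_scope. With checkEpoch == false the
    // site trusts its cache forever, which is the bug the entry describes.
    double get(ResolveSite& site, bool checkEpoch)
    {
        bool cacheValid = site.type != ResolveType::Unresolved && (!checkEpoch || site.epoch == epoch);
        if (!cacheValid) {
            // Slow path: the lexical environment shadows the global object.
            auto lex = lexical.find(site.name);
            auto prop = properties.find(site.name);
            if (lex != lexical.end()) {
                site.type = ResolveType::GlobalLexicalVar;
                site.slot = lex->second;
            } else if (prop != properties.end()) {
                site.type = ResolveType::GlobalProperty;
                site.slot = prop->second;
            } else {
                site.type = ResolveType::Unresolved;
                site.slot = nullptr;
            }
            site.epoch = epoch;
        }
        return site.slot ? site.slot->value : std::numeric_limits<double>::quiet_NaN();
    }
};

// The program from the entry. Returns what the last get() observes.
inline double runPageScenario(bool checkEpoch)
{
    GlobalScope g;
    ResolveSite getFoo { "foo" };
    g.liveSites.push_back(&getFoo);
    g.setProperty("foo", 0);         // foo = 0;
    g.get(getFoo, checkEpoch);       // print(get()); // 0, fills the cache
    g.get(getFoo, checkEpoch);       // print(get()); // 0, fast path
    g.deleteProperty("foo");         // delete globalThis.foo;
    g.declareLexical("foo", 42);     // $.evalScript(`const foo = 42;`);
    return g.get(getFoo, checkEpoch); // 42 with the epoch check, stale 0 without
}

// A site cached right before the counter wraps must still be invalidated.
inline double runOverflowScenario()
{
    GlobalScope g;
    ResolveSite site { "bar" };
    g.liveSites.push_back(&site);
    g.setProperty("bar", 1);
    g.epoch = std::numeric_limits<uint32_t>::max();
    g.get(site, true);           // cached at the maximal epoch
    g.declareLexical("bar", 2);  // wraps the epoch
    return g.get(site, true);    // 2: the reset forced the slow path
}
```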
1522
1523 2019-01-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1524
1525         [JSC] Shrink data structure size in JSC/heap
1526         https://bugs.webkit.org/show_bug.cgi?id=193612
1527
1528         Reviewed by Saam Barati.
1529
1530         This patch reduces the size of data structures in JSC/heap. Basically, we reorder the members to remove padding.
1531
1532         For Subspace, we drop CellAttributes `m_attributes`. Instead, we use `heapCellType->attributes()`. And we use
1533         FreeList::cellSize() instead of holding m_cellSize in LocalAllocator.
1534
1535         This change reduces the size of JSC::VM too, since it includes JSC::Heap. The size of VM goes from 78208 to 76696.
1536
1537         * heap/BlockDirectory.cpp:
1538         * heap/BlockDirectory.h:
1539         * heap/CollectionScope.h:
1540         * heap/CompleteSubspace.cpp:
1541         (JSC::CompleteSubspace::allocatorForSlow):
1542         * heap/FreeList.h:
1543         (JSC::FreeList::offsetOfCellSize):
1544         (JSC::FreeList::cellSize const):
1545         * heap/Heap.cpp:
1546         (JSC::Heap::Heap):
1547         (JSC::Heap::updateObjectCounts):
1548         (JSC::Heap::addToRememberedSet):
1549         (JSC::Heap::runBeginPhase):
1550         (JSC::Heap::willStartCollection):
1551         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
1552         (JSC::Heap::deleteSourceProviderCaches):
1553         (JSC::Heap::notifyIncrementalSweeper):
1554         (JSC::Heap::updateAllocationLimits):
1555         * heap/Heap.h:
1556         * heap/IsoAlignedMemoryAllocator.h:
1557         * heap/LargeAllocation.cpp:
1558         * heap/LocalAllocator.cpp:
1559         (JSC::LocalAllocator::LocalAllocator):
1560         * heap/LocalAllocator.h:
1561         (JSC::LocalAllocator::cellSize const):
1562         (JSC::LocalAllocator::offsetOfCellSize):
1563         * heap/MarkedSpace.cpp:
1564         (JSC::MarkedSpace::MarkedSpace):
1565         * heap/MarkedSpace.h:
1566         * heap/MarkingConstraint.h:
1567         * heap/Subspace.cpp:
1568         (JSC::Subspace::initialize):
1569         * heap/Subspace.h:
1570         (JSC::Subspace::attributes const): Deleted.
1571         * heap/SubspaceInlines.h:
1572         (JSC::Subspace::forEachMarkedCell):
1573         (JSC::Subspace::forEachMarkedCellInParallel):
1574         (JSC::Subspace::forEachLiveCell):
1575         (JSC::Subspace::attributes const):
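The reordering the entry relies on is easy to see on a constructed pair of structs. This is an added example and not one of the JSC/heap classes: Unordered and Reordered hold the same four members in the two orders, and layoutSize() computes the natural-alignment layout (each member at the next multiple of its alignment, total rounded up to the largest alignment) so the saving can be predicted from the member list rather than measured. The exact byte counts assume a 64-bit target with 8-byte pointers.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Members declared small-to-large: padding is inserted after each small member
// so that the following larger member lands on its alignment boundary.
struct Unordered {
    uint8_t kind;      // 1 byte, then padding up to the next 8-byte boundary
    uint64_t cellSize; // 8 bytes
    uint16_t flags;    // 2 bytes, then padding again
    void* directory;   // 8 bytes
};

// Same members, largest alignment first: the small members pack at the tail.
struct Reordered {
    uint64_t cellSize;
    void* directory;
    uint16_t flags;
    uint8_t kind;
};

struct Member {
    size_t size;
    size_t align;
};

// Natural-alignment layout. With largestFirst the members are stably sorted by
// decreasing alignment before being laid out, which is the reordering rule.
inline size_t layoutSize(std::vector<Member> members, bool largestFirst)
{
    if (largestFirst) {
        std::stable_sort(members.begin(), members.end(),
            [](const Member& a, const Member& b) { return a.align > b.align; });
    }
    size_t offset = 0;
    size_t maxAlign = 1;
    for (const Member& m : members) {
        offset = (offset + m.align - 1) / m.align * m.align; // align the member
        offset += m.size;
        maxAlign = std::max(maxAlign, m.align);
    }
    return (offset + maxAlign - 1) / maxAlign * maxAlign; // tail padding
}

// The members of Unordered, in declaration order.
inline std::vector<Member> unorderedMembers()
{
    return {
        { sizeof(uint8_t), alignof(uint8_t) },
        { sizeof(uint64_t), alignof(uint64_t) },
        { sizeof(uint16_t), alignof(uint16_t) },
        { sizeof(void*), alignof(void*) },
    };
}

inline size_t sizeOfUnordered() { return sizeof(Unordered); }
inline size_t sizeOfReordered() { return sizeof(Reordered); }
inline size_t bytesSaved() { return sizeof(Unordered) - sizeof(Reordered); }
```

On a 64-bit target the calculator and the compiler agree: 32 bytes for Unordered, 24 for Reordered, and the only thing that changed is the declaration order.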
1576
1577 2019-01-20  Tadeu Zagallo  <tzagallo@apple.com>
1578
1579         Cache bytecode to disk
1580         https://bugs.webkit.org/show_bug.cgi?id=192782
1581         <rdar://problem/46084932>
1582
1583         Reviewed by Keith Miller.
1584
1585         Add the logic to serialize and deserialize the new JSC bytecode. For now,
1586         the cache is only used for tests.
1587
1588         Each class that can be serialized has a counterpart in CachedTypes, which
1589         handles the decoding and encoding. When decoding, the cached objects are
1590         mmap'd from disk, but only used for creating instances of the respective
1591         in-memory version of each object. Ideally, the mmap'd objects should be
1592         used at runtime in the future.
1593
1594         * CMakeLists.txt:
1595         * JavaScriptCore.xcodeproj/project.pbxproj:
1596         * Sources.txt:
1597         * builtins/BuiltinNames.cpp:
1598         (JSC::BuiltinNames::BuiltinNames):
1599         * builtins/BuiltinNames.h:
1600         * bytecode/CodeBlock.cpp:
1601         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1602         * bytecode/CodeBlock.h:
1603         * bytecode/HandlerInfo.h:
1604         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
1605         * bytecode/InstructionStream.h:
1606         * bytecode/UnlinkedCodeBlock.h:
1607         (JSC::UnlinkedCodeBlock::addSetConstant):
1608         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1609         * bytecode/UnlinkedEvalCodeBlock.h:
1610         * bytecode/UnlinkedFunctionCodeBlock.h:
1611         * bytecode/UnlinkedFunctionExecutable.h:
1612         * bytecode/UnlinkedGlobalCodeBlock.h:
1613         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1614         * bytecode/UnlinkedMetadataTable.h:
1615         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1616         * bytecode/UnlinkedProgramCodeBlock.h:
1617         * interpreter/Interpreter.cpp:
1618         * jsc.cpp:
1619         (functionQuit):
1620         (runJSC):
1621         * parser/SourceCode.h:
1622         * parser/SourceCodeKey.h:
1623         (JSC::SourceCodeKey::operator!= const):
1624         * parser/UnlinkedSourceCode.h:
1625         * parser/VariableEnvironment.h:
1626         * runtime/CachedTypes.cpp: Added.
1627         (JSC::Encoder::Allocation::buffer const):
1628         (JSC::Encoder::Allocation::offset const):
1629         (JSC::Encoder::Allocation::Allocation):
1630         (JSC::Encoder::Encoder):
1631         (JSC::Encoder::vm):
1632         (JSC::Encoder::malloc):
1633         (JSC::Encoder::offsetOf):
1634         (JSC::Encoder::cachePtr):
1635         (JSC::Encoder::offsetForPtr):
1636         (JSC::Encoder::release):
1637         (JSC::Encoder::Page::Page):
1638         (JSC::Encoder::Page::malloc):
1639         (JSC::Encoder::Page::buffer const):
1640         (JSC::Encoder::Page::size const):
1641         (JSC::Encoder::Page::getOffset const):
1642         (JSC::Encoder::allocateNewPage):
1643         (JSC::Decoder::Decoder):
1644         (JSC::Decoder::~Decoder):
1645         (JSC::Decoder::vm):
1646         (JSC::Decoder::offsetOf):
1647         (JSC::Decoder::cacheOffset):
1648         (JSC::Decoder::addFinalizer):
1649         (JSC::encode):
1650         (JSC::decode):
1651         (JSC::VariableLengthObject::buffer const):
1652         (JSC::VariableLengthObject::allocate):
1653         (JSC::CachedPtr::encode):
1654         (JSC::CachedPtr::decode const):
1655         (JSC::CachedPtr::operator-> const):
1656         (JSC::CachedPtr::get const):
1657         (JSC::CachedRefPtr::encode):
1658         (JSC::CachedRefPtr::decode const):
1659         (JSC::CachedWriteBarrier::encode):
1660         (JSC::CachedWriteBarrier::decode const):
1661         (JSC::CachedVector::encode):
1662         (JSC::CachedVector::decode const):
1663         (JSC::CachedPair::encode):
1664         (JSC::CachedPair::decode const):
1665         (JSC::CachedHashMap::encode):
1666         (JSC::CachedHashMap::decode const):
1667         (JSC::CachedUniquedStringImpl::encode):
1668         (JSC::CachedUniquedStringImpl::decode const):
1669         (JSC::CachedStringImpl::encode):
1670         (JSC::CachedStringImpl::decode const):
1671         (JSC::CachedString::encode):
1672         (JSC::CachedString::decode const):
1673         (JSC::CachedIdentifier::encode):
1674         (JSC::CachedIdentifier::decode const):
1675         (JSC::CachedOptional::encode):
1676         (JSC::CachedOptional::decode const):
1677         (JSC::CachedOptional::decodeAsPtr const):
1678         (JSC::CachedSimpleJumpTable::encode):
1679         (JSC::CachedSimpleJumpTable::decode const):
1680         (JSC::CachedStringJumpTable::encode):
1681         (JSC::CachedStringJumpTable::decode const):
1682         (JSC::CachedCodeBlockRareData::encode):
1683         (JSC::CachedCodeBlockRareData::decode const):
1684         (JSC::CachedBitVector::encode):
1685         (JSC::CachedBitVector::decode const):
1686         (JSC::CachedHashSet::encode):
1687         (JSC::CachedHashSet::decode const):
1688         (JSC::CachedConstantIdentifierSetEntry::encode):
1689         (JSC::CachedConstantIdentifierSetEntry::decode const):
1690         (JSC::CachedVariableEnvironment::encode):
1691         (JSC::CachedVariableEnvironment::decode const):
1692         (JSC::CachedArray::encode):
1693         (JSC::CachedArray::decode const):
1694         (JSC::CachedScopedArgumentsTable::encode):
1695         (JSC::CachedScopedArgumentsTable::decode const):
1696         (JSC::CachedSymbolTableEntry::encode):
1697         (JSC::CachedSymbolTableEntry::decode const):
1698         (JSC::CachedSymbolTable::encode):
1699         (JSC::CachedSymbolTable::decode const):
1700         (JSC::CachedImmutableButterfly::encode):
1701         (JSC::CachedImmutableButterfly::decode const):
1702         (JSC::CachedRegExp::encode):
1703         (JSC::CachedRegExp::decode const):
1704         (JSC::CachedTemplateObjectDescriptor::encode):
1705         (JSC::CachedTemplateObjectDescriptor::decode const):
1706         (JSC::CachedBigInt::encode):
1707         (JSC::CachedBigInt::decode const):
1708         (JSC::CachedJSValue::encode):
1709         (JSC::CachedJSValue::decode const):
1710         (JSC::CachedInstructionStream::encode):
1711         (JSC::CachedInstructionStream::decode const):
1712         (JSC::CachedMetadataTable::encode):
1713         (JSC::CachedMetadataTable::decode const):
1714         (JSC::CachedSourceOrigin::encode):
1715         (JSC::CachedSourceOrigin::decode const):
1716         (JSC::CachedTextPosition::encode):
1717         (JSC::CachedTextPosition::decode const):
1718         (JSC::CachedSourceProviderShape::encode):
1719         (JSC::CachedSourceProviderShape::decode const):
1720         (JSC::CachedStringSourceProvider::encode):
1721         (JSC::CachedStringSourceProvider::decode const):
1722         (JSC::CachedWebAssemblySourceProvider::encode):
1723         (JSC::CachedWebAssemblySourceProvider::decode const):
1724         (JSC::CachedSourceProvider::encode):
1725         (JSC::CachedSourceProvider::decode const):
1726         (JSC::CachedUnlinkedSourceCodeShape::encode):
1727         (JSC::CachedUnlinkedSourceCodeShape::decode const):
1728         (JSC::CachedSourceCode::encode):
1729         (JSC::CachedSourceCode::decode const):
1730         (JSC::CachedFunctionExecutable::firstLineOffset const):
1731         (JSC::CachedFunctionExecutable::lineCount const):
1732         (JSC::CachedFunctionExecutable::unlinkedFunctionNameStart const):
1733         (JSC::CachedFunctionExecutable::unlinkedBodyStartColumn const):
1734         (JSC::CachedFunctionExecutable::unlinkedBodyEndColumn const):
1735         (JSC::CachedFunctionExecutable::startOffset const):
1736         (JSC::CachedFunctionExecutable::sourceLength const):
1737         (JSC::CachedFunctionExecutable::parametersStartOffset const):
1738         (JSC::CachedFunctionExecutable::typeProfilingStartOffset const):
1739         (JSC::CachedFunctionExecutable::typeProfilingEndOffset const):
1740         (JSC::CachedFunctionExecutable::parameterCount const):
1741         (JSC::CachedFunctionExecutable::features const):
1742         (JSC::CachedFunctionExecutable::sourceParseMode const):
1743         (JSC::CachedFunctionExecutable::isInStrictContext const):
1744         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
1745         (JSC::CachedFunctionExecutable::isBuiltinFunction const):
1746         (JSC::CachedFunctionExecutable::isBuiltinDefaultClassConstructor const):
1747         (JSC::CachedFunctionExecutable::constructAbility const):
1748         (JSC::CachedFunctionExecutable::constructorKind const):
1749         (JSC::CachedFunctionExecutable::functionMode const):
1750         (JSC::CachedFunctionExecutable::scriptMode const):
1751         (JSC::CachedFunctionExecutable::superBinding const):
1752         (JSC::CachedFunctionExecutable::derivedContextType const):
1753         (JSC::CachedFunctionExecutable::name const):
1754         (JSC::CachedFunctionExecutable::ecmaName const):
1755         (JSC::CachedFunctionExecutable::inferredName const):
1756         (JSC::CachedCodeBlock::instructions const):
1757         (JSC::CachedCodeBlock::thisRegister const):
1758         (JSC::CachedCodeBlock::scopeRegister const):
1759         (JSC::CachedCodeBlock::globalObjectRegister const):
1760         (JSC::CachedCodeBlock::sourceURLDirective const):
1761         (JSC::CachedCodeBlock::sourceMappingURLDirective const):
1762         (JSC::CachedCodeBlock::usesEval const):
1763         (JSC::CachedCodeBlock::isStrictMode const):
1764         (JSC::CachedCodeBlock::isConstructor const):
1765         (JSC::CachedCodeBlock::hasCapturedVariables const):
1766         (JSC::CachedCodeBlock::isBuiltinFunction const):
1767         (JSC::CachedCodeBlock::superBinding const):
1768         (JSC::CachedCodeBlock::scriptMode const):
1769         (JSC::CachedCodeBlock::isArrowFunctionContext const):
1770         (JSC::CachedCodeBlock::isClassContext const):
1771         (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const):
1772         (JSC::CachedCodeBlock::constructorKind const):
1773         (JSC::CachedCodeBlock::derivedContextType const):
1774         (JSC::CachedCodeBlock::evalContextType const):
1775         (JSC::CachedCodeBlock::hasTailCalls const):
1776         (JSC::CachedCodeBlock::lineCount const):
1777         (JSC::CachedCodeBlock::endColumn const):
1778         (JSC::CachedCodeBlock::numVars const):
1779         (JSC::CachedCodeBlock::numCalleeLocals const):
1780         (JSC::CachedCodeBlock::numParameters const):
1781         (JSC::CachedCodeBlock::features const):
1782         (JSC::CachedCodeBlock::parseMode const):
1783         (JSC::CachedCodeBlock::codeType const):
1784         (JSC::CachedCodeBlock::rareData const):
1785         (JSC::CachedProgramCodeBlock::encode):
1786         (JSC::CachedProgramCodeBlock::decode const):
1787         (JSC::CachedModuleCodeBlock::encode):
1788         (JSC::CachedModuleCodeBlock::decode const):
1789         (JSC::CachedEvalCodeBlock::encode):
1790         (JSC::CachedEvalCodeBlock::decode const):
1791         (JSC::CachedFunctionCodeBlock::encode):
1792         (JSC::CachedFunctionCodeBlock::decode const):
1793         (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
1794         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1795         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1796         (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
1797         (JSC::UnlinkedModuleProgramCodeBlock::UnlinkedModuleProgramCodeBlock):
1798         (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
1799         (JSC::CachedFunctionExecutable::encode):
1800         (JSC::CachedFunctionExecutable::decode const):
1801         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1802         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1803         (JSC::CachedSourceCodeKey::encode):
1804         (JSC::CachedSourceCodeKey::decode const):
1805         (JSC::CacheEntry::encode):
1806         (JSC::CacheEntry:: const):
1807         (JSC:: const):
1808         (JSC::encodeCodeBlock):
1809         (JSC::decodeCodeBlockImpl):
1810         * runtime/CachedTypes.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedGlobalCodeBlock.h.
1811         (JSC::decodeCodeBlock):
1812         * runtime/CodeCache.cpp:
1813         (JSC::CodeCacheMap::pruneSlowCase):
1814         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1815         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1816         (JSC::CodeCache::write):
1817         * runtime/CodeCache.h:
1818         (JSC::CodeCacheMap::begin):
1819         (JSC::CodeCacheMap::end):
1820         (JSC::CodeCacheMap::fetchFromDiskImpl):
1821         (JSC::CodeCacheMap::findCacheAndUpdateAge):
1822         (JSC::writeCodeBlock):
1823         * runtime/JSBigInt.cpp:
1824         * runtime/JSBigInt.h:
1825         * runtime/Options.cpp:
1826         (JSC::recomputeDependentOptions):
1827         * runtime/Options.h:
1828         * runtime/RegExp.h:
1829         * runtime/ScopedArgumentsTable.h:
1830         * runtime/StackFrame.h:
1831         * runtime/StructureInlines.h:
1832         * runtime/SymbolTable.h:
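The entry's design, a cached counterpart for each serializable class that is read back from an mmap'd file and used only to rebuild the in-memory object, is illustrated below by an added example. It is not the project's CachedTypes code: CachedString and CachedRecord are constructed stand-ins for the cached classes, the Encoder hands out regions of one buffer, and in this model a reference to another cached object is a byte offset from the start of the buffer (an assumption of the example, not JSC's encoding). The part worth copying is the Decoder: every offset and length read out of the file is checked against the mapped size before it is dereferenced, so a corrupted or truncated cache is rejected rather than read past the mapping.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// On-disk counterparts: fixed-width fields, no pointers, offsets from buffer start.
struct CachedString { uint32_t length; uint32_t offset; };
struct CachedRecord {
    uint32_t magic;
    uint32_t instructionCount;
    uint32_t instructionsOffset;
    CachedString name;
};
static constexpr uint32_t kMagic = 0x4A534342; // constructed tag for this example

// The in-memory object the cached form stands in for.
struct Record {
    std::string name;
    std::vector<uint8_t> instructions;
};

// Hands out regions of one growing buffer and returns their offsets.
class Encoder {
public:
    uint32_t malloc(size_t size)
    {
        size_t offset = m_buffer.size();
        m_buffer.resize(offset + size);
        return static_cast<uint32_t>(offset);
    }
    void write(uint32_t offset, const void* data, size_t size) { std::memcpy(m_buffer.data() + offset, data, size); }
    std::vector<uint8_t> release() { return std::move(m_buffer); }
private:
    std::vector<uint8_t> m_buffer;
};

inline std::vector<uint8_t> encode(const Record& record)
{
    Encoder encoder;
    uint32_t headerOffset = encoder.malloc(sizeof(CachedRecord));
    uint32_t instructionsOffset = encoder.malloc(record.instructions.size());
    uint32_t nameOffset = encoder.malloc(record.name.size());
    CachedRecord cached { kMagic, static_cast<uint32_t>(record.instructions.size()), instructionsOffset,
        { static_cast<uint32_t>(record.name.size()), nameOffset } };
    encoder.write(headerOffset, &cached, sizeof cached);
    encoder.write(instructionsOffset, record.instructions.data(), record.instructions.size());
    encoder.write(nameOffset, record.name.data(), record.name.size());
    return encoder.release();
}

// Reads a mapped cache; nothing is dereferenced before its range is validated.
class Decoder {
public:
    Decoder(const uint8_t* data, size_t size) : m_data(data), m_size(size) { }

    // Overflow-safe range check: offset within the mapping and length fits after it.
    bool inBounds(uint32_t offset, size_t length) const { return offset <= m_size && length <= m_size - offset; }

    template<typename T>
    std::optional<T> read(uint32_t offset) const
    {
        if (!inBounds(offset, sizeof(T)))
            return std::nullopt;
        T value;
        std::memcpy(&value, m_data + offset, sizeof(T)); // memcpy: no alignment assumption on the mapping
        return value;
    }

    std::optional<std::vector<uint8_t>> readBytes(uint32_t offset, uint32_t length) const
    {
        if (!inBounds(offset, length))
            return std::nullopt;
        return std::vector<uint8_t>(m_data + offset, m_data + offset + length);
    }

private:
    const uint8_t* m_data;
    size_t m_size;
};

inline std::optional<Record> decode(const std::vector<uint8_t>& bytes)
{
    Decoder decoder(bytes.data(), bytes.size());
    std::optional<CachedRecord> cached = decoder.read<CachedRecord>(0);
    if (!cached || cached->magic != kMagic)
        return std::nullopt;
    auto instructions = decoder.readBytes(cached->instructionsOffset, cached->instructionCount);
    auto name = decoder.readBytes(cached->name.offset, cached->name.length);
    if (!instructions || !name)
        return std::nullopt;
    return Record { std::string(name->begin(), name->end()), *instructions };
}

inline bool roundTrips()
{
    Record record { "main", { 0x10, 0x20, 0x30 } };
    std::optional<Record> decoded = decode(encode(record));
    return decoded && decoded->name == record.name && decoded->instructions == record.instructions;
}

// Constructed corruption: a name length far beyond the mapping must be refused.
inline bool rejectsOversizedLength()
{
    std::vector<uint8_t> bytes = encode(Record { "main", { 1, 2, 3 } });
    uint32_t huge = 0xFFFFFFFFu;
    std::memcpy(bytes.data() + offsetof(CachedRecord, name) + offsetof(CachedString, length), &huge, sizeof huge);
    return !decode(bytes).has_value();
}

// A file cut short must be refused as well.
inline bool rejectsTruncatedFile()
{
    std::vector<uint8_t> bytes = encode(Record { "main", { 1, 2, 3 } });
    bytes.resize(bytes.size() - 2);
    return !decode(bytes).has_value();
}
```

Even while a cache is only consumed by tests, as the entry says this one is, keeping the bounds checks in the decoder from the start is what makes it safe to later hand the same code a file that something else wrote to disk.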
1833
1834 2019-01-20  Antoine Quint  <graouts@apple.com>
1835
1836         Add a POINTER_EVENTS feature flag
1837         https://bugs.webkit.org/show_bug.cgi?id=193577
1838         <rdar://problem/47408511>
1839
1840         Unreviewed. Also enable Pointer Events for iosmac.
1841
1842         * Configurations/FeatureDefines.xcconfig:
1843
1844 2019-01-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1845
1846         [JSC] Reorder JSSegmentedVariableObject member for preparation of JSGlobalObject memory reduction
1847         https://bugs.webkit.org/show_bug.cgi?id=193609
1848
1849         Reviewed by Sam Weinig.
1850
1851         Basically, we should order the members large => small so as not to add padding.
1852
1853         * runtime/JSSegmentedVariableObject.h:
1854
1855 2019-01-19  Antoine Quint  <graouts@apple.com>
1856
1857         Add a POINTER_EVENTS feature flag
1858         https://bugs.webkit.org/show_bug.cgi?id=193577
1859
1860         Reviewed by Dean Jackson.
1861
1862         * Configurations/FeatureDefines.xcconfig:
1863
1864 2019-01-18  Keith Miller  <keith_miller@apple.com>
1865
1866         JSScript API should only take ascii files.
1867         https://bugs.webkit.org/show_bug.cgi?id=193420
1868
1869         Reviewed by Saam Barati.
1870
1871         This patch leaves the UTF8 method for binary compatibility, which
1872         will be removed later.
1873
1874         * API/JSScript.h:
1875         * API/JSScript.mm:
1876         (fillBufferWithContentsOfFile):
1877         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1878         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1879         * API/tests/testapi.mm:
1880         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
1881
1882 2019-01-18  David Kilzer  <ddkilzer@apple.com>
1883
1884         Follow-up: Gigacages should start allocations from a slide
1885         <https://bugs.webkit.org/show_bug.cgi?id=193523>
1886         <rdar://problem/44958707>
1887
1888         * ftl/FTLLowerDFGToB3.cpp:
1889         (JSC::FTL::DFG::LowerDFGToB3::caged): Add UNUSED_PARAM(kind) to
1890         fix the build.
1891
1892 2019-01-18  Jer Noble  <jer.noble@apple.com>
1893
1894         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
1895         https://bugs.webkit.org/show_bug.cgi?id=189553
1896
1897         Reviewed by Tim Horton.
1898
1899         * Configurations/Base.xcconfig:
1900         * Configurations/SDKVariant.xcconfig: Added.
1901
1902 2019-01-18  Keith Miller  <keith_miller@apple.com>
1903
1904         Gigacages should start allocations from a slide
1905         https://bugs.webkit.org/show_bug.cgi?id=193523
1906
1907         Reviewed by Mark Lam.
1908
1909         This patch changes some macros into constants since macros are the
1910         devil.
1911
1912         * ftl/FTLLowerDFGToB3.cpp:
1913         (JSC::FTL::DFG::LowerDFGToB3::caged):
1914         * llint/LowLevelInterpreter64.asm:
1915
1916 2019-01-18  Matt Lewis  <jlewis3@apple.com>
1917
1918         Unreviewed, rolling out r240160.
1919
1920         This broke multiple internal builds.
1921
1922         Reverted changeset:
1923
1924         "Gigacages should start allocations from a slide"
1925         https://bugs.webkit.org/show_bug.cgi?id=193523
1926         https://trac.webkit.org/changeset/240160
1927
1928 2019-01-18  Keith Miller  <keith_miller@apple.com>
1929
1930         Gigacages should start allocations from a slide
1931         https://bugs.webkit.org/show_bug.cgi?id=193523
1932
1933         Reviewed by Mark Lam.
1934
1935         This patch changes some macros into constants since macros are the
1936         devil.
1937
1938         * llint/LowLevelInterpreter64.asm:
1939
1940 2019-01-17  Mark Lam  <mark.lam@apple.com>
1941
1942         Audit bytecode fields and ensure that LLInt instructions for accessing them are appropriate.
1943         https://bugs.webkit.org/show_bug.cgi?id=193557
1944         <rdar://problem/47369125>
1945
1946         Reviewed by Yusuke Suzuki.
1947
1948         1. Rename some bytecode fields so that it's easier to discern whether the LLInt
1949            is accessing them the right way:
1950            - distinguish between targetVirtualRegister and targetLabel.
1951            - name all StructureID fields as structureID (oldStructureID, newStructureID)
1952              instead of structure (oldStructure, newStructure).
1953
1954         2. Use bitwise_cast in struct Fits when sizeof(T) == size.
1955            This prevents potential undefined behavior issues arising from doing
1956            assignments with reinterpret_cast'ed pointers.
1957
1958         3. Make Special::Pointer an unsigned type (previously int).
1959            Make ResolveType an unsigned type (previously int).
1960
1961         4. In LowLevelInterpreter*.asm:
1962
1963            - rename the op macro argument to opcodeName or opcodeStruct respectively.
1964              This makes it clearer which argument type the macro is working with.
1965
1966            - rename the name macro argument to opcodeName.
1967
1968            - fix operator types to match the field type being accessed.  The following
1969              may have resulted in bugs before:
1970
1971              1. The following should be read with getu() instead of get() because they
1972                 are unsigned ints:
1973                     OpSwitchImm::m_tableIndex
1974                     OpSwitchChar::m_tableIndex
1975                     OpGetFromArguments::m_index
1976                     OpPutToArguments::m_index
1977                     OpGetRestLength::m_numParametersToSkip
1978
1979                 OpJneqPtr::m_specialPointer should also be read with getu() though this
1980                 wasn't a bug because it was previously an int by default, and is only
1981                 changed to an unsigned int in this patch.
1982
1983              2. The following should be read with loadi (not loadp) because they are of
1984                 unsigned type (not a pointer):
1985                     OpResolveScope::Metadata::m_resolveType
1986                     CodeBlock::m_numParameters (see prepareForTailCall)
1987
1988              3. OpPutToScope::Metadata::m_operand should be read with loadp (not loadis)
1989                 because it is a uintptr_t.
1990
1991              4. The following should be read with loadi (not loadis) because they are
1992                 unsigned ints:
1993                     OpNegate::Metadata::m_arithProfile + ArithProfile::m_bits
1994                     OpPutById::Metadata::m_oldStructureID
1995                     OpPutToScope::Metadata::m_getPutInfo + GetPutInfo::m_operand
1996
1997                 These may not have manifested in bugs because the operations that follow
1998                 the load are 32-bit instructions which ignore the high word.
1999
2000         5. Give class GetPutInfo a default constructor so that we can use bitwise_cast
2001            on it.  Also befriend LLIntOffsetsExtractor so that we can take the offset of
2002            m_operand in it.
2003
2004         * bytecode/ArithProfile.h:
2005         * bytecode/BytecodeList.rb:
2006         * bytecode/BytecodeUseDef.h:
2007         (JSC::computeUsesForBytecodeOffset):
2008         (JSC::computeDefsForBytecodeOffset):
2009         * bytecode/CodeBlock.cpp:
2010         (JSC::CodeBlock::propagateTransitions):
2011         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2012         * bytecode/Fits.h:
2013         * bytecode/GetByIdMetadata.h:
2014         * bytecode/GetByIdStatus.cpp:
2015         (JSC::GetByIdStatus::computeFromLLInt):
2016         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2017         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2018         * bytecode/PreciseJumpTargetsInlines.h:
2019         (JSC::jumpTargetForInstruction):
2020         (JSC::updateStoredJumpTargetsForInstruction):
2021         * bytecode/PutByIdStatus.cpp:
2022         (JSC::PutByIdStatus::computeFromLLInt):
2023         * bytecode/SpecialPointer.h:
2024         * bytecompiler/BytecodeGenerator.cpp:
2025         (JSC::Label::setLocation):
2026         * dfg/DFGByteCodeParser.cpp:
2027         (JSC::DFG::ByteCodeParser::parseBlock):
2028         * jit/JITArithmetic.cpp:
2029         (JSC::JIT::emit_compareAndJump):
2030         (JSC::JIT::emit_compareUnsignedAndJump):
2031         (JSC::JIT::emit_compareAndJumpSlow):
2032         * jit/JITArithmetic32_64.cpp:
2033         (JSC::JIT::emit_compareAndJump):
2034         (JSC::JIT::emit_compareUnsignedAndJump):
2035         (JSC::JIT::emit_compareAndJumpSlow):
2036         (JSC::JIT::emitBinaryDoubleOp):
2037         * jit/JITOpcodes.cpp:
2038         (JSC::JIT::emit_op_jmp):
2039         (JSC::JIT::emit_op_jfalse):
2040         (JSC::JIT::emit_op_jeq_null):
2041         (JSC::JIT::emit_op_jneq_null):
2042         (JSC::JIT::emit_op_jneq_ptr):
2043         (JSC::JIT::emit_op_jeq):
2044         (JSC::JIT::emit_op_jtrue):
2045         (JSC::JIT::emit_op_jneq):
2046         (JSC::JIT::compileOpStrictEqJump):
2047         (JSC::JIT::emitSlow_op_jstricteq):
2048         (JSC::JIT::emitSlow_op_jnstricteq):
2049         (JSC::JIT::emit_op_check_tdz):
2050         (JSC::JIT::emitSlow_op_jeq):
2051         (JSC::JIT::emitSlow_op_jneq):
2052         (JSC::JIT::emit_op_profile_type):
2053         * jit/JITOpcodes32_64.cpp:
2054         (JSC::JIT::emit_op_jmp):
2055         (JSC::JIT::emit_op_jfalse):
2056         (JSC::JIT::emit_op_jtrue):
2057         (JSC::JIT::emit_op_jeq_null):
2058         (JSC::JIT::emit_op_jneq_null):
2059         (JSC::JIT::emit_op_jneq_ptr):
2060         (JSC::JIT::emit_op_jeq):
2061         (JSC::JIT::emitSlow_op_jeq):
2062         (JSC::JIT::emit_op_jneq):
2063         (JSC::JIT::emitSlow_op_jneq):
2064         (JSC::JIT::compileOpStrictEqJump):
2065         (JSC::JIT::emitSlow_op_jstricteq):
2066         (JSC::JIT::emitSlow_op_jnstricteq):
2067         (JSC::JIT::emit_op_check_tdz):
2068         (JSC::JIT::emit_op_profile_type):
2069         * llint/LLIntSlowPaths.cpp:
2070         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2071         (JSC::LLInt::setupGetByIdPrototypeCache):
2072         * llint/LowLevelInterpreter.asm:
2073         * llint/LowLevelInterpreter32_64.asm:
2074         * llint/LowLevelInterpreter64.asm:
2075         * runtime/CommonSlowPaths.cpp:
2076         * runtime/GetPutInfo.h:
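
An added example (not JSC code) for the load-width audit above: it emulates the loadi, loadis and loadp widths over a constructed little-endian byte layout and reports which width returns the value a uint32 field actually holds, and why a following 32-bit instruction can hide the mismatch. Field names and offsets are constructed to resemble a bytecode Metadata struct, not JSC's real layout.

```javascript
// Added example (not JSC code): emulate the LLInt load widths audited in the
// entry above (loadi / loadis / loadp) over a constructed byte layout, so the
// reader can see where a mis-sized load of an unsigned 32-bit field goes wrong.
// Assumptions: little-endian, 64-bit registers; field names and offsets are
// constructed to resemble a bytecode Metadata struct, not JSC's real layout.

// Constructed layout: uint32 m_oldStructureID at offset 0, followed by whatever
// 32-bit field happens to sit next in the struct at offset 4.
const OFF_STRUCTURE_ID = 0;
const OFF_NEIGHBOUR = 4;

function makeMetadata(structureID, neighbour) {
  const view = new DataView(new ArrayBuffer(8));
  view.setUint32(OFF_STRUCTURE_ID, structureID >>> 0, true);
  view.setUint32(OFF_NEIGHBOUR, neighbour >>> 0, true);
  return view;
}

// loadi: 32-bit load, zero-extended into the 64-bit register (right for unsigned ints).
function loadi(view, off) {
  return BigInt(view.getUint32(off, true));
}

// loadis: 32-bit load, sign-extended into the 64-bit register (right for signed ints).
function loadis(view, off) {
  return BigInt.asUintN(64, BigInt(view.getInt32(off, true)));
}

// loadp: pointer-width (64-bit) load; applied to a 32-bit field it also swallows
// the 4 bytes of the neighbouring field.
function loadp(view, off) {
  return view.getBigUint64(off, true);
}

// The low 32 bits of a register, i.e. all that a following 32-bit instruction sees.
function lowWord(reg) {
  return BigInt.asUintN(32, reg);
}

// For one field value and one neighbour value, report which load width returns
// the value the field actually holds, and whether a 32-bit consumer would mask
// the error. Returns plain booleans so the result can be checked programmatically.
function auditLoads(structureID, neighbour) {
  const view = makeMetadata(structureID, neighbour);
  const expected = BigInt(structureID >>> 0);
  const i = loadi(view, OFF_STRUCTURE_ID);
  const is = loadis(view, OFF_STRUCTURE_ID);
  const p = loadp(view, OFF_STRUCTURE_ID);
  return {
    loadi: i === expected,
    loadis: is === expected,
    loadp: p === expected,
    // A 32-bit consumer truncates the register, which hides both kinds of error;
    // a 64-bit consumer (pointer compare, address arithmetic) does not.
    loadisMaskedBy32BitOp: lowWord(is) === expected,
    loadpMaskedBy32BitOp: lowWord(p) === expected,
  };
}

// Constructed sample: a StructureID with its top bit set exercises the
// sign-extension path; a non-zero neighbour exercises the over-wide load.
console.log(auditLoads(0x80000001, 0x12345678));
```

Running the block prints an object in which only `loadi` is true for the sample, while both `...MaskedBy32BitOp` flags are true, which is the situation the entry describes as "may not have manifested in bugs".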
2077
2078 2019-01-17  Truitt Savell  <tsavell@apple.com>
2079
2080         Unreviewed, rolling out r240124.
2081
2082         This commit broke an internal build.
2083
2084         Reverted changeset:
2085
2086         "SDK_VARIANT build destinations should be separate from non-
2087         SDK_VARIANT builds"
2088         https://bugs.webkit.org/show_bug.cgi?id=189553
2089         https://trac.webkit.org/changeset/240124
2090
2091 2019-01-17  Jer Noble  <jer.noble@apple.com>
2092
2093         SDK_VARIANT build destinations should be separate from non-SDK_VARIANT builds
2094         https://bugs.webkit.org/show_bug.cgi?id=189553
2095
2096         Reviewed by Tim Horton.
2097
2098         * Configurations/Base.xcconfig:
2099         * Configurations/SDKVariant.xcconfig: Added.
2100
2101 2019-01-17  Saam barati  <sbarati@apple.com>
2102
2103         StringObjectUse should not be a structure check for the original string object structure
2104         https://bugs.webkit.org/show_bug.cgi?id=193483
2105         <rdar://problem/47280522>
2106
2107         Reviewed by Yusuke Suzuki.
2108
2109         Prior to this patch, the use kind for StringObjectUse implied that we
2110         do a StructureCheck on the input operand for the *original* StringObject
2111         structure. This is generally not how we use UseKinds, so it's no surprise
2112         that this is buggy. A UseKind should map to a set of SpeculatedTypes, not an
2113         actual set of structures. This patch changes the meaning of StringObjectUse
2114         to mean an object where jsDynamicCast<StringObject*> would succeed.
2115         
2116         This patch also fixes a bug that was caused by the old and weird usage of the
2117         UseKind to mean StructureCheck. Consider a program like this:
2118         ```
2119         S1 = Original StringObject structure
2120         S2 = Original StringObject structure with the field "f" added
2121         
2122         a: GetLocal()
2123         b: CheckStructure(@a, {S2})
2124         c: ToString(StringObject:@a)
2125         ```
2126         
2127         According to AI, in the above program, we would exit at @c, since
2128         StringObject:@a implies a structure check of {S1}, and the intersection
2129         of {S1} and {S2} is {}. So, we'd convert the program to be:
2130         ```
2131         a: GetLocal()
2132         b: CheckStructure(@a, {S2})
2133         c: Check(StringObject:@a)
2134         d: Unreachable
2135         ```
2136         
2137         However, AI would set the proof status of the StringObject:@a edge
2138         to be proven, since the SpeculatedType for @a is SpecStringObject.
2139         This was incorrect of AI to do because the SpeculatedType itself
2140         didn't capture the full power of StringObjectUse. However, having
2141         a UseKind mean CheckStructure is weird precisely because what AI was
2142         doing is a natural fit to how we typically think about UseKinds.
2143         
2144         So the above program would then incorrectly be converted to this, and
2145         we'd crash when reaching the Unreachable node:
2146         ```
2147         a: GetLocal()
2148         b: CheckStructure(@a, {S2})
2149         d: Unreachable
2150         ```
2151         
2152         This patch makes it so that StringObjectUse just means that the object that
2153         filters through a StringObjectUse check must !!jsDynamicCast<StringObject*>.
2154         This is now in line with all other UseKinds. It also lets us simplify a bunch
2155         of other code that had weird checks for the StringObjectUse UseKind.
2156         
2157         This patch also makes it so that anywhere where we used to rely on
2158         StringObjectUse implying a structure check we actually emit an explicit
2159         CheckStructure node.
2160
2161         * JavaScriptCore.xcodeproj/project.pbxproj:
2162         * bytecode/ExitKind.cpp:
2163         (JSC::exitKindToString):
2164         * bytecode/ExitKind.h:
2165         * dfg/DFGAbstractInterpreterInlines.h:
2166         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2167         * dfg/DFGCSEPhase.cpp:
2168         * dfg/DFGClobberize.h:
2169         (JSC::DFG::clobberize):
2170         * dfg/DFGEdgeUsesStructure.h: Removed.
2171         * dfg/DFGFixupPhase.cpp:
2172         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2173         (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
2174         (JSC::DFG::FixupPhase::fixupToPrimitive):
2175         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2176         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2177         (JSC::DFG::FixupPhase::isStringObjectUse): Deleted.
2178         * dfg/DFGGraph.cpp:
2179         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
2180         * dfg/DFGMayExit.cpp:
2181         * dfg/DFGSpeculativeJIT.cpp:
2182         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
2183         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2184         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2185         * dfg/DFGSpeculativeJIT.h:
2186         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): Deleted.
2187         * dfg/DFGUseKind.h:
2188         (JSC::DFG::alreadyChecked):
2189         (JSC::DFG::usesStructure): Deleted.
2190         * ftl/FTLLowerDFGToB3.cpp:
2191         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
2192         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObject):
2193         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
2194         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForCell):
2195         (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForStructureID): Deleted.
2196         * runtime/JSType.cpp:
2197         (WTF::printInternal):
2198         * runtime/JSType.h:
2199         * runtime/StringObject.h:
2200         (JSC::StringObject::createStructure):
2201         * runtime/StringPrototype.h:
2202
2203 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2204
2205         [JSC] Add generateHeapSnapshotForGCDebugging function to dump GCDebugging data
2206         https://bugs.webkit.org/show_bug.cgi?id=193526
2207
2208         Reviewed by Michael Saboff.
2209
2210         This patch adds generateHeapSnapshotForGCDebugging to the JSC shell to dump the heap snapshot JSON string with the GCDebugging option.
2211         GCDebuggingSnapshot mode is slightly different from InspectorSnapshot in terms of both the output data and the behavior.
2212         It always takes a full snapshot, and it reports internal data too. This is useful for viewing the live heap objects after running
2213         the code. Also, generateHeapSnapshotForGCDebugging returns a String instead of parsing it into a JSObject internally by calling
2214         JSON.parse. If we convert the String to a bunch of objects by using JSON.parse, it is difficult to call generateHeapSnapshotForGCDebugging
2215         multiple times for debugging. Currently, it only generates a large string, which is easily distinguishable in the heap inspector tool.
2216
2217         * jsc.cpp:
2218         (GlobalObject::finishCreation):
2219         (functionGenerateHeapSnapshotForGCDebugging):
2220
2221 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2222
2223         [JSC] ToThis omission in DFGByteCodeParser is wrong
2224         https://bugs.webkit.org/show_bug.cgi?id=193513
2225         <rdar://problem/45842236>
2226
2227         Reviewed by Saam Barati.
2228
2229         DFGByteCodeParser omitted the ToThis node when we have `ToThis(ToThis(value))`. This is wrong if ToThis has different semantics
2230         in sloppy mode and strict mode. If we convert `ToThisInSloppyMode(ToThisInStrictMode(boolean))` to `ToThisInStrictMode(boolean)`,
2231         we get a boolean instead of a BooleanObject.
2232
2233         This optimization was introduced more than 7 years ago, and since then we have gained several optimizations that can remove such ToThis nodes
2234         in BytecodeParser, AI, and Fixup. Furthermore, this optimization is simply wrong since the `toThis()` function of a JSCell can be defined
2235         however its implementer wants. Before ensuring that every toThis function is safe, we should not fold `ToThis(ToThis(value))` => `ToThis(value)`.
2236         This patch just removes the problematic optimization. The performance numbers look neutral.
2237
2238         * dfg/DFGAbstractInterpreterInlines.h:
2239         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2240         * dfg/DFGByteCodeParser.cpp:
2241         (JSC::DFG::ByteCodeParser::parseBlock):
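
An added example (not JSC code) of the observable semantics behind the entry above: the `this` each function sees is what the engine's ToThis produced for that function's mode, so composing a strict conversion inside a sloppy one gives a different answer than the inner conversion alone. The functions are built with the Function constructor so their modes do not depend on the mode of the enclosing file.

```javascript
// Added example (not JSC code): show why ToThis(ToThis(value)) must not be
// folded to the inner ToThis when the two have different modes. Functions are
// built with the Function constructor so their strictness is fixed regardless
// of whether the surrounding file runs in sloppy or strict (module) mode.

// Strict-mode ToThis: the receiver is passed through unchanged.
const toThisStrict = new Function('"use strict"; return this;');

// Sloppy-mode ToThis: primitives are boxed, undefined/null become the global object.
const toThisSloppy = new Function('return this;');

// The composition from the entry: ToThisInSloppyMode(ToThisInStrictMode(value)).
function nestedToThis(value) {
  return toThisSloppy.call(toThisStrict.call(value));
}

// What the removed fold computed instead: ToThisInStrictMode(value) alone.
function foldedToThis(value) {
  return toThisStrict.call(value);
}

// A compact, comparable description of a ToThis result.
function describe(v) {
  if (v === null) return 'null';
  if (v === globalThis) return 'globalThis';
  if (typeof v === 'object') {
    // e.g. "[object Boolean]" -> "object:Boolean"
    return 'object:' + Object.prototype.toString.call(v).slice(8, -1);
  }
  return typeof v;
}

// Compare the correct nested result with the folded one for a given receiver.
function compareFoldings(value) {
  return {
    nested: describe(nestedToThis(value)),
    folded: describe(foldedToThis(value)),
  };
}

// Constructed receivers: a boolean primitive (the entry's case), undefined,
// and an ordinary object, for which both forms agree.
for (const v of [true, undefined, {}]) {
  console.log(describe(v), '=>', compareFoldings(v));
}
```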
2242
2243 2019-01-16  Mark Lam  <mark.lam@apple.com>
2244
2245         Refactor new bytecode structs so that the fields are prefixed with "m_".
2246         https://bugs.webkit.org/show_bug.cgi?id=193467
2247
2248         Reviewed by Saam Barati and Tadeu Zagallo.
2249
2250         This makes it easier to do a manual audit of type correctness of the LLInt
2251         instructions used to access these fields.  Without this change, it would be
2252         difficult (and error prone) to distinguish the difference between field names and
2253         macro variables.  This audit will be done after this patch lands.
2254
2255         * bytecode/BytecodeGeneratorification.cpp:
2256         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2257         * bytecode/BytecodeUseDef.h:
2258         (JSC::computeUsesForBytecodeOffset):
2259         * bytecode/CallLinkStatus.cpp:
2260         (JSC::CallLinkStatus::computeFromLLInt):
2261         * bytecode/CodeBlock.cpp:
2262         (JSC::CodeBlock::finishCreation):
2263         (JSC::CodeBlock::propagateTransitions):
2264         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2265         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
2266         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2267         (JSC::CodeBlock::getArrayProfile):
2268         (JSC::CodeBlock::notifyLexicalBindingShadowing):
2269         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2270         (JSC::CodeBlock::arithProfileForPC):
2271         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2272         * bytecode/CodeBlockInlines.h:
2273         (JSC::CodeBlock::forEachValueProfile):
2274         (JSC::CodeBlock::forEachArrayProfile):
2275         (JSC::CodeBlock::forEachArrayAllocationProfile):
2276         (JSC::CodeBlock::forEachObjectAllocationProfile):
2277         (JSC::CodeBlock::forEachLLIntCallLinkInfo):
2278         * bytecode/GetByIdStatus.cpp:
2279         (JSC::GetByIdStatus::computeFromLLInt):
2280         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2281         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache):
2282         * bytecode/PreciseJumpTargetsInlines.h:
2283         (JSC::jumpTargetForInstruction):
2284         (JSC::extractStoredJumpTargetsForInstruction):
2285         (JSC::updateStoredJumpTargetsForInstruction):
2286         * bytecode/PutByIdStatus.cpp:
2287         (JSC::PutByIdStatus::computeFromLLInt):
2288         * bytecode/UnlinkedCodeBlock.cpp:
2289         (JSC::dumpLineColumnEntry):
2290         * bytecompiler/BytecodeGenerator.cpp:
2291         (JSC::BytecodeGenerator::fuseCompareAndJump):
2292         (JSC::BytecodeGenerator::fuseTestAndJmp):
2293         (JSC::BytecodeGenerator::emitEqualityOp):
2294         (JSC::BytecodeGenerator::endSwitch):
2295         (JSC::StructureForInContext::finalize):
2296         * dfg/DFGByteCodeParser.cpp:
2297         (JSC::DFG::ByteCodeParser::handleCall):
2298         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2299         (JSC::DFG::ByteCodeParser::parseGetById):
2300         (JSC::DFG::ByteCodeParser::parseBlock):
2301         (JSC::DFG::ByteCodeParser::handlePutByVal):
2302         (JSC::DFG::ByteCodeParser::handlePutAccessorById):
2303         (JSC::DFG::ByteCodeParser::handlePutAccessorByVal):
2304         (JSC::DFG::ByteCodeParser::handleNewFunc):
2305         (JSC::DFG::ByteCodeParser::handleNewFuncExp):
2306         * dfg/DFGOSREntry.cpp:
2307         (JSC::DFG::prepareCatchOSREntry):
2308         * ftl/FTLOperations.cpp:
2309         (JSC::FTL::operationMaterializeObjectInOSR):
2310         * generator/Argument.rb:
2311         * generator/Metadata.rb:
2312         * generator/Opcode.rb:
2313         * jit/JIT.h:
2314         * jit/JITArithmetic.cpp:
2315         (JSC::JIT::emit_op_unsigned):
2316         (JSC::JIT::emit_compareAndJump):
2317         (JSC::JIT::emit_compareUnsignedAndJump):
2318         (JSC::JIT::emit_compareUnsigned):
2319         (JSC::JIT::emit_compareAndJumpSlow):
2320         (JSC::JIT::emit_op_inc):
2321         (JSC::JIT::emit_op_dec):
2322         (JSC::JIT::emit_op_mod):
2323         (JSC::JIT::emit_op_negate):
2324         (JSC::JIT::emitBitBinaryOpFastPath):
2325         (JSC::JIT::emit_op_bitnot):
2326         (JSC::JIT::emitRightShiftFastPath):
2327         (JSC::JIT::emit_op_add):
2328         (JSC::JIT::emitMathICFast):
2329         (JSC::JIT::emitMathICSlow):
2330         (JSC::JIT::emit_op_div):
2331         (JSC::JIT::emit_op_mul):
2332         (JSC::JIT::emit_op_sub):
2333         * jit/JITArithmetic32_64.cpp:
2334         (JSC::JIT::emit_compareAndJump):
2335         (JSC::JIT::emit_compareUnsignedAndJump):
2336         (JSC::JIT::emit_compareUnsigned):
2337         (JSC::JIT::emit_compareAndJumpSlow):
2338         (JSC::JIT::emit_op_unsigned):
2339         (JSC::JIT::emit_op_inc):
2340         (JSC::JIT::emit_op_dec):
2341         (JSC::JIT::emitBinaryDoubleOp):
2342         (JSC::JIT::emit_op_mod):
2343         * jit/JITCall.cpp:
2344         (JSC::JIT::emitPutCallResult):
2345         (JSC::JIT::compileSetupFrame):
2346         (JSC::JIT::compileCallEvalSlowCase):
2347         (JSC::JIT::compileTailCall):
2348         (JSC::JIT::compileOpCall):
2349         * jit/JITCall32_64.cpp:
2350         (JSC::JIT::emitPutCallResult):
2351         (JSC::JIT::emit_op_ret):
2352         (JSC::JIT::compileSetupFrame):
2353         (JSC::JIT::compileCallEvalSlowCase):
2354         (JSC::JIT::compileOpCall):
2355         * jit/JITInlines.h:
2356         (JSC::JIT::emitValueProfilingSiteIfProfiledOpcode):
2357         (JSC::JIT::emitValueProfilingSite):
2358         (JSC::JIT::copiedGetPutInfo):
2359         (JSC::JIT::copiedArithProfile):
2360         * jit/JITOpcodes.cpp:
2361         (JSC::JIT::emit_op_mov):
2362         (JSC::JIT::emit_op_end):
2363         (JSC::JIT::emit_op_jmp):
2364         (JSC::JIT::emit_op_new_object):
2365         (JSC::JIT::emitSlow_op_new_object):
2366         (JSC::JIT::emit_op_overrides_has_instance):
2367         (JSC::JIT::emit_op_instanceof):
2368         (JSC::JIT::emitSlow_op_instanceof):
2369         (JSC::JIT::emit_op_is_empty):
2370         (JSC::JIT::emit_op_is_undefined):
2371         (JSC::JIT::emit_op_is_undefined_or_null):
2372         (JSC::JIT::emit_op_is_boolean):
2373         (JSC::JIT::emit_op_is_number):
2374         (JSC::JIT::emit_op_is_cell_with_type):
2375         (JSC::JIT::emit_op_is_object):
2376         (JSC::JIT::emit_op_ret):
2377         (JSC::JIT::emit_op_to_primitive):
2378         (JSC::JIT::emit_op_set_function_name):
2379         (JSC::JIT::emit_op_not):
2380         (JSC::JIT::emit_op_jfalse):
2381         (JSC::JIT::emit_op_jeq_null):
2382         (JSC::JIT::emit_op_jneq_null):
2383         (JSC::JIT::emit_op_jneq_ptr):
2384         (JSC::JIT::emit_op_eq):
2385         (JSC::JIT::emit_op_jeq):
2386         (JSC::JIT::emit_op_jtrue):
2387         (JSC::JIT::emit_op_neq):
2388         (JSC::JIT::emit_op_jneq):
2389         (JSC::JIT::emit_op_throw):
2390         (JSC::JIT::compileOpStrictEq):
2391         (JSC::JIT::compileOpStrictEqJump):
2392         (JSC::JIT::emitSlow_op_jstricteq):
2393         (JSC::JIT::emitSlow_op_jnstricteq):
2394         (JSC::JIT::emit_op_to_number):
2395         (JSC::JIT::emit_op_to_string):
2396         (JSC::JIT::emit_op_to_object):
2397         (JSC::JIT::emit_op_catch):
2398         (JSC::JIT::emit_op_get_parent_scope):
2399         (JSC::JIT::emit_op_switch_imm):
2400         (JSC::JIT::emit_op_switch_char):
2401         (JSC::JIT::emit_op_switch_string):
2402         (JSC::JIT::emit_op_debug):
2403         (JSC::JIT::emit_op_eq_null):
2404         (JSC::JIT::emit_op_neq_null):
2405         (JSC::JIT::emit_op_get_scope):
2406         (JSC::JIT::emit_op_to_this):
2407         (JSC::JIT::emit_op_create_this):
2408         (JSC::JIT::emit_op_check_tdz):
2409         (JSC::JIT::emitSlow_op_eq):
2410         (JSC::JIT::emitSlow_op_neq):
2411         (JSC::JIT::emitSlow_op_jeq):
2412         (JSC::JIT::emitSlow_op_jneq):
2413         (JSC::JIT::emitSlow_op_instanceof_custom):
2414         (JSC::JIT::emit_op_new_regexp):
2415         (JSC::JIT::emitNewFuncCommon):
2416         (JSC::JIT::emitNewFuncExprCommon):
2417         (JSC::JIT::emit_op_new_array):
2418         (JSC::JIT::emit_op_new_array_with_size):
2419         (JSC::JIT::emit_op_has_structure_property):
2420         (JSC::JIT::emit_op_has_indexed_property):
2421         (JSC::JIT::emitSlow_op_has_indexed_property):
2422         (JSC::JIT::emit_op_get_direct_pname):
2423         (JSC::JIT::emit_op_enumerator_structure_pname):
2424         (JSC::JIT::emit_op_enumerator_generic_pname):
2425         (JSC::JIT::emit_op_profile_type):
2426         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2427         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2428         (JSC::JIT::emit_op_profile_control_flow):
2429         (JSC::JIT::emit_op_argument_count):
2430         (JSC::JIT::emit_op_get_rest_length):
2431         (JSC::JIT::emit_op_get_argument):
2432         * jit/JITOpcodes32_64.cpp:
2433         (JSC::JIT::emit_op_mov):
2434         (JSC::JIT::emit_op_end):
2435         (JSC::JIT::emit_op_jmp):
2436         (JSC::JIT::emit_op_new_object):
2437         (JSC::JIT::emitSlow_op_new_object):
2438         (JSC::JIT::emit_op_overrides_has_instance):
2439         (JSC::JIT::emit_op_instanceof):
2440         (JSC::JIT::emitSlow_op_instanceof):
2441         (JSC::JIT::emitSlow_op_instanceof_custom):
2442         (JSC::JIT::emit_op_is_empty):
2443         (JSC::JIT::emit_op_is_undefined):
2444         (JSC::JIT::emit_op_is_undefined_or_null):
2445         (JSC::JIT::emit_op_is_boolean):
2446         (JSC::JIT::emit_op_is_number):
2447         (JSC::JIT::emit_op_is_cell_with_type):
2448         (JSC::JIT::emit_op_is_object):
2449         (JSC::JIT::emit_op_to_primitive):
2450         (JSC::JIT::emit_op_set_function_name):
2451         (JSC::JIT::emit_op_not):
2452         (JSC::JIT::emit_op_jfalse):
2453         (JSC::JIT::emit_op_jtrue):
2454         (JSC::JIT::emit_op_jeq_null):
2455         (JSC::JIT::emit_op_jneq_null):
2456         (JSC::JIT::emit_op_jneq_ptr):
2457         (JSC::JIT::emit_op_eq):
2458         (JSC::JIT::emitSlow_op_eq):
2459         (JSC::JIT::emit_op_jeq):
2460         (JSC::JIT::emitSlow_op_jeq):
2461         (JSC::JIT::emit_op_neq):
2462         (JSC::JIT::emitSlow_op_neq):
2463         (JSC::JIT::emit_op_jneq):
2464         (JSC::JIT::emitSlow_op_jneq):
2465         (JSC::JIT::compileOpStrictEq):
2466         (JSC::JIT::compileOpStrictEqJump):
2467         (JSC::JIT::emitSlow_op_jstricteq):
2468         (JSC::JIT::emitSlow_op_jnstricteq):
2469         (JSC::JIT::emit_op_eq_null):
2470         (JSC::JIT::emit_op_neq_null):
2471         (JSC::JIT::emit_op_throw):
2472         (JSC::JIT::emit_op_to_number):
2473         (JSC::JIT::emit_op_to_string):
2474         (JSC::JIT::emit_op_to_object):
2475         (JSC::JIT::emit_op_catch):
2476         (JSC::JIT::emit_op_get_parent_scope):
2477         (JSC::JIT::emit_op_switch_imm):
2478         (JSC::JIT::emit_op_switch_char):
2479         (JSC::JIT::emit_op_switch_string):
2480         (JSC::JIT::emit_op_debug):
2481         (JSC::JIT::emit_op_get_scope):
2482         (JSC::JIT::emit_op_create_this):
2483         (JSC::JIT::emit_op_to_this):
2484         (JSC::JIT::emit_op_check_tdz):
2485         (JSC::JIT::emit_op_has_structure_property):
2486         (JSC::JIT::emit_op_has_indexed_property):
2487         (JSC::JIT::emitSlow_op_has_indexed_property):
2488         (JSC::JIT::emit_op_get_direct_pname):
2489         (JSC::JIT::emit_op_enumerator_structure_pname):
2490         (JSC::JIT::emit_op_enumerator_generic_pname):
2491         (JSC::JIT::emit_op_profile_type):
2492         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2493         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2494         * jit/JITOperations.cpp:
2495         * jit/JITPropertyAccess.cpp:
2496         (JSC::JIT::emit_op_get_by_val):
2497         (JSC::JIT::emitGetByValWithCachedId):
2498         (JSC::JIT::emitSlow_op_get_by_val):
2499         (JSC::JIT::emit_op_put_by_val):
2500         (JSC::JIT::emitGenericContiguousPutByVal):
2501         (JSC::JIT::emitArrayStoragePutByVal):
2502         (JSC::JIT::emitPutByValWithCachedId):
2503         (JSC::JIT::emitSlow_op_put_by_val):
2504         (JSC::JIT::emit_op_put_getter_by_id):
2505         (JSC::JIT::emit_op_put_setter_by_id):
2506         (JSC::JIT::emit_op_put_getter_setter_by_id):
2507         (JSC::JIT::emit_op_put_getter_by_val):
2508         (JSC::JIT::emit_op_put_setter_by_val):
2509         (JSC::JIT::emit_op_del_by_id):
2510         (JSC::JIT::emit_op_del_by_val):
2511         (JSC::JIT::emit_op_try_get_by_id):
2512         (JSC::JIT::emitSlow_op_try_get_by_id):
2513         (JSC::JIT::emit_op_get_by_id_direct):
2514         (JSC::JIT::emitSlow_op_get_by_id_direct):
2515         (JSC::JIT::emit_op_get_by_id):
2516         (JSC::JIT::emit_op_get_by_id_with_this):
2517         (JSC::JIT::emitSlow_op_get_by_id):
2518         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2519         (JSC::JIT::emit_op_put_by_id):
2520         (JSC::JIT::emitSlow_op_put_by_id):
2521         (JSC::JIT::emit_op_in_by_id):
2522         (JSC::JIT::emitSlow_op_in_by_id):
2523         (JSC::JIT::emit_op_resolve_scope):
2524         (JSC::JIT::emit_op_get_from_scope):
2525         (JSC::JIT::emitSlow_op_get_from_scope):
2526         (JSC::JIT::emit_op_put_to_scope):
2527         (JSC::JIT::emit_op_get_from_arguments):
2528         (JSC::JIT::emit_op_put_to_arguments):
2529         (JSC::JIT::emitIntTypedArrayPutByVal):
2530         (JSC::JIT::emitFloatTypedArrayPutByVal):
2531         * jit/JITPropertyAccess32_64.cpp:
2532         (JSC::JIT::emit_op_put_getter_by_id):
2533         (JSC::JIT::emit_op_put_setter_by_id):
2534         (JSC::JIT::emit_op_put_getter_setter_by_id):
2535         (JSC::JIT::emit_op_put_getter_by_val):
2536         (JSC::JIT::emit_op_put_setter_by_val):
2537         (JSC::JIT::emit_op_del_by_id):
2538         (JSC::JIT::emit_op_del_by_val):
2539         (JSC::JIT::emit_op_get_by_val):
2540         (JSC::JIT::emitGetByValWithCachedId):
2541         (JSC::JIT::emitSlow_op_get_by_val):
2542         (JSC::JIT::emit_op_put_by_val):
2543         (JSC::JIT::emitGenericContiguousPutByVal):
2544         (JSC::JIT::emitArrayStoragePutByVal):
2545         (JSC::JIT::emitPutByValWithCachedId):
2546         (JSC::JIT::emitSlow_op_put_by_val):
2547         (JSC::JIT::emit_op_try_get_by_id):
2548         (JSC::JIT::emitSlow_op_try_get_by_id):
2549         (JSC::JIT::emit_op_get_by_id_direct):
2550         (JSC::JIT::emitSlow_op_get_by_id_direct):
2551         (JSC::JIT::emit_op_get_by_id):
2552         (JSC::JIT::emitSlow_op_get_by_id):
2553         (JSC::JIT::emit_op_get_by_id_with_this):
2554         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2555         (JSC::JIT::emit_op_put_by_id):
2556         (JSC::JIT::emitSlow_op_put_by_id):
2557         (JSC::JIT::emit_op_in_by_id):
2558         (JSC::JIT::emitSlow_op_in_by_id):
2559         (JSC::JIT::emit_op_resolve_scope):
2560         (JSC::JIT::emit_op_get_from_scope):
2561         (JSC::JIT::emitSlow_op_get_from_scope):
2562         (JSC::JIT::emit_op_put_to_scope):
2563         (JSC::JIT::emit_op_get_from_arguments):
2564         (JSC::JIT::emit_op_put_to_arguments):
2565         * llint/LLIntSlowPaths.cpp:
2566         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2567         (JSC::LLInt::setupGetByIdPrototypeCache):
2568         (JSC::LLInt::getByVal):
2569         (JSC::LLInt::genericCall):
2570         (JSC::LLInt::varargsSetup):
2571         (JSC::LLInt::commonCallEval):
2572         * llint/LowLevelInterpreter.asm:
2573         * llint/LowLevelInterpreter32_64.asm:
2574         * llint/LowLevelInterpreter64.asm:
2575         * runtime/CommonSlowPaths.cpp:
2576         (JSC::SLOW_PATH_DECL):
2577         (JSC::updateArithProfileForUnaryArithOp):
2578         * runtime/CommonSlowPaths.h:
2579         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2580         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2581
2582 2019-01-15  Mark Lam  <mark.lam@apple.com>
2583
2584         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
2585         https://bugs.webkit.org/show_bug.cgi?id=193423
2586         <rdar://problem/46209355>
2587
2588         Reviewed by Saam Barati.
2589
2590         JSFunction::canUseAllocationProfile() should return false for most builtins
2591         because the majority of them have no prototype property.  The only exception to
2592         this is the few builtin functions that are explicitly used as constructors.
2593
2594         For these builtin constructors, JSFunction::canUseAllocationProfile() should also
2595         return false if the prototype property is a getter or custom getter because
2596         getting the prototype would then be effectful.
2597
2598         * dfg/DFGOperations.cpp:
2599         * runtime/CommonSlowPaths.cpp:
2600         (JSC::SLOW_PATH_DECL):
2601         * runtime/JSFunctionInlines.h:
2602         (JSC::JSFunction::canUseAllocationProfile):
2603         * runtime/PropertySlot.h:
2604
2605 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2606
2607         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
2608         https://bugs.webkit.org/show_bug.cgi?id=193438
2609         <rdar://problem/45581249>
2610
2611         Reviewed by Saam Barati and Keith Miller.
2612
2613         GetByVal(Array::String) emits Check(String) before that. But AI can broaden the type constraint in the second run.
2614         After the first run removes Check(String), it can happen that AI starts saying the type of the 1st child is not String.
2615         To claim that it *is* a String type, we should use KnownStringUse here.
2616
2617         * dfg/DFGFixupPhase.cpp:
2618         (JSC::DFG::FixupPhase::fixupNode): StringCharAt and GetByVal(Array::String) share the underlying compiler code. We should
2619         change StringUse => KnownStringUse for StringCharAt too. And StringCharAt and StringCharCodeAt potentially have the same
2620         problem. This patch fixes it too.
2621         * dfg/DFGSSALoweringPhase.cpp:
2622         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2623         * ftl/FTLLowerDFGToB3.cpp:
2624         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2625         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2626
2627 2019-01-15  Saam Barati  <sbarati@apple.com>
2628
2629         Try ripping out inferred types because it might be a performance improvement
2630         https://bugs.webkit.org/show_bug.cgi?id=190906
2631
2632         Reviewed by Yusuke Suzuki.
2633
2634         This patch removes inferred types from JSC. Initial evidence shows that
2635         this might be around a ~1% speedup on Speedometer2 and JetStream2.
2636
2637         * JavaScriptCore.xcodeproj/project.pbxproj:
2638         * Sources.txt:
2639         * bytecode/AccessCase.cpp:
2640         (JSC::AccessCase::generateImpl):
2641         * bytecode/Fits.h:
2642         * bytecode/PutByIdFlags.cpp:
2643         (WTF::printInternal):
2644         * bytecode/PutByIdFlags.h:
2645         * bytecode/PutByIdStatus.cpp:
2646         (JSC::PutByIdStatus::computeFromLLInt):
2647         (JSC::PutByIdStatus::computeForStubInfo):
2648         (JSC::PutByIdStatus::computeFor):
2649         * bytecode/PutByIdVariant.cpp:
2650         (JSC::PutByIdVariant::operator=):
2651         (JSC::PutByIdVariant::replace):
2652         (JSC::PutByIdVariant::transition):
2653         (JSC::PutByIdVariant::setter):
2654         (JSC::PutByIdVariant::attemptToMerge):
2655         (JSC::PutByIdVariant::dumpInContext const):
2656         * bytecode/PutByIdVariant.h:
2657         (JSC::PutByIdVariant::requiredType const): Deleted.
2658         * dfg/DFGAbstractInterpreterInlines.h:
2659         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2660         * dfg/DFGAbstractValue.cpp:
2661         (JSC::DFG::AbstractValue::isType const): Deleted.
2662         * dfg/DFGAbstractValue.h:
2663         * dfg/DFGByteCodeParser.cpp:
2664         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2665         (JSC::DFG::ByteCodeParser::handlePutByOffset):
2666         (JSC::DFG::ByteCodeParser::load):
2667         (JSC::DFG::ByteCodeParser::store):
2668         (JSC::DFG::ByteCodeParser::handlePutById):
2669         (JSC::DFG::ByteCodeParser::parseBlock):
2670         * dfg/DFGConstantFoldingPhase.cpp:
2671         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2672         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2673         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2674         * dfg/DFGDesiredInferredType.h: Removed.
2675         * dfg/DFGDesiredWatchpoints.cpp:
2676         (JSC::DFG::DesiredWatchpoints::reallyAdd):
2677         (JSC::DFG::DesiredWatchpoints::areStillValid const):
2678         (JSC::DFG::DesiredWatchpoints::dumpInContext const):
2679         (JSC::DFG::InferredTypeAdaptor::add): Deleted.
2680         * dfg/DFGDesiredWatchpoints.h:
2681         (JSC::DFG::DesiredWatchpoints::isWatched):
2682         (JSC::DFG::InferredTypeAdaptor::hasBeenInvalidated): Deleted.
2683         (JSC::DFG::InferredTypeAdaptor::dumpInContext): Deleted.
2684         * dfg/DFGFixupPhase.cpp:
2685         (JSC::DFG::FixupPhase::fixupNode):
2686         * dfg/DFGGraph.cpp:
2687         (JSC::DFG::Graph::dump):
2688         (JSC::DFG::Graph::inferredValueForProperty):
2689         (JSC::DFG::Graph::inferredTypeFor): Deleted.
2690         * dfg/DFGGraph.h:
2691         (JSC::DFG::Graph::registerInferredType): Deleted.
2692         (JSC::DFG::Graph::inferredTypeForProperty): Deleted.
2693         * dfg/DFGInferredTypeCheck.cpp: Removed.
2694         * dfg/DFGInferredTypeCheck.h: Removed.
2695         * dfg/DFGNode.h:
2696         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2697         * dfg/DFGSafeToExecute.h:
2698         (JSC::DFG::safeToExecute):
2699         * ftl/FTLLowerDFGToB3.cpp:
2700         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2701         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType): Deleted.
2702         * generator/DSL.rb:
2703         * heap/Heap.cpp:
2704         (JSC::Heap::finalizeUnconditionalFinalizers):
2705         * jit/AssemblyHelpers.cpp:
2706         (JSC::AssemblyHelpers::branchIfNotType): Deleted.
2707         * jit/AssemblyHelpers.h:
2708         * jit/Repatch.cpp:
2709         (JSC::tryCachePutByID):
2710         * llint/LLIntOffsetsExtractor.cpp:
2711         * llint/LLIntSlowPaths.cpp:
2712         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2713         * llint/LowLevelInterpreter.asm:
2714         * llint/LowLevelInterpreter32_64.asm:
2715         * llint/LowLevelInterpreter64.asm:
2716         * runtime/InferredStructure.cpp:
2717         (JSC::InferredStructure::InferredStructure): Deleted.
2718         * runtime/InferredStructure.h:
2719         (): Deleted.
2720         * runtime/InferredStructureWatchpoint.cpp:
2721         (JSC::InferredStructureWatchpoint::fireInternal): Deleted.
2722         * runtime/InferredType.cpp: Removed.
2723         * runtime/InferredType.h: Removed.
2724         * runtime/InferredTypeInlines.h: Removed.
2725         * runtime/InferredTypeTable.cpp: Removed.
2726         * runtime/InferredTypeTable.h: Removed.
2727         * runtime/JSObjectInlines.h:
2728         (JSC::JSObject::putDirectInternal):
2729         * runtime/Structure.cpp:
2730         (JSC::Structure::materializePropertyTable):
2731         (JSC::Structure::addNewPropertyTransition):
2732         (JSC::Structure::removePropertyTransition):
2733         (JSC::Structure::willStoreValueSlow):
2734         (JSC::Structure::visitChildren):
2735         * runtime/Structure.h:
2736         (JSC::PropertyMapEntry::PropertyMapEntry):
2737         * runtime/StructureInlines.h:
2738         (JSC::Structure::get):
2739         * runtime/VM.cpp:
2740         (JSC::VM::VM):
2741         * runtime/VM.h:
2742
2743 2019-01-15  Tomas Popela  <tpopela@redhat.com>
2744
2745         Unreviewed: Fix the -Wformat compiler warnings
2746
2747         * jsc.cpp:
2748         (jscmain):
2749
2750 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
2751
2752         DFGByteCodeParser rules for bitwise operations should consider type of their operands
2753         https://bugs.webkit.org/show_bug.cgi?id=192966
2754
2755         Reviewed by Yusuke Suzuki.
2756
2757         This patch changes the logic of how we lower bitwise operations, to
2758         consider only the type of the input nodes and fix them during FixupPhase,
2759         if necessary. We also change the prediction propagation rules
2760         for ValueBitOp to use `getHeapPrediction()`.
2761
2762         * dfg/DFGBackwardsPropagationPhase.cpp:
2763         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2764         (JSC::DFG::BackwardsPropagationPhase::propagate):
2765         * dfg/DFGByteCodeParser.cpp:
2766         (JSC::DFG::ByteCodeParser::parseBlock):
2767         * dfg/DFGFixupPhase.cpp:
2768         (JSC::DFG::FixupPhase::fixupNode):
2769         * dfg/DFGNode.h:
2770         (JSC::DFG::Node::hasInt32Result):
2771         (JSC::DFG::Node::hasNumberOrAnyIntResult):
2772         (JSC::DFG::Node::hasHeapPrediction):
2773         * dfg/DFGPredictionPropagationPhase.cpp:
2774
2775 2019-01-15  Joseph Pecoraro  <pecoraro@apple.com>
2776
2777         Web Inspector: Generate the DOMDebugger domain for Augmenting Agents (ObjC protocol)
2778         https://bugs.webkit.org/show_bug.cgi?id=193409
2779         <rdar://problem/44349411>
2780
2781         Reviewed by Devin Rousso.
2782
2783         * inspector/scripts/codegen/objc_generator.py:
2784         (ObjCGenerator):
2785         Generate DOMDebugger domain ObjC interfaces.
2786
2787 2019-01-15  Devin Rousso  <drousso@apple.com>
2788
2789         Web Inspector: Audit: create new IDL type for exposing special functionality in test context
2790         https://bugs.webkit.org/show_bug.cgi?id=193149
2791         <rdar://problem/46801218>
2792
2793         Reviewed by Joseph Pecoraro.
2794
2795         Create a new `AuditAgent` (and various subclasses for different inspection targets)
2796
2797         * inspector/protocol/Audit.json: Added.
2798         Add a `run` command that is a simpler version of `Runtime.evaluate`, except that it expects
2799         a function string instead of an arbitrary JavaScript expression.
2800         Add `setup` and `teardown` commands that create a JavaScript object that will be passed in
2801         to the test as an argument. Keep this object alive so that tests can add to the object and
2802         have later tests use what was added.
2803
2804         * inspector/agents/InspectorAuditAgent.h: Added.
2805         * inspector/agents/InspectorAuditAgent.cpp: Added.
2806         (Inspector::InspectorAuditAgent::InspectorAuditAgent):
2807         (Inspector::InspectorAuditAgent::didCreateFrontendAndBackend):
2808         (Inspector::InspectorAuditAgent::willDestroyFrontendAndBackend):
2809         (Inspector::InspectorAuditAgent::setup):
2810         (Inspector::InspectorAuditAgent::run):
2811         (Inspector::InspectorAuditAgent::teardown):
2812         (Inspector::InspectorAuditAgent::hasActiveAudit):
2813         (Inspector::InspectorAuditAgent::populateAuditObject):
2814
2815         * inspector/agents/JSGlobalObjectAuditAgent.h: Added.
2816         * inspector/agents/JSGlobalObjectAuditAgent.cpp: Added.
2817         (Inspector::JSGlobalObjectAuditAgent::JSGlobalObjectAuditAgent):
2818         (Inspector::JSGlobalObjectAuditAgent::injectedScriptForEval):
2819
2820         * inspector/JSGlobalObjectInspectorController.h:
2821         * inspector/JSGlobalObjectInspectorController.cpp:
2822         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2823         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2824         (Inspector::JSGlobalObjectInspectorController::jsAgentContext): Added.
2825         (Inspector::JSGlobalObjectInspectorController::createLazyAgents): Added.
2826
2827         * inspector/InjectedScript.h:
2828         * inspector/InjectedScript.cpp:
2829         (Inspector::InjectedScript::execute): Added.
2830         (Inspector::InjectedScript::arrayFromVector): Added.
2831         Create a version of `evaluate` that accepts a list of values to be passed in as arguments
2832         to the function that was created by the `eval` of the given `functionString`.
2833
2834         * inspector/InjectedScriptSource.js:
2835         (InjectedScript.prototype.execute): Added.
2836         (InjectedScript.prototype.evaluate):
2837         (InjectedScript.prototype.evaluateOnCallFrame):
2838         (InjectedScript.prototype._evaluateAndWrap):
2839         (InjectedScript.prototype._wrapAndSaveCall): Added.
2840         (InjectedScript.prototype._wrapCall): Added.
2841         (InjectedScript.prototype._evaluateOn):
2842         Refactor the `eval` and `saveResult` logic to allow for more flexibility for other callers.
2843
2844         * CMakeLists.txt:
2845         * DerivedSources-input.xcfilelist:
2846         * DerivedSources.make:
2847         * JavaScriptCore.xcodeproj/project.pbxproj:
2848         * Sources.txt:
2849         * UnifiedSources-input.xcfilelist:
2850
2851 2019-01-14  Michael Saboff  <msaboff@apple.com>
2852
2853         Add option to JSC to dump memory footprint on script completion
2854         https://bugs.webkit.org/show_bug.cgi?id=193422
2855
2856         Reviewed by Mark Lam.
2857
2858         Added the --footprint option to dump peak and current memory usage.  This uses the same
2859         OS calls added in r2362362.
2860
2861         * jsc.cpp:
2862         (printUsageStatement):
2863         (CommandLine::parseArguments):
2864         (jscmain):
2865
2866 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2867
2868         [JSC] AI should check the given constant's array type when folding GetByVal into constant
2869         https://bugs.webkit.org/show_bug.cgi?id=193413
2870         <rdar://problem/46092389>
2871
2872         Reviewed by Keith Miller.
2873
2874         If GetByVal's DFG::ArrayMode's type is Array::Double, we expect that the result of GetByVal is Double, since we already performed CheckStructure or CheckArray
2875         to ensure this array type. But this assumption on the given value becomes wrong in AI, since CheckStructure may not perform filtering. And the proven AbstractValue
2876         in GetByVal would not be the expected one.
2877
2878         We have the graph before performing constant folding.
2879
2880         53:<!0:->     GetLocal(Check:Untyped:@77, JS|MustGen|UseAsOther, Array, arg2(C<Array>/FlushedCell), R:Stack(7), bc#37, ExitValid)  predicting Array
2881         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
2882         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
2883         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
2884         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
2885
2886         And 53 is converted to JSConstant in the constant folding. It leads to a constant folding attempt in GetByVal.
2887
2888         53:< 1:->     JSConstant(JS|UseAsOther, Array, Weak:Object: 0x117fb4370 with butterfly 0x8000e4050 (Structure %BV:Array), StructureID: 104, bc#37, ExitValid)
2889         54:< 1:->     JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid)
2890         93:<!0:->     CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid)
2891         94:< 1:->     GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid)
2892         55:<!0:->     GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid)  predicting StringIdent|NonIntAsdouble
2893
2894         GetByVal gets a constant Array from @53, and attempts to perform constant folding by leveraging the CoW state: if the given array's butterfly is CoW and we performed a CoW array check for this GetByVal, the array would not be changed as long as the check works.
2895         However, CheckStructure for @53 does not filter anything at AI. So, if @53 is a CopyOnWrite | Contiguous array (not a CopyOnWrite | Double array!), GetByVal will get a JSValue. But it does not meet the requirement of GetByVal since it has Double Array mode, and says it returns Double.
2896         Here, CheckStructure is valid because the structure of the constant object would be changed. What we should do is an additional CoW & ArrayShape check in GetByVal when folding since this node leverages CoW's interesting feature,
2897         "If a CoW array check (CheckStructure etc.) is emitted by GetByVal's DFG::ArrayMode, the content is not changed from the creation!".
2898
2899         This patch adds ArrayShape check in addition to CoW status check in GetByVal.
2900
2901         Unfortunately, this crash is very flaky. In the above case, if @53 stays GetLocal after the constant folding phase, this issue does not occur. We can see this crash in r238109, but it is really hard to reproduce it in the current ToT.
2902         I verified this fix works in r238109 with the attached test.
2903
2904         * dfg/DFGAbstractInterpreterInlines.h:
2905         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2906         * dfg/DFGAbstractValue.cpp:
2907         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2908
2909 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
2910
2911         [BigInt] Literal parsing is crashing when used inside a Object Literal
2912         https://bugs.webkit.org/show_bug.cgi?id=193404
2913
2914         Reviewed by Yusuke Suzuki.
2915
2916         The former implementation was relying on token.m_data.radix after the
2917         call to `next()` in Parser.cpp. This is not safe because `next()`
2918         clobbers token.m_data.radix in some cases (e.g. CLOSEBRACE).
2919         Now we get the radix value before calling `next()` in the parser and store
2920         it in a local variable.
2921
2922         * parser/Parser.cpp:
2923         (JSC::Parser<LexerType>::parsePrimaryExpression):
2924
2925 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2926
2927         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
2928         https://bugs.webkit.org/show_bug.cgi?id=193372
2929
2930         Reviewed by Saam Barati.
2931
2932         When a RegisteredStructureSet is filtered with an AbstractValue, we use the structure, SpeculationType, and ArrayModes.
2933         However, we use the asArrayModes() function with IndexingMode to compute the ArrayModes in an AbstractValue. This is
2934         wrong since it discards the TypedArray ArrayModes. As a result, if a RegisteredStructureSet with TypedArrays is
2935         filtered with the ArrayModes of an AbstractValue populated from TypedArrays, we filter all the structures out since
2936         the AbstractValue's ArrayModes become NonArray, which is wrong for the TypedArrays' ArrayModes. This leads to
2937         incorrect FTL code generation with MultiGetByOffset etc. nodes because:
2938
2939         1. AI thinks that this MultiGetByOffset never succeeds since all the values of the RegisteredStructureSet are filtered out by the AbstractValue.
2940         2. AI says the state of MultiGetByOffset is invalid since AI thinks it never succeeds.
2941         3. So subsequent code becomes FTL crash code since AI thinks the execution should do OSR exit.
2942         4. Then, FTL emits the code for MultiGetByOffset, and emits a crash after that.
2943         5. But in reality, the incoming value can match one of the RegisteredStructureSet values since (1)'s structures are incorrectly filtered by the incorrect ArrayModes.
2944         6. Then, the execution goes on, and falls into the FTL crash.
2945
2946         This patch fixes the incorrect ArrayModes calculation by the following changes:
2947
2948         1. Rename asArrayModes to asArrayModesIgnoringTypedArrays.
2949         2. Fix incorrect asArrayModesIgnoringTypedArrays use in our code. Use arrayModesFromStructure instead.
2950         3. Fix OSR exit code which stores incorrect ArrayModes to the profiles.
2951
2952         * bytecode/ArrayProfile.cpp:
2953         (JSC::dumpArrayModes):
2954         (JSC::ArrayProfile::computeUpdatedPrediction):
2955         * bytecode/ArrayProfile.h:
2956         (JSC::asArrayModesIgnoringTypedArrays):
2957         (JSC::arrayModesFromStructure):
2958         (JSC::arrayModesIncludeIgnoringTypedArrays):
2959         (JSC::shouldUseSlowPutArrayStorage):
2960         (JSC::shouldUseFastArrayStorage):
2961         (JSC::shouldUseContiguous):
2962         (JSC::shouldUseDouble):
2963         (JSC::shouldUseInt32):
2964         (JSC::asArrayModes): Deleted.
2965         (JSC::arrayModeFromStructure): Deleted.
2966         (JSC::arrayModesInclude): Deleted.
2967         * dfg/DFGAbstractValue.cpp:
2968         (JSC::DFG::AbstractValue::observeTransitions):
2969         (JSC::DFG::AbstractValue::set):
2970         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2971         (JSC::DFG::AbstractValue::contains const):
2972         * dfg/DFGAbstractValue.h:
2973         (JSC::DFG::AbstractValue::observeTransition):
2974         (JSC::DFG::AbstractValue::validate const):
2975         (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
2976         * dfg/DFGArrayMode.cpp:
2977         (JSC::DFG::ArrayMode::fromObserved):
2978         (JSC::DFG::ArrayMode::alreadyChecked const):
2979         * dfg/DFGArrayMode.h:
2980         (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
2981         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2982         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2983         * dfg/DFGOSRExit.cpp:
2984         (JSC::DFG::OSRExit::executeOSRExit):
2985         (JSC::DFG::OSRExit::compileExit):
2986         * dfg/DFGRegisteredStructureSet.cpp:
2987         (JSC::DFG::RegisteredStructureSet::filterArrayModes):
2988         (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
2989         * ftl/FTLOSRExitCompiler.cpp:
2990         (JSC::FTL::compileStub):
2991         * jit/JITInlines.h:
2992         (JSC::JIT::chooseArrayMode):
2993         (JSC::arrayProfileSaw): Deleted.
2994         * runtime/JSType.h:
2995         (JSC::isTypedArrayType):
2996
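         The two ArrayModes problems in the entries above (a typed-array-blind asArrayModes() emptying a filtered structure set, and GetByVal folding on a CoW constant without checking its shape) in a simplified model. This is an added example, not JSC's own code; the enum values, the bit layout of ArrayModes, the Structure struct and the helper names are assumptions modelled on the names in the entries.

```cpp
// Added example, not JSC's code: a simplified model of ArrayModes computation.
// Enum values, the ArrayModes bit layout and the Structure struct are assumptions.
#include <cstddef>
#include <cstdint>
#include <vector>

typedef uint32_t ArrayModes;
typedef uint8_t IndexingType; // indexing shape of an ordinary object/array

// Illustrative indexing types (the real set lives in JSC's IndexingType.h).
enum : IndexingType {
    NonArrayIndexing = 0,
    ArrayWithInt32 = 1,
    ArrayWithDouble = 2,
    ArrayWithContiguous = 3,
    NumberOfIndexingTypes = 4,
};

// Illustrative JSType subset; the typed-array types are contiguous so a range test works.
enum JSType : uint8_t {
    ObjectType,
    ArrayType,
    Int8ArrayType,    // first typed-array type
    Uint8ArrayType,
    Int32ArrayType,
    Float64ArrayType, // last typed-array type
};

// Modelled on the isTypedArrayType() named in the entry: a range test over JSType.
inline bool isTypedArrayType(JSType type)
{
    return type >= Int8ArrayType && type <= Float64ArrayType;
}

struct Structure {
    JSType type;
    IndexingType indexingMode; // typed arrays carry NonArrayIndexing here
};

// The old helper (renamed asArrayModesIgnoringTypedArrays by the patch): one bit per
// indexing type. Typed arrays have no indexing shape, so they all collapse onto the
// NonArray bit and their identity is lost.
constexpr ArrayModes asArrayModesIgnoringTypedArrays(IndexingType mode)
{
    return 1u << mode;
}
constexpr ArrayModes NonArray = asArrayModesIgnoringTypedArrays(NonArrayIndexing);

// The new helper: typed arrays get their own bits above the indexing-type bits.
inline ArrayModes arrayModesFromStructure(const Structure& structure)
{
    if (isTypedArrayType(structure.type))
        return 1u << (NumberOfIndexingTypes + (structure.type - Int8ArrayType));
    return asArrayModesIgnoringTypedArrays(structure.indexingMode);
}

// RegisteredStructureSet::filterArrayModes in the model: keep only the structures
// whose own ArrayModes intersect the ArrayModes the AbstractValue has proven.
inline std::vector<Structure> filterArrayModes(const std::vector<Structure>& set, ArrayModes proven)
{
    std::vector<Structure> kept;
    for (const Structure& s : set) {
        if (arrayModesFromStructure(s) & proven)
            kept.push_back(s);
    }
    return kept;
}

// How many structures of a set {valueStructure} survive filtering by an AbstractValue
// populated from valueStructure. useStructureAwareModes=false reproduces the bug: a
// Float64Array value is recorded as NonArray, the filter removes its own structure,
// and AI concludes that the MultiGetByOffset can never succeed.
inline size_t structuresSurvivingFilter(const Structure& valueStructure, bool useStructureAwareModes)
{
    ArrayModes proven = useStructureAwareModes
        ? arrayModesFromStructure(valueStructure)
        : asArrayModesIgnoringTypedArrays(valueStructure.indexingMode);
    std::vector<Structure> registered = { valueStructure };
    return filterArrayModes(registered, proven).size();
}

// The GetByVal folding decision from the earlier entry. A CoW butterfly alone is not
// enough: the constant's shape must also match the ArrayMode the node was compiled
// for, otherwise a Contiguous CoW array is folded as if it were a Double array.
inline bool canFoldGetByVal(const Structure& constantArray, bool butterflyIsCopyOnWrite,
                            ArrayModes nodeArrayModes, bool checkShape)
{
    if (!butterflyIsCopyOnWrite)
        return false;
    if (!checkShape)
        return true; // old behaviour: fold as soon as the butterfly is CoW
    return (arrayModesFromStructure(constantArray) & nodeArrayModes) != 0;
}
```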
2997 2019-01-14  Mark Lam  <mark.lam@apple.com>
2998
2999         Re-enable ability to build --cloop builds.
3000         https://bugs.webkit.org/show_bug.cgi?id=192955
3001         <rdar://problem/46882363>
3002
3003         Reviewed by Saam Barati and Keith Miller.
3004
3005         * Configurations/FeatureDefines.xcconfig:
3006
3007 2019-01-14  Mark Lam  <mark.lam@apple.com>
3008
3009         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
3010         https://bugs.webkit.org/show_bug.cgi?id=193402
3011         <rdar://problem/46012309>
3012
3013         Reviewed by Keith Miller.
3014
3015         The CLoop builds via build-jsc were previously completely disabled after our
3016         change to enable the ASM LLInt build without the JIT.  As a result, JSC tests have
3017         regressed on CLoop builds.  The CLoop builds and tests will be re-enabled when
3018         the fix for https://bugs.webkit.org/show_bug.cgi?id=192955 lands.  This patch
3019         fixes all the regressions (and some old bugs) so that the CLoop test bots won't
3020         be red when the CLoop build gets re-enabled.
3021
3022         In this patch, we do the following:
3023
3024         1. Change CLoopStack::grow() to set the new CLoop stack top at the maximum
3025            allocated capacity (after discounting the reserved zone) as opposed to setting
3026            it only at the level that the client requested.
3027
3028            This fixes a small performance bug that I happened to notice when I was
3029            debugging a stack issue.  It does not affect correctness.
3030
3031         2. In LowLevelInterpreter32_64.asm:
3032
3033            1. Fix loadConstantOrVariableTag() to use subi for computing the constant
3034               index because the VirtualRegister offset and FirstConstantRegisterIndex
3035               values it is operating on are both signed ints.  This is just to be
3036               pedantic.  The previous use of subu will still produce a correct value.
3037
3038            2. Fix llintOpWithReturn() to use getu (instead of get) for reading
3039               OpIsCellWithType::type because it is of type JSType, which is a uint8_t.
3040
3041            3. Fix llintOpWithMetadata() to use loadis for loading
3042               OpGetById::Metadata::modeMetadata.protoLoadMode.cachedOffset[t5] because it
3043               is of type PropertyOffset, which is a signed int.
3044
3045            4. Fix commonCallOp() to use getu for loading fields argv and argc because they
3046               are of type unsigned for OpCall, OpConstruct, and OpTailCall, which are the
3047               clients of commonCallOp.
3048
3049            5. Fix llintOpWithMetadata() and getClosureVar() to use loadp for loading
3050               OpGetFromScope::Metadata::operand because it is of type uintptr_t.
3051
3052         3. In LowLevelInterpreter64.asm:
3053
3054            1. Fix llintOpWithReturn() to use getu for reading OpIsCellWithType::type
3055               because it is of type JSType, which is a uint8_t.
3056
3057            2. Fix llintOpWithMetadata() to use loadi for loading
3058               OpGetById::Metadata::modeMetadata.protoLoadMode.structure[t2] because it is
3059               of type StructureID, which is a uint32_t.
3060
3061               Fix llintOpWithMetadata() to use loadis for loading
3062               OpGetById::Metadata::modeMetadata.protoLoadMode.cachedOffset[t2] because it
3063               is of type PropertyOffset, which is a signed int.
3064
3065            3. commonOp() should reload the metadataTable for op_catch because unlike
3066               for the ASM LLInt, the exception unwinding code is not able to restore
3067               "callee saved registers" for the CLoop interpreter because the CLoop uses
3068               pseudo-registers (see the CLoopRegister class).
3069
3070               This was the source of many exotic CLoop failures after the bytecode format
3071               change (which introduced the metadataTable callee saved register).  Hence,
3072               we fix it by reloading metadataTable's value on re-entry via op_catch for
3073               exception handling.  We already take care of restoring it in op_ret.
3074
3075            4. Fix llintOpWithMetadata() and getClosureVar() to use loadp for loading
3076               OpGetFromScope::Metadata::operand because it is of type uintptr_t.
3077
3078         4. In LowLevelInterpreter.asm:
3079
3080            Fix metadata() to use loadi for loading metadataTable offsets because they are
3081            of type unsigned.  This was also a source of many exotic CLoop test failures.
3082
3083         5. Change CLoopRegister into a class with a uintptr_t as its storage element.
3084            Previously, we were using a union to convert between various value types that
3085            we would store in this pseudo-register.  This method of type conversion is
3086            undefined behavior according to the C++ spec.  As a result, the C++ compiler
3087            may choose to elide some CLoop statements, thereby resulting in some exotic
3088            bugs.
3089
3090            We fix this by now always using accessor methods and assignment operators to
3091            ensure that we use bitwise_cast to do the type conversions.  Since bitwise_cast
3092            uses a memcpy, this ensures that there's no undefined behavior, and that CLoop
3093            statements won't get elided willy-nilly by the compiler.
3094
3095            Ditto for the CLoopDoubleRegisters.
3096
3097            Similarly, use bitwise_cast for ints2Double() and double2Ints() utility
3098            functions.
3099
3100            Also use bitwise_cast (instead of reinterpret_cast) for the CLoop CAST macro.
3101
3102         6. Fix cloop.rb to use the new CLoopRegister and CLoopDoubleRegister classes.
3103
3104            Add a clLValue accessor for offlineasm operand types to distinguish
3105            LValue use of the operands from RValue uses.
3106
3107            Replace the use of clearHighWord() with simply casting to uint32_t.  This is
3108            more efficient for the C++ compiler (and helps speed up debug build runs).
3109
3110            Also fix 32-bit arithmetic operations to only set the lower 32-bit value of
3111            the pseudo registers.  This fixes some CLoop JSC test failures.
3112
3113         This patch has been manually tested with the JSC tests on the following builds:
3114         64bit X86 ASM LLInt (without JIT), 64bit and 32bit X86 CLoop, and ARMv7 CLoop.
3115
3116         * interpreter/CLoopStack.cpp:
3117         (JSC::CLoopStack::grow):
3118         * llint/LowLevelInterpreter.asm:
3119         * llint/LowLevelInterpreter.cpp:
3120         (JSC::CLoopRegister::i const):
3121         (JSC::CLoopRegister::u const):
3122         (JSC::CLoopRegister::i32 const):
3123         (JSC::CLoopRegister::u32 const):
3124         (JSC::CLoopRegister::i8 const):
3125         (JSC::CLoopRegister::u8 const):
3126         (JSC::CLoopRegister::ip const):
3127         (JSC::CLoopRegister::i8p const):
3128         (JSC::CLoopRegister::vp const):
3129         (JSC::CLoopRegister::cvp const):
3130         (JSC::CLoopRegister::callFrame const):
3131         (JSC::CLoopRegister::execState const):
3132         (JSC::CLoopRegister::instruction const):
3133         (JSC::CLoopRegister::vm const):
3134         (JSC::CLoopRegister::cell const):
3135         (JSC::CLoopRegister::protoCallFrame const):
3136         (JSC::CLoopRegister::nativeFunc const):
3137         (JSC::CLoopRegister::i64 const):
3138         (JSC::CLoopRegister::u64 const):
3139         (JSC::CLoopRegister::encodedJSValue const):
3140         (JSC::CLoopRegister::opcode const):
3141         (JSC::CLoopRegister::operator ExecState*):
3142         (JSC::CLoopRegister::operator const Instruction*):
3143         (JSC::CLoopRegister::operator JSCell*):
3144         (JSC::CLoopRegister::operator ProtoCallFrame*):
3145         (JSC::CLoopRegister::operator Register*):
3146         (JSC::CLoopRegister::operator VM*):
3147         (JSC::CLoopRegister::operator=):
3148         (JSC::CLoopRegister::bitsAsDouble const):
3149         (JSC::CLoopRegister::bitsAsInt64 const):
3150         (JSC::CLoopDoubleRegister::operator T const):
3151         (JSC::CLoopDoubleRegister::d const):
3152         (JSC::CLoopDoubleRegister::bitsAsInt64 const):
3153         (JSC::CLoopDoubleRegister::operator=):
3154         (JSC::LLInt::ints2Double):
3155         (JSC::LLInt::double2Ints):
3156         (JSC::LLInt::decodeResult):
3157         (JSC::CLoop::execute):
3158         (JSC::LLInt::Ints2Double): Deleted.
3159         (JSC::LLInt::Double2Ints): Deleted.
3160         (JSC::CLoopRegister::CLoopRegister): Deleted.
3161         (JSC::CLoopRegister::clearHighWord): Deleted.
3162         * llint/LowLevelInterpreter32_64.asm:
3163         * llint/LowLevelInterpreter64.asm:
3164         * offlineasm/cloop.rb:
3165
3166 2019-01-14  Keith Miller  <keith_miller@apple.com>
3167
3168         JSC should have a module loader API
3169         https://bugs.webkit.org/show_bug.cgi?id=191121
3170
3171         Reviewed by Michael Saboff.
3172
3173         This patch adds a new delegate to JSContext that is called to fetch
3174         any resolved module. The resolution of a module identifier is computed
3175         as if it were a URL on the web with the caveat that it must be a file URL.
3176
3177         A new class JSScript has also been added that is similar to JSScriptRef.
3178         Right now all JSScripts are copied into memory. In the future we should
3179         mmap the provided file into memory so the OS can evict it to disk under
3180         pressure. Additionally, the API does not make use of the code signing path
3181         nor the bytecode caching path, which we will add in subsequent patches.
3182
3183         Lastly, a couple of new convenience methods have been added. C API
3184         conversion can now toRef a JSValue with just a vm rather than
3185         requiring an ExecState. Secondly, there is now a call wrapper that
3186         does not require CallData and CallType since many places don't
3187         care about this.
3188
3189         * API/APICast.h:
3190         (toRef):
3191         * API/JSAPIGlobalObject.cpp: Copied from Source/JavaScriptCore/API/JSVirtualMachineInternal.h.
3192         * API/JSAPIGlobalObject.h: Added.
3193         (JSC::JSAPIGlobalObject::create):
3194         (JSC::JSAPIGlobalObject::createStructure):
3195         (JSC::JSAPIGlobalObject::JSAPIGlobalObject):
3196         * API/JSAPIGlobalObject.mm: Added.
3197         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
3198         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
3199         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3200         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
3201         * API/JSAPIValueWrapper.h:
3202         (JSC::jsAPIValueWrapper): Deleted.
3203         * API/JSContext.h:
3204         * API/JSContext.mm:
3205         (-[JSContext moduleLoaderDelegate]):
3206         (-[JSContext setModuleLoaderDelegate:]):
3207         * API/JSContextInternal.h:
3208         * API/JSContextPrivate.h:
3209         * API/JSContextRef.cpp:
3210         (JSGlobalContextCreateInGroup):
3211         * API/JSScript.h: Added.
3212         * API/JSScript.mm: Added.
3213         (+[JSScript scriptWithSource:inVirtualMachine:]):
3214         (fillBufferWithContentsOfFile):
3215         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3216         (getJSScriptSourceCode):
3217         * API/JSScriptInternal.h: Copied from Source/JavaScriptCore/API/JSVirtualMachineInternal.h.
3218         * API/JSValueInternal.h:
3219         * API/JSVirtualMachineInternal.h:
3220         * API/tests/testapi.mm:
3221         (+[JSContextFetchDelegate contextWithBlockForFetch:]):
3222         (-[JSContextFetchDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3223         (checkModuleCodeRan):
3224         (checkModuleWasRejected):
3225         (testFetch):
3226         (testFetchWithTwoCycle):
3227         (testFetchWithThreeCycle):
3228         (testLoaderResolvesAbsoluteScriptURL):
3229         (testLoaderRejectsNilScriptURL):
3230         (testLoaderRejectsFailedFetch):
3231         (testImportModuleTwice):
3232         (+[JSContextFileLoaderDelegate newContext]):
3233         (resolvePathToScripts):
3234         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3235         (testLoadBasicFile):
3236         (testObjectiveCAPI):
3237         * API/tests/testapiScripts/basic.js: Copied from Source/JavaScriptCore/API/JSVirtualMachineInternal.h.
3238         * JavaScriptCore.xcodeproj/project.pbxproj:
3239         * Sources.txt:
3240         * SourcesCocoa.txt:
3241         * config.h:
3242         * postprocess-headers.sh:
3243         * runtime/CallData.cpp:
3244         (JSC::call):
3245         * runtime/CallData.h:
3246         * runtime/Completion.cpp:
3247         (JSC::loadAndEvaluateModule):
3248         * runtime/Completion.h:
3249         * runtime/JSCast.h:
3250         (JSC::jsSecureCast):
3251         * runtime/JSGlobalObject.cpp:
3252         (JSC::createProxyProperty):
3253
3254 2019-01-14  Dominik Infuehr  <dinfuehr@igalia.com>
3255
3256         Fix property access on ARM with the baseline JIT
3257         https://bugs.webkit.org/show_bug.cgi?id=193393
3258
3259         Reviewed by Yusuke Suzuki.
3260
3261         Code was still using currentInstruction[4] to access the instruction's metadata.
3262         Updated to use metadata.getPutInfo and metadata.resolveType.
3263
3264         * jit/JITPropertyAccess32_64.cpp:
3265         (JSC::JIT::emit_op_resolve_scope):
3266         (JSC::JIT::emit_op_get_from_scope):
3267         (JSC::JIT::emit_op_put_to_scope):
3268
3269 2019-01-12  Timothy Hatcher  <timothy@apple.com>
3270
3271         Have prefers-color-scheme: light always match on macOS versions before Mojave.
3272         https://bugs.webkit.org/show_bug.cgi?id=191655
3273         rdar://problem/46074680
3274
3275         Reviewed by Megan Gardner.
3276
3277         * Configurations/FeatureDefines.xcconfig: ENABLE_DARK_MODE_CSS_macosx for all OS versions.
3278
3279 2019-01-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3280
3281         Unreviewed, fix scope check assertions
3282         https://bugs.webkit.org/show_bug.cgi?id=193308
3283
3284         * bytecode/CodeBlock.cpp:
3285         (JSC::CodeBlock::notifyLexicalBindingShadowing):
3286         * runtime/JSGlobalObject.cpp:
3287         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
3288         * runtime/ProgramExecutable.cpp:
3289         (JSC::ProgramExecutable::initializeGlobalProperties):
3290
3291 2019-01-11  John Wilander  <wilander@apple.com>
3292
3293         Compile out Web API Statistics Collection
3294         https://bugs.webkit.org/show_bug.cgi?id=193370
3295         <rdar://problem/45388584>
3296
3297         Reviewed by Brent Fulgham.
3298
3299         * Configurations/FeatureDefines.xcconfig:
3300             Defined ENABLE_WEB_API_STATISTICS, off by default.
3301
3302 2019-01-11  Saam barati  <sbarati@apple.com>
3303
3304         DFG combined liveness can be wrong for terminal basic blocks
3305         https://bugs.webkit.org/show_bug.cgi?id=193304
3306         <rdar://problem/45268632>
3307
3308         Reviewed by Yusuke Suzuki.
3309
3310         If a block doesn't have any successors, it can't rely on the typical
3311         backwards liveness propagation that CombinedLiveness was doing. The phase
3312         first got what was live in bytecode and IR at the heads of each block. Then
3313         for each block, it made the live at tail the union of the live at head for
3314         each successor. For a terminal block though, this could be wrong. We could
3315         end up saying nothing is live even though many things may be live in bytecode.
3316         We must account for what's bytecode live at the end of the block. Consider a
3317         block that ends with:
3318         ```
3319         ForceOSRExit
3320         Unreachable
3321         ```
3322         
3323         Things may definitely be live in bytecode at the tail. However, we'll
3324         report nothing as being alive. This probably subtly breaks many analyses,
3325         but we have a test case of it breaking the interference analysis that
3326         the ArgumentsEliminationPhase performs.
3327
3328         * dfg/DFGBasicBlock.h:
3329         (JSC::DFG::BasicBlock::last const):
3330         * dfg/DFGCombinedLiveness.cpp:
3331         (JSC::DFG::addBytecodeLiveness):
3332         (JSC::DFG::liveNodesAtHead):
3333         (JSC::DFG::CombinedLiveness::CombinedLiveness):
3334         * dfg/DFGCombinedLiveness.h:
3335
3336 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3337
3338         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
3339         https://bugs.webkit.org/show_bug.cgi?id=193308
3340         <rdar://problem/45546542>
3341
3342         Reviewed by Saam Barati.
3343
3344         Previously, we assumed that lexical bindings in JSGlobalLexicalEnvironment cannot shadow existing global properties.
3345         However, it is wrong. According to the spec, we can shadow global properties if a property's attribute is configurable = true.
3346         For example, we execute two scripts.
3347
3348         script1.js
3349
3350             bar = 42;
3351             function load() { return bar; }
3352             print(bar); // 42
3353             print(load()); // 42
3354
3355         script2.js
3356
3357             let bar = 0; // This lexical binding can shadow the global.bar defined in script1.js
3358             print(bar); // 0
3359             print(load()); // 0
3360
3361         In JSC, we cache GlobalProperty resolve type and its associated information in op_resolve_type, op_get_from_scope, and op_put_to_scope.
3362         They attempt to load a property from JSGlobalObject directly. However, once the newly added lexical binding starts shadowing this, our existing instructions
3363         become invalid since they do not respect JSGlobalLexicalEnvironment.
3364
3365         In this patch, we fix this issue by introducing the following mechanisms.
3366
3367         1. We have a HashMap<property name, watchpoint set> in JSGlobalObject. DFG and FTL create a watchpoint set with the property name if the generated code
3368         depends on GlobalProperty condition of op_resolve_scope etc. These watchpoints will be fired when the shadowing happens, so that our generated DFG and FTL
3369         code will be invalidated if it depends on the condition which is no longer valid.
3370
3371         2. When we detect shadowing, we iterate all the live CodeBlocks whose globalObject is the target one. And we rewrite instructions in them from GlobalProperty
3372         to GlobalLexicalVar (or Dynamic precisely). So, the subsequent LLInt code just works well. "Dynamic" conversion happens when your op_put_to_scope attempts to
3373         put a value onto a const lexical binding. This fails and it should throw a type error.
3374
3375         3. GlobalProperty scope operations in Baseline JIT start checking ResolveType in metadata, and emit code for GlobalProperty and GlobalLexicalVar. Once the rewrite
3376         happens, baseline JIT continues working because it checks the rewritten metadata's ResolveType.
3377
3378         We use this mechanism (which is similar to haveABadTime() thing) because,
3379
3380         1. Shadowing should be super rare. Before r214145, we made these cases SyntaxErrors. Thus, before r214145, this type of code cannot be executed in WebKit.
3381         And the number of the live CodeBlocks for the given JSGlobalObject should be small. This supports introducing a rather simple (but not so efficient) mechanism
3382         instead of a complicated one.
3383
3384         2. Rewriting instructions immediately forces GlobalProperty => GlobalLexicalVar / Dynamic conversion in all the possible CodeBlocks. This allows us to avoid
3385         a compilation failure loop in DFG and FTL: DFG and FTL code is invalidated by the watchpoint, but we may attempt to compile the code with the invalidated watchpoint
3386         and GlobalProperty status if we do not rewrite it. One possible other implementation is having and checking a counter in the instruction, and every time we introduce
3387         a new shadow binding, bump the counter. An eventually executed instruction will then go to the slow path and rewrite itself. However, this way leaves the not-executed-again-yet
3388         instructions as is, and DFG and FTL repeatedly fail to compile if we just watch the invalidated watchpoint for that. Rewriting all the existing GlobalProperty immediately
3389         avoids this situation easily.
3390
3391         * JavaScriptCore.xcodeproj/project.pbxproj:
3392         * Sources.txt:
3393         * bytecode/CodeBlock.cpp:
3394         (JSC::CodeBlock::notifyLexicalBindingShadowing):
3395         * bytecode/CodeBlock.h:
3396         (JSC::CodeBlock::scriptMode const):
3397         * bytecode/Watchpoint.h:
3398         (JSC::WatchpointSet::create):
3399         * dfg/DFGByteCodeParser.cpp:
3400         (JSC::DFG::ByteCodeParser::parseBlock):
3401         * dfg/DFGDesiredGlobalProperties.cpp: Added.
3402         (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread):
3403         (JSC::DFG::DesiredGlobalProperties::reallyAdd):
3404         * dfg/DFGDesiredGlobalProperties.h: Added.
3405         (JSC::DFG::DesiredGlobalProperties::addLazily):
3406         We need this DesiredGlobalProperties mechanism since we do not want to ref() the UniquedStringImpl in DFG and FTL thread.
3407         We keep JSGlobalObject* and identifierNumber, and materialize WatchpointSets for each JSGlobalObject's property referenced
3408         from DFG and FTL and inject CodeBlock jettison watchpoints in the main thread.
3409         * dfg/DFGDesiredGlobalProperty.h: Added.
3410         (JSC::DFG::DesiredGlobalProperty::DesiredGlobalProperty):
3411         (JSC::DFG::DesiredGlobalProperty::globalObject const):
3412         (JSC::DFG::DesiredGlobalProperty::identifierNumber const):
3413         (JSC::DFG::DesiredGlobalProperty::operator== const):
3414         (JSC::DFG::DesiredGlobalProperty::operator!= const):
3415         (JSC::DFG::DesiredGlobalProperty::isHashTableDeletedValue const):
3416         (JSC::DFG::DesiredGlobalProperty::hash const):
3417         (JSC::DFG::DesiredGlobalProperty::dumpInContext const):
3418         (JSC::DFG::DesiredGlobalProperty::dump const):
3419         (JSC::DFG::DesiredGlobalPropertyHash::hash):
3420         (JSC::DFG::DesiredGlobalPropertyHash::equal):
3421         * dfg/DFGGraph.h:
3422         (JSC::DFG::Graph::globalProperties):
3423         * dfg/DFGPlan.cpp:
3424         (JSC::DFG::Plan::reallyAdd):
3425         (JSC::DFG::Plan::isStillValidOnMainThread):
3426         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3427         (JSC::DFG::Plan::cancel):
3428         * dfg/DFGPlan.h:
3429         (JSC::DFG::Plan::globalProperties):
3430         * jit/JITPropertyAccess.cpp:
3431         (JSC::JIT::emit_op_resolve_scope):
3432         (JSC::JIT::emit_op_get_from_scope):
3433         (JSC::JIT::emit_op_put_to_scope):
3434         * jit/JITPropertyAccess32_64.cpp:
3435         (JSC::JIT::emit_op_resolve_scope):
3436         (JSC::JIT::emit_op_get_from_scope):
3437         (JSC::JIT::emit_op_put_to_scope):
3438         * runtime/JSGlobalObject.cpp:
3439         (JSC::JSGlobalObject::addStaticGlobals):
3440         (JSC::JSGlobalObject::notifyLexicalBindingShadowing):
3441         (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet):
3442         (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet):
3443         * runtime/JSGlobalObject.h:
3444         * runtime/ProgramExecutable.cpp:
3445         (JSC::hasRestrictedGlobalProperty):
3446         (JSC::ProgramExecutable::initializeGlobalProperties):
3447
3448 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
3449
3450         Enable DFG on ARM/Linux again
3451         https://bugs.webkit.org/show_bug.cgi?id=192496
3452
3453         Reviewed by Yusuke Suzuki.
3454
3455         After changing the bytecode format, DFG was disabled on all 32-bit
3456         architectures. Enable DFG now again on ARM/Linux. Do not use register
3457         r11 in compiled DFG mode since it is already used in LLInt as the metadataTable
3458         register. Also clean up code since ARM traditional isn't supported anymore.
3459
3460         * dfg/DFGOSRExit.cpp:
3461         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3462         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3463         * jit/CallFrameShuffler.cpp:
3464         (JSC::CallFrameShuffler::CallFrameShuffler):
3465         * jit/GPRInfo.h:
3466         (JSC::GPRInfo::toIndex):
3467         * llint/LowLevelInterpreter32_64.asm:
3468         * offlineasm/arm.rb:
3469
3470 2019-01-10  Brian Burg  <bburg@apple.com>
3471
3472         Web Inspector: incorrect type signature used for protocol enums in async command results
3473         https://bugs.webkit.org/show_bug.cgi?id=193331
3474
3475         Reviewed by Devin Rousso.
3476
3477         When an enum is returned by an async command, the type signature should be that of the
3478         Inspector::Protocol::* generated enum, rather than the underlying primitive type (i.e., String).
3479
3480         * inspector/scripts/codegen/cpp_generator.py:
3481         (CppGenerator.cpp_type_for_formal_async_parameter):
3482         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3483         Rebaseline generator test results.
3484
3485 2019-01-10  Brian Burg  <bburg@apple.com>
3486
3487         Rebaseline inspector generator test results after recent changes.
3488
3489         Unreviewed test gardening.
3490
3491         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3492         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3493         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error:
3494
3495 2019-01-10  Commit Queue  <commit-queue@webkit.org>
3496
3497         Unreviewed, rolling out r239825.
3498         https://bugs.webkit.org/show_bug.cgi?id=193330
3499
3500         Broke tests on armv7/linux bots (Requested by guijemont on
3501         #webkit).
3502
3503         Reverted changeset:
3504
3505         "Enable DFG on ARM/Linux again"
3506         https://bugs.webkit.org/show_bug.cgi?id=192496
3507         https://trac.webkit.org/changeset/239825
3508
3509 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
3510
3511         Enable DFG on ARM/Linux again
3512         https://bugs.webkit.org/show_bug.cgi?id=192496
3513
3514         Reviewed by Yusuke Suzuki.
3515
3516         After changing the bytecode format, DFG was disabled on all 32-bit
3517         architectures. Enable DFG now again on ARM/Linux. Do not use register
3518         r11 in compiled DFG mode since it is already used in LLInt as the metadataTable
3519         register. Also clean up code since ARM traditional isn't supported anymore.
3520
3521         * dfg/DFGOSRExit.cpp:
3522         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3523         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3524         * jit/CallFrameShuffler.cpp:
3525         (JSC::CallFrameShuffler::CallFrameShuffler):
3526         * jit/GPRInfo.h:
3527         (JSC::GPRInfo::toIndex):
3528         * llint/LowLevelInterpreter32_64.asm:
3529         * offlineasm/arm.rb:
3530
3531 2019-01-09  Mark Lam  <mark.lam@apple.com>
3532
3533         Restore bytecode dumper's ability to dump jump target as offset#(->targetBytecodeIndex#).
3534         https://bugs.webkit.org/show_bug.cgi?id=193300
3535
3536         Reviewed by Saam Barati.
3537
3538         For example, instead of:
3539             [  95] jtrue              loc11, 9
3540         We can now again (as before the bytecode format rewrite) have:
3541             [  95] jtrue              loc11, 9(->104)
3542
3543         * bytecode/BytecodeDumper.cpp:
3544         (JSC::BytecodeDumper<Block>::printLocationAndOp):
3545         * bytecode/BytecodeDumper.h:
3546         (JSC::BytecodeDumper::dumpValue):
3547
3548 2019-01-09  Mark Lam  <mark.lam@apple.com>
3549
3550         Gigacage disabling checks should handle the GIGACAGE_ALLOCATION_CAN_FAIL case properly.
3551         https://bugs.webkit.org/show_bug.cgi?id=193292
3552         <rdar://problem/46485450>
3553
3554         Reviewed by Yusuke Suzuki.
3555
3556         * runtime/VM.h:
3557         (JSC::VM::gigacageAuxiliarySpace):
3558
3559 2019-01-08  Keith Miller  <keith_miller@apple.com>
3560
3561         builtins should be able to use async/await
3562         https://bugs.webkit.org/show_bug.cgi?id=193263
3563
3564         Reviewed by Saam Barati.
3565
3566         This patch makes it possible to use async functions when writing builtin JS code.
3567
3568         * Scripts/wkbuiltins/builtins_generator.py:
3569         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
3570         * Scripts/wkbuiltins/builtins_model.py:
3571         (BuiltinFunction.__init__):
3572         (BuiltinFunction.fromString):
3573         (BuiltinFunction.__str__):
3574         * builtins/BuiltinExecutables.cpp:
3575         (JSC::BuiltinExecutables::createExecutable):
3576         * builtins/ModuleLoader.js:
3577         (requestInstantiate):
3578         (async.loadModule):
3579         (async.loadAndEvaluateModule):
3580         (async.requestImportModule):
3581         (loadModule): Deleted.
3582         (): Deleted.
3583         (loadAndEvaluateModule): Deleted.
3584         * bytecompiler/BytecodeGenerator.cpp:
3585         (JSC::BytecodeGenerator::BytecodeGenerator):
3586         * parser/Parser.cpp:
3587         (JSC::Parser<LexerType>::parseInner):
3588
3589 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3590
3591         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
3592         https://bugs.webkit.org/show_bug.cgi?id=193127
3593
3594         Reviewed by Saam Barati.
3595
3596         `== null` is a frequently used idiom to check `null` or `undefined` in JS.
3597         However, it has a problem in terms of the builtin JS implementation: it
3598         returns true if masquerade-as-undefined objects (e.g. document.all) come.
3599
3600         In this patch, we introduce a convenient builtin intrinsic @isUndefinedOrNull,
3601         which is equivalent to C++ `JSValue::isUndefinedOrNull`. It does not consider
3602         masquerade-as-undefined objects, so that we can use it instead of
3603         `value === null || value === @undefined`. We introduce is_undefined_or_null
3604         bytecode, IsUndefinedOrNull DFG node and its DFG and FTL backends. Since
3605         Null and Undefined have some bit patterns, we can implement this query
3606         very efficiently.
3607
3608         * builtins/ArrayIteratorPrototype.js:
3609         (next):
3610         * builtins/ArrayPrototype.js:
3611         (globalPrivate.arraySpeciesCreate):
3612         * builtins/GlobalOperations.js:
3613         (globalPrivate.speciesConstructor):
3614         (globalPrivate.copyDataProperties):
3615         (globalPrivate.copyDataPropertiesNoExclusions):
3616         * builtins/MapIteratorPrototype.js:
3617         (next):
3618         * builtins/SetIteratorPrototype.js:
3619         (next):
3620         * builtins/StringIteratorPrototype.js:
3621         (next):
3622         * builtins/StringPrototype.js:
3623         (match):
3624         (repeat):
3625         (padStart):
3626         (padEnd):
3627         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
3628         (search):
3629         (split):
3630         (concat):
3631         (globalPrivate.createHTML):
3632         * builtins/TypedArrayPrototype.js:
3633         (globalPrivate.typedArraySpeciesConstructor):
3634         (map):
3635         (filter):
3636         * bytecode/BytecodeIntrinsicRegistry.h:
3637         * bytecode/BytecodeList.rb:
3638         * bytecode/BytecodeUseDef.h:
3639         (JSC::computeUsesForBytecodeOffset):
3640         (JSC::computeDefsForBytecodeOffset):
3641         * bytecompiler/BytecodeGenerator.cpp:
3642         (JSC::BytecodeGenerator::emitIsUndefinedOrNull):
3643         * bytecompiler/BytecodeGenerator.h:
3644         * bytecompiler/NodesCodegen.cpp:
3645         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isUndefinedOrNull):
3646         * dfg/DFGAbstractInterpreterInlines.h:
3647         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3648         * dfg/DFGByteCodeParser.cpp:
3649         (JSC::DFG::ByteCodeParser::parseBlock):
3650         * dfg/DFGCapabilities.cpp:
3651         (JSC::DFG::capabilityLevel):
3652         * dfg/DFGClobberize.h:
3653         (JSC::DFG::clobberize):
3654         * dfg/DFGDoesGC.cpp:
3655         (JSC::DFG::doesGC):
3656         * dfg/DFGFixupPhase.cpp:
3657         (JSC::DFG::FixupPhase::fixupNode):
3658         * dfg/DFGNodeType.h:
3659         * dfg/DFGPredictionPropagationPhase.cpp:
3660         * dfg/DFGSafeToExecute.h:
3661         (JSC::DFG::safeToExecute):
3662         * dfg/DFGSpeculativeJIT32_64.cpp:
3663         (JSC::DFG::SpeculativeJIT::compile):
3664         * dfg/DFGSpeculativeJIT64.cpp:
3665         (JSC::DFG::SpeculativeJIT::compile):
3666         * ftl/FTLCapabilities.cpp:
3667         (JSC::FTL::canCompile):
3668         * ftl/FTLLowerDFGToB3.cpp:
3669         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3670         (JSC::FTL::DFG::LowerDFGToB3::compileIsUndefinedOrNull):
3671         * jit/JIT.cpp:
3672         (JSC::JIT::privateCompileMainPass):
3673         * jit/JIT.h:
3674         * jit/JITOpcodes.cpp:
3675         (JSC::JIT::emit_op_is_undefined_or_null):
3676         * jit/JITOpcodes32_64.cpp:
3677         (JSC::JIT::emit_op_is_undefined_or_null):
3678         * llint/LowLevelInterpreter32_64.asm:
3679         * llint/LowLevelInterpreter64.asm:
3680
3681 2019-01-08  David Kilzer  <ddkilzer@apple.com>
3682
3683         Leak of VectorBufferBase.m_buffer (16-64 bytes) under JSC::CompactVariableEnvironment in com.apple.WebKit.WebContent running layout tests
3684         <https://webkit.org/b/193264>
3685         <rdar://problem/46651026>
3686
3687         Reviewed by Yusuke Suzuki.
3688
3689         * parser/VariableEnvironment.cpp:
3690         (JSC::CompactVariableMap::Handle::~Handle): Call delete on
3691         m_environment instead of fastFree() to make sure the destructors
3692         for the Vector instance variables are run.  This fixes the leaks
3693         because calling fastFree() would only free the
3694         CompactVariableEnvironment object, but not the heap-based
3695         buffers allocated for the Vector instance variables.
3696
3697 2019-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3698
3699         ASSERT when paused in debugger and console evaluation causes exception
3700         https://bugs.webkit.org/show_bug.cgi?id=193246
3701
3702         Reviewed by Mark Lam.
3703
3704         * runtime/VM.cpp:
3705         (JSC::VM::throwException):
3706         Improve assertion to allow for the debugger's evaluate on call frame condition.
3707
3708         * runtime/JSGlobalObject.h:
3709         (JSC::JSGlobalObject::callFrameAtDebuggerEntry const):
3710         (JSC::JSGlobalObject::setCallFrameAtDebuggerEntry):
3711         Debugger call frame only used by assertions.
3712
3713         * debugger/DebuggerCallFrame.cpp:
3714         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3715         * debugger/DebuggerEvalEnabler.h:
3716         (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
3717         (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
3718         When evaluating on a call frame, set a debug GlobalObject state.
3719
3720 2019-01-08  Keith Miller  <keith_miller@apple.com>
3721
3722         Move JSValueMakeSymbol to private header
3723         https://bugs.webkit.org/show_bug.cgi?id=193254
3724
3725         Reviewed by Saam Barati.
3726
3727         When moving other functions in JSValueRef I guess I forgot to move this one.
3728
3729         * API/JSObjectRefPrivate.h:
3730         * API/JSValueRef.h:
3731
3732 2019-01-08  Mark Lam  <mark.lam@apple.com>
3733
3734         Fix some typos in comments.
3735
3736         Not reviewed.
3737
3738         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3739
3740 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
3741
3742         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
3743         https://bugs.webkit.org/show_bug.cgi?id=193221
3744
3745         Reviewed by Mark Lam.
3746
3747         The flags are only 4 bytes, but were loaded with loadp. It used to work,
3748         since the flags were followed by a 4-byte padding, but it broke after the
3749         struct was compacted in r239626.
3750
3751         * llint/LowLevelInterpreter64.asm:
3752
3753 2019-01-07  Devin Rousso  <drousso@apple.com>
3754
3755         Web Inspector: extend XHR breakpoints to work with fetch
3756         https://bugs.webkit.org/show_bug.cgi?id=185843
3757         <rdar://problem/40431027>
3758
3759         Reviewed by Matt Baker.
3760
3761         * inspector/protocol/DOMDebugger.json:
3762         Rename `XHR` to `URL`.
3763
3764         * inspector/protocol/Debugger.json:
3765         Add `Fetch` to `reason` enum for the `Debugger.paused` event.
3766
3767 2019-01-07  Devin Rousso  <drousso@apple.com>
3768
3769         Web Inspector: Network: show secure connection details per-request
3770         https://bugs.webkit.org/show_bug.cgi?id=191539
3771         <rdar://problem/45979891>
3772
3773         Reviewed by Joseph Pecoraro.
3774
3775         * inspector/protocol/Security.json:
3776         Add `Connection` type.
3777
3778         * inspector/protocol/Network.json:
3779         Send `Security.Connection` information when request metrics become available.
3780
3781 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
3782
3783         Baseline version of get_by_id may corrupt metadata
3784         https://bugs.webkit.org/show_bug.cgi?id=193085
3785         <rdar://problem/23453006>
3786
3787         Reviewed by Saam Barati.
3788
3789         The Baseline version of get_by_id unconditionally calls `emitArrayProfilingSiteForBytecodeIndexWithCell`
3790         if the property is `length`. However, since the bytecode rewrite, get_by_id only has an ArrayProfile entry
3791         in the metadata if its mode is `GetByIdMode::ArrayLength`. That might result in one of two bad things:
3792         1) get_by_id's mode is not ArrayLength, and a duplicate, out-of-line ArrayProfile entry will be created by
3793         `CodeBlock::getOrAddArrayProfile`.
3794         2) get_by_id's mode *is* ArrayLength and we generate the array profiling code pointing to the ArrayProfile
3795         that lives in the metadata table. This works fine as long as get_by_id does not change modes. If that happens,
3796         the JIT code will write into the metadata table, overwriting the `GetByIdModeMetadata` for another mode.
3797
3798         Add a check to the Baseline version of get_by_id so that we only do the ArrayProfiling if the get_by_id's
3799         mode is ArrayLength.
3800
3801         * bytecode/BytecodeList.rb:
3802         * bytecode/CodeBlock.cpp:
3803         (JSC::CodeBlock::getArrayProfile):
3804         (JSC::CodeBlock::addArrayProfile): Deleted.
3805         (JSC::CodeBlock::getOrAddArrayProfile): Deleted.
3806         * bytecode/CodeBlock.h:
3807         (JSC::CodeBlock::numberOfArrayProfiles const): Deleted.
3808         (JSC::CodeBlock::arrayProfiles): Deleted.
3809         * bytecode/CodeBlockInlines.h:
3810         (JSC::CodeBlock::forEachArrayProfile):
3811         * jit/JIT.h:
3812         * jit/JITInlines.h:
3813         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell): Deleted.
3814         * jit/JITPropertyAccess.cpp:
3815         (JSC::JIT::emit_op_get_by_id):
3816         * jit/JITPropertyAccess32_64.cpp:
3817         (JSC::JIT::emit_op_get_by_id):
3818         * llint/LLIntSlowPaths.cpp:
3819         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3820
3821 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3822
3823         [JSC] Optimize Object.prototype.toString
3824         https://bugs.webkit.org/show_bug.cgi?id=193031
3825
3826         Reviewed by Saam Barati.
3827
3828         Object.prototype.toString is frequently used for type checking.
3829         It is called many times in wtb-lebab.js. This patch optimizes
3830         Object.prototype.toString by the following two optimizations.
3831
3832         1. We should emit code looking up the cached toString in DFG and FTL.
3833
3834         toString's result is cached in the Structure. We emit fast path code
3835         in DFG and FTL to look up this cache.
3836
3837         2. We should not create objects for primitive values in major cases.
3838
3839         When Object.prototype.toString(primitive) is called, this primitive is converted
3840         to an object by calling ToObject. But if the result is appropriately cached in
3841         the Structure, we should get it in the fast path without creating this object.
3842         When converting primitives to objects, Structures used in these newly created objects
3843         are known (Structure for StringObject etc.). So we can first query the cached string
3844         before actuall
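The cache described in this entry is only safe if the fast path returns exactly what the full algorithm would: the ToObject step for primitives must not be observable, and the `@@toStringTag` lookup walks the prototype chain, so a mutation of `Number.prototype` changes the answer for a plain number (which is why the cache lives on the Structure and must be dropped when it changes). The following is an added example, not code from WebKit or from this patch: a plain-JavaScript reference model of `Object.prototype.toString` per ECMA-262, checked against the builtin, plus a check that a prototype mutation changes the result for a primitive. The names `specToString`, `hasBrand`, `sampleValues` and `tagAfterPrototypeMutation` are chosen here; a Node.js runtime is assumed. Error objects are approximated with `instanceof` and arguments objects are omitted, since neither has a brand-check method.

```javascript
// Added example, not WebKit/JSC code: reference model of Object.prototype.toString.
// It states what any cached fast path must reproduce: undefined/null cases,
// ToObject for primitives, the builtin tag from internal slots, and the
// @@toStringTag [[Get]] that prototype mutation can change.

const builtinToString = Object.prototype.toString;

// Brand check: each builtin method below throws a TypeError unless the receiver
// carries the matching internal slot ([[BooleanData]], [[NumberData]], ...),
// which is exactly the "has [[XxxData]]" test the spec algorithm performs.
function hasBrand(O, check) {
  try { check.call(O); return true; } catch (e) { return false; }
}
const regExpSource = Object.getOwnPropertyDescriptor(RegExp.prototype, "source").get;

// Reference implementation of the spec steps (simplified: Error via instanceof,
// arguments objects not handled).
function specToString(value) {
  if (value === undefined) return "[object Undefined]";
  if (value === null) return "[object Null]";
  const O = Object(value);                      // ToObject: primitives become wrapper objects
  let builtinTag;
  if (Array.isArray(O)) builtinTag = "Array";
  else if (typeof O === "function") builtinTag = "Function";
  else if (O instanceof Error) builtinTag = "Error";
  else if (hasBrand(O, Boolean.prototype.valueOf)) builtinTag = "Boolean";
  else if (hasBrand(O, Number.prototype.valueOf)) builtinTag = "Number";
  else if (hasBrand(O, String.prototype.valueOf)) builtinTag = "String";
  else if (hasBrand(O, Date.prototype.getTime)) builtinTag = "Date";
  else if (hasBrand(O, regExpSource)) builtinTag = "RegExp";
  else builtinTag = "Object";
  const tag = O[Symbol.toStringTag];             // ordinary [[Get]]: walks the prototype chain
  return "[object " + (typeof tag === "string" ? tag : builtinTag) + "]";
}

// Constructed sample inputs covering primitives, wrappers, exotic objects,
// a string @@toStringTag and a non-string @@toStringTag (which must be ignored).
function sampleValues() {
  return [undefined, null, 1, "s", true, Symbol("x"), 10n, [], () => {}, new Error("e"),
          new Date(0), /x/, new Number(2), {}, Object.create(null), new Map(),
          { [Symbol.toStringTag]: "Custom" }, { [Symbol.toStringTag]: 7 }];
}

// True when the reference model agrees with the engine's builtin on every sample.
function referenceMatchesBuiltin() {
  return sampleValues().every(v => specToString(v) === builtinToString.call(v));
}

// Why a Structure-keyed cache must be invalidated: mutating Number.prototype
// changes the tag observed for the primitive 42 by both the builtin and the model.
function tagAfterPrototypeMutation() {
  const before = [builtinToString.call(42), specToString(42)];
  Object.defineProperty(Number.prototype, Symbol.toStringTag,
                        { value: "Tagged", configurable: true });
  const after = [builtinToString.call(42), specToString(42)];
  delete Number.prototype[Symbol.toStringTag];
  const restored = [builtinToString.call(42), specToString(42)];
  return { before, after, restored };
}

// Usage: node this_file.js
console.log("reference matches builtin:", referenceMatchesBuiltin());
console.log(tagAfterPrototypeMutation());
```

The `hasBrand` trick mirrors the internal-slot tests the specification performs, so the model can be run against any engine to confirm that the optimized path has not changed observable behaviour for wrapped primitives or for objects whose prototype chain carries a custom `@@toStringTag`.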