[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-10-01  Saam Barati  <sbarati@apple.com>
2
3         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
4         https://bugs.webkit.org/show_bug.cgi?id=199361
5         <rdar://problem/52454940>
6
7         Reviewed by Yusuke Suzuki.
8
9         In a prior fix to the object allocation sinking phase, I added code where we
10         made sure to insert PutHints over Phis for fields of an object at control flow
11         merge points. However, that code didn't consider that the base of the PutHint
12         may no longer be a valid heap location. This could cause us to emit invalid
13         SSA code by referring to a node which does not dominate the PutHint location.
14         This patch fixes the bug to only emit the PutHints when valid.
15
16         This patch also makes it so that DFGValidate actually validates that the graph
17         is in valid SSA form. E.g., any use of a node N must be dominated by N.
18
19         * dfg/DFGObjectAllocationSinkingPhase.cpp:
20         * dfg/DFGValidate.cpp:
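
The dominance rule the DFGValidate change enforces, as an added example that is not WebKit's code: a small SSA validator run over a constructed diamond CFG. Block and node names are invented for the illustration; "hint" stands in for the PutHint whose base node did not dominate the merge point.

```javascript
// Added example, not WebKit's code: a minimal SSA dominance validator of the
// kind DFGValidate now performs. Names are invented for the illustration.

// cfg: block name -> array of successor block names.
function computeDominators(cfg, entry) {
  const blocks = Object.keys(cfg);
  const preds = Object.fromEntries(blocks.map((b) => [b, []]));
  for (const b of blocks) for (const s of cfg[b]) preds[s].push(b);

  // Iterative data-flow: dom(entry) = {entry}; for every other block,
  // dom(b) = {b} union (intersection of dom(p) over predecessors p).
  // Start every non-entry block at "all blocks" and shrink to a fixpoint.
  const dom = Object.fromEntries(blocks.map((b) => [b, new Set(blocks)]));
  dom[entry] = new Set([entry]);
  let changed = true;
  while (changed) {
    changed = false;
    for (const b of blocks) {
      if (b === entry) continue;
      let next = null;
      for (const p of preds[b]) {
        next = next === null
          ? new Set(dom[p])
          : new Set([...next].filter((x) => dom[p].has(x)));
      }
      if (next === null) next = new Set(); // unreachable block
      next.add(b);
      const same = next.size === dom[b].size && [...next].every((x) => dom[b].has(x));
      if (!same) {
        dom[b] = next;
        changed = true;
      }
    }
  }
  return dom;
}

// nodesByBlock: block name -> ordered array of { id, uses: [node ids] }.
// Phi inputs are modelled as uses in the predecessor (the DFG's Upsilon),
// so the phi node itself carries no uses here.
function validateSSA(cfg, entry, nodesByBlock) {
  const dom = computeDominators(cfg, entry);
  const where = new Map(); // node id -> { block, index }
  for (const [block, nodes] of Object.entries(nodesByBlock))
    nodes.forEach((n, index) => where.set(n.id, { block, index }));

  const violations = [];
  for (const [block, nodes] of Object.entries(nodesByBlock)) {
    nodes.forEach((n, index) => {
      for (const use of n.uses) {
        const def = where.get(use);
        const ok = def !== undefined && (
          def.block === block
            ? def.index < index            // same block: must be defined earlier
            : dom[block].has(def.block));  // other block: its block must dominate
        if (!ok) violations.push(`${n.id} in ${block} uses ${use}, which does not dominate it`);
      }
    });
  }
  return violations;
}

// Constructed graph: a diamond with a Phi at the merge, and a hint whose
// base node ("leftBase") exists only on the left path. That hint is the
// invalid reference the fix stops emitting; GOOD uses the allocation from
// the entry block, which dominates the merge.
const DIAMOND = { entry: ['left', 'right'], left: ['merge'], right: ['merge'], merge: [] };

const BAD = {
  entry: [{ id: 'alloc', uses: [] }],
  left:  [{ id: 'leftBase', uses: ['alloc'] }, { id: 'upsilonL', uses: ['leftBase'] }],
  right: [{ id: 'rightVal', uses: [] }, { id: 'upsilonR', uses: ['rightVal'] }],
  merge: [{ id: 'phi', uses: [] }, { id: 'hint', uses: ['leftBase', 'phi'] }],
};

const GOOD = {
  ...BAD,
  merge: [{ id: 'phi', uses: [] }, { id: 'hint', uses: ['alloc', 'phi'] }],
};
```

Running `validateSSA(DIAMOND, 'entry', BAD)` reports the single bad hint; the same call on `GOOD` reports nothing.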
21
22 2019-10-01  Yusuke Suzuki  <ysuzuki@apple.com>
23
24         [JSC] Place VM* in TLS
25         https://bugs.webkit.org/show_bug.cgi?id=202391
26
27         Reviewed by Mark Lam.
28
29         This patch puts VM* in TLS mainly for debugging purposes. In JSLockHolder, we put VM* and save the old VM* in TLS.
30         And JSLockHolder's destructor restores it. It is possible that we have two VMs A and B. After locking A, we enter
31         B. In this case, when B's lock is released, we should restore TLS to A. We put the old VM* in JSLockHolder::m_previousVMInTLS
32         so that we can restore it in JSLockHolder's destructor.
33
34         This patch also cleans up Lock<JSLock> / std::lock_guard<JSLock> usage in JSRunLoopTimer and JSManagedValue by introducing
35         JSLockHolder with a LockIfVMIsLive tag. Previously, we intentionally used `std::lock_guard<JSLock>` since VM* can be dead
36         at these places. JSLockHolder with LockIfVMIsLive handles this case carefully: it locks JSLock when VM* is live.
37
38         * API/JSManagedValue.mm:
39         (-[JSManagedValue value]):
40         * API/glib/JSCWeakValue.cpp:
41         (jsc_weak_value_get_value):
42         * runtime/InitializeThreading.cpp:
43         (JSC::initializeThreading):
44         * runtime/JSLock.cpp:
45         (JSC::JSLockHolder::JSLockHolder):
46         (JSC::JSLockHolder::~JSLockHolder):
47         (JSC::JSLock::DropAllLocks::DropAllLocks):
48         (JSC::JSLock::DropAllLocks::~DropAllLocks):
49         * runtime/JSLock.h:
50         (JSC::JSLockHolder::vm):
51         * runtime/JSRunLoopTimer.cpp:
52         (JSC::JSRunLoopTimer::timerDidFire):
53         * runtime/VM.cpp:
54         (JSC::VM::initializeTLS):
55         * runtime/VM.h:
56         (JSC::VM::exchange):
57         (JSC::VM::current):
58
59 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
60
61         [YARR] Properly handle surrogates when matching back references
62         https://bugs.webkit.org/show_bug.cgi?id=202041
63
64         Reviewed by Keith Miller.
65
66         This patch is based on a work in progress patch by Paulo Matos <pmatos@igalia.com>.
67
68         When handling back references in Unicode patterns, we can't match un-decoded surrogate characters;
69         instead we need to read and process surrogate pairs.  Changed matchBackreference() to do this,
70         including properly incrementing the back reference pattern and search indexes.
71
72         In support of this change, on X86_64 we needed to free up r10 to be used exclusively for
73         "patternIndex".  It was also used as a temp in tryReadUnicodeCharImpl().  Made a new named
74         temp register, called unicodeTemp, to take the place of regT2(r10) in tryReadUnicodeCharImpl.
75         This new temp is r14 on X86_64 and X5 on ARM64.  To free up r14 on X86_64, changed the
76         old leadingSurrogateTag to be a literal.
77
78         * yarr/YarrJIT.cpp:
79         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
80         (JSC::Yarr::YarrGenerator::matchBackreference):
81         (JSC::Yarr::YarrGenerator::generateEnter):
82         (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates): Deleted.
83
84 2019-10-01  Keith Miller  <keith_miller@apple.com>
85
86         Add support for the Wasm multi-value proposal
87         https://bugs.webkit.org/show_bug.cgi?id=202250
88
89         Reviewed by Saam Barati.
90
91         The wasm multi-value proposal makes two major changes to the
92         spec. The first is that functions may now return more than one
93         value across calls. When calling to/from JS, if there is more than
94         one return type we return/receive a JSArray/Iterable,
95         respectively. In the Wasm calls JS case, if the iterable object
96         does not vend the exact number of objects expected by the
97         signature an error is thrown.
98
99         The second major change in the multi-value proposal allows blocks
100         to have any signature type. This works in a backwards compatible
101         way by exploiting the fact that the old value-type thunk signatures
102         (where the block takes no arguments and returns just the value
103         type i.e. [] -> [type]) were always encoded as a negative
104         number. If a block has a function signature, it is encoded as a
105         positive index into the type section. When a block has a function
106         signature type then the values from the enclosing stack are popped
107         off that stack and added to the new block's stack. In the case of
108         a br/br_if to a Loop block the "argument" values should be on the
109         brancher's stack.
110
111         The biggest change in this patch is stripping down the
112         WasmCallingConventions file into one simpler API that just tells
113         you where each argument should be located. It also now handles
114         adding or subtracting sizeof(CallerFrameAndPC) depending on
115         whether you are caller or callee. Additionally, when computing
116         locations for the callee it returns a B3::ValueRep that has the
117         offsetFromFP rather than offsetFromSP. Since the code has been
118         cleaned up I tried to also reduce code duplication in the various
119         stubs for wasm code. This patch also removes the Air specific
120         calling convention code and moves that logic into the Air IR
121         generator.
122
123         Since blocks can now have arbitrary signatures the control entries
124         now use a const signature* rather than just the return
125         type. Additionally, what used to be the result phi is now the phis
126         for all the results for non-loop blocks and the arguments for a
127         loop block. Due to the control flow restrictions of wasm,
128         conveniently we don't have to worry about generating non-optimal
129         SSA, thus we can just use phis directly rather than using a
130         variable.
131
132         Lastly, to help clean up some code in the IR generators new helper
133         methods were added to create call Patchpoints. These helpers do
134         most of the boiler-plate initialization.
135
136         * JavaScriptCore.xcodeproj/project.pbxproj:
137         * assembler/AbstractMacroAssembler.h:
138         (JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress):
139         * assembler/LinkBuffer.cpp:
140         (JSC::shouldDumpDisassemblyFor):
141         * assembler/LinkBuffer.h:
142         * assembler/MacroAssemblerARM64.h:
143         (JSC::MacroAssemblerARM64::callOperation):
144         * assembler/MacroAssemblerX86_64.h:
145         (JSC::MacroAssemblerX86_64::callOperation):
146         * b3/B3LowerToAir.cpp:
147         * b3/B3PatchpointSpecial.cpp:
148         (JSC::B3::PatchpointSpecial::forEachArg):
149         (JSC::B3::PatchpointSpecial::isValid):
150         (JSC::B3::PatchpointSpecial::admitsStack):
151         (JSC::B3::PatchpointSpecial::generate):
152         * b3/B3Procedure.h:
153         (JSC::B3::Procedure::resultCount const):
154         (JSC::B3::Procedure::typeAtOffset const):
155         (JSC::B3::Procedure::returnCount const): Deleted.
156         * b3/B3StackmapGenerationParams.cpp:
157         (JSC::B3::StackmapGenerationParams::code const):
158         * b3/B3StackmapGenerationParams.h:
159         * b3/B3ValueRep.h:
160         * b3/air/AirHelpers.h: Added.
161         (JSC::B3::Air::moveForType):
162         (JSC::B3::Air::relaxedMoveForType):
163         * jit/AssemblyHelpers.h:
164         (JSC::AssemblyHelpers::store64FromReg):
165         (JSC::AssemblyHelpers::store32FromReg):
166         (JSC::AssemblyHelpers::load64ToReg):
167         (JSC::AssemblyHelpers::load32ToReg):
168         * runtime/JSCConfig.h:
169         * runtime/OptionsList.h:
170         * tools/JSDollarVM.cpp:
171         * tools/VMInspector.cpp:
172         (JSC::VMInspector::dumpValue):
173         * wasm/WasmAirIRGenerator.cpp:
174         (JSC::Wasm::ConstrainedTmp::operator bool const):
175         (JSC::Wasm::TypedTmp::dump const):
176         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
177         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
178         (JSC::Wasm::AirIRGenerator::ControlData::blockType const):
179         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
180         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
181         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
182         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
183         (JSC::Wasm::AirIRGenerator::emitCallPatchpoint):
184         (JSC::Wasm::AirIRGenerator::validateInst):
185         (JSC::Wasm::AirIRGenerator::tmpsForSignature):
186         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
187         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
188         (JSC::Wasm::AirIRGenerator::toB3ResultType):
189         (JSC::Wasm::AirIRGenerator::addBottom):
190         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
191         (JSC::Wasm::AirIRGenerator::addTopLevel):
192         (JSC::Wasm::AirIRGenerator::addLoop):
193         (JSC::Wasm::AirIRGenerator::addBlock):
194         (JSC::Wasm::AirIRGenerator::addIf):
195         (JSC::Wasm::AirIRGenerator::addElse):
196         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
197         (JSC::Wasm::AirIRGenerator::addReturn):
198         (JSC::Wasm::AirIRGenerator::addBranch):
199         (JSC::Wasm::AirIRGenerator::addSwitch):
200         (JSC::Wasm::AirIRGenerator::endBlock):
201         (JSC::Wasm::AirIRGenerator::addCall):
202         (JSC::Wasm::AirIRGenerator::addCallIndirect):
203         (JSC::Wasm::dumpExpressionStack):
204         (JSC::Wasm::AirIRGenerator::dump):
205         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
206         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
207         (JSC::Wasm::AirIRGenerator::ControlData::type const): Deleted.
208         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const): Deleted.
209         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const): Deleted.
210         * wasm/WasmB3IRGenerator.cpp:
211         (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
212         (JSC::Wasm::B3IRGenerator::ControlData::dump const):
213         (JSC::Wasm::B3IRGenerator::ControlData::blockType const):
214         (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const):
215         (JSC::Wasm::B3IRGenerator::ControlData::targetBlockForBranch):
216         (JSC::Wasm::B3IRGenerator::ControlData::convertIfToBlock):
217         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
218         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
219         (JSC::Wasm::B3IRGenerator::framePointer):
220         (JSC::Wasm::B3IRGenerator::toB3ResultType):
221         (JSC::Wasm::B3IRGenerator::addArguments):
222         (JSC::Wasm::B3IRGenerator::addGrowMemory):
223         (JSC::Wasm::B3IRGenerator::addLoop):
224         (JSC::Wasm::B3IRGenerator::addTopLevel):
225         (JSC::Wasm::B3IRGenerator::addBlock):
226         (JSC::Wasm::B3IRGenerator::addIf):
227         (JSC::Wasm::B3IRGenerator::addElse):
228         (JSC::Wasm::B3IRGenerator::addElseToUnreachable):
229         (JSC::Wasm::B3IRGenerator::addReturn):
230         (JSC::Wasm::B3IRGenerator::addBranch):
231         (JSC::Wasm::B3IRGenerator::addSwitch):
232         (JSC::Wasm::B3IRGenerator::endBlock):
233         (JSC::Wasm::B3IRGenerator::createCallPatchpoint):
234         (JSC::Wasm::B3IRGenerator::addCall):
235         (JSC::Wasm::B3IRGenerator::addCallIndirect):
236         (JSC::Wasm::B3IRGenerator::ControlData::type const): Deleted.
237         (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidSignature const): Deleted.
238         (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch const): Deleted.
239         (JSC::Wasm::B3IRGenerator::createStack): Deleted.
240         * wasm/WasmBBQPlan.cpp:
241         (JSC::Wasm::BBQPlan::didReceiveFunctionData):
242         (JSC::Wasm::BBQPlan::parseAndValidateModule):
243         (JSC::Wasm::BBQPlan::complete):
244         * wasm/WasmBBQPlan.h:
245         * wasm/WasmBinding.cpp:
246         (JSC::Wasm::wasmToWasm):
247         * wasm/WasmCallingConvention.cpp:
248         (JSC::Wasm::jsCallingConvention):
249         (JSC::Wasm::wasmCallingConvention):
250         (JSC::Wasm::jscCallingConvention): Deleted.
251         (JSC::Wasm::jscCallingConventionAir): Deleted.
252         (JSC::Wasm::wasmCallingConventionAir): Deleted.
253         * wasm/WasmCallingConvention.h:
254         (JSC::Wasm::CallInformation::CallInformation):
255         (JSC::Wasm::CallInformation::computeResultsOffsetList):
256         (JSC::Wasm::WasmCallingConvention::WasmCallingConvention):
257         (JSC::Wasm::WasmCallingConvention::marshallLocationImpl const):
258         (JSC::Wasm::WasmCallingConvention::marshallLocation const):
259         (JSC::Wasm::WasmCallingConvention::callInformationFor const):
260         (JSC::Wasm::JSCallingConvention::JSCallingConvention):
261         (JSC::Wasm::JSCallingConvention::marshallLocationImpl const):
262         (JSC::Wasm::JSCallingConvention::marshallLocation const):
263         (JSC::Wasm::JSCallingConvention::callInformationFor const):
264         (JSC::Wasm::CallingConvention::CallingConvention): Deleted.
265         (JSC::Wasm::CallingConvention::marshallArgumentImpl const): Deleted.
266         (JSC::Wasm::CallingConvention::marshallArgument const): Deleted.
267         (JSC::Wasm::CallingConvention::headerSizeInBytes): Deleted.
268         (JSC::Wasm::CallingConvention::setupFrameInPrologue const): Deleted.
269         (JSC::Wasm::CallingConvention::loadArguments const): Deleted.
270         (JSC::Wasm::CallingConvention::setupCall const): Deleted.
271         (JSC::Wasm::CallingConventionAir::CallingConventionAir): Deleted.
272         (JSC::Wasm::CallingConventionAir::prologueScratch const): Deleted.
273         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const): Deleted.
274         (JSC::Wasm::CallingConventionAir::marshallArgument const): Deleted.
275         (JSC::Wasm::CallingConventionAir::headerSizeInBytes): Deleted.
276         (JSC::Wasm::CallingConventionAir::loadArguments const): Deleted.
277         (JSC::Wasm::CallingConventionAir::setupCall const): Deleted.
278         (JSC::Wasm::nextJSCOffset): Deleted.
279         * wasm/WasmFormat.h:
280         * wasm/WasmFunctionParser.h:
281         (JSC::Wasm::splitStack):
282         (JSC::Wasm::FunctionParser::signature const):
283         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
284         (JSC::Wasm::FunctionParser<Context>::parseBody):
285         (JSC::Wasm::FunctionParser<Context>::parseExpression):
286         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
287         * wasm/WasmInstance.h:
288         * wasm/WasmMemoryInformation.cpp:
289         (JSC::Wasm::getPinnedRegisters):
290         * wasm/WasmOMGForOSREntryPlan.cpp:
291         (JSC::Wasm::OMGForOSREntryPlan::work):
292         * wasm/WasmOMGPlan.cpp:
293         (JSC::Wasm::OMGPlan::work):
294         * wasm/WasmParser.h:
295         (JSC::Wasm::FailureHelper::makeString):
296         (JSC::Wasm::Parser<SuccessType>::Parser):
297         (JSC::Wasm::Parser<SuccessType>::peekInt7):
298         (JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
299         (JSC::Wasm::Parser<SuccessType>::parseValueType):
300         (JSC::Wasm::Parser<SuccessType>::parseResultType): Deleted.
301         * wasm/WasmSectionParser.cpp:
302         (JSC::Wasm::SectionParser::parseType):
303         (JSC::Wasm::SectionParser::parseStart):
304         * wasm/WasmSectionParser.h:
305         * wasm/WasmSignature.cpp:
306         (JSC::Wasm::Signature::toString const):
307         (JSC::Wasm::Signature::dump const):
308         (JSC::Wasm::computeHash):
309         (JSC::Wasm::Signature::hash const):
310         (JSC::Wasm::Signature::tryCreate):
311         (JSC::Wasm::SignatureInformation::SignatureInformation):
312         (JSC::Wasm::ParameterTypes::hash):
313         (JSC::Wasm::ParameterTypes::equal):
314         (JSC::Wasm::ParameterTypes::translate):
315         (JSC::Wasm::SignatureInformation::signatureFor):
316         (JSC::Wasm::SignatureInformation::adopt): Deleted.
317         * wasm/WasmSignature.h:
318         (JSC::Wasm::Signature::Signature):
319         (JSC::Wasm::Signature::allocatedSize):
320         (JSC::Wasm::Signature::returnCount const):
321         (JSC::Wasm::Signature::returnType const):
322         (JSC::Wasm::Signature::returnsVoid const):
323         (JSC::Wasm::Signature::argument const):
324         (JSC::Wasm::Signature::operator== const):
325         (JSC::Wasm::Signature::getReturnType):
326         (JSC::Wasm::Signature::getArgument):
327         (JSC::Wasm::SignatureHash::SignatureHash):
328         (JSC::Wasm::SignatureHash::equal):
329         (JSC::Wasm::SignatureInformation::thunkFor const):
330         (JSC::Wasm::Signature::returnType): Deleted.
331         (JSC::Wasm::Signature::argument): Deleted.
332         * wasm/WasmStreamingParser.cpp:
333         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
334         (JSC::Wasm::StreamingParser::parseFunctionPayload):
335         (JSC::Wasm::StreamingParser::parseSectionPayload):
336         * wasm/WasmStreamingParser.h:
337         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
338         (JSC::Wasm::StreamingParser::reportError):
339         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): Deleted.
340         * wasm/WasmThunks.cpp:
341         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
342         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
343         (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
344         * wasm/WasmValidate.cpp:
345         (JSC::Wasm::Validate::ControlData::ControlData):
346         (JSC::Wasm::Validate::ControlData::dump const):
347         (JSC::Wasm::Validate::ControlData::blockType const):
348         (JSC::Wasm::Validate::ControlData::signature const):
349         (JSC::Wasm::Validate::ControlData::branchTargetArity const):
350         (JSC::Wasm::Validate::ControlData::branchTargetType const):
351         (JSC::Wasm::Validate::fail const):
352         (JSC::Wasm::Validate::addTableGet):
353         (JSC::Wasm::Validate::addTableGrow):
354         (JSC::Wasm::Validate::addTableFill):
355         (JSC::Wasm::Validate::addRefIsNull):
356         (JSC::Wasm::Validate::addTopLevel):
357         (JSC::Wasm::splitStack):
358         (JSC::Wasm::Validate::addBlock):
359         (JSC::Wasm::Validate::addLoop):
360         (JSC::Wasm::Validate::addIf):
361         (JSC::Wasm::Validate::addElseToUnreachable):
362         (JSC::Wasm::Validate::addReturn):
363         (JSC::Wasm::Validate::checkBranchTarget):
364         (JSC::Wasm::Validate::addSwitch):
365         (JSC::Wasm::Validate::addGrowMemory):
366         (JSC::Wasm::Validate::addEndToUnreachable):
367         (JSC::Wasm::Validate::addCall):
368         (JSC::Wasm::Validate::addCallIndirect):
369         (JSC::Wasm::Validate::unify):
370         (JSC::Wasm::Validate::ControlData::hasNonVoidSignature const): Deleted.
371         (JSC::Wasm::Validate::ControlData::type const): Deleted.
372         (JSC::Wasm::Validate::ControlData::branchTargetSignature const): Deleted.
373         * wasm/generateWasmOpsHeader.py:
374         * wasm/js/JSToWasm.cpp:
375         (JSC::Wasm::boxWasmResult):
376         (JSC::Wasm::allocateResultsArray):
377         (JSC::Wasm::marshallJSResult):
378         (JSC::Wasm::createJSToWasmWrapper):
379         * wasm/js/JSToWasm.h:
380         * wasm/js/JSWebAssemblyCodeBlock.cpp:
381         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
382         * wasm/js/WasmToJS.cpp:
383         (JSC::Wasm::handleBadI64Use):
384         (JSC::Wasm::wasmToJS):
385         * wasm/js/WasmToJS.h:
386         * wasm/js/WebAssemblyFunction.cpp:
387         (JSC::callWebAssemblyFunction):
388         (JSC::WebAssemblyFunction::useTagRegisters const):
389         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
390         * wasm/js/WebAssemblyModuleRecord.cpp:
391         (JSC::WebAssemblyModuleRecord::link):
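
The blocktype encoding this entry describes, as an added example that is not WebKit's code: a signed-LEB128 blocktype decoder that resolves either form to a full `[params] -> [results]` signature, the stack split on entering a block with a function signature, and the arity check on results handed back from JS. The type section and operand stacks below are constructed for the example.

```javascript
// Added example, not WebKit's code: decoding a wasm blocktype as the
// multi-value proposal encodes it, then resolving it to a full signature.
// Value types are the negative numbers -1..-4 (bytes 0x7f..0x7c as signed
// LEB128), the empty type is -64 (0x40), and any non-negative value is an
// index into the type section. TYPE_SECTION is constructed for the example.

const EMPTY_BLOCK_TYPE = -64;                                 // 0x40
const VALUE_TYPES = { '-1': 'i32', '-2': 'i64', '-3': 'f32', '-4': 'f64' };

const TYPE_SECTION = [
  { params: ['i32', 'i32'], results: ['i32', 'i64'] },        // type 0: multi-value
  { params: [], results: ['f32'] },                           // type 1
];

// Signed LEB128. Uses multiplication rather than << so that values past
// 31 bits (s33 block types) do not wrap.
function readSLEB128(bytes, offset) {
  let value = 0, shift = 0, pos = offset, byte;
  do {
    if (pos >= bytes.length) throw new Error('truncated LEB128');
    byte = bytes[pos++];
    value += (byte & 0x7f) * 2 ** shift;
    shift += 7;
  } while (byte & 0x80);
  if (byte & 0x40) value -= 2 ** shift;                       // sign-extend
  return { value, next: pos };
}

// Blocktype -> { params, results, next }. Every block ends up with a full
// signature, which is what the validator and IR generators consume.
function decodeBlockType(bytes, offset, typeSection) {
  const { value, next } = readSLEB128(bytes, offset);
  if (value === EMPTY_BLOCK_TYPE) return { params: [], results: [], next };
  if (value < 0) {
    const type = VALUE_TYPES[String(value)];
    if (!type) throw new Error(`invalid block value type ${value}`);
    return { params: [], results: [type], next };
  }
  if (value >= typeSection.length) throw new Error(`type index ${value} out of range`);
  const sig = typeSection[value];
  return { params: [...sig.params], results: [...sig.results], next };
}

// Entering a block with a function signature: the top |params| operands
// move from the enclosing stack to the new block's stack (the splitStack
// step), after a type check.
function enterBlock(enclosingStack, sig) {
  const n = sig.params.length;
  if (enclosingStack.length < n)
    throw new Error(`block needs ${n} operands, stack has ${enclosingStack.length}`);
  const blockStack = enclosingStack.splice(enclosingStack.length - n, n);
  blockStack.forEach((t, i) => {
    if (t !== sig.params[i]) throw new Error(`operand ${i}: expected ${sig.params[i]}, got ${t}`);
  });
  return { enclosingStack, blockStack };
}

// JS -> wasm return marshalling for a multi-value signature: the JS side
// must hand back an iterable yielding exactly one value per result type.
function marshallJSResults(iterable, sig) {
  const values = [...iterable];                               // throws if not iterable
  if (values.length !== sig.results.length)
    throw new TypeError(`expected ${sig.results.length} results, got ${values.length}`);
  return values;
}
```

One consequence of the signed encoding worth remembering when hand-assembling modules: a single byte 0x40 is the empty blocktype, so type index 64 must be written as the two-byte sequence 0xc0 0x00.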
392
393 2019-09-30  Alex Christensen  <achristensen@webkit.org>
394
395         Resurrect Mac CMake build
396         https://bugs.webkit.org/show_bug.cgi?id=202384
397
398         Rubber-stamped by Tim Horton.
399
400         * PlatformMac.cmake:
401
402 2019-09-30  Alex Christensen  <achristensen@webkit.org>
403
404         Rename JSTokenType::EXPORT to EXPORT_ to avoid naming conflict with internal header
405         https://bugs.webkit.org/show_bug.cgi?id=202385
406
407         * parser/Keywords.table:
408         * parser/Parser.cpp:
409         (JSC::Parser<LexerType>::parseModuleSourceElements):
410         (JSC::Parser<LexerType>::parseExportDeclaration):
411         * parser/ParserTokens.h:
412
413 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
414
415         Make assertion in JSObject::putOwnDataProperty more precise
416         https://bugs.webkit.org/show_bug.cgi?id=202379
417         <rdar://problem/49515980>
418
419         Reviewed by Yusuke Suzuki.
420
421         Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
422         too conservative. All we need to prove is that the property being inserted either does not exist
423         in the target object or is neither an accessor nor read-only.
424
425         * runtime/JSObject.h:
426         (JSC::JSObject::putOwnDataProperty): Deleted.
427         (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
428         * runtime/JSObjectInlines.h:
429         (JSC::JSObject::validatePutOwnDataProperty):
430         (JSC::JSObject::putOwnDataProperty):
431         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
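
The new precondition, as an added example that is not WebKit's code: the old per-object condition and the new per-property one, both expressed with Object.getOwnPropertyDescriptor. JSC checks these against the Structure; the model here checks the object directly, and the sample object is constructed for the example.

```javascript
// Added example, not WebKit's code: the precondition behind the tightened
// assertion, modelled per object with the reflective API.

// Old, conservative condition: no accessor anywhere on the object.
function hasNoAccessorsAtAll(object) {
  return Reflect.ownKeys(object).every((k) => {
    const d = Object.getOwnPropertyDescriptor(object, k);
    return !('get' in d || 'set' in d);
  });
}

// New condition: the key is absent, or present as a writable data property.
function canPutOwnDataProperty(object, key) {
  const d = Object.getOwnPropertyDescriptor(object, key);
  if (d === undefined) return true;             // fresh insertion
  if ('get' in d || 'set' in d) return false;   // accessor: must not be overwritten
  return d.writable === true;                   // read-only data property: likewise
}

// Constructed sample: one plain property, one read-only, one accessor.
function demo() {
  const o = { plain: 1 };
  Object.defineProperty(o, 'readOnly', { value: 2, writable: false, configurable: true });
  Object.defineProperty(o, 'accessor', { get() { return 3; }, configurable: true });
  return {
    oldRejectsPlain: !hasNoAccessorsAtAll(o),        // true: the old check refuses even 'plain'
    absent:   canPutOwnDataProperty(o, 'missing'),   // true
    plain:    canPutOwnDataProperty(o, 'plain'),     // true
    readOnly: canPutOwnDataProperty(o, 'readOnly'),  // false
    accessor: canPutOwnDataProperty(o, 'accessor'),  // false
  };
}
```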
432
433 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
434
435         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
436         https://bugs.webkit.org/show_bug.cgi?id=202389
437         <rdar://problem/50717564>
438
439         Reviewed by Mark Lam.
440
441         While we are protecting HeapSnapshotBuilder::m_edges with a lock, we are not protecting m_rootData, which is also concurrently modified.
442         This patch protects it.
443
444         * heap/HeapSnapshotBuilder.cpp:
445         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
446
447 2019-09-30  Saam Barati  <sbarati@apple.com>
448
449         Inline caching is wrong for custom accessors and custom values
450         https://bugs.webkit.org/show_bug.cgi?id=201994
451         <rdar://problem/50850326>
452
453         Reviewed by Yusuke Suzuki.
454
455         There was an oversight in our inline caching code for custom accessors and
456         custom values. We used to assume that if an object O had a custom function for
457         property P, then O would forever respond to the same custom function for
458         property P.
459         
460         This assumption was very wrong. These custom accessors/values might be
461         properties in JS which are configurable, so they can be rewritten to be
462         other properties. Our inline caching code would be wrong in the scenarios
463         where these property descriptors got redefined.
464         
465         This patch makes it so that we now properly watchpoint for custom functions
466         being changed. If the custom accessor has been materialized, we place an
467         Equivalence watchpoint on the custom accessor. This patch also teaches
468         StructureStubInfo how to watchpoint on property value equivalence. Before,
469         we just watchpointed on structure transitions.
470         
471         This patch also adds a new property condition kind for when the custom function
472         exists inside the static property table. This case is really easy to test for
473         because we just need to see if the structure still has static properties and
474         the static property table has the entry for a particular property. This
475         property condition kind just needs to watch for structure transitions because
476         an entry in the static property table can't be mutated.
477         
478         This patch is neutral on the microbenchmarks I've added.
479
480         * bytecode/AccessCase.cpp:
481         (JSC::AccessCase::AccessCase):
482         (JSC::AccessCase::couldStillSucceed const):
483         (JSC::AccessCase::generateImpl):
484         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
485         * bytecode/ObjectPropertyCondition.cpp:
486         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const):
487         * bytecode/ObjectPropertyCondition.h:
488         (JSC::ObjectPropertyCondition::customFunctionEquivalence):
489         * bytecode/ObjectPropertyConditionSet.cpp:
490         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
491         (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
492         (JSC::generateConditionsForPrototypePropertyHitCustom):
493         * bytecode/ObjectPropertyConditionSet.h:
494         * bytecode/PolyProtoAccessChain.cpp:
495         (JSC::PolyProtoAccessChain::create):
496         * bytecode/PolymorphicAccess.cpp:
497         (JSC::AccessGenerationState::installWatchpoint):
498         (JSC::PolymorphicAccess::commit):
499         (JSC::AccessGenerationState::addWatchpoint): Deleted.
500         * bytecode/PolymorphicAccess.h:
501         * bytecode/PropertyCondition.cpp:
502         (JSC::PropertyCondition::dumpInContext const):
503         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
504         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
505         (JSC::PropertyCondition::isStillValid const):
506         (JSC::PropertyCondition::isWatchableWhenValid const):
507         (WTF::printInternal):
508         * bytecode/PropertyCondition.h:
509         (JSC::PropertyCondition::customFunctionEquivalence):
510         (JSC::PropertyCondition::hash const):
511         (JSC::PropertyCondition::operator== const):
512         * bytecode/StructureStubClearingWatchpoint.cpp:
513         (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal):
514         (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
515         (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndInstallWatchpoint):
516         (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
517         (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire):
518         (JSC::StructureStubClearingWatchpoint::fireInternal): Deleted.
519         * bytecode/StructureStubClearingWatchpoint.h:
520         * bytecode/Watchpoint.h:
521         * jit/Repatch.cpp:
522         (JSC::tryCacheGetByID):
523         (JSC::tryCachePutByID):
524         * runtime/ClassInfo.h:
525         * runtime/JSObject.cpp:
526         (JSC::JSObject::findPropertyHashEntry const):
527         * runtime/JSObject.h:
528         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
529         * runtime/Structure.cpp:
530         (JSC::Structure::findPropertyHashEntry const):
531         * runtime/Structure.h:
532         * tools/JSDollarVM.cpp:
533         (JSC::testStaticAccessorGetter):
534         (JSC::testStaticAccessorPutter):
535         (JSC::StaticCustomAccessor::StaticCustomAccessor):
536         (JSC::StaticCustomAccessor::createStructure):
537         (JSC::StaticCustomAccessor::create):
538         (JSC::StaticCustomAccessor::getOwnPropertySlot):
539         (JSC::functionCreateStaticCustomAccessor):
540         (JSC::JSDollarVM::finishCreation):
541
542 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
545         https://bugs.webkit.org/show_bug.cgi?id=202382
546         <rdar://problem/52669112>
547
548         Reviewed by Saam Barati.
549
550         If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments,
551         we fold it to constant False. But this is wrong since `false == 0` is true in JS.
552         This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types
553         if one of them is seen.
554
555         * bytecode/SpeculatedType.cpp:
556         (JSC::leastUpperBoundOfEquivalentSpeculations):
557         (JSC::valuesCouldBeEqual):
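
The folding rule this fix corrects, as an added example that is not WebKit's code: a simplified model of the speculation bits and of valuesCouldBeEqual, with the pre-fix raw intersection beside the widened version. The bit layout and the single `Other` bucket for null and undefined are assumptions of the model, not SpeculatedType's actual layout.

```javascript
// Added example, not WebKit's code: a small model of the speculation
// lattice behind the CompareEq folding. The type names follow the ChangeLog;
// the bit layout is invented for the model.

const Spec = {
  Number:  1 << 0,
  BigInt:  1 << 1,
  Boolean: 1 << 2,
  String:  1 << 3,
  Object:  1 << 4,
  Other:   1 << 5,   // null and undefined
};

// Number, BigInt and Boolean are all comparable with "==" (false == 0,
// 1n == 1, true == 1n), so if a side may be any of them it may "==" all of
// them. Widen before intersecting.
function leastUpperBoundOfEquivalentSpeculations(type) {
  const group = Spec.Number | Spec.BigInt | Spec.Boolean;
  return (type & group) ? (type | group) : type;
}

function valuesCouldBeEqualImpl(a, b, widen) {
  if (widen) {
    a = leastUpperBoundOfEquivalentSpeculations(a);
    b = leastUpperBoundOfEquivalentSpeculations(b);
  }
  // Anything can "==" a string ("1" == 1, "" == false, "" == []).
  if ((a | b) & Spec.String) return true;
  // Objects go through valueOf/toString, which may yield anything. This is
  // conservative: it also covers {} == null, which is in fact always false.
  if ((a | b) & Spec.Object) return true;
  return (a & b) !== 0;
}

// Pre-fix behaviour: raw intersection. Boolean and Number are disjoint
// bits, so it answers "never equal" and the AI folds CompareEq to false.
const valuesCouldBeEqualBuggy = (a, b) => valuesCouldBeEqualImpl(a, b, false);
const valuesCouldBeEqual = (a, b) => valuesCouldBeEqualImpl(a, b, true);

// What the abstract interpreter does with CompareEq once both operands have
// proven types: fold to the constant false only if they can never be "==".
function foldCompareEq(provenA, provenB, couldBeEqual = valuesCouldBeEqual) {
  return couldBeEqual(provenA, provenB) ? 'unknown' : 'false';
}

// Runtime ground truth for the cases the old fold got wrong.
function runtimeWitnesses() {
  return { boolNumber: false == 0, boolBigInt: true == 1n, numberBigInt: 1 == 1n };
}
```

With proven Boolean on one side and proven Number on the other, the buggy fold returns the constant false while the real comparison `false == 0` is true; the widened lattice leaves the comparison alone, and still folds cases such as Boolean against null/undefined, which can never be loosely equal.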
558
559 2019-09-28  Adrian Perez de Castro  <aperez@igalia.com>
560
561         [GTK][WPE] Fix non-unified build issue caused by r250440
562         https://bugs.webkit.org/show_bug.cgi?id=202349
563
564         Reviewed by Mark Lam.
565
566         * dfg/DFGOSRExit.cpp: Add missing inclusion of the BytecodeUseDef.h header.
567
568 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
569
570         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
571         https://bugs.webkit.org/show_bug.cgi?id=202330
572
573         Reviewed by Saam Barati.
574
575         In toLocaleLowerCase and toLocaleUpperCase, we get `const String&` from JSString* and use it.
576         But if this string is a newly created one in toLocaleLowerCase and toLocaleUpperCase (e.g., passing a number, so that number.toString() is called
577         in C++), after getting `const String&`, our C++ code potentially does not have any reference to the owner of this `const String&`. So, this
578         JSString* can be collected by GC while the `const String&` is still in use. This destroys the `const String&` and causes a crash.
579
580         In this patch, we receive it as `String` instead of `const String&` to ref it. This ensures that this string is live even if the owner is collected.
581         I grepped the source code and made this change conservatively in the places that look dangerous. I also added more error checks after calling `value(exec)`.
582
583         In this patch, I didn't make the broader change of having `JSString::value(ExecState*)` return `String` instead of `const String&`. Some places are
584         really performance sensitive, and we want to keep the current behavior where we can ensure the owners are alive. We could figure out those points and
585         change the default behavior of the `JSString::value` function to return `String`, but for now I leave that as future work.
586
587         * dfg/DFGOperations.cpp:
588         * jsc.cpp:
589         (GlobalObject::moduleLoaderImportModule):
590         * runtime/DateConstructor.cpp:
591         (JSC::constructDate):
592         * runtime/JSCJSValueInlines.h:
593         (JSC::JSValue::equalSlowCaseInline):
594         * runtime/RegExpMatchesArray.h:
595         (JSC::createRegExpMatchesArray):
596         * runtime/StringPrototype.cpp:
597         (JSC::toLocaleCase):
598         (JSC::stringProtoFuncToLocaleLowerCase):
599         (JSC::stringProtoFuncToLocaleUpperCase):
600         * tools/JSDollarVM.cpp:
601         (JSC::functionCreateBuiltin):
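
        As an added illustration of the lifetime hazard this entry describes (this is not JSC code; `ToyJSString`, `ToyHeap`, the `String` alias and the function names are constructed stand-ins for JSC::JSString, the GC heap and WTF::String): a borrowed `const String&` dies together with its owning cell, while a `String` copy refs the buffer and outlives collection. The borrowed reference is never touched after collection; a `std::weak_ptr` taken beforehand reports whether the buffer survived.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for WTF::String: copying a `String` bumps the refcount
// of the underlying buffer, a `const String&` borrows the owner's reference.
using String = std::shared_ptr<const std::string>;

// Constructed stand-in for JSC::JSString with the pre-patch accessor shape:
// the returned reference is only valid while the owning cell is alive.
struct ToyJSString {
    String m_value;
    const String& value() const { return m_value; }
};

// Toy heap with no root tracking: collect() frees every cell, which is the
// worst case for a caller that holds no reference of its own.
struct ToyHeap {
    std::vector<std::unique_ptr<ToyJSString>> cells;

    ToyJSString* allocate(std::string text)
    {
        cells.push_back(std::make_unique<ToyJSString>(
            ToyJSString { std::make_shared<const std::string>(std::move(text)) }));
        return cells.back().get();
    }

    void collect() { cells.clear(); }
};

// The pattern the patch removes: borrow `const String&`, then let the owner
// be collected. The buffer dies with the cell; `borrowed` now dangles.
bool valueSurvivesCollectionWhenBorrowed()
{
    ToyHeap heap;
    ToyJSString* cell = heap.allocate("42");
    const String& borrowed = cell->value();
    std::weak_ptr<const std::string> watcher = borrowed; // taken before collection
    heap.collect();                                      // `borrowed` is never used again
    return !watcher.expired();                           // false: buffer freed
}

// The pattern the patch adopts: copy into a `String`, which refs the buffer,
// so the string stays live and usable after the owner is collected.
bool valueSurvivesCollectionWhenCopied()
{
    ToyHeap heap;
    ToyJSString* cell = heap.allocate("42");
    String held = cell->value(); // ref()
    std::weak_ptr<const std::string> watcher = held;
    heap.collect();
    return !watcher.expired() && *held == "42"; // true: still alive and correct
}

int main()
{
    std::printf("borrowed reference survives collection: %d\n", valueSurvivesCollectionWhenBorrowed());
    std::printf("copied String survives collection:      %d\n", valueSurvivesCollectionWhenCopied());
    return 0;
}
```

        The same reasoning applies to any borrowed `const T&` whose owner can be freed by a collector or a cache eviction between the borrow and the last use: if the caller cannot name the owner and keep it alive, it should hold its own reference.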
602
603 2019-09-27  Keith Miller  <keith_miller@apple.com>
604
605         OSR exit shouldn't bother updating get_by_id array profiles that have changed modes
606         https://bugs.webkit.org/show_bug.cgi?id=202324
607         <rdar://problem/52669110>
608
609         Reviewed by Yusuke Suzuki.
610
611         This is an optimization that avoids polluting the array profile.
612
613         * dfg/DFGOSRExit.cpp:
614         (JSC::DFG::OSRExit::executeOSRExit):
615         (JSC::DFG::OSRExit::compileExit):
616
617 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
618
619         Non-standard Error properties should not be enumerable
620         https://bugs.webkit.org/show_bug.cgi?id=198975
621
622         Reviewed by Ross Kirsling.
623
624         Define non-standard Error properties "line", "column", and "sourceURL" as non-enumerable to match other engines.
625
626         * runtime/ErrorInstance.cpp:
627         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
628
629 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
630
631         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
632         https://bugs.webkit.org/show_bug.cgi?id=202299
633         <rdar://problem/52669116>
634
635         Reviewed by Saam Barati.
636
637         When converting a recursive-tail-call to a jump to the upper call frame, we picked a call-frame which is spread by LoadVarargs.
638         This is wrong since this call-frame does not know the exact number of arguments. We are using InlineCallFrame::argumentCountIncludingThis,
639         but this is the maximal argumentCountIncludingThis when InlineCallFrame is a Varargs call-frame. Let's see a simple example.
640
641             'use strict';
642             var count = 0;
643             function foo() {
644                 count--;
645                 if (count === 0)
646                     return 30;
647                 return foo(42, 42); // HERE
648             }
649
650             function test() {
651                 count = 100;
652                 return foo(...[42, 42]); // THERE
653             }
654             noInline(test);
655
656         In the above case, currently, we convert HERE's foo call to the jump to the prologue of the foo function inlined by "test". But since foo is called
657         in a varargs form, "test" emits LoadVarargs, and it also emits `SetArgumentMaybe` for the 1st and 2nd arguments. Since HERE's foo call is actually passing
658         two arguments, we emit a Phi node whose Upsilons are from SetArgumentMaybe and the 42 Constant. This is wrong since SetArgumentMaybe should not be used. Later,
659         the SSA conversion phase emits an Upsilon with SetArgumentMaybe, and since SetArgumentMaybe is simply removed in the SSA conversion phase, it ends up emitting
660         an Upsilon without a child.
661
662         We are currently only performing recursive-tail-call optimization when argument count matches. Given this condition, we should not pick varargs CallFrame
663         as a jump target.
664
665         * dfg/DFGByteCodeParser.cpp:
666         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
667         * dfg/DFGSSAConversionPhase.cpp:
668         (JSC::DFG::SSAConversionPhase::run):
669
670 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
671
672         toExponential, toFixed, and toPrecision should allow arguments up to 100
673         https://bugs.webkit.org/show_bug.cgi?id=199163
674
675         Reviewed by Ross Kirsling.
676
677         Previously, the spec gave a fixed range of [0,20] for the Number.prototype.{toExponential,toFixed} argument and a
678         range of [1,21] for Number.prototype.toPrecision argument, but allowed implementations to permit a larger range.
679         Historically, only SpiderMonkey accepted a larger range, and other implementations threw a RangeError outside the range.
680         Later the spec was changed (see https://github.com/tc39/ecma262/pull/857) to specify the SpiderMonkey behavior.
681
682         * runtime/NumberPrototype.cpp:
683         (JSC::numberProtoFuncToExponential): Accept arguments between 0 and 100.
684         (JSC::numberProtoFuncToFixed): Accept arguments between 0 and 100.
685         (JSC::numberProtoFuncToPrecision): Accept arguments between 1 and 100.
686         (JSC::getIntegerArgumentInRange): Inline to improve readability.
687
688 2019-09-26  Mark Lam  <mark.lam@apple.com>
689
690         We need to initialize the Gigacage first in setJITEnabled() when disabling the JIT.
691         https://bugs.webkit.org/show_bug.cgi?id=202257
692
693         Reviewed by Saam Barati.
694
695         Because of an OS quirk, even after the JIT region has been unmapped, the OS thinks
696         that region is reserved, and as such, can cause Gigacage allocation to fail.  We
697         work around this by initializing the Gigacage first.
698
699         Note: when called, setJITEnabled() is always called extra early in the process
700         bootstrap.  Under normal operation (when setJITEnabled() isn't called at all), we
701         will naturally initialize the Gigacage before we allocate the JIT region.
702         Hence, this workaround is merely ensuring the same behavior of allocation ordering.
703
704         This patch only applies to iOS.
705
706         * jit/ExecutableAllocator.cpp:
707         (JSC::ExecutableAllocator::setJITEnabled):
708
709 2019-09-25  Guillaume Emont  <guijemont@igalia.com>
710
711         testapi: slow devices need more time before watchdog fires
712         https://bugs.webkit.org/show_bug.cgi?id=202149
713
714         Reviewed by Mark Lam.
715
716         In testExecutionTimeLimit(), the time that we leave for the watchdog
717         to fire is often not enough on (slower) arm and mips devices, creating
718         a testapi failure.
719         This change also skips FTL-specific testing when FTL is disabled.
720
721         * API/tests/ExecutionTimeLimitTest.cpp:
722         (testExecutionTimeLimit):
723
724 2019-09-24  Christopher Reid  <chris.reid@sony.com>
725
726         [WinCairo] Start RemoteInspectorServer
727         https://bugs.webkit.org/show_bug.cgi?id=199938
728         <rdar://problem/53323048>
729
730         Reviewed by Fujii Hironori.
731
732         * inspector/remote/socket/RemoteInspectorSocket.cpp:
733         * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:
734           - Fixed some network byte order issues
735           - Need to check for POLLHUP in isReadable as closed windows sockets don't have POLLIN set
736
737 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
738
739         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
740         https://bugs.webkit.org/show_bug.cgi?id=154376
741
742         Reviewed by Ross Kirsling.
743
744         * runtime/ProxyObject.cpp:
745         (JSC::ProxyObject::performInternalMethodGetOwnProperty): Remove resolved FIXME comments.
746
747 2019-09-24  Alexey Proskuryakov  <ap@apple.com>
748
749         JavaScriptCore (still) doesn't unlock the engineering keychain
750         https://bugs.webkit.org/show_bug.cgi?id=202123
751
752         Reviewed by Dan Bernstein.
753
754         Unlike WebKit, JavaScriptCore only defines CODE_SIGN_IDENTITY in ToolExecutable
755         configuration, not in DebugRelease. As a result, it's not defined when running
756         the script for Unlock Keychain phase.
757
758         Fix this by moving CODE_SIGN_IDENTITY to DebugRelease configuration, matching
759         WebKit. As a result, we are now using consistent signing options in all targets.
760
761         * Configurations/DebugRelease.xcconfig:
762         * Configurations/ToolExecutable.xcconfig:
763         When moving, removed a special case for Production, as that's never used with
764         DebugRelease (also, the Profile case was incorrect).
765
766 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
767
768         [BigInt] Add ValueBitRShift into DFG
769         https://bugs.webkit.org/show_bug.cgi?id=192663
770
771         Reviewed by Robin Morisset.
772
773         We are introducing a new node called ValueBitRShift that is
774         responsible for handling speculation of `UntypedUse` and `BigIntUse` during
775         DFG. Following the approach of other bitwise operations, we
776         now have 2 nodes to handle the ">>" operator during JIT, mainly because
777         of the introduction of BigInt, which makes this operator result in
778         Int32 or BigInt. We renamed `BitRShift` to `ArithBitRShift`, and this
779         node handles Integer and Number speculation and can only return
780         Int32 values.
781
782         * bytecode/BytecodeList.rb:
783         * bytecode/CodeBlock.cpp:
784         (JSC::CodeBlock::finishCreation):
785         * bytecode/Opcode.h:
786
787         Adding ValueProfile support to `op_rshift`, to be used during
788         prediction propagation.
789
790         * dfg/DFGAbstractInterpreterInlines.h:
791         (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
792         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
793
794         Adding support to still do constant propagation of ValueBitRShift when
795         it is `UntypedUse`.
796
797         * dfg/DFGBackwardsPropagationPhase.cpp:
798         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
799         (JSC::DFG::BackwardsPropagationPhase::propagate):
800         * dfg/DFGByteCodeParser.cpp:
801         (JSC::DFG::ByteCodeParser::parseBlock):
802         * dfg/DFGClobberize.h:
803         (JSC::DFG::clobberize):
804         * dfg/DFGDoesGC.cpp:
805         (JSC::DFG::doesGC):
806
807         `ValueBitRShift` can trigger GC when it is `BigIntUse` because the
808         operation `JSBigInt::signedRightShift` potentially allocates new
809         JSBigInts. It also can trigger GC when it is `UntypedUse` because it
810         can execute arbitrary code.
811
812         * dfg/DFGFixupPhase.cpp:
813         (JSC::DFG::FixupPhase::fixupNode):
814
815         The fixup rule of `ValueBitRShift` checks if it should fixup for
816         `BigIntUse` or `UntypedUse`. If those checks fail, we fall back to
817         `ArithBitRShift`.
818
819         * dfg/DFGNode.h:
820         (JSC::DFG::Node::hasNumericResult):
821         (JSC::DFG::Node::hasHeapPrediction):
822         * dfg/DFGNodeType.h:
823         * dfg/DFGOperations.cpp:
824         * dfg/DFGOperations.h:
825         * dfg/DFGPredictionPropagationPhase.cpp:
826
827         We are using the same rule used by `ValueBitLShift` to propagate
828         types. We try to propagate the type based on the operation's input, but
829         fall back to `getHeapPrediction()` if this is not possible.
830
831         * dfg/DFGSafeToExecute.h:
832         (JSC::DFG::safeToExecute):
833         * dfg/DFGSpeculativeJIT.cpp:
834         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
835         (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
836         (JSC::DFG::SpeculativeJIT::compileShiftOp):
837         * dfg/DFGSpeculativeJIT.h:
838         (JSC::DFG::SpeculativeJIT::shiftOp):
839         * dfg/DFGSpeculativeJIT32_64.cpp:
840         (JSC::DFG::SpeculativeJIT::compile):
841         * dfg/DFGSpeculativeJIT64.cpp:
842         (JSC::DFG::SpeculativeJIT::compile):
843         * dfg/DFGStrengthReductionPhase.cpp:
844         (JSC::DFG::StrengthReductionPhase::handleNode):
845         * ftl/FTLCapabilities.cpp:
846         (JSC::FTL::canCompile):
847         * ftl/FTLLowerDFGToB3.cpp:
848         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
849         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
850         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift):
851         (JSC::FTL::DFG::LowerDFGToB3::compileBitRShift): Deleted.
852         * llint/LowLevelInterpreter64.asm:
853         * runtime/CommonSlowPaths.cpp:
854         (JSC::SLOW_PATH_DECL):
855
856 2019-09-24  Mark Lam  <mark.lam@apple.com>
857
858         Refactor cellSize() out of VMInspector::verifyCellSize().
859         https://bugs.webkit.org/show_bug.cgi?id=202132
860
861         Reviewed by Saam Barati.
862
863         * CMakeLists.txt:
864         * JavaScriptCore.xcodeproj/project.pbxproj:
865         * runtime/CellSize.h: Added.
866         (JSC::isDynamicallySizedType):
867         (JSC::cellSize):
868         * runtime/DirectArguments.h:
869         * runtime/JSBigInt.h:
870         * runtime/JSModuleNamespaceObject.h:
871         * runtime/JSType.h:
872         (JSC::isDynamicallySizedType): Deleted.
873         * tools/VMInspectorInlines.h:
874         (JSC::VMInspector::verifyCellSize):
875
876 2019-09-23  Mark Lam  <mark.lam@apple.com>
877
878         Introducing Integrity audit functions.
879         https://bugs.webkit.org/show_bug.cgi?id=202085
880
881         Reviewed by Saam Barati.
882
883         This patch's main goal is to introduce the Integrity audit functions.  They can
884         be used wherever we want to audit a cell to probabilistically ensure it is not
885         corrupted.  However, to keep this patch small, we will only introduce the audit
886         tool here with one example use in SlotVisitor.  We'll follow up later with more
887         patches to deploy this tool throughout the VM.
888
889         1. Introduced Integrity audit functions that can be configured at several
890            AuditLevels:
891                None - don't do any audits.
892                Minimal - do a minimal quick audit (minimize perf impact).
893                Full - do a full audit of the many aspects of a cell.
894                Random - randomly do a full audit with a probability dictated by
895                     Options::randomIntegrityAuditRate() between 0.0 (never audit) and
896                     1.0 (audit at every chance).
897
898            The default AuditLevel for Debug builds is Random.
899            The default AuditLevel for Release builds is None.
900            The default Options::randomIntegrityAuditRate() is 0.05.
901
902            How do full audits work?
903            ========================
904            The full audit uses the VMInspector::verifyCell() template function to do its
905            job.  The reason for keeping this separate is to allow the template function
906            to be used later for debug checks that want to take some custom action on
907            verification failure instead of crashing with a RELEASE_ASSERT.
908
909            Full audit of a cell pointer includes:
910            a. Verify that a cell designated as a LargeAllocation is in the heap's
911               set of LargeAllocations.
912
913            b. Verify that a cell not designated as a LargeAllocation is actually in its
914               MarkedBlock's bounds.
915
916            c. Verify that the cell's container (LargeAllocation / MarkedBlock) actually
917               belongs to the current VM.
918
919            d. Verify that a cell in a MarkedBlock is properly aligned on the block's
920               allocation unit size.
921
922            e. If the cell is not an ImmutableButterfly, verify that it is not located in
923               the Gigacage.
924
925            f. Verify that the cell's JSType matches its StructureBlob's JSType.
926
927            g. Verify that the cell size as dictated by the cell ClassInfo does not exceed
928               the size of the allocation unit size (as expected by the container
929               MarkedBlock or LargeAllocation).
930
931               Some cells are dynamically sized (see isDynamicallySizedType()).  For these
932               cells, we compute their sizes and verify that the size does not exceed the
933               allocation unit size.  Their sizes should also be greater than or equal to the
934               static cell size as dictated by their ClassInfo.
935
936            h. If a cell has a butterfly, verify that the butterfly is in the JSValue
937               Gigacage.
938
939            We can add more verifications later, or make some of these more robust, but this
940            is a start for now.
941
942            How do random audits work?
943            ==========================
944            Random audits are triggered by the m_triggerBits bits in VM::m_integrityRandom.
945            m_triggerBits is a 64-bit bitfield.
946
947            If Options::randomIntegrityAuditRate() is 0, m_triggerBits will always be 0,
948            and no audits will be done.
949
950            If Options::randomIntegrityAuditRate() is non-zero, m_triggerBits will be
951            initialized as follows:
952
953                 | 1 reload bit | ... 63 trigger bits ... |
954
955            The reload bit is always set (more details below).
956            Each of the 63 trigger bits is randomly set depending on whether the following is true
957            for the bit:
958
959                 VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX
960
961            When Integrity::auditCell() is called, we take the bottom bit as the trigger
962            bit for the current cell, and shift the rest down by 1.
963
964            If m_triggerBits is non-null after the shift, the taken trigger bit will dictate
965            whether we do a full audit on the current cell or not.
966
967            Once the reload bit reaches the bottom, we call a reload function to
968            re-initialize m_triggerBits.  The reload function also returns a bool
969            indicating whether to trigger a full audit of the current cell.
970
971            With this scheme, we only need to call the reload function once every 64 calls
972            to Integrity::auditCell(), and can efficiently determine whether to trigger
973            the audit the other 63 times with the probability specified in
974            Options::randomIntegrityAuditRate().
975
976         2. Embedded the C++ class size of JSCells into their ClassInfo.  This is used in
977            the full audits to verify cell sizes.
978
979         3. Added isDynamicallySizedType() to check if a JSType has a dynamic size allocation
980            i.e. the size of instances of this type is not determined by the static C++
981            size of its class, but rather, depends on some runtime variable.
982
983         4. Made the VMInspector a friend of several classes so that it can access their
984            private methods and fields.
985
986         5. Moved the inline function JSBigInt::allocationSize() from BigInt.cpp to its
987            header file so that we can use it in VMInspector::verifyCellSize().
988
989         6. Gave the JSModuleNamespaceObject() its own JSType so that we can identify it
990            as a dynamically sized object.
991
992         7. Increased the randomness of VM::random() (which is implemented with WeakRandom)
993            by re-seeding it with a cryptographically random number each GC.
994
995         8. Called Integrity::auditCell() on SlotVisitor::appendJSCellOrAuxiliary()'s cell
996            as an example use of auditCell().  More uses will be added in later patches to
997            follow.
998
999         * CMakeLists.txt:
1000         * JavaScriptCore.xcodeproj/project.pbxproj:
1001         * Sources.txt:
1002         * heap/Heap.cpp:
1003         (JSC::Heap::runBeginPhase):
1004         * heap/SlotVisitor.cpp:
1005         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1006         * runtime/ClassInfo.h:
1007         * runtime/DirectArguments.h:
1008         * runtime/JSBigInt.cpp:
1009         (JSC::JSBigInt::allocationSize): Deleted.
1010         * runtime/JSBigInt.h:
1011         (JSC::JSBigInt::allocationSize):
1012         * runtime/JSModuleNamespaceObject.h:
1013         * runtime/JSType.cpp:
1014         (WTF::printInternal):
1015         * runtime/JSType.h:
1016         (JSC::isDynamicallySizedType):
1017         * runtime/Options.cpp:
1018         (JSC::recomputeDependentOptions):
1019         * runtime/OptionsList.h:
1020         * runtime/Structure.h:
1021         * runtime/VM.cpp:
1022         (JSC::VM::VM):
1023         * runtime/VM.h:
1024         (JSC::VM::random):
1025         (JSC::VM::integrityRandom):
1026         * tools/Integrity.cpp: Added.
1027         (JSC::Integrity::Random::Random):
1028         (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
1029         (JSC::Integrity::auditCellFully):
1030         (JSC::Integrity::auditCellMinimallySlow):
1031         * tools/Integrity.h: Added.
1032         (JSC::Integrity::auditCell):
1033         * tools/IntegrityInlines.h: Added.
1034         (JSC::Integrity::Random::shouldAudit):
1035         (JSC::Integrity::auditCellMinimally):
1036         (JSC::Integrity::auditCellRandomly):
1037         * tools/VMInspector.h:
1038         (JSC::VMInspector::unusedVerifier):
1039         (JSC::VMInspector::verifyCellSize):
1040         * tools/VMInspectorInlines.h: Added.
1041         (JSC::VMInspector::verifyCellSize):
1042         (JSC::VMInspector::verifyCell):
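
        The trigger-bit scheme described above, written out as an added example. This is a constructed toy, not tools/Integrity.cpp: `ToyRandom` stands in for VM::random(), `ToyIntegrityRandom` and its helper names are assumptions, and placing the reload bit at bit 63 is assumed from the layout sketch in the entry. The observable properties are the ones the entry states: a rate of 0 never audits, a rate of 1.0 always audits, and for any other rate the slow reload path runs once per 64 calls.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for VM::random() (xorshift64*); not WTF::WeakRandom.
class ToyRandom {
public:
    explicit ToyRandom(uint64_t seed) : m_state(seed ? seed : 0x9E3779B97F4A7C15ull) { }

    uint32_t getUint32()
    {
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return static_cast<uint32_t>((m_state * 0x2545F4914F6CDD1Dull) >> 32);
    }

private:
    uint64_t m_state;
};

// Toy version of the m_triggerBits scheme: bit 63 is the reload bit, bits 0..62
// are trigger bits, each set with probability auditRate (assumed layout).
class ToyIntegrityRandom {
public:
    ToyIntegrityRandom(double auditRate, uint64_t seed)
        : m_random(seed)
        , m_auditRate(auditRate)
        , m_threshold(static_cast<uint64_t>(auditRate * static_cast<double>(UINT_MAX)))
    {
        // Rate 0 leaves the bits at 0, so no audit ever fires.
        m_triggerBits = auditRate > 0 ? freshTriggerBits() : 0;
    }

    // Fast path: consume the bottom bit and shift the rest down. The slow path
    // runs only when the reload bit itself was just shifted out (bits became 0).
    bool shouldAudit()
    {
        bool trigger = m_triggerBits & 1;
        m_triggerBits >>= 1;
        if (m_triggerBits)
            return trigger;
        return reloadAndCheckShouldAuditSlow();
    }

    unsigned slowPathCalls() const { return m_slowPathCalls; }

private:
    // The per-bit test from the entry: VM::random() <= rate * UINT_MAX.
    bool draw() { return m_random.getUint32() <= m_threshold; }

    uint64_t freshTriggerBits()
    {
        uint64_t bits = uint64_t(1) << 63; // reload bit, always set
        for (unsigned i = 0; i < 63; ++i) {
            if (draw())
                bits |= uint64_t(1) << i;
        }
        return bits;
    }

    bool reloadAndCheckShouldAuditSlow()
    {
        ++m_slowPathCalls;
        if (m_auditRate <= 0)
            return false;
        m_triggerBits = freshTriggerBits();
        return draw(); // separate decision for the cell that consumed the reload bit
    }

    ToyRandom m_random;
    double m_auditRate;
    uint64_t m_threshold;
    uint64_t m_triggerBits { 0 };
    unsigned m_slowPathCalls { 0 };
};

// Fraction of `calls` cells for which a full audit was requested.
double observedAuditRate(double auditRate, unsigned calls, uint64_t seed)
{
    ToyIntegrityRandom random(auditRate, seed);
    unsigned audits = 0;
    for (unsigned i = 0; i < calls; ++i)
        audits += random.shouldAudit();
    return static_cast<double>(audits) / calls;
}

// Number of slow-path reloads taken over `calls` cells.
unsigned reloadsFor(double auditRate, unsigned calls, uint64_t seed)
{
    ToyIntegrityRandom random(auditRate, seed);
    for (unsigned i = 0; i < calls; ++i)
        random.shouldAudit();
    return random.slowPathCalls();
}

int main()
{
    std::printf("rate 0.05 over 64000 cells: audited %.4f, reloads %u\n",
        observedAuditRate(0.05, 64000, 12345), reloadsFor(0.05, 64000, 12345));
    return 0;
}
```

        With a rate of 0.05 roughly one cell in twenty gets a full audit and the reload path runs once per 64 calls; in this toy the rate 0 case takes the slow path on every call but returns false without drawing, which is what keeps the bits at 0.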
1043
1044 2019-09-23  Commit Queue  <commit-queue@webkit.org>
1045
1046         Unreviewed, rolling out r250262.
1047         https://bugs.webkit.org/show_bug.cgi?id=202126
1048
1049         "Breaks Win64 builds because of MSVC bug" (Requested by mlam|a
1050         on #webkit).
1051
1052         Reverted changeset:
1053
1054         "Reduce the amount of memory needed to store Options."
1055         https://bugs.webkit.org/show_bug.cgi?id=202105
1056         https://trac.webkit.org/changeset/250262
1057
1058 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
1059
1060         Array methods should throw TypeError upon attempting to modify a string
1061         https://bugs.webkit.org/show_bug.cgi?id=201910
1062
1063         Reviewed by Keith Miller.
1064
1065         We currently allow Array prototype methods to modify strings that they are called upon in certain cases.
1066         (In particular, we're inconsistent about permitting writes to the length property.)
1067
1068         According to section 22.1.3 of the ES spec, this should result in a TypeError.
1069         https://tc39.es/ecma262/#sec-properties-of-the-array-prototype-object
1070         (Test262 cases are needed, but the key is that all such methods use Set(..., true) which throws on failure.)
1071
1072         * runtime/ArrayPrototype.cpp:
1073         (JSC::putLength):
1074         (JSC::setLength):
1075         Never update the length property of a non-JSArray without checking whether we're actually allowed to.
1076
1077 2019-09-23  Mark Lam  <mark.lam@apple.com>
1078
1079         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
1080         https://bugs.webkit.org/show_bug.cgi?id=202122
1081         <rdar://problem/55535249>
1082
1083         Reviewed by Yusuke Suzuki.
1084
1085         * runtime/JSGlobalObject.cpp:
1086         (JSC::JSGlobalObject::init):
1087
1088 2019-09-23  Mark Lam  <mark.lam@apple.com>
1089
1090         Reduce the amount of memory needed to store Options.
1091         https://bugs.webkit.org/show_bug.cgi?id=202105
1092
1093         Reviewed by Yusuke Suzuki.
1094
1095         The size of the JSC::Config needed to store the Options is now reduced to 4K
1096         instead of 16K, enabled by constexpr template magic.
1097
1098         1. Instead of storing all options in a large array of OptionEntry (which is a union of
1099            all the option types), we now have separate arrays for each of the types of
1100            options.  For example,
1101
1102                 Removed g_jscConfig.options[].
1103                 Added g_jscConfig.typeBoolOptions[].
1104                 Added g_jscConfig.typeInt32Options[].
1105                 Added g_jscConfig.typeDoubleOptions[].
1106                 ...
1107
1108            We used to find the storage for the option using g_jscConfig.options[Options::ID].
1109            We now find the storage for each type of option using
1110            g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()].  For
1111            example, Options::useJIT() used to be implemented as:
1112
1113                inline bool& Options::useJIT()
1114                {
1115                     return g_jscConfig.options[Options::useJITID];
1116                }
1117
1118            ... which is now replaced with:
1119
1120                inline bool& Options::useJIT()
1121                {
1122                     return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()];
1123                }
1124
1125         2. Introduce the optionTypeSpecificIndex() constexpr template function for
1126            computing the index of each option in their respective type specific options
1127            array.
1128
1129         3. Introduce OptionTypes, OptionTypeID, and OptionID.
1130
1131            The OptionTypes namespace replaces OptionEntry as the container of option types.
1132            The OptionID enum class replaces Options::ID.
1133            The OptionTypeID enum class is new and is used together with OptionID in
1134                constexpr templates to compute the typeSpecificIndex of options.
1135
1136         4. Removed the OptionEntry struct and OptionEntry.h.  After (1), this struct is
1137            only used in the Option class.  We just moved the union of option types (that
1138            OptionEntry embeds) into the Option class.
1139
1140            Moved class OptionRange into OptionsList.h.
1141
1142         5. Removed the large OptionEntry arrays from JSC::Config.
1143            Added type specific options arrays.
1144            Also ordered these arrays to maximize compactness and minimize internal fragmentation.
1145
1146         6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[]
1147            instead of going through the Option wrapper object.  This allows us to simplify
1148            things and make the Option class a read only interface of options.
1149
1150         7. Changed Options::initialize() to only compute the option default value once.
1151            The default value specified in the OptionsList may not always be a constant.
1152            Sometimes, it is a function call.
1153
1154         8. The Option class now only gives read only access to the options.
1155
1156            The Option class' role is to provide an interface for reading an option at any
1157            given OptionID without first knowing about the type of the specific option.
1158            It is useful for iterating options, and is currently only used by
1159            Options::dumpOption().
1160
1161            Technically, we could merge all the Option class code into its single client.
1162            We opted not to do this because the amount of code is non-trivial, and the
1163            Option class does a good job of encapsulating this functionality.
1164
1165         * API/glib/JSCOptions.cpp:
1166         (jscOptionsSetValue):
1167         (jscOptionsGetValue):
1168         (jsc_options_foreach):
1169         (jsc_options_get_option_group):
1170         * CMakeLists.txt:
1171         * JavaScriptCore.xcodeproj/project.pbxproj:
1172         * runtime/JSCConfig.h:
1173         * runtime/OptionEntry.h: Removed.
1174         * runtime/Options.cpp:
1175         (JSC::Options::isAvailable):
1176         (JSC::overrideOptionWithHeuristic):
1177         (JSC::scaleJITPolicy):
1178         (JSC::recomputeDependentOptions):
1179         (JSC::Options::initialize):
1180         (JSC::Options::setOptionWithoutAlias):
1181         (JSC::Options::dumpAllOptions):
1182         (JSC::Options::dumpOption):
1183         (JSC::Option::Option):
1184         (JSC::Option::defaultOption const):
1185         (JSC::Option::dump const):
1186         (JSC::Option::operator== const):
1187         * runtime/Options.h:
1188         (JSC::Option::id const):
1189         (JSC::Option::name const):
1190         (JSC::Option::description const):
1191         (JSC::Option::type const):
1192         (JSC::Option::availability const):
1193         (JSC::Option::isOverridden const):
1194         (JSC::Option::Option):
1195         (JSC::Option::idIndex const):
1196         (JSC::Option::defaultOption const): Deleted.
1197         (JSC::Option::boolVal): Deleted.
1198         (JSC::Option::unsignedVal): Deleted.
1199         (JSC::Option::doubleVal): Deleted.
1200         (JSC::Option::int32Val): Deleted.
1201         (JSC::Option::optionRangeVal): Deleted.
1202         (JSC::Option::optionStringVal): Deleted.
1203         (JSC::Option::gcLogLevelVal): Deleted.
1204         * runtime/OptionsList.h:
1205         (JSC::OptionRange::operator= ):
1206         (JSC::OptionRange::rangeString const):
1207         (JSC::optionTypeSpecificIndex):
1208         (JSC::countNumberOfJSCOptionsOfType):
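
        The per-type storage and constexpr index computation this entry describes, as an added example. It is a constructed toy, not runtime/OptionsList.h or JSC::Config: the five options in `FOR_EACH_TOY_OPTION` are an assumed subset, and `ToyConfig`, `LegacyConfig`, `kOptionMeta` and the helper names are assumptions. `optionTypeSpecificIndex` counts, at compile time, how many earlier options share the option's type, which is exactly its slot in that type's array; a `static_assert` rejects an option accessed through the wrong type.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed option list (type, name, default); an assumed subset, not JSC's.
#define FOR_EACH_TOY_OPTION(v) \
    v(Bool,   useJIT,                     true) \
    v(Int32,  thresholdForJITAfterWarmUp, 500) \
    v(Bool,   useDFGJIT,                  true) \
    v(Double, randomIntegrityAuditRate,   0.05) \
    v(Int32,  maximumInliningDepth,       5)

enum class OptionTypeID : uint8_t { Bool, Int32, Double };

enum class OptionID : uint16_t {
#define DECLARE_TOY_OPTION_ID(type_, name_, default_) name_,
    FOR_EACH_TOY_OPTION(DECLARE_TOY_OPTION_ID)
#undef DECLARE_TOY_OPTION_ID
};

// Compile-time table of each option's type, in declaration order.
struct OptionMeta { OptionTypeID type; };
constexpr OptionMeta kOptionMeta[] = {
#define DECLARE_TOY_OPTION_META(type_, name_, default_) { OptionTypeID::type_ },
    FOR_EACH_TOY_OPTION(DECLARE_TOY_OPTION_META)
#undef DECLARE_TOY_OPTION_META
};
constexpr size_t kNumberOfOptions = sizeof(kOptionMeta) / sizeof(kOptionMeta[0]);

// How many options share a type: sizes that type's array.
template<OptionTypeID type>
constexpr size_t countOptionsOfType()
{
    size_t count = 0;
    for (size_t i = 0; i < kNumberOfOptions; ++i) {
        if (kOptionMeta[i].type == type)
            ++count;
    }
    return count;
}

// Slot of `id` inside its type's array: the number of earlier options of the
// same type. Evaluated at compile time; a type mismatch fails to compile.
template<OptionTypeID type, OptionID id>
constexpr size_t optionTypeSpecificIndex()
{
    static_assert(kOptionMeta[static_cast<size_t>(id)].type == type, "option accessed through the wrong type");
    size_t index = 0;
    for (size_t i = 0; i < static_cast<size_t>(id); ++i) {
        if (kOptionMeta[i].type == type)
            ++index;
    }
    return index;
}

// Old layout: one union-typed entry per option, every slot as wide as a double.
union LegacyOptionEntry { bool boolVal; int32_t int32Val; double doubleVal; };
struct LegacyConfig { LegacyOptionEntry options[kNumberOfOptions]; };

// New layout: one tightly packed array per option type.
struct ToyConfig {
    bool typeBoolOptions[countOptionsOfType<OptionTypeID::Bool>()];
    int32_t typeInt32Options[countOptionsOfType<OptionTypeID::Int32>()];
    double typeDoubleOptions[countOptionsOfType<OptionTypeID::Double>()];
};
ToyConfig g_toyConfig;

constexpr bool perTypeStorageIsSmaller() { return sizeof(ToyConfig) < sizeof(LegacyConfig); }

// Accessors in the shape the entry shows; each indexes its own type's array.
using Bool = bool;
using Int32 = int32_t;
using Double = double;
#define DECLARE_TOY_ACCESSOR(type_, name_, default_) \
    inline type_& name_() { return g_toyConfig.type##type_##Options[optionTypeSpecificIndex<OptionTypeID::type_, OptionID::name_>()]; }
FOR_EACH_TOY_OPTION(DECLARE_TOY_ACCESSOR)
#undef DECLARE_TOY_ACCESSOR

// Writes each default into its slot once; returns how many options were set.
size_t initializeToyOptions()
{
#define INITIALIZE_TOY_OPTION(type_, name_, default_) name_() = default_;
    FOR_EACH_TOY_OPTION(INITIALIZE_TOY_OPTION)
#undef INITIALIZE_TOY_OPTION
    return kNumberOfOptions;
}

int main()
{
    initializeToyOptions();
    std::printf("legacy %zu bytes, per-type %zu bytes, useDFGJIT slot %zu, threshold %d\n",
        sizeof(LegacyConfig), sizeof(ToyConfig),
        optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useDFGJIT>(), thresholdForJITAfterWarmUp());
    return 0;
}
```

        Because every index is a compile-time constant, the accessors compile to a fixed offset into the config just as the old `options[Options::ID]` form did; the saving comes from no longer padding every bool to the width of the union.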
1209
1210 2019-09-23  Devin Rousso  <drousso@apple.com>
1211
1212         Web Inspector: Canvas: show WebGPU shader pipelines
1213         https://bugs.webkit.org/show_bug.cgi?id=201675
1214         <rdar://problem/55543450>
1215
1216         Reviewed by Joseph Pecoraro.
1217
1218         * inspector/protocol/Canvas.json:
1219         Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
1220         frontend of a new program.
1221
1222 2019-09-23  Zan Dobersek  <zdobersek@igalia.com>
1223
1224         testmasm: integer operands loaded as unsigned values
1225         https://bugs.webkit.org/show_bug.cgi?id=202099
1226
1227         Reviewed by Mark Lam.
1228
1229         Suppress GCC warnings about comparing signed and unsigned values in
1230         test cases introduced in r247913 by using signed integer types for
1231         loading 32-bit and 64-bit integer operand values.
1232
1233         * assembler/testmasm.cpp:
1234         (JSC::testBranchTestBit32RegReg):
1235         (JSC::testBranchTestBit32RegImm):
1236         (JSC::testBranchTestBit32AddrImm):
1237         (JSC::testBranchTestBit64RegReg):
1238         (JSC::testBranchTestBit64RegImm):
1239         (JSC::testBranchTestBit64AddrImm):
1240
1241 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
1242
1243         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
1244         https://bugs.webkit.org/show_bug.cgi?id=202072
1245
1246         Reviewed by Mark Lam.
1247
1248         Inline doubleToStrictInt52 in FTL since it is a very simple function.
1249         This change improves JetStream2/stanford-crypto-sha256 by ~5%.
1250
1251         * ftl/FTLLowerDFGToB3.cpp:
1252         (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
1253         * ftl/FTLOutput.cpp:
1254         (JSC::FTL::Output::doubleToInt64):
1255         * ftl/FTLOutput.h:
1256
1257 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
1258
1259         Unreviewed, follow-up change after r250198
1260         https://bugs.webkit.org/show_bug.cgi?id=201633
1261
1262         * b3/testb3_5.cpp:
1263         (testCheckAddRemoveCheckWithSExt16):
1264
1265 2019-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
1266
1267         [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function
1268         https://bugs.webkit.org/show_bug.cgi?id=201633
1269
1270         Reviewed by Mark Lam.
1271
1272         Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code sees a uint32_t type.
1273         In JS, we handle Int32 well, but if the value exceeds the Int32 range (like, using 0xffffffff), we use Int52 instead so as not to fall back to Double.
1274
1275         The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each
1276         of them emits an OSR exit, which prevents dead-store-elimination in B3, and keeps ValueToInt32(Int52) alive if it is referenced from some variable which
1277         can be seen if the OSR exit occurs.
1278
1279         In this patch, we perform strength-reduction for CheckAdd, converting it to Add. We already have such a thing, but the existing one does not handle well the
1280         instructions emitted when Int52 is used.
1281
1282         When Int52 is used, we typically have a sequence like:
1283
1284             Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64
1285             Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52
1286
1287         While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 even though it is very easy.
1288         This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis.
1289         This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit.
1290         We can see ~5% improvement in JetStream2/async-fs.
1291
1292         * b3/B3ReduceStrength.cpp:
1293         * b3/testb3.h:
1294         (int16Operands):
1295         (int8Operands):
1296         * b3/testb3_1.cpp:
1297         (run):
1298         * b3/testb3_5.cpp:
1299         (testCheckAddRemoveCheckWithSExt8):
1300         (testCheckAddRemoveCheckWithSExt16):
1301         (testCheckAddRemoveCheckWithSExt32):
1302         (testCheckAddRemoveCheckWithZExt32):
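
A worked illustration of the integer-range reasoning this entry relies on, added here as example code: it is not B3ReduceStrength's own IntRange nor any code from the patch, and the struct, the widening rules and the function names are this example's own assumptions. It models the ranges produced by SExt8/SExt16/SExt32/ZExt32 and by Shl, then asks whether a CheckAdd over two such operands can ever overflow int64, which is exactly the condition under which it may be rewritten to a plain Add. The Int52 shape from the entry, Shl(SExt32(x), 12) on both sides of the add, comes out as removable; an add with an unknown 64-bit operand does not.

```cpp
#include <cstdint>
#include <cstdio>

// Illustrative 64-bit integer-range analysis for the CheckAdd -> Add rewrite.
// Example code for this page; not B3ReduceStrength's IntRange. The rules
// below are assumptions chosen to be sound (never claim a range narrower than
// the true one), which is all the rewrite needs.
namespace rangemodel {

struct IntRange {
    int64_t min;
    int64_t max;
};

constexpr IntRange top64()  { return { INT64_MIN, INT64_MAX }; }   // unknown 64-bit value
constexpr IntRange sExt8()  { return { INT8_MIN,  INT8_MAX  }; }   // SExt8(x)  for any x
constexpr IntRange sExt16() { return { INT16_MIN, INT16_MAX }; }   // SExt16(x) for any x
constexpr IntRange sExt32() { return { INT32_MIN, INT32_MAX }; }   // SExt32(x) for any x
constexpr IntRange zExt32() { return { 0, int64_t(UINT32_MAX) }; } // ZExt32(x) for any x

// A bound survives Shl only if shifting it back reproduces it; otherwise
// bits were lost and the result has to be the full range.
inline bool shiftRoundTrips(int64_t v, int shift) {
    int64_t shifted = int64_t(uint64_t(v) << shift);
    return (shifted >> shift) == v;
}

inline IntRange shl(IntRange r, int shift) {
    if (shift < 0 || shift >= 64) return top64();
    if (!shiftRoundTrips(r.min, shift) || !shiftRoundTrips(r.max, shift)) return top64();
    return { int64_t(uint64_t(r.min) << shift), int64_t(uint64_t(r.max) << shift) };
}

inline bool addOverflows(int64_t a, int64_t b) {
    return (b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b);
}

// Add of two ranges can overflow only if the lowest or the highest possible sum does.
inline bool couldOverflowAdd(IntRange a, IntRange b) {
    return addOverflows(a.min, b.min) || addOverflows(a.max, b.max);
}

// CheckAdd(a, b) may be strength-reduced to Add(a, b) exactly when no overflow is possible.
inline bool canRemoveCheckAdd(IntRange a, IntRange b) { return !couldOverflowAdd(a, b); }

// The Int52 shape from the entry: Int64 = Shl(SExt32(int32), 12).
inline IntRange int52FromInt32() { return shl(sExt32(), 12); }

} // namespace rangemodel

int main() {
    using namespace rangemodel;
    IntRange a = int52FromInt32();
    std::printf("Shl(SExt32, 12) range: [%lld, %lld]\n", (long long)a.min, (long long)a.max);
    std::printf("CheckAdd over two such values removable: %s\n", canRemoveCheckAdd(a, a) ? "yes" : "no");
    std::printf("CheckAdd with an unknown int64 operand removable: %s\n", canRemoveCheckAdd(a, top64()) ? "yes" : "no");
    return 0;
}
```

The shl rule is deliberately conservative: if either bound does not round-trip through the shift the whole range collapses to top, so an unknown 64-bit input never yields a spuriously narrow range and the CheckAdd stays in place.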
1303
1304 2019-09-21  Mark Lam  <mark.lam@apple.com>
1305
1306         Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage.
1307         https://bugs.webkit.org/show_bug.cgi?id=202082
1308
1309         Reviewed by Tadeu Zagallo.
1310
1311         They are not being caged anyway.
1312
1313         * runtime/DirectArguments.h:
1314         * runtime/JSLexicalEnvironment.h:
1315         (JSC::JSLexicalEnvironment::subspaceFor):
1316         * runtime/ScopedArguments.h:
1317         * runtime/VM.cpp:
1318         (JSC::VM::VM):
1319         * runtime/VM.h:
1320
1321 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
1322
1323         AccessCase should strongly visit its dependencies while on stack
1324         https://bugs.webkit.org/show_bug.cgi?id=201986
1325         <rdar://problem/55521953>
1326
1327         Reviewed by Saam Barati and Yusuke Suzuki.
1328
1329         AccessCase::doesCalls is responsible for specifying the cells it depends on, so that
1330         MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However,
1331         it was missing most of its dependencies, which led to it being collected while on stack.
1332         This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js
1333         as the PolymorphicAccess being collected and removing its exception handler from the code
1334         block, which led to the exception propagating past the try/catch.
1335
1336         In order to fix this, we abstract the dependency gathering logic from AccessCase into
1337         forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to
1338         guarantee that their implementation is consistent.
1339
1340         * bytecode/AccessCase.cpp:
1341         (JSC::AccessCase::forEachDependentCell const):
1342         (JSC::AccessCase::doesCalls const):
1343         (JSC::AccessCase::visitWeak const):
1344         * bytecode/AccessCase.h:
1345         * bytecode/CallLinkInfo.cpp:
1346         (JSC::CallLinkInfo::lastSeenCallee const):
1347         (JSC::CallLinkInfo::haveLastSeenCallee const):
1348         (JSC::CallLinkInfo::lastSeenCallee): Deleted.
1349         (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
1350         * bytecode/CallLinkInfo.h:
1351         (JSC::CallLinkInfo::isDirect const):
1352         (JSC::CallLinkInfo::isLinked const):
1353         (JSC::CallLinkInfo::stub const):
1354         (JSC::CallLinkInfo::forEachDependentCell const):
1355         (JSC::CallLinkInfo::isLinked): Deleted.
1356         (JSC::CallLinkInfo::stub): Deleted.
1357         * bytecode/ObjectPropertyCondition.cpp:
1358         (JSC::ObjectPropertyCondition::isStillLive const):
1359         * bytecode/ObjectPropertyCondition.h:
1360         (JSC::ObjectPropertyCondition::forEachDependentCell const):
1361         * bytecode/ObjectPropertyConditionSet.cpp:
1362         (JSC::ObjectPropertyConditionSet::areStillLive const):
1363         * bytecode/ObjectPropertyConditionSet.h:
1364         (JSC::ObjectPropertyConditionSet::forEachDependentCell const):
1365         * bytecode/PropertyCondition.cpp:
1366         (JSC::PropertyCondition::isStillLive const):
1367         * bytecode/PropertyCondition.h:
1368         (JSC::PropertyCondition::forEachDependentCell const):
1369         * jit/PolymorphicCallStubRoutine.cpp:
1370         (JSC::PolymorphicCallStubRoutine::visitWeak):
1371         * jit/PolymorphicCallStubRoutine.h:
1372         (JSC::PolymorphicCallStubRoutine::forEachDependentCell):
1373
1374 2019-09-21  David Kilzer  <ddkilzer@apple.com>
1375
1376         clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore
1377         <https://webkit.org/b/202069>
1378
1379         Reviewed by Mark Lam.
1380
1381         Fix unwanted copying/ref churn of loop variables by making them
1382         const references.
1383
1384         * bytecode/CodeBlock.cpp:
1385         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1386         * bytecompiler/BytecodeGenerator.cpp:
1387         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1388         * dfg/DFGGraph.cpp:
1389         (JSC::DFG::Graph::dump):
1390         * inspector/agents/InspectorAgent.cpp:
1391         (Inspector::InspectorAgent::activateExtraDomains):
1392         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1393         (Inspector::RemoteInspector::stopInternal):
1394         (Inspector::RemoteInspector::xpcConnectionFailed):
1395         (Inspector::RemoteInspector::pushListingsNow):
1396         * parser/Parser.h:
1397         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1398         * runtime/ProxyObject.cpp:
1399         (JSC::ProxyObject::performGetOwnPropertyNames):
1400         * runtime/SamplingProfiler.cpp:
1401         (JSC::SamplingProfiler::registerForReportAtExit):
1402         (JSC::SamplingProfiler::reportTopFunctions):
1403         (JSC::SamplingProfiler::reportTopBytecodes):
1404         * runtime/TypeSet.cpp:
1405         (JSC::StructureShape::inspectorRepresentation):
1406         (JSC::StructureShape::merge):
1407
1408 2019-09-20  Keith Miller  <keith_miller@apple.com>
1409
1410         eliding a move in Air O0 needs to mark the dest's old reg as available
1411         https://bugs.webkit.org/show_bug.cgi?id=202066
1412
1413         Reviewed by Saam Barati.
1414
1415         Also adds a new release method that handles all the invariants of
1416         returning a register to the available register pool.
1417
1418         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
1419         (JSC::B3::Air::GenerateAndAllocateRegisters::release):
1420         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
1421         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
1422         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
1423         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
1424
1425 2019-09-20  Mark Lam  <mark.lam@apple.com>
1426
1427         Harden assertion in StructureIDTable::get().
1428         https://bugs.webkit.org/show_bug.cgi?id=202067
1429         <rdar://problem/55577923>
1430
1431         Reviewed by Keith Miller.
1432
1433         * runtime/StructureIDTable.h:
1434         (JSC::StructureIDTable::get):
1435
1436 2019-09-20  Truitt Savell  <tsavell@apple.com>
1437
1438         Unreviewed, rolling out r250114.
1439
1440         Broke ~16 webgpu/ tests on Mojave wk2
1441
1442         Reverted changeset:
1443
1444         "Web Inspector: Canvas: show WebGPU shader pipelines"
1445         https://bugs.webkit.org/show_bug.cgi?id=201675
1446         https://trac.webkit.org/changeset/250114
1447
1448 2019-09-20  Paulo Matos  <pmatos@igalia.com>
1449
1450         Implement memory monitoring functions for Linux OS
1451         https://bugs.webkit.org/show_bug.cgi?id=200391
1452
1453         Reviewed by Žan Doberšek.
1454
1455         * jsc.cpp:
1456
1457 2019-09-20  Devin Rousso  <drousso@apple.com>
1458
1459         ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html
1460         https://bugs.webkit.org/show_bug.cgi?id=201713
1461         <rdar://problem/55290349>
1462
1463         Reviewed by Joseph Pecoraro.
1464
1465         Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value
1466         instead of using a referenced `bool` (which wouldn't include any of the exception's info).
1467
1468         * bindings/ScriptFunctionCall.h:
1469         * bindings/ScriptFunctionCall.cpp:
1470         (Deprecated::ScriptFunctionCall::call):
1471
1472         * inspector/InjectedScript.cpp:
1473         (Inspector::InjectedScript::wrapCallFrames const):
1474         (Inspector::InjectedScript::wrapObject const):
1475         (Inspector::InjectedScript::wrapJSONString const):
1476         (Inspector::InjectedScript::wrapTable const):
1477         (Inspector::InjectedScript::previewValue const):
1478         (Inspector::InjectedScript::findObjectById const):
1479         (Inspector::InjectedScript::releaseObjectGroup):
1480
1481         * inspector/InjectedScriptBase.h:
1482         * inspector/InjectedScriptBase.cpp:
1483         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const):
1484         (Inspector::InjectedScriptBase::makeCall):
1485         (Inspector::InjectedScriptBase::makeAsyncCall):
1486
1487         * inspector/InjectedScriptManager.h:
1488         * inspector/InjectedScriptManager.cpp:
1489         (Inspector::InjectedScriptManager::createInjectedScript):
1490         (Inspector::InjectedScriptManager::injectedScriptFor):
1491
1492         * inspector/InjectedScriptModule.cpp:
1493         (Inspector::InjectedScriptModule::ensureInjected):
1494
1495 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
1496
1497         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
1498         https://bugs.webkit.org/show_bug.cgi?id=202014
1499
1500         Reviewed by Saam Barati.
1501
1502         Let's look into the bytecode generated by the test.
1503
1504             [   0] enter
1505             [   1] get_scope          loc4
1506             [   3] mov                loc5, loc4
1507             [   6] check_traps
1508             [   7] mov                loc6, callee
1509             [  10] create_direct_arguments loc7
1510             [  12] to_this            this
1511             [  15] mov                loc8, loc7
1512             [  18] mov                loc9, loc6
1513             [  21] mov                loc12, Undefined(const0)
1514             [  24] get_by_id          loc11, loc6, 0
1515             [  29] jneq_ptr           loc11, ApplyFunction, 18(->47)
1516             [  34] mov                loc11, loc6
1517             [  37] call_varargs       loc11, loc11, this, loc8, loc13, 0
1518             [  45] jmp                17(->62)
1519             [  47] mov                loc16, loc6
1520             [  50] mov                loc15, this
1521             [  53] mov                loc14, loc8
1522             [  56] call               loc11, loc11, 3, 22
1523             ...
1524
1525         call_varargs uses loc13 as firstFreeReg (the first usable bottom register in the current stack-frame to spread variadic arguments after this).
1526         This is correct. And call_varargs uses |this| as the this argument for the call_varargs. This |this| argument is not in the region starting from loc13,
1527         and it is not in the slot just before loc13 (|this| is not loc12).
1528
1529         On the other hand, DFG::ByteCodeParser's inlining path always assumes that the register just before firstFreeReg is usable and part of the arguments.
1530         But this is wrong. loc12 in the above bytecode is used later as `[  56] call               loc11, loc11, 3, 22`'s argument, and this call assumes
1531         that loc12 is not clobbered by call_varargs. But DFG and FTL clobber it.
1532
1533         The test recursively calls the same function, and we inline the same function one level. A stack-overflow error happens when the inlined
1534         CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point the outer function's loc12 is recovered as garbage since
1535         LoadVarargs clobbers it. We eventually use it and crash.
1536
1537             60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)
1538
1539         This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.
1540
1541         In all the tiers, op_call_varargs first allocates a large enough region to hold the varargs including |this|. And we store the |this| value in the correct place.
1542         DFG should not assume that the register just before firstFreeReg is used for |this|.
1543
1544         This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
1545         represent that `maxArgumentCountIncludingThis` includes the |this| count.
1546
1547         * bytecode/CallLinkInfo.cpp:
1548         (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
1549         (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
1550         * bytecode/CallLinkInfo.h:
1551         (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
1552         (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
1553         (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
1554         (JSC::CallLinkInfo::maxNumArguments): Deleted.
1555         * bytecode/CallLinkStatus.cpp:
1556         (JSC::CallLinkStatus::computeFor):
1557         (JSC::CallLinkStatus::dump const):
1558         * bytecode/CallLinkStatus.h:
1559         (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
1560         (JSC::CallLinkStatus::maxNumArguments const): Deleted.
1561         * dfg/DFGByteCodeParser.cpp:
1562         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1563         * dfg/DFGSpeculativeJIT32_64.cpp:
1564         (JSC::DFG::SpeculativeJIT::emitCall):
1565         * dfg/DFGSpeculativeJIT64.cpp:
1566         (JSC::DFG::SpeculativeJIT::emitCall):
1567         * ftl/FTLLowerDFGToB3.cpp:
1568         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1569         * jit/JITCall.cpp:
1570         (JSC::JIT::compileSetupFrame):
1571         * jit/JITCall32_64.cpp:
1572         (JSC::JIT::compileSetupFrame):
1573         * jit/JITOperations.cpp:
1574
1575 2019-09-19  Devin Rousso  <drousso@apple.com>
1576
1577         Web Inspector: Canvas: show WebGPU shader pipelines
1578         https://bugs.webkit.org/show_bug.cgi?id=201675
1579
1580         Reviewed by Joseph Pecoraro.
1581
1582         * inspector/protocol/Canvas.json:
1583         Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
1584         frontend of a new program.
1585
1586 2019-09-19  Mark Lam  <mark.lam@apple.com>
1587
1588         Rename VMInspector::m_list to m_vmList.
1589         https://bugs.webkit.org/show_bug.cgi?id=202015
1590
1591         Reviewed by Yusuke Suzuki.
1592
1593         m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
1594         it from other m_lists in the code base.
1595
1596         * tools/VMInspector.cpp:
1597         (JSC::VMInspector::add):
1598         (JSC::VMInspector::remove):
1599         * tools/VMInspector.h:
1600         (JSC::VMInspector::iterate):
1601
1602 2019-09-19  Mark Lam  <mark.lam@apple.com>
1603
1604         Reduce the number of required tag bits for the JSValue.
1605         https://bugs.webkit.org/show_bug.cgi?id=201990
1606
1607         Reviewed by Yusuke Suzuki.
1608
1609         We're reducing the number of tag bits to 15.  It should just work.
1610
1611         How did we arrive at 15 bits?
1612         ============================
1613         Currently, the minimum number of top bits used by doubles is 13.  The
1614         highest double bit encodings are:
1615
1616             "negative" pureNaN: starts with 0xfff8
1617             negative infinity:  starts with 0xfff0
1618             highest number:     starts with 0xffe*
1619             lowest number:      starts with 0x0000
1620
1621         Requirements:
1622         1. We need tags for 2 ranges of numbers: pointers (all 0s at the top), and ints
1623            (all 1s at the top).
1624
1625         2. We want to be able to add an offset to double bits and ensure that they never
1626            end up in the ranges for pointers and ints.
1627
1628         3. The int tag must be higher than whatever value is produced in the top bits
1629            when boxing a double.  We have code that relies on this relationship being
1630            true and checks if a JSValue is an int by checking if the tag bits are above
1631            or equal to the int tag.
1632
1633         4. We don't want to burn more than 2 CPU registers for tag / mask registers.
1634
1635         Based on the bit encoding of doubles, the full number range of the top 13 bits
1636         is used in valid double numbers.  This means the minimum number of tag bits must be
1637         greater than 13.
1638
1639         Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
1640         0x0004.  With this encoding,
1641             "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc
1642
1643         i.e. the top 14 bits are all set.  This conflicts with the int number range.
1644
1645         Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
1646         with 0x0002.  With this encoding:
1647             "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
1648             negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2
1649
1650         i.e. 0xfffe (top 5 bits set) is available to represent ints.  This is the encoding
1651         that we'll adopt in this patch.
1652
1653         Alternate encodings schemes to consider in the future:
1654         =====================================================
1655         1. If we're willing and able to purifyNaN at all the places that can produce a
1656            "negative" pureNaN, e.g. after a division, then we can remove the "negative"
1657            pureNaN as a valid double bit encoding.  With this, we can now box doubles
1658            with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
1659            0x0004.
1660
1661            With this encoding, the top double, negative infinity, is encoded as follows:
1662
1663                 negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4
1664
1665            i.e. leaving 0xfffc as the tag for ints.
1666
1667            We didn't adopt this scheme at this time because it adds complexity, and may
1668            have performance impact from the extra purifyNaN checks.
1669
1670            Ref: https://bugs.webkit.org/show_bug.cgi?id=202002
1671
1672         2. If we're willing to use 3 tag registers or always materialize one of them, we
1673            can also adopt a 14-bit tag as follows:
1674
1675                Pointer {  0000:PPPP:PPPP:PPPP
1676                         / 0002:****:****:****
1677                Double  {         ...
1678                         \ FFFC:****:****:****
1679                Integer {  FFFF:0000:IIII:IIII
1680
1681            where ...
1682                NumberMask is 0xfffc: any bits set in the top 14 bits is a number.
1683                IntMask is 0xffff: value is int if value & IntMask == IntMask.
1684                NotCellMask is NumberMask | OtherTag.
1685
1686            Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
1687            a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
1688            still less than 0xffff.
1689
1690            We didn't adopt this scheme at this time because it adds complexity and may
1691            have a performance impact from either burning another register, or materializing
1692            the 3rd mask.
1693
1694            Ref: https://bugs.webkit.org/show_bug.cgi?id=202005
1695
1696         * runtime/JSCJSValue.h:
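
The encoding this entry settles on, worked through as an added example: this is illustrative code written for this page, not JSC's JSCJSValue.h. The constant names follow the later entry on this page for bug 201966 (NumberTag, NotCellMask, DoubleEncodeOffsetBit, OtherTag, BoolTag, UndefinedTag), but the particular bit values assumed here for OtherTag, BoolTag and UndefinedTag are this example's own assumptions. It boxes doubles by adding DoubleEncodeOffset (1 << 49), tags ints with the top 15 bits set, leaves pointers untouched, and re-runs the 14-bit versus 15-bit argument above to show why a 14-bit tag collides with the "negative" pureNaN and a 15-bit tag does not.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Illustrative model of the 15-bit-tag JSValue encoding described above.
// Example code for this page, not JSC's implementation. OtherTag, BoolTag and
// UndefinedTag values are assumptions made for this example.
namespace tagmodel {

constexpr int      DoubleEncodeOffsetBit = 49;
constexpr uint64_t DoubleEncodeOffset    = uint64_t(1) << DoubleEncodeOffsetBit; // top 16 bits: 0x0002
constexpr uint64_t NumberTag             = 0xfffe000000000000ULL;                // top 15 bits set
constexpr uint64_t OtherTag              = 0x2;                                  // assumption
constexpr uint64_t BoolTag               = 0x4;                                  // assumption
constexpr uint64_t UndefinedTag          = 0x8;                                  // assumption
constexpr uint64_t NotCellMask           = NumberTag | OtherTag;

inline uint64_t bitsOf(double d)          { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double   doubleFromBits(uint64_t b){ double d; std::memcpy(&d, &b, sizeof d); return d; }
inline uint16_t top16(uint64_t v)         { return uint16_t(v >> 48); }

// Boxing: pointers are stored as-is (top bits 0), int32s get NumberTag in the
// top 15 bits, doubles are shifted up by DoubleEncodeOffset so that no double
// ever lands in the pointer range (0.0 would otherwise be a null pointer).
inline uint64_t boxInt32(int32_t i)  { return NumberTag | uint32_t(i); }
inline uint64_t boxDouble(double d)  { return bitsOf(d) + DoubleEncodeOffset; }
inline uint64_t boxCell(uintptr_t p) { return p; }

// Requirement 3 above: a value is an int iff its tag bits are >= the int tag,
// which for the 0xfffe tag is the same as "all 15 tag bits set".
inline bool isInt32(uint64_t v)  { return (v & NumberTag) == NumberTag; }
inline bool isNumber(uint64_t v) { return (v & NumberTag) != 0; }
inline bool isDouble(uint64_t v) { return isNumber(v) && !isInt32(v); }
inline bool isCell(uint64_t v)   { return (v & NotCellMask) == 0; }

inline int32_t unboxInt32(uint64_t v)  { return int32_t(uint32_t(v)); }
inline double  unboxDouble(uint64_t v) { return doubleFromBits(v - DoubleEncodeOffset); }

// Re-derives the page's argument for a given tag width: the int tag is the top
// tagBits all set, DoubleEncodeOffset is 1 << (64 - tagBits), and the highest
// double bit pattern, "negative" pureNaN (0xfff8...), must not end up in the
// int range after the offset is added.
inline bool intTagDistinctFromBoxedDoubles(int tagBits) {
    const uint64_t intTag  = ~uint64_t(0) << (64 - tagBits);
    const uint64_t offset  = uint64_t(1) << (64 - tagBits);
    const uint64_t pureNaN = 0xfff8000000000000ULL;
    return ((pureNaN + offset) & intTag) != intTag;
}

} // namespace tagmodel

int main() {
    using namespace tagmodel;
    std::printf("negative pureNaN boxes to top bits 0x%04x\n", top16(boxDouble(doubleFromBits(0xfff8000000000000ULL))));
    std::printf("negative infinity boxes to top bits 0x%04x\n", top16(boxDouble(-INFINITY)));
    std::printf("boxed 0.0 has top bits 0x%04x\n", top16(boxDouble(0.0)));
    std::printf("int tag distinct from doubles: 14-bit tag %d, 15-bit tag %d\n",
                intTagDistinctFromBoxedDoubles(14), intTagDistinctFromBoxedDoubles(15));
    return 0;
}
```

With a 14-bit tag the boxed pureNaN has top bits 0xfffc, which is the int tag itself; with the 15-bit tag it has 0xfffa and the int tag 0xfffe stays above every boxed double, so the "tag bits >= int tag" check in isInt32 remains correct.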
1697
1698 2019-09-19  Mark Lam  <mark.lam@apple.com>
1699
1700         Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
1701         https://bugs.webkit.org/show_bug.cgi?id=201989
1702
1703         Reviewed by Saam Barati.
1704
1705         This patch only unindents the code to get it back to compliant formatting.
1706         There is no actual code change.
1707
1708         * runtime/JSNonDestructibleProxy.h:
1709         (JSC::JSNonDestructibleProxy::subspaceFor):
1710         (JSC::JSNonDestructibleProxy::create):
1711         (JSC::JSNonDestructibleProxy::createStructure):
1712         (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):
1713
1714 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
1715
1716         Syntax checker should report duplicate __proto__ properties
1717         https://bugs.webkit.org/show_bug.cgi?id=201897
1718         <rdar://problem/53201788>
1719
1720         Reviewed by Mark Lam.
1721
1722         Currently we have two ways of parsing object literals:
1723         - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
1724           it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
1725           but it won't store them in the Property object that it creates for each parsed property. This
1726           method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters.
1727         - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters
1728           as stated above. This will always allocate string literals as well as identifiers and store them in
1729           the Property object, even during syntax checking.
1730
1731         From looking at the history, it seems that there was a distinction between these two methods:
1732         parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
1733         getters/setters or properties defined as both getters/setters and constants. That distinction
1734         was removed and the only distinction that remained was whether we build strings and store the
1735         strings and properties as part of the Property object created by SyntaxChecker::createProperty.
1736         However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
1737         __proto__ properties in object literals even in sloppy mode, which means that we do need to build
1738         the strings and identifiers and store them as part of the Property objects.
1739
1740         * parser/Parser.cpp:
1741         (JSC::Parser<LexerType>::parseObjectLiteral):
1742         (JSC::Parser<LexerType>::parsePrimaryExpression):
1743         (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
1744         * parser/Parser.h:
1745
1746 2019-09-19  Mark Lam  <mark.lam@apple.com>
1747
1748         Remove a now unnecessary hack to work around static const needing external linkage.
1749         https://bugs.webkit.org/show_bug.cgi?id=201988
1750
1751         Reviewed by Saam Barati.
1752
1753         MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
1754         inlinable.
1755
1756         * b3/B3Common.cpp:
1757         (JSC::B3::pinnedExtendedOffsetAddrRegister):
1758
1759 2019-09-19  Mark Lam  <mark.lam@apple.com>
1760
1761         Replace JSValue #defines with static constexpr values.
1762         https://bugs.webkit.org/show_bug.cgi?id=201966
1763
1764         Reviewed by Yusuke Suzuki.
1765
1766         static constexpr is the modern C++ way to define these constants.
1767
1768         Some of the values are typed int64_t and some are int32_t.  The original #define
1769         values are int64_t.  Hence, we adopt int64_t as the default type to use here.
1770
1771         However, some of these constants are being used as 32-bit values, and the code
1772         was static_cast'ing them into int32_t.  This set of constants are all the small
1773         values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
1774         so that we don't have to keep casting them.  In the few places where they are
1775         used as int64_t, they will automatically get up-casted anyway.
1776
1777         In this patch, we also did the following:
1778
1779         1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
1780            basically using it to filter out cells like this:
1781
1782               if (value & NotCellMask) then goto handleNotCellCase;
1783
1784         2. Renamed TagTypeNumber to NumberTag for a shorter name.
1785
1786            Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
1787            They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.
1788
1789         3. Introduced DoubleEncodeOffsetBit so that client code does not embed this value
1790            as a literal constant.  We now define DoubleEncodeOffset based on
1791            DoubleEncodeOffsetBit ensuring consistency.
1792
1793         4. Introduced MiscTag so that clients don't have to put this set of tags together
1794            themselves.
1795
1796         5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
1797            captures these values correctly with constexpr statements.  These static
1798            asserts were holdovers from the old days back when we had to define LLInt
1799            constant values manually, and we needed a mechanism to detect when the values
1800            have changed in the source.
1801
1802         6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.
1803
1804         7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset
1805            constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
1806            to do this for ARM64 because the constant can be loaded efficiently with a single
1807            MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
1808            the target register.
1809
1810         * assembler/AbortReason.h:
1811         * bytecode/AccessCase.cpp:
1812         (JSC::AccessCase::generateWithGuard):
1813         * dfg/DFGOSRExit.cpp:
1814         (JSC::DFG::OSRExit::executeOSRExit):
1815         (JSC::DFG::OSRExit::compileExit):
1816         * dfg/DFGSpeculativeJIT.cpp:
1817         (JSC::DFG::SpeculativeJIT::silentFill):
1818         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1819         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1820         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1821         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1822         (JSC::DFG::SpeculativeJIT::speculateMisc):
1823         * dfg/DFGSpeculativeJIT.h:
1824         (JSC::DFG::SpeculativeJIT::spill):
1825         * dfg/DFGSpeculativeJIT64.cpp:
1826         (JSC::DFG::SpeculativeJIT::fillJSValue):
1827         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1828         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1829         (JSC::DFG::SpeculativeJIT::emitCall):
1830         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1831         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1832         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1833         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1834         (JSC::DFG::SpeculativeJIT::compileInt52Compare):
1835         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1836         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1837         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1838         (JSC::DFG::SpeculativeJIT::emitBranch):
1839         (JSC::DFG::SpeculativeJIT::compile):
1840         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1841         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1842         (JSC::DFG::SpeculativeJIT::blessBoolean):
1843         * ftl/FTLLowerDFGToB3.cpp:
1844         (JSC::FTL::DFG::LowerDFGToB3::lower):
1845         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1846         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1847         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
1848         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
1849         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1850         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1851         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1852         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
1853         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1854         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1855         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1856         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1857         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1858         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1859         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1860         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1861         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1862         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1863         (JSC::FTL::DFG::LowerDFGToB3::getById):
1864         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
1865         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1866         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1867         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
1868         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
1869         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
1870         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1871         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
1872         (JSC::FTL::DFG::LowerDFGToB3::isInt32):
1873         (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
1874         (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
1875         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
1876         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
1877         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1878         (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
1879         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
1880         (JSC::FTL::DFG::LowerDFGToB3::isCell):
1881         (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
1882         (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
1883         (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
1884         (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
1885         (JSC::FTL::DFG::LowerDFGToB3::isOther):
1886         * ftl/FTLOSRExitCompiler.cpp:
1887         (JSC::FTL::reboxAccordingToFormat):
1888         (JSC::FTL::compileStub):
1889         * interpreter/CalleeBits.h:
1890         (JSC::CalleeBits::boxWasm):
1891         (JSC::CalleeBits::isWasm const):
1892         (JSC::CalleeBits::asWasmCallee const):
1893         * jit/AssemblyHelpers.cpp:
1894         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1895         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1896         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
1897         (JSC::AssemblyHelpers::jitAssertIsCell):
1898         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1899         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1900         * jit/AssemblyHelpers.h:
1901         (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
1902         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
1903         (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
1904         (JSC::AssemblyHelpers::branchIfNotCell):
1905         (JSC::AssemblyHelpers::branchIfCell):
1906         (JSC::AssemblyHelpers::branchIfOther):
1907         (JSC::AssemblyHelpers::branchIfNotOther):
1908         (JSC::AssemblyHelpers::branchIfInt32):
1909         (JSC::AssemblyHelpers::branchIfNotInt32):
1910         (JSC::AssemblyHelpers::branchIfNumber):
1911         (JSC::AssemblyHelpers::branchIfNotNumber):
1912         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
1913         (JSC::AssemblyHelpers::branchIfBoolean):
1914         (JSC::AssemblyHelpers::branchIfNotBoolean):
1915         (JSC::AssemblyHelpers::boxDouble):
1916         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
1917         (JSC::AssemblyHelpers::boxInt52):
1918         (JSC::AssemblyHelpers::boxBooleanPayload):
1919         (JSC::AssemblyHelpers::boxInt32):
1920         * jit/CallFrameShuffleData.h:
1921         * jit/CallFrameShuffler.cpp:
1922         (JSC::CallFrameShuffler::CallFrameShuffler):
1923         (JSC::CallFrameShuffler::dump const):
1924         (JSC::CallFrameShuffler::prepareAny):
1925         * jit/CallFrameShuffler.h:
1926         (JSC::CallFrameShuffler::getFreeRegister const):
1927         * jit/CallFrameShuffler64.cpp:
1928         (JSC::CallFrameShuffler::emitBox):
1929         (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
1930         (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
1931         * jit/GPRInfo.h:
1932         (JSC::GPRInfo::reservedRegisters):
1933         * jit/JITArithmetic.cpp:
1934         (JSC::JIT::emit_compareAndJumpSlow):
1935         * jit/JITBitAndGenerator.cpp:
1936         (JSC::JITBitAndGenerator::generateFastPath):
1937         * jit/JITBitOrGenerator.cpp:
1938         (JSC::JITBitOrGenerator::generateFastPath):
1939         * jit/JITBitXorGenerator.cpp:
1940         (JSC::JITBitXorGenerator::generateFastPath):
1941         * jit/JITCall.cpp:
1942         (JSC::JIT::compileTailCall):
1943         * jit/JITDivGenerator.cpp:
1944         (JSC::JITDivGenerator::generateFastPath):
1945         * jit/JITInlines.h:
1946         (JSC::JIT::emitPatchableJumpIfNotInt):
1947         * jit/JITLeftShiftGenerator.cpp:
1948         (JSC::JITLeftShiftGenerator::generateFastPath):
1949         * jit/JITMulGenerator.cpp:
1950         (JSC::JITMulGenerator::generateFastPath):
1951         * jit/JITOpcodes.cpp:
1952         (JSC::JIT::emit_op_overrides_has_instance):
1953         (JSC::JIT::emit_op_is_undefined):
1954         (JSC::JIT::emit_op_is_undefined_or_null):
1955         (JSC::JIT::emit_op_is_boolean):
1956         (JSC::JIT::emit_op_is_number):
1957         (JSC::JIT::emit_op_is_cell_with_type):
1958         (JSC::JIT::emit_op_is_object):
1959         (JSC::JIT::emit_op_not):
1960         (JSC::JIT::emit_op_jeq_null):
1961         (JSC::JIT::emit_op_jneq_null):
1962         (JSC::JIT::emit_op_jundefined_or_null):
1963         (JSC::JIT::emit_op_jnundefined_or_null):
1964         (JSC::JIT::emit_op_eq_null):
1965         (JSC::JIT::emit_op_neq_null):
1966         * jit/JITPropertyAccess.cpp:
1967         (JSC::JIT::emitGenericContiguousPutByVal):
1968         (JSC::JIT::emitFloatTypedArrayPutByVal):
1969         * jit/JITRightShiftGenerator.cpp:
1970         (JSC::JITRightShiftGenerator::generateFastPath):
1971         * jit/RegisterSet.cpp:
1972         (JSC::RegisterSet::runtimeTagRegisters):
1973         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
1974         (JSC::RegisterSet::dfgCalleeSaveRegisters):
1975         (JSC::RegisterSet::ftlCalleeSaveRegisters):
1976         * jit/SpecializedThunkJIT.h:
1977         (JSC::SpecializedThunkJIT::returnDouble):
1978         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
1979         * jit/ThunkGenerators.cpp:
1980         (JSC::virtualThunkFor):
1981         (JSC::nativeForGenerator):
1982         (JSC::arityFixupGenerator):
1983         (JSC::absThunkGenerator):
1984         * llint/LLIntData.cpp:
1985         (JSC::LLInt::Data::performAssertions):
1986         * llint/LowLevelInterpreter.asm:
1987         * llint/LowLevelInterpreter.cpp:
1988         (JSC::CLoop::execute):
1989         * llint/LowLevelInterpreter64.asm:
1990         * offlineasm/arm64.rb:
1991         * offlineasm/cloop.rb:
1992         * offlineasm/x86.rb:
1993         * runtime/JSCJSValue.h:
1994         * runtime/JSCJSValueInlines.h:
1995         (JSC::JSValue::isUndefinedOrNull const):
1996         (JSC::JSValue::isCell const):
1997         (JSC::JSValue::isInt32 const):
1998         (JSC::JSValue::JSValue):
1999         (JSC::JSValue::asDouble const):
2000         (JSC::JSValue::isNumber const):
2001         * wasm/js/WasmToJS.cpp:
2002         (JSC::Wasm::wasmToJS):
2003         * wasm/js/WebAssemblyFunction.cpp:
2004         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2005
2006 2019-09-18  Devin Rousso  <drousso@apple.com>
2007
2008         Web Inspector: Better handling for large arrays and collections in Object Trees
2009         https://bugs.webkit.org/show_bug.cgi?id=143589
2010         <rdar://problem/16135388>
2011
2012         Reviewed by Joseph Pecoraro.
2013
2014         Adds two buttons before the "Prototype" item in expanded object/collection previews:
2015          - Show %d More
2016          - Show All (%d More)
2017
2018         The default `fetchCount` increment is `100`. The first button will only be shown if there
2019         are more than `100` items remaining (haven't been shown).
2020
2021         * inspector/InjectedScriptSource.js:
2022         (InjectedScript.prototype.getProperties):
2023         (InjectedScript.prototype.getDisplayableProperties):
2024         (InjectedScript.prototype.getCollectionEntries):
2025         (InjectedScript.prototype._getProperties):
2026         (InjectedScript.prototype._internalPropertyDescriptors):
2027         (InjectedScript.prototype._propertyDescriptors):
2028         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
2029         (InjectedScript.prototype._propertyDescriptors.processProperties):
2030         (InjectedScript.prototype._getSetEntries):
2031         (InjectedScript.prototype._getMapEntries):
2032         (InjectedScript.prototype._getWeakMapEntries):
2033         (InjectedScript.prototype._getWeakSetEntries):
2034         (InjectedScript.prototype._getIteratorEntries):
2035         (InjectedScript.prototype._entries):
2036         (RemoteObject.prototype._generatePreview):
2037         (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
2038         Don't include boolean property descriptor values if they are `false`.
2039
2040         * inspector/JSInjectedScriptHost.cpp:
2041         (Inspector::JSInjectedScriptHost::weakMapEntries):
2042         (Inspector::JSInjectedScriptHost::weakSetEntries):
2043
2044         * inspector/InjectedScript.h:
2045         * inspector/InjectedScript.cpp:
2046         (Inspector::InjectedScript::getProperties):
2047         (Inspector::InjectedScript::getDisplayableProperties):
2048         (Inspector::InjectedScript::getCollectionEntries):
2049
2050         * inspector/agents/InspectorRuntimeAgent.h:
2051         * inspector/agents/InspectorRuntimeAgent.cpp:
2052         (Inspector::asInt): Added.
2053         (Inspector::InspectorRuntimeAgent::getProperties):
2054         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2055         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2056
2057         * inspector/protocol/Runtime.json:
2058         Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
2059         Mark boolean properties as optional so they can be omitted if `false`.
2060
2061 2019-09-18  Joonghun Park  <pjh0718@gmail.com>
2062
2063         Unreviewed. Remove build warning since r249976.
2064
2065         No new tests, no behavioral changes.
2066
2067         This patch removes the build warning below.
2068         warning: control reaches end of non-void function [-Wreturn-type]
2069
2070         * dfg/DFGArrayMode.cpp:
2071         (JSC::DFG::ArrayMode::alreadyChecked const):
2072
2073 2019-09-18  Saam Barati  <sbarati@apple.com>
2074
2075         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
2076         https://bugs.webkit.org/show_bug.cgi?id=201953
2077         <rdar://problem/53803524>
2078
2079         Reviewed by Yusuke Suzuki.
2080
2081         We had code in DFGSpeculativeJIT like:
2082         
2083         if (!globalObject->isHavingABadTime()) {
2084             <-- here -->
2085             Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
2086             assert 's' has expected indexing type
2087         }
2088         
2089         The problem is, we may have a bad time before we actually load the structure
2090         inside the if. We may have a bad time while we're at the "<-- here -->" in the
2091         above program. The fix is to first load the structure, then check if we're
2092         having a bad time. If we're still not having a bad time, it's valid to assert
2093         things about the structure.
2094
2095         * dfg/DFGSpeculativeJIT.cpp:
2096         (JSC::DFG::SpeculativeJIT::compileNewArray):
2097
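The check-then-load ordering described in the entry above, beside the fixed load-then-check ordering, as an added example that is not JSC code: a simplified model in which `ModelGlobalObject`, `arrayStructureFor` and `raceHook` are hypothetical stand-ins for the real global object, structure lookup and the "<-- here -->" window where another thread can start the bad time.

```cpp
#include <atomic>
#include <functional>

// Simplified model (added example, not JSC code) of the havingABadTime
// assertion in DFGSpeculativeJIT::compileNewArray. "Having a bad time" is a
// one-way transition: once a global object enters that state it never
// leaves it, and its array structures switch to a slow-put indexing type.
enum class IndexingType { Int32, SlowPut };

struct ModelGlobalObject {
    std::atomic<bool> badTime { false };

    // Hypothetical stand-in for arrayStructureForIndexingTypeDuringAllocation:
    // once we are having a bad time, every request yields the slow-put type.
    IndexingType arrayStructureFor(IndexingType requested) const {
        return badTime.load() ? IndexingType::SlowPut : requested;
    }
    bool isHavingABadTime() const { return badTime.load(); }
    void haveABadTime() { badTime.store(true); }
};

// Outcome of the assertion logic: whether we asserted, and whether the
// asserted property actually held for the structure we loaded.
struct CheckResult { bool asserted; bool consistent; };

// Buggy order from the ChangeLog: check the flag first, then (after a window
// in which another thread may flip it) load the structure and assert on it.
// `raceHook` models the "<-- here -->" point where the bad time can begin.
CheckResult checkThenLoad(ModelGlobalObject& g, const std::function<void()>& raceHook) {
    if (!g.isHavingABadTime()) {
        raceHook();                                // <-- here -->
        IndexingType s = g.arrayStructureFor(IndexingType::Int32);
        return { true, s == IndexingType::Int32 }; // can be false: stale check
    }
    return { false, true };
}

// Fixed order: load the structure first, then check the flag. Because the
// transition is one-way, observing "not having a bad time" after the load
// implies it was also not in effect when the structure was loaded, so the
// assertion about the structure is valid whenever it is made.
CheckResult loadThenCheck(ModelGlobalObject& g, const std::function<void()>& raceHook) {
    IndexingType s = g.arrayStructureFor(IndexingType::Int32);
    raceHook();                                    // bad time may begin here
    if (!g.isHavingABadTime())
        return { true, s == IndexingType::Int32 };
    return { false, true };                        // skip the assertion
}
```

The test below flips the flag inside the window: the buggy order asserts on a structure that no longer matches, the fixed order either skips the assertion or asserts on a structure that does.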
2098 2019-09-18  Chris Dumez  <cdumez@apple.com>
2099
2100         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
2101         https://bugs.webkit.org/show_bug.cgi?id=201947
2102         <rdar://problem/55453612>
2103
2104         Reviewed by Mark Lam.
2105
2106         Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
2107         but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
2108         <https://trac.webkit.org/changeset/249064>.
2109
2110         * API/JSContextRef.cpp:
2111         (JSContextGroupCreate):
2112         (JSGlobalContextCreate):
2113         (JSGlobalContextCreateInGroup):
2114
2115 2019-09-18  Saam Barati  <sbarati@apple.com>
2116
2117         Phantom insertion phase may disagree with arguments forwarding about live ranges
2118         https://bugs.webkit.org/show_bug.cgi?id=200715
2119         <rdar://problem/54301717>
2120
2121         Reviewed by Yusuke Suzuki.
2122
2123         The issue is that Phantom insertion phase was disagreeing about live ranges
2124         from the arguments forwarding phase. The effect is that Phantom insertion
2125         would insert a Phantom creating a longer live range than what arguments
2126         forwarding was analyzing. Arguments forwarding will look for the last DFG
2127         use or the last bytecode use of a variable it wants to eliminate. It then
2128         does an interference analysis to ensure that nothing clobbers other variables
2129         it needs to recover the sunken allocation during OSR exit.
2130         
2131         Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
2132         in the current epoch, there is no need to insert a phantom for it. We
2133         determine where we might need a Phantom by looking at bytecode kills. In this
2134         analysis, we have a mapping from bytecode local to DFG node. However, we
2135         sometimes forgot to remove the entry when a local is killed. So, if the first
2136         kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
2137         However, if the variable gets killed again, we might errantly insert a Phantom
2138         for the prior variable which should've already been killed. The solution is to
2139         clear the entry in our mapping when a variable is killed.
2140         
2141         The program in question was like this:
2142         
2143         1: DirectArguments
2144         ...
2145         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
2146         ...
2147         clobber things needed for recovery
2148         ...
2149         
2150         Arguments elimination would transform the program since between @1 and
2151         @2, nothing clobbers values needed for exit and nothing escapes @1. The
2152         program becomes:
2153         
2154         1: PhantomDirectArguments
2155         ...
2156         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
2157         ...
2158         clobber things needed for recovery of @1
2159         ...
2160         
2161         
2162         Phantom insertion would then transform the program into:
2163         
2164         1: PhantomDirectArguments
2165         ...
2166         2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
2167         ...
2168         clobber things needed for recovery of @1
2169         ...
2170         3: Phantom(@1)
2171         ...
2172         
2173         This is wrong because Phantom insertion and arguments forwarding must agree on live
2174         ranges, otherwise the interference analysis performed by arguments forwarding will
2175         not correctly analyze up until where the value might be recovered.
2176
2177         * dfg/DFGPhantomInsertionPhase.cpp:
2178
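The local-to-node mapping and the kill handling described in the entry above, run over the ChangeLog's own program, as an added example that is not JSC's DFGPhantomInsertionPhase: a simplified model in which `Event`, `insertPhantoms` and the epoch bookkeeping are hypothetical stand-ins for the phase's real data structures, with `clearOnKill` selecting the fixed (true) or buggy (false) behaviour.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Simplified model (added example, not JSC code) of the phantom-insertion
// decision: a bytecode local maps to the DFG node it holds, each node
// remembers the OSR exit epoch of its last use, and a bytecode kill inserts
// Phantom(node) unless the node was already used in the current epoch.
using NodeId = int;
using Local = std::string;

enum class Kind { MovHint, Use, Kill, NewEpoch };
struct Event { Kind kind; NodeId node; Local local; };

// Returns (event index, node) pairs at which a Phantom(node) would be inserted.
std::vector<std::pair<int, NodeId>> insertPhantoms(const std::vector<Event>& events, bool clearOnKill) {
    std::map<Local, NodeId> localToNode;   // bytecode local -> node it holds
    std::map<NodeId, int> lastUseEpoch;    // node -> epoch of its last DFG use
    int epoch = 0;
    std::vector<std::pair<int, NodeId>> phantoms;
    for (int i = 0; i < (int)events.size(); ++i) {
        const Event& e = events[i];
        switch (e.kind) {
        case Kind::MovHint:
            localToNode[e.local] = e.node;
            lastUseEpoch[e.node] = epoch;  // the MovHint is a use of the node
            break;
        case Kind::Use:
            lastUseEpoch[e.node] = epoch;
            break;
        case Kind::NewEpoch:
            ++epoch;                       // crossed an OSR exit boundary
            break;
        case Kind::Kill: {
            auto it = localToNode.find(e.local);
            if (it == localToNode.end())
                break;                     // nothing recorded for this local
            NodeId node = it->second;
            // A node used in the current epoch is kept alive by that use;
            // otherwise a Phantom is needed at the kill point.
            if (lastUseEpoch[node] != epoch)
                phantoms.push_back({ i, node });
            if (clearOnKill)
                localToNode.erase(it);     // the fix: forget the killed local
            break;
        }
        }
    }
    return phantoms;
}

// The program from the ChangeLog as constructed events: @1 is stored into
// loc1 (the final kill as far as arguments forwarding is concerned), loc1
// dies in the same epoch, and after an exit boundary loc1 is killed again.
std::vector<Event> changelogProgram() {
    return {
        { Kind::MovHint, 1, "loc1" },
        { Kind::Kill, 0, "loc1" },       // first kill, same epoch: no Phantom
        { Kind::NewEpoch, 0, "" },       // clobbering that can OSR exit
        { Kind::Kill, 0, "loc1" },       // stale mapping -> errant Phantom(@1)
    };
}
```

With the stale mapping left in place the second kill produces the Phantom(@1) at index 3 that extends @1's live range past what arguments forwarding analysed; clearing the entry on the first kill produces none.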
2179 2019-09-18  Commit Queue  <commit-queue@webkit.org>
2180
2181         Unreviewed, rolling out r250002.
2182         https://bugs.webkit.org/show_bug.cgi?id=201943
2183
2184         Patching of the callee and call is not atomic (Requested by
2185         tadeuzagallo on #webkit).
2186
2187         Reverted changeset:
2188
2189         "Change WebAssembly calling conventions"
2190         https://bugs.webkit.org/show_bug.cgi?id=201799
2191         https://trac.webkit.org/changeset/250002
2192
2193 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2194
2195         [JSC] Generator should have internal fields
2196         https://bugs.webkit.org/show_bug.cgi?id=201159
2197
2198         Reviewed by Keith Miller.
2199
2200         This patch makes generator's internal states InternalField instead of private properties.
2201         Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures.
2202         As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.
2203
2204         If we make these structures adaptively poly-proto, some generators get poly-proto structures while others do not, resulting
2205         in megamorphic lookup in Generator.prototype.next. If we make all the generators' structures poly-proto, it makes Generator.prototype.next
2206         lookup suboptimal for now.
2207
2208         In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal
2209         states. We extend promise-internal-field access bytecodes to access these fields from bytecode so that Generator.prototype.next can access
2210         these fields without using megamorphic get_by_id_direct.
2211
2212         And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.
2213
2214         We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
2215         JSGenerator can still offer a way to access the same Generator internal fields with the same offset while poly-proto JSGenerator can get offset = 0
2216         inline-storage slot for PolyProto implementation.
2217
2218         This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
2219         In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.
2220
2221         This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.
2222
2223         This patch includes several design decisions.
2224
2225             1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
2226             2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
2227                support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
2228             3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now,
2229                we are not taking this approach just because I'm not sure this is necessary. If we found such a pattern, we can easily extend the current one but for now, I would like to keep
2230                this patch simple.
2231
2232         * JavaScriptCore.xcodeproj/project.pbxproj:
2233         * Sources.txt:
2234         * builtins/AsyncFunctionPrototype.js:
2235         (globalPrivate.asyncFunctionResume):
2236         * builtins/GeneratorPrototype.js:
2237         (globalPrivate.generatorResume):
2238         (next):
2239         (return):
2240         (throw):
2241         * bytecode/BytecodeGeneratorification.cpp:
2242         (JSC::BytecodeGeneratorification::run):
2243         * bytecode/BytecodeIntrinsicRegistry.cpp:
2244         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2245         * bytecode/BytecodeIntrinsicRegistry.h:
2246         * bytecode/BytecodeList.rb:
2247         * bytecode/BytecodeUseDef.h:
2248         (JSC::computeUsesForBytecodeOffset):
2249         (JSC::computeDefsForBytecodeOffset):
2250         * bytecode/CodeBlock.cpp:
2251         (JSC::CodeBlock::finishCreation):
2252         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2253         * bytecode/SpeculatedType.cpp:
2254         (JSC::speculationFromJSType):
2255         * bytecode/SpeculatedType.h:
2256         * bytecompiler/BytecodeGenerator.cpp:
2257         (JSC::BytecodeGenerator::BytecodeGenerator):
2258         (JSC::BytecodeGenerator::emitPutGeneratorFields):
2259         (JSC::BytecodeGenerator::emitCreateGenerator):
2260         (JSC::BytecodeGenerator::emitNewGenerator):
2261         (JSC::BytecodeGenerator::emitYield):
2262         (JSC::BytecodeGenerator::emitDelegateYield):
2263         (JSC::BytecodeGenerator::emitGeneratorStateChange):
2264         * bytecompiler/BytecodeGenerator.h:
2265         (JSC::BytecodeGenerator::emitIsGenerator):
2266         (JSC::BytecodeGenerator::generatorStateRegister):
2267         (JSC::BytecodeGenerator::generatorValueRegister):
2268         (JSC::BytecodeGenerator::generatorResumeModeRegister):
2269         (JSC::BytecodeGenerator::generatorFrameRegister):
2270         * bytecompiler/NodesCodegen.cpp:
2271         (JSC::generatorInternalFieldIndex):
2272         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
2273         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
2274         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
2275         (JSC::FunctionNode::emitBytecode):
2276         * dfg/DFGAbstractInterpreterInlines.h:
2277         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2278         * dfg/DFGByteCodeParser.cpp:
2279         (JSC::DFG::ByteCodeParser::parseBlock):
2280         * dfg/DFGCapabilities.cpp:
2281         (JSC::DFG::capabilityLevel):
2282         * dfg/DFGClobberize.h:
2283         (JSC::DFG::clobberize):
2284         * dfg/DFGClobbersExitState.cpp:
2285         (JSC::DFG::clobbersExitState):
2286         * dfg/DFGConstantFoldingPhase.cpp:
2287         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2288         * dfg/DFGDoesGC.cpp:
2289         (JSC::DFG::doesGC):
2290         * dfg/DFGFixupPhase.cpp:
2291         (JSC::DFG::FixupPhase::fixupNode):
2292         (JSC::DFG::FixupPhase::fixupIsCellWithType):
2293         * dfg/DFGGraph.cpp:
2294         (JSC::DFG::Graph::dump):
2295         * dfg/DFGNode.h:
2296         (JSC::DFG::Node::convertToNewGenerator):
2297         (JSC::DFG::Node::speculatedTypeForQuery):
2298         (JSC::DFG::Node::hasStructure):
2299         * dfg/DFGNodeType.h:
2300         * dfg/DFGOperations.cpp:
2301         * dfg/DFGOperations.h:
2302         * dfg/DFGPredictionPropagationPhase.cpp:
2303         * dfg/DFGSafeToExecute.h:
2304         (JSC::DFG::safeToExecute):
2305         * dfg/DFGSpeculativeJIT.cpp:
2306         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
2307         (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
2308         (JSC::DFG::SpeculativeJIT::compileNewGenerator):
2309         * dfg/DFGSpeculativeJIT.h:
2310         * dfg/DFGSpeculativeJIT32_64.cpp:
2311         (JSC::DFG::SpeculativeJIT::compile):
2312         * dfg/DFGSpeculativeJIT64.cpp:
2313         (JSC::DFG::SpeculativeJIT::compile):
2314         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2315         * ftl/FTLCapabilities.cpp:
2316         (JSC::FTL::canCompile):
2317         * ftl/FTLLowerDFGToB3.cpp:
2318         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2319         (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
2320         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2321         (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
2322         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
2323         * jit/JIT.cpp:
2324         (JSC::JIT::privateCompileMainPass):
2325         (JSC::JIT::privateCompileSlowCases):
2326         * jit/JITOperations.cpp:
2327         * jit/JITOperations.h:
2328         * jit/JITPropertyAccess.cpp:
2329         (JSC::JIT::emit_op_get_internal_field):
2330         (JSC::JIT::emit_op_put_internal_field):
2331         * llint/LowLevelInterpreter.asm:
2332         * runtime/CommonSlowPaths.cpp:
2333         (JSC::SLOW_PATH_DECL):
2334         * runtime/CommonSlowPaths.h:
2335         * runtime/InternalFunction.cpp:
2336         (JSC::InternalFunction::createSubclassStructureSlow):
2337         * runtime/InternalFunction.h:
2338         (JSC::InternalFunction::createSubclassStructure):
2339         * runtime/JSGenerator.cpp: Added.
2340         (JSC::JSGenerator::create):
2341         (JSC::JSGenerator::createStructure):
2342         (JSC::JSGenerator::JSGenerator):
2343         (JSC::JSGenerator::finishCreation):
2344         (JSC::JSGenerator::visitChildren):
2345         * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
2346         * runtime/JSGeneratorFunction.h:
2347         * runtime/JSGlobalObject.cpp:
2348         (JSC::JSGlobalObject::init):
2349         (JSC::JSGlobalObject::visitChildren):
2350         * runtime/JSGlobalObject.h:
2351         (JSC::JSGlobalObject::generatorStructure const):
2352         * runtime/JSType.cpp:
2353         (WTF::printInternal):
2354         * runtime/JSType.h:
2355
2356 2019-09-17  Keith Miller  <keith_miller@apple.com>
2357
2358         Move comment explaining our Options to OptionsList.h
2359         https://bugs.webkit.org/show_bug.cgi?id=201891
2360
2361         Rubber-stamped by Mark Lam.
2362
2363         We moved the list so we should move the comment.
2364
2365         * runtime/Options.h:
2366         * runtime/OptionsList.h:
2367
2368 2019-09-17  Keith Miller  <keith_miller@apple.com>
2369
2370         Elide unnecessary moves in Air O0
2371         https://bugs.webkit.org/show_bug.cgi?id=201703
2372
2373         Reviewed by Saam Barati.
2374
2375         This patch also removes the code that would try to reuse temps in
2376         WasmAirIRGenerator. That code makes it hard to accurately
2377         determine where a temp dies as it could be reused again
2378         later. Thus every temp may appear to live for a long time in the
2379         global ordering.
2380
2381         This appears to be a minor progression on the overall score of
2382         wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.
2383
2384         This patch also fixes an issue where we didn't ask Patchpoints
2385         for early clobber registers when determining what callee saves
2386         were used by the program.
2387
2388         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
2389         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
2390         * b3/air/AirBasicBlock.h:
2391         * b3/air/AirCode.h:
2392         * b3/air/AirHandleCalleeSaves.cpp:
2393         (JSC::B3::Air::handleCalleeSaves):
2394         * b3/air/testair.cpp:
2395         * wasm/WasmAirIRGenerator.cpp:
2396         (JSC::Wasm::AirIRGenerator::didKill): Deleted.
2397         * wasm/WasmB3IRGenerator.cpp:
2398         (JSC::Wasm::B3IRGenerator::didKill): Deleted.
2399         * wasm/WasmFunctionParser.h:
2400         (JSC::Wasm::FunctionParser<Context>::parseBody):
2401         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2402         * wasm/WasmValidate.cpp:
2403         (JSC::Wasm::Validate::didKill): Deleted.
2404
2405 2019-09-17  Mark Lam  <mark.lam@apple.com>
2406
2407         Use constexpr instead of const in symbol definitions that are obviously constexpr.
2408         https://bugs.webkit.org/show_bug.cgi?id=201879
2409
2410         Rubber-stamped by Joseph Pecoraro.
2411
2412         const may require external storage (at the compiler's whim) though these
2413         currently do not.  constexpr makes it clear that the value is a literal constant
2414         that can be inlined.  In most cases in the code, when we say static const, we
2415         actually mean static constexpr.  I'm changing the code to reflect this.
2416
2417         * API/JSAPIValueWrapper.h:
2418         * API/JSCallbackConstructor.h:
2419         * API/JSCallbackObject.h:
2420         * API/JSContextRef.cpp:
2421         * API/JSWrapperMap.mm:
2422         * API/tests/CompareAndSwapTest.cpp:
2423         * API/tests/TypedArrayCTest.cpp:
2424         * API/tests/testapi.mm:
2425         (testObjectiveCAPIMain):
2426         * KeywordLookupGenerator.py:
2427         (Trie.printAsC):
2428         * assembler/ARMv7Assembler.h:
2429         * assembler/AssemblerBuffer.h:
2430         * assembler/AssemblerCommon.h:
2431         * assembler/MacroAssembler.h:
2432         * assembler/MacroAssemblerARM64.h:
2433         * assembler/MacroAssemblerARM64E.h:
2434         * assembler/MacroAssemblerARMv7.h:
2435         * assembler/MacroAssemblerCodeRef.h:
2436         * assembler/MacroAssemblerMIPS.h:
2437         * assembler/MacroAssemblerX86.h:
2438         * assembler/MacroAssemblerX86Common.h:
2439         (JSC::MacroAssemblerX86Common::absDouble):
2440         (JSC::MacroAssemblerX86Common::negateDouble):
2441         * assembler/MacroAssemblerX86_64.h:
2442         * assembler/X86Assembler.h:
2443         * b3/B3Bank.h:
2444         * b3/B3CheckSpecial.h:
2445         * b3/B3DuplicateTails.cpp:
2446         * b3/B3EliminateCommonSubexpressions.cpp:
2447         * b3/B3FixSSA.cpp:
2448         * b3/B3FoldPathConstants.cpp:
2449         * b3/B3InferSwitches.cpp:
2450         * b3/B3Kind.h:
2451         * b3/B3LowerToAir.cpp:
2452         * b3/B3NativeTraits.h:
2453         * b3/B3ReduceDoubleToFloat.cpp:
2454         * b3/B3ReduceLoopStrength.cpp:
2455         * b3/B3ReduceStrength.cpp:
2456         * b3/B3ValueKey.h:
2457         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2458         * b3/air/AirAllocateStackByGraphColoring.cpp:
2459         * b3/air/AirArg.h:
2460         * b3/air/AirCCallSpecial.h:
2461         * b3/air/AirEmitShuffle.cpp:
2462         * b3/air/AirFixObviousSpills.cpp:
2463         * b3/air/AirFormTable.h:
2464         * b3/air/AirLowerAfterRegAlloc.cpp:
2465         * b3/air/AirPrintSpecial.h:
2466         * b3/air/AirStackAllocation.cpp:
2467         * b3/air/AirTmp.h:
2468         * b3/testb3_6.cpp:
2469         (testInterpreter):
2470         * bytecode/AccessCase.cpp:
2471         * bytecode/CallLinkStatus.cpp:
2472         * bytecode/CallVariant.h:
2473         * bytecode/CodeBlock.h:
2474         * bytecode/CodeOrigin.h:
2475         * bytecode/DFGExitProfile.h:
2476         * bytecode/DirectEvalCodeCache.h:
2477         * bytecode/ExecutableToCodeBlockEdge.h:
2478         * bytecode/GetterSetterAccessCase.cpp:
2479         * bytecode/LazyOperandValueProfile.h:
2480         * bytecode/ObjectPropertyCondition.h:
2481         * bytecode/ObjectPropertyConditionSet.cpp:
2482         * bytecode/PolymorphicAccess.cpp:
2483         * bytecode/PropertyCondition.h:
2484         * bytecode/SpeculatedType.h:
2485         * bytecode/StructureStubInfo.cpp:
2486         * bytecode/UnlinkedCodeBlock.cpp:
2487         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
2488         * bytecode/UnlinkedCodeBlock.h:
2489         * bytecode/UnlinkedEvalCodeBlock.h:
2490         * bytecode/UnlinkedFunctionCodeBlock.h:
2491         * bytecode/UnlinkedFunctionExecutable.h:
2492         * bytecode/UnlinkedModuleProgramCodeBlock.h:
2493         * bytecode/UnlinkedProgramCodeBlock.h:
2494         * bytecode/ValueProfile.h:
2495         * bytecode/VirtualRegister.h:
2496         * bytecode/Watchpoint.h:
2497         * bytecompiler/BytecodeGenerator.h:
2498         * bytecompiler/Label.h:
2499         * bytecompiler/NodesCodegen.cpp:
2500         (JSC::ThisNode::emitBytecode):
2501         * bytecompiler/RegisterID.h:
2502         * debugger/Breakpoint.h:
2503         * debugger/DebuggerParseData.cpp:
2504         * debugger/DebuggerPrimitives.h:
2505         * debugger/DebuggerScope.h:
2506         * dfg/DFGAbstractHeap.h:
2507         * dfg/DFGAbstractValue.h:
2508         * dfg/DFGArgumentsEliminationPhase.cpp:
2509         * dfg/DFGByteCodeParser.cpp:
2510         * dfg/DFGCSEPhase.cpp:
2511         * dfg/DFGCommon.h:
2512         * dfg/DFGCompilationKey.h:
2513         * dfg/DFGDesiredGlobalProperty.h:
2514         * dfg/DFGEdgeDominates.h:
2515         * dfg/DFGEpoch.h:
2516         * dfg/DFGForAllKills.h:
2517         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2518         * dfg/DFGGraph.cpp:
2519         (JSC::DFG::Graph::isLiveInBytecode):
2520         * dfg/DFGHeapLocation.h:
2521         * dfg/DFGInPlaceAbstractState.cpp:
2522         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2523         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2524         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2525         * dfg/DFGLICMPhase.cpp:
2526         * dfg/DFGLazyNode.h:
2527         * dfg/DFGMinifiedID.h:
2528         * dfg/DFGMovHintRemovalPhase.cpp:
2529         * dfg/DFGNodeFlowProjection.h:
2530         * dfg/DFGNodeType.h:
2531         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2532         * dfg/DFGPhantomInsertionPhase.cpp:
2533         * dfg/DFGPromotedHeapLocation.h:
2534         * dfg/DFGPropertyTypeKey.h:
2535         * dfg/DFGPureValue.h:
2536         * dfg/DFGPutStackSinkingPhase.cpp:
2537         * dfg/DFGRegisterBank.h:
2538         * dfg/DFGSSAConversionPhase.cpp:
2539         * dfg/DFGSSALoweringPhase.cpp:
2540         * dfg/DFGSpeculativeJIT.cpp:
2541         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2542         (JSC::DFG::compileClampDoubleToByte):
2543         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2544         (JSC::DFG::compileArithPowIntegerFastPath):
2545         (JSC::DFG::SpeculativeJIT::compileArithPow):
2546         (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
2547         * dfg/DFGStackLayoutPhase.cpp:
2548         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2549         * dfg/DFGStrengthReductionPhase.cpp:
2550         * dfg/DFGStructureAbstractValue.h:
2551         * dfg/DFGVarargsForwardingPhase.cpp:
2552         * dfg/DFGVariableEventStream.cpp:
2553         (JSC::DFG::VariableEventStream::reconstruct const):
2554         * dfg/DFGWatchpointCollectionPhase.cpp:
2555         * disassembler/ARM64/A64DOpcode.h:
2556         * ftl/FTLLocation.h:
2557         * ftl/FTLLowerDFGToB3.cpp:
2558         (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
2559         * ftl/FTLSlowPathCall.cpp:
2560         * ftl/FTLSlowPathCallKey.h:
2561         * heap/CellContainer.h:
2562         * heap/CellState.h:
2563         * heap/ConservativeRoots.h:
2564         * heap/GCSegmentedArray.h:
2565         * heap/HandleBlock.h:
2566         * heap/Heap.cpp:
2567         (JSC::Heap::updateAllocationLimits):
2568         * heap/Heap.h:
2569         * heap/HeapSnapshot.h:
2570         * heap/HeapUtil.h:
2571         (JSC::HeapUtil::findGCObjectPointersForMarking):
2572         * heap/IncrementalSweeper.cpp:
2573         * heap/LargeAllocation.h:
2574         * heap/MarkedBlock.cpp:
2575         * heap/Strong.h:
2576         * heap/VisitRaceKey.h:
2577         * heap/Weak.h:
2578         * heap/WeakBlock.h:
2579         * inspector/JSInjectedScriptHost.h:
2580         * inspector/JSInjectedScriptHostPrototype.h:
2581         * inspector/JSJavaScriptCallFrame.h:
2582         * inspector/JSJavaScriptCallFramePrototype.h:
2583         * inspector/agents/InspectorConsoleAgent.cpp:
2584         * inspector/agents/InspectorRuntimeAgent.cpp:
2585         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2586         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2587         (CppProtocolTypesHeaderGenerator._generate_versions):
2588         * inspector/scripts/tests/generic/expected/version.json-result:
2589         * interpreter/Interpreter.h:
2590         * interpreter/ShadowChicken.cpp:
2591         * jit/BinarySwitch.cpp:
2592         * jit/CallFrameShuffler.h:
2593         * jit/ExecutableAllocator.h:
2594         * jit/FPRInfo.h:
2595         * jit/GPRInfo.h:
2596         * jit/ICStats.h:
2597         * jit/JITThunks.h:
2598         * jit/Reg.h:
2599         * jit/RegisterSet.h:
2600         * jit/TempRegisterSet.h:
2601         * jsc.cpp:
2602         * parser/ASTBuilder.h:
2603         * parser/Nodes.h:
2604         * parser/SourceCodeKey.h:
2605         * parser/SyntaxChecker.h:
2606         * parser/VariableEnvironment.h:
2607         * profiler/ProfilerOrigin.h:
2608         * profiler/ProfilerOriginStack.h:
2609         * profiler/ProfilerUID.h:
2610         * runtime/AbstractModuleRecord.cpp:
2611         * runtime/ArrayBufferNeuteringWatchpointSet.h:
2612         * runtime/ArrayConstructor.h:
2613         * runtime/ArrayConventions.h:
2614         * runtime/ArrayIteratorPrototype.h:
2615         * runtime/ArrayPrototype.cpp:
2616         (JSC::setLength):
2617         * runtime/AsyncFromSyncIteratorPrototype.h:
2618         * runtime/AsyncGeneratorFunctionPrototype.h:
2619         * runtime/AsyncGeneratorPrototype.h:
2620         * runtime/AsyncIteratorPrototype.h:
2621         * runtime/AtomicsObject.cpp:
2622         * runtime/BigIntConstructor.h:
2623         * runtime/BigIntPrototype.h:
2624         * runtime/BooleanPrototype.h:
2625         * runtime/ClonedArguments.h:
2626         * runtime/CodeCache.h:
2627         * runtime/ControlFlowProfiler.h:
2628         * runtime/CustomGetterSetter.h:
2629         * runtime/DateConstructor.h:
2630         * runtime/DatePrototype.h:
2631         * runtime/DefinePropertyAttributes.h:
2632         * runtime/ErrorPrototype.h:
2633         * runtime/EvalExecutable.h:
2634         * runtime/Exception.h:
2635         * runtime/ExceptionHelpers.cpp:
2636         (JSC::invalidParameterInSourceAppender):
2637         (JSC::invalidParameterInstanceofSourceAppender):
2638         * runtime/ExceptionHelpers.h:
2639         * runtime/ExecutableBase.h:
2640         * runtime/FunctionExecutable.h:
2641         * runtime/FunctionRareData.h:
2642         * runtime/GeneratorPrototype.h:
2643         * runtime/GenericArguments.h:
2644         * runtime/GenericOffset.h:
2645         * runtime/GetPutInfo.h:
2646         * runtime/GetterSetter.h:
2647         * runtime/GlobalExecutable.h:
2648         * runtime/Identifier.h:
2649         * runtime/InspectorInstrumentationObject.h:
2650         * runtime/InternalFunction.h:
2651         * runtime/IntlCollatorConstructor.h:
2652         * runtime/IntlCollatorPrototype.h:
2653         * runtime/IntlDateTimeFormatConstructor.h:
2654         * runtime/IntlDateTimeFormatPrototype.h:
2655         * runtime/IntlNumberFormatConstructor.h:
2656         * runtime/IntlNumberFormatPrototype.h:
2657         * runtime/IntlObject.h:
2658         * runtime/IntlPluralRulesConstructor.h:
2659         * runtime/IntlPluralRulesPrototype.h:
2660         * runtime/IteratorPrototype.h:
2661         * runtime/JSArray.cpp:
2662         (JSC::JSArray::tryCreateUninitializedRestricted):
2663         * runtime/JSArray.h:
2664         * runtime/JSArrayBuffer.h:
2665         * runtime/JSArrayBufferView.h:
2666         * runtime/JSBigInt.h:
2667         * runtime/JSCJSValue.h:
2668         * runtime/JSCell.h:
2669         * runtime/JSCustomGetterSetterFunction.h:
2670         * runtime/JSDataView.h:
2671         * runtime/JSDataViewPrototype.h:
2672         * runtime/JSDestructibleObject.h:
2673         * runtime/JSFixedArray.h:
2674         * runtime/JSGenericTypedArrayView.h:
2675         * runtime/JSGlobalLexicalEnvironment.h:
2676         * runtime/JSGlobalObject.h:
2677         * runtime/JSImmutableButterfly.h:
2678         * runtime/JSInternalPromiseConstructor.h:
2679         * runtime/JSInternalPromiseDeferred.h:
2680         * runtime/JSInternalPromisePrototype.h:
2681         * runtime/JSLexicalEnvironment.h:
2682         * runtime/JSModuleEnvironment.h:
2683         * runtime/JSModuleLoader.h:
2684         * runtime/JSModuleNamespaceObject.h:
2685         * runtime/JSNonDestructibleProxy.h:
2686         * runtime/JSONObject.cpp:
2687         * runtime/JSONObject.h:
2688         * runtime/JSObject.h:
2689         * runtime/JSPromiseConstructor.h:
2690         * runtime/JSPromiseDeferred.h:
2691         * runtime/JSPromisePrototype.h:
2692         * runtime/JSPropertyNameEnumerator.h:
2693         * runtime/JSProxy.h:
2694         * runtime/JSScope.h:
2695         * runtime/JSScriptFetchParameters.h:
2696         * runtime/JSScriptFetcher.h:
2697         * runtime/JSSegmentedVariableObject.h:
2698         * runtime/JSSourceCode.h:
2699         * runtime/JSString.cpp:
2700         * runtime/JSString.h:
2701         * runtime/JSSymbolTableObject.h:
2702         * runtime/JSTemplateObjectDescriptor.h:
2703         * runtime/JSTypeInfo.h:
2704         * runtime/MapPrototype.h:
2705         * runtime/MinimumReservedZoneSize.h:
2706         * runtime/ModuleProgramExecutable.h:
2707         * runtime/NativeExecutable.h:
2708         * runtime/NativeFunction.h:
2709         * runtime/NativeStdFunctionCell.h:
2710         * runtime/NumberConstructor.h:
2711         * runtime/NumberPrototype.h:
2712         * runtime/ObjectConstructor.h:
2713         * runtime/ObjectPrototype.h:
2714         * runtime/ProgramExecutable.h:
2715         * runtime/PromiseDeferredTimer.cpp:
2716         * runtime/PropertyMapHashTable.h:
2717         * runtime/PropertyNameArray.h:
2718         (JSC::PropertyNameArray::add):
2719         * runtime/PrototypeKey.h:
2720         * runtime/ProxyConstructor.h:
2721         * runtime/ProxyObject.cpp:
2722         (JSC::ProxyObject::performGetOwnPropertyNames):
2723         * runtime/ProxyRevoke.h:
2724         * runtime/ReflectObject.h:
2725         * runtime/RegExp.h:
2726         * runtime/RegExpCache.h:
2727         * runtime/RegExpConstructor.h:
2728         * runtime/RegExpKey.h:
2729         * runtime/RegExpObject.h:
2730         * runtime/RegExpPrototype.h:
2731         * runtime/RegExpStringIteratorPrototype.h:
2732         * runtime/SamplingProfiler.cpp:
2733         * runtime/ScopedArgumentsTable.h:
2734         * runtime/ScriptExecutable.h:
2735         * runtime/SetPrototype.h:
2736         * runtime/SmallStrings.h:
2737         * runtime/SparseArrayValueMap.h:
2738         * runtime/StringConstructor.h:
2739         * runtime/StringIteratorPrototype.h:
2740         * runtime/StringObject.h:
2741         * runtime/StringPrototype.h:
2742         * runtime/Structure.h:
2743         * runtime/StructureChain.h:
2744         * runtime/StructureRareData.h:
2745         * runtime/StructureTransitionTable.h:
2746         * runtime/Symbol.h:
2747         * runtime/SymbolConstructor.h:
2748         * runtime/SymbolPrototype.h:
2749         * runtime/SymbolTable.h:
2750         * runtime/TemplateObjectDescriptor.h:
2751         * runtime/TypeProfiler.cpp:
2752         * runtime/TypeProfiler.h:
2753         * runtime/TypeProfilerLog.cpp:
2754         * runtime/VarOffset.h:
2755         * testRegExp.cpp:
2756         * tools/HeapVerifier.cpp:
2757         (JSC::HeapVerifier::checkIfRecorded):
2758         * tools/JSDollarVM.cpp:
2759         * wasm/WasmB3IRGenerator.cpp:
2760         * wasm/WasmBBQPlan.cpp:
2761         * wasm/WasmFaultSignalHandler.cpp:
2762         * wasm/WasmFunctionParser.h:
2763         * wasm/WasmOMGForOSREntryPlan.cpp:
2764         * wasm/WasmOMGPlan.cpp:
2765         * wasm/WasmPlan.cpp:
2766         * wasm/WasmSignature.cpp:
2767         * wasm/WasmSignature.h:
2768         * wasm/WasmWorklist.cpp:
2769         * wasm/js/JSWebAssembly.h:
2770         * wasm/js/JSWebAssemblyCodeBlock.h:
2771         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2772         * wasm/js/WebAssemblyCompileErrorPrototype.h:
2773         * wasm/js/WebAssemblyFunction.h:
2774         * wasm/js/WebAssemblyInstanceConstructor.h:
2775         * wasm/js/WebAssemblyInstancePrototype.h:
2776         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2777         * wasm/js/WebAssemblyLinkErrorPrototype.h:
2778         * wasm/js/WebAssemblyMemoryConstructor.h:
2779         * wasm/js/WebAssemblyMemoryPrototype.h:
2780         * wasm/js/WebAssemblyModuleConstructor.h:
2781         * wasm/js/WebAssemblyModulePrototype.h:
2782         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2783         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
2784         * wasm/js/WebAssemblyTableConstructor.h:
2785         * wasm/js/WebAssemblyTablePrototype.h:
2786         * wasm/js/WebAssemblyToJSCallee.h:
2787         * yarr/Yarr.h:
2788         * yarr/YarrParser.h:
2789         * yarr/generateYarrCanonicalizeUnicode:
2790
2791 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2792
2793         Follow-up after String.codePointAt optimization
2794         https://bugs.webkit.org/show_bug.cgi?id=201889
2795
2796         Reviewed by Saam Barati.
2797
2798         Follow-up after string.codePointAt DFG / FTL optimizations:
2799
2800         1. Gracefully accept arguments more than expected for intrinsics
2801         2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.
2802
2803         * dfg/DFGByteCodeParser.cpp:
2804         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2805
2806 2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>
2807
2808         Change WebAssembly calling conventions
2809         https://bugs.webkit.org/show_bug.cgi?id=201799
2810
2811         Reviewed by Saam Barati.
2812
2813         Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
2814         we have the Wasm interpreter, since we need the callee in order to know which function we are executing.
2815         This patch changes the calling conventions in preparation for the interpreter, so that the caller
2816         becomes responsible for writing the callee into the call frame.
2817         However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
2818         generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
2819         code when we know statically who the callee is:
2820         - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
2821         - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry
2822
2823         Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping
2824         of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.
2825
2826         * CMakeLists.txt:
2827         * JavaScriptCore.xcodeproj/project.pbxproj:
2828         * wasm/WasmAirIRGenerator.cpp:
2829         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2830         (JSC::Wasm::AirIRGenerator::addCall):
2831         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2832         (JSC::Wasm::parseAndCompileAir):
2833         * wasm/WasmAirIRGenerator.h:
2834         * wasm/WasmB3IRGenerator.cpp:
2835         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2836         (JSC::Wasm::B3IRGenerator::addCall):
2837         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2838         (JSC::Wasm::parseAndCompile):
2839         * wasm/WasmB3IRGenerator.h:
2840         * wasm/WasmBBQPlan.cpp:
2841         (JSC::Wasm::BBQPlan::BBQPlan):
2842         (JSC::Wasm::BBQPlan::prepare):
2843         (JSC::Wasm::BBQPlan::compileFunctions):
2844         (JSC::Wasm::BBQPlan::complete):
2845         * wasm/WasmBBQPlan.h:
2846         * wasm/WasmBBQPlanInlines.h:
2847         (JSC::Wasm::BBQPlan::initializeCallees):
2848         * wasm/WasmBinding.cpp:
2849         (JSC::Wasm::wasmToWasm):
2850         * wasm/WasmCallee.cpp:
2851         (JSC::Wasm::Callee::Callee):
2852         (JSC::Wasm::repatchMove):
2853         (JSC::Wasm::repatchCall):
2854         (JSC::Wasm::BBQCallee::addCaller):
2855         (JSC::Wasm::BBQCallee::addAndLinkCaller):
2856         (JSC::Wasm::BBQCallee::repatchCallers):
2857         * wasm/WasmCallee.h:
2858         (JSC::Wasm::Callee::entrypoint):
2859         (JSC::Wasm::Callee::code const):
2860         (JSC::Wasm::Callee::calleeSaveRegisters):
2861         * wasm/WasmCallingConvention.h:
2862         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2863         * wasm/WasmCodeBlock.cpp:
2864         (JSC::Wasm::CodeBlock::CodeBlock):
2865         * wasm/WasmCodeBlock.h:
2866         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
2867         (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
2868         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2869         (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
2870         * wasm/WasmEmbedder.h:
2871         * wasm/WasmFormat.h:
2872         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
2873         * wasm/WasmInstance.h:
2874         (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
2875         * wasm/WasmOMGForOSREntryPlan.cpp:
2876         (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
2877         (JSC::Wasm::OMGForOSREntryPlan::work):
2878         * wasm/WasmOMGForOSREntryPlan.h:
2879         * wasm/WasmOMGPlan.cpp:
2880         (JSC::Wasm::OMGPlan::OMGPlan):
2881         (JSC::Wasm::OMGPlan::work):
2882         * wasm/WasmOMGPlan.h:
2883         * wasm/WasmOperations.cpp:
2884         (JSC::Wasm::triggerOMGReplacementCompile):
2885         (JSC::Wasm::doOSREntry):
2886         (JSC::Wasm::triggerOSREntryNow):
2887         * wasm/js/JSToWasm.cpp:
2888         (JSC::Wasm::createJSToWasmWrapper):
2889         * wasm/js/JSToWasm.h:
2890         * wasm/js/WebAssemblyFunction.cpp:
2891         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2892         (JSC::WebAssemblyFunction::create):
2893         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2894         * wasm/js/WebAssemblyFunction.h:
2895         * wasm/js/WebAssemblyModuleRecord.cpp:
2896         (JSC::WebAssemblyModuleRecord::link):
2897         (JSC::WebAssemblyModuleRecord::evaluate):
2898         * wasm/js/WebAssemblyWrapperFunction.cpp:
2899         (JSC::WebAssemblyWrapperFunction::create):
2900
2901 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2902
2903         [JSC] CheckArray+NonArray is not filtering out Array in AI
2904         https://bugs.webkit.org/show_bug.cgi?id=201857
2905         <rdar://problem/54194820>
2906
2907         Reviewed by Keith Miller.
2908
2909         The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
2910         While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
2911         accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
2912         This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.
2913
2914         * dfg/DFGArrayMode.cpp:
2915         (JSC::DFG::ArrayMode::alreadyChecked const):
2916
2917 2019-09-17  Saam Barati  <sbarati@apple.com>
2918
2919         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
2920         https://bugs.webkit.org/show_bug.cgi?id=201853
2921         <rdar://problem/53805461>
2922
2923         Reviewed by Yusuke Suzuki.
2924
2925         We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
2926         out SlowPutArrayStorage. It does no such thing. We just check that the object
2927         is either ScopedArguments or DirectArguments.
2928
2929         * dfg/DFGArrayMode.h:
2930         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2931         (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
2932         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
2933
2934 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
2935
2936         Wasm StreamingParser should validate that number of functions matches number of declarations
2937         https://bugs.webkit.org/show_bug.cgi?id=201850
2938         <rdar://problem/55290186>
2939
2940         Reviewed by Yusuke Suzuki.
2941
2942         Currently, when parsing the code section, we check that the number of functions matches the number
2943         of declarations in the function section. However, that check is never performed if the module does
2944         not have a code section. To fix that, we perform the check again in StreamingParser::finalize.
2945
2946         * wasm/WasmStreamingParser.cpp:
2947         (JSC::Wasm::StreamingParser::finalize):
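
As an added example that is not part of this ChangeLog or of WebKit's code, the constructed modules below exercise the same declaration/body count check from the embedder side through WebAssembly.validate; the section and buildModule helpers are this example's own assumptions.

```javascript
// Added example (not WebKit code): three hand-built Wasm binaries that differ only
// in whether the number of function bodies matches the number of declarations.
const WASM_HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm" + version 1

// Section builder constructed for this example; it only supports single-byte LEB128 sizes.
function section(id, payload) {
  if (payload.length > 127) throw new Error("example only supports payloads shorter than 128 bytes");
  return [id, payload.length, ...payload];
}

const TYPE_SECTION = section(0x01, [0x01, 0x60, 0x00, 0x00]);         // one type: () -> ()
const FUNCTION_SECTION = section(0x03, [0x01, 0x00]);                 // declares 1 function of type 0
const CODE_SECTION_ONE_BODY = section(0x0a, [0x01, 0x02, 0x00, 0x0b]); // 1 body: no locals, `end`
const CODE_SECTION_EMPTY = section(0x0a, [0x00]);                     // 0 bodies

function buildModule(...sections) {
  return new Uint8Array([...WASM_HEADER, ...sections.flat()]);
}

// One declaration, one body: a well-formed module.
function consistentModule() {
  return buildModule(TYPE_SECTION, FUNCTION_SECTION, CODE_SECTION_ONE_BODY);
}

// One declaration but no code section at all: the case the finalize() check covers.
function missingCodeSectionModule() {
  return buildModule(TYPE_SECTION, FUNCTION_SECTION);
}

// One declaration but a code section with zero bodies: caught while parsing the code section.
function countMismatchModule() {
  return buildModule(TYPE_SECTION, FUNCTION_SECTION, CODE_SECTION_EMPTY);
}

// Returns true only when the engine's validator accepts the binary.
function isValid(bytes) {
  return WebAssembly.validate(bytes);
}
```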
2948
2949 2019-09-16  Michael Saboff  <msaboff@apple.com>
2950
2951         [JSC] Perform check again when we found non-BMP characters
2952         https://bugs.webkit.org/show_bug.cgi?id=201647
2953
2954         Reviewed by Yusuke Suzuki.
2955
2956         We need to check for end of input for non-BMP characters when matching a character class that contains
2957         both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
2958         end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
2959         After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
2960         label to back out the index++ for the first surrogate of the non-BMP character.
2961
2962         Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
2963         first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
2964         we increment for the second surrogate.
2965
2966         While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the
2967         loop to check the count at loop top instead of loop bottom.
2968
2969         * yarr/YarrJIT.cpp:
2970         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2971         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2972         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2973         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2974         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2975
2976 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
2977
2978         [JSC] Add missing syntax errors for await in function parameter default expressions
2979         https://bugs.webkit.org/show_bug.cgi?id=201615
2980
2981         Reviewed by Darin Adler.
2982
2983         This patch rectifies two oversights:
2984           1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
2985              (and likewise for async arrow functions).
2986           2. We were not prohibiting `(x = await => {}) => {}` in an async context
2987              (regardless of parentheses, but note that this one *only* applies to arrow functions).
2988
2989         * parser/Parser.cpp:
2990         (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
2991         (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
2992         (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
2993         (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).
2994
2995 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
2996
2997         SamplingProfiler should hold API lock before reporting results
2998         https://bugs.webkit.org/show_bug.cgi?id=201829
2999
3000         Reviewed by Yusuke Suzuki.
3001
3002         Right now, the SamplingProfiler crashes in debug builds when trying
3003         to report results if it finds a JSFunction on the stack that doesn't have
3004         RareData. It tries to allocate the function's rare data when we call
3005         getOwnPropertySlot in order to get the function's name, but that fails
3006         because we are not holding the VM's API lock. We fix it by just holding
3007         the lock before reporting the results.
3008
3009         * runtime/SamplingProfiler.cpp:
3010         (JSC::SamplingProfiler::reportDataToOptionFile):
3011
3012 2019-09-16  David Kilzer  <ddkilzer@apple.com>
3013
3014         [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
3015         <https://webkit.org/b/201804>
3016
3017         Reviewed by Saam Barati.
3018
3019         * b3/testb3_8.cpp:
3020         (testFastForwardCopy32): Allocate arrays using
3021         WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
3022         statements.
3023
3024 2019-09-16  Saam Barati  <sbarati@apple.com>
3025
3026         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
3027         https://bugs.webkit.org/show_bug.cgi?id=200386
3028         <rdar://problem/53854946>
3029
3030         Reviewed by Yusuke Suzuki.
3031
3032         We used to ignore '__proto__' in putInlineSlow when the object in question
3033         was Proxy. There is no reason for this, and it goes against the spec. So
3034         I've removed that condition. This also has the effect that it fixes an
3035         assertion firing inside our inline caching code which dictates that for a
3036         property replace that the base value's structure must be equal to the
3037         structure when we grabbed the structure prior to the put operation.
3038         The old code caused a weird edge case where we broke this invariant.
3039
3040         * runtime/JSObject.cpp:
3041         (JSC::JSObject::putInlineSlow):
3042
3043 2019-09-15  David Kilzer  <ddkilzer@apple.com>
3044
3045         Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
3046         <https://webkit.org/b/201803>
3047
3048         Reviewed by Dan Bernstein.
3049
3050         * API/JSVirtualMachine.mm:
3051         (-[JSVirtualMachine addManagedReference:withOwner:]): Use
3052         RetainPtr<> to fix the leak.
3053
3054 2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
3055
3056         Retire x86 32bit JIT support
3057         https://bugs.webkit.org/show_bug.cgi?id=201790
3058
3059         Reviewed by Mark Lam.
3060
3061         Now, Xcode no longer has the ability to build 32-bit binaries, so we cannot even test it on macOS.
3062         Fedora has stopped shipping an x86 32-bit kernel. Our x86/x86_64 JIT requires SSE2, so such relatively modern CPUs
3063         can use the JIT by switching from x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
3064         WebKit already disabled the x86 JIT by default while the implementation exists. So literally, it is not tested.
3065
3066         While x86 32-bit becomes less useful, the x86 32-bit JIT backend is very complicated and is a major maintenance burden.
3067         This is due to the very small number of registers, which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.
3068
3069         This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo,
3070         MachineContext information since they are useful even though JIT is not supported.
3071
3072         * dfg/DFGArrayMode.cpp:
3073         (JSC::DFG::ArrayMode::refine const):
3074         * dfg/DFGByteCodeParser.cpp:
3075         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3076         (JSC::DFG::ByteCodeParser::parseBlock):
3077         * dfg/DFGFixupPhase.cpp:
3078         (JSC::DFG::FixupPhase::fixupNode):
3079         * dfg/DFGJITCompiler.cpp:
3080         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3081         * dfg/DFGOSRExitCompilerCommon.cpp:
3082         (JSC::DFG::osrWriteBarrier):
3083         * dfg/DFGSpeculativeJIT.cpp:
3084         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3085         (JSC::DFG::SpeculativeJIT::compileArithMod):
3086         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3087         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
3088         * dfg/DFGSpeculativeJIT.h:
3089         * dfg/DFGSpeculativeJIT32_64.cpp:
3090         (JSC::DFG::SpeculativeJIT::emitCall):
3091         (JSC::DFG::SpeculativeJIT::compile):
3092         * dfg/DFGThunks.cpp:
3093         (JSC::DFG::osrExitGenerationThunkGenerator):
3094         * ftl/FTLThunks.cpp:
3095         (JSC::FTL::slowPathCallThunkGenerator):
3096         * jit/AssemblyHelpers.cpp:
3097         (JSC::AssemblyHelpers::callExceptionFuzz):
3098         (JSC::AssemblyHelpers::debugCall):
3099         * jit/AssemblyHelpers.h:
3100         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
3101         * jit/CCallHelpers.h:
3102         (JSC::CCallHelpers::setupArgumentsImpl):
3103         (JSC::CCallHelpers::prepareForTailCallSlow):
3104         * jit/CallFrameShuffler.cpp:
3105         (JSC::CallFrameShuffler::prepareForTailCall):
3106         * jit/JIT.cpp:
3107         (JSC::JIT::privateCompileExceptionHandlers):
3108         * jit/JITArithmetic32_64.cpp:
3109         (JSC::JIT::emit_op_mod):
3110         (JSC::JIT::emitSlow_op_mod):
3111         * jit/SlowPathCall.h:
3112         (JSC::JITSlowPathCall::call):
3113         * jit/ThunkGenerators.cpp:
3114         (JSC::nativeForGenerator):
3115         (JSC::arityFixupGenerator):
3116         * wasm/WasmAirIRGenerator.cpp:
3117         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
3118         * yarr/YarrJIT.cpp:
3119         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3120         (JSC::Yarr::YarrGenerator::generateEnter):
3121         (JSC::Yarr::YarrGenerator::generateReturn):
3122         (JSC::Yarr::YarrGenerator::compile):
3123         * yarr/YarrJIT.h:
3124
3125 2019-09-13  Mark Lam  <mark.lam@apple.com>
3126
3127         jsc -d stopped working.
3128         https://bugs.webkit.org/show_bug.cgi?id=201787
3129
3130         Reviewed by Joseph Pecoraro.
3131
3132         The reason is that, in this case, the jsc shell is trying to set an option
3133         after the VM has been instantiated.  The fix is simply to move all options
3134         initialization before the VM is instantiated.
3135
3136         * jsc.cpp:
3137         (runWithOptions):
3138         (jscmain):
3139
3140 2019-09-13  Mark Lam  <mark.lam@apple.com>
3141
3142         watchOS requires PageSize alignment of 16K for JSC::Config.
3143         https://bugs.webkit.org/show_bug.cgi?id=201786
3144         <rdar://problem/55357890>
3145
3146         Reviewed by Yusuke Suzuki.
3147
3148         * runtime/JSCConfig.h:
3149
3150 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
3151
3152         Unreviewed, follow-up fix after r249842
3153         https://bugs.webkit.org/show_bug.cgi?id=201750
3154
3155         Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.
3156
3157         * assembler/MacroAssemblerARM64.h:
3158         (JSC::MacroAssemblerARM64::nearCall):
3159         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
3160
3161 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
3162
3163         Date.prototype.toJSON does not execute steps 1-2
3164         https://bugs.webkit.org/show_bug.cgi?id=105282
3165
3166         Reviewed by Ross Kirsling.
3167
3168         According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
3169         strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
3170         using sloppy mode semantics, resulting in `toISOString` being called on the global object if `this`
3171         value equals `null` or `undefined`.
3172
3173         * runtime/DatePrototype.cpp:
3174         (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
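
The following is an added example, not code from this ChangeLog or from WebKit, showing the observable difference strict `this` resolution makes for Date.prototype.toJSON; the global canary and the probeToJSON helper are constructed for this example.

```javascript
// Added example (not WebKit code): spec steps 1-4 of Date.prototype.toJSON as seen from script.
// A canary on the global object: with the sloppy-mode bug described above, a nullish receiver
// would resolve to globalThis and this function would be invoked instead of a TypeError.
globalThis.toISOString = () => "global toISOString was reached";

const toJSON = Date.prototype.toJSON;

// Calls toJSON with an explicit receiver and reports either the result or the error type.
function probeToJSON(receiver) {
  try {
    return { result: toJSON.call(receiver) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

function toJSONOnNullish() {
  // Step 1: ToObject(this value) throws for undefined/null before the canary can be reached.
  return [probeToJSON(undefined), probeToJSON(null)];
}

function toJSONOnNonDate() {
  // Steps 2-4: ToPrimitive(O, number), then Invoke(O, "toISOString"); any object works.
  return probeToJSON({ valueOf: () => 42, toISOString: () => "custom" });
}

function toJSONOnNonFinite() {
  // Step 3: a non-finite numeric time value yields null and toISOString is never consulted.
  return [
    probeToJSON(new Date(NaN)),
    probeToJSON({ valueOf: () => Infinity, toISOString: () => "never" }),
  ];
}

function toJSONOnPrimitiveReceiver() {
  // ToObject wraps a primitive; a Number wrapper has no toISOString, so Invoke throws.
  return probeToJSON(12345);
}
```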
3175
3176 2019-09-13  Mark Lam  <mark.lam@apple.com>
3177
3178         performJITMemcpy() should do its !Gigacage assertion on exit.
3179         https://bugs.webkit.org/show_bug.cgi?id=201780
3180         <rdar://problem/55354867>
3181
3182         Reviewed by Robin Morisset.
3183
3184         Re-doing previous fix.
3185
3186         * jit/ExecutableAllocator.h:
3187         (JSC::performJITMemcpy):
3188         (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
3189         (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.
3190
3191 2019-09-13  Mark Lam  <mark.lam@apple.com>
3192
3193         performJITMemcpy() should do its !Gigacage assertion on exit.
3194         https://bugs.webkit.org/show_bug.cgi?id=201780
3195         <rdar://problem/55354867>
3196
3197         Reviewed by Robin Morisset.
3198
3199         * jit/ExecutableAllocator.h:
3200         (JSC::GigacageAssertScope::GigacageAssertScope):
3201         (JSC::GigacageAssertScope::~GigacageAssertScope):
3202         (JSC::performJITMemcpy):
3203
3204 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
3205
3206         [JSC] Micro-optimize YarrJIT's surrogate pair handling
3207         https://bugs.webkit.org/show_bug.cgi?id=201750
3208
3209         Reviewed by Michael Saboff.
3210
3211         Optimize the sequence of machine code used to get a code point with the unicode flag.
3212
3213         * yarr/YarrJIT.cpp:
3214         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
3215
3216 2019-09-13  Mark Lam  <mark.lam@apple.com>
3217
3218         We should assert $vm is enabled on entry and exit in its functions.
3219         https://bugs.webkit.org/show_bug.cgi?id=201762
3220         <rdar://problem/55338742>
3221
3222         Rubber-stamped by Michael Saboff.
3223
3224         1. Also do the same for FunctionOverrides.
3225         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
3226         3. Also added assertions to lambda functions in $vm.
3227
3228         * tools/FunctionOverrides.cpp:
3229         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
3230         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
3231         (JSC::FunctionOverrides::overrides):
3232         (JSC::FunctionOverrides::FunctionOverrides):
3233         (JSC::FunctionOverrides::reinstallOverrides):
3234         (JSC::initializeOverrideInfo):
3235         (JSC::FunctionOverrides::initializeOverrideFor):
3236         (JSC::parseClause):
3237         (JSC::FunctionOverrides::parseOverridesInFile):
3238         * tools/JSDollarVM.cpp:
3239         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
3240         (JSC::JSDollarVMCallFrame::createStructure):
3241         (JSC::JSDollarVMCallFrame::create):
3242         (JSC::JSDollarVMCallFrame::finishCreation):
3243         (JSC::JSDollarVMCallFrame::addProperty):
3244         (JSC::Element::Element):
3245         (JSC::Element::create):
3246         (JSC::Element::visitChildren):
3247         (JSC::Element::createStructure):
3248         (JSC::Root::Root):
3249         (JSC::Root::setElement):
3250         (JSC::Root::create):
3251         (JSC::Root::createStructure):
3252         (JSC::Root::visitChildren):
3253         (JSC::SimpleObject::SimpleObject):
3254         (JSC::SimpleObject::create):
3255         (JSC::SimpleObject::visitChildren):
3256         (JSC::SimpleObject::createStructure):
3257         (JSC::ImpureGetter::ImpureGetter):
3258         (JSC::ImpureGetter::createStructure):
3259         (JSC::ImpureGetter::create):
3260         (JSC::ImpureGetter::finishCreation):
3261         (JSC::ImpureGetter::getOwnPropertySlot):
3262         (JSC::ImpureGetter::visitChildren):
3263         (JSC::CustomGetter::CustomGetter):
3264         (JSC::CustomGetter::createStructure):
3265         (JSC::CustomGetter::create):
3266         (JSC::CustomGetter::getOwnPropertySlot):
3267         (JSC::CustomGetter::customGetter):
3268         (JSC::CustomGetter::customGetterAcessor):
3269         (JSC::RuntimeArray::create):
3270         (JSC::RuntimeArray::destroy):
3271         (JSC::RuntimeArray::getOwnPropertySlot):
3272         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
3273         (JSC::RuntimeArray::createPrototype):
3274         (JSC::RuntimeArray::createStructure):
3275         (JSC::RuntimeArray::finishCreation):
3276         (JSC::RuntimeArray::RuntimeArray):
3277         (JSC::RuntimeArray::lengthGetter):
3278         (JSC::DOMJITNode::DOMJITNode):
3279         (JSC::DOMJITNode::createStructure):
3280         (JSC::DOMJITNode::checkSubClassSnippet):
3281         (JSC::DOMJITNode::create):
3282         (JSC::DOMJITGetter::DOMJITGetter):
3283         (JSC::DOMJITGetter::createStructure):
3284         (JSC::DOMJITGetter::create):
3285         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
3286         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3287         (JSC::DOMJITGetter::customGetter):
3288         (JSC::DOMJITGetter::finishCreation):
3289         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
3290         (JSC::DOMJITGetterComplex::createStructure):
3291         (JSC::DOMJITGetterComplex::create):
3292         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3293         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3294         (JSC::DOMJITGetterComplex::functionEnableException):
3295         (JSC::DOMJITGetterComplex::customGetter):
3296         (JSC::DOMJITGetterComplex::finishCreation):
3297         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
3298         (JSC::DOMJITFunctionObject::createStructure):
3299         (JSC::DOMJITFunctionObject::create):
3300         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
3301         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):