WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-04-29  Darin Adler  <darin@apple.com>

        WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support
        https://bugs.webkit.org/show_bug.cgi?id=195535

        Reviewed by Alexey Proskuryakov.

        * API/JSClassRef.cpp: Removed unneeded include of UTF8Conversion.h.

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16.
        (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8.
        Removed unneeded "true" to get the strict version of convertUTF16ToUTF8,
        since that is the default. Also updated for changes to CompletionResult.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES
        and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP,
        U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own
        equivalents, since these macros from ICU are correct and efficient.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String): Updated for changes to
        convertUTF8ToUTF16.

2019-04-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244806.
        https://bugs.webkit.org/show_bug.cgi?id=197446

        Causing Test262 and JSC test failures on multiple builds
        (Requested by ShawnRoberts on #webkit).

        Reverted changeset:

        "TypeArrays should not store properties that are canonical
        numeric indices"
        https://bugs.webkit.org/show_bug.cgi?id=197228
        https://trac.webkit.org/changeset/244806

2019-04-30  Saam Barati  <sbarati@apple.com>

        CodeBlock::m_instructionCount is wrong
        https://bugs.webkit.org/show_bug.cgi?id=197304

        Reviewed by Yusuke Suzuki.

        What we were calling instructionCount() was wrong, as evidenced by
        us using it incorrectly both in the sampling profiler and when we
        dumped bytecode for a given CodeBlock. Prior to the bytecode rewrite,
        instructionCount() was probably valid to do bounds checks against.
        However, this is no longer the case. This patch renames what we called
        instructionCount() to bytecodeCost(). It is now only used to make decisions
        about inlining and tier up heuristics. I've also named options related to
        this appropriately.

        This patch also introduces instructionsSize(). The result of this method
        is valid to do bounds checks against.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType const):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionsSize const):
        (JSC::CodeBlock::bytecodeCost const):
        (JSC::CodeBlock::instructionCount const): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::getInliningBalance):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::isSmallEnoughToInlineCodeInto):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::tryGetBytecodeIndex):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):

2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>

        TypeArrays should not store properties that are canonical numeric indices
        https://bugs.webkit.org/show_bug.cgi?id=197228
        <rdar://problem/49557381>

        Reviewed by Darin Adler.

        According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty
        if the index is a CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet
        and similar functions. I.e., there are a few properties that should not be set in a TypedArray,
        like NaN, Infinity and -0.

        [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSTypedArrays.cpp:
        * runtime/PropertyName.h:
        (JSC::canonicalNumericIndexString):

2019-04-30  Brian Burg  <bburg@apple.com>

        Web Automation: use a more informative key to indicate automation availability
        https://bugs.webkit.org/show_bug.cgi?id=197377
        <rdar://problem/50258069>

        Reviewed by Devin Rousso.

        The existing WIRAutomationEnabledKey does not encode uncertainty.
        Add a new key that provides an 'Unknown' state, and prefer to use it.

        Since an application's initial listing is sent from a background dispatch queue
        on Cocoa platforms, this can race with main thread initialization that sets up
        RemoteInspector::Client. Therefore, the initial listing may not properly represent
        the client's capabilities because the client is not yet available. Allowing for
        an "Unknown" state that is later upgraded to Available or Not Available makes it
        possible to work around this potential race.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::pushListingsNow):

2019-04-30  Keith Miller  <keith_miller@apple.com>

        Fix failing ARM64E wasm tests
        https://bugs.webkit.org/show_bug.cgi?id=197420

        Reviewed by Saam Barati.

        This patch fixes a bug in the slow path of our JS->Wasm IC bridge
        where we wouldn't untag the link register before tail calling.

        Additionally, this patch fixes a broken assert when setting
        Options::useTailCalls=false.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-04-29  Saam Barati  <sbarati@apple.com>

        Make JITType an enum class
        https://bugs.webkit.org/show_bug.cgi?id=197394

        Reviewed by Yusuke Suzuki.

        This makes the code more easily searchable.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType const):
        (JSC::CodeBlock::specialOSREntryBlockOrNull):
        (JSC::timeToLive):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::noticeIncomingCall):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::frameRegisterCount):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType const):
        (JSC::CodeBlock::hasBaselineJITProfiling const):
        * bytecode/CodeBlockWithJITType.h:
        (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        * bytecode/DeferredSourceDump.h:
        * bytecode/ExitingJITType.h:
        (JSC::exitingJITTypeFor):
        * bytecode/InlineCallFrame.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeAfterWarmUp):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGOperations.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::JITCode):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callSiteBitsAreBytecodeOffset const):
        (JSC::CallFrame::callSiteBitsAreCodeOriginIndex const):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCode.cpp:
        (JSC::JITCode::typeName):
        (WTF::printInternal):
        * jit/JITCode.h:
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        (JSC::JITCode::isExecutableScript):
        (JSC::JITCode::couldBeInterpreted):
        (JSC::JITCode::isJIT):
        (JSC::JITCode::isOptimizingJIT):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::jitTypeFor):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * jit/JITOperations.cpp:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SamplingProfiler.h:
        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):
        * tools/JSDollarVM.cpp:
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix FTL implementation of r244760
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        Looked with Saam. ValueFromBlock from double case block was overridden by NaN thing now.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        Our Map/Set's hash algorithm relies on the bit pattern of JSValue. So our Map/Set has
        normalization of the key, which normalizes Int32 / Double etc. But we did not normalize
        pure NaNs into one canonicalized pure NaN. So we end up having multiple different pure NaNs
        in one Map/Set. This patch normalizes NaN into one jsNaN(), which uses PNaN for the representation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        * runtime/HashMapImpl.h:
        (JSC::normalizeMapKey):
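
The bug described in the entry above, shown in an added example that is not JSC's code: a set keyed on raw double bit patterns treats NaNs with different payloads as different keys until a normalizer collapses them to one pattern. The constant kPureNaNBits, the helper names and the sample keys are assumptions made for this illustration; the example also folds -0 into +0, which goes beyond the entry's NaN case but matches SameValueZero key equality.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_set>
#include <vector>

// Canonical "pure NaN" bit pattern used by the illustrative normalizer below.
// Assumption: a single quiet-NaN encoding stands in for JSC's jsNaN()/PNaN.
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ULL;

// Reinterpret a double as its raw 64-bit pattern and back, without UB.
inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double fromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Key normalization modelled on the ChangeLog entry: every NaN (any payload,
// either sign) collapses to one canonical pattern. -0 is folded into +0 as well,
// since Map/Set key equality is SameValueZero.
inline double normalizeMapKey(double key)
{
    if (std::isnan(key))
        return fromBits(kPureNaNBits);
    if (key == 0.0)
        return 0.0; // -0.0 == 0.0 compares true, so this canonicalizes the sign
    return key;
}

// A set keyed on raw bit patterns, the way a hash that relies on JSValue bits behaves.
// Returns how many distinct keys survive, with or without normalization.
std::size_t distinctKeys(const std::vector<double>& keys, bool normalize)
{
    std::unordered_set<uint64_t> seen;
    for (double key : keys)
        seen.insert(bitsOf(normalize ? normalizeMapKey(key) : key));
    return seen.size();
}

// Constructed sample: three NaNs that differ only in payload or sign bit,
// plus 1.0, +0.0 and -0.0. Without normalization all six are distinct keys;
// with it, only NaN, 1.0 and 0.0 remain.
std::vector<double> sampleKeys()
{
    return {
        fromBits(0x7ff8000000000000ULL), // canonical quiet NaN
        fromBits(0x7ff8000000000001ULL), // quiet NaN with a payload bit set
        fromBits(0xfff8000000000000ULL), // quiet NaN with the sign bit set
        1.0,
        0.0,
        -0.0,
    };
}
```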

2019-04-29  Alex Christensen  <achristensen@webkit.org>

        <rdar://problem/50299396> Fix internal High Sierra build
        https://bugs.webkit.org/show_bug.cgi?id=197388

        * Configurations/Base.xcconfig:

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        JITStubRoutineSet wastes 180KB of HashTable capacity on can.com
        https://bugs.webkit.org/show_bug.cgi?id=186732

        Reviewed by Saam Barati.

        Our current mechanism of JITStubRoutineSet consumes more memory than needed. Basically we have HashMap<uintptr_t, StubRoutine*> and register
        each executable address by 16 bytes to this entry. So if your StubRoutine has 128 bytes, it just adds 8 entries to this hash table.
        In Gmail, we see a ~2MB table size.

        Instead, this patch uses Vector<pair<uintptr_t, StubRoutine*>> and performs binary search onto this sorted vector. Before conservative
        scanning, we sort this vector. Then we do a binary search on the sorted vector to find executing stub routines from the conservative roots.
        This vector includes uintptr_t startAddress to make binary searching fast.

        A large amount of the conservative scan should be filtered by the range check, so I think binary search here is OK, but we can decide based on what the
        performance bots say.

        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/JITStubRoutineSet.cpp:
        (JSC::JITStubRoutineSet::~JITStubRoutineSet):
        (JSC::JITStubRoutineSet::add):
        (JSC::JITStubRoutineSet::prepareForConservativeScan):
        (JSC::JITStubRoutineSet::clearMarks):
        (JSC::JITStubRoutineSet::markSlow):
        (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
        (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::mark):
        (JSC::JITStubRoutineSet::prepareForConservativeScan):
        (JSC::JITStubRoutineSet::size const): Deleted.
        (JSC::JITStubRoutineSet::at const): Deleted.
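
The sorted-vector lookup described in the entry above, as an added illustration rather than JSC's JITStubRoutineSet: routines are recorded by start address, sorted once before the conservative scan, and a candidate word is first rejected by a cheap range check and only then resolved by binary search. The StubRoutine struct, the member names and the constructed addresses are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <utility>
#include <vector>

// Constructed stand-in for a JIT stub routine: the executable range it owns.
struct StubRoutine {
    StubRoutine(uintptr_t start, uintptr_t end) : startAddress(start), endAddress(end), marked(false) {}
    uintptr_t startAddress;
    uintptr_t endAddress; // exclusive
    bool marked;
};

// Sorted vector of (startAddress, routine) pairs searched by binary search, in place
// of a hash table with one entry per 16-byte slot. Method names follow the ChangeLog
// entry, but this class is an illustration, not JSC's JITStubRoutineSet.
class StubRoutineSet {
public:
    using Entry = std::pair<uintptr_t, StubRoutine*>;

    void add(StubRoutine* routine)
    {
        m_routines.emplace_back(routine->startAddress, routine);
        m_sorted = false;
    }

    // Sort once before conservative scanning and record the overall range, so that
    // most conservative roots are rejected without touching the vector.
    void prepareForConservativeScan()
    {
        std::sort(m_routines.begin(), m_routines.end(),
            [](const Entry& a, const Entry& b) { return a.first < b.first; });
        m_sorted = true;
        m_rangeStart = m_routines.empty() ? 0 : m_routines.front().first;
        m_rangeEnd = 0;
        for (const Entry& entry : m_routines)
            m_rangeEnd = std::max(m_rangeEnd, entry.second->endAddress);
    }

    // Given a word seen by the conservative scanner, mark the routine whose code
    // range contains it. Returns whether any routine was marked.
    bool mark(uintptr_t candidate)
    {
        if (!m_sorted || m_routines.empty())
            return false;
        if (candidate < m_rangeStart || candidate >= m_rangeEnd)
            return false; // fast path: almost every conservative root ends here
        // First entry whose start is strictly greater than the candidate; only the
        // entry before it can contain the address.
        auto it = std::upper_bound(m_routines.begin(), m_routines.end(), candidate,
            [](uintptr_t value, const Entry& entry) { return value < entry.first; });
        if (it == m_routines.begin())
            return false;
        StubRoutine* routine = std::prev(it)->second;
        if (candidate >= routine->endAddress)
            return false; // falls in a gap between two routines
        routine->marked = true;
        return true;
    }

    std::size_t markedCount() const
    {
        std::size_t n = 0;
        for (const Entry& entry : m_routines)
            n += entry.second->marked ? 1 : 0;
        return n;
    }

private:
    std::vector<Entry> m_routines;
    bool m_sorted = false;
    uintptr_t m_rangeStart = 0;
    uintptr_t m_rangeEnd = 0;
};
```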

2019-04-29  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [Win] Add flag to enable version information stamping and disable by default.
        https://bugs.webkit.org/show_bug.cgi?id=197249
        <rdar://problem/50224412>

        Reviewed by Ross Kirsling.

        This feature is only used in the AppleWin port. Add a flag for this task and make it OFF by default.
        Then enable it by default on AppleWin.

        * CMakeLists.txt:

2019-04-26  Keith Rollin  <krollin@apple.com>

        Enable new build rule for post-processing headers when using XCBuild
        https://bugs.webkit.org/show_bug.cgi?id=197340
        <rdar://problem/50226685>

        Reviewed by Brent Fulgham.

        In Bug 197116, we conditionally disabled the old method for
        post-processing header files when we are using the new XCBuild build
        system. This check-in conditionally enables the new post-processing
        facility. Note that the old system is disabled and the new system
        enabled only when the USE_NEW_BUILD_SYSTEM environment variable is set
        to YES.

        * Configurations/JavaScriptCore.xcconfig:

2019-04-26  Jessie Berlin  <jberlin@webkit.org>

        Add new mac target numbers
        https://bugs.webkit.org/show_bug.cgi?id=197313

        Reviewed by Alex Christensen.

        * Configurations/Version.xcconfig:
        * Configurations/WebKitTargetConditionals.xcconfig:

2019-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244708.
        https://bugs.webkit.org/show_bug.cgi?id=197334

        "Broke the debug build" (Requested by rmorisset on #webkit).

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/244708

2019-04-26  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Add WEBKIT_EXECUTABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=197206

        Reviewed by Konstantin Tokarev.

        Migrate to WEBKIT_EXECUTABLE for the jsc and test targets.

        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * dfg/testdfg.cpp:
        * shell/CMakeLists.txt:
        * shell/PlatformGTK.cmake:
        * shell/PlatformJSCOnly.cmake: Removed.
        * shell/PlatformMac.cmake:
        * shell/PlatformPlayStation.cmake:
        * shell/PlatformWPE.cmake:
        * shell/PlatformWin.cmake:

2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] linkPolymorphicCall now does GC
        https://bugs.webkit.org/show_bug.cgi?id=197306

        Reviewed by Saam Barati.

        Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
        But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
        does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
        We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
        caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.

        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2019-04-26  Robin Morisset  <rmorisset@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor.

        I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
        create structures with invalid prototypes.
        It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
        Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.

        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::isValidPrototype):
        (JSC::Structure::changePrototypeTransition):
        * runtime/Structure.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::WebAssemblyModulePrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::WebAssemblyTablePrototype::finishCreation):

2019-04-26  Don Olmstead  <don.olmstead@sony.com>

        Add WTF::findIgnoringASCIICaseWithoutLength to replace strcasestr
        https://bugs.webkit.org/show_bug.cgi?id=197291

        Reviewed by Konstantin Tokarev.

        Replace uses of strcasestr with WTF::findIgnoringASCIICaseWithoutLength.

        * API/tests/testapi.cpp:
        * assembler/testmasm.cpp:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * dfg/testdfg.cpp:
        * dynbench.cpp:

2019-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r244669.

        Windows ports can't clean build.

        Reverted changeset:

        "[Win] Add flag to enable version information stamping and
        disable by default."
        https://bugs.webkit.org/show_bug.cgi?id=197249
        https://trac.webkit.org/changeset/244669

2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [Win] Add flag to enable version information stamping and disable by default.
        https://bugs.webkit.org/show_bug.cgi?id=197249

        Reviewed by Ross Kirsling.

        This feature is only used in the AppleWin port. Add a flag for this task and make it OFF by default.
        Then enable it by default on AppleWin.

        * CMakeLists.txt:

2019-04-25  Timothy Hatcher  <timothy@apple.com>

        Disable date and time inputs on iOSMac.
        https://bugs.webkit.org/show_bug.cgi?id=197287
        rdar://problem/46794376

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2019-04-25  Alex Christensen  <achristensen@webkit.org>

        Fix more builds after r244653
        https://bugs.webkit.org/show_bug.cgi?id=197131

        * b3/B3Value.h:
        There is an older system with libc++ headers that don't have std::conjunction. Just use constexpr and && instead for the one use of it in WebKit.

2019-04-25  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [RemoteInspector] Fix connection and target identifier types.
        https://bugs.webkit.org/show_bug.cgi?id=197243

        Reviewed by Ross Kirsling.

        Give a dedicated type for RemoteControllableTarget's identifier as Inspector::TargetID.

        Also rename the ClientID type used in the Socket backend to ConnectionID because this is the identifier
        the socket endpoint assigns to the newly created connection. The size was changed to uint32_t,
        which is enough for managing connections.

        * inspector/remote/RemoteConnectionToTarget.cpp:
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        (Inspector::RemoteConnectionToTarget::targetIdentifier const):
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
        (Inspector::RemoteInspector::registerTarget):
        (Inspector::RemoteInspector::unregisterTarget):
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupCompleted):
        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        (Inspector::RemoteInspector::updateTargetListing):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::targetIdentifier const):
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedCloseMessage):
        (Inspector::RemoteInspector::setup):
        (Inspector::RemoteInspector::sendMessageToTarget):
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
        (Inspector::RemoteInspectorConnectionClient::didReceiveWebInspectorEvent):
        * inspector/remote/socket/RemoteInspectorConnectionClient.h:
        (Inspector::RemoteInspectorConnectionClient::didAccept):
        * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
        (Inspector::MessageParser::MessageParser):
        (Inspector::MessageParser::parse):
        * inspector/remote/socket/RemoteInspectorMessageParser.h:
        (Inspector::MessageParser::setDidParseMessageListener):
        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::didAccept):
        (Inspector::RemoteInspectorServer::didClose):
        (Inspector::RemoteInspectorServer::dispatchMap):
        (Inspector::RemoteInspectorServer::sendWebInspectorEvent):
        (Inspector::RemoteInspectorServer::sendCloseEvent):
        (Inspector::RemoteInspectorServer::connectionClosed):
        * inspector/remote/socket/RemoteInspectorServer.h:
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::didClose):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::setup):
        (Inspector::RemoteInspector::sendMessageToTarget):
        * inspector/remote/socket/RemoteInspectorSocket.h:
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::connectInet):
        (Inspector::RemoteInspectorSocketEndpoint::isListening):
        (Inspector::RemoteInspectorSocketEndpoint::workerThread):
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
        (Inspector::RemoteInspectorSocketEndpoint::send):
        (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:

703 2019-04-25  Alex Christensen  <achristensen@webkit.org>
704
705         Start using C++17
706         https://bugs.webkit.org/show_bug.cgi?id=197131
707
708         Reviewed by Darin Adler.
709
710         * Configurations/Base.xcconfig:
711
712 2019-04-25  Alex Christensen  <achristensen@webkit.org>
713
714         Remove DeprecatedOptional
715         https://bugs.webkit.org/show_bug.cgi?id=197161
716
717         Reviewed by Darin Adler.
718
719         We need to keep a symbol exported from JavaScriptCore for binary compatibility with iOS12.
720         We need this symbol to be in a file that doesn't include anything because libcxx's implementation of
721         std::optional is actually std::__1::optional, which has a different mangled name.  This change will
722         prevent protocol errors from being reported if you are running the iOS12 simulator with a custom build of WebKit
723         and using the web inspector with it, but it's necessary to allow us to start using C++17 in WebKit.
724
725         * JavaScriptCore.xcodeproj/project.pbxproj:
726         * inspector/InspectorBackendDispatcher.cpp:
727         * inspector/InspectorBackendDispatcher.h:
728         * inspector/InspectorBackendDispatcherCompatibility.cpp: Added.
729         (Inspector::BackendDispatcher::reportProtocolError):
730         * inspector/InspectorBackendDispatcherCompatibility.h: Added.
731
732 2019-04-24  Saam Barati  <sbarati@apple.com>
733
734         Add SPI callbacks for before and after module execution
735         https://bugs.webkit.org/show_bug.cgi?id=197244
736         <rdar://problem/50180511>
737
738         Reviewed by Yusuke Suzuki.
739
740         This is helpful for clients that want to profile execution of modules
741         in some way. E.g, if they want to time module execution time.
742
743         * API/JSAPIGlobalObject.h:
744         * API/JSAPIGlobalObject.mm:
745         (JSC::JSAPIGlobalObject::moduleLoaderEvaluate):
746         * API/JSContextPrivate.h:
747         * API/tests/testapi.mm:
748         (+[JSContextFetchDelegate contextWithBlockForFetch:]):
749         (-[JSContextFetchDelegate willEvaluateModule:]):
750         (-[JSContextFetchDelegate didEvaluateModule:]):
751         (testFetch):
752         (testFetchWithTwoCycle):
753         (testFetchWithThreeCycle):
754         (testLoaderResolvesAbsoluteScriptURL):
755         (testLoaderRejectsNilScriptURL):
756         * runtime/JSModuleLoader.cpp:
757         (JSC::JSModuleLoader::evaluate):
758         (JSC::JSModuleLoader::evaluateNonVirtual):
759         * runtime/JSModuleLoader.h:
760
761 2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>
762
763         [JSC] Shrink DFG::MinifiedNode
764         https://bugs.webkit.org/show_bug.cgi?id=197224
765
766         Reviewed by Filip Pizlo.
767
768         Since it is kept alive with compiled DFG code, we should shrink it to save memory.
769         If it is effective, we should consider minimizing these OSR exit data more aggressively.
770
771         * dfg/DFGMinifiedNode.h:
772
773 2019-04-23  Saam Barati  <sbarati@apple.com>
774
775         LICM incorrectly assumes it'll never insert a node which provably OSR exits
776         https://bugs.webkit.org/show_bug.cgi?id=196721
777         <rdar://problem/49556479> 
778
779         Reviewed by Filip Pizlo.
780
781         Previously, we assumed LICM could never hoist code that caused us
782         to provably OSR exit. This is a bad assumption, as we may very well
783         hoist such code. Obviously hoisting such code is not ideal. We shouldn't
784         hoist something we provably know will OSR exit. However, this is super rare,
785         and the phase is written in such a way that it's easier to gracefully
786         handle this case than to prevent us from hoisting such code.
787         
788         If we wanted to ensure we never hoisted code that would provably exit, we'd
789         have to teach the phase to know when it inserted code that provably exits. I
790         saw two ways to do that:
791         1: Save and restore the AI state before actually hoisting.
792         2: Write an analysis that can determine if such a node would exit.
793         
794         (1) is bad because it costs in memory and compile time. (2) will inevitably
795         have bugs as running into this condition is rare.
796         
797         So instead of (1) or (2), I opted to have LICM gracefully handle when
798         it causes a provable exit. When we encounter this, we mark all blocks
799         in the loop as !cfaHasVisited and !cfaDidFinish.
800
801         * dfg/DFGLICMPhase.cpp:
802         (JSC::DFG::LICMPhase::attemptHoist):
803
804 2019-04-23  Yusuke Suzuki  <ysuzuki@apple.com>
805
806         [JSC] Use node index as DFG::MinifiedID
807         https://bugs.webkit.org/show_bug.cgi?id=197186
808
809         Reviewed by Saam Barati.
810
811         DFG Nodes can be identified by index if the graph is given. We should use an unsigned index as a DFG::MinifiedID's underlying
812         source instead of Node* to reduce the size of VariableEvent from 16 to 12. Vector<VariableEvent> is the main data in DFG's OSR
813         tracking. It is kept after DFG compilation is done to make OSR work. We saw that this is allocated with a large size in GMail.
814
815         * JavaScriptCore.xcodeproj/project.pbxproj:
816         * bytecode/DataFormat.h:
817         * bytecode/ValueRecovery.h:
818         * dfg/DFGGenerationInfo.h:
819         * dfg/DFGMinifiedID.h:
820         (JSC::DFG::MinifiedID::MinifiedID):
821         (JSC::DFG::MinifiedID::operator! const):
822         (JSC::DFG::MinifiedID::operator== const):
823         (JSC::DFG::MinifiedID::operator!= const):
824         (JSC::DFG::MinifiedID::operator< const):
825         (JSC::DFG::MinifiedID::operator> const):
826         (JSC::DFG::MinifiedID::operator<= const):
827         (JSC::DFG::MinifiedID::operator>= const):
828         (JSC::DFG::MinifiedID::hash const):
829         (JSC::DFG::MinifiedID::dump const):
830         (JSC::DFG::MinifiedID::isHashTableDeletedValue const):
831         (JSC::DFG::MinifiedID::fromBits):
832         (JSC::DFG::MinifiedID::bits const):
833         (JSC::DFG::MinifiedID::invalidIndex):
834         (JSC::DFG::MinifiedID::otherInvalidIndex):
835         (JSC::DFG::MinifiedID::node const): Deleted.
836         (JSC::DFG::MinifiedID::invalidID): Deleted.
837         (JSC::DFG::MinifiedID::otherInvalidID): Deleted.
838         * dfg/DFGMinifiedIDInlines.h: Copied from Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp.
839         (JSC::DFG::MinifiedID::MinifiedID):
840         * dfg/DFGMinifiedNode.cpp:
841         * dfg/DFGValueSource.h:
842         (JSC::DFG::ValueSource::ValueSource):
843         * dfg/DFGVariableEvent.h:
844         (JSC::DFG::VariableEvent::dataFormat const):
845
846 2019-04-23  Keith Rollin  <krollin@apple.com>
847
848         Add Xcode version check for Header post-processing scripts
849         https://bugs.webkit.org/show_bug.cgi?id=197116
850         <rdar://problem/50058968>
851
852         Reviewed by Brent Fulgham.
853
854         There are several places in our Xcode projects that post-process
855         header files after they've been exported. Because of XCBuild, we're
856         moving to a model where the post-processing is performed at the same
857         time the header files are exported, rather than as a distinct
858         post-processing step. This patch disables the distinct step when the
859         inline processing is available.
860
861         In practice, this means prefixing appropriate post-processing Custom
862         Build phases with:
863
864         if [ "${XCODE_VERSION_MAJOR}" -ge "1100" -a "${USE_NEW_BUILD_SYSTEM}" = "YES" ]; then
865             # In this configuration, post-processing is performed at the same time as copying in the postprocess-header-rule script, so there's no need for this separate step.
866             exit 0
867         fi
868
869         * JavaScriptCore.xcodeproj/project.pbxproj:
870
871 2019-04-23  Commit Queue  <commit-queue@webkit.org>
872
873         Unreviewed, rolling out r244558.
874         https://bugs.webkit.org/show_bug.cgi?id=197219
875
876         Causing crashes on iOS Sim Release and Debug (Requested by
877         ShawnRoberts on #webkit).
878
879         Reverted changeset:
880
881         "Remove DeprecatedOptional"
882         https://bugs.webkit.org/show_bug.cgi?id=197161
883         https://trac.webkit.org/changeset/244558
884
885 2019-04-23  Devin Rousso  <drousso@apple.com>
886
887         Web Inspector: Uncaught Exception: null is not an object (evaluating 'this.ownerDocument.frameIdentifier')
888         https://bugs.webkit.org/show_bug.cgi?id=196420
889         <rdar://problem/49444205>
890
891         Reviewed by Timothy Hatcher.
892
893         * inspector/protocol/DOM.json:
894         Modify the existing `frameId` to represent the owner frame of the node, rather than the
895         frame it holds (in the case of an `<iframe>`).
896
897 2019-04-23  Alex Christensen  <achristensen@webkit.org>
898
899         Remove DeprecatedOptional
900         https://bugs.webkit.org/show_bug.cgi?id=197161
901
902         Reviewed by Darin Adler.
903
904         * inspector/InspectorBackendDispatcher.cpp:
905         * inspector/InspectorBackendDispatcher.h:
906
907 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
908
909         [JSC] Use volatile load to populate backing page in MarkedBlock::Footer instead of using holdLock
910         https://bugs.webkit.org/show_bug.cgi?id=197152
911
912         Reviewed by Saam Barati.
913
914         Emit volatile load instead of using holdLock to populate backing page in MarkedBlock::Footer.
915
916         * heap/BlockDirectory.cpp:
917         (JSC::BlockDirectory::isPagedOut):
918         * heap/MarkedBlock.h:
919         (JSC::MarkedBlock::populatePage const):
920
921 2019-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
922
923         [JSC] useJIT should subsume useRegExpJIT
924         https://bugs.webkit.org/show_bug.cgi?id=197153
925
926         Reviewed by Alex Christensen.
927
928         useJIT should subsume useRegExpJIT. We should immediately disable JIT feature if useJIT = false,
929         even if useRegExpJIT is true.
930
931         * dfg/DFGCapabilities.cpp:
932         (JSC::DFG::isSupported):
933         * runtime/Options.cpp:
934         (JSC::recomputeDependentOptions):
935         * runtime/RegExp.cpp:
936         (JSC::RegExp::compile):
937         (JSC::RegExp::compileMatchOnly):
938         * runtime/VM.cpp:
939         (JSC::enableAssembler):
940         (JSC::VM::canUseRegExpJIT): Deleted.
941         * runtime/VM.h:
942
943 2019-04-22  Basuke Suzuki  <basuke.suzuki@sony.com>
944
945         [PlayStation] Restructuring Remote Inspector classes to support multiple platform.
946         https://bugs.webkit.org/show_bug.cgi?id=197030
947
948         Reviewed by Don Olmstead.
949
950         Restructuring the PlayStation's RemoteInspector backend which uses native socket for the communication to be ready for WinCairo.
951
952         What we did is basically:
953         - Renamed `remote/playstation/` to `remote/socket/`. This directory is now the platform-independent implementation of the socket backend.
954         - Renamed `RemoteInspectorSocket` class to `RemoteInspectorSocketEndpoint`. This class is platform independent and the core of the backend.
955         - Merged `RemoteInspectorSocket{Client|Server}` classes into `RemoteInspectorSocketEndpoint` class because the differences are small.
956         - Defined new interface functions in the `Inspector::Socket` (new) namespace.
957         - Moved POSIX socket implementation into `posix\RemoteInspectorSocketPOSIX.{h|cpp}`.
958
959         * PlatformPlayStation.cmake:
960         * inspector/remote/RemoteInspector.h:
961         * inspector/remote/playstation/RemoteInspectorSocketClient.h: Merged into RemoteInspectorSocketEndpoint.
962         * inspector/remote/playstation/RemoteInspectorSocketClientPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
963         * inspector/remote/playstation/RemoteInspectorSocketPlayStation.cpp: Removed.
964         * inspector/remote/playstation/RemoteInspectorSocketServer.h: Merged into RemoteInspectorSocketEndpoint.
965         * inspector/remote/playstation/RemoteInspectorSocketServerPlayStation.cpp: Merged into RemoteInspectorSocketEndpoint.
966         * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClientPlayStation.cpp.
967         * inspector/remote/socket/RemoteInspectorConnectionClient.h: Renamed from inspector\remote\playstation\RemoteInspectorConnectionClient.h.
968         (Inspector::RemoteInspectorConnectionClient::didAccept):
969         * inspector/remote/socket/RemoteInspectorMessageParser.cpp: Renamed from inspector\remote\playstation\RemoteInspectorMessageParserPlayStation.cpp.
970         * inspector/remote/socket/RemoteInspectorMessageParser.h: Renamed from inspector\remote\playstation\RemoteInspectorMessageParser.h.
971         * inspector/remote/socket/RemoteInspectorServer.cpp: Renamed from inspector\remote\playstation\RemoteInspectorServerPlayStation.cpp.
972         (Inspector::RemoteInspectorServer::didAccept):
973         (Inspector::RemoteInspectorServer::start):
974         * inspector/remote/socket/RemoteInspectorServer.h: Renamed from inspector\remote\playstation\RemoteInspectorServer.h.
975         * inspector/remote/socket/RemoteInspectorSocket.cpp: Renamed from inspector\remote\playstation\RemoteInspectorPlayStation.cpp.
976         (Inspector::RemoteInspector::start):
977         * inspector/remote/socket/RemoteInspectorSocket.h: Copied from inspector\remote\playstation\RemoteInspectorSocket.h.
978         * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Added.
979         (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint):
980         (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint):
981         (Inspector::RemoteInspectorSocketEndpoint::wakeupWorkerThread):
982         (Inspector::RemoteInspectorSocketEndpoint::connectInet):
983         (Inspector::RemoteInspectorSocketEndpoint::listenInet):
984         (Inspector::RemoteInspectorSocketEndpoint::isListening):
985         (Inspector::RemoteInspectorSocketEndpoint::workerThread):
986         (Inspector::RemoteInspectorSocketEndpoint::createClient):
987         (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
988         (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
989         (Inspector::RemoteInspectorSocketEndpoint::send):
990         (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
991         * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: Renamed from inspector\remote\playstation\RemoteInspectorSocket.h.
992         * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Added.
993         (Inspector::Socket::connect):
994         (Inspector::Socket::listen):
995         (Inspector::Socket::accept):
996         (Inspector::Socket::createPair):
997         (Inspector::Socket::setup):
998         (Inspector::Socket::isValid):
999         (Inspector::Socket::isListening):
1000         (Inspector::Socket::read):
1001         (Inspector::Socket::write):
1002         (Inspector::Socket::close):
1003         (Inspector::Socket::preparePolling):
1004         (Inspector::Socket::poll):
1005         (Inspector::Socket::isReadable):
1006         (Inspector::Socket::isWritable):
1007         (Inspector::Socket::markWaitingWritable):
1008         (Inspector::Socket::clearWaitingWritable):
1009
1010 2019-04-20  Yusuke Suzuki  <ysuzuki@apple.com>
1011
1012         Unreviewed, suppress warnings in non-Darwin environments
1013
1014         * jit/ExecutableAllocator.cpp:
1015         (JSC::dumpJITMemory):
1016
1017 2019-04-19  Saam Barati  <sbarati@apple.com>
1018
1019         AbstractValue can represent more than int52
1020         https://bugs.webkit.org/show_bug.cgi?id=197118
1021         <rdar://problem/49969960>
1022
1023         Reviewed by Michael Saboff.
1024
1025         Let's analyze this control flow diamond:
1026         
1027         #0
1028         branch #1, #2
1029         
1030         #1:
1031         PutStack(JSValue, loc42)
1032         Jump #3
1033         
1034         #2:
1035         PutStack(Int52, loc42)
1036         Jump #3
1037         
1038         #3:
1039         ...
1040         
1041         Our abstract value for loc42 at the head of #3 will contain an abstract
1042         value that is the union of Int52 with other things. Obviously in the
1043         above program, a GetStack for loc42 would be invalid, since it might
1044         be loading either JSValue or Int52. However, the abstract interpreter
1045         just tracks what the value could be, and it could be Int52 or JSValue.
1046         
1047         When I did the Int52 refactoring, I expected such things to never happen,
1048         but it turns out it does. We should just allow for this instead of asserting
1049         against it since it's valid IR to do the above.
1050
1051         * bytecode/SpeculatedType.cpp:
1052         (JSC::dumpSpeculation):
1053         * dfg/DFGAbstractValue.cpp:
1054         (JSC::DFG::AbstractValue::checkConsistency const):
1055         * dfg/DFGAbstractValue.h:
1056         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
1057
1058 2019-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1059
1060         Add option to dump JIT memory
1061         https://bugs.webkit.org/show_bug.cgi?id=197062
1062         <rdar://problem/49744332>
1063
1064         Reviewed by Saam Barati.
1065
1066         Dump all writes into JIT memory to the specified file. The format is:
1067         - 64-bit destination address for the write
1068         - 64-bit size of the content written
1069         - Copy of the data that was written to JIT memory
1070
1071         * assembler/LinkBuffer.cpp:
1072         (JSC::LinkBuffer::copyCompactAndLinkCode):
1073         * jit/ExecutableAllocator.cpp:
1074         (JSC::dumpJITMemory):
1075         * jit/ExecutableAllocator.h:
1076         (JSC::performJITMemcpy):
1077         * runtime/Options.h:
1078
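The record layout described in the entry above (a 64-bit destination address, a 64-bit size, then the bytes written) is simple enough to parse offline. The following is an added example, not code from the ChangeLog entry or from WebKit: a small Python reader for such a dump that replays the writes into a region and flags writes that land on bytes an earlier write already covered, which is what an analyst looks for when checking how JIT code was patched after it was first emitted. It assumes, since the entry does not say, that both header fields are little-endian and that records are packed back to back with no padding; the sample dump is constructed here and is not real JIT output.

```python
import struct
from collections import namedtuple

# Record layout from the entry: 64-bit address, 64-bit size, then `size` bytes of data.
# ASSUMPTION (not stated on the page): little-endian fields, records packed without padding.
RECORD_HEADER = struct.Struct("<QQ")

JITWrite = namedtuple("JITWrite", "address size data")


def parse_jit_dump(blob):
    """Parse a whole dump into JITWrite records, in file order.

    Raises ValueError on a truncated header or truncated data so a
    partially written or tampered dump is not silently accepted.
    """
    writes = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < RECORD_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        address, size = RECORD_HEADER.unpack_from(blob, offset)
        offset += RECORD_HEADER.size
        if len(blob) - offset < size:
            raise ValueError(f"truncated data at offset {offset}: need {size} bytes")
        writes.append(JITWrite(address, size, blob[offset:offset + size]))
        offset += size
    return writes


def encode_write(address, data):
    """Build one record in the assumed layout (used here only to construct sample input)."""
    return RECORD_HEADER.pack(address, len(data)) + data


def find_overlapping_writes(writes):
    """Return (i, j) pairs, i < j, where write j touches bytes write i already wrote.

    In a dump of a JIT, a later write into an earlier write's range is a
    patch of already-emitted code (e.g. a relink) and is worth inspecting.
    """
    overlaps = []
    for j in range(len(writes)):
        for i in range(j):
            a, b = writes[i], writes[j]
            if a.address < b.address + b.size and b.address < a.address + a.size:
                overlaps.append((i, j))
    return overlaps


def reconstruct_region(writes, start, length):
    """Replay the writes in order into a byte buffer covering [start, start+length).

    Bytes never written stay zero; later writes win over earlier ones.
    """
    region = bytearray(length)
    for w in writes:
        lo = max(w.address, start)
        hi = min(w.address + w.size, start + length)
        if lo < hi:
            region[lo - start:hi - start] = w.data[lo - w.address:hi - w.address]
    return bytes(region)


# Constructed sample dump (not real JIT output): three writes into one 7-byte region,
# the third of which patches two bytes in the middle of the first.
SAMPLE = b"".join([
    encode_write(0x7F0000001000, b"\x55\x48\x89\xe5"),
    encode_write(0x7F0000001004, b"\x90\x90\xc3"),
    encode_write(0x7F0000001002, b"\xcc\xcc"),
])

if __name__ == "__main__":
    ws = parse_jit_dump(SAMPLE)
    for idx, w in enumerate(ws):
        print(f"[{idx}] {w.address:#x} +{w.size}: {w.data.hex()}")
    print("overlapping writes:", find_overlapping_writes(ws))
    print("region:", reconstruct_region(ws, 0x7F0000001000, 7).hex())
```

To use it on a real dump, read the file into `bytes` and pass it to `parse_jit_dump`; if the header turns out to be big-endian on the platform in question, only the `"<QQ"` format string needs to change.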
1079 2019-04-19  Keith Rollin  <krollin@apple.com>
1080
1081         Add postprocess-header-rule scripts
1082         https://bugs.webkit.org/show_bug.cgi?id=197072
1083         <rdar://problem/50027299>
1084
1085         Reviewed by Brent Fulgham.
1086
1087         Several projects have post-processing build phases where exported
1088         headers are tweaked after they've been copied. This post-processing is
1089         performed via scripts called postprocess-headers.sh. For reasons
1090         related to XCBuild, we are now transitioning to a build process where
1091         the post-processing is performed at the same time as the
1092         exporting/copying. To support this process, add similar scripts named
1093         postprocess-header-rule, which are geared towards processing a single
1094         file at a time rather than all exported files at once. Also add a
1095         build rule that makes use of these scripts. These scripts and build
1096         rules are not used at the moment; they will come into use in an
1097         imminent patch.
1098
1099         Note that I've named these postprocess-header-rule rather than
1100         postprocess-header-rule.sh. Scripts in Tools/Scripts do not have
1101         suffixes indicating how the tool is implemented. Scripts in
1102         per-project Scripts folders appear to be mixed regarding the use of
1103         suffixes. I'm opting here to follow the Tools/Scripts convention, with
1104         the expectation that over time we completely standardize on that.
1105
1106         * JavaScriptCore.xcodeproj/project.pbxproj:
1107         * Scripts/postprocess-header-rule: Added.
1108
1109 2019-04-18  Saam barati  <sbarati@apple.com>
1110
1111         Remove useConcurrentBarriers option
1112         https://bugs.webkit.org/show_bug.cgi?id=197066
1113
1114         Reviewed by Michael Saboff.
1115
1116         This isn't a helpful option as it will lead us to crash when using the
1117         concurrent GC.
1118
1119         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1120         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1121         * jit/AssemblyHelpers.h:
1122         (JSC::AssemblyHelpers::barrierStoreLoadFence):
1123         * runtime/Options.h:
1124
1125 2019-04-17  Saam Barati  <sbarati@apple.com>
1126
1127         Remove deprecated JSScript SPI
1128         https://bugs.webkit.org/show_bug.cgi?id=194909
1129         <rdar://problem/48283499>
1130
1131         Reviewed by Keith Miller.
1132
1133         * API/JSAPIGlobalObject.mm:
1134         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
1135         * API/JSScript.h:
1136         * API/JSScript.mm:
1137         (+[JSScript scriptWithSource:inVirtualMachine:]): Deleted.
1138         (fillBufferWithContentsOfFile): Deleted.
1139         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
1140         (+[JSScript scriptFromUTF8File:inVirtualMachine:withCodeSigning:andBytecodeCache:]): Deleted.
1141         (-[JSScript setSourceURL:]): Deleted.
1142         * API/JSScriptInternal.h:
1143         * API/tests/testapi.mm:
1144         (testFetch):
1145         (testFetchWithTwoCycle):
1146         (testFetchWithThreeCycle):
1147         (testLoaderResolvesAbsoluteScriptURL):
1148         (testImportModuleTwice):
1149         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
1150
1151 2019-04-17  Keith Rollin  <krollin@apple.com>
1152
1153         Remove JSCBuiltins.cpp from Copy Headers phase
1154         https://bugs.webkit.org/show_bug.cgi?id=196981
1155         <rdar://problem/49952133>
1156
1157         Reviewed by Alex Christensen.
1158
1159         JSCBuiltins.cpp is not a header and so doesn't need to be in the Copy
1160         Headers phase. Checking its history, it seems to have been added
1161         accidentally at the same time that JSCBuiltins.h was added.
1162
1163         * JavaScriptCore.xcodeproj/project.pbxproj:
1164
1165 2019-04-16  Stephan Szabo  <stephan.szabo@sony.com>
1166
1167         [PlayStation] Update port for system library changes
1168         https://bugs.webkit.org/show_bug.cgi?id=196978
1169
1170         Reviewed by Ross Kirsling.
1171
1172         * shell/playstation/Initializer.cpp:
1173         Add reference to new posix compatibility library.
1174
1175 2019-04-16  Robin Morisset  <rmorisset@apple.com>
1176
1177         [WTF] holdLock should be marked WARN_UNUSED_RETURN
1178         https://bugs.webkit.org/show_bug.cgi?id=196922
1179
1180         Reviewed by Keith Miller.
1181
1182         There was one case where holdLock was used and the result ignored.
1183         From a comment that was deleted in https://bugs.webkit.org/attachment.cgi?id=328438&action=prettypatch, I believe that it is on purpose.
1184         So I brought back a variant of the comment, and made the ignoring of the return explicit.
1185
1186         * heap/BlockDirectory.cpp:
1187         (JSC::BlockDirectory::isPagedOut):
1188
1189 2019-04-16  Caitlin Potter  <caitp@igalia.com>
1190
1191         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1192         https://bugs.webkit.org/show_bug.cgi?id=176810
1193
1194         Reviewed by Saam Barati.
1195
1196         This adds conditional logic following the invariant checks, to perform
1197         filtering in common uses of getOwnPropertyNames.
1198
1199         While this would ideally only be done in JSPropertyNameEnumerator, adding
1200         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1201         invariant that the EnumerationMode is properly followed.
1202
1203         This was originally rolled out in r244020, as DontEnum filtering code
1204         in ObjectConstructor.cpp's ownPropertyKeys() had not been removed. It's
1205         now redundant due to being handled in ProxyObject::getOwnPropertyNames().
1206
1207         * runtime/PropertyNameArray.h:
1208         (JSC::PropertyNameArray::reset):
1209         * runtime/ProxyObject.cpp:
1210         (JSC::ProxyObject::performGetOwnPropertyNames):
1211
1212 2019-04-15  Saam barati  <sbarati@apple.com>
1213
1214         Modify how we do SetArgument when we inline varargs calls
1215         https://bugs.webkit.org/show_bug.cgi?id=196712
1216         <rdar://problem/49605012>
1217
1218         Reviewed by Michael Saboff.
1219
1220         When we inline varargs calls, we guarantee that the number of arguments that
1221         go on the stack is somewhere between the "mandatoryMinimum" and the "limit - 1".
1222         However, we can't statically guarantee that the arguments between these two
1223         ranges were filled out by Load/ForwardVarargs. This is because in the general
1224         case we don't know the argument count statically.
1225         
1226         However, we used to always emit SetArgumentDefinitely up to "limit - 1" for
1227         all arguments, even when some arguments aren't guaranteed to be in a valid
1228         state. Emitting these SetArgumentDefinitely nodes was helpful because they let us
1229         handle variable liveness and OSR exit metadata. However, when we converted
1230         to SSA, we ended up emitting a GetStack for each such SetArgumentDefinitely.
1231         
1232         This is wrong, as we can't guarantee such SetArgumentDefinitely nodes are
1233         actually looking at a range of the stack that is guaranteed to be initialized.
1234         This patch introduces a new form of SetArgument node: SetArgumentMaybe. In terms
1235         of OSR exit metadata and variable liveness tracking, it behaves like SetArgumentDefinitely.
1236         
1237         However, it differs in a couple key ways:
1238         1. In ThreadedCPS, GetLocal(@SetArgumentMaybe) is invalid IR, as this implies
1239         you might be loading uninitialized stack. (This same rule applies when you do
1240         the full data flow reachability analysis over CPS Phis.) If someone logically
1241         wanted to emit code like this, the correct node to emit would be GetArgument,
1242         not GetLocal. For similar reasons, PhantomLocal(@SetArgumentMaybe) is also
1243         invalid IR.
1244         2. To track liveness, Flush(@SetArgumentMaybe) is valid, and is the main user
1245         of SetArgumentMaybe.
1246         3. In SSA conversion, we don't lower SetArgumentMaybe to GetStack, as there
1247         should be no data flow user of SetArgumentMaybe.
1248         
1249         SetArgumentDefinitely guarantees that the stack slot is initialized.
1250         SetArgumentMaybe makes no such guarantee.
1251
1252         * dfg/DFGAbstractInterpreterInlines.h:
1253         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1254         * dfg/DFGByteCodeParser.cpp:
1255         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1256         * dfg/DFGCPSRethreadingPhase.cpp:
1257         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1258         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1259         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1260         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1261         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1262         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1263         * dfg/DFGClobberize.h:
1264         (JSC::DFG::clobberize):
1265         * dfg/DFGCommon.h:
1266         * dfg/DFGDoesGC.cpp:
1267         (JSC::DFG::doesGC):
1268         * dfg/DFGFixupPhase.cpp:
1269         (JSC::DFG::FixupPhase::fixupNode):
1270         * dfg/DFGInPlaceAbstractState.cpp:
1271         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1272         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1273         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1274         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1275         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1276         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1277         * dfg/DFGMayExit.cpp:
1278         * dfg/DFGNode.cpp:
1279         (JSC::DFG::Node::hasVariableAccessData):
1280         * dfg/DFGNodeType.h:
1281         * dfg/DFGPhantomInsertionPhase.cpp:
1282         * dfg/DFGPredictionPropagationPhase.cpp:
1283         * dfg/DFGSSAConversionPhase.cpp:
1284         (JSC::DFG::SSAConversionPhase::run):
1285         * dfg/DFGSafeToExecute.h:
1286         (JSC::DFG::safeToExecute):
1287         * dfg/DFGSpeculativeJIT32_64.cpp:
1288         (JSC::DFG::SpeculativeJIT::compile):
1289         * dfg/DFGSpeculativeJIT64.cpp:
1290         (JSC::DFG::SpeculativeJIT::compile):
1291         * dfg/DFGValidate.cpp:
1292         * ftl/FTLCapabilities.cpp:
1293         (JSC::FTL::canCompile):
1294
1295 2019-04-15  Commit Queue  <commit-queue@webkit.org>
1296
1297         Unreviewed, rolling out r243672.
1298         https://bugs.webkit.org/show_bug.cgi?id=196952
1299
1300         [JSValue release] should be thread-safe (Requested by
1301         yusukesuzuki on #webkit).
1302
1303         Reverted changeset:
1304
1305         "[JSC] JSWrapperMap should not use Objective-C Weak map
1306         (NSMapTable with NSPointerFunctionsWeakMemory) for
1307         m_cachedObjCWrappers"
1308         https://bugs.webkit.org/show_bug.cgi?id=196392
1309         https://trac.webkit.org/changeset/243672
1310
1311 2019-04-15  Saam barati  <sbarati@apple.com>
1312
1313         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
1314         https://bugs.webkit.org/show_bug.cgi?id=196945
1315         <rdar://problem/49802750>
1316
1317         Reviewed by Filip Pizlo.
1318
1319         * dfg/DFGSafeToExecute.h:
1320         (JSC::DFG::safeToExecute):
1321
1322 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1323
1324         DFG should be able to constant fold Object.create() with a constant prototype operand
1325         https://bugs.webkit.org/show_bug.cgi?id=196886
1326
1327         Reviewed by Yusuke Suzuki.
1328
1330         It is a fairly simple and limited patch, as it only works when the DFG can prove the exact object used as prototype.
1331         But when it applies it can be a significant win:
1332                                                         Baseline                   Optim                                       
1333         object-create-constant-prototype              3.6082+-0.0979     ^      1.6947+-0.0756        ^ definitely 2.1292x faster
1334         object-create-null                           11.4492+-0.2510     ?     11.5030+-0.2402        ?
1335         object-create-unknown-object-prototype       15.6067+-0.1851     ?     15.7500+-0.2322        ?
1336         object-create-untyped-prototype               8.8873+-0.1240     ?      8.9806+-0.1202        ? might be 1.0105x slower
1337         <geometric>                                   8.6967+-0.1208     ^      7.2408+-0.1367        ^ definitely 1.2011x faster
1338
1339         The only subtlety is that we need to access the StructureCache concurrently from the compiler thread (see https://bugs.webkit.org/show_bug.cgi?id=186199).
1340         I solved this with a simple lock, taken when the compiler thread tries to read it, and when the main thread tries to modify it.
1341         I expect it to be extremely low contention, but will watch the bots just in case.
1342         The lock is taken neither when the main thread is only reading the cache (it has no-one to race with), nor when the GC purges it of dead entries (it does not free anything while a compiler thread is in the middle of a phase).
1343
1344         * dfg/DFGAbstractInterpreterInlines.h:
1345         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1346         * dfg/DFGConstantFoldingPhase.cpp:
1347         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1348         * runtime/StructureCache.cpp:
1349         (JSC::StructureCache::createEmptyStructure):
1350         (JSC::StructureCache::tryEmptyObjectStructureForPrototypeFromCompilerThread):
1351         * runtime/StructureCache.h:
1352
1353 2019-04-15  Devin Rousso  <drousso@apple.com>
1354
1355         Web Inspector: fake value descriptors for promises add a catch handler, preventing "rejectionhandled" events from being fired
1356         https://bugs.webkit.org/show_bug.cgi?id=196484
1357         <rdar://problem/49114725>
1358
1359         Reviewed by Joseph Pecoraro.
1360
1361         Only add a catch handler when the promise is reachable via a native getter and is known to
1362         have rejected. A non-rejected promise doesn't need a catch handler, and any promise that
1363         isn't reachable via a getter won't actually be reached, as `InjectedScript` doesn't call any
1364         functions, instead only getting the function object itself.
1365
1366         * inspector/InjectedScriptSource.js:
1367         (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
1368
1369         * inspector/JSInjectedScriptHost.h:
1370         * inspector/JSInjectedScriptHost.cpp:
1371         (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError): Added.
1372         * inspector/JSInjectedScriptHostPrototype.cpp:
1373         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1374         (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): Added.
1375
1376         * runtime/ErrorInstance.h:
1377         (JSC::ErrorInstance::setNativeGetterTypeError): Added.
1378         (JSC::ErrorInstance::isNativeGetterTypeError const): Added.
1379
1380         * runtime/Error.h:
1381         (JSC::throwVMGetterTypeError): Added.
1382         * runtime/Error.cpp:
1383         (JSC::createGetterTypeError): Added.
1384         (JSC::throwGetterTypeError): Added.
1385         (JSC::throwDOMAttributeGetterTypeError):
1386
1387 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1388
1389         B3::Value should have different kinds of adjacency lists
1390         https://bugs.webkit.org/show_bug.cgi?id=196091
1391
1392         Reviewed by Filip Pizlo.
1393
1394         The key idea of this optimization is to replace the Vector<Value*, 3> m_children in B3::Value (40 bytes on 64-bit platforms) by one of the following:
1395         - Nothing (0 bytes)
1396         - 1 Value* (8 bytes)
1397         - 2 Value* (16 bytes)
1398         - 3 Value* (24 bytes)
1399         - A Vector<Value*, 3>
1400         after the end of the Value object, depending on the kind of the Value.
1401         So for example, when allocating an Add, we would allocate an extra 16 bytes into which to store 2 Values.
1402         This would halve the memory consumption of Const64/Const32/Nop/Identity and a bunch more kinds of values, and reduce by a more moderate amount the memory consumption of the rest of non-varargs values (e.g. Add would go from 72 to 48 bytes).
1403
1404         A few implementation points:
1405         - Even if there are no children, we must remember to allocate at least enough space for replaceWithIdentity to work later. It needs sizeof(Value) (for the object itself) + sizeof(Value*) (for the pointer to its child).
1406         - We must make sure to destroy the vector whenever we destroy a Value which is VarArgs
1407         - We must remember how many elements there are in the case where we did not allocate a Vector. We cannot do it purely by relying on the kind, both for speed reasons and because Return can have either 0 or 1 argument in B3
1408           Thankfully, we have an extra byte of padding to use in the middle of B3::Value
1409         - In order to support clone(), we must have a separate version of allocate, which extracts the opcode from the to-be-cloned object instead of from the call to the constructor
1410         - Speaking of which, we need a special templated function opcodeFromConstructor, because some of the constructors of subclasses of Value don't take an explicit Opcode as argument, typically because they match a single one.
1411         - To maximize performance, we provide specialized versions of child/lastChild/numChildren/children in the subclasses of Value, skipping checks when the actual type of the Value is already known.
1412           This is done through the B3_SPECIALIZE_VALUE_FOR_... defined at the bottom of B3Value.h
1413         - In the constructors of Value, we convert all extra children arguments to Value* eagerly. It is not required for correctness (they will be converted when put into a Vector<Value*> or a Value* in the end), but it helps limit an explosion in the number of template instantiations.
1414         - I moved DeepValueDump::dump from the .h to the .cpp, as there is no good reason to inline it, and recompiling JSC is already slow enough
1415
1416         * JavaScriptCore.xcodeproj/project.pbxproj:
1417         * b3/B3ArgumentRegValue.cpp:
1418         (JSC::B3::ArgumentRegValue::cloneImpl const): Deleted.
1419         * b3/B3ArgumentRegValue.h:
1420         * b3/B3AtomicValue.cpp:
1421         (JSC::B3::AtomicValue::AtomicValue):
1422         (JSC::B3::AtomicValue::cloneImpl const): Deleted.
1423         * b3/B3AtomicValue.h:
1424         * b3/B3BasicBlock.h:
1425         * b3/B3BasicBlockInlines.h:
1426         (JSC::B3::BasicBlock::appendNewNonTerminal): Deleted.
1427         * b3/B3CCallValue.cpp:
1428         (JSC::B3::CCallValue::appendArgs):
1429         (JSC::B3::CCallValue::cloneImpl const): Deleted.
1430         * b3/B3CCallValue.h:
1431         * b3/B3CheckValue.cpp:
1432         (JSC::B3::CheckValue::cloneImpl const): Deleted.
1433         * b3/B3CheckValue.h:
1434         * b3/B3Const32Value.cpp:
1435         (JSC::B3::Const32Value::cloneImpl const): Deleted.
1436         * b3/B3Const32Value.h:
1437         * b3/B3Const64Value.cpp:
1438         (JSC::B3::Const64Value::cloneImpl const): Deleted.
1439         * b3/B3Const64Value.h:
1440         * b3/B3ConstDoubleValue.cpp:
1441         (JSC::B3::ConstDoubleValue::cloneImpl const): Deleted.
1442         * b3/B3ConstDoubleValue.h:
1443         * b3/B3ConstFloatValue.cpp:
1444         (JSC::B3::ConstFloatValue::cloneImpl const): Deleted.
1445         * b3/B3ConstFloatValue.h:
1446         * b3/B3ConstPtrValue.h:
1447         (JSC::B3::ConstPtrValue::opcodeFromConstructor):
1448         * b3/B3FenceValue.cpp:
1449         (JSC::B3::FenceValue::FenceValue):
1450         (JSC::B3::FenceValue::cloneImpl const): Deleted.
1451         * b3/B3FenceValue.h:
1452         * b3/B3MemoryValue.cpp:
1453         (JSC::B3::MemoryValue::MemoryValue):
1454         (JSC::B3::MemoryValue::cloneImpl const): Deleted.
1455         * b3/B3MemoryValue.h:
1456         * b3/B3MoveConstants.cpp:
1457         * b3/B3PatchpointValue.cpp:
1458         (JSC::B3::PatchpointValue::cloneImpl const): Deleted.
1459         * b3/B3PatchpointValue.h:
1460         (JSC::B3::PatchpointValue::opcodeFromConstructor):
1461         * b3/B3Procedure.cpp:
1462         * b3/B3Procedure.h:
1463         * b3/B3ProcedureInlines.h:
1464         (JSC::B3::Procedure::add):
1465         * b3/B3SlotBaseValue.cpp:
1466         (JSC::B3::SlotBaseValue::cloneImpl const): Deleted.
1467         * b3/B3SlotBaseValue.h:
1468         * b3/B3StackmapSpecial.cpp:
1469         (JSC::B3::StackmapSpecial::forEachArgImpl):
1470         (JSC::B3::StackmapSpecial::isValidImpl):
1471         * b3/B3StackmapValue.cpp:
1472         (JSC::B3::StackmapValue::append):
1473         (JSC::B3::StackmapValue::StackmapValue):
1474         * b3/B3StackmapValue.h:
1475         * b3/B3SwitchValue.cpp:
1476         (JSC::B3::SwitchValue::SwitchValue):
1477         (JSC::B3::SwitchValue::cloneImpl const): Deleted.
1478         * b3/B3SwitchValue.h:
1479         (JSC::B3::SwitchValue::opcodeFromConstructor):
1480         * b3/B3UpsilonValue.cpp:
1481         (JSC::B3::UpsilonValue::cloneImpl const): Deleted.
1482         * b3/B3UpsilonValue.h:
1483         * b3/B3Value.cpp:
1484         (JSC::B3::DeepValueDump::dump const):
1485         (JSC::B3::Value::~Value):
1486         (JSC::B3::Value::replaceWithIdentity):
1487         (JSC::B3::Value::replaceWithNopIgnoringType):
1488         (JSC::B3::Value::replaceWithPhi):
1489         (JSC::B3::Value::replaceWithJump):
1490         (JSC::B3::Value::replaceWithOops):
1491         (JSC::B3::Value::replaceWith):
1492         (JSC::B3::Value::invertedCompare const):
1493         (JSC::B3::Value::returnsBool const):
1494         (JSC::B3::Value::cloneImpl const): Deleted.
1495         * b3/B3Value.h:
1496         (JSC::B3::DeepValueDump::dump const): Deleted.
1497         * b3/B3ValueInlines.h:
1498         (JSC::B3::Value::adjacencyListOffset const):
1499         (JSC::B3::Value::cloneImpl const):
1500         * b3/B3VariableValue.cpp:
1501         (JSC::B3::VariableValue::VariableValue):
1502         (JSC::B3::VariableValue::cloneImpl const): Deleted.
1503         * b3/B3VariableValue.h:
1504         * b3/B3WasmAddressValue.cpp:
1505         (JSC::B3::WasmAddressValue::WasmAddressValue):
1506         (JSC::B3::WasmAddressValue::cloneImpl const): Deleted.
1507         * b3/B3WasmAddressValue.h:
1508         * b3/B3WasmBoundsCheckValue.cpp:
1509         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1510         (JSC::B3::WasmBoundsCheckValue::cloneImpl const): Deleted.
1511         * b3/B3WasmBoundsCheckValue.h:
1512         (JSC::B3::WasmBoundsCheckValue::accepts):
1513         (JSC::B3::WasmBoundsCheckValue::opcodeFromConstructor):
1514         * b3/testb3.cpp:
1515         (JSC::B3::testCallFunctionWithHellaArguments):
1516         (JSC::B3::testCallFunctionWithHellaArguments2):
1517         (JSC::B3::testCallFunctionWithHellaArguments3):
1518         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
1519         (JSC::B3::testCallFunctionWithHellaFloatArguments):
1520         * ftl/FTLOutput.h:
1521         (JSC::FTL::Output::call):
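
        The layout described above, as an added example that is not WebKit's B3::Value code: children live directly after the object, the count is kept in the spare byte, a Vector is used only for the VarArgs kind, and every allocation reserves one slot so replaceWithIdentity can reuse it. The opcode set, the m_index field and the create()/destroy() helpers are assumptions made so the example is self-contained.

```cpp
// Added example of the trailing-adjacency-list layout described above. This is
// not WebKit's B3::Value; the opcode set, m_index field, create() and destroy()
// are assumptions made so the example is self-contained.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <new>
#include <vector>

enum class Opcode : uint8_t { Nop, Const64, Identity, Add, Return, CCall };

class alignas(alignof(void*)) Value {
public:
    using ChildVector = std::vector<Value*>;

    // Only CCall is a VarArgs kind here: it keeps a ChildVector after the object.
    // Every other kind keeps 0..3 Value* slots there, with the count in m_numChildren.
    static bool isVarArgs(Opcode op) { return op == Opcode::CCall; }

    // Bytes to allocate: the object plus its trailing children. A value with no
    // children still reserves one slot so replaceWithIdentity() can work later.
    static size_t allocationSize(Opcode op, size_t numChildren) {
        size_t trailing = isVarArgs(op) ? sizeof(ChildVector) : numChildren * sizeof(Value*);
        if (trailing < sizeof(Value*))
            trailing = sizeof(Value*);
        return sizeof(Value) + trailing;
    }

    static Value* create(Opcode op, std::initializer_list<Value*> children) {
        if (!isVarArgs(op) && children.size() > 3)
            return nullptr; // fixed-arity kinds never carry more than 3 inline children
        void* memory = ::operator new(allocationSize(op, children.size()));
        uint8_t inlineCount = isVarArgs(op) ? 0 : static_cast<uint8_t>(children.size());
        Value* value = new (memory) Value(op, inlineCount);
        if (isVarArgs(op))
            new (value->trailing()) ChildVector(children);
        else {
            Value** slots = value->inlineChildren();
            size_t i = 0;
            for (Value* child : children)
                slots[i++] = child;
        }
        return value;
    }

    // Values are freed through here: the destructor is private because the block
    // is larger than sizeof(Value) and, for VarArgs kinds, owns a vector.
    static void destroy(Value* value) {
        value->~Value();
        ::operator delete(value);
    }

    Opcode opcode() const { return m_opcode; }

    unsigned numChildren() const {
        return isVarArgs(m_opcode) ? static_cast<unsigned>(vectorChildren().size()) : m_numChildren;
    }

    Value* child(unsigned index) const {
        return isVarArgs(m_opcode) ? vectorChildren()[index] : inlineChildren()[index];
    }

    // Turn this value into Identity(replacement) in place, reusing the first
    // trailing slot; a VarArgs value releases its vector first.
    void replaceWithIdentity(Value* replacement) {
        if (isVarArgs(m_opcode))
            vectorChildren().~ChildVector();
        m_opcode = Opcode::Identity;
        m_numChildren = 1;
        inlineChildren()[0] = replacement;
    }

private:
    Value(Opcode op, uint8_t numChildren) : m_opcode(op), m_numChildren(numChildren) {}
    ~Value() {
        if (isVarArgs(m_opcode))
            vectorChildren().~ChildVector();
    }

    // First byte after the fixed-size part of the object.
    void* trailing() const { return const_cast<Value*>(this) + 1; }
    Value** inlineChildren() const { return static_cast<Value**>(trailing()); }
    ChildVector& vectorChildren() const { return *static_cast<ChildVector*>(trailing()); }

    Opcode m_opcode;
    uint8_t m_numChildren; // the spare padding byte, used as the inline child count
    uint32_t m_index = 0;  // stand-in for the other fixed-size fields of a Value
};
```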
1522
1523 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1524
1525         Bytecode cache should not encode the SourceProvider for UnlinkedFunctionExecutable's classSource
1526         https://bugs.webkit.org/show_bug.cgi?id=196878
1527
1528         Reviewed by Saam Barati.
1529
1530         Every time we encode an (Unlinked)SourceCode, we encode its SourceProvider,
1531         including the full source if it's a StringSourceProvider. This wasn't an issue,
1532         since the SourceCode contains a RefPtr to the SourceProvider, and the Encoder
1533         would avoid encoding the provider multiple times. With the addition of the
1534         incremental cache, each UnlinkedFunctionCodeBlock is encoded in isolation, which
1535         means we can no longer deduplicate it and the full program text was being encoded
1536         multiple times in the cache.
1537         As a workaround, this patch adds a custom cached type for encoding the SourceCode
1538         without its provider, and later injects the SourceProvider through the Decoder.
1539
1540         * parser/SourceCode.h:
1541         * parser/UnlinkedSourceCode.h:
1542         (JSC::UnlinkedSourceCode::provider const):
1543         * runtime/CachedTypes.cpp:
1544         (JSC::Decoder::Decoder):
1545         (JSC::Decoder::create):
1546         (JSC::Decoder::provider const):
1547         (JSC::CachedSourceCodeWithoutProvider::encode):
1548         (JSC::CachedSourceCodeWithoutProvider::decode const):
1549         (JSC::decodeCodeBlockImpl):
1550         * runtime/CachedTypes.h:
1551
1552 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1553
1554         MarkedSpace.cpp is not in the Xcode workspace
1555         https://bugs.webkit.org/show_bug.cgi?id=196928
1556
1557         Reviewed by Saam Barati.
1558
1559         * JavaScriptCore.xcodeproj/project.pbxproj:
1560
1561 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
1562
1563         Incremental bytecode cache should not append function updates when loaded from memory
1564         https://bugs.webkit.org/show_bug.cgi?id=196865
1565
1566         Reviewed by Filip Pizlo.
1567
1568         Function updates hold the assumption that a function can only be executed/cached
1569         after its containing code block has already been cached. This assumption does
1570         not hold if the UnlinkedCodeBlock is loaded from memory by the CodeCache, since
1571         we might have two independent SourceProviders executing different paths of the
1572         code and causing the same UnlinkedCodeBlock to be modified in memory.
1573         Use a RefPtr instead of Ref for m_cachedBytecode in ShellSourceProvider to distinguish
1574         between a new, empty cache and a cache that was not loaded and therefore cannot be updated.
1575
1576         * jsc.cpp:
1577         (ShellSourceProvider::ShellSourceProvider):
1578
1579 2019-04-15  Saam barati  <sbarati@apple.com>
1580
1581         mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
1582         https://bugs.webkit.org/show_bug.cgi?id=196918
1583
1584         Reviewed by Yusuke Suzuki.
1585
1586         r244238 led to some debug failures because we were calling checkConsistency()
1587         before doing fixTypeForRepresentation when merging in must handle values in
1588         CFA. This patch fixes that.
1589         
1590         However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
1591         was possible it could merge in a value/type outside of the variable's flushed type.
1592         Once the flush format types are locked in, we can't introduce a type out of
1593         that range. This probably never led to any crashes as our profiling injection
1594         and speculation decision code is solid. However, what we were doing is clearly
1595         wrong, and something a fuzzer could have found if we fuzzed the must handle
1596         values inside prediction injection. We should do that fuzzing:
1597         https://bugs.webkit.org/show_bug.cgi?id=196924
1598
1599         * dfg/DFGAbstractValue.cpp:
1600         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1601         * dfg/DFGAbstractValue.h:
1602         * dfg/DFGCFAPhase.cpp:
1603         (JSC::DFG::CFAPhase::injectOSR):
1604
1605 2019-04-15  Robin Morisset  <rmorisset@apple.com>
1606
1607         Several structures and enums in the Yarr interpreter can be shrunk
1608         https://bugs.webkit.org/show_bug.cgi?id=196923
1609
1610         Reviewed by Saam Barati.
1611
1612         YarrOp: 88 -> 80
1613         RegularExpression: 40 -> 32
1614         ByteTerm: 56 -> 48
1615         PatternTerm: 56 -> 48
1616
1617         * yarr/RegularExpression.cpp:
1618         * yarr/YarrInterpreter.h:
1619         * yarr/YarrJIT.cpp:
1620         (JSC::Yarr::YarrGenerator::YarrOp::YarrOp):
1621         * yarr/YarrParser.h:
1622         * yarr/YarrPattern.h:
1623
1624 2019-04-15  Devin Rousso  <drousso@apple.com>
1625
1626         Web Inspector: REGRESSION(r244172): crash when trying to add extra domain while inspecting JSContext
1627         https://bugs.webkit.org/show_bug.cgi?id=196925
1628         <rdar://problem/49873994>
1629
1630         Reviewed by Joseph Pecoraro.
1631
1632         Move the logic for creating the `InspectorAgent` and `InspectorDebuggerAgent` into separate
1633         functions so that callers can be guaranteed to have a valid instance of the agent.
1634
1635         * inspector/JSGlobalObjectInspectorController.h:
1636         * inspector/JSGlobalObjectInspectorController.cpp:
1637         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1638         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1639         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1640         (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent): Added.
1641         (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent): Added.
1642         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
1643
1644 2019-04-14  Don Olmstead  <don.olmstead@sony.com>
1645
1646         [CMake] JavaScriptCore derived sources should only be referenced inside JavaScriptCore
1647         https://bugs.webkit.org/show_bug.cgi?id=196742
1648
1649         Reviewed by Konstantin Tokarev.
1650
1651         Migrate to using JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOURCES_JAVASCRIPTCORE_DIR
1652         to support moving the JavaScriptCore derived sources outside of a shared directory.
1653
1654         Also use JavaScriptCore_DERIVED_SOURCES_DIR instead of DERIVED_SOUCES_DIR.
1655
1656         * CMakeLists.txt:
1657
1658 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
1659
1660         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
1661         https://bugs.webkit.org/show_bug.cgi?id=196880
1662
1663         Reviewed by Yusuke Suzuki.
1664
1665         CodeCache should not tell the SourceProvider to cache the bytecode if it failed
1666         to create the UnlinkedCodeBlock.
1667
1668         * runtime/CodeCache.cpp:
1669         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
1670
1671 2019-04-12  Saam barati  <sbarati@apple.com>
1672
1673         r244079 logically broke shouldSpeculateInt52
1674         https://bugs.webkit.org/show_bug.cgi?id=196884
1675
1676         Reviewed by Yusuke Suzuki.
1677
1678         In r244079, I changed shouldSpeculateInt52 to only return true
1679         when the prediction is isAnyInt52Speculation(). However, it was
1680         wrong not to include SpecInt32 in this for two reasons:
1681
1682         1. We diligently write code that first checks if we should speculate Int32.
1683         For example:
1684         if (shouldSpeculateInt32()) ... 
1685         else if (shouldSpeculateInt52()) ...
1686
1687         It would be wrong not to fall back to Int52 if we're dealing with the union of
1688         Int32 and Int52.
1689
1690         It would be a performance mistake to not include Int32 here because
1691         data flow can easily tell us that we have variables that are the union
1692         of Int32 and Int52 values. It's better to speculate Int52 than Double
1693         in that situation.
1694
1695         2. We also write code where we ask if the inputs can be Int52, e.g, if
1696         we know via profiling that an Add overflows, we may not emit an Int32 add.
1697         However, we only emit such an add if both inputs can be Int52, and Int32
1698         can trivially become Int52.
1699
1700         This patch recovers the 0.5-1% regression r244079 caused on JetStream 2.
1701
1702         * bytecode/SpeculatedType.h:
1703         (JSC::isInt32SpeculationForArithmetic):
1704         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1705         (JSC::isInt32OrInt52Speculation):
1706         * dfg/DFGFixupPhase.cpp:
1707         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1708         * dfg/DFGNode.h:
1709         (JSC::DFG::Node::shouldSpeculateInt52):
1710         * dfg/DFGPredictionPropagationPhase.cpp:
1711         * dfg/DFGVariableAccessData.cpp:
1712         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1713
1714 2019-04-12  Saam barati  <sbarati@apple.com>
1715
1716         Unreviewed. Build fix after r244233.
1717
1718         * assembler/CPU.cpp:
1719
1720 2019-04-12  Saam barati  <sbarati@apple.com>
1721
1722         Sometimes we need to use fewer CPUs in our threading calculations
1723         https://bugs.webkit.org/show_bug.cgi?id=196794
1724         <rdar://problem/49389497>
1725
1726         Reviewed by Yusuke Suzuki.
1727
1728         * JavaScriptCore.xcodeproj/project.pbxproj:
1729         * Sources.txt:
1730         * assembler/CPU.cpp: Added.
1731         (JSC::isKernTCSMAvailable):
1732         (JSC::enableKernTCSM):
1733         (JSC::kernTCSMAwareNumberOfProcessorCores):
1734         * assembler/CPU.h:
1735         (JSC::isKernTCSMAvailable):
1736         (JSC::enableKernTCSM):
1737         (JSC::kernTCSMAwareNumberOfProcessorCores):
1738         * heap/MachineStackMarker.h:
1739         (JSC::MachineThreads::addCurrentThread):
1740         * runtime/JSLock.cpp:
1741         (JSC::JSLock::didAcquireLock):
1742         * runtime/Options.cpp:
1743         (JSC::computeNumberOfWorkerThreads):
1744         (JSC::computePriorityDeltaOfWorkerThreads):
1745         * wasm/WasmWorklist.cpp:
1746         (JSC::Wasm::Worklist::Worklist):
1747
1748 2019-04-12  Robin Morisset  <rmorisset@apple.com>
1749
1750         Use padding at end of ArrayBuffer
1751         https://bugs.webkit.org/show_bug.cgi?id=196823
1752
1753         Reviewed by Filip Pizlo.
1754
1755         * runtime/ArrayBuffer.h:
1756
1757 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
1758
1759         [JSC] op_has_indexed_property should not assume subscript part is Uint32
1760         https://bugs.webkit.org/show_bug.cgi?id=196850
1761
1762         Reviewed by Saam Barati.
1763
1764         op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
1765         the DFG can store it in double format and can perform an OSR exit. op_has_indexed_property should not assume that.
1766         In this patch, instead, we check it with isAnyInt and get a uint32_t from the AnyInt.
1767
1768         * jit/JITOpcodes.cpp:
1769         (JSC::JIT::emit_op_has_indexed_property):
1770         * jit/JITOpcodes32_64.cpp:
1771         (JSC::JIT::emit_op_has_indexed_property):
1772         * jit/JITOperations.cpp:
1773         * runtime/CommonSlowPaths.cpp:
1774         (JSC::SLOW_PATH_DECL):
1775
1776 2019-04-11  Saam barati  <sbarati@apple.com>
1777
1778         Remove invalid assertion in operationInstanceOfCustom
1779         https://bugs.webkit.org/show_bug.cgi?id=196842
1780         <rdar://problem/49725493>
1781
1782         Reviewed by Michael Saboff.
1783
1784         In the generated JIT code, we go to the slow path when the incoming function
1785         isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
1786         in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
1787         functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
1788         inlining across global objects as exec->lexicalGlobalObject() uses the machine
1789         frame for procuring the global object. There is no harm when this assertion fails
1790         as we just execute the slow path. This patch removes the assertion. (However, this
1791         does shed light on the deficiency in our exec->lexicalGlobalObject() function with
1792         respect to inlining. However, this isn't new -- we've known about this for a while.)
1793
1794         * jit/JITOperations.cpp:
1795
1796 2019-04-11  Michael Saboff  <msaboff@apple.com>
1797
1798         Improve the Inline Cache Stats code
1799         https://bugs.webkit.org/show_bug.cgi?id=196836
1800
1801         Reviewed by Saam Barati.
1802
1803         Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
1804         and InstanceOfReplaceWithJump.
1805
1806         Added the ability to log the location of a GetBy and PutBy property as either on self or up the
1807         protocol chain.
1808
1809         * jit/ICStats.cpp:
1810         (JSC::ICEvent::operator< const):
1811         (JSC::ICEvent::dump const):
1812         * jit/ICStats.h:
1813         (JSC::ICEvent::ICEvent):
1814         (JSC::ICEvent::hash const):
1815         * jit/JITOperations.cpp:
1816         * jit/Repatch.cpp:
1817         (JSC::tryCacheGetByID):
1818         (JSC::tryCachePutByID):
1819         (JSC::tryCacheInByID):
1820
1821 2019-04-11  Devin Rousso  <drousso@apple.com>
1822
1823         Web Inspector: Timelines: can't reliably stop/start a recording
1824         https://bugs.webkit.org/show_bug.cgi?id=196778
1825         <rdar://problem/47606798>
1826
1827         Reviewed by Timothy Hatcher.
1828
1829         * inspector/protocol/ScriptProfiler.json:
1830         * inspector/protocol/Timeline.json:
1831         It is possible to determine when programmatic capturing starts/stops in the frontend based
1832         on the state when the backend causes the state to change, such as if the state is "inactive"
1833         when the frontend is told that the backend has started capturing.
1834
1835         * inspector/protocol/CPUProfiler.json:
1836         * inspector/protocol/Memory.json:
1837         Send an end timestamp to match other instruments.
1838
1839         * inspector/JSGlobalObjectConsoleClient.cpp:
1840         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
1841         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
1842
1843         * inspector/agents/InspectorScriptProfilerAgent.h:
1844         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1845         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1846         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
1847         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
1848
1849 2019-04-11  Saam barati  <sbarati@apple.com>
1850
1851         Rename SetArgument to SetArgumentDefinitely
1852         https://bugs.webkit.org/show_bug.cgi?id=196828
1853
1854         Reviewed by Yusuke Suzuki.
1855
1856         This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
1857         where we will introduce a node named SetArgumentMaybe. Doing this refactoring
1858         first will make reviewing that other patch easier.
1859
1860         * dfg/DFGAbstractInterpreterInlines.h:
1861         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1862         * dfg/DFGByteCodeParser.cpp:
1863         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1864         (JSC::DFG::ByteCodeParser::parseBlock):
1865         * dfg/DFGCPSRethreadingPhase.cpp:
1866         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1867         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1868         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1869         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1870         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1871         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1872         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
1873         * dfg/DFGClobberize.h:
1874         (JSC::DFG::clobberize):
1875         * dfg/DFGCommon.h:
1876         * dfg/DFGDoesGC.cpp:
1877         (JSC::DFG::doesGC):
1878         * dfg/DFGFixupPhase.cpp:
1879         (JSC::DFG::FixupPhase::fixupNode):
1880         * dfg/DFGGraph.cpp:
1881         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1882         * dfg/DFGGraph.h:
1883         * dfg/DFGInPlaceAbstractState.cpp:
1884         (JSC::DFG::InPlaceAbstractState::initialize):
1885         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1886         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1887         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1888         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1889         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1890         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1891         * dfg/DFGMayExit.cpp:
1892         * dfg/DFGNode.cpp:
1893         (JSC::DFG::Node::hasVariableAccessData):
1894         * dfg/DFGNode.h:
1895         (JSC::DFG::Node::convertPhantomToPhantomLocal):
1896         * dfg/DFGNodeType.h:
1897         * dfg/DFGOSREntrypointCreationPhase.cpp:
1898         (JSC::DFG::OSREntrypointCreationPhase::run):
1899         * dfg/DFGPhantomInsertionPhase.cpp:
1900         * dfg/DFGPredictionPropagationPhase.cpp:
1901         * dfg/DFGSSAConversionPhase.cpp:
1902         (JSC::DFG::SSAConversionPhase::run):
1903         * dfg/DFGSafeToExecute.h:
1904         (JSC::DFG::safeToExecute):
1905         * dfg/DFGSpeculativeJIT.cpp:
1906         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1907         * dfg/DFGSpeculativeJIT32_64.cpp:
1908         (JSC::DFG::SpeculativeJIT::compile):
1909         * dfg/DFGSpeculativeJIT64.cpp:
1910         (JSC::DFG::SpeculativeJIT::compile):
1911         * dfg/DFGTypeCheckHoistingPhase.cpp:
1912         (JSC::DFG::TypeCheckHoistingPhase::run):
1913         * dfg/DFGValidate.cpp:
1914         * ftl/FTLCapabilities.cpp:
1915         (JSC::FTL::canCompile):
1916
1917 2019-04-11  Truitt Savell  <tsavell@apple.com>
1918
1919         Unreviewed, rolling out r244158.
1920
1921         Caused 8 inspector/timeline/ test failures.
1922
1923         Reverted changeset:
1924
1925         "Web Inspector: Timelines: can't reliably stop/start a
1926         recording"
1927         https://bugs.webkit.org/show_bug.cgi?id=196778
1928         https://trac.webkit.org/changeset/244158
1929
1930 2019-04-10  Saam Barati  <sbarati@apple.com>
1931
1932         AbstractValue::validateOSREntryValue is wrong for Int52 constants
1933         https://bugs.webkit.org/show_bug.cgi?id=196801
1934         <rdar://problem/49771122>
1935
1936         Reviewed by Yusuke Suzuki.
1937
1938         validateOSREntryValue should not care about the format of the incoming
1939         value for Int52s. This patch normalizes the format of m_value and
1940         the incoming value when comparing them.
1941
1942         * dfg/DFGAbstractValue.h:
1943         (JSC::DFG::AbstractValue::validateOSREntryValue const):
1944
1945 2019-04-10  Saam Barati  <sbarati@apple.com>
1946
1947         ArithSub over Int52 has shouldCheckOverflow as always true
1948         https://bugs.webkit.org/show_bug.cgi?id=196796
1949
1950         Reviewed by Yusuke Suzuki.
1951
1952         AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
1953         shouldCheckOverflow is always true, so !shouldCheckOverflow is always
1954         false. We shouldn't check something we assert against.
1955
1956         * dfg/DFGAbstractInterpreterInlines.h:
1957         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1958
1959 2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>
1960
1961         [PlayStation] Specify byte order clearly on Remote Inspector Protocol
1962         https://bugs.webkit.org/show_bug.cgi?id=196790
1963
1964         Reviewed by Ross Kirsling.
1965
1966         The original implementation lacks a byte order specification. Network byte order is
1967         a good candidate if there's no strong reason to choose another.
1968         Currently no client exists for PlayStation remote inspector protocol, so we can
1969         change the byte order without care.
1970
1971         * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
1972         (Inspector::MessageParser::createMessage):
1973         (Inspector::MessageParser::parse):
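
        An added illustration of the point above, not the PlayStation remote inspector code
        from this change: a length-prefixed frame whose length field is written and read
        byte by byte in network byte order, so encoder and parser agree regardless of host
        endianness. The frame layout (4-byte big-endian length followed by the payload)
        and the function names createMessage/parseMessage are assumptions; the sample
        payloads in the self-checks are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Serialize the length prefix one byte at a time so the result is big-endian
// (network byte order) whatever the host CPU's native order is.
std::vector<uint8_t> createMessage(const std::string& payload)
{
    std::vector<uint8_t> frame;
    uint32_t length = static_cast<uint32_t>(payload.size());
    frame.push_back(static_cast<uint8_t>(length >> 24));
    frame.push_back(static_cast<uint8_t>(length >> 16));
    frame.push_back(static_cast<uint8_t>(length >> 8));
    frame.push_back(static_cast<uint8_t>(length));
    frame.insert(frame.end(), payload.begin(), payload.end());
    return frame;
}

// Parse one frame starting at `offset`. On success stores the payload,
// advances `offset` past the frame and returns true. Returns false without
// consuming anything when the buffer does not yet hold a complete frame.
bool parseMessage(const std::vector<uint8_t>& buffer, size_t& offset, std::string& payload)
{
    if (offset > buffer.size() || buffer.size() - offset < 4)
        return false;
    uint32_t length = (static_cast<uint32_t>(buffer[offset]) << 24)
        | (static_cast<uint32_t>(buffer[offset + 1]) << 16)
        | (static_cast<uint32_t>(buffer[offset + 2]) << 8)
        | static_cast<uint32_t>(buffer[offset + 3]);
    // The declared length comes off the wire: check it against the bytes
    // actually present before touching the payload.
    if (length > buffer.size() - offset - 4)
        return false;
    payload.assign(buffer.begin() + offset + 4, buffer.begin() + offset + 4 + length);
    offset += 4 + length;
    return true;
}

// Constructed sample: a frame whose length prefix overstates the payload
// present (the last payload byte has been dropped).
std::vector<uint8_t> constructedTruncatedFrame()
{
    std::vector<uint8_t> frame = createMessage("{\"id\":1}");
    frame.pop_back();
    return frame;
}

// Self-check: encode, decode and compare, confirming the whole frame was consumed.
bool roundTrips(const std::string& payload)
{
    std::vector<uint8_t> frame = createMessage(payload);
    size_t offset = 0;
    std::string decoded;
    return parseMessage(frame, offset, decoded) && decoded == payload && offset == frame.size();
}

// Self-check: a short frame is neither accepted nor partially consumed.
bool rejectsTruncatedFrame()
{
    size_t offset = 0;
    std::string decoded;
    return !parseMessage(constructedTruncatedFrame(), offset, decoded) && offset == 0;
}
```

        Shifting bytes by hand rather than calling htonl/ntohl keeps the code free of
        platform socket headers and makes the chosen byte order visible in the source
        itself, which is the property the entry above is after.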
1974
1975 2019-04-10  Devin Rousso  <drousso@apple.com>
1976
1977         Web Inspector: Inspector: lazily create the agent
1978         https://bugs.webkit.org/show_bug.cgi?id=195971
1979         <rdar://problem/49039645>
1980
1981         Reviewed by Joseph Pecoraro.
1982
1983         * inspector/JSGlobalObjectInspectorController.cpp:
1984         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1985         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1986         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
1987         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
1988
1989         * inspector/agents/InspectorAgent.h:
1990         * inspector/agents/InspectorAgent.cpp:
1991
1992 2019-04-10  Saam Barati  <sbarati@apple.com>
1993
1994         Work around an arm64_32 LLVM miscompile bug
1995         https://bugs.webkit.org/show_bug.cgi?id=196788
1996
1997         Reviewed by Yusuke Suzuki.
1998
1999         * runtime/CachedTypes.cpp:
2000
2001 2019-04-10  Devin Rousso  <drousso@apple.com>
2002
2003         Web Inspector: Timelines: can't reliably stop/start a recording
2004         https://bugs.webkit.org/show_bug.cgi?id=196778
2005         <rdar://problem/47606798>
2006
2007         Reviewed by Timothy Hatcher.
2008
2009         * inspector/protocol/ScriptProfiler.json:
2010         * inspector/protocol/Timeline.json:
2011         It is possible to determine when programmatic capturing starts/stops in the frontend based
2012         on the state when the backend causes the state to change, such as if the state is "inactive"
2013         when the frontend is told that the backend has started capturing.
2014
2015         * inspector/protocol/CPUProfiler.json:
2016         * inspector/protocol/Memory.json:
2017         Send an end timestamp to match other instruments.
2018
2019         * inspector/JSGlobalObjectConsoleClient.cpp:
2020         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
2021         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
2022
2023         * inspector/agents/InspectorScriptProfilerAgent.h:
2024         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2025         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2026         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
2027         (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.
2028
2029 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
2030
2031         Unreviewed, fix watch build after r244143
2032         https://bugs.webkit.org/show_bug.cgi?id=195000
2033
2034         The result of `lseek` should be `off_t` rather than `int`.
2035
2036         * jsc.cpp:
2037
2038 2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>
2039
2040         Add support for incremental bytecode cache updates
2041         https://bugs.webkit.org/show_bug.cgi?id=195000
2042
2043         Reviewed by Filip Pizlo.
2044
2045         Add support for incremental updates to the bytecode cache. The cache
2046         is constructed as follows:
2047         - When the cache is empty, the initial payload can be added to the BytecodeCache
2048         by calling BytecodeCache::addGlobalUpdate. This represents the encoded
2049         top-level UnlinkedCodeBlock.
2050         - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
2051         The update is applied by appending the encoded UnlinkedFunctionCodeBlock
2052         to the existing cache and updating the CachedFunctionExecutableMetadata
2053         and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.
2054
2055         * API/JSScript.mm:
2056         (-[JSScript readCache]):
2057         (-[JSScript isUsingBytecodeCache]):
2058         (-[JSScript init]):
2059         (-[JSScript cachedBytecode]):
2060         (-[JSScript writeCache:]):
2061         * API/JSScriptInternal.h:
2062         * API/JSScriptSourceProvider.h:
2063         * API/JSScriptSourceProvider.mm:
2064         (JSScriptSourceProvider::cachedBytecode const):
2065         * CMakeLists.txt:
2066         * JavaScriptCore.xcodeproj/project.pbxproj:
2067         * Sources.txt:
2068         * bytecode/UnlinkedFunctionExecutable.cpp:
2069         (JSC::generateUnlinkedFunctionCodeBlock):
2070         * jsc.cpp:
2071         (ShellSourceProvider::~ShellSourceProvider):
2072         (ShellSourceProvider::cachePath const):
2073         (ShellSourceProvider::loadBytecode const):
2074         (ShellSourceProvider::ShellSourceProvider):
2075         (ShellSourceProvider::cacheEnabled):
2076         * parser/SourceProvider.h:
2077         (JSC::SourceProvider::cachedBytecode const):
2078         (JSC::SourceProvider::updateCache const):
2079         (JSC::SourceProvider::commitCachedBytecode const):
2080         * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2081         (JSC::CachePayload::makeMappedPayload):
2082         (JSC::CachePayload::makeMallocPayload):
2083         (JSC::CachePayload::makeEmptyPayload):
2084         (JSC::CachePayload::CachePayload):
2085         (JSC::CachePayload::~CachePayload):
2086         (JSC::CachePayload::operator=):
2087         (JSC::CachePayload::freeData):
2088         * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2089         (JSC::CachePayload::data const):
2090         (JSC::CachePayload::size const):
2091         (JSC::CachePayload::CachePayload):
2092         * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2093         (JSC::CacheUpdate::CacheUpdate):
2094         (JSC::CacheUpdate::operator=):
2095         (JSC::CacheUpdate::isGlobal const):
2096         (JSC::CacheUpdate::asGlobal const):
2097         (JSC::CacheUpdate::asFunction const):
2098         * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
2099         * runtime/CachedBytecode.cpp: Added.
2100         (JSC::CachedBytecode::addGlobalUpdate):
2101         (JSC::CachedBytecode::addFunctionUpdate):
2102         (JSC::CachedBytecode::copyLeafExecutables):
2103         (JSC::CachedBytecode::commitUpdates const):
2104         * runtime/CachedBytecode.h: Added.
2105         (JSC::CachedBytecode::create):
2106         (JSC::CachedBytecode::leafExecutables):
2107         (JSC::CachedBytecode::data const):
2108         (JSC::CachedBytecode::size const):
2109         (JSC::CachedBytecode::hasUpdates const):
2110         (JSC::CachedBytecode::sizeForUpdate const):
2111         (JSC::CachedBytecode::CachedBytecode):
2112         * runtime/CachedTypes.cpp:
2113         (JSC::Encoder::addLeafExecutable):
2114         (JSC::Encoder::release):
2115         (JSC::Decoder::Decoder):
2116         (JSC::Decoder::create):
2117         (JSC::Decoder::size const):
2118         (JSC::Decoder::offsetOf):
2119         (JSC::Decoder::ptrForOffsetFromBase):
2120         (JSC::Decoder::addLeafExecutable):
2121         (JSC::VariableLengthObject::VariableLengthObject):
2122         (JSC::VariableLengthObject::buffer const):
2123         (JSC::CachedPtrOffsets::offsetOffset):
2124         (JSC::CachedWriteBarrierOffsets::ptrOffset):
2125         (JSC::CachedFunctionExecutable::features const):
2126         (JSC::CachedFunctionExecutable::hasCapturedVariables const):
2127         (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
2128         (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
2129         (JSC::CachedFunctionExecutableOffsets::metadataOffset):
2130         (JSC::CachedFunctionExecutable::encode):
2131         (JSC::CachedFunctionExecutable::decode const):
2132         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2133         (JSC::encodeCodeBlock):
2134         (JSC::encodeFunctionCodeBlock):
2135         (JSC::decodeCodeBlockImpl):
2136         (JSC::isCachedBytecodeStillValid):
2137         * runtime/CachedTypes.h:
2138         (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
2139         (JSC::decodeCodeBlock):
2140         * runtime/CodeCache.cpp:
2141         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
2142         (JSC::CodeCache::updateCache):
2143         (JSC::CodeCache::write):
2144         (JSC::writeCodeBlock):
2145         (JSC::serializeBytecode):
2146         * runtime/CodeCache.h:
2147         (JSC::SourceCodeValue::SourceCodeValue):
2148         (JSC::CodeCacheMap::findCacheAndUpdateAge):
2149         (JSC::CodeCacheMap::fetchFromDiskImpl):
2150         * runtime/Completion.cpp:
2151         (JSC::generateProgramBytecode):
2152         (JSC::generateModuleBytecode):
2153         * runtime/Completion.h:
2154         * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
2155         (JSC::LeafExecutable::operator+ const):
2156         * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
2157         (JSC::LeafExecutable::LeafExecutable):
2158         (JSC::LeafExecutable::base const):
2159
2160 2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2161
2162         Unreviewed, rolling out r243989.
2163
2164         Broke i686 builds
2165
2166         Reverted changeset:
2167
2168         "[CMake] Detect SSE2 at compile time"
2169         https://bugs.webkit.org/show_bug.cgi?id=196488
2170         https://trac.webkit.org/changeset/243989
2171
2172 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2173
2174         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2175         https://bugs.webkit.org/show_bug.cgi?id=196746
2176
2177         Reviewed by Yusuke Suzuki.
2178
2179         It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
2180
2181         * runtime/ObjectConstructor.cpp:
2182         (JSC::defineProperties):
2183
2184 2019-04-10  Antoine Quint  <graouts@apple.com>
2185
2186         Enable Pointer Events on watchOS
2187         https://bugs.webkit.org/show_bug.cgi?id=196771
2188         <rdar://problem/49040909>
2189
2190         Reviewed by Dean Jackson.
2191
2192         * Configurations/FeatureDefines.xcconfig:
2193
2194 2019-04-09  Keith Rollin  <krollin@apple.com>
2195
2196         Unreviewed build maintenance -- update .xcfilelists.
2197
2198         * DerivedSources-input.xcfilelist:
2199
2200 2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>
2201
2202         JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
2203         https://bugs.webkit.org/show_bug.cgi?id=193073
2204
2205         Reviewed by Keith Miller.
2206
2207         * bytecompiler/BytecodeGenerator.cpp:
2208         (JSC::BytecodeGenerator::emitEqualityOpImpl):
2209         (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
2210         * bytecompiler/BytecodeGenerator.h:
2211         (JSC::BytecodeGenerator::emitEqualityOp):
2212         Factor out the logic that uses the template parameter and keep it in the header.
2213
2214         * jit/JITPropertyAccess.cpp:
2215         List off the template specializations needed by JITOperations.cpp.
2216         This is unfortunate but at least there are only two (x2) by definition?
2217         Trying to do away with this incurs a severe domino effect...
2218
2219         * API/JSValueRef.cpp:
2220         * b3/B3OptimizeAssociativeExpressionTrees.cpp:
2221         * b3/air/AirHandleCalleeSaves.cpp:
2222         * builtins/BuiltinNames.cpp:
2223         * bytecode/AccessCase.cpp:
2224         * bytecode/BytecodeIntrinsicRegistry.cpp:
2225         * bytecode/BytecodeIntrinsicRegistry.h:
2226         * bytecode/BytecodeRewriter.cpp:
2227         * bytecode/BytecodeUseDef.h:
2228         * bytecode/CodeBlock.cpp:
2229         * bytecode/InstanceOfAccessCase.cpp:
2230         * bytecode/MetadataTable.cpp:
2231         * bytecode/PolyProtoAccessChain.cpp:
2232         * bytecode/StructureSet.cpp:
2233         * bytecompiler/NodesCodegen.cpp:
2234         * dfg/DFGCFAPhase.cpp:
2235         * dfg/DFGPureValue.cpp:
2236         * heap/GCSegmentedArray.h:
2237         * heap/HeapInlines.h:
2238         * heap/IsoSubspace.cpp:
2239         * heap/LocalAllocator.cpp:
2240         * heap/LocalAllocator.h:
2241         * heap/LocalAllocatorInlines.h:
2242         * heap/MarkingConstraintSolver.cpp:
2243         * inspector/ScriptArguments.cpp:
2244         (Inspector::ScriptArguments::isEqual const):
2245         * inspector/ScriptCallStackFactory.cpp:
2246         * interpreter/CallFrame.h:
2247         * interpreter/Interpreter.cpp:
2248         * interpreter/StackVisitor.cpp:
2249         * llint/LLIntEntrypoint.cpp:
2250         * runtime/ArrayIteratorPrototype.cpp:
2251         * runtime/BigIntPrototype.cpp:
2252         * runtime/CachedTypes.cpp:
2253         * runtime/ErrorType.cpp:
2254         * runtime/IndexingType.cpp:
2255         * runtime/JSCellInlines.h:
2256         * runtime/JSImmutableButterfly.h:
2257         * runtime/Operations.h:
2258         * runtime/RegExpCachedResult.cpp:
2259         * runtime/RegExpConstructor.cpp:
2260         * runtime/RegExpGlobalData.cpp:
2261         * runtime/StackFrame.h:
2262         * wasm/WasmSignature.cpp:
2263         * wasm/js/JSToWasm.cpp:
2264         * wasm/js/JSToWasmICCallee.cpp:
2265         * wasm/js/WebAssemblyFunction.h:
2266         Fix includes / forward declarations (and a couple of nearby clang warnings).
2267
2268 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
2269
2270         [CMake] Apple builds should use ICU_INCLUDE_DIRS
2271         https://bugs.webkit.org/show_bug.cgi?id=196720
2272
2273         Reviewed by Konstantin Tokarev.
2274
2275         * PlatformMac.cmake:
2276
2277 2019-04-09  Saam barati  <sbarati@apple.com>
2278
2279         Clean up Int52 code and some bugs in it
2280         https://bugs.webkit.org/show_bug.cgi?id=196639
2281         <rdar://problem/49515757>
2282
2283         Reviewed by Yusuke Suzuki.
2284
2285         This patch fixes bugs in our Int52 code. The primary change in this patch is
2286         adopting a segregated type lattice for Int52. Previously, for Int52 values,
2287         we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
2288         SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
2289         that the value is outside of the int32 range.
2290         
2291         However, this got confusing because we reused SpecInt32Only both for JSValue
2292         representations and Int52 representations. This actually led to some bugs.
2293         
2294         1. It's possible that roundtripping through Int52 representation would say
2295         it produces the wrong type. For example, consider this program and how we
2296         used to annotate types in AI:
2297         a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
2298         b: Int52Rep(@a) => m_type is SpecInt52Only
2299         c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
2300         
2301         In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
2302         However, the execution semantics are such that it'd actually produce a boxed
2303         Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
2304         would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
2305         mean an int value in either int32 or int52 range.
2306         
2307         2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
2308         accepted Int52 values. It was wrong in two different ways:
2309         a: If the AbstractValue's type was SpecInt52Only, and the incoming value
2310         was a boxed double, but represented a value in int32 range, the incoming
2311         value would incorrectly validate as being acceptable. However, we should
2312         have rejected this value.
2313         b: If the AbstractValue's type was SpecInt32Only, and the incoming value
2314         was an Int32 boxed in a double, this would not validate, even though
2315         it should have validated.
2316         
2317         Solving 2 was easiest if we segregated out the Int52 type into its own
2318         lattice. This patch makes a new Int52 lattice, which is composed of
2319         SpecInt32AsInt52 and SpecNonInt32AsInt52.
2320         
2321         The conversion rules are now really simple.
2322         
2323         Int52 rep => JSValue rep
2324         SpecInt32AsInt52 => SpecInt32Only
2325         SpecNonInt32AsInt52 => SpecAnyIntAsDouble
2326         
2327         JSValue rep => Int52 rep
2328         SpecInt32Only => SpecInt32AsInt52
2329         SpecAnyIntAsDouble => SpecInt52Any
2330         
2331         With these rules, the program in (1) will now correctly report that @c
2332         returns SpecInt32Only | SpecAnyIntAsDouble.
2333
2334         * bytecode/SpeculatedType.cpp:
2335         (JSC::dumpSpeculation):
2336         (JSC::speculationToAbbreviatedString):
2337         (JSC::int52AwareSpeculationFromValue):
2338         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2339         (JSC::speculationFromString):
2340         * bytecode/SpeculatedType.h:
2341         (JSC::isInt32SpeculationForArithmetic):
2342         (JSC::isInt32OrBooleanSpeculationForArithmetic):
2343         (JSC::isAnyInt52Speculation):
2344         (JSC::isIntAnyFormat):
2345         (JSC::isInt52Speculation): Deleted.
2346         (JSC::isAnyIntSpeculation): Deleted.
2347         * dfg/DFGAbstractInterpreterInlines.h:
2348         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2349         * dfg/DFGAbstractValue.cpp:
2350         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2351         (JSC::DFG::AbstractValue::checkConsistency const):
2352         * dfg/DFGAbstractValue.h:
2353         (JSC::DFG::AbstractValue::isInt52Any const):
2354         (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
2355         * dfg/DFGFixupPhase.cpp:
2356         (JSC::DFG::FixupPhase::fixupArithMul):
2357         (JSC::DFG::FixupPhase::fixupNode):
2358         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
2359         (JSC::DFG::FixupPhase::fixupToThis):
2360         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2361         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2362         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
2363         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2364         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2365         (JSC::DFG::FixupPhase::fixupChecksInBlock):
2366         * dfg/DFGGraph.h:
2367         (JSC::DFG::Graph::addShouldSpeculateInt52):
2368         (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
2369         (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
2370         (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
2371         (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
2372         (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
2373         * dfg/DFGNode.h:
2374         (JSC::DFG::Node::shouldSpeculateInt52):
2375         (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
2376         * dfg/DFGPredictionPropagationPhase.cpp:
2377         * dfg/DFGSpeculativeJIT.cpp:
2378         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
2379         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2380         (JSC::DFG::SpeculativeJIT::compileArithSub):
2381         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2382         * dfg/DFGSpeculativeJIT64.cpp:
2383         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2384         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2385         * dfg/DFGUseKind.h:
2386         (JSC::DFG::typeFilterFor):
2387         * dfg/DFGVariableAccessData.cpp:
2388         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2389         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
2390         * ftl/FTLLowerDFGToB3.cpp:
2391         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2392         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2393         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
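
        A toy model of the segregated Int52 lattice and the two conversion tables in the
        entry above, added here as an illustration; it is not JavaScriptCore's SpeculatedType
        code. The bit values, the function names, and the reading of SpecInt52Any as the
        union of SpecInt32AsInt52 and SpecNonInt32AsInt52 are assumptions. It replays the
        three-node program from point (1) under the new rules and checks the two acceptance
        cases from point (2) against concrete values.

```cpp
#include <cstdint>
#include <limits>

using SpeculatedType = uint32_t;

// JSValue-representation types named in the entry (bit values are constructed).
constexpr SpeculatedType SpecInt32Only       = 1u << 0;
constexpr SpeculatedType SpecAnyIntAsDouble  = 1u << 1;
// The segregated Int52-representation lattice introduced by the change.
constexpr SpeculatedType SpecInt32AsInt52    = 1u << 2;
constexpr SpeculatedType SpecNonInt32AsInt52 = 1u << 3;
// Assumed: "Int52Any" is the whole Int52 lattice.
constexpr SpeculatedType SpecInt52Any        = SpecInt32AsInt52 | SpecNonInt32AsInt52;

// JSValue rep => Int52 rep (second table in the entry).
SpeculatedType int52RepFromJSValueRep(SpeculatedType type)
{
    SpeculatedType result = 0;
    if (type & SpecInt32Only)
        result |= SpecInt32AsInt52;
    if (type & SpecAnyIntAsDouble)
        result |= SpecInt52Any; // an int in a double may be in or out of int32 range
    return result;
}

// Int52 rep => JSValue rep (first table in the entry).
SpeculatedType jsValueRepFromInt52Rep(SpeculatedType type)
{
    SpeculatedType result = 0;
    if (type & SpecInt32AsInt52)
        result |= SpecInt32Only;
    if (type & SpecNonInt32AsInt52)
        result |= SpecAnyIntAsDouble;
    return result;
}

// Classify a concrete integer into the Int52 lattice. Returns 0 when the
// value does not fit the 52-bit signed range at all.
SpeculatedType int52SpeculationFromValue(int64_t value)
{
    constexpr int64_t int52Max = (int64_t(1) << 51) - 1;
    constexpr int64_t int52Min = -(int64_t(1) << 51);
    if (value < int52Min || value > int52Max)
        return 0;
    if (value >= std::numeric_limits<int32_t>::min() && value <= std::numeric_limits<int32_t>::max())
        return SpecInt32AsInt52;
    return SpecNonInt32AsInt52;
}

// Acceptance check in the spirit of validateTypeAcceptingBoxedInt52: the
// value's classification must be a subset of the expected Int52 type.
bool validateInt52(SpeculatedType expected, int64_t value)
{
    SpeculatedType actual = int52SpeculationFromValue(value);
    return actual != 0 && (actual & ~expected) == 0;
}

// The program from point (1), annotated with the new rules:
//   a: JSConstant(10.0)  => SpecAnyIntAsDouble
//   b: Int52Rep(@a)      => SpecInt52Any
//   c: ValueRep(@b)      => SpecInt32Only | SpecAnyIntAsDouble
SpeculatedType roundTripTypeOfC()
{
    SpeculatedType a = SpecAnyIntAsDouble;
    SpeculatedType b = int52RepFromJSValueRep(a);
    return jsValueRepFromInt52Rep(b);
}
```

        With the old scheme, @b would have been annotated SpecInt52Only and @c would
        have lost the boxed-Int32 outcome; the model's validateInt52 also shows why the
        two acceptance bugs in point (2) disappear once int32-range and non-int32-range
        Int52 values are distinct lattice members.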
2394
2395 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2396
2397         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
2398         https://bugs.webkit.org/show_bug.cgi?id=196708
2399         <rdar://problem/49556803>
2400
2401         Reviewed by Yusuke Suzuki.
2402
2403         `operationPutToScope` needs to return early if an exception is thrown while
2404         checking if `hasProperty`.
2405
2406         * jit/JITOperations.cpp:
2407
2408 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2409
2410         [JSC] DFG should respect node's strict flag
2411         https://bugs.webkit.org/show_bug.cgi?id=196617
2412
2413         Reviewed by Saam Barati.
2414
2415         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
2416         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
2417         in DFG and FTL to get the right isStrictMode flag for the DFG node.
2418         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
2419         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
2420         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
2421
2422         * dfg/DFGAbstractInterpreterInlines.h:
2423         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2424         * dfg/DFGConstantFoldingPhase.cpp:
2425         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2426         * dfg/DFGFixupPhase.cpp:
2427         (JSC::DFG::FixupPhase::fixupToThis):
2428         * dfg/DFGOperations.cpp:
2429         * dfg/DFGOperations.h:
2430         * dfg/DFGPredictionPropagationPhase.cpp:
2431         * dfg/DFGSpeculativeJIT.cpp:
2432         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2433         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2434         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2435         (JSC::DFG::SpeculativeJIT::compileToThis):
2436         * dfg/DFGSpeculativeJIT32_64.cpp:
2437         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2438         (JSC::DFG::SpeculativeJIT::compile):
2439         * dfg/DFGSpeculativeJIT64.cpp:
2440         (JSC::DFG::SpeculativeJIT::compile):
2441         * ftl/FTLLowerDFGToB3.cpp:
2442         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2443         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
2444
2445 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
2446
2447         [CMake][WinCairo] Separate copied headers into different directories
2448         https://bugs.webkit.org/show_bug.cgi?id=196655
2449
2450         Reviewed by Michael Catanzaro.
2451
2452         * CMakeLists.txt:
2453         * shell/PlatformWin.cmake:
2454
2455 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2456
2457         [JSC] isRope jump in StringSlice should not jump over register allocations
2458         https://bugs.webkit.org/show_bug.cgi?id=196716
2459
2460         Reviewed by Saam Barati.
2461
2462         Jumping over the register allocation code in DFG (like the following) is wrong.
2463
2464             auto jump = m_jit.branchXXX();
2465             {
2466                 GPRTemporary reg(this);
2467                 GPRReg regGPR = reg.gpr();
2468                 ...
2469             }
2470             jump.link(&m_jit);
2471
2472         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
2473         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
2474         DFG thinks that the content is flushed and stored in particular stack slot even while this flushing code is skipped.
2475         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
2476
2477         * dfg/DFGSpeculativeJIT.cpp:
2478         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2479
2480 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2481
2482         [JSC] to_index_string should not assume incoming value is Uint32
2483         https://bugs.webkit.org/show_bug.cgi?id=196713
2484
2485         Reviewed by Saam Barati.
2486
2487         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
2488         this assumption since DFG may decide we should have it in double format. This patch removes this
2489         assumption, and instead, we should assume that the incoming value is AnyInt and the range of this
2490         is within Uint32.
2491
2492         * runtime/CommonSlowPaths.cpp:
2493         (JSC::SLOW_PATH_DECL):
2494
2495 2019-04-08  Justin Fan  <justin_fan@apple.com>
2496
2497         [Web GPU] Fix Web GPU experimental feature on iOS
2498         https://bugs.webkit.org/show_bug.cgi?id=196632
2499
2500         Reviewed by Myles C. Maxfield.
2501
2502         Properly make Web GPU available on iOS 11+.
2503
2504         * Configurations/FeatureDefines.xcconfig:
2505         * Configurations/WebKitTargetConditionals.xcconfig:
2506
2507 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
2508
2509         -f[no-]var-tracking-assignments is GCC-only
2510         https://bugs.webkit.org/show_bug.cgi?id=196699
2511
2512         Reviewed by Don Olmstead.
2513
2514         * CMakeLists.txt:
2515         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
2516         and said problem evidently no longer occurs as of GCC 9.
2517
2518 2019-04-08  Saam Barati  <sbarati@apple.com>
2519
2520         WebAssembly.RuntimeError missing exception check
2521         https://bugs.webkit.org/show_bug.cgi?id=196700
2522         <rdar://problem/49693932>
2523
2524         Reviewed by Yusuke Suzuki.
2525
2526         * wasm/js/JSWebAssemblyRuntimeError.h:
2527         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2528         (JSC::constructJSWebAssemblyRuntimeError):
2529
2530 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2531
2532         Unreviewed, rolling in r243948 with test fix
2533         https://bugs.webkit.org/show_bug.cgi?id=196486
2534
2535         * parser/ASTBuilder.h:
2536         (JSC::ASTBuilder::createString):
2537         * parser/Lexer.cpp:
2538         (JSC::Lexer<T>::parseMultilineComment):
2539         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
2540         (JSC::Lexer<T>::lex): Deleted.
2541         * parser/Lexer.h:
2542         (JSC::Lexer::hasLineTerminatorBeforeToken const):
2543         (JSC::Lexer::setHasLineTerminatorBeforeToken):
2544         (JSC::Lexer<T>::lex):
2545         (JSC::Lexer::prevTerminator const): Deleted.
2546         (JSC::Lexer::setTerminator): Deleted.
2547         * parser/Parser.cpp:
2548         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2549         (JSC::Parser<LexerType>::parseSingleFunction):
2550         (JSC::Parser<LexerType>::parseStatementListItem):
2551         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2552         (JSC::Parser<LexerType>::parseFunctionInfo):
2553         (JSC::Parser<LexerType>::parseClass):
2554         (JSC::Parser<LexerType>::parseExportDeclaration):
2555         (JSC::Parser<LexerType>::parseAssignmentExpression):
2556         (JSC::Parser<LexerType>::parseYieldExpression):
2557         (JSC::Parser<LexerType>::parseProperty):
2558         (JSC::Parser<LexerType>::parsePrimaryExpression):
2559         (JSC::Parser<LexerType>::parseMemberExpression):
2560         * parser/Parser.h:
2561         (JSC::Parser::nextWithoutClearingLineTerminator):
2562         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
2563         (JSC::Parser::internalSaveLexerState):
2564         (JSC::Parser::restoreLexerState):
2565
2566 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2567
2568         Unreviewed, rolling out r243948.
2569
2570         Caused inspector/runtime/parse.html to fail
2571
2572         Reverted changeset:
2573
2574         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
2575         https://bugs.webkit.org/show_bug.cgi?id=196486
2576         https://trac.webkit.org/changeset/243948
2577
2578 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2579
2580         Unreviewed, rolling out r243943.
2581
2582         Caused test262 failures.
2583
2584         Reverted changeset:
2585
2586         "[JSC] Filter DontEnum properties in
2587         ProxyObject::getOwnPropertyNames()"
2588         https://bugs.webkit.org/show_bug.cgi?id=176810
2589         https://trac.webkit.org/changeset/243943
2590
2591 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
2592
2593         [JSC] Partially fix the build with unified builds disabled
2594         https://bugs.webkit.org/show_bug.cgi?id=196647
2595
2596         Reviewed by Konstantin Tokarev.
2597
2598         If you disable unified builds you find all kind of build
2599         errors. This partially tries to fix them but there's a lot
2600         more.
2601
2602         * API/JSBaseInternal.h:
2603         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
2604         * b3/air/AirHandleCalleeSaves.h:
2605         * bytecode/ExecutableToCodeBlockEdge.cpp:
2606         * bytecode/ExitFlag.h:
2607         * bytecode/ICStatusUtils.h:
2608         * bytecode/UnlinkedMetadataTable.h:
2609         * dfg/DFGPureValue.h:
2610         * heap/IsoAlignedMemoryAllocator.cpp:
2611         * heap/IsoAlignedMemoryAllocator.h:
2612
2613 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
2614
2615         Enable DFG on MIPS
2616         https://bugs.webkit.org/show_bug.cgi?id=196689
2617
2618         Reviewed by Žan Doberšek.
2619
2620         Since the bytecode change, we enabled the baseline JIT on mips in
2621         r240432, but DFG is still missing. With this change, all tests are
2622         passing on a ci20 board.
2623
2624         * jit/RegisterSet.cpp:
2625         (JSC::RegisterSet::calleeSaveRegisters):
2626         Added s0, which is used in llint.
2627
2628 2019-04-08  Xan Lopez  <xan@igalia.com>
2629
2630         [CMake] Detect SSE2 at compile time
2631         https://bugs.webkit.org/show_bug.cgi?id=196488
2632
2633         Reviewed by Carlos Garcia Campos.
2634
2635         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
2636         incorrect) static_assert.
2637
2638 2019-04-07  Michael Saboff  <msaboff@apple.com>
2639
2640         REGRESSION (r243642): Crash in reddit.com page
2641         https://bugs.webkit.org/show_bug.cgi?id=196684
2642
2643         Reviewed by Geoffrey Garen.
2644
2645         In r243642, the code that saves and restores the count for non-greedy character classes
2646         was inadvertently put inside an if statement.  This code should be generated for all
2647         non-greedy character classes.
2648
2649         * yarr/YarrJIT.cpp:
2650         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2651         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2652
2653 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2654
2655         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
2656         https://bugs.webkit.org/show_bug.cgi?id=196683
2657
2658         Reviewed by Saam Barati.
2659
2660         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
2661         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
2662         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
2663         can still be live.
2664
2665         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
2666         other repatching operations in CallLinkInfo are implemented on the Repatch.cpp side.
2667
2668         * bytecode/CallLinkInfo.cpp:
2669         (JSC::CallLinkInfo::setCallee):
2670         (JSC::CallLinkInfo::clearCallee):
2671         * jit/Repatch.cpp:
2672         (JSC::linkFor):
2673         (JSC::revertCall):
2674
2675 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2676
2677         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
2678         https://bugs.webkit.org/show_bug.cgi?id=196582
2679
2680         Reviewed by Saam Barati.
2681
2682         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when overflow flag is set.
2683         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
2684         handles A + B = A, A + B = B cases. But it misses A + A = A case (here, A and B are GPRReg). Our recovery code
2685         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
2686
2687         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
2688         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
2689
2690         We also found that the FTL recovery code is dead. We remove it in this patch.
2691
2692         * dfg/DFGOSRExit.cpp:
2693         (JSC::DFG::OSRExit::executeOSRExit):
2694         (JSC::DFG::OSRExit::compileExit):
2695         * dfg/DFGOSRExit.h:
2696         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
2697         * dfg/DFGSpeculativeJIT.cpp:
2698         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2699         * ftl/FTLExitValue.cpp:
2700         (JSC::FTL::ExitValue::dataFormat const):
2701         (JSC::FTL::ExitValue::dumpInContext const):
2702         * ftl/FTLExitValue.h:
2703         (JSC::FTL::ExitValue::isArgument const):
2704         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
2705         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
2706         (JSC::FTL::ExitValue::recovery): Deleted.
2707         (JSC::FTL::ExitValue::isRecovery const): Deleted.
2708         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
2709         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
2710         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
2711         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
2712         * ftl/FTLLowerDFGToB3.cpp:
2713         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2714         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
2715         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2716         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
2717         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
2718         * ftl/FTLOSRExitCompiler.cpp:
2719         (JSC::FTL::compileRecovery):
2720
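The recovery described in this entry, worked through as an added example (illustrative code, not JSC's own): a model of the speculative 32-bit add with overflow detection, the pre-patch subtraction recovery that yields zero for A + A = A, and the `((int32_t)value >> 1) ^ 0x80000000` recovery that fixes it. Register aliasing is modeled by an `Alias` enum, which is an assumption of the model.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Model of the DFG's speculative 32-bit ArithAdd and of the OSR-exit recovery
// described in the entry above. The JIT adds in place (the destination register
// may alias one or both operands) and only on overflow must it reconstruct the
// clobbered operand before exiting to the baseline. Illustrative code, not JSC's own.

struct SpeculationResult {
    bool overflowed;  // true if the add set the overflow flag and recovery ran
    int32_t value;    // the sum if no overflow, else the recovered clobbered operand
};

// Which operand register the destination aliases (an assumption of this model).
enum class Alias { Left, Right, Both };

// Wrapping 32-bit add; reports signed overflow the way the CPU flag would.
static int32_t addWithOverflowFlag(int32_t a, int32_t b, bool& overflowed) {
    int32_t result = (int32_t)((uint32_t)a + (uint32_t)b);
    // Signed overflow iff both operands share a sign that the result lacks.
    overflowed = ((a ^ result) & (b ^ result)) < 0;
    return result;
}

// Pre-fix recovery: subtract the surviving operand from the destination.
// Correct for "A + B = A" and "A + B = B". For "A + A = A" the surviving
// operand *is* the destination, so dest - dest is always zero.
static int32_t recoverBySubtraction(int32_t dest, int32_t survivingOperand) {
    return (int32_t)((uint32_t)dest - (uint32_t)survivingOperand);
}

// Fixed recovery for "A + A = A". After an overflowing A + A the destination
// holds 2A mod 2^32: bit 0 is zero and A's sign bit fell off the top. A + A
// overflows exactly when bit 31 of A differs from bit 30, so the sign bit of
// dest (which is bit 30 of A) is the complement of A's sign bit. The arithmetic
// shift right (as in the JSC expression) restores bits 0..30 and copies bit 30
// into bit 31; XOR with 0x80000000 flips that bit back to A's true sign bit.
static int32_t recoverSelfAdd(int32_t dest) {
    return (int32_t)((uint32_t)(dest >> 1) ^ 0x80000000u);
}

// Speculatively adds a + b into a destination that aliases 'alias', then, if
// the add overflowed, recovers the clobbered operand (A for Left and Both,
// B for Right). 'useFix' selects the recovery from the entry above for Both.
static SpeculationResult speculativeAdd(int32_t a, int32_t b, Alias alias, bool useFix) {
    bool overflowed = false;
    int32_t dest = addWithOverflowFlag(a, b, overflowed);
    if (!overflowed)
        return { false, dest };
    int32_t recovered = 0;
    switch (alias) {
    case Alias::Left:   // dest was A's register; B is intact.
        recovered = recoverBySubtraction(dest, b);
        break;
    case Alias::Right:  // dest was B's register; A is intact.
        recovered = recoverBySubtraction(dest, a);
        break;
    case Alias::Both:   // A + A = A: nothing survives but dest itself.
        recovered = useFix ? recoverSelfAdd(dest) : recoverBySubtraction(dest, dest);
        break;
    }
    return { true, recovered };
}

int main() {
    // A + B = A: the old subtraction recovery is already right.
    SpeculationResult r = speculativeAdd(0x7FFFFFF0, 0x20, Alias::Left, false);
    printf("A+B=A overflow=%d recovered=0x%08X\n", r.overflowed, (uint32_t)r.value);
    // A + A = A: the old recovery yields 0, the fixed recovery yields A.
    SpeculationResult broken = speculativeAdd(0x40000000, 0x40000000, Alias::Both, false);
    SpeculationResult repaired = speculativeAdd(0x40000000, 0x40000000, Alias::Both, true);
    printf("A+A=A broken=0x%08X fixed=0x%08X\n", (uint32_t)broken.value, (uint32_t)repaired.value);
    return 0;
}
```
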
2721 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2722
2723         Unreviewed, rolling out r243665.
2724
2725         Caused iOS JSC tests to exit with an exception.
2726
2727         Reverted changeset:
2728
2729         "Assertion failed in JSC::createError"
2730         https://bugs.webkit.org/show_bug.cgi?id=196305
2731         https://trac.webkit.org/changeset/243665
2732
2733 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2734
2735         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2736         https://bugs.webkit.org/show_bug.cgi?id=196486
2737
2738         Reviewed by Saam Barati.
2739
2740         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
2741         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
2742         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
2743
2744         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
2745
2746                 arrow => expr
2747                 "string!"
2748
2749         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
2750         since SyntaxChecker may not have interest in the string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
2751         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
2752
2753         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
2754         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
2755         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
2756
2757         And we also fix a bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
2758         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
2759
2760         * parser/ASTBuilder.h:
2761         (JSC::ASTBuilder::createString):
2762         * parser/Lexer.cpp:
2763         (JSC::Lexer<T>::parseMultilineComment):
2764         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): The EOF token should also record offset information. This offset information is correctly handled in Lexer::setOffset too.
2765         (JSC::Lexer<T>::lex): Deleted.
2766         * parser/Lexer.h:
2767         (JSC::Lexer::hasLineTerminatorBeforeToken const):
2768         (JSC::Lexer::setHasLineTerminatorBeforeToken):
2769         (JSC::Lexer<T>::lex):
2770         (JSC::Lexer::prevTerminator const): Deleted.
2771         (JSC::Lexer::setTerminator): Deleted.
2772         * parser/Parser.cpp:
2773         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2774         (JSC::Parser<LexerType>::parseSingleFunction):
2775         (JSC::Parser<LexerType>::parseStatementListItem):
2776         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
2777         (JSC::Parser<LexerType>::parseFunctionInfo):
2778         (JSC::Parser<LexerType>::parseClass):
2779         (JSC::Parser<LexerType>::parseExportDeclaration):
2780         (JSC::Parser<LexerType>::parseAssignmentExpression):
2781         (JSC::Parser<LexerType>::parseYieldExpression):
2782         (JSC::Parser<LexerType>::parseProperty):
2783         (JSC::Parser<LexerType>::parsePrimaryExpression):
2784         (JSC::Parser<LexerType>::parseMemberExpression):
2785         * parser/Parser.h:
2786         (JSC::Parser::nextWithoutClearingLineTerminator):
2787         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
2788         (JSC::Parser::internalSaveLexerState):
2789         (JSC::Parser::restoreLexerState):
2790
2791 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2792
2793         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2794         https://bugs.webkit.org/show_bug.cgi?id=176810
2795
2796         Reviewed by Saam Barati.
2797
2798         This adds conditional logic following the invariant checks, to perform
2799         filtering in common uses of getOwnPropertyNames.
2800
2801         While this would ideally only be done in JSPropertyNameEnumerator, adding
2802         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
2803         invariant that the EnumerationMode is properly followed.
2804
2805         * runtime/PropertyNameArray.h:
2806         (JSC::PropertyNameArray::reset):
2807         * runtime/ProxyObject.cpp:
2808         (JSC::ProxyObject::performGetOwnPropertyNames):
2809
2810 2019-04-05  Commit Queue  <commit-queue@webkit.org>
2811
2812         Unreviewed, rolling out r243833.
2813         https://bugs.webkit.org/show_bug.cgi?id=196645
2814
2815         This change breaks the build of the WPE and GTK ports (Requested by
2816         annulen on #webkit).
2817
2818         Reverted changeset:
2819
2820         "[CMake][WTF] Mirror XCode header directories"
2821         https://bugs.webkit.org/show_bug.cgi?id=191662
2822         https://trac.webkit.org/changeset/243833
2823
2824 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2825
2826         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
2827         https://bugs.webkit.org/show_bug.cgi?id=185211
2828
2829         Reviewed by Saam Barati.
2830
2831         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
2832
2833         This involves tracking duplicate keys returned from the ownKeys trap in yet
2834         another HashTable, and may incur a minor performance penalty in some cases. This
2835         is not expected to significantly affect web performance.
2836
2837         * runtime/ProxyObject.cpp:
2838         (JSC::ProxyObject::performGetOwnPropertyNames):
2839
2840 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2841
2842         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
2843         https://bugs.webkit.org/show_bug.cgi?id=196631
2844
2845         Reviewed by Saam Barati.
2846
2847         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
2848         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform a
2849         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
2850
2851         * JavaScriptCore.xcodeproj/project.pbxproj:
2852         * Sources.txt:
2853         * interpreter/CallFrameInlines.h:
2854         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
2855         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
2856         (JSC::DoublePredictionFuzzerAgent::getPrediction):
2857         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
2858         * runtime/JSGlobalObject.cpp:
2859         (JSC::makeBoundFunction):
2860         * runtime/Options.h:
2861         * runtime/VM.cpp:
2862         (JSC::VM::VM):
2863
2864 2019-04-04  Robin Morisset  <rmorisset@apple.com>
2865
2866         B3ReduceStrength should know that Mul distributes over Add and Sub
2867         https://bugs.webkit.org/show_bug.cgi?id=196325
2868         <rdar://problem/49441650>
2869
2870         Reviewed by Saam Barati.
2871
2872         Fix some obviously wrong code that was due to an accidental copy-paste.
2873         It made the entire optimization dead code that never ran.
2874
2875         * b3/B3ReduceStrength.cpp:
2876
2877 2019-04-04  Saam Barati  <sbarati@apple.com>
2878
2879         Unreviewed, build fix for CLoop after r243886
2880
2881         * interpreter/Interpreter.cpp:
2882         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2883         * interpreter/StackVisitor.cpp:
2884         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2885         * interpreter/StackVisitor.h:
2886
2887 2019-04-04  Commit Queue  <commit-queue@webkit.org>
2888
2889         Unreviewed, rolling out r243898.
2890         https://bugs.webkit.org/show_bug.cgi?id=196624
2891
2892         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
2893         does not work well (Requested by yusukesuzuki on #webkit).
2894
2895         Reverted changeset:
2896
2897         "Unreviewed, build fix for CLoop and Windows after r243886"
2898         https://bugs.webkit.org/show_bug.cgi?id=196387
2899         https://trac.webkit.org/changeset/243898
2900
2901 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2902
2903         Unreviewed, build fix for CLoop and Windows after r243886
2904         https://bugs.webkit.org/show_bug.cgi?id=196387
2905
2906         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
2907
2908         * interpreter/StackVisitor.cpp:
2909         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2910         * interpreter/StackVisitor.h:
2911
2912 2019-04-04  Saam barati  <sbarati@apple.com>
2913
2914         Teach Call ICs how to call Wasm
2915         https://bugs.webkit.org/show_bug.cgi?id=196387
2916
2917         Reviewed by Filip Pizlo.
2918
2919         This patch teaches JS to call Wasm without going through the native thunk.
2920         Currently, we emit a JIT "JS" callee stub which marshals arguments from
2921         JS to Wasm. Like the native version of this, this thunk is responsible
2922         for saving and restoring the VM's current Wasm context. Instead of emitting
2923         an exception handler, we also teach the unwinder how to read the previous
2924         wasm context to restore it as it unwinds past this frame.
2925         
2926         This patch is straightforward, and leaves some areas for perf improvement:
2927         - We can teach the DFG/FTL to directly use the Wasm calling convention when
2928           it knows it's calling a single Wasm function. This way we don't shuffle
2929           registers to the stack and then back into registers.
2930         - We bail out to the slow path for mismatched arity. I opened a bug to
2931           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
2932         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
2933           We should teach this thunk how to do that conversion directly.
2934         
2935         This patch also refactors the code to explicitly have a single pinned size register.
2936         We used to pretend in some places that we could have more than one pinned size register.
2937         However, there was other code that just asserted the size was one. This patch just rips
2938         out this code since we never moved to having more than one pinned size register. Doing
2939         this refactoring cleans up the various places where we set up the size register.
2940         
2941         This patch is a 50-60% progression on JetStream 2's richards-wasm.
2942
2943         * JavaScriptCore.xcodeproj/project.pbxproj:
2944         * Sources.txt:
2945         * assembler/MacroAssemblerCodeRef.h:
2946         (JSC::MacroAssemblerCodeRef::operator=):
2947         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2948         * interpreter/Interpreter.cpp:
2949         (JSC::UnwindFunctor::operator() const):
2950         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2951         * interpreter/StackVisitor.cpp:
2952         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
2953         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
2954         * interpreter/StackVisitor.h:
2955         * jit/JITOperations.cpp:
2956         * jit/RegisterSet.cpp:
2957         (JSC::RegisterSet::runtimeTagRegisters):
2958         (JSC::RegisterSet::specialRegisters):
2959         (JSC::RegisterSet::runtimeRegisters): Deleted.
2960         * jit/RegisterSet.h:
2961         * jit/Repatch.cpp:
2962         (JSC::linkPolymorphicCall):
2963         * runtime/JSFunction.cpp:
2964         (JSC::getCalculatedDisplayName):
2965         * runtime/JSGlobalObject.cpp:
2966         (JSC::JSGlobalObject::init):
2967         (JSC::JSGlobalObject::visitChildren):
2968         * runtime/JSGlobalObject.h:
2969         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
2970         * runtime/VM.cpp:
2971         (JSC::VM::VM):
2972         * runtime/VM.h:
2973         * wasm/WasmAirIRGenerator.cpp:
2974         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2975         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2976         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2977         * wasm/WasmB3IRGenerator.cpp:
2978         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2979         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2980         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2981         * wasm/WasmBinding.cpp:
2982         (JSC::Wasm::wasmToWasm):
2983         * wasm/WasmContext.h:
2984         (JSC::Wasm::Context::pointerToInstance):
2985         * wasm/WasmContextInlines.h:
2986         (JSC::Wasm::Context::store):
2987         * wasm/WasmMemoryInformation.cpp:
2988         (JSC::Wasm::getPinnedRegisters):
2989         (JSC::Wasm::PinnedRegisterInfo::get):
2990         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2991         * wasm/WasmMemoryInformation.h:
2992         (JSC::Wasm::PinnedRegisterInfo::toSave const):
2993         * wasm/WasmOMGPlan.cpp:
2994         (JSC::Wasm::OMGPlan::work):
2995         * wasm/js/JSToWasm.cpp:
2996         (JSC::Wasm::createJSToWasmWrapper):
2997         * wasm/js/JSToWasmICCallee.cpp: Added.
2998         (JSC::JSToWasmICCallee::create):
2999         (JSC::JSToWasmICCallee::createStructure):
3000         (JSC::JSToWasmICCallee::visitChildren):
3001         * wasm/js/JSToWasmICCallee.h: Added.
3002         (JSC::JSToWasmICCallee::function):
3003         (JSC::JSToWasmICCallee::JSToWasmICCallee):
3004         * wasm/js/WebAssemblyFunction.cpp:
3005         (JSC::WebAssemblyFunction::useTagRegisters const):
3006         (JSC::WebAssemblyFunction::calleeSaves const):
3007         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
3008         (JSC::WebAssemblyFunction::previousInstanceOffset const):
3009         (JSC::WebAssemblyFunction::previousInstance):
3010         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
3011         (JSC::WebAssemblyFunction::visitChildren):
3012         (JSC::WebAssemblyFunction::destroy):
3013         * wasm/js/WebAssemblyFunction.h:
3014         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
3015         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
3016         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
3017         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
3018         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
3019         (JSC::WebAssemblyFunctionHeapCellType::destroy):
3020         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
3021         * wasm/js/WebAssemblyPrototype.h:
3022
3023 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3024
3025         [JSC] Pass CodeOrigin to FuzzerAgent
3026         https://bugs.webkit.org/show_bug.cgi?id=196590
3027
3028         Reviewed by Saam Barati.
3029
3030         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
3031         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
3032         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
3033
3034         * dfg/DFGByteCodeParser.cpp:
3035         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3036         * runtime/FuzzerAgent.cpp:
3037         (JSC::FuzzerAgent::getPrediction):
3038         * runtime/FuzzerAgent.h:
3039         * runtime/RandomizingFuzzerAgent.cpp:
3040         (JSC::RandomizingFuzzerAgent::getPrediction):
3041         * runtime/RandomizingFuzzerAgent.h:
3042
3043 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3044
3045         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3046         https://bugs.webkit.org/show_bug.cgi?id=194944
3047
3048         Reviewed by Keith Miller.
3049
3050         Based on profile data collected on JetStream2, Speedometer 2 and
3051         other benchmarks, it is very rare to have a non-empty
3052         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
3053
3054         - Data collected from Speedometer2
3055             Total number of UnlinkedFunctionExecutable: 39463
3056             Total number of non-empty parentScopeTDZVars: 428 (~1%)
3057
3058         - Data collected from JetStream2
3059             Total number of UnlinkedFunctionExecutable: 83715
3060             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
3061
3062         We also collected numbers on 6 of the top 10 Alexa sites.
3063
3064         - Data collected from youtube.com
3065             Total number of UnlinkedFunctionExecutable: 29599
3066             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
3067
3068         - Data collected from twitter.com
3069             Total number of UnlinkedFunctionExecutable: 23774
3070             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
3071
3072         - Data collected from google.com
3073             Total number of UnlinkedFunctionExecutable: 33209
3074             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
3075
3076         - Data collected from amazon.com:
3077             Total number of UnlinkedFunctionExecutable: 15182
3078             Total number of non-empty parentScopeTDZVars: 166 (~1%)
3079
3080         - Data collected from facebook.com:
3081             Total number of UnlinkedFunctionExecutable: 54443
3082             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
3083
3084         - Data collected from netflix.com:
3085             Total number of UnlinkedFunctionExecutable: 39266
3086             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
3087
3088         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
3089         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
3090         16 bytes. With this change, the UnlinkedFunctionExecutable constructors now
3091         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
3092         it when `value != WTF::nullopt`. We also changed
3093         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
3094         `VariableEnvironment()` whenever the Executable doesn't have RareData,
3095         or the VariableEnvironmentMap::Handle is uninitialized. This is required
3096         because RareData is instantiated when any of its fields is stored and
3097         we can have an uninitialized `Handle` even in cases when parentScopeTDZVariables
3098         is `WTF::nullopt`.
3099
3100         Results on memory usage on JetStream2 are neutral.
3101
3102             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
3103             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
3104
3105         * builtins/BuiltinExecutables.cpp:
3106         (JSC::BuiltinExecutables::createExecutable):
3107         * bytecode/UnlinkedFunctionExecutable.cpp:
3108         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3109         * bytecode/UnlinkedFunctionExecutable.h:
3110         * bytecompiler/BytecodeGenerator.cpp:
3111         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3112
3113         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
3114         is empty, so we can properly return `WTF::nullopt` without the
3115         reconstruction of a VariableEnvironment to check if it is empty.
3116
3117         * bytecompiler/BytecodeGenerator.h:
3118         (JSC::BytecodeGenerator::makeFunction):
3119         * parser/VariableEnvironment.h:
3120         (JSC::VariableEnvironment::isEmpty const):
3121         * runtime/CachedTypes.cpp:
3122         (JSC::CachedCompactVariableMapHandle::decode const):
3123
3124         It returns an uninitialized Handle when there is no
3125         CompactVariableEnvironment. This can happen when RareData is ensured
3126         because of another field.
3127
3128         (JSC::CachedFunctionExecutableRareData::encode):
3129         (JSC::CachedFunctionExecutableRareData::decode const):
3130         (JSC::CachedFunctionExecutable::encode):
3131         (JSC::CachedFunctionExecutable::decode const):
3132         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3133         * runtime/CodeCache.cpp:
3134
3135         Instead of creating a dummyVariablesUnderTDZ, we simply pass
3136         WTF::nullopt.
3137
3138         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3139
3140 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3141
3142         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
3143         https://bugs.webkit.org/show_bug.cgi?id=196409
3144
3145         Reviewed by Saam Barati.
3146
3147         Some of the helpers in jsc.cpp, such as `functionRunString`, were still using
3148         `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
3149         and therefore does not write the bytecode cache to disk.
3150
3151         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
3152         of pointers to offsets of already cached objects, in order to avoid caching
3153         the same object twice. Similarly, the Decoder keeps a mapping from offsets
3154         to pointers, in order to avoid creating multiple objects in memory for the
3155         same cached object. The following was happening:
3156         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
3157         an entry in the Encoder mapping that S has already been encoded at O.
3158         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
3159         We find an entry in the Encoder mapping for S, and return the offset O. However,
3160         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
3161
3162         3) When decoding, there are 2 possibilities:
3163         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
3164         this case, everything works as expected since we add an entry in the decoder
3165         mapping from the offset O to the decoded StringImpl* S. The next time we find
3166         S through the uniqued version, we'll return the already decoded S.
3167         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
3168         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
3169         which has a different shape and we crash.
3170
3171         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
3172         same implementation. Since it doesn't matter whether a string is uniqued for
3173         encoding, and we always decode strings as uniqued either way, they can be used
3174         interchangeably.
3175
3176         * jsc.cpp:
3177         (functionRunString):
3178         (functionLoadString):
3179         (functionDollarAgentStart):
3180         (functionCheckModuleSyntax):
3181         (runInteractive):
3182         * runtime/CachedTypes.cpp:
3183         (JSC::CachedUniquedStringImplBase::decode const):
3184         (JSC::CachedFunctionExecutable::rareData const):
3185         (JSC::CachedCodeBlock::rareData const):
3186         (JSC::CachedFunctionExecutable::encode):
3187         (JSC::CachedCodeBlock<CodeBlockType>::encode):
3188         (JSC::CachedUniquedStringImpl::encode): Deleted.
3189         (JSC::CachedUniquedStringImpl::decode const): Deleted.
3190         (JSC::CachedStringImpl::encode): Deleted.
3191         (JSC::CachedStringImpl::decode const): Deleted.
3192
3193 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3194
3195         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
3196         https://bugs.webkit.org/show_bug.cgi?id=196396
3197
3198         Reviewed by Saam Barati.
3199
3200         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
3201         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
3202
3203         * runtime/CachedTypes.cpp:
3204         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3205
3206 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3207
3208         Unreviewed, rolling in r243843 with the build fix
3209         https://bugs.webkit.org/show_bug.cgi?id=196586
3210
3211         * runtime/Options.cpp:
3212         (JSC::recomputeDependentOptions):
3213         * runtime/Options.h:
3214         * runtime/RandomizingFuzzerAgent.cpp:
3215         (JSC::RandomizingFuzzerAgent::getPrediction):
3216
3217 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
3218
3219         Unreviewed, rolling out r243843.
3220
3221         Broke CLoop and Windows builds.
3222
3223         Reverted changeset:
3224
3225         "[JSC] Add dump feature for RandomizingFuzzerAgent"
3226         https://bugs.webkit.org/show_bug.cgi?id=196586
3227         https://trac.webkit.org/changeset/243843
3228
3229 2019-04-03  Robin Morisset  <rmorisset@apple.com>
3230
3231         B3 should use associativity to optimize expression trees
3232         https://bugs.webkit.org/show_bug.cgi?id=194081
3233
3234         Reviewed by Filip Pizlo.
3235
3236         This patch adds a new B3 pass, that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
3237         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
3238         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
3239         inherited from CSE.
3240         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
3241         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
3242
3243         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
3244         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
3245         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
3246         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
3247         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
3248
3249         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
3250         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
3251
3252         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
3253
3254         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4))
3255         The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
3256
3257         * JavaScriptCore.xcodeproj/project.pbxproj:
3258         * Sources.txt:
3259         * b3/B3Common.cpp:
3260         (JSC::B3::shouldDumpIR):
3261         (JSC::B3::shouldDumpIRAtEachPhase):
3262         * b3/B3Common.h:
3263         * b3/B3EliminateDeadCode.cpp: Added.
3264         (JSC::B3::EliminateDeadCode::run):
3265         (JSC::B3::eliminateDeadCode):
3266         * b3/B3EliminateDeadCode.h: Added.
3267         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
3268         * b3/B3Generate.cpp:
3269         (JSC::B3::generateToAir):
3270         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
3271         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
3272         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
3273         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
3274         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
3275         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
3276         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
3277         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
3278         (JSC::B3::optimizeAssociativeExpressionTrees):
3279         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
3280         * b3/B3ReduceStrength.cpp:
3281         * b3/B3Value.cpp:
3282         (JSC::B3::Value::replaceWithIdentity):
3283         * b3/testb3.cpp:
3284         (JSC::B3::testBitXorTreeArgs):
3285         (JSC::B3::testBitXorTreeArgsEven):
3286         (JSC::B3::testBitXorTreeArgImm):
3287         (JSC::B3::testAddTreeArg32):
3288         (JSC::B3::testMulTreeArg32):
3289         (JSC::B3::testBitAndTreeArg32):
3290         (JSC::B3::testBitOrTreeArg32):
3291         (JSC::B3::run):
3292
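The tree rewrite described in the entry above, as an added example that is not part of the patch or of JSC: an invented B3-like IR (`Value`, `Graph`, `Op`) with use counts, leaf collection that stops at shared or differently-typed nodes, constant folding into one leaf, and a balanced re-emission. Only constant leaves are merged here; identical non-constant leaves are left alone.

```cpp
// Added example (not JSC code): a toy version of the associative-tree pass on an
// invented B3-like IR. Names and structure are assumptions for this example.
#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

enum class Op { Const, Arg, Add, Mul, BitXor };

struct Value {
    Op op;
    int64_t constant;              // Op::Const only
    std::string name;              // Op::Arg only
    std::vector<Value*> children;  // two children for Add/Mul/BitXor
    int useCount = 0;              // filled in by Graph::countUses()
    Value(Op o, int64_t c, std::string n, std::vector<Value*> k)
        : op(o), constant(c), name(std::move(n)), children(std::move(k)) { }
};

struct Graph {
    std::vector<std::unique_ptr<Value>> values;
    Value* make(Op op, int64_t c, std::string n, std::vector<Value*> k) {
        values.push_back(std::unique_ptr<Value>(new Value(op, c, std::move(n), std::move(k))));
        return values.back().get();
    }
    Value* constant(int64_t c) { return make(Op::Const, c, "", {}); }
    Value* arg(const std::string& n) { return make(Op::Arg, 0, n, {}); }
    Value* binary(Op op, Value* a, Value* b) { return make(op, 0, "", {a, b}); }
    void countUses() {
        for (auto& v : values) v->useCount = 0;
        for (auto& v : values) for (Value* k : v->children) k->useCount++;
    }
};

static int64_t neutralElement(Op op) { return op == Op::Mul ? 1 : 0; }

static int64_t combine(Op op, int64_t a, int64_t b) {
    switch (op) {
    case Op::Add: return a + b;
    case Op::Mul: return a * b;
    default: return a ^ b;
    }
}

// A child stays a leaf if it has a different opcode or is used somewhere else:
// pulling it into the tree would duplicate its computation, which the pass refuses to do.
static void collectLeaves(Value* v, Op op, std::vector<Value*>& leaves) {
    for (Value* child : v->children) {
        if (child->op == op && child->useCount == 1)
            collectLeaves(child, op, leaves);
        else
            leaves.push_back(child);
    }
}

// Emits the leaves as a balanced binary tree: depth ceil(log2(n)) instead of the
// n - 1 of a left-leaning chain, so independent halves can be computed in parallel.
static Value* emitBalanced(Graph& g, Op op, const std::vector<Value*>& leaves, size_t lo, size_t hi) {
    if (hi - lo == 1) return leaves[lo];
    size_t mid = lo + (hi - lo) / 2;
    return g.binary(op, emitBalanced(g, op, leaves, lo, mid), emitBalanced(g, op, leaves, mid, hi));
}

// Rewrites the tree rooted at `root`; call Graph::countUses() first.
Value* optimizeRootedTree(Graph& g, Value* root) {
    Op op = root->op;
    std::vector<Value*> leaves;
    collectLeaves(root, op, leaves);
    int64_t folded = neutralElement(op);
    std::vector<Value*> kept;
    for (Value* leaf : leaves) {
        if (leaf->op == Op::Const) folded = combine(op, folded, leaf->constant);
        else kept.push_back(leaf);
    }
    if (folded != neutralElement(op) || kept.empty()) kept.push_back(g.constant(folded));
    return emitBalanced(g, op, kept, 0, kept.size());
}

int depth(const Value* v) {
    int d = 0;
    for (const Value* k : v->children) d = std::max(d, depth(k) + 1);
    return d;
}

int64_t eval(const Value* v, const std::map<std::string, int64_t>& env) {
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg: return env.at(v->name);
    default: return combine(v->op, eval(v->children[0], env), eval(v->children[1], env));
    }
}
```

A left-deep chain Add(Add(Add(Add(Add(a, 1), b), c), 2), d) comes out as a depth-3 tree over a, b, c, d and a single folded constant 3; a subtree with a second user is kept as a leaf rather than being cloned.
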
3293 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3294
3295         [JSC] Add dump feature for RandomizingFuzzerAgent
3296         https://bugs.webkit.org/show_bug.cgi?id=196586
3297
3298         Reviewed by Saam Barati.
3299
3300         Towards deterministic tests for the results from randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
3301         The result looks like this.
3302
3303             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
3304             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
3305
3306         * runtime/Options.cpp:
3307         (JSC::recomputeDependentOptions):
3308         * runtime/Options.h:
3309         * runtime/RandomizingFuzzerAgent.cpp:
3310         (JSC::RandomizingFuzzerAgent::getPrediction):
3311
3312 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
3313
3314         -apple-trailing-word is needed for browser detection
3315         https://bugs.webkit.org/show_bug.cgi?id=196575
3316
3317         Unreviewed.
3318
3319         * Configurations/FeatureDefines.xcconfig:
3320
3321 2019-04-03  Michael Saboff  <msaboff@apple.com>
3322
3323         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
3324         https://bugs.webkit.org/show_bug.cgi?id=196477
3325
3326         Reviewed by Keith Miller.
3327
3328         The problem here is that when we advance the index by 2 for a character class that only
3329         has non-BMP characters, we might go past the end of the string.  This can happen for
3330         greedy counted character classes that are part of an alternative where there is one
3331         character to match after the greedy non-BMP character class.
3332
3333         The "do we have string left to match" check at the top of the JIT loop for the counted
3334         character class checks to see if index is not equal to the string length.  For non-BMP
3335         character classes, we need to check to see if there are at least 2 characters left.
3336         Therefore we now temporarily add 1 to the current index before comparing.  This checks
3337         to see if there are at least 2 characters left to match, instead of 1.
3338
3339         * yarr/YarrJIT.cpp:
3340         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3341         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3342
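The loop-top check above, as an added example that is not Yarr or JSC code: a hand-written greedy matcher for one character-class term over UTF-16, with the class width (BMP, non-BMP or both) precomputed at construction as the Mar 28 "[YARR] Precompute BMP / non-BMP status" entry further down describes, an advance-by-2 fast path for non-BMP-only classes, and the "do we have string left" check in both its old and fixed forms. The class, range and string shapes are invented; the real JIT's index bookkeeping is not reproduced.

```cpp
// Added example (not Yarr code): greedy character-class matching over UTF-16 with
// precomputed class width. An out-of-range fast-path read is reported through
// `outOfBounds` instead of being performed; in native code it would be an OOB read.
#include <cstddef>
#include <string>
#include <vector>

struct Range { char32_t lo, hi; };

enum Width : unsigned { HasBMP = 1, HasNonBMP = 2 };

struct CharacterClass {
    std::vector<Range> ranges;
    unsigned width = 0;  // which of BMP / non-BMP the class can match, fixed at construction
    explicit CharacterClass(std::vector<Range> r) : ranges(std::move(r)) {
        for (const Range& range : ranges) {
            if (range.lo <= 0xFFFF) width |= HasBMP;
            if (range.hi > 0xFFFF) width |= HasNonBMP;
        }
    }
    bool contains(char32_t c) const {
        for (const Range& r : ranges)
            if (c >= r.lo && c <= r.hi) return true;
        return false;
    }
    bool nonBMPOnly() const { return width == HasNonBMP; }
};

static bool isLead(char16_t u) { return u >= 0xD800 && u <= 0xDBFF; }
static bool isTrail(char16_t u) { return u >= 0xDC00 && u <= 0xDFFF; }
static char32_t decodePair(char16_t lead, char16_t trail) {
    return 0x10000 + ((char32_t(lead) - 0xD800) << 10) + (char32_t(trail) - 0xDC00);
}

// Generic path: reads one code point and reports how many code units it took.
static size_t readCodePoint(const std::u16string& s, size_t index, char32_t& out) {
    if (index >= s.size()) return 0;
    if (isLead(s[index]) && index + 1 < s.size() && isTrail(s[index + 1])) {
        out = decodePair(s[index], s[index + 1]);
        return 2;
    }
    out = s[index];
    return 1;
}

// Greedily consumes `cls` from `index`. For a non-BMP-only class the fast path reads
// two code units without a second bounds check, so the loop-top check must guarantee
// two remain. applyFix == false uses the old `index != length` style check; applyFix
// == true compares index + 1 instead, which is what the fix above does.
size_t greedyMatches(const CharacterClass& cls, const std::u16string& s, size_t index, bool applyFix, bool& outOfBounds) {
    outOfBounds = false;
    size_t matches = 0;
    for (;;) {
        size_t probe = (applyFix && cls.nonBMPOnly()) ? index + 1 : index;
        if (probe >= s.size()) break;  // "do we have string left to match"
        if (cls.nonBMPOnly()) {
            if (index + 2 > s.size()) { outOfBounds = true; break; }  // only one code unit left
            if (!isLead(s[index]) || !isTrail(s[index + 1])) break;
            if (!cls.contains(decodePair(s[index], s[index + 1]))) break;
            index += 2;
        } else {
            char32_t cp;
            size_t units = readCodePoint(s, index, cp);
            if (!units || !cls.contains(cp)) break;
            index += units;
        }
        ++matches;
    }
    return matches;
}
```

With two emoji followed by a single BMP character, the old check lets the loop enter a third iteration with one code unit left and the fast path would read past the end; the fixed check stops after the second match.
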
3343 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3344
3345         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
3346         https://bugs.webkit.org/show_bug.cgi?id=196574
3347
3348         Reviewed by Saam Barati.
3349
3350         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
3351
3352         * dfg/DFGOperations.cpp:
3353
3354 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
3355
3356         [CMake][WTF] Mirror XCode header directories
3357         https://bugs.webkit.org/show_bug.cgi?id=191662
3358
3359         Reviewed by Konstantin Tokarev.
3360
3361         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
3362         builds.
3363
3364         * CMakeLists.txt:
3365         * shell/CMakeLists.txt:
3366
3367 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3368
3369         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
3370         https://bugs.webkit.org/show_bug.cgi?id=196530
3371
3372         Reviewed by Saam Barati.
3373
3374         This patch adds FuzzerAgent interface and simple RandomizingFuzzerAgent to JSC.
3375         This RandomizingFuzzerAgent returns random SpeculatedType for value profiling to find
3376         the issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
3377
3378         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests,
3379         they should be fixed in subsequent patches.
3380
3381         * CMakeLists.txt:
3382         * JavaScriptCore.xcodeproj/project.pbxproj:
3383         * Sources.txt:
3384         * dfg/DFGByteCodeParser.cpp:
3385         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3386         * runtime/FuzzerAgent.cpp: Added.
3387         (JSC::FuzzerAgent::~FuzzerAgent):
3388         (JSC::FuzzerAgent::getPrediction):
3389         * runtime/FuzzerAgent.h: Added.
3390         * runtime/JSGlobalObjectFunctions.cpp:
3391         * runtime/Options.h:
3392         * runtime/RandomizingFuzzerAgent.cpp: Added.
3393         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
3394         (JSC::RandomizingFuzzerAgent::getPrediction):
3395         * runtime/RandomizingFuzzerAgent.h: Added.
3396         * runtime/RegExpCachedResult.h:
3397         * runtime/RegExpGlobalData.cpp:
3398         * runtime/VM.cpp:
3399         (JSC::VM::VM):
3400         * runtime/VM.h:
3401         (JSC::VM::fuzzerAgent const):
3402         (JSC::VM::setFuzzerAgent):
3403
3404 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
3405
3406         Remove support for -apple-trailing-word
3407         https://bugs.webkit.org/show_bug.cgi?id=196525
3408
3409         Reviewed by Zalan Bujtas.
3410
3411         This CSS property is nonstandard and not used.
3412
3413         * Configurations/FeatureDefines.xcconfig:
3414
3415 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
3416
3417         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
3418         https://bugs.webkit.org/show_bug.cgi?id=196513
3419         <rdar://problem/49498284>
3420
3421         Reviewed by Devin Rousso.
3422
3423         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3424         (Inspector::RemoteInspector::receivedIndicateMessage):
3425         When we have a WebThread, don't just run on the WebThread,
3426         run on the MainThread with the WebThreadLock.
3427
3428 2019-04-02  Michael Saboff  <msaboff@apple.com>
3429
3430         Crash in Options::setOptions() using --configFile option and libgmalloc
3431         https://bugs.webkit.org/show_bug.cgi?id=196506
3432
3433         Reviewed by Keith Miller.
3434
3435         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
3436         the implicit CString temporary alive until after setOptions() returns.
3437
3438         * runtime/ConfigFile.cpp:
3439         (JSC::ConfigFile::parse):
3440
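The lifetime rule behind the fix above, as an added example that is not JSC code and can be run safely: `TrackedCString`, `readConfig` and `setOptions` are stand-ins invented for this example (the real CString and Options::setOptions are not reproduced), and the dangling pointer is never dereferenced; instead a live-object counter shows whether the buffer's owner still exists when the callee runs.

```cpp
// Added example (not JSC code): temporary lifetime when taking a raw pointer out
// of a by-value return. Names are stand-ins invented for the example.
#include <string>
#include <utility>

static int g_liveCStrings = 0;  // how many TrackedCString objects currently own a buffer

struct TrackedCString {
    std::string bytes;
    explicit TrackedCString(std::string s) : bytes(std::move(s)) { ++g_liveCStrings; }
    TrackedCString(const TrackedCString& other) : bytes(other.bytes) { ++g_liveCStrings; }
    ~TrackedCString() { --g_liveCStrings; }
    const char* data() const { return bytes.c_str(); }  // valid only while *this lives
};

// Stand-in for reading the config file: returns a fresh temporary.
static TrackedCString readConfig() { return TrackedCString("--jitPolicyScale=0.5"); }

// Stand-in for Options::setOptions: instead of parsing, it reports whether the
// buffer behind `optionsString` still has a live owner. A real parser would be
// reading freed memory in the false case.
static bool setOptions(const char* optionsString) {
    (void)optionsString;  // deliberately never dereferenced
    return g_liveCStrings == 1;
}

// Pre-fix shape: the temporary returned by readConfig() is destroyed at the end of
// the full expression that created it, so `p` already dangles when setOptions runs.
bool parseDangling() {
    const char* p = readConfig().data();  // temporary destroyed at this ';'
    return setOptions(p);                 // owner already gone: returns false
}

// Post-fix shape: the temporary lives until the full expression containing the call
// completes, so setOptions sees a valid buffer.
bool parseKeepsTemporaryAlive() {
    return setOptions(readConfig().data());  // returns true
}
```

The same rule applies to `std::string::c_str()`, `std::vector::data()` and any other accessor that returns a view into an object: the view is only as long-lived as the full expression that produced the temporary, which is why the fix keeps `.data()` inside the call.
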
3441 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
3442
3443         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
3444         https://bugs.webkit.org/show_bug.cgi?id=182757
3445
3446         Reviewed by Don Olmstead.
3447
3448         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
3449         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
3450         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
3451
3452 2019-04-02  Saam barati  <sbarati@apple.com>
3453
3454         Add a ValueRepReduction phase
3455         https://bugs.webkit.org/show_bug.cgi?id=196234
3456
3457         Reviewed by Filip Pizlo.
3458
3459         This patch adds a ValueRepReduction phase. The main idea here is
3460         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
3461         to just be @x. This patch handles such above strength reduction rules
3462         as long as we prove that all users of the ValueRep can be converted
3463         to using the incoming double value. That way we prevent introducing
3464         a parallel live range for the double value.
3465         
3466         This patch tracks the uses of the ValueRep through Phi variables,
3467         so we can convert entire Phi variables to being Double instead
3468         of JSValue if the Phi also has only double uses.
3469         
3470         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
3471         and OSR exit hints are not counted as escapes. All other uses are counted
3472         as escapes. Connected Phi graphs are converted to being Double only if the
3473         entire graph is ok with the result being Double.
3474         
3475         Some ways we could extend this phase in the future:
3476         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
3477           that the result of the DoubleRep of @x is not impure NaN. We could
3478           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
3479           with PurifyNaN(@x). Alternatively, we could see if certain users of this
3480           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
3481           their output type is always treated as if the input is impure NaN.
3482         - We could do sinking of ValueRep where we think it's profitable. So instead
3483           of an escape making it so we never represent the variable as a Double, we
3484           could make the escape reconstruct the JSValueRep where profitable.
3485         - We can extend this phase to handle Int52Rep if it's profitable.
3486         - We can opt other nodes into accepting incoming Doubles so we no longer
3487           treat them as escapes.
3488         
3489         This patch is somewhere between neutral and a 1% progression on JetStream 2.
3490
3491         * JavaScriptCore.xcodeproj/project.pbxproj:
3492         * Sources.txt:
3493         * dfg/DFGPlan.cpp:
3494         (JSC::DFG::Plan::compileInThreadImpl):
3495         * dfg/DFGValueRepReductionPhase.cpp: Added.
3496         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
3497         (JSC::DFG::ValueRepReductionPhase::run):
3498         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
3499         (JSC::DFG::performValueRepReduction):
3500         * dfg/DFGValueRepReductionPhase.h: Added.
3501         * runtime/Options.h:
3502
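The escape analysis described above, as an added example that is not DFG code: an invented node graph in which `Phi` inputs are wired directly (no Upsilons), `DoubleRepRealNumberUse` and `OSRExitHint` are the only non-escaping users, and a connected Phi component is converted to Double only if nothing in it escapes. Node kinds and the graph shapes in the test are assumptions for this example.

```cpp
// Added example (not DFG code): a miniature ValueRep-to-Double escape analysis
// over connected Phi graphs. Node kinds and wiring are invented for the example.
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

enum class Kind { DoubleValue, ValueRep, Phi, DoubleRepRealNumberUse, OSRExitHint, Other };

struct Node {
    Kind kind;
    std::vector<Node*> inputs;
    std::vector<Node*> users;
    bool isDouble;  // representation after the phase: true once converted
    Node(Kind k, std::vector<Node*> in) : kind(k), inputs(std::move(in)), isDouble(false) { }
};

struct Graph {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* add(Kind kind, std::vector<Node*> inputs = {}) {
        nodes.push_back(std::unique_ptr<Node>(new Node(kind, inputs)));
        Node* n = nodes.back().get();
        for (Node* in : inputs) in->users.push_back(n);
        return n;
    }
};

// Uses that can consume the double directly; anything else needs the JSValue and
// therefore counts as an escape. Phis are not escapes: they are followed instead.
static bool isNonEscapingUse(const Node* user) {
    return user->kind == Kind::DoubleRepRealNumberUse || user->kind == Kind::OSRExitHint || user->kind == Kind::Phi;
}

// Walks the connected Phi graph around `start` (through Phi users and Phi inputs
// alike) and reports whether any value in it escapes.
static bool componentEscapes(Node* start, std::set<Node*>& component) {
    std::vector<Node*> work{start};
    bool escapes = false;
    while (!work.empty()) {
        Node* n = work.back();
        work.pop_back();
        if (!component.insert(n).second) continue;
        for (Node* u : n->users) {
            if (u->kind == Kind::Phi) work.push_back(u);
            else if (!isNonEscapingUse(u)) escapes = true;
        }
        if (n->kind == Kind::Phi) {
            for (Node* in : n->inputs) {
                // every input must itself be convertible, or the Phi has to stay a JSValue
                if (in->kind == Kind::ValueRep || in->kind == Kind::Phi) work.push_back(in);
                else escapes = true;
            }
        }
    }
    return escapes;
}

// Converts every ValueRep, together with every Phi connected to it, whose whole
// component is fine with being a Double. Returns how many nodes were converted.
size_t performValueRepReduction(Graph& g) {
    size_t converted = 0;
    std::set<Node*> visited;
    for (auto& np : g.nodes) {
        Node* n = np.get();
        if (n->kind != Kind::ValueRep || visited.count(n)) continue;
        std::set<Node*> component;
        bool escapes = componentEscapes(n, component);
        visited.insert(component.begin(), component.end());
        if (escapes) continue;
        for (Node* m : component) {
            m->isDouble = true;
            ++converted;
        }
    }
    return converted;
}
```

A single `Other` use anywhere in the component is enough to keep the whole Phi graph as JSValue, which is the conservative choice the entry describes; the sinking and PurifyNaN ideas listed as future work would relax exactly that rule.
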
3503 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
3504
3505         [JSC] JSRunLoopTimer::Manager should be small
3506         https://bugs.webkit.org/show_bug.cgi?id=196425
3507
3508         Reviewed by Darin Adler.
3509
3510         Using a very large Key or Value in a HashMap potentially bloats memory, since HashMap pre-allocates a large amount of
3511         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. Use std::unique_ptr<> for JSRunLoopTimer's
3512         PerVMData to keep HashMap's backing store size small.
3513
3514         * runtime/JSRunLoopTimer.cpp:
3515         (JSC::JSRunLoopTimer::Manager::timerDidFire):
3516         (JSC::JSRunLoopTimer::Manager::registerVM):
3517         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
3518         (JSC::JSRunLoopTimer::Manager::cancelTimer):
3519         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
3520         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
3521         * runtime/JSRunLoopTimer.h:
3522
3523 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
3524
3525         [PlayStation] Add initialization for JSC shell for PlayStation port
3526         https://bugs.webkit.org/show_bug.cgi?id=195411
3527
3528         Reviewed by Ross Kirsling.
3529
3530         Add ps options
3531
3532         * shell/PlatformPlayStation.cmake: Added.
3533         * shell/playstation/Initializer.cpp: Added.
3534         (initializer):
3535
3536 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
3537
3538         Stop trying to support building JSC with clang 3.8
3539         https://bugs.webkit.org/show_bug.cgi?id=195947
3540         <rdar://problem/49069219>
3541
3542         Reviewed by Darin Adler.
3543
3544         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
3545         don't know how much effort it would be to make JSC work again, and it's making the code
3546         worse. Remove my hacks to support clang 3.8 from JSC.
3547
3548         * bindings/ScriptValue.cpp:
3549         (Inspector::jsToInspectorValue):
3550         * bytecode/GetterSetterAccessCase.cpp:
3551         (JSC::GetterSetterAccessCase::create):
3552         (JSC::GetterSetterAccessCase::clone const):
3553         * bytecode/InstanceOfAccessCase.cpp:
3554         (JSC::InstanceOfAccessCase::clone const):
3555         * bytecode/IntrinsicGetterAccessCase.cpp:
3556         (JSC::IntrinsicGetterAccessCase::clone const):
3557         * bytecode/ModuleNamespaceAccessCase.cpp:
3558         (JSC::ModuleNamespaceAccessCase::clone const):
3559         * bytecode/ProxyableAccessCase.cpp:
3560         (JSC::ProxyableAccessCase::clone const):
3561
3562 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
3563
3564         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
3565         https://bugs.webkit.org/show_bug.cgi?id=196160
3566
3567         Reviewed by Saam Barati.
3568
3569         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
3570
3571         1. It does not allocate additional memory while expanding a vector
3572         2. It does not deallocate an old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
3573
3574         We found that we can "realloc" large butterflies in certain conditions are met because,
3575
3576         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
3577         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
3578
3579         This patch attempts to use "realloc" onto butterflies if,
3580
3581         1. Butterflies are allocated in LargeAllocation kind
3582         2. Concurrent collector is not active
3583         3. Butterflies do not have property storage
3584
3585         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
3586         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
3587
3588         We also change LargeAllocation mechanism to using "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
3589         safely in all the platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
3590         16B alignment by allocating 8B more memory in "malloc".
3591
3592         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
3593
3594         * heap/AlignedMemoryAllocator.h:
3595         * heap/CompleteSubspace.cpp:
3596         (JSC::CompleteSubspace::tryAllocateSlow):
3597         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
3598         * heap/CompleteSubspace.h:
3599         * heap/FastMallocAlignedMemoryAllocator.cpp:
3600         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
3601         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
3602         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
3603         * heap/FastMallocAlignedMemoryAllocator.h:
3604         * heap/GigacageAlignedMemoryAllocator.cpp:
3605         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
3606         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
3607         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
3608         * heap/GigacageAlignedMemoryAllocator.h:
3609         * heap/IsoAlignedMemoryAllocator.cpp:
3610         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
3611         (JSC::IsoAlignedMemoryAllocator::freeMemory):
3612         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
3613         * heap/IsoAlignedMemoryAllocator.h:
3614         * heap/LargeAllocation.cpp:
3615         (JSC::isAlignedForLargeAllocation):
3616         (JSC::LargeAllocation::tryCreate):
3617         (JSC::LargeAllocation::tryReallocate):
3618         (JSC::LargeAllocation::LargeAllocation):
3619         (JSC::LargeAllocation::destroy):
3620         * heap/LargeAllocation.h:
3621         (JSC::LargeAllocation::indexInSpace):
3622         (JSC::LargeAllocation::setIndexInSpace):
3623         (JSC::LargeAllocation::basePointer const):
3624         * heap/MarkedSpace.cpp:
3625         (JSC::MarkedSpace::sweepLargeAllocations):
3626         (JSC::MarkedSpace::prepareForConservativeScan):
3627         * heap/WeakSet.h:
3628         (JSC::WeakSet::isTriviallyDestructible const):
3629         * runtime/Butterfly.h:
3630         * runtime/ButterflyInlines.h:
3631         (JSC::Butterfly::reallocArrayRightIfPossible):
3632         * runtime/JSObject.cpp:
3633         (JSC::JSObject::ensureLengthSlow):
3634
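The "allocate 8 bytes more and fix up the alignment" trick from the entry above, as an added example that is not JSC code: a large-block allocator on top of malloc, realloc and free that keeps its payload 16-byte aligned and can grow with realloc. The names are invented and the real LargeAllocation header layout is not reproduced; the point is that realloc may hand back a pointer with a different residue mod 16, so the adjustment has to be recomputed and the payload slid when it flips, and that only the original base pointer may ever be passed to realloc or free.

```cpp
// Added example (not JSC code): over-allocate by 8 bytes so a malloc'd block can
// be kept 16-byte aligned and still be grown with realloc. Names are invented.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <initializer_list>

constexpr uintptr_t kAlignment = 16;
constexpr uintptr_t kHalfAlignment = 8;

struct LargeBlock {
    void* base;     // what malloc returned: the only pointer realloc/free may ever see
    void* payload;  // base or base + 8, always 16-byte aligned
    size_t size;
};

static bool isAligned(const void* p) {
    return (reinterpret_cast<uintptr_t>(p) & (kAlignment - 1)) == 0;
}

// malloc only guarantees alignof(max_align_t), which is at least 8, so base is
// either 0 or 8 mod 16 and a single 8-byte bump always reaches 16-byte alignment.
static void* alignPayload(void* base) {
    return isAligned(base) ? base : static_cast<char*>(base) + kHalfAlignment;
}

bool tryCreate(LargeBlock& out, size_t size) {
    void* base = std::malloc(size + kHalfAlignment);
    if (!base) return false;
    out.base = base;
    out.payload = alignPayload(base);
    out.size = size;
    return true;
}

// Grows (or shrinks) the block with realloc. realloc may move the block and return
// a pointer with a different residue mod 16; it preserves bytes at their old offset
// from base, so when the adjustment flips the payload is slid by 8 bytes (memmove,
// because the two ranges overlap).
bool tryReallocate(LargeBlock& block, size_t newSize) {
    bool wasAdjusted = block.payload != block.base;
    void* base = std::realloc(block.base, newSize + kHalfAlignment);
    if (!base) return false;  // old block is still valid and untouched
    void* payload = alignPayload(base);
    bool nowAdjusted = payload != base;
    if (wasAdjusted != nowAdjusted) {
        char* oldPayload = static_cast<char*>(base) + (wasAdjusted ? kHalfAlignment : 0);
        std::memmove(payload, oldPayload, std::min(block.size, newSize));
    }
    block.base = base;
    block.payload = payload;
    block.size = newSize;
    return true;
}

void destroy(LargeBlock& block) {
    std::free(block.base);  // never free(payload): it may be 8 bytes into the allocation
    block = LargeBlock{nullptr, nullptr, 0};
}

// Fills a block with a pattern, grows it several times and checks that alignment
// and contents survive every step. Returns true on success.
bool demoGrowPreservesPayload() {
    LargeBlock block;
    if (!tryCreate(block, 100) || !isAligned(block.payload)) return false;
    unsigned char* p = static_cast<unsigned char*>(block.payload);
    for (size_t i = 0; i < 100; ++i) p[i] = static_cast<unsigned char>(i * 7);
    for (size_t newSize : {1000, 70000, 3000000}) {
        if (!tryReallocate(block, newSize) || !isAligned(block.payload)) { destroy(block); return false; }
        p = static_cast<unsigned char*>(block.payload);
        for (size_t i = 0; i < 100; ++i)
            if (p[i] != static_cast<unsigned char>(i * 7)) { destroy(block); return false; }
    }
    destroy(block);
    return true;
}
```

The memmove branch is the part that is easy to get wrong: if the adjustment flip is ignored, the contents silently shift by 8 bytes after a move, and if the payload pointer is handed to realloc or free instead of the base, the allocator is given an address it never returned.
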
3635 2019-03-31  Sam Weinig  <weinig@apple.com>
3636
3637         Remove more i386 specific configurations
3638         https://bugs.webkit.org/show_bug.cgi?id=196430
3639
3640         Reviewed by Alexey Proskuryakov.
3641
3642         * Configurations/FeatureDefines.xcconfig:
3643         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
3644
3645         * Configurations/ToolExecutable.xcconfig:
3646         ARC can be enabled unconditionally now.
3647
3648 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
3649
3650         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
3651         https://bugs.webkit.org/show_bug.cgi?id=196392
3652
3653         Reviewed by Saam Barati.
3654
3655         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very simple program shows 10KB memory consumption due to
3656         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. We can unregister itself
3657         from the map when it is deallocated without using Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
3658         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
3659         wrapper map holds itself.
3660
3661         1. We do not use Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And unregister
3662            JSValue from this map when JSValue is deallocated.
3663         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep JSValueRef and JSValue relationship. We can achieve it because JSValue
3664            holds JSValueRef inside it.
3665
3666         * API/JSContext.mm:
3667         (-[JSContext removeWrapper:]):
3668         * API/JSContextInternal.h:
3669         * API/JSValue.mm:
3670         (-[JSValue dealloc]):
3671         (-[JSValue initWithValue:inContext:]):
3672         * API/JSWrapperMap.h:
3673         * API/JSWrapperMap.mm:
3674         (WrapperKey::hashTableDeletedValue):
3675         (WrapperKey::WrapperKey):
3676         (WrapperKey::isHashTableDeletedValue const):
3677         (WrapperKey::Hash::hash):
3678         (WrapperKey::Hash::equal):
3679         (WrapperKey::Traits::isEmptyValue):
3680         (WrapperKey::Translator::hash):
3681         (WrapperKey::Translator::equal):
3682         (WrapperKey::Translator::translate):
3683         (-[JSWrapperMap initWithGlobalContextRef:]):
3684         (-[JSWrapperMap dealloc]):
3685         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
3686         (-[JSWrapperMap removeWrapper:]):
3687         * API/tests/testapi.mm:
3688         (testObjectiveCAPIMain):
3689
3690 2019-03-29  Robin Morisset  <rmorisset@apple.com>
3691
3692         B3ReduceStrength should know that Mul distributes over Add and Sub
3693         https://bugs.webkit.org/show_bug.cgi?id=196325
3694
3695         Reviewed by Michael Saboff.
3696
3697         In this patch I add the following patterns to B3ReduceStrength:
3698         - Turn this: Integer Neg(Mul(value, c))
3699           Into this: Mul(value, -c), as long as -c does not overflow
3700         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
3701           Into this: Neg(Mul(value, otherValue))
3702         - For Op==Add or Sub, turn any of these:
3703              Op(Mul(x1, x2), Mul(x1, x3))
3704              Op(Mul(x2, x1), Mul(x1, x3))
3705              Op(Mul(x1, x2), Mul(x3, x1))
3706              Op(Mul(x2, x1), Mul(x3, x1))
3707           Into this: Mul(x1, Op(x2, x3))
3708
3709         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
3710         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
3711
3712         * b3/B3ReduceStrength.cpp:
3713         * b3/testb3.cpp:
3714         (JSC::B3::testAddMulMulArgs):
3715         (JSC::B3::testMulArgNegArg):
3716         (JSC::B3::testMulNegArgArg):
3717         (JSC::B3::testNegMulArgImm):
3718         (JSC::B3::testSubMulMulArgs):
3719         (JSC::B3::run):
3720
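The reductions listed in the entry above, as an added example that is not JSC code: a bottom-up rewrite over an invented expression IR with the three rules (Neg of Mul by a constant, Mul by a Neg, and Add/Sub of two Muls sharing an operand in any of the four orders). "Same x1" is pointer identity, which is what a CSE'd graph gives; constants are assumed to sit on the right operand of Mul, as B3 canonicalizes them; names and structure are assumptions for this example.

```cpp
// Added example (not JSC code): Neg/Mul and distributivity reductions on an
// invented expression IR. Names and structure are assumptions for this example.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <map>
#include <memory>
#include <string>
#include <vector>

enum class Op { Const, Arg, Add, Sub, Mul, Neg };

struct Value {
    Op op;
    int64_t constant;
    std::string name;
    std::vector<Value*> kids;
    Value(Op o, int64_t c, std::string n, std::vector<Value*> k)
        : op(o), constant(c), name(std::move(n)), kids(std::move(k)) { }
};

struct Graph {
    std::vector<std::unique_ptr<Value>> pool;
    Value* make(Op op, int64_t c, std::string n, std::vector<Value*> k) {
        pool.push_back(std::unique_ptr<Value>(new Value(op, c, std::move(n), std::move(k))));
        return pool.back().get();
    }
    Value* constant(int64_t c) { return make(Op::Const, c, "", {}); }
    Value* arg(const std::string& n) { return make(Op::Arg, 0, n, {}); }
    Value* neg(Value* a) { return make(Op::Neg, 0, "", {a}); }
    Value* bin(Op op, Value* a, Value* b) { return make(op, 0, "", {a, b}); }
};

// Neg(Mul(value, c)) -> Mul(value, -c), as long as -c does not overflow.
static Value* reduceNeg(Graph& g, Value* v) {
    Value* m = v->kids[0];
    if (m->op == Op::Mul && m->kids[1]->op == Op::Const) {
        int64_t c = m->kids[1]->constant;
        if (c != std::numeric_limits<int64_t>::min())  // -INT64_MIN is not representable
            return g.bin(Op::Mul, m->kids[0], g.constant(-c));
    }
    return v;
}

// Mul(value, Neg(other)) and Mul(Neg(value), other) -> Neg(Mul(value, other)),
// then give the Neg rule a chance at the result.
static Value* reduceMulNeg(Graph& g, Value* v) {
    Value* a = v->kids[0];
    Value* b = v->kids[1];
    if (b->op == Op::Neg) return reduceNeg(g, g.neg(g.bin(Op::Mul, a, b->kids[0])));
    if (a->op == Op::Neg) return reduceNeg(g, g.neg(g.bin(Op::Mul, a->kids[0], b)));
    return v;
}

// Op(Mul(x1, x2), Mul(x1, x3)) in any of the four operand orders -> Mul(x1, Op(x2, x3)).
static Value* reduceDistributive(Graph& g, Value* v) {
    Value* l = v->kids[0];
    Value* r = v->kids[1];
    if (l->op != Op::Mul || r->op != Op::Mul) return v;
    for (int i = 0; i < 2; ++i) {
        for (int j = 0; j < 2; ++j) {
            if (l->kids[i] == r->kids[j])
                return g.bin(Op::Mul, l->kids[i], g.bin(v->op, l->kids[1 - i], r->kids[1 - j]));
        }
    }
    return v;
}

// Reduces children first so that patterns exposed by inner rewrites are seen.
Value* reduce(Graph& g, Value* v) {
    for (Value*& k : v->kids) k = reduce(g, k);
    switch (v->op) {
    case Op::Neg: return reduceNeg(g, v);
    case Op::Mul: return reduceMulNeg(g, v);
    case Op::Add:
    case Op::Sub: return reduceDistributive(g, v);
    default: return v;
    }
}

int64_t eval(const Value* v, const std::map<std::string, int64_t>& env) {
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg: return env.at(v->name);
    case Op::Neg: return -eval(v->kids[0], env);
    case Op::Add: return eval(v->kids[0], env) + eval(v->kids[1], env);
    case Op::Sub: return eval(v->kids[0], env) - eval(v->kids[1], env);
    default: return eval(v->kids[0], env) * eval(v->kids[1], env);
    }
}

size_t countOp(const Value* v, Op op) {
    size_t n = v->op == op ? 1 : 0;
    for (const Value* k : v->kids) n += countOp(k, op);
    return n;
}
```

Each rewrite is checked for preserving the value of the expression; the INT64_MIN case shows the overflow guard leaving Neg(Mul(a, INT64_MIN)) untouched.
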
3721 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
3722
3723         [JSC] Remove distancing for LargeAllocation
3724         https://bugs.webkit.org/show_bug.cgi?id=196335
3725
3726         Reviewed by Saam Barati.
3727
3728         In r230226, we removed distancing feature from our GC. This patch removes remaining distancing thing in LargeAllocation.
3729
3730         * heap/HeapCell.h:
3731         * heap/LargeAllocation.cpp:
3732         (JSC::LargeAllocation::tryCreate):
3733         * heap/MarkedBlock.h:
3734
3735 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
3736
3737         Delete WebMetal implementation in favor of WebGPU
3738         https://bugs.webkit.org/show_bug.cgi?id=195418
3739
3740         Reviewed by Dean Jackson.
3741
3742         * Configurations/FeatureDefines.xcconfig:
3743         * inspector/protocol/Canvas.json:
3744         * inspector/scripts/codegen/generator.py:
3745
3746 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
3747
3748         Assertion failed in JSC::createError
3749         https://bugs.webkit.org/show_bug.cgi?id=196305
3750         <rdar://problem/49387382>
3751
3752         Reviewed by Saam Barati.
3753
3754         JSC::createError assumes that `errorDescriptionForValue` will either
3755         throw an exception or return a valid description string. However, that
3756         is not true if the value is a rope string and we successfully resolve it,
3757         but later fail to wrap the string in quotes with `tryMakeString`.
3758
3759         * runtime/ExceptionHelpers.cpp:
3760         (JSC::createError):
3761
3762 2019-03-29  Devin Rousso  <drousso@apple.com>
3763
3764         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
3765         https://bugs.webkit.org/show_bug.cgi?id=196382
3766         <rdar://problem/49403417>
3767
3768         Reviewed by Joseph Pecoraro.
3769
3770         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
3771         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
3772         developer extras are enabled.
3773
3774         * inspector/agents/InspectorConsoleAgent.cpp:
3775         (Inspector::InspectorConsoleAgent::startTiming):
3776         (Inspector::InspectorConsoleAgent::stopTiming):
3777         (Inspector::InspectorConsoleAgent::count):
3778         (Inspector::InspectorConsoleAgent::addConsoleMessage):
3779
3780 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
3781
3782         Implement ResizeObserver.
3783         https://bugs.webkit.org/show_bug.cgi?id=157743
3784
3785         Reviewed by Simon Fraser.
3786
3787         Add ENABLE_RESIZE_OBSERVER.
3788
3789         * Configurations/FeatureDefines.xcconfig:
3790
3791 2019-03-28  Michael Saboff  <msaboff@apple.com>
3792
3793         [YARR] Precompute BMP / non-BMP status when constructing character classes
3794         https://bugs.webkit.org/show_bug.cgi?id=196296
3795
3796         Reviewed by Keith Miller.
3797
3798         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
3799         indicates if the class includes characters from either BMP, non-BMP or both ranges.
3800         This allows the recognizing code to eliminate checks for the width of a matched
3801         characters when the class has only one width.  The character width is needed to
3802         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
3803         classes that contain either all BMP or all non-BMP characters allows the parser to
3804         use fixed widths for terms using those character classes.  Changed both the code gen
3805         scripts and Yarr compiler to compute this bit field during the construction of
3806         character classes.
3807
3808         For JIT'ed code of character classes that contain either all BMP or all non-BMP
3809         characters, we can eliminate the generic check we were doing to compute how much
3810         to advance after successfully matching a character in the class.
3811
3812                 Generic isBMP check      BMP only            non-BMP only
3813                 --------------           --------------      --------------
3814                 inc %r9d                 inc %r9d            add $0x2, %r9d
3815                 cmp $0x10000, %eax
3816                 jl isBMP
3817                 cmp %edx, %esi
3818                 jz atEndOfString
3819                 inc %r9d
3820                 inc %esi
3821          isBMP:
3822
3823         For character classes that contained non-BMP characters, we were always generating
3824         the code in the left column.  The middle column is the code we generate for character
3825         classes that contain only BMP characters.  The right column is the code we now
3826         generate if the character class has only non-BMP characters.  In the fixed width cases,
3827         we can eliminate both the isBMP check as well as the atEndOfString check.  The
3828         atEndOfString check is eliminated since we know how many characters this character
3829         class requires and that check can be factored out to the beginning of the current
3830         alternative.  For character classes that contain both BMP and non-BMP characters,
3831         we still generate the generic left column.
3832
3833         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
3834         as a whole.
3835
3836         * runtime/RegExp.cpp:
3837         (JSC::RegExp::matchCompareWithInterpreter):
3838         * runtime/RegExpInlines.h:
3839         (JSC::RegExp::matchInline):
3840         * yarr/YarrInterpreter.cpp:
3841         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
3842         (JSC::Yarr::Interpreter::matchCharacterClass):
3843         * yarr/YarrJIT.cpp:
3844         (JSC::Yarr::YarrGenerator::optimizeAlternative):
3845         (JSC::Yarr::YarrGenerator::matchCharacterClass):
3846         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
3847         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
3848         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
3849         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
3850         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3851         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
3852         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
3853         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3854         (JSC::Yarr::YarrGenerator::generateEnter):
3855         (JSC::Yarr::YarrGenerator::YarrGenerator):
3856         (JSC::Yarr::YarrGenerator::compile):
3857         * yarr/YarrPattern.cpp:
3858         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
3859         (JSC::Yarr::CharacterClassConstructor::reset):
3860         (JSC::Yarr::CharacterClassConstructor::charClass):
3861         (JSC