CodeCache should check that the UnlinkedCodeBlock was successfully created before...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
        https://bugs.webkit.org/show_bug.cgi?id=196880

        Reviewed by Yusuke Suzuki.

        CodeCache should not tell the SourceProvider to cache the bytecode if it failed
        to create the UnlinkedCodeBlock.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):

2019-04-12  Saam barati  <sbarati@apple.com>

        r244079 logically broke shouldSpeculateInt52
        https://bugs.webkit.org/show_bug.cgi?id=196884

        Reviewed by Yusuke Suzuki.

        In r244079, I changed shouldSpeculateInt52 to only return true
        when the prediction is isAnyInt52Speculation(). However, it was
        wrong not to include SpecInt32 in this for two reasons:

        1. We diligently write code that first checks if we should speculate Int32.
        For example:
        if (shouldSpeculateInt32()) ...
        else if (shouldSpeculateInt52()) ...

        It would be wrong not to fall back to Int52 if we're dealing with the union of
        Int32 and Int52.

        It would be a performance mistake to not include Int32 here because
        data flow can easily tell us that we have variables that are the union
        of Int32 and Int52 values. It's better to speculate Int52 than Double
        in that situation.

        2. We also write code where we ask if the inputs can be Int52, e.g., if
        we know via profiling that an Add overflows, we may not emit an Int32 add.
        However, we only emit such an add if both inputs can be Int52, and Int32
        can trivially become Int52.

        This patch recovers the 0.5-1% regression r244079 caused on JetStream 2.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrInt52Speculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt52):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):

2019-04-12  Saam barati  <sbarati@apple.com>

        Unreviewed. Build fix after r244233.

        * assembler/CPU.cpp:

2019-04-12  Saam barati  <sbarati@apple.com>

        Sometimes we need to use fewer CPUs in our threading calculations
        https://bugs.webkit.org/show_bug.cgi?id=196794
        <rdar://problem/49389497>

        Reviewed by Yusuke Suzuki.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/CPU.cpp: Added.
        (JSC::isKernTCSMAvailable):
        (JSC::enableKernTCSM):
        (JSC::kernTCSMAwareNumberOfProcessorCores):
        * assembler/CPU.h:
        (JSC::isKernTCSMAvailable):
        (JSC::enableKernTCSM):
        (JSC::kernTCSMAwareNumberOfProcessorCores):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        (JSC::computePriorityDeltaOfWorkerThreads):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::Worklist):

2019-04-12  Robin Morisset  <rmorisset@apple.com>

        Use padding at end of ArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=196823

        Reviewed by Filip Pizlo.

        * runtime/ArrayBuffer.h:

2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] op_has_indexed_property should not assume subscript part is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196850

        Reviewed by Saam Barati.

        op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
        the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
        In this patch, instead, we check it with isAnyInt and get uint32_t from AnyInt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

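The representation point made in the op_has_indexed_property entry above, as an added example that is not WebKit's code: a constructed two-representation value type stands in for a JIT register that may carry the same logical integer either as an Int32 or as a double. The unchecked reader mirrors the removed assumption and returns whatever sits in the Int32 slot; the checked reader first asks whether a double-represented subscript is an integer (an assumed approximation of JSC's isAnyInt is included) and range-checks it before narrowing to uint32_t, reporting rejection so a caller can fall back to the generic property path. The Value struct, isAnyInt approximation and all function names are this example's own assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>

// Constructed stand-in for a JIT register value that may carry the same logical integer in either
// representation. Names and layout are this example's own, not JSC's JSValue.
struct Value {
    enum class Rep { Int32, Double };
    Rep rep;
    int32_t i32;
    double d;
    static Value fromInt32(int32_t v) { Value r; r.rep = Rep::Int32; r.i32 = v; r.d = 0.0; return r; }
    static Value fromDouble(double v) { Value r; r.rep = Rep::Double; r.i32 = 0; r.d = v; return r; }
};

// Assumed approximation of JSC's isAnyInt: a finite, integral double inside the 52-bit range
// [-2^51, 2^51) that Int52 can hold.
bool isAnyInt(double d)
{
    static const double kTwoTo51 = 2251799813685248.0;
    return std::isfinite(d) && std::trunc(d) == d && d >= -kTwoTo51 && d < kTwoTo51;
}

// The assumption the patch removed: read the Int32 payload without looking at the representation.
// For a double-represented value this returns whatever happens to be in the Int32 slot.
int32_t subscriptAssumingInt32(const Value& v)
{
    return v.i32;
}

// The patched approach: accept an Int32 directly; accept a double only after isAnyInt says it is an
// integer, then range-check before narrowing to uint32_t. Returns false when the caller should
// treat the subscript as a generic property key instead of an array index.
bool subscriptAsUint32(const Value& v, uint32_t& out)
{
    if (v.rep == Value::Rep::Int32) {
        if (v.i32 < 0)
            return false;
        out = static_cast<uint32_t>(v.i32);
        return true;
    }
    if (!isAnyInt(v.d))
        return false;
    int64_t asInt = static_cast<int64_t>(v.d); // exact: isAnyInt guarantees an integral value in range
    if (asInt < 0 || asInt > static_cast<int64_t>(UINT32_MAX))
        return false;
    out = static_cast<uint32_t>(asInt);
    return true;
}

// Convenience for callers that want a single answer: the index, or -1 when rejected.
int64_t checkedSubscript(const Value& v)
{
    uint32_t index = 0;
    return subscriptAsUint32(v, index) ? static_cast<int64_t>(index) : -1;
}

int main()
{
    std::cout << "double 7.0, checked: " << checkedSubscript(Value::fromDouble(7.0)) << "\n";
    std::cout << "double 7.0, unchecked Int32 read: " << subscriptAssumingInt32(Value::fromDouble(7.0)) << "\n";
    std::cout << "double 7.5, checked: " << checkedSubscript(Value::fromDouble(7.5)) << "\n";
    return 0;
}
```

The checked path deliberately separates "is this an integer at all" from "does it fit the index type", because a double can be integral and still exceed uint32_t; collapsing the two checks into a single cast is exactly the kind of shortcut the entry warns against.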
2019-04-11  Saam barati  <sbarati@apple.com>

        Remove invalid assertion in operationInstanceOfCustom
        https://bugs.webkit.org/show_bug.cgi?id=196842
        <rdar://problem/49725493>

        Reviewed by Michael Saboff.

        In the generated JIT code, we go to the slow path when the incoming function
        isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
        in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
        functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
        inlining across global objects as exec->lexicalGlobalObject() uses the machine
        frame for procuring the global object. There is no harm when this assertion fails
        as we just execute the slow path. This patch removes the assertion. (However, this
        does shed light on the deficiency in our exec->lexicalGlobalObject() function with
        respect to inlining. However, this isn't new -- we've known about this for a while.)

        * jit/JITOperations.cpp:

2019-04-11  Michael Saboff  <msaboff@apple.com>

        Improve the Inline Cache Stats code
        https://bugs.webkit.org/show_bug.cgi?id=196836

        Reviewed by Saam Barati.

        Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
        and InstanceOfReplaceWithJump.

        Added the ability to log the location of a GetBy and PutBy property as either on self or up the
        protocol chain.

        * jit/ICStats.cpp:
        (JSC::ICEvent::operator< const):
        (JSC::ICEvent::dump const):
        * jit/ICStats.h:
        (JSC::ICEvent::ICEvent):
        (JSC::ICEvent::hash const):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryCacheInByID):

2019-04-11  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-11  Saam barati  <sbarati@apple.com>

        Rename SetArgument to SetArgumentDefinitely
        https://bugs.webkit.org/show_bug.cgi?id=196828

        Reviewed by Yusuke Suzuki.

        This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
        where we will introduce a node named SetArgumentMaybe. Doing this refactoring
        first will make reviewing that other patch easier.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2019-04-11  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r244158.

        Caused 8 inspector/timeline/ test failures.

        Reverted changeset:

        "Web Inspector: Timelines: can't reliably stop/start a
        recording"
        https://bugs.webkit.org/show_bug.cgi?id=196778
        https://trac.webkit.org/changeset/244158

2019-04-10  Saam Barati  <sbarati@apple.com>

        AbstractValue::validateOSREntryValue is wrong for Int52 constants
        https://bugs.webkit.org/show_bug.cgi?id=196801
        <rdar://problem/49771122>

        Reviewed by Yusuke Suzuki.

        validateOSREntryValue should not care about the format of the incoming
        value for Int52s. This patch normalizes the format of m_value and
        the incoming value when comparing them.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateOSREntryValue const):

2019-04-10  Saam Barati  <sbarati@apple.com>

        ArithSub over Int52 has shouldCheckOverflow as always true
        https://bugs.webkit.org/show_bug.cgi?id=196796

        Reviewed by Yusuke Suzuki.

        AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
        shouldCheckOverflow is always true, so !shouldCheckOverflow is always
        false. We shouldn't check something we assert against.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Specify byte order clearly on Remote Inspector Protocol
        https://bugs.webkit.org/show_bug.cgi?id=196790

        Reviewed by Ross Kirsling.

        The original implementation lacks a byte order specification. Network byte order is a
        good candidate if there's no strong reason to choose another.
        Currently no client exists for the PlayStation remote inspector protocol, so we can
        change the byte order without care.

        * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
        (Inspector::MessageParser::createMessage):
        (Inspector::MessageParser::parse):

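The byte-order point in the PlayStation Remote Inspector entry above, as an added example that is not WebKit's code: a constructed length-prefixed framing in which the 4-byte length is always emitted most-significant byte first (network byte order) and reassembled the same way with shifts, so the host endianness of sender and receiver drops out of the protocol. The parser also refuses a length above an assumed cap before it trusts that length for anything, and keeps an incomplete trailing frame for the next read. The frame layout, the size cap and every function name here are this example's own assumptions, not the PlayStation MessageParser's.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Assumed framing for this example: a 4-byte network-byte-order (big-endian) length, then the payload.
static const uint32_t kMaxMessageSize = 1u << 20; // assumed upper bound on one frame (1 MiB)

// Serialize a payload; the length is written most-significant byte first regardless of host endianness.
std::vector<uint8_t> createMessage(const std::string& payload)
{
    std::vector<uint8_t> out;
    uint32_t length = static_cast<uint32_t>(payload.size());
    out.push_back(static_cast<uint8_t>(length >> 24));
    out.push_back(static_cast<uint8_t>(length >> 16));
    out.push_back(static_cast<uint8_t>(length >> 8));
    out.push_back(static_cast<uint8_t>(length));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

enum class ParseStatus { Ok, NeedMoreData, Malformed };

// Consume every complete frame in `buffer`, appending payloads to `messages`; leftover bytes stay in `buffer`.
ParseStatus parseMessages(std::vector<uint8_t>& buffer, std::vector<std::string>& messages)
{
    size_t offset = 0;
    while (buffer.size() - offset >= 4) {
        // Reassemble the length from network byte order with shifts, never by copying raw bytes into a uint32_t.
        uint32_t length = (static_cast<uint32_t>(buffer[offset]) << 24)
            | (static_cast<uint32_t>(buffer[offset + 1]) << 16)
            | (static_cast<uint32_t>(buffer[offset + 2]) << 8)
            | static_cast<uint32_t>(buffer[offset + 3]);
        if (length > kMaxMessageSize)
            return ParseStatus::Malformed; // reject before the length is used for any allocation
        if (buffer.size() - offset - 4 < length)
            break; // header complete, body not yet: wait for more bytes
        messages.emplace_back(buffer.begin() + offset + 4, buffer.begin() + offset + 4 + length);
        offset += 4 + length;
    }
    buffer.erase(buffer.begin(), buffer.begin() + offset);
    return buffer.empty() ? ParseStatus::Ok : ParseStatus::NeedMoreData;
}

// Constructed scenario: two complete frames followed by a truncated third one arriving in a single read.
bool framingSelfCheck()
{
    std::vector<uint8_t> stream = createMessage("hello");
    std::vector<uint8_t> empty = createMessage("");
    stream.insert(stream.end(), empty.begin(), empty.end());
    std::vector<uint8_t> third = createMessage("partial");
    stream.insert(stream.end(), third.begin(), third.begin() + 6); // header plus two payload bytes
    std::vector<std::string> messages;
    ParseStatus status = parseMessages(stream, messages);
    return status == ParseStatus::NeedMoreData && messages.size() == 2
        && messages[0] == "hello" && messages[1].empty() && stream.size() == 6;
}

// A length field of 0xFFFFFFFF must be rejected rather than used to size a buffer.
bool oversizedLengthRejected()
{
    std::vector<uint8_t> bad = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 };
    std::vector<std::string> messages;
    return parseMessages(bad, messages) == ParseStatus::Malformed && messages.empty();
}

int main()
{
    std::cout << (framingSelfCheck() && oversizedLengthRejected() ? "ok" : "FAILED") << "\n";
    return 0;
}
```

Spelling the byte order out in code (shifts on both sides) rather than relying on the host's in-memory layout is what makes the wire format a specification: two peers built for different architectures agree on every frame, and the cap on the length field keeps a malformed or hostile header from driving an allocation.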
2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Inspector: lazily create the agent
        https://bugs.webkit.org/show_bug.cgi?id=195971
        <rdar://problem/49039645>

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        (Inspector::JSGlobalObjectInspectorController::createLazyAgents):

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:

2019-04-10  Saam Barati  <sbarati@apple.com>

        Work around an arm64_32 LLVM miscompile bug
        https://bugs.webkit.org/show_bug.cgi?id=196788

        Reviewed by Yusuke Suzuki.

        * runtime/CachedTypes.cpp:

2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, fix watch build after r244143
        https://bugs.webkit.org/show_bug.cgi?id=195000

        The result of `lseek` should be `off_t` rather than `int`.

        * jsc.cpp:

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Add support for incremental bytecode cache updates
        https://bugs.webkit.org/show_bug.cgi?id=195000

        Reviewed by Filip Pizlo.

        Add support for incremental updates to the bytecode cache. The cache
        is constructed as follows:
        - When the cache is empty, the initial payload can be added to the BytecodeCache
        by calling BytecodeCache::addGlobalUpdate. This represents the encoded
        top-level UnlinkedCodeBlock.
        - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
        The update is applied by appending the encoded UnlinkedFunctionCodeBlock
        to the existing cache and updating the CachedFunctionExecutableMetadata
        and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.

        * API/JSScript.mm:
        (-[JSScript readCache]):
        (-[JSScript isUsingBytecodeCache]):
        (-[JSScript init]):
        (-[JSScript cachedBytecode]):
        (-[JSScript writeCache:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h:
        * API/JSScriptSourceProvider.mm:
        (JSScriptSourceProvider::cachedBytecode const):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * jsc.cpp:
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode const):
        (ShellSourceProvider::ShellSourceProvider):
        (ShellSourceProvider::cacheEnabled):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cachedBytecode const):
        (JSC::SourceProvider::updateCache const):
        (JSC::SourceProvider::commitCachedBytecode const):
        * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::makeMappedPayload):
        (JSC::CachePayload::makeMallocPayload):
        (JSC::CachePayload::makeEmptyPayload):
        (JSC::CachePayload::CachePayload):
        (JSC::CachePayload::~CachePayload):
        (JSC::CachePayload::operator=):
        (JSC::CachePayload::freeData):
        * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::data const):
        (JSC::CachePayload::size const):
        (JSC::CachePayload::CachePayload):
        * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CacheUpdate::CacheUpdate):
        (JSC::CacheUpdate::operator=):
        (JSC::CacheUpdate::isGlobal const):
        (JSC::CacheUpdate::asGlobal const):
        (JSC::CacheUpdate::asFunction const):
        * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        * runtime/CachedBytecode.cpp: Added.
        (JSC::CachedBytecode::addGlobalUpdate):
        (JSC::CachedBytecode::addFunctionUpdate):
        (JSC::CachedBytecode::copyLeafExecutables):
        (JSC::CachedBytecode::commitUpdates const):
        * runtime/CachedBytecode.h: Added.
        (JSC::CachedBytecode::create):
        (JSC::CachedBytecode::leafExecutables):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::hasUpdates const):
        (JSC::CachedBytecode::sizeForUpdate const):
        (JSC::CachedBytecode::CachedBytecode):
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::addLeafExecutable):
        (JSC::Encoder::release):
        (JSC::Decoder::Decoder):
        (JSC::Decoder::create):
        (JSC::Decoder::size const):
        (JSC::Decoder::offsetOf):
        (JSC::Decoder::ptrForOffsetFromBase):
        (JSC::Decoder::addLeafExecutable):
        (JSC::VariableLengthObject::VariableLengthObject):
        (JSC::VariableLengthObject::buffer const):
        (JSC::CachedPtrOffsets::offsetOffset):
        (JSC::CachedWriteBarrierOffsets::ptrOffset):
        (JSC::CachedFunctionExecutable::features const):
        (JSC::CachedFunctionExecutable::hasCapturedVariables const):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
        (JSC::CachedFunctionExecutableOffsets::metadataOffset):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::encodeCodeBlock):
        (JSC::encodeFunctionCodeBlock):
        (JSC::decodeCodeBlockImpl):
        (JSC::isCachedBytecodeStillValid):
        * runtime/CachedTypes.h:
        (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
        (JSC::decodeCodeBlock):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::updateCache):
        (JSC::CodeCache::write):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        * runtime/Completion.cpp:
        (JSC::generateProgramBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::operator+ const):
        * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::LeafExecutable):
        (JSC::LeafExecutable::base const):

2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r243989.

        Broke i686 builds

        Reverted changeset:

        "[CMake] Detect SSE2 at compile time"
        https://bugs.webkit.org/show_bug.cgi?id=196488
        https://trac.webkit.org/changeset/243989

2019-04-10  Robin Morisset  <rmorisset@apple.com>

        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
        https://bugs.webkit.org/show_bug.cgi?id=196746

        Reviewed by Yusuke Suzuki.

        It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.

        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):

2019-04-10  Antoine Quint  <graouts@apple.com>

        Enable Pointer Events on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=196771
        <rdar://problem/49040909>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-04-09  Keith Rollin  <krollin@apple.com>

        Unreviewed build maintenance -- update .xcfilelists.

        * DerivedSources-input.xcfilelist:

2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>

        JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
        https://bugs.webkit.org/show_bug.cgi?id=193073

        Reviewed by Keith Miller.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOpImpl):
        (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitEqualityOp):
        Factor out the logic that uses the template parameter and keep it in the header.

        * jit/JITPropertyAccess.cpp:
        List off the template specializations needed by JITOperations.cpp.
        This is unfortunate but at least there are only two (x2) by definition?
        Trying to do away with this incurs a severe domino effect...

        * API/JSValueRef.cpp:
        * b3/B3OptimizeAssociativeExpressionTrees.cpp:
        * b3/air/AirHandleCalleeSaves.cpp:
        * builtins/BuiltinNames.cpp:
        * bytecode/AccessCase.cpp:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeRewriter.cpp:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/InstanceOfAccessCase.cpp:
        * bytecode/MetadataTable.cpp:
        * bytecode/PolyProtoAccessChain.cpp:
        * bytecode/StructureSet.cpp:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGPureValue.cpp:
        * heap/GCSegmentedArray.h:
        * heap/HeapInlines.h:
        * heap/IsoSubspace.cpp:
        * heap/LocalAllocator.cpp:
        * heap/LocalAllocator.h:
        * heap/LocalAllocatorInlines.h:
        * heap/MarkingConstraintSolver.cpp:
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::isEqual const):
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/StackVisitor.cpp:
        * llint/LLIntEntrypoint.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/BigIntPrototype.cpp:
        * runtime/CachedTypes.cpp:
        * runtime/ErrorType.cpp:
        * runtime/IndexingType.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/Operations.h:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpGlobalData.cpp:
        * runtime/StackFrame.h:
        * wasm/WasmSignature.cpp:
        * wasm/js/JSToWasm.cpp:
        * wasm/js/JSToWasmICCallee.cpp:
        * wasm/js/WebAssemblyFunction.h:
        Fix includes / forward declarations (and a couple of nearby clang warnings).

2019-04-09  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Apple builds should use ICU_INCLUDE_DIRS
        https://bugs.webkit.org/show_bug.cgi?id=196720

        Reviewed by Konstantin Tokarev.

        * PlatformMac.cmake:

2019-04-09  Saam barati  <sbarati@apple.com>

        Clean up Int52 code and some bugs in it
        https://bugs.webkit.org/show_bug.cgi?id=196639
        <rdar://problem/49515757>

        Reviewed by Yusuke Suzuki.

        This patch fixes bugs in our Int52 code. The primary change in this patch is
        adopting a segregated type lattice for Int52. Previously, for Int52 values,
        we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
        SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
        that the value is outside of the int32 range.

        However, this got confusing because we reused SpecInt32Only both for JSValue
        representations and Int52 representations. This actually led to some bugs.

        1. It's possible that roundtripping through Int52 representation would say
        it produces the wrong type. For example, consider this program and how we
        used to annotate types in AI:
        a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
        b: Int52Rep(@a) => m_type is SpecInt52Only
        c: ValueRep(@b) => m_type is SpecAnyIntAsDouble

        In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
        However, the execution semantics are such that it'd actually produce a boxed
        Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
        would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
        mean an int value in either int32 or int52 range.

        2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
        accepted Int52 values. It was wrong in two different ways:
        a: If the AbstractValue's type was SpecInt52Only, and the incoming value
        was a boxed double, but represented a value in int32 range, the incoming
        value would incorrectly validate as being acceptable. However, we should
        have rejected this value.
        b: If the AbstractValue's type was SpecInt32Only, and the incoming value
        was an Int32 boxed in a double, this would not validate, even though
        it should have validated.

        Solving 2 was easiest if we segregated out the Int52 type into its own
        lattice. This patch makes a new Int52 lattice, which is composed of
        SpecInt32AsInt52 and SpecNonInt32AsInt52.

        The conversion rules are now really simple.

        Int52 rep => JSValue rep
        SpecInt32AsInt52 => SpecInt32Only
        SpecNonInt32AsInt52 => SpecAnyIntAsDouble

        JSValue rep => Int52 rep
        SpecInt32Only => SpecInt32AsInt52
        SpecAnyIntAsDouble => SpecInt52Any

        With these rules, the program in (1) will now correctly report that @c
        returns SpecInt32Only | SpecAnyIntAsDouble.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::int52AwareSpeculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isAnyInt52Speculation):
        (JSC::isIntAnyFormat):
        (JSC::isInt52Speculation): Deleted.
        (JSC::isAnyIntSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isInt52Any const):
        (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupArithMul):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt52):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt52):
        (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):

738 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
739
740         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
741         https://bugs.webkit.org/show_bug.cgi?id=196708
742         <rdar://problem/49556803>
743
744         Reviewed by Yusuke Suzuki.
745
746         `operationPutToScope` needs to return early if an exception is thrown while
747         checking if `hasProperty`.
748
749         * jit/JITOperations.cpp:
750
751 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
752
753         [JSC] DFG should respect node's strict flag
754         https://bugs.webkit.org/show_bug.cgi?id=196617
755
756         Reviewed by Saam Barati.
757
758         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
759         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
760         in DFG and FTL to get the right isStrictMode flag for the DFG node.
761         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing the inlined
762         callframe in the operation function, and (2) it is aligned with the other functions like operationPutByValDirectNonStrict etc.
763         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
764
765         * dfg/DFGAbstractInterpreterInlines.h:
766         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
767         * dfg/DFGConstantFoldingPhase.cpp:
768         (JSC::DFG::ConstantFoldingPhase::foldConstants):
769         * dfg/DFGFixupPhase.cpp:
770         (JSC::DFG::FixupPhase::fixupToThis):
771         * dfg/DFGOperations.cpp:
772         * dfg/DFGOperations.h:
773         * dfg/DFGPredictionPropagationPhase.cpp:
774         * dfg/DFGSpeculativeJIT.cpp:
775         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
776         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
777         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
778         (JSC::DFG::SpeculativeJIT::compileToThis):
779         * dfg/DFGSpeculativeJIT32_64.cpp:
780         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
781         (JSC::DFG::SpeculativeJIT::compile):
782         * dfg/DFGSpeculativeJIT64.cpp:
783         (JSC::DFG::SpeculativeJIT::compile):
784         * ftl/FTLLowerDFGToB3.cpp:
785         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
786         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
787
788 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
789
790         [CMake][WinCairo] Separate copied headers into different directories
791         https://bugs.webkit.org/show_bug.cgi?id=196655
792
793         Reviewed by Michael Catanzaro.
794
795         * CMakeLists.txt:
796         * shell/PlatformWin.cmake:
797
798 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
799
800         [JSC] isRope jump in StringSlice should not jump over register allocations
801         https://bugs.webkit.org/show_bug.cgi?id=196716
802
803         Reviewed by Saam Barati.
804
805         Jumping over the register allocation code in DFG (like the following) is wrong.
806
807             auto jump = m_jit.branchXXX();
808             {
809                 GPRTemporary reg(this);
810                 GPRReg regGPR = reg.gpr();
811                 ...
812             }
813             jump.link(&m_jit);
814
815         When GPRTemporary::gpr allocates a new register, it can flush the previous register value to the stack and make the register usable.
816         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
817         DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
818         In this patch, we perform register allocations before jumping to the slow path based on the `isRope` condition in StringSlice.
819
820         * dfg/DFGSpeculativeJIT.cpp:
821         (JSC::DFG::SpeculativeJIT::compileStringSlice):
822
823 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
824
825         [JSC] to_index_string should not assume incoming value is Uint32
826         https://bugs.webkit.org/show_bug.cgi?id=196713
827
828         Reviewed by Saam Barati.
829
830         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
831         this assumption since DFG may decide we should have it in double format. This patch removes this
832         assumption, and instead, we should assume that the incoming value is AnyInt and that its range
833         is within Uint32.
834
835         * runtime/CommonSlowPaths.cpp:
836         (JSC::SLOW_PATH_DECL):
837
838 2019-04-08  Justin Fan  <justin_fan@apple.com>
839
840         [Web GPU] Fix Web GPU experimental feature on iOS
841         https://bugs.webkit.org/show_bug.cgi?id=196632
842
843         Reviewed by Myles C. Maxfield.
844
845         Properly make Web GPU available on iOS 11+.
846
847         * Configurations/FeatureDefines.xcconfig:
848         * Configurations/WebKitTargetConditionals.xcconfig:
849
850 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
851
852         -f[no-]var-tracking-assignments is GCC-only
853         https://bugs.webkit.org/show_bug.cgi?id=196699
854
855         Reviewed by Don Olmstead.
856
857         * CMakeLists.txt:
858         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
859         and said problem evidently no longer occurs as of GCC 9.
860
861 2019-04-08  Saam Barati  <sbarati@apple.com>
862
863         WebAssembly.RuntimeError missing exception check
864         https://bugs.webkit.org/show_bug.cgi?id=196700
865         <rdar://problem/49693932>
866
867         Reviewed by Yusuke Suzuki.
868
869         * wasm/js/JSWebAssemblyRuntimeError.h:
870         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
871         (JSC::constructJSWebAssemblyRuntimeError):
872
873 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
874
875         Unreviewed, rolling in r243948 with test fix
876         https://bugs.webkit.org/show_bug.cgi?id=196486
877
878         * parser/ASTBuilder.h:
879         (JSC::ASTBuilder::createString):
880         * parser/Lexer.cpp:
881         (JSC::Lexer<T>::parseMultilineComment):
882         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
883         (JSC::Lexer<T>::lex): Deleted.
884         * parser/Lexer.h:
885         (JSC::Lexer::hasLineTerminatorBeforeToken const):
886         (JSC::Lexer::setHasLineTerminatorBeforeToken):
887         (JSC::Lexer<T>::lex):
888         (JSC::Lexer::prevTerminator const): Deleted.
889         (JSC::Lexer::setTerminator): Deleted.
890         * parser/Parser.cpp:
891         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
892         (JSC::Parser<LexerType>::parseSingleFunction):
893         (JSC::Parser<LexerType>::parseStatementListItem):
894         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
895         (JSC::Parser<LexerType>::parseFunctionInfo):
896         (JSC::Parser<LexerType>::parseClass):
897         (JSC::Parser<LexerType>::parseExportDeclaration):
898         (JSC::Parser<LexerType>::parseAssignmentExpression):
899         (JSC::Parser<LexerType>::parseYieldExpression):
900         (JSC::Parser<LexerType>::parseProperty):
901         (JSC::Parser<LexerType>::parsePrimaryExpression):
902         (JSC::Parser<LexerType>::parseMemberExpression):
903         * parser/Parser.h:
904         (JSC::Parser::nextWithoutClearingLineTerminator):
905         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
906         (JSC::Parser::internalSaveLexerState):
907         (JSC::Parser::restoreLexerState):
908
909 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
910
911         Unreviewed, rolling out r243948.
912
913         Caused inspector/runtime/parse.html to fail
914
915         Reverted changeset:
916
917         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
918         https://bugs.webkit.org/show_bug.cgi?id=196486
919         https://trac.webkit.org/changeset/243948
920
921 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
922
923         Unreviewed, rolling out r243943.
924
925         Caused test262 failures.
926
927         Reverted changeset:
928
929         "[JSC] Filter DontEnum properties in
930         ProxyObject::getOwnPropertyNames()"
931         https://bugs.webkit.org/show_bug.cgi?id=176810
932         https://trac.webkit.org/changeset/243943
933
934 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
935
936         [JSC] Partially fix the build with unified builds disabled
937         https://bugs.webkit.org/show_bug.cgi?id=196647
938
939         Reviewed by Konstantin Tokarev.
940
941         If you disable unified builds you find all kinds of build
942         errors. This partially tries to fix them but there's a lot
943         more.
944
945         * API/JSBaseInternal.h:
946         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
947         * b3/air/AirHandleCalleeSaves.h:
948         * bytecode/ExecutableToCodeBlockEdge.cpp:
949         * bytecode/ExitFlag.h:
950         * bytecode/ICStatusUtils.h:
951         * bytecode/UnlinkedMetadataTable.h:
952         * dfg/DFGPureValue.h:
953         * heap/IsoAlignedMemoryAllocator.cpp:
954         * heap/IsoAlignedMemoryAllocator.h:
955
956 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
957
958         Enable DFG on MIPS
959         https://bugs.webkit.org/show_bug.cgi?id=196689
960
961         Reviewed by Žan Doberšek.
962
963         Since the bytecode change, we enabled the baseline JIT on mips in
964         r240432, but DFG is still missing. With this change, all tests are
965         passing on a ci20 board.
966
967         * jit/RegisterSet.cpp:
968         (JSC::RegisterSet::calleeSaveRegisters):
969         Added s0, which is used in llint.
970
971 2019-04-08  Xan Lopez  <xan@igalia.com>
972
973         [CMake] Detect SSE2 at compile time
974         https://bugs.webkit.org/show_bug.cgi?id=196488
975
976         Reviewed by Carlos Garcia Campos.
977
978         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
979         incorrect) static_assert.
980
981 2019-04-07  Michael Saboff  <msaboff@apple.com>
982
983         REGRESSION (r243642): Crash in reddit.com page
984         https://bugs.webkit.org/show_bug.cgi?id=196684
985
986         Reviewed by Geoffrey Garen.
987
988         In r243642, the code that saves and restores the count for non-greedy character classes
989         was inadvertently put inside an if statement.  This code should be generated for all
990         non-greedy character classes.
991
992         * yarr/YarrJIT.cpp:
993         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
994         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
995
996 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
997
998         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
999         https://bugs.webkit.org/show_bug.cgi?id=196683
1000
1001         Reviewed by Saam Barati.
1002
1003         In r243626, we stopped repatching CallLinkInfo when the CallLinkInfo is held by a jettisoned CodeBlock.
1004         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
1005         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
1006         can still be live.
1007
1008         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
1009         other repatching operations in CallLinkInfo are implemented on the Repatch.cpp side.
1010
1011         * bytecode/CallLinkInfo.cpp:
1012         (JSC::CallLinkInfo::setCallee):
1013         (JSC::CallLinkInfo::clearCallee):
1014         * jit/Repatch.cpp:
1015         (JSC::linkFor):
1016         (JSC::revertCall):
1017
1018 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1019
1020         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
1021         https://bugs.webkit.org/show_bug.cgi?id=196582
1022
1023         Reviewed by Saam Barati.
1024
1025         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when the overflow flag is set.
1026         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
1027         handles the A + B = A and A + B = B cases. But it misses the A + A = A case (here, A and B are GPRRegs). Our recovery code
1028         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
1029
1030         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
1031         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
1032
1033         We also found that the FTL recovery code is dead. We remove it in this patch.
1034
1035         * dfg/DFGOSRExit.cpp:
1036         (JSC::DFG::OSRExit::executeOSRExit):
1037         (JSC::DFG::OSRExit::compileExit):
1038         * dfg/DFGOSRExit.h:
1039         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
1040         * dfg/DFGSpeculativeJIT.cpp:
1041         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1042         * ftl/FTLExitValue.cpp:
1043         (JSC::FTL::ExitValue::dataFormat const):
1044         (JSC::FTL::ExitValue::dumpInContext const):
1045         * ftl/FTLExitValue.h:
1046         (JSC::FTL::ExitValue::isArgument const):
1047         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
1048         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
1049         (JSC::FTL::ExitValue::recovery): Deleted.
1050         (JSC::FTL::ExitValue::isRecovery const): Deleted.
1051         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
1052         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
1053         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
1054         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
1055         * ftl/FTLLowerDFGToB3.cpp:
1056         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1057         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
1058         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
1059         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
1060         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
1061         * ftl/FTLOSRExitCompiler.cpp:
1062         (JSC::FTL::compileRecovery):
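
The overflow recovery described in the entry above, as an added example that is not JavaScriptCore code: JS int32 operators (`| 0`, `>>`, `^`) stand in for 32-bit registers, the function names are hypothetical, and the formula is the `((int32_t)value >> 1) ^ 0x80000000` quoted in the entry. It also checks the A + A = A recovery over a constructed spread of int32 values, not only the one case the text names.

```javascript
"use strict";
// Added example, not JavaScriptCore code: models the speculative ArithAdd
// overflow recovery from the ChangeLog entry above. JS int32 operators
// stand in for 32-bit machine registers; all names are hypothetical.

// The speculative add: the wrapped int32 result left in the destination
// register plus the overflow flag the JIT branches on to reach OSR exit.
function speculativeAdd(a, b) {
  const exact = a + b;          // exact for int32 inputs (fits in a double)
  const wrapped = exact | 0;    // two's-complement wrap of a 32-bit add
  return { wrapped, overflowed: wrapped !== exact };
}

// Recovery for A + B = A or A + B = B: the surviving operand is subtracted
// from the destination to rebuild the clobbered one.
function recoverDistinctOperands(dest, survivingOperand) {
  return (dest - survivingOperand) | 0;
}

// Recovery for A + A = A: the single register holds the wrapped 2*A, so the
// subtraction above yields 0. Because the add overflowed, bit 31 of the
// truncated value is the complement of A's sign bit, and bit 0 is zero
// (2*A is even). An arithmetic shift right by one sign-extends that wrong
// bit 31; flipping it with 0x80000000 restores A exactly.
function recoverSameOperand(dest) {
  return (dest >> 1) ^ 0x80000000;
}

// Walk one A + A through the overflow exit and both recovery strategies.
// Returns null when the add did not overflow (no exit, no recovery).
function demonstrate(a) {
  const { wrapped, overflowed } = speculativeAdd(a, a);
  if (!overflowed) return null;
  return {
    wrapped,
    wrongRecovery: recoverDistinctOperands(wrapped, wrapped), // always 0
    rightRecovery: recoverSameOperand(wrapped),
  };
}

// Int32 values around the overflow boundaries plus a deterministic spread,
// constructed here for the check below.
function sampleInt32s() {
  const edges = [0x7fffffff, 0x7ffffffe, 0x40000000, 0x3fffffff,
                 -0x40000000, -0x40000001, -0x7fffffff, -0x80000000];
  let x = 12345;
  for (let i = 0; i < 2000; i++) {
    x = (Math.imul(x, 1103515245) + 12345) | 0;   // LCG, wraps to int32
    edges.push(x);
  }
  return edges;
}

// True when every overflowing A + A in the sample set is recovered exactly
// by recoverSameOperand (non-overflowing values never reach recovery).
function recoveryHolds(samples = sampleInt32s()) {
  return samples.every((a) => {
    const r = demonstrate(a);
    return r === null || r.rightRecovery === a;
  });
}
```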
1063
1064 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
1065
1066         Unreviewed, rolling out r243665.
1067
1068         Caused iOS JSC tests to exit with an exception.
1069
1070         Reverted changeset:
1071
1072         "Assertion failed in JSC::createError"
1073         https://bugs.webkit.org/show_bug.cgi?id=196305
1074         https://trac.webkit.org/changeset/243665
1075
1076 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1077
1078         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
1079         https://bugs.webkit.org/show_bug.cgi?id=196486
1080
1081         Reviewed by Saam Barati.
1082
1083         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
1084         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
1085         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
1086
1087         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
1088
1089                 arrow => expr
1090                 "string!"
1091
1092         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
1093         since SyntaxChecker may not have interest in the string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
1094         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
1095
1096         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext, which will re-lex
1097         the current token under the current context (which may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
1098         We leverage the existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
1099
1100         And we also fix a bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
1101         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
1102
1103         * parser/ASTBuilder.h:
1104         (JSC::ASTBuilder::createString):
1105         * parser/Lexer.cpp:
1106         (JSC::Lexer<T>::parseMultilineComment):
1107         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): The EOF token should also record offset information. This offset information is correctly handled in Lexer::setOffset too.
1108         (JSC::Lexer<T>::lex): Deleted.
1109         * parser/Lexer.h:
1110         (JSC::Lexer::hasLineTerminatorBeforeToken const):
1111         (JSC::Lexer::setHasLineTerminatorBeforeToken):
1112         (JSC::Lexer<T>::lex):
1113         (JSC::Lexer::prevTerminator const): Deleted.
1114         (JSC::Lexer::setTerminator): Deleted.
1115         * parser/Parser.cpp:
1116         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1117         (JSC::Parser<LexerType>::parseSingleFunction):
1118         (JSC::Parser<LexerType>::parseStatementListItem):
1119         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1120         (JSC::Parser<LexerType>::parseFunctionInfo):
1121         (JSC::Parser<LexerType>::parseClass):
1122         (JSC::Parser<LexerType>::parseExportDeclaration):
1123         (JSC::Parser<LexerType>::parseAssignmentExpression):
1124         (JSC::Parser<LexerType>::parseYieldExpression):
1125         (JSC::Parser<LexerType>::parseProperty):
1126         (JSC::Parser<LexerType>::parsePrimaryExpression):
1127         (JSC::Parser<LexerType>::parseMemberExpression):
1128         * parser/Parser.h:
1129         (JSC::Parser::nextWithoutClearingLineTerminator):
1130         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
1131         (JSC::Parser::internalSaveLexerState):
1132         (JSC::Parser::restoreLexerState):
1133
1134 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1135
1136         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1137         https://bugs.webkit.org/show_bug.cgi?id=176810
1138
1139         Reviewed by Saam Barati.
1140
1141         This adds conditional logic following the invariant checks, to perform
1142         filtering in common uses of getOwnPropertyNames.
1143
1144         While this would ideally only be done in JSPropertyNameEnumerator, adding
1145         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1146         invariant that the EnumerationMode is properly followed.
1147
1148         * runtime/PropertyNameArray.h:
1149         (JSC::PropertyNameArray::reset):
1150         * runtime/ProxyObject.cpp:
1151         (JSC::ProxyObject::performGetOwnPropertyNames):
1152
1153 2019-04-05  Commit Queue  <commit-queue@webkit.org>
1154
1155         Unreviewed, rolling out r243833.
1156         https://bugs.webkit.org/show_bug.cgi?id=196645
1157
1158         This change breaks build of WPE and GTK ports (Requested by
1159         annulen on #webkit).
1160
1161         Reverted changeset:
1162
1163         "[CMake][WTF] Mirror XCode header directories"
1164         https://bugs.webkit.org/show_bug.cgi?id=191662
1165         https://trac.webkit.org/changeset/243833
1166
1167 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1168
1169         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
1170         https://bugs.webkit.org/show_bug.cgi?id=185211
1171
1172         Reviewed by Saam Barati.
1173
1174         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
1175
1176         This involves tracking duplicate keys returned from the ownKeys trap in yet
1177         another HashTable, and may incur a minor performance penalty in some cases. This
1178         is not expected to significantly affect web performance.
1179
1180         * runtime/ProxyObject.cpp:
1181         (JSC::ProxyObject::performGetOwnPropertyNames):
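
The observable behaviour behind the two ProxyObject::performGetOwnPropertyNames entries above (DontEnum filtering in getOwnPropertyNames, and the throw on duplicate ownKeys results), as an added example that is not WebKit code: targets and handlers are constructed here and the function names are hypothetical.

```javascript
"use strict";
// Added example, not WebKit code: what a conforming engine must expose for
// the two Proxy enumeration cases in the ChangeLog entries above.

// Case 1: an ownKeys trap that returns duplicate keys. The normative change
// (tc39/ecma262 PR 833) requires a TypeError; without it a hostile handler
// could make enumeration visit, copy or spread the same key twice.
function ownKeysWithDuplicates() {
  const target = { a: 1, b: 2 };            // constructed target
  const proxy = new Proxy(target, {
    ownKeys() { return ["a", "b", "a"]; }   // "a" reported twice
  });
  try {
    Reflect.ownKeys(proxy);
    return "no-error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Case 2: keys whose descriptor (via the getOwnPropertyDescriptor trap) is
// non-enumerable must be filtered out of enumeration-only views such as
// Object.keys and for-in, yet still appear in Object.getOwnPropertyNames.
function enumerableFiltering() {
  const target = {};                        // constructed target
  Object.defineProperty(target, "hidden", {
    value: 1, enumerable: false, configurable: true
  });
  target.shown = 2;
  const proxy = new Proxy(target, {
    ownKeys(t) { return Reflect.ownKeys(t); },
    getOwnPropertyDescriptor(t, key) {
      return Reflect.getOwnPropertyDescriptor(t, key);
    }
  });
  const forIn = [];
  for (const k in proxy) forIn.push(k);
  return {
    keys: Object.keys(proxy),                  // enumerable only
    names: Object.getOwnPropertyNames(proxy),  // all string keys
    forIn                                      // enumerable only
  };
}
```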
1182
1183 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1184
1185         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1186         https://bugs.webkit.org/show_bug.cgi?id=196631
1187
1188         Reviewed by Saam Barati.
1189
1190         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
1191         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform a
1192         toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
1193
1194         * JavaScriptCore.xcodeproj/project.pbxproj:
1195         * Sources.txt:
1196         * interpreter/CallFrameInlines.h:
1197         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1198         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
1199         (JSC::DoublePredictionFuzzerAgent::getPrediction):
1200         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1201         * runtime/JSGlobalObject.cpp:
1202         (JSC::makeBoundFunction):
1203         * runtime/Options.h:
1204         * runtime/VM.cpp:
1205         (JSC::VM::VM):
1206
1207 2019-04-04  Robin Morisset  <rmorisset@apple.com>
1208
1209         B3ReduceStrength should know that Mul distributes over Add and Sub
1210         https://bugs.webkit.org/show_bug.cgi?id=196325
1211         <rdar://problem/49441650>
1212
1213         Reviewed by Saam Barati.
1214
1215         Fix some obviously wrong code that was due to an accidental copy-paste.
1216         It made the entire optimization dead code that never ran.
1217
1218         * b3/B3ReduceStrength.cpp:
1219
1220 2019-04-04  Saam Barati  <sbarati@apple.com>
1221
1222         Unreviewed, build fix for CLoop after r243886
1223
1224         * interpreter/Interpreter.cpp:
1225         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1226         * interpreter/StackVisitor.cpp:
1227         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1228         * interpreter/StackVisitor.h:
1229
1230 2019-04-04  Commit Queue  <commit-queue@webkit.org>
1231
1232         Unreviewed, rolling out r243898.
1233         https://bugs.webkit.org/show_bug.cgi?id=196624
1234
1235         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
1236         does not work well (Requested by yusukesuzuki on #webkit).
1237
1238         Reverted changeset:
1239
1240         "Unreviewed, build fix for CLoop and Windows after r243886"
1241         https://bugs.webkit.org/show_bug.cgi?id=196387
1242         https://trac.webkit.org/changeset/243898
1243
1244 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1245
1246         Unreviewed, build fix for CLoop and Windows after r243886
1247         https://bugs.webkit.org/show_bug.cgi?id=196387
1248
1249         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
1250
1251         * interpreter/StackVisitor.cpp:
1252         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1253         * interpreter/StackVisitor.h:
1254
1255 2019-04-04  Saam barati  <sbarati@apple.com>
1256
1257         Teach Call ICs how to call Wasm
1258         https://bugs.webkit.org/show_bug.cgi?id=196387
1259
1260         Reviewed by Filip Pizlo.
1261
1262         This patch teaches JS to call Wasm without going through the native thunk.
1263         Currently, we emit a JIT "JS" callee stub which marshals arguments from
1264         JS to Wasm. Like the native version of this, this thunk is responsible
1265         for saving and restoring the VM's current Wasm context. Instead of emitting
1266         an exception handler, we also teach the unwinder how to read the previous
1267         wasm context to restore it as it unwinds past this frame.
1268         
1269         This patch is straightforward, and leaves some areas for perf improvement:
1270         - We can teach the DFG/FTL to directly use the Wasm calling convention when
1271           it knows it's calling a single Wasm function. This way we don't shuffle
1272           registers to the stack and then back into registers.
1273         - We bail out to the slow path for mismatched arity. I opened a bug to
1274           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
1275         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
1276           We should teach this thunk how to do that conversion directly.
1277         
1278         This patch also refactors the code to explicitly have a single pinned size register.
1279         We used to pretend in some places that we could have more than one pinned size register.
1280         However, there was other code that just asserted the size was one. This patch just rips
1281         out this code since we never moved to having more than one pinned size register. Doing
1282         this refactoring cleans up the various places where we set up the size register.
1283         
1284         This patch is a 50-60% progression on JetStream 2's richards-wasm.
1285
1286         * JavaScriptCore.xcodeproj/project.pbxproj:
1287         * Sources.txt:
1288         * assembler/MacroAssemblerCodeRef.h:
1289         (JSC::MacroAssemblerCodeRef::operator=):
1290         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1291         * interpreter/Interpreter.cpp:
1292         (JSC::UnwindFunctor::operator() const):
1293         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1294         * interpreter/StackVisitor.cpp:
1295         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1296         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1297         * interpreter/StackVisitor.h:
1298         * jit/JITOperations.cpp:
1299         * jit/RegisterSet.cpp:
1300         (JSC::RegisterSet::runtimeTagRegisters):
1301         (JSC::RegisterSet::specialRegisters):
1302         (JSC::RegisterSet::runtimeRegisters): Deleted.
1303         * jit/RegisterSet.h:
1304         * jit/Repatch.cpp:
1305         (JSC::linkPolymorphicCall):
1306         * runtime/JSFunction.cpp:
1307         (JSC::getCalculatedDisplayName):
1308         * runtime/JSGlobalObject.cpp:
1309         (JSC::JSGlobalObject::init):
1310         (JSC::JSGlobalObject::visitChildren):
1311         * runtime/JSGlobalObject.h:
1312         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1313         * runtime/VM.cpp:
1314         (JSC::VM::VM):
1315         * runtime/VM.h:
1316         * wasm/WasmAirIRGenerator.cpp:
1317         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1318         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1319         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1320         * wasm/WasmB3IRGenerator.cpp:
1321         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1322         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1323         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1324         * wasm/WasmBinding.cpp:
1325         (JSC::Wasm::wasmToWasm):
1326         * wasm/WasmContext.h:
1327         (JSC::Wasm::Context::pointerToInstance):
1328         * wasm/WasmContextInlines.h:
1329         (JSC::Wasm::Context::store):
1330         * wasm/WasmMemoryInformation.cpp:
1331         (JSC::Wasm::getPinnedRegisters):
1332         (JSC::Wasm::PinnedRegisterInfo::get):
1333         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1334         * wasm/WasmMemoryInformation.h:
1335         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1336         * wasm/WasmOMGPlan.cpp:
1337         (JSC::Wasm::OMGPlan::work):
1338         * wasm/js/JSToWasm.cpp:
1339         (JSC::Wasm::createJSToWasmWrapper):
1340         * wasm/js/JSToWasmICCallee.cpp: Added.
1341         (JSC::JSToWasmICCallee::create):
1342         (JSC::JSToWasmICCallee::createStructure):
1343         (JSC::JSToWasmICCallee::visitChildren):
1344         * wasm/js/JSToWasmICCallee.h: Added.
1345         (JSC::JSToWasmICCallee::function):
1346         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1347         * wasm/js/WebAssemblyFunction.cpp:
1348         (JSC::WebAssemblyFunction::useTagRegisters const):
1349         (JSC::WebAssemblyFunction::calleeSaves const):
1350         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1351         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1352         (JSC::WebAssemblyFunction::previousInstance):
1353         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1354         (JSC::WebAssemblyFunction::visitChildren):
1355         (JSC::WebAssemblyFunction::destroy):
1356         * wasm/js/WebAssemblyFunction.h:
1357         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1358         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1359         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1360         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1361         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1362         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1363         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1364         * wasm/js/WebAssemblyPrototype.h:
1365
1366 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1367
1368         [JSC] Pass CodeOrigin to FuzzerAgent
1369         https://bugs.webkit.org/show_bug.cgi?id=196590
1370
1371         Reviewed by Saam Barati.
1372
1373         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1374         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1375         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1376
1377         * dfg/DFGByteCodeParser.cpp:
1378         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1379         * runtime/FuzzerAgent.cpp:
1380         (JSC::FuzzerAgent::getPrediction):
1381         * runtime/FuzzerAgent.h:
1382         * runtime/RandomizingFuzzerAgent.cpp:
1383         (JSC::RandomizingFuzzerAgent::getPrediction):
1384         * runtime/RandomizingFuzzerAgent.h:
1385
1386 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1387
1388         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1389         https://bugs.webkit.org/show_bug.cgi?id=194944
1390
1391         Reviewed by Keith Miller.
1392
1393         Based on profile data collected on JetStream2, Speedometer 2 and
1394         other benchmarks, it is very rare to have a non-empty
1395         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1396
1397         - Data collected from Speedometer2
1398             Total number of UnlinkedFunctionExecutable: 39463
1399             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1400
1401         - Data collected from JetStream2
1402             Total number of UnlinkedFunctionExecutable: 83715
1403             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1404
1405         We also collected numbers on 6 of the top 10 Alexa sites.
1406
1407         - Data collected from youtube.com
1408             Total number of UnlinkedFunctionExecutable: 29599
1409             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1410
1411         - Data collected from twitter.com
1412             Total number of UnlinkedFunctionExecutable: 23774
1413             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1414
1415         - Data collected from google.com
1416             Total number of UnlinkedFunctionExecutable: 33209
1417             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1418
1419         - Data collected from amazon.com:
1420             Total number of UnlinkedFunctionExecutable: 15182
1421             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1422
1423         - Data collected from facebook.com:
1424             Total number of UnlinkedFunctionExecutable: 54443
1425             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1426
1427         - Data collected from netflix.com:
1428             Total number of UnlinkedFunctionExecutable: 39266
1429             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1430
1431         Considering such numbers, this patch moves `m_parentScopeTDZVariables`
1432         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1433         16 bytes. With this change, UnlinkedFunctionExecutable constructors now
1434         receive an `Optional<VariableEnvironmentMap::Handle>` and only store
1435         it when `value != WTF::nullopt`. We also changed
1436         UnlinkedFunctionExecutable::parentScopeTDZVariables() so that it returns
1437         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1438         or the VariableEnvironmentMap::Handle is uninitialized. This is required
1439         because RareData is instantiated when any of its fields is stored, and
1440         we can have an uninitialized `Handle` even in cases where parentScopeTDZVariables
1441         is `WTF::nullopt`.
1442
1443         Results on memory usage on JetStream2 are neutral.
1444
1445             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1446             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1447
1448         * builtins/BuiltinExecutables.cpp:
1449         (JSC::BuiltinExecutables::createExecutable):
1450         * bytecode/UnlinkedFunctionExecutable.cpp:
1451         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1452         * bytecode/UnlinkedFunctionExecutable.h:
1453         * bytecompiler/BytecodeGenerator.cpp:
1454         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1455
1456         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1457         is empty, so we can properly return `WTF::nullopt` without the
1458         reconstruction of a VariableEnvironment to check if it is empty.
1459
1460         * bytecompiler/BytecodeGenerator.h:
1461         (JSC::BytecodeGenerator::makeFunction):
1462         * parser/VariableEnvironment.h:
1463         (JSC::VariableEnvironment::isEmpty const):
1464         * runtime/CachedTypes.cpp:
1465         (JSC::CachedCompactVariableMapHandle::decode const):
1466
1467         It returns an uninitialized Handle when there is no
1468         CompactVariableEnvironment. This can happen when RareData is ensured
1469         because of another field.
1470
1471         (JSC::CachedFunctionExecutableRareData::encode):
1472         (JSC::CachedFunctionExecutableRareData::decode const):
1473         (JSC::CachedFunctionExecutable::encode):
1474         (JSC::CachedFunctionExecutable::decode const):
1475         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1476         * runtime/CodeCache.cpp:
1477
1478         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1479         WTF::nullopt.
1480
1481         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1482
1483 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1484
1485         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1486         https://bugs.webkit.org/show_bug.cgi?id=196409
1487
1488         Reviewed by Saam Barati.
1489
1490         Some of the helpers in jsc.cpp, such as `functionRunString`, were still
1491         using `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1492         and therefore does not write the bytecode cache to disk.
1493
1494         Changing that revealed a bug in the bytecode cache. The Encoder keeps a mapping
1495         of pointers to offsets of already cached objects, in order to avoid caching
1496         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1497         to pointers, in order to avoid creating multiple objects in memory for the
1498         same cached object. The following was happening:
1499         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1500         an entry in the Encoder mapping that S has already been encoded at O.
1501         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1502         We find an entry in the Encoder mapping for S, and return the offset O. However,
1503         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1504
1505         3) When decoding, there are 2 possibilities:
1506         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1507         this case, everything works as expected since we add an entry in the decoder
1508         mapping from the offset O to the decoded StringImpl* S. The next time we find
1509         S through the uniqued version, we'll return the already decoded S.
1510         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1511         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1512         which has a different shape and we crash.
1513
1514         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1515         same implementation. Since it doesn't matter whether a string is uniqued for
1516         encoding, and we always decode strings as uniqued either way, they can be used
1517         interchangeably.
1518
1519         * jsc.cpp:
1520         (functionRunString):
1521         (functionLoadString):
1522         (functionDollarAgentStart):
1523         (functionCheckModuleSyntax):
1524         (runInteractive):
1525         * runtime/CachedTypes.cpp:
1526         (JSC::CachedUniquedStringImplBase::decode const):
1527         (JSC::CachedFunctionExecutable::rareData const):
1528         (JSC::CachedCodeBlock::rareData const):
1529         (JSC::CachedFunctionExecutable::encode):
1530         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1531         (JSC::CachedUniquedStringImpl::encode): Deleted.
1532         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1533         (JSC::CachedStringImpl::encode): Deleted.
1534         (JSC::CachedStringImpl::decode const): Deleted.
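
The encoder/decoder mismatch this entry describes, replayed as an added C++ example. This is not JSC's CachedTypes code: the `Shape` tags, the byte layout of a record and the `replayUniquedFirst` helper are constructed for illustration. With the dedup map keyed on the pointer alone and two different record layouts, the uniqued reference comes back pointing at a plain record (step 3.2); with one shared layout, as the fix does, the same replay decodes cleanly. The model decoder refuses on a layout mismatch where the real one would misread the record.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>

// Constructed model of the Encoder/Decoder pointer<->offset maps (not JSC's CachedTypes).
// Two record layouts exist for the same StringImpl: a plain one and a "uniqued" one that
// carries one extra byte. Both layouts are hypothetical.
enum class Shape : uint8_t { Plain = 1, Uniqued = 2 };

struct Encoder {
    std::vector<uint8_t> buffer;
    std::map<const void*, size_t> offsets;   // pointer -> offset of the record already written
    bool unifiedShapes;                      // true models the fix: both shapes share one layout
    explicit Encoder(bool unified) : unifiedShapes(unified) {}

    // Writes the record for `s` once and returns its offset. The dedup key is the pointer
    // alone, so a second request with a different Shape gets the first record's offset.
    size_t encodeString(const std::string& s, Shape requested) {
        auto it = offsets.find(&s);
        if (it != offsets.end())
            return it->second;
        Shape written = unifiedShapes ? Shape::Plain : requested;
        size_t offset = buffer.size();
        buffer.push_back(static_cast<uint8_t>(written));
        if (written == Shape::Uniqued)
            buffer.push_back(0xAB);          // hypothetical extra field of the uniqued layout
        uint32_t length = static_cast<uint32_t>(s.size());
        const uint8_t* lengthBytes = reinterpret_cast<const uint8_t*>(&length);
        buffer.insert(buffer.end(), lengthBytes, lengthBytes + sizeof(length));
        buffer.insert(buffer.end(), s.begin(), s.end());
        offsets[&s] = offset;
        return offset;
    }
};

struct Decoder {
    const std::vector<uint8_t>& buffer;
    bool unifiedShapes;

    // Decodes the record at `offset` as layout `expected`. The real decoder trusts the
    // offset and reads the wrong shape; this model refuses on a mismatch instead.
    bool decodeString(size_t offset, Shape expected, std::string& out) const {
        if (offset >= buffer.size())
            return false;
        Shape tag = static_cast<Shape>(buffer[offset]);
        if (!unifiedShapes && tag != expected)
            return false;                    // uniqued reference pointing at a plain record
        size_t pos = offset + 1;
        if (tag == Shape::Uniqued)
            pos += 1;
        if (pos + sizeof(uint32_t) > buffer.size())
            return false;
        uint32_t length;
        std::memcpy(&length, &buffer[pos], sizeof(length));
        pos += sizeof(length);
        if (pos + length > buffer.size())
            return false;
        out.assign(buffer.begin() + pos, buffer.begin() + pos + length);
        return true;
    }
};

// Replays steps 1), 2) and 3.2): S is cached as Plain, then requested as Uniqued (same
// pointer, so the Plain offset comes back), and the Uniqued reference is decoded first.
// Returns whether decoding succeeded.
bool replayUniquedFirst(bool unifiedShapes, std::string& out) {
    std::string S = "hello";                 // constructed sample string
    Encoder encoder(unifiedShapes);
    size_t plainOffset = encoder.encodeString(S, Shape::Plain);
    size_t uniquedOffset = encoder.encodeString(S, Shape::Uniqued);
    if (plainOffset != uniquedOffset)
        return false;                        // the dedup map never distinguishes the shapes
    Decoder decoder{ encoder.buffer, unifiedShapes };
    return decoder.decodeString(uniquedOffset, Shape::Uniqued, out);
}
```

The alternative fix, keying the dedup map on (pointer, layout), would also work but would cache the same string twice; sharing one layout, as the entry does, keeps the dedup and removes the type confusion.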
1535
1536 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1537
1538         UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
1539         https://bugs.webkit.org/show_bug.cgi?id=196396
1540
1541         Reviewed by Saam Barati.
1542
1543         The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
1544         for m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.
1545
1546         * runtime/CachedTypes.cpp:
1547         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1548
1549 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1550
1551         Unreviewed, rolling in r243843 with the build fix
1552         https://bugs.webkit.org/show_bug.cgi?id=196586
1553
1554         * runtime/Options.cpp:
1555         (JSC::recomputeDependentOptions):
1556         * runtime/Options.h:
1557         * runtime/RandomizingFuzzerAgent.cpp:
1558         (JSC::RandomizingFuzzerAgent::getPrediction):
1559
1560 2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>
1561
1562         Unreviewed, rolling out r243843.
1563
1564         Broke CLoop and Windows builds.
1565
1566         Reverted changeset:
1567
1568         "[JSC] Add dump feature for RandomizingFuzzerAgent"
1569         https://bugs.webkit.org/show_bug.cgi?id=196586
1570         https://trac.webkit.org/changeset/243843
1571
1572 2019-04-03  Robin Morisset  <rmorisset@apple.com>
1573
1574         B3 should use associativity to optimize expression trees
1575         https://bugs.webkit.org/show_bug.cgi?id=194081
1576
1577         Reviewed by Filip Pizlo.
1578
1579         This patch adds a new B3 pass that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
1580         The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
1581         I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
1582         inherited from CSE.
1583         This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get 1.16x speedup).
1584         I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.
1585
1586         The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
1587         For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
1588         The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
1589         The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
1590         All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.
1591
1592         This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
1593         It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.
1594
1595         I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.
1596
1597         In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
1598         The latter will require exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.
1599
1600         * JavaScriptCore.xcodeproj/project.pbxproj:
1601         * Sources.txt:
1602         * b3/B3Common.cpp:
1603         (JSC::B3::shouldDumpIR):
1604         (JSC::B3::shouldDumpIRAtEachPhase):
1605         * b3/B3Common.h:
1606         * b3/B3EliminateDeadCode.cpp: Added.
1607         (JSC::B3::EliminateDeadCode::run):
1608         (JSC::B3::eliminateDeadCode):
1609         * b3/B3EliminateDeadCode.h: Added.
1610         (JSC::B3::EliminateDeadCode::EliminateDeadCode):
1611         * b3/B3Generate.cpp:
1612         (JSC::B3::generateToAir):
1613         * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
1614         (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
1615         (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
1616         (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
1617         (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
1618         (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
1619         (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
1620         (JSC::B3::OptimizeAssociativeExpressionTrees::run):
1621         (JSC::B3::optimizeAssociativeExpressionTrees):
1622         * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
1623         * b3/B3ReduceStrength.cpp:
1624         * b3/B3Value.cpp:
1625         (JSC::B3::Value::replaceWithIdentity):
1626         * b3/testb3.cpp:
1627         (JSC::B3::testBitXorTreeArgs):
1628         (JSC::B3::testBitXorTreeArgsEven):
1629         (JSC::B3::testBitXorTreeArgImm):
1630         (JSC::B3::testAddTreeArg32):
1631         (JSC::B3::testMulTreeArg32):
1632         (JSC::B3::testBitAndTreeArg32):
1633         (JSC::B3::testBitOrTreeArg32):
1634         (JSC::B3::run):
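
The tree rewrite the entry describes, as an added C++ example over a toy IR. This is not the B3 API or the B3OptimizeAssociativeExpressionTrees source: `Value`, `Graph`, the opcode set and the sample chain are constructed for illustration. It follows the rules stated above: leaves are nodes with a different opcode or more than one use (so nothing is duplicated), constant leaves are folded, identical leaves are combined (x + x becomes Mul(x, 2), x ^ x cancels), and the remaining terms are laid out as a balanced binary tree.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

// Constructed toy IR standing in for B3 values (not the B3 API): only the opcodes the
// pass needs, with use counts recomputed from the whole graph.
enum class Op { Const, Arg, Add, Mul, BitXor };

struct Value {
    Op op = Op::Const;
    int64_t constant = 0;   // Const
    int argIndex = 0;       // Arg
    Value* left = nullptr;  // binary ops
    Value* right = nullptr;
};

struct Graph {
    std::vector<std::unique_ptr<Value>> values;
    Value* make(Op op) { values.push_back(std::make_unique<Value>()); values.back()->op = op; return values.back().get(); }
    Value* constant(int64_t c) { Value* v = make(Op::Const); v->constant = c; return v; }
    Value* arg(int i) { Value* v = make(Op::Arg); v->argIndex = i; return v; }
    Value* binary(Op op, Value* l, Value* r) { Value* v = make(op); v->left = l; v->right = r; return v; }
    std::map<const Value*, unsigned> useCounts() const {
        std::map<const Value*, unsigned> uses;
        for (const auto& v : values) {
            if (v->left) uses[v->left]++;
            if (v->right) uses[v->right]++;
        }
        return uses;
    }
};

static bool isAssociative(Op op) { return op == Op::Add || op == Op::Mul || op == Op::BitXor; }
static int64_t neutralElement(Op op) { return op == Op::Mul ? 1 : 0; }
static int64_t apply(Op op, int64_t a, int64_t b) {
    switch (op) {
    case Op::Add: return a + b;
    case Op::Mul: return a * b;
    case Op::BitXor: return a ^ b;
    default: return 0;
    }
}

// Descends through single-use nodes of the same opcode; anything else is a leaf.
// Refusing multi-use nodes is what keeps the pass from duplicating code.
static void collectLeaves(Value* v, Op op, bool isRoot, const std::map<const Value*, unsigned>& uses, std::vector<Value*>& leaves) {
    auto it = uses.find(v);
    unsigned useCount = it == uses.end() ? 0 : it->second;
    if (v->op != op || (!isRoot && useCount > 1)) { leaves.push_back(v); return; }
    collectLeaves(v->left, op, false, uses, leaves);
    collectLeaves(v->right, op, false, uses, leaves);
}

// Combines constant and identical leaves, then lays the remaining terms out as a
// balanced binary tree. Returns the new root; a real pass would replace the old root.
Value* optimizeRootedTree(Graph& g, Value* root) {
    Op op = root->op;
    if (!isAssociative(op)) return root;
    std::vector<Value*> leaves;
    collectLeaves(root, op, true, g.useCounts(), leaves);
    int64_t folded = neutralElement(op);
    std::vector<Value*> order;               // distinct non-constant leaves, first-seen order
    std::map<Value*, unsigned> multiplicity;
    for (Value* leaf : leaves) {
        if (leaf->op == Op::Const) folded = apply(op, folded, leaf->constant);
        else if (multiplicity[leaf]++ == 0) order.push_back(leaf);
    }
    std::vector<Value*> terms;
    for (Value* leaf : order) {
        unsigned n = multiplicity[leaf];
        if (n == 1) { terms.push_back(leaf); continue; }
        if (op == Op::Add) terms.push_back(g.binary(Op::Mul, leaf, g.constant(n)));  // x + x + x -> x * 3
        else if (op == Op::BitXor) { if (n % 2) terms.push_back(leaf); }             // pairs cancel out
        else for (unsigned i = 0; i < n; i++) terms.push_back(leaf);                  // Mul: keep every copy
    }
    if (folded != neutralElement(op)) terms.push_back(g.constant(folded));
    if (terms.empty()) return g.constant(neutralElement(op));
    // Balanced layout: pair terms up level by level, so depth grows with log2(leaf count).
    while (terms.size() > 1) {
        std::vector<Value*> next;
        for (size_t i = 0; i + 1 < terms.size(); i += 2) next.push_back(g.binary(op, terms[i], terms[i + 1]));
        if (terms.size() % 2) next.push_back(terms.back());
        terms.swap(next);
    }
    return terms[0];
}

int64_t evaluate(const Value* v, const std::vector<int64_t>& args) {
    if (v->op == Op::Const) return v->constant;
    if (v->op == Op::Arg) return args[v->argIndex];
    return apply(v->op, evaluate(v->left, args), evaluate(v->right, args));
}

int depth(const Value* v) { return v->left ? 1 + std::max(depth(v->left), depth(v->right)) : 0; }

// Constructed input: the left-leaning chain ((((((a + 1) + b) + 2) + c) + 3) + d) + 4.
struct Example { Value* before; Value* after; };
Example buildAndOptimize(Graph& g) {
    Value* chain = g.arg(0);
    int64_t k = 1;
    for (int i = 1; i <= 3; i++) {
        chain = g.binary(Op::Add, chain, g.constant(k++));
        chain = g.binary(Op::Add, chain, g.arg(i));
    }
    chain = g.binary(Op::Add, chain, g.constant(k));
    return { chain, optimizeRootedTree(g, chain) };
}

// Identical leaves cancel in a BitXor tree: (x ^ x) ^ y becomes just y.
Value* xorCancel(Graph& g) {
    Value* x = g.arg(0);
    return optimizeRootedTree(g, g.binary(Op::BitXor, g.binary(Op::BitXor, x, x), g.arg(1)));
}
```

On the sample chain the depth drops from 7 to 3 with the constants folded into a single 10, and the value is unchanged for every argument vector; that shorter critical path is the ILP gain the entry is after.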
1635
1636 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1637
1638         [JSC] Add dump feature for RandomizingFuzzerAgent
1639         https://bugs.webkit.org/show_bug.cgi?id=196586
1640
1641         Reviewed by Saam Barati.
1642
1643         Towards deterministic tests for the results from the randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
1644         The results look like this.
1645
1646             getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
1647             getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)
1648
1649         * runtime/Options.cpp:
1650         (JSC::recomputeDependentOptions):
1651         * runtime/Options.h:
1652         * runtime/RandomizingFuzzerAgent.cpp:
1653         (JSC::RandomizingFuzzerAgent::getPrediction):
1654
1655 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1656
1657         -apple-trailing-word is needed for browser detection
1658         https://bugs.webkit.org/show_bug.cgi?id=196575
1659
1660         Unreviewed.
1661
1662         * Configurations/FeatureDefines.xcconfig:
1663
1664 2019-04-03  Michael Saboff  <msaboff@apple.com>
1665
1666         REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
1667         https://bugs.webkit.org/show_bug.cgi?id=196477
1668
1669         Reviewed by Keith Miller.
1670
1671         The problem here is that when we advance the index by 2 for a character class that only
1672         has non-BMP characters, we might go past the end of the string.  This can happen for
1673         greedy counted character classes that are part of an alternative where there is one
1674         character to match after the greedy non-BMP character class.
1675
1676         The "do we have string left to match" check at the top of the JIT loop for the counted
1677         character class checks to see if index is not equal to the string length.  For non-BMP
1678         character classes, we need to check to see if there are at least 2 characters left.
1679         Therefore we now temporarily add 1 to the current index before comparing.  This checks
1680         to see if there are at least 2 characters left to match, instead of 1.
1681
1682         * yarr/YarrJIT.cpp:
1683         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1684         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
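
The bounds check this entry fixes, as an added C++ example; it is not the YarrJIT code. The character class, the UTF-16 sample string and the `fixedCheck` switch are constructed for illustration, and the model compares `index + 1` against the length where the entry says the JIT temporarily adds 1 to the index. The loop reports where the original check would have loaded a second code unit past the end instead of performing that read.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the greedy loop over a character class containing only non-BMP
// characters (each one is a surrogate pair, two UTF-16 code units). Not the YarrJIT code.
struct GreedyResult {
    size_t matched;        // how many class members were consumed
    bool wouldReadPastEnd; // the loop tried to read a pair that extends beyond the input
};

// Hypothetical class: code points in the Emoticons block.
static bool inNonBMPClass(uint32_t codePoint) { return codePoint >= 0x1F600 && codePoint <= 0x1F64F; }
static bool isHighSurrogate(uint16_t u) { return u >= 0xD800 && u <= 0xDBFF; }
static bool isLowSurrogate(uint16_t u) { return u >= 0xDC00 && u <= 0xDFFF; }

GreedyResult matchGreedyNonBMP(const std::vector<uint16_t>& input, size_t index, bool fixedCheck) {
    GreedyResult result{ 0, false };
    const size_t length = input.size();
    for (;;) {
        // Original check: "index != length" only guarantees one code unit is left.
        // Fixed check: compare index + 1 against length, i.e. require two code units.
        bool haveInput = fixedCheck ? (index + 1 < length) : (index != length);
        if (!haveInput)
            break;
        if (index + 1 >= length) {
            result.wouldReadPastEnd = true;   // the JIT would have loaded input[index + 1] here
            break;
        }
        uint16_t high = input[index], low = input[index + 1];
        if (!isHighSurrogate(high) || !isLowSurrogate(low))
            break;
        uint32_t codePoint = 0x10000 + ((uint32_t(high) - 0xD800) << 10) + (uint32_t(low) - 0xDC00);
        if (!inNonBMPClass(codePoint))
            break;
        index += 2;   // advance by 2 for the non-BMP match
        result.matched++;
    }
    return result;
}

// Constructed input: two U+1F600 (each "\uD83D\uDE00") followed by a single BMP 'x', the
// shape the entry describes: one character left to match after the greedy class.
std::vector<uint16_t> sampleInput() { return { 0xD83D, 0xDE00, 0xD83D, 0xDE00, 0x0078 }; }
```

With the original check the loop passes the guard at index 4 of a 5-unit string and needs input[5]; with the fixed check it stops after the two matches and leaves the 'x' for the rest of the alternative.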
1685
1686 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1687
1688         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
1689         https://bugs.webkit.org/show_bug.cgi?id=196574
1690
1691         Reviewed by Saam Barati.
1692
1693         This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
1694
1695         * dfg/DFGOperations.cpp:
1696
1697 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
1698
1699         [CMake][WTF] Mirror XCode header directories
1700         https://bugs.webkit.org/show_bug.cgi?id=191662
1701
1702         Reviewed by Konstantin Tokarev.
1703
1704         Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
1705         builds.
1706
1707         * CMakeLists.txt:
1708         * shell/CMakeLists.txt:
1709
1710 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
1711
1712         [JSC] Add FuzzerAgent, which has hooks to get feedback & inject fuzz data into JSC
1713         https://bugs.webkit.org/show_bug.cgi?id=196530
1714
1715         Reviewed by Saam Barati.
1716
1717         This patch adds a FuzzerAgent interface and a simple RandomizingFuzzerAgent to JSC.
1718         This RandomizingFuzzerAgent returns a random SpeculatedType for value profiling to find
1719         issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.
1720
1721         I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
1722         they should be fixed in subsequent patches.
1723
1724         * CMakeLists.txt:
1725         * JavaScriptCore.xcodeproj/project.pbxproj:
1726         * Sources.txt:
1727         * dfg/DFGByteCodeParser.cpp:
1728         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1729         * runtime/FuzzerAgent.cpp: Added.
1730         (JSC::FuzzerAgent::~FuzzerAgent):
1731         (JSC::FuzzerAgent::getPrediction):
1732         * runtime/FuzzerAgent.h: Added.
1733         * runtime/JSGlobalObjectFunctions.cpp:
1734         * runtime/Options.h:
1735         * runtime/RandomizingFuzzerAgent.cpp: Added.
1736         (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
1737         (JSC::RandomizingFuzzerAgent::getPrediction):
1738         * runtime/RandomizingFuzzerAgent.h: Added.
1739         * runtime/RegExpCachedResult.h:
1740         * runtime/RegExpGlobalData.cpp:
1741         * runtime/VM.cpp:
1742         (JSC::VM::VM):
1743         * runtime/VM.h:
1744         (JSC::VM::fuzzerAgent const):
1745         (JSC::VM::setFuzzerAgent):
1746
1747 2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>
1748
1749         Remove support for -apple-trailing-word
1750         https://bugs.webkit.org/show_bug.cgi?id=196525
1751
1752         Reviewed by Zalan Bujtas.
1753
1754         This CSS property is nonstandard and not used.
1755
1756         * Configurations/FeatureDefines.xcconfig:
1757
1758 2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>
1759
1760         Web Inspector: Remote Inspector indicate callback should always happen on the main thread
1761         https://bugs.webkit.org/show_bug.cgi?id=196513
1762         <rdar://problem/49498284>
1763
1764         Reviewed by Devin Rousso.
1765
1766         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1767         (Inspector::RemoteInspector::receivedIndicateMessage):
1768         When we have a WebThread, don't just run on the WebThread,
1769         run on the MainThread with the WebThreadLock.
1770
1771 2019-04-02  Michael Saboff  <msaboff@apple.com>
1772
1773         Crash in Options::setOptions() using --configFile option and libgmalloc
1774         https://bugs.webkit.org/show_bug.cgi?id=196506
1775
1776         Reviewed by Keith Miller.
1777
1778         Changed to call CString::data() while making the call to Options::setOptions().  This keeps
1779         the implicit CString temporary alive until after setOptions() returns.
1780
1781         * runtime/ConfigFile.cpp:
1782         (JSC::ConfigFile::parse):
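
The temporary-lifetime rule behind this fix, as an added C++ example. It is not WTF::CString or ConfigFile::parse: `TrackedCString`, `toCString` and `setOptions` are constructed stand-ins, and the live-buffer registry exists only so the example can observe when the temporary dies without dereferencing a dangling pointer (the pointer value is only looked up, never read through, once the object is gone).

```cpp
#include <cstring>
#include <set>
#include <string>

// Constructed model (not WTF::CString): a string whose buffer address is registered while
// the object is alive, so the lifetime of a temporary can be observed safely.
static std::set<const char*>& liveBuffers() { static std::set<const char*> set; return set; }

class TrackedCString {
    std::string m_storage;
public:
    explicit TrackedCString(const std::string& s) : m_storage(s) { liveBuffers().insert(data()); }
    TrackedCString(const TrackedCString& other) : m_storage(other.m_storage) { liveBuffers().insert(data()); }
    ~TrackedCString() { liveBuffers().erase(data()); }
    const char* data() const { return m_storage.c_str(); }
};

// Stands in for the implicit String -> CString conversion that ConfigFile::parse relies on.
static TrackedCString toCString(const std::string& text) { return TrackedCString(text); }

// Only compares the pointer value against the registry; never dereferences it.
static bool isLive(const char* p) { return liveBuffers().count(p) != 0; }

// Stands in for Options::setOptions: it needs the buffer only for the duration of the call.
static bool setOptions(const char* optionsString) {
    return isLive(optionsString) && std::strlen(optionsString) > 0;
}

// The pattern the bug had: the temporary is destroyed at the end of the declaration
// statement, so `p` already dangles when setOptions() runs.
bool parseWithDanglingPointer(const std::string& text) {
    const char* p = toCString(text).data();   // temporary dies here
    return setOptions(p);                     // false: the buffer is no longer registered
}

// The fix: call data() inside the setOptions() call expression, so the temporary lives
// until the full expression, including the call, has completed.
bool parseWithCallScopedTemporary(const std::string& text) {
    return setOptions(toCString(text).data());
}
```

In the real code the dangling read is what libgmalloc turned into a crash; without it the freed buffer often still holds the old bytes, which is why the bug went unnoticed.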
1783
1784 2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>
1785
1786         [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
1787         https://bugs.webkit.org/show_bug.cgi?id=182757
1788
1789         Reviewed by Don Olmstead.
1790
1791         * CMakeLists.txt: Do not use DERIVED_SOURCE_DIRECTORIES parameter
1792         of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
1793         JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.
1794
1795 2019-04-02  Saam barati  <sbarati@apple.com>
1796
1797         Add a ValueRepReduction phase
1798         https://bugs.webkit.org/show_bug.cgi?id=196234
1799
1800         Reviewed by Filip Pizlo.
1801
1802         This patch adds a ValueRepReduction phase. The main idea here is
1803         to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
1804         to just be @x. This patch handles such strength reduction rules
1805         as long as we prove that all users of the ValueRep can be converted
1806         to using the incoming double value. That way we prevent introducing
1807         a parallel live range for the double value.
1808         
1809         This patch tracks the uses of the ValueRep through Phi variables,
1810         so we can convert entire Phi variables to being Double instead
1811         of JSValue if the Phi also has only double uses.
1812         
1813         This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
1814         and OSR exit hints are not counted as escapes. All other uses are counted
1815         as escapes. Connected Phi graphs are converted to being Double only if the
1816         entire graph is ok with the result being Double.
1817         
1818         Some ways we could extend this phase in the future:
1819         - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
1820           that the result of the DoubleRep of @x is not impure NaN. We could
1821           handle this case if we introduced a PurifyNaN node and replace the DoubleRep
1822           with PurifyNaN(@x). Alternatively, we could see if certain users of this
1823           DoubleRep are okay with impure NaN flowing into them and we'd need to ensure
1824           their output type is always treated as if the input is impure NaN.
1825         - We could do sinking of ValueRep where we think it's profitable. So instead
1826           of an escape making it so we never represent the variable as a Double, we
1827           could make the escape reconstruct the JSValueRep where profitable.
1828         - We can extend this phase to handle Int52Rep if it's profitable.
1829         - We can opt other nodes into accepting incoming Doubles so we no longer
1830           treat them as escapes.
1831         
1832         This patch is somewhere between neutral and a 1% progression on JetStream 2.
1833
1834         * JavaScriptCore.xcodeproj/project.pbxproj:
1835         * Sources.txt:
1836         * dfg/DFGPlan.cpp:
1837         (JSC::DFG::Plan::compileInThreadImpl):
1838         * dfg/DFGValueRepReductionPhase.cpp: Added.
1839         (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
1840         (JSC::DFG::ValueRepReductionPhase::run):
1841         (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
1842         (JSC::DFG::performValueRepReduction):
1843         * dfg/DFGValueRepReductionPhase.h: Added.
1844         * runtime/Options.h:
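
The escape analysis this entry describes, as an added C++ example over a toy graph; it is not the DFG API or the ValueRepReductionPhase source. The node kinds, the `Graph` builder and the three sample components are constructed for illustration, and the escape rules are the ones stated above: DoubleRep and OSR exit hints are not escapes, every other use is, and a connected Phi graph is converted only if the whole graph is escape-free. One extra rule is assumed here: a Phi that receives an input which is neither a ValueRep nor another Phi is treated as escaping, since there is no double value to convert it to.

```cpp
#include <map>
#include <memory>
#include <set>
#include <vector>

// Constructed toy DFG fragment (not the DFG API): just enough node kinds to run the
// escape analysis. DoubleSource stands for any node that already produces a Double.
enum class Kind { DoubleSource, ValueRep, Phi, DoubleRep, OsrExitHint, Other };

struct Node {
    int id;
    Kind kind;
    std::vector<Node*> inputs;
    std::vector<Node*> users;
};

struct Graph {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* add(Kind kind, std::vector<Node*> inputs = {}) {
        auto n = std::make_unique<Node>();
        n->id = static_cast<int>(nodes.size());
        n->kind = kind;
        n->inputs = std::move(inputs);
        for (Node* in : n->inputs) in->users.push_back(n.get());
        nodes.push_back(std::move(n));
        return nodes.back().get();
    }
};

// A use is harmless only if it can consume the Double directly.
static bool isNonEscapingUse(const Node* user) { return user->kind == Kind::DoubleRep || user->kind == Kind::OsrExitHint; }

// Returns the ids of ValueRep nodes whose whole connected Phi graph has only non-escaping
// uses and only ValueRep/Phi inputs, so every one of them can become a Double.
std::set<int> convertibleValueReps(const Graph& g) {
    std::set<int> result;
    std::set<const Node*> visited;
    for (const auto& seed : g.nodes) {
        if (seed->kind != Kind::ValueRep || visited.count(seed.get()))
            continue;
        // Flood-fill the component of ValueReps and Phis connected to this seed.
        std::vector<const Node*> component, work{ seed.get() };
        bool escapes = false;
        while (!work.empty()) {
            const Node* n = work.back();
            work.pop_back();
            if (!visited.insert(n).second) continue;
            component.push_back(n);
            for (const Node* user : n->users) {
                if (user->kind == Kind::Phi) work.push_back(user);
                else if (!isNonEscapingUse(user)) escapes = true;   // e.g. a call or a store
            }
            if (n->kind == Kind::Phi) {
                for (const Node* in : n->inputs) {
                    if (in->kind == Kind::ValueRep || in->kind == Kind::Phi) work.push_back(in);
                    else escapes = true;   // assumed rule: a JSValue from elsewhere flows into the Phi
                }
            }
        }
        if (escapes) continue;             // the entire graph must be ok with being Double
        for (const Node* n : component)
            if (n->kind == Kind::ValueRep) result.insert(n->id);
    }
    return result;
}

// Constructed sample: one fully convertible component, one escaping through an Other
// user, and one whose Phi receives a value that no ValueRep produced.
std::set<int> runSample() {
    Graph g;
    Node* x = g.add(Kind::DoubleSource);            // id 0
    Node* y = g.add(Kind::DoubleSource);            // id 1
    Node* vr1 = g.add(Kind::ValueRep, { x });       // id 2
    Node* vr2 = g.add(Kind::ValueRep, { y });       // id 3
    Node* phi = g.add(Kind::Phi, { vr1, vr2 });     // id 4
    g.add(Kind::DoubleRep, { phi });                // id 5
    g.add(Kind::OsrExitHint, { vr1 });              // id 6
    Node* vr3 = g.add(Kind::ValueRep, { x });       // id 7
    g.add(Kind::Other, { vr3 });                    // id 8, escapes
    Node* vr4 = g.add(Kind::ValueRep, { y });       // id 9
    Node* jsv = g.add(Kind::Other);                 // id 10, a JSValue from elsewhere
    Node* phi2 = g.add(Kind::Phi, { vr4, jsv });    // id 11
    g.add(Kind::DoubleRep, { phi2 });               // id 12
    return convertibleValueReps(g);
}
```

Only ids 2 and 3 come back: the DoubleRep over the Phi and the OSR exit hint are the only users, so that whole Phi can be represented as a Double without a parallel JSValue live range.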
1845
1846 2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>
1847
1848         [JSC] JSRunLoopTimer::Manager should be small
1849         https://bugs.webkit.org/show_bug.cgi?id=196425
1850
1851         Reviewed by Darin Adler.
1852
1853         Using a very large Key or Value in a HashMap potentially bloats memory since HashMap pre-allocates a large amount of
1854         memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. We use std::unique_ptr<> for JSRunLoopTimer's
1855         PerVMData to keep HashMap's backing store size small.
1856
1857         * runtime/JSRunLoopTimer.cpp:
1858         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1859         (JSC::JSRunLoopTimer::Manager::registerVM):
1860         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1861         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1862         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1863         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1864         * runtime/JSRunLoopTimer.h:
1865
1866 2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>
1867
1868         [PlayStation] Add initialization for JSC shell for PlayStation port
1869         https://bugs.webkit.org/show_bug.cgi?id=195411
1870
1871         Reviewed by Ross Kirsling.
1872
1873         Add ps options
1874
1875         * shell/PlatformPlayStation.cmake: Added.
1876         * shell/playstation/Initializer.cpp: Added.
1877         (initializer):
1878
1879 2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>
1880
1881         Stop trying to support building JSC with clang 3.8
1882         https://bugs.webkit.org/show_bug.cgi?id=195947
1883         <rdar://problem/49069219>
1884
1885         Reviewed by Darin Adler.
1886
1887         It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
1888         don't know how much effort it would be to make JSC work again, and it's making the code
1889         worse. Remove my hacks to support clang 3.8 from JSC.
1890
1891         * bindings/ScriptValue.cpp:
1892         (Inspector::jsToInspectorValue):
1893         * bytecode/GetterSetterAccessCase.cpp:
1894         (JSC::GetterSetterAccessCase::create):
1895         (JSC::GetterSetterAccessCase::clone const):
1896         * bytecode/InstanceOfAccessCase.cpp:
1897         (JSC::InstanceOfAccessCase::clone const):
1898         * bytecode/IntrinsicGetterAccessCase.cpp:
1899         (JSC::IntrinsicGetterAccessCase::clone const):
1900         * bytecode/ModuleNamespaceAccessCase.cpp:
1901         (JSC::ModuleNamespaceAccessCase::clone const):
1902         * bytecode/ProxyableAccessCase.cpp:
1903         (JSC::ProxyableAccessCase::clone const):
1904
1905 2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>
1906
1907         [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
1908         https://bugs.webkit.org/show_bug.cgi?id=196160
1909
1910         Reviewed by Saam Barati.
1911
1912         "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,
1913
1914         1. It does not allocate additional memory while expanding a vector
1915         2. It does not deallocate old memory, just reusing the current memory by expanding, so that memory footprint is tight even before scavenging
1916
1917         We found that we can "realloc" large butterflies if certain conditions are met because,
1918
1919         1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
1920         2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.
1921
1922         This patch attempts to use "realloc" onto butterflies if,
1923
1924         1. Butterflies are allocated in LargeAllocation kind
1925         2. Concurrent collector is not active
1926         3. Butterflies do not have property storage
1927
1928         The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into it. The condition (3) is
1929         also required to avoid deallocating butterflies while the concurrent compiler looks into it.
1930
1931         We also change LargeAllocation mechanism to using "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
1932         safely in all the platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
1933         16B alignment by allocating 8B more memory in "malloc".
1934
1935         Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of JIT tests).
1936
1937         * heap/AlignedMemoryAllocator.h:
1938         * heap/CompleteSubspace.cpp:
1939         (JSC::CompleteSubspace::tryAllocateSlow):
1940         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
1941         * heap/CompleteSubspace.h:
1942         * heap/FastMallocAlignedMemoryAllocator.cpp:
1943         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
1944         (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
1945         (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
1946         * heap/FastMallocAlignedMemoryAllocator.h:
1947         * heap/GigacageAlignedMemoryAllocator.cpp:
1948         (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
1949         (JSC::GigacageAlignedMemoryAllocator::freeMemory):
1950         (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
1951         * heap/GigacageAlignedMemoryAllocator.h:
1952         * heap/IsoAlignedMemoryAllocator.cpp:
1953         (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
1954         (JSC::IsoAlignedMemoryAllocator::freeMemory):
1955         (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
1956         * heap/IsoAlignedMemoryAllocator.h:
1957         * heap/LargeAllocation.cpp:
1958         (JSC::isAlignedForLargeAllocation):
1959         (JSC::LargeAllocation::tryCreate):
1960         (JSC::LargeAllocation::tryReallocate):
1961         (JSC::LargeAllocation::LargeAllocation):
1962         (JSC::LargeAllocation::destroy):
1963         * heap/LargeAllocation.h:
1964         (JSC::LargeAllocation::indexInSpace):
1965         (JSC::LargeAllocation::setIndexInSpace):
1966         (JSC::LargeAllocation::basePointer const):
1967         * heap/MarkedSpace.cpp:
1968         (JSC::MarkedSpace::sweepLargeAllocations):
1969         (JSC::MarkedSpace::prepareForConservativeScan):
1970         * heap/WeakSet.h:
1971         (JSC::WeakSet::isTriviallyDestructible const):
1972         * runtime/Butterfly.h:
1973         * runtime/ButterflyInlines.h:
1974         (JSC::Butterfly::reallocArrayRightIfPossible):
1975         * runtime/JSObject.cpp:
1976         (JSC::JSObject::ensureLengthSlow):
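
        Added illustration (not JSC code and not part of this entry): a C++ sketch of the over-allocate-by-8 scheme described above, with hypothetical names (LargeChunk, tryAllocateLarge, tryReallocateLarge, placeCell). It assumes, as the entry implies, that a large cell is told apart from a block cell by its address modulo 16 (large cells at 8 mod 16, block cells 16-byte aligned), and that malloc returns memory aligned to at least 8 bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical constants (not JSC's): block cells are 16-byte aligned, so a large
// cell is recognisable by sitting at 8 mod 16 instead.
constexpr uintptr_t kAlignment = 16;
constexpr uintptr_t kHalfAlignment = kAlignment / 2;

// The 8-byte shift below only works if malloc never hands out memory aligned worse than 8.
static_assert(alignof(std::max_align_t) >= kHalfAlignment, "malloc alignment too weak for the 8-byte shift");

struct LargeChunk {
    void* base = nullptr; // what malloc/realloc returned; the only pointer free() may see
    void* cell = nullptr; // base or base + 8, whichever lands on 8 mod 16
    size_t size = 0;      // usable bytes starting at cell
};

static bool isLargeCellAddress(const void* p)
{
    return (reinterpret_cast<uintptr_t>(p) & (kAlignment - 1)) == kHalfAlignment;
}

// Pick the cell address inside a region that is 8 bytes bigger than requested.
static void* placeCell(void* base)
{
    uintptr_t addr = reinterpret_cast<uintptr_t>(base);
    if ((addr & (kAlignment - 1)) == kHalfAlignment)
        return base;                                        // already at 8 mod 16
    return reinterpret_cast<void*>(addr + kHalfAlignment);  // 16-aligned: skip 8 bytes
}

static bool tryAllocateLarge(size_t size, LargeChunk& out)
{
    void* base = std::malloc(size + kHalfAlignment); // the 8 spare bytes pay for the shift
    if (!base)
        return false;
    out.base = base;
    out.cell = placeCell(base);
    out.size = size;
    return true;
}

// posix_memalign has no realloc counterpart; plain malloc does. But realloc may return a
// region whose residue mod 16 differs from the old one, so the payload may have to slide
// by 8 bytes inside the new region before the cell address is valid again.
static bool tryReallocateLarge(LargeChunk& chunk, size_t newSize)
{
    uintptr_t oldOffset = reinterpret_cast<uintptr_t>(chunk.cell) - reinterpret_cast<uintptr_t>(chunk.base);
    void* base = std::realloc(chunk.base, newSize + kHalfAlignment);
    if (!base)
        return false; // realloc failed: chunk is untouched and still owns the old region
    void* cell = placeCell(base);
    uintptr_t newOffset = reinterpret_cast<uintptr_t>(cell) - reinterpret_cast<uintptr_t>(base);
    if (newOffset != oldOffset) {
        // realloc preserved bytes at their old offsets; move the payload to the new cell.
        size_t live = chunk.size < newSize ? chunk.size : newSize;
        std::memmove(cell, static_cast<char*>(base) + oldOffset, live);
    }
    chunk.base = base;
    chunk.cell = cell;
    chunk.size = newSize;
    return true;
}

static void freeLarge(LargeChunk& chunk)
{
    std::free(chunk.base); // never free(cell): it may point 8 bytes into the region
    chunk = LargeChunk();
}

// Exercise allocate -> grow -> shrink -> free and check that payload and alignment survive.
static bool roundTrip()
{
    LargeChunk c;
    if (!tryAllocateLarge(40, c) || !isLargeCellAddress(c.cell))
        return false;
    unsigned char* p = static_cast<unsigned char*>(c.cell);
    for (size_t i = 0; i < 40; ++i)
        p[i] = static_cast<unsigned char>(i * 7);
    if (!tryReallocateLarge(c, 200) || !isLargeCellAddress(c.cell))
        return false;
    p = static_cast<unsigned char*>(c.cell);
    for (size_t i = 0; i < 40; ++i)
        if (p[i] != static_cast<unsigned char>(i * 7))
            return false;
    if (!tryReallocateLarge(c, 16) || !isLargeCellAddress(c.cell))
        return false;
    p = static_cast<unsigned char*>(c.cell);
    for (size_t i = 0; i < 16; ++i)
        if (p[i] != static_cast<unsigned char>(i * 7))
            return false;
    freeLarge(c);
    return c.base == nullptr && c.cell == nullptr;
}
```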
1977
1978 2019-03-31  Sam Weinig  <weinig@apple.com>
1979
1980         Remove more i386 specific configurations
1981         https://bugs.webkit.org/show_bug.cgi?id=196430
1982
1983         Reviewed by Alexey Proskuryakov.
1984
1985         * Configurations/FeatureDefines.xcconfig:
1986         ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.
1987
1988         * Configurations/ToolExecutable.xcconfig:
1989         ARC can be enabled unconditionally now.
1990
1991 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
1992
1993         [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
1994         https://bugs.webkit.org/show_bug.cgi?id=196392
1995
1996         Reviewed by Saam Barati.
1997
1998         Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very simple program shows 10KB of memory consumption due to
1999         this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
2000         from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
2001         and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
2002         wrapper map holds it.
2003
2004         1. We do not use the Objective-C weak mechanism. We use WTF::HashSet instead. When a JSValue is allocated, we register it in JSWrapperMap's HashSet, and unregister
2005            it from this map when the JSValue is deallocated.
2006         2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep the JSValueRef and JSValue relationship. We can achieve this because JSValue
2007            holds the JSValueRef inside it.
2008
2009         * API/JSContext.mm:
2010         (-[JSContext removeWrapper:]):
2011         * API/JSContextInternal.h:
2012         * API/JSValue.mm:
2013         (-[JSValue dealloc]):
2014         (-[JSValue initWithValue:inContext:]):
2015         * API/JSWrapperMap.h:
2016         * API/JSWrapperMap.mm:
2017         (WrapperKey::hashTableDeletedValue):
2018         (WrapperKey::WrapperKey):
2019         (WrapperKey::isHashTableDeletedValue const):
2020         (WrapperKey::Hash::hash):
2021         (WrapperKey::Hash::equal):
2022         (WrapperKey::Traits::isEmptyValue):
2023         (WrapperKey::Translator::hash):
2024         (WrapperKey::Translator::equal):
2025         (WrapperKey::Translator::translate):
2026         (-[JSWrapperMap initWithGlobalContextRef:]):
2027         (-[JSWrapperMap dealloc]):
2028         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
2029         (-[JSWrapperMap removeWrapper:]):
2030         * API/tests/testapi.mm:
2031         (testObjectiveCAPIMain):
2032
2033 2019-03-29  Robin Morisset  <rmorisset@apple.com>
2034
2035         B3ReduceStrength should know that Mul distributes over Add and Sub
2036         https://bugs.webkit.org/show_bug.cgi?id=196325
2037
2038         Reviewed by Michael Saboff.
2039
2040         In this patch I add the following patterns to B3ReduceStrength:
2041         - Turn this: Integer Neg(Mul(value, c))
2042           Into this: Mul(value, -c), as long as -c does not overflow
2043         - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
2044           Into this: Neg(Mul(value, otherValue))
2045         - For Op==Add or Sub, turn any of these:
2046              Op(Mul(x1, x2), Mul(x1, x3))
2047              Op(Mul(x2, x1), Mul(x1, x3))
2048              Op(Mul(x1, x2), Mul(x3, x1))
2049              Op(Mul(x2, x1), Mul(x3, x1))
2050           Into this: Mul(x1, Op(x2, x3))
2051
2052         Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
2053         emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.
2054
2055         * b3/B3ReduceStrength.cpp:
2056         * b3/testb3.cpp:
2057         (JSC::B3::testAddMulMulArgs):
2058         (JSC::B3::testMulArgNegArg):
2059         (JSC::B3::testMulNegArgArg):
2060         (JSC::B3::testNegMulArgImm):
2061         (JSC::B3::testSubMulMulArgs):
2062         (JSC::B3::run):
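
        Added illustration (not B3's code and not part of this entry): a miniature strength-reduction pass over a hypothetical expression tree (Expr, reduce, dump are made-up names) that applies exactly the rewrites listed above, including the "-c does not overflow" guard for Neg(Mul(value, c)). It assumes, as B3 canonicalisation does, that a constant operand of Mul sits on the right, and it does one pass rather than iterating to a fixpoint.

```cpp
#include <cstdint>
#include <limits>
#include <memory>
#include <string>

// Hypothetical mini-IR, not B3's classes. Constants are kept as the right operand of Mul,
// so Neg(Mul(value, c)) is the only shape the constant rule has to recognise.
enum class Op { Const, Var, Neg, Mul, Add, Sub };

struct Expr;
using ExprPtr = std::shared_ptr<Expr>;

struct Expr {
    Op op = Op::Const;
    int32_t value = 0;  // Const
    std::string name;   // Var
    ExprPtr a, b;       // Neg uses a; Mul/Add/Sub use a and b
};

ExprPtr constant(int32_t v) { auto e = std::make_shared<Expr>(); e->op = Op::Const; e->value = v; return e; }
ExprPtr var(const std::string& n) { auto e = std::make_shared<Expr>(); e->op = Op::Var; e->name = n; return e; }
ExprPtr unary(Op op, ExprPtr a) { auto e = std::make_shared<Expr>(); e->op = op; e->a = std::move(a); return e; }
ExprPtr binary(Op op, ExprPtr a, ExprPtr b) { auto e = std::make_shared<Expr>(); e->op = op; e->a = std::move(a); e->b = std::move(b); return e; }

// Structural equality, so the distributivity rule can spot the shared factor x1.
bool same(const ExprPtr& l, const ExprPtr& r) {
    if (l == r) return true;
    if (!l || !r || l->op != r->op) return false;
    switch (l->op) {
    case Op::Const: return l->value == r->value;
    case Op::Var: return l->name == r->name;
    default: return same(l->a, r->a) && same(l->b, r->b);
    }
}

// Negating a 32-bit constant is only legal when it does not overflow: -INT32_MIN is
// undefined behaviour in C++ and wraps back to INT32_MIN in two's complement.
bool negateWithoutOverflow(int32_t c, int32_t& out) {
    if (c == std::numeric_limits<int32_t>::min()) return false;
    out = -c;
    return true;
}

ExprPtr reduce(ExprPtr e) {
    if (!e) return e;
    if (e->a) e->a = reduce(e->a); // children first (B3 would then re-run to a fixpoint)
    if (e->b) e->b = reduce(e->b);
    switch (e->op) {
    case Op::Neg:
        // Neg(Mul(value, c)) -> Mul(value, -c), as long as -c does not overflow.
        if (e->a->op == Op::Mul && e->a->b->op == Op::Const) {
            int32_t negated = 0;
            if (negateWithoutOverflow(e->a->b->value, negated))
                return binary(Op::Mul, e->a->a, constant(negated));
        }
        return e;
    case Op::Mul:
        // Mul(value, Neg(other)) and Mul(Neg(value), other) -> Neg(Mul(value, other)).
        if (e->b->op == Op::Neg) return unary(Op::Neg, binary(Op::Mul, e->a, e->b->a));
        if (e->a->op == Op::Neg) return unary(Op::Neg, binary(Op::Mul, e->a->a, e->b));
        return e;
    case Op::Add:
    case Op::Sub: {
        // Op(Mul(x1, x2), Mul(x1, x3)) and its three commuted forms -> Mul(x1, Op(x2, x3)).
        if (e->a->op != Op::Mul || e->b->op != Op::Mul) return e;
        ExprPtr l1 = e->a->a, l2 = e->a->b, r1 = e->b->a, r2 = e->b->b;
        ExprPtr x1, x2, x3;
        if (same(l1, r1))      { x1 = l1; x2 = l2; x3 = r2; }
        else if (same(l2, r1)) { x1 = l2; x2 = l1; x3 = r2; }
        else if (same(l1, r2)) { x1 = l1; x2 = l2; x3 = r1; }
        else if (same(l2, r2)) { x1 = l2; x2 = l1; x3 = r1; }
        else return e; // no shared factor: nothing to do
        return binary(Op::Mul, x1, binary(e->op, x2, x3));
    }
    default:
        return e;
    }
}

// Render a tree in the entry's notation, e.g. "Mul(x, Add(y, z))".
std::string dump(const ExprPtr& e) {
    switch (e->op) {
    case Op::Const: return std::to_string(e->value);
    case Op::Var: return e->name;
    case Op::Neg: return "Neg(" + dump(e->a) + ")";
    case Op::Mul: return "Mul(" + dump(e->a) + ", " + dump(e->b) + ")";
    case Op::Add: return "Add(" + dump(e->a) + ", " + dump(e->b) + ")";
    case Op::Sub: return "Sub(" + dump(e->a) + ", " + dump(e->b) + ")";
    }
    return "?";
}
```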
2063
2064 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
2065
2066         [JSC] Remove distancing for LargeAllocation
2067         https://bugs.webkit.org/show_bug.cgi?id=196335
2068
2069         Reviewed by Saam Barati.
2070
2071         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing thing in LargeAllocation.
2072
2073         * heap/HeapCell.h:
2074         * heap/LargeAllocation.cpp:
2075         (JSC::LargeAllocation::tryCreate):
2076         * heap/MarkedBlock.h:
2077
2078 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2079
2080         Delete WebMetal implementation in favor of WebGPU
2081         https://bugs.webkit.org/show_bug.cgi?id=195418
2082
2083         Reviewed by Dean Jackson.
2084
2085         * Configurations/FeatureDefines.xcconfig:
2086         * inspector/protocol/Canvas.json:
2087         * inspector/scripts/codegen/generator.py:
2088
2089 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2090
2091         Assertion failed in JSC::createError
2092         https://bugs.webkit.org/show_bug.cgi?id=196305
2093         <rdar://problem/49387382>
2094
2095         Reviewed by Saam Barati.
2096
2097         JSC::createError assumes that `errorDescriptionForValue` will either
2098         throw an exception or return a valid description string. However, that
2099         is not true if the value is a rope string and we successfully resolve it,
2100         but later fail to wrap the string in quotes with `tryMakeString`.
2101
2102         * runtime/ExceptionHelpers.cpp:
2103         (JSC::createError):
2104
2105 2019-03-29  Devin Rousso  <drousso@apple.com>
2106
2107         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
2108         https://bugs.webkit.org/show_bug.cgi?id=196382
2109         <rdar://problem/49403417>
2110
2111         Reviewed by Joseph Pecoraro.
2112
2113         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check
2114         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
2115         developer extras are enabled.
2116
2117         * inspector/agents/InspectorConsoleAgent.cpp:
2118         (Inspector::InspectorConsoleAgent::startTiming):
2119         (Inspector::InspectorConsoleAgent::stopTiming):
2120         (Inspector::InspectorConsoleAgent::count):
2121         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2122
2123 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
2124
2125         Implement ResizeObserver.
2126         https://bugs.webkit.org/show_bug.cgi?id=157743
2127
2128         Reviewed by Simon Fraser.
2129
2130         Add ENABLE_RESIZE_OBSERVER.
2131
2132         * Configurations/FeatureDefines.xcconfig:
2133
2134 2019-03-28  Michael Saboff  <msaboff@apple.com>
2135
2136         [YARR] Precompute BMP / non-BMP status when constructing character classes
2137         https://bugs.webkit.org/show_bug.cgi?id=196296
2138
2139         Reviewed by Keith Miller.
2140
2141         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
2142         indicates if the class includes characters from either BMP, non-BMP or both ranges.
2143         This allows the recognizing code to eliminate checks for the width of a matched
2144         character when the class has only one width.  The character width is needed to
2145         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
2146         classes that contain either all BMP or all non-BMP characters allows the parser to
2147         use fixed widths for terms using those character classes.  Changed both the code gen
2148         scripts and Yarr compiler to compute this bit field during the construction of
2149         character classes.
2150
2151         For JIT'ed code of character classes that contain either all BMP or all non-BMP
2152         characters, we can eliminate the generic check we were doing to compute how much
2153         to advance after successfully matching a character in the class.
2154
2155                 Generic isBMP check      BMP only            non-BMP only
2156                 --------------           --------------      --------------
2157                 inc %r9d                 inc %r9d            add $0x2, %r9d
2158                 cmp $0x10000, %eax
2159                 jl isBMP
2160                 cmp %edx, %esi
2161                 jz atEndOfString
2162                 inc %r9d
2163                 inc %esi
2164          isBMP:
2165
2166         For character classes that contained non-BMP characters, we were always generating
2167         the code in the left column.  The middle column is the code we generate for character
2168         classes that contain only BMP characters.  The right column is the code we now
2169         generate if the character class has only non-BMP characters.  In the fixed width cases,
2170         we can eliminate both the isBMP check as well as the atEndOfString check.  The
2171         atEndOfString check is eliminated since we know how many characters this character
2172         class requires and that check can be factored out to the beginning of the current
2173         alternative.  For character classes that contain both BMP and non-BMP characters,
2174         we still generate the generic left column.
2175
2176         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
2177         as a whole.
2178
2179         * runtime/RegExp.cpp:
2180         (JSC::RegExp::matchCompareWithInterpreter):
2181         * runtime/RegExpInlines.h:
2182         (JSC::RegExp::matchInline):
2183         * yarr/YarrInterpreter.cpp:
2184         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2185         (JSC::Yarr::Interpreter::matchCharacterClass):
2186         * yarr/YarrJIT.cpp:
2187         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2188         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2189         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2190         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2191         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2192         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2193         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2194         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2195         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2196         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2197         (JSC::Yarr::YarrGenerator::generateEnter):
2198         (JSC::Yarr::YarrGenerator::YarrGenerator):
2199         (JSC::Yarr::YarrGenerator::compile):
2200         * yarr/YarrPattern.cpp:
2201         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2202         (JSC::Yarr::CharacterClassConstructor::reset):
2203         (JSC::Yarr::CharacterClassConstructor::charClass):
2204         (JSC::Yarr::CharacterClassConstructor::addSorted):
2205         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2206         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2207         (JSC::Yarr::CharacterClassConstructor::characterWidths):
2208         (JSC::Yarr::PatternTerm::dump):
2209         (JSC::Yarr::anycharCreate):
2210         * yarr/YarrPattern.h:
2211         (JSC::Yarr::operator|):
2212         (JSC::Yarr::operator&):
2213         (JSC::Yarr::operator|=):
2214         (JSC::Yarr::CharacterClass::CharacterClass):
2215         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
2216         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
2217         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
2218         (JSC::Yarr::PatternTerm::invert const):
2219         (JSC::Yarr::PatternTerm::invert): Deleted.
2220         * yarr/create_regex_tables:
2221         * yarr/generateYarrUnicodePropertyTables.py:
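
        Added illustration (not Yarr's code and not part of this entry): a C++ sketch with hypothetical names (CharacterWidth, CharacterClass::addRange, matchOnce, matchFixedCount) of the width bit field computed at class-construction time, of the fixed 1- or 2-unit advance it permits for single-width classes, and of the hoisted end-of-string check for a fixed-count term. Inputs are constructed UTF-16 strings.

```cpp
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

// Hypothetical names (not Yarr's): a two-bit width field computed while the class is built.
enum CharacterWidth : uint8_t { NoWidth = 0, HasBMPChars = 1, HasNonBMPChars = 2, HasBothWidths = 3 };

struct CodePointRange { uint32_t lo, hi; };

struct CharacterClass {
    std::vector<CodePointRange> ranges;
    CharacterWidth widths = NoWidth;

    // The entry's idea: record BMP / non-BMP membership once, at construction time, instead of
    // deciding the width of every matched character at run time.
    void addRange(uint32_t lo, uint32_t hi) {
        ranges.push_back({lo, hi});
        if (lo <= 0xFFFF) widths = CharacterWidth(widths | HasBMPChars);
        if (hi > 0xFFFF) widths = CharacterWidth(widths | HasNonBMPChars);
    }
    bool hasOneCharacterSize() const { return widths == HasBMPChars || widths == HasNonBMPChars; }
    bool hasOnlyNonBMPCharacters() const { return widths == HasNonBMPChars; }
    bool contains(uint32_t cp) const {
        for (const CodePointRange& r : ranges)
            if (cp >= r.lo && cp <= r.hi) return true;
        return false;
    }
};

CharacterClass makeClass(std::initializer_list<CodePointRange> rs) {
    CharacterClass c;
    for (const CodePointRange& r : rs) c.addRange(r.lo, r.hi);
    return c;
}

// Decode one code point from UTF-16 at index i; returns how many code units it occupied (1 or 2).
// A lone surrogate is returned as itself (1 unit), as a /u regexp would see it.
unsigned readCodePoint(const std::u16string& s, size_t i, uint32_t& cp) {
    char16_t lead = s[i];
    if (lead >= 0xD800 && lead <= 0xDBFF && i + 1 < s.size()) {
        char16_t trail = s[i + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            cp = 0x10000 + ((uint32_t(lead) - 0xD800) << 10) + (uint32_t(trail) - 0xDC00);
            return 2;
        }
    }
    cp = lead;
    return 1;
}

// Match the class once at index i; returns the next index or -1.
// Single-width class: the advance is a constant (1 or 2) and the isBMP check of the entry's
// left column disappears. Mixed class: we must still advance by the width of what matched.
long matchOnce(const CharacterClass& cls, const std::u16string& s, size_t i) {
    if (i >= s.size()) return -1;
    uint32_t cp = 0;
    unsigned consumed = readCodePoint(s, i, cp);
    if (!cls.contains(cp)) return -1;
    if (cls.hasOneCharacterSize())
        return long(i + (cls.hasOnlyNonBMPCharacters() ? 2 : 1));
    return long(i + consumed);
}

// A fixed-count term such as [class]{n} on a single-width class: the term's length in code
// units is known up front, so the end-of-string check is hoisted out of the loop (the entry's
// "factored out to the beginning of the current alternative").
long matchFixedCount(const CharacterClass& cls, const std::u16string& s, size_t i, unsigned n) {
    if (!cls.hasOneCharacterSize()) return -1; // this fast path exists only for single-width classes
    size_t width = cls.hasOnlyNonBMPCharacters() ? 2 : 1;
    if (i + size_t(n) * width > s.size()) return -1; // hoisted atEndOfString check
    for (unsigned k = 0; k < n; ++k) {
        uint32_t cp = 0;
        readCodePoint(s, i, cp);
        if (!cls.contains(cp)) return -1;
        i += width; // fixed advance, no per-character width computation
    }
    return long(i);
}
```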
2222
2223 2019-03-28  Saam Barati  <sbarati@apple.com>
2224
2225         BackwardsGraph needs to consider back edges as the backward's root successor
2226         https://bugs.webkit.org/show_bug.cgi?id=195991
2227
2228         Reviewed by Filip Pizlo.
2229
2230         * b3/testb3.cpp:
2231         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
2232         (JSC::B3::run):
2233
2234 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
2235
2236         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
2237         https://bugs.webkit.org/show_bug.cgi?id=196343
2238
2239         Reviewed by Saam Barati.
2240
2241         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
2242         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
2243
2244         * bytecode/Opcode.cpp:
2245         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
2246         this function is used only in Opcode.cpp. Changed macros
2247         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
2248         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
2249         * bytecode/Opcode.h:
2250         (JSC::padOpcodeName): Moved.
2251
2252 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2253
2254         CodeBlock::jettison() should disallow repatching its own calls
2255         https://bugs.webkit.org/show_bug.cgi?id=196359
2256         <rdar://problem/48973663>
2257
2258         Reviewed by Saam Barati.
2259
2260         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
2261         instruction with the jump to OSR exit. However, if the `hlt` was immediately
2262         followed by a call to the CodeBlock being jettisoned, we would write over the
2263         OSR exit address while unlinking all the incoming CallLinkInfos later in
2264         CodeBlock::jettison().
2265
2266         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
2267         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
2268         repatching the call during unlinking. This is safe because this call will never
2269         be reachable again after the CodeBlock is jettisoned.
2270
2271         * bytecode/CallLinkInfo.cpp:
2272         (JSC::CallLinkInfo::CallLinkInfo):
2273         (JSC::CallLinkInfo::setCallee):
2274         (JSC::CallLinkInfo::clearCallee):
2275         (JSC::CallLinkInfo::setCodeBlock):
2276         (JSC::CallLinkInfo::clearCodeBlock):
2277         * bytecode/CallLinkInfo.h:
2278         (JSC::CallLinkInfo::clearedByJettison):
2279         (JSC::CallLinkInfo::setClearedByJettison):
2280         * bytecode/CodeBlock.cpp:
2281         (JSC::CodeBlock::jettison):
2282         * jit/Repatch.cpp:
2283         (JSC::revertCall):
2284
2285 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2286
2287         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2288         https://bugs.webkit.org/show_bug.cgi?id=196341
2289
2290         Reviewed by Saam Barati.
2291
2292         Previously, we created an Objective-C weak map to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2293         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
2294         JSC intrusively for JavaScriptCore.framework (and we already did it, e.g. holding JSWrapperMap in JSGlobalObject), we can just hold
2295         a pointer to a wrapper in VM and JSGlobalObject.
2296
2297         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2298         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2299
2300         * API/JSContext.mm:
2301         (-[JSContext initWithVirtualMachine:]):
2302         (-[JSContext dealloc]):
2303         (-[JSContext initWithGlobalContextRef:]):
2304         (-[JSContext wrapperMap]):
2305         (+[JSContext contextWithJSGlobalContextRef:]):
2306         * API/JSVirtualMachine.mm:
2307         (-[JSVirtualMachine initWithContextGroupRef:]):
2308         (-[JSVirtualMachine dealloc]):
2309         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2310         (scanExternalObjectGraph):
2311         (scanExternalRememberedSet):
2312         (initWrapperCache): Deleted.
2313         (wrapperCache): Deleted.
2314         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2315         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2316         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2317         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2318         * API/JSVirtualMachineInternal.h:
2319         * runtime/JSGlobalObject.h:
2320         (JSC::JSGlobalObject::setAPIWrapper):
2321         (JSC::JSGlobalObject::apiWrapper const):
2322         * runtime/VM.h:
2323
2324 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2325
2326         In-memory code cache should not share bytecode across domains
2327         https://bugs.webkit.org/show_bug.cgi?id=196321
2328
2329         Reviewed by Geoffrey Garen.
2330
2331         Use the SourceProvider's URL to make sure that the hosts match for the
2332         two SourceCodeKeys in operator==.
2333
2334         * parser/SourceCodeKey.h:
2335         (JSC::SourceCodeKey::host const):
2336         (JSC::SourceCodeKey::operator== const):
2337
2338 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2339
2340         Silence a lot of warnings when compiling with clang
2341         https://bugs.webkit.org/show_bug.cgi?id=196310
2342
2343         Reviewed by Michael Catanzaro.
2344
2345         Initialize the variable with the default constructor.
2346
2347         * API/glib/JSCOptions.cpp:
2348         (jsc_options_foreach):
2349
2350 2019-03-27  Saam Barati  <sbarati@apple.com>
2351
2352         validateOSREntryValue with Int52 should box the value being checked into double format
2353         https://bugs.webkit.org/show_bug.cgi?id=196313
2354         <rdar://problem/49306703>
2355
2356         Reviewed by Yusuke Suzuki.
2357
2358         * dfg/DFGOSREntry.cpp:
2359         (JSC::DFG::prepareOSREntry):
2360         * ftl/FTLLowerDFGToB3.cpp:
2361         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2362
2363 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2364
2365         [JSC] Owner of watchpoints should validate at GC finalizing phase
2366         https://bugs.webkit.org/show_bug.cgi?id=195827
2367
2368         Reviewed by Filip Pizlo.
2369
2370         This patch fixes JSC's watchpoint liveness issue by the following two policies.
2371
2372         1. A watchpoint should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2373
2374         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
2375         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2376         be delayed due to the incremental sweeper. So the following condition can happen.
2377
2378         When we have a watchpoint like the following.
2379
2380             class XXXWatchpoint {
2381                 ObjectPropertyCondition m_key;
2382                 JSCell* m_owner;
2383             };
2384
2385         Both m_key's cell and m_owner are now unreachable from the root. So eventually, the m_owner cell's destructor
2386         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2387         watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
2388         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard the fire procedure with
2389         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2390         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2391
2392         2. Watchpoint liveness should be maintained by the owner cell's unconditional finalizer
2393
2394         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
2395         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
2396         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2397         in the fire operation is not useful, because these dead cells can eventually be reused for other live cells, and these
2398         isLive / isStillLive checks fail to see these cells are live if they are reused. The appropriate way is deleting watchpoints
2399         with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in owner cells of watchpoints.
2400         We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
2401
2402         * JavaScriptCore.xcodeproj/project.pbxproj:
2403         * Sources.txt:
2404         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2405         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2406         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2407         * bytecode/CodeBlockJettisoningWatchpoint.h:
2408         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2409         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2410         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2411         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2412         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2413         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2414         * bytecode/StructureStubClearingWatchpoint.cpp:
2415         (JSC::StructureStubClearingWatchpoint::fireInternal):
2416         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2417         * bytecode/StructureStubClearingWatchpoint.h:
2418         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2419         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2420         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2421         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2422         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2423         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2424         * dfg/DFGAdaptiveStructureWatchpoint.h:
2425         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2426         * dfg/DFGDesiredWatchpoints.cpp:
2427         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2428         * heap/Heap.cpp:
2429         (JSC::Heap::finalizeUnconditionalFinalizers):
2430         * llint/LLIntSlowPaths.cpp:
2431         (JSC::LLInt::setupGetByIdPrototypeCache):
2432         * runtime/ArrayBuffer.cpp:
2433         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2434         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2435         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2436         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2437         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2438         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2439         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2440         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2441         * runtime/FunctionRareData.h:
2442         * runtime/JSGlobalObject.cpp:
2443         (JSC::JSGlobalObject::init):
2444         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2445         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2446         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2447         * runtime/StructureRareData.cpp:
2448         (JSC::StructureRareData::finalizeUnconditionally):
2449         * runtime/StructureRareData.h:
2450         * runtime/VM.cpp:
2451         (JSC::VM::VM):
2452
2453 2019-03-26  Saam Barati  <sbarati@apple.com>
2454
2455         FTL: Emit code to validate AI's state when running the compiled code
2456         https://bugs.webkit.org/show_bug.cgi?id=195924
2457         <rdar://problem/49003422>
2458
2459         Reviewed by Filip Pizlo.
2460
2461         This patch adds code between the execution of each node that validates
2462         the types that AI proves. This option is too expensive to turn on for our
2463         regression testing, but we think it will be valuable in other types of running
2464         modes, such as when running with a fuzzer.
2465         
2466         This patch also adds options to only probabilistically run this validation
2467         after the execution of each node. As the probability is lowered, there is
2468         less of a perf hit.
2469         
2470         This patch just adds this validation in the FTL. A follow-up patch will land
2471         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2472
2473         * ftl/FTLLowerDFGToB3.cpp:
2474         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2475         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2476         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2477         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2478         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2479         * runtime/Options.h:
2480
2481 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2482
2483         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2484         https://bugs.webkit.org/show_bug.cgi?id=196217
2485
2486         Reviewed by Saam Barati.
2487
2488         Generalize the fix for f32.max to properly handle NaN by doing an extra GreaterThan
2489         comparison in r243446 to all min and max float operations.
2490
2491         * wasm/WasmAirIRGenerator.cpp:
2492         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2493         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2494         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2495         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2496         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2497         * wasm/wasm.json:
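
        Added illustration (not the Air lowering from WasmAirIRGenerator.cpp and not part of this entry): C++ templates with hypothetical names (naiveMin/naiveMax, wasmMin/wasmMax) showing why a single LessThan drops a NaN operand, and how the LessThan plus the extra GreaterThan leave exactly the "equal or unordered" case, which is then resolved by a NaN check and a bitwise OR/AND for the signed zeros. The branch layout is a readable sketch of the semantics, not the generated machine code.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

// Bit-pattern helpers (hypothetical names): float <-> uint32_t, double <-> uint64_t.
template <typename T> struct BitsOf;
template <> struct BitsOf<float> { using type = uint32_t; };
template <> struct BitsOf<double> { using type = uint64_t; };

template <typename T> typename BitsOf<T>::type toBits(T v) {
    typename BitsOf<T>::type u;
    std::memcpy(&u, &v, sizeof v);
    return u;
}
template <typename T> T fromBits(typename BitsOf<T>::type u) {
    T v;
    std::memcpy(&v, &u, sizeof v);
    return v;
}

// The naive lowering: one comparison. Its else-branch conflates "a > b" with "unordered",
// so a NaN on the left is silently replaced by the right operand (and -0 vs +0 is arbitrary).
template <typename T> T naiveMin(T a, T b) { return a < b ? a : b; }
template <typename T> T naiveMax(T a, T b) { return a > b ? a : b; }

// WebAssembly fNN.min: NaN if either input is NaN; -0 is below +0; otherwise the smaller value.
// LessThan, then the extra GreaterThan: whatever falls through is exactly "equal or unordered".
template <typename T> T wasmMin(T a, T b) {
    if (a < b) return a;                        // LessThan: a is strictly smaller
    if (a > b) return b;                        // the extra GreaterThan: b is strictly smaller
    if (std::isnan(a) || std::isnan(b))         // unordered: propagate NaN instead of picking a side
        return std::numeric_limits<T>::quiet_NaN();
    return fromBits<T>(toBits(a) | toBits(b));  // equal: OR keeps a set sign bit, so min(+0, -0) is -0
}

// WebAssembly fNN.max: the mirror image; AND clears the sign bit, so max(+0, -0) is +0.
template <typename T> T wasmMax(T a, T b) {
    if (a > b) return a;
    if (a < b) return b;
    if (std::isnan(a) || std::isnan(b))
        return std::numeric_limits<T>::quiet_NaN();
    return fromBits<T>(toBits(a) & toBits(b));
}
```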
2498
2499 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2500
2501         Intl.DateTimeFormat should obey 2-digit hour
2502         https://bugs.webkit.org/show_bug.cgi?id=195974
2503
2504         Reviewed by Keith Miller.
2505
2506         * runtime/IntlDateTimeFormat.cpp:
2507         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2508
2509 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2510
2511         Heap::isMarked and friends should be instance methods
2512         https://bugs.webkit.org/show_bug.cgi?id=179988
2513
2514         Reviewed by Saam Barati.
2515
2516         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2517         so that we do not need to look up the Heap from the cell.
2518
2519         * API/JSAPIWrapperObject.mm:
2520         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2521         * API/JSMarkingConstraintPrivate.cpp:
2522         (JSC::isMarked):
2523         * API/glib/JSAPIWrapperObjectGLib.cpp:
2524         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2525         * builtins/BuiltinExecutables.cpp:
2526         (JSC::BuiltinExecutables::finalizeUnconditionally):
2527         * bytecode/AccessCase.cpp:
2528         (JSC::AccessCase::visitWeak const):
2529         (JSC::AccessCase::propagateTransitions const):
2530         * bytecode/CallLinkInfo.cpp:
2531         (JSC::CallLinkInfo::visitWeak):
2532         * bytecode/CallLinkStatus.cpp:
2533         (JSC::CallLinkStatus::finalize):
2534         * bytecode/CallLinkStatus.h:
2535         * bytecode/CallVariant.cpp:
2536         (JSC::CallVariant::finalize):
2537         * bytecode/CallVariant.h:
2538         * bytecode/CodeBlock.cpp:
2539         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2540         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2541         (JSC::shouldMarkTransition):
2542         (JSC::CodeBlock::propagateTransitions):
2543         (JSC::CodeBlock::determineLiveness):
2544         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2545         (JSC::CodeBlock::finalizeUnconditionally):
2546         (JSC::CodeBlock::jettison):
2547         * bytecode/CodeBlock.h:
2548         * bytecode/ExecutableToCodeBlockEdge.cpp:
2549         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2550         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2551         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2552         * bytecode/GetByIdStatus.cpp:
2553         (JSC::GetByIdStatus::finalize):
2554         * bytecode/GetByIdStatus.h:
2555         * bytecode/GetByIdVariant.cpp:
2556         (JSC::GetByIdVariant::finalize):
2557         * bytecode/GetByIdVariant.h:
2558         * bytecode/InByIdStatus.cpp:
2559         (JSC::InByIdStatus::finalize):
2560         * bytecode/InByIdStatus.h:
2561         * bytecode/InByIdVariant.cpp:
2562         (JSC::InByIdVariant::finalize):
2563         * bytecode/InByIdVariant.h:
2564         * bytecode/ObjectPropertyCondition.cpp:
2565         (JSC::ObjectPropertyCondition::isStillLive const):
2566         * bytecode/ObjectPropertyCondition.h:
2567         * bytecode/ObjectPropertyConditionSet.cpp:
2568         (JSC::ObjectPropertyConditionSet::areStillLive const):
2569         * bytecode/ObjectPropertyConditionSet.h:
2570         * bytecode/PolymorphicAccess.cpp:
2571         (JSC::PolymorphicAccess::visitWeak const):
2572         * bytecode/PropertyCondition.cpp:
2573         (JSC::PropertyCondition::isStillLive const):
2574         * bytecode/PropertyCondition.h:
2575         * bytecode/PutByIdStatus.cpp:
2576         (JSC::PutByIdStatus::finalize):
2577         * bytecode/PutByIdStatus.h:
2578         * bytecode/PutByIdVariant.cpp:
2579         (JSC::PutByIdVariant::finalize):
2580         * bytecode/PutByIdVariant.h:
2581         * bytecode/RecordedStatuses.cpp:
2582         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2583         (JSC::RecordedStatuses::finalize):
2584         * bytecode/RecordedStatuses.h:
2585         * bytecode/StructureSet.cpp:
2586         (JSC::StructureSet::isStillAlive const):
2587         * bytecode/StructureSet.h:
2588         * bytecode/StructureStubInfo.cpp:
2589         (JSC::StructureStubInfo::visitWeakReferences):
2590         * dfg/DFGPlan.cpp:
2591         (JSC::DFG::Plan::finalizeInGC):
2592         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2593         * heap/GCIncomingRefCounted.h:
2594         * heap/GCIncomingRefCountedInlines.h:
2595         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2596         * heap/GCIncomingRefCountedSet.h:
2597         * heap/GCIncomingRefCountedSetInlines.h:
2598         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2599         (JSC::GCIncomingRefCountedSet<T>::sweep):
2600         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2601         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2602         * heap/Heap.cpp:
2603         (JSC::Heap::addToRememberedSet):
2604         (JSC::Heap::runEndPhase):
2605         (JSC::Heap::sweepArrayBuffers):
2606         (JSC::Heap::addCoreConstraints):
2607         * heap/Heap.h:
2608         * heap/HeapInlines.h:
2609         (JSC::Heap::isMarked):
2610         * heap/HeapSnapshotBuilder.cpp:
2611         (JSC::HeapSnapshotBuilder::appendNode):
2612         * heap/SlotVisitor.cpp:
2613         (JSC::SlotVisitor::appendToMarkStack):
2614         (JSC::SlotVisitor::visitChildren):
2615         * jit/PolymorphicCallStubRoutine.cpp:
2616         (JSC::PolymorphicCallStubRoutine::visitWeak):
2617         * runtime/ErrorInstance.cpp:
2618         (JSC::ErrorInstance::finalizeUnconditionally):
2619         * runtime/InferredValueInlines.h:
2620         (JSC::InferredValue::finalizeUnconditionally):
2621         * runtime/StackFrame.h:
2622         (JSC::StackFrame::isMarked const):
2623         * runtime/Structure.cpp:
2624         (JSC::Structure::isCheapDuringGC):
2625         (JSC::Structure::markIfCheap):
2626         * runtime/Structure.h:
2627         * runtime/TypeProfiler.cpp:
2628         (JSC::TypeProfiler::invalidateTypeSetCache):
2629         * runtime/TypeProfiler.h:
2630         * runtime/TypeSet.cpp:
2631         (JSC::TypeSet::invalidateCache):
2632         * runtime/TypeSet.h:
2633         * runtime/WeakMapImpl.cpp:
2634         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2635         * runtime/WeakMapImplInlines.h:
2636         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2637
2638 2019-03-25  Keith Miller  <keith_miller@apple.com>
2639
2640         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2641         https://bugs.webkit.org/show_bug.cgi?id=196176
2642
2643         Reviewed by Saam Barati.
2644
2645         convertToCompareEqPtr should allow for either CompareStrictEq or
2646         the SameValue DFG node. This fixes the old assertion that only
2647         allowed CompareStrictEq.
2648
2649         * dfg/DFGNode.h:
2650         (JSC::DFG::Node::convertToCompareEqPtr):
2651
2652 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2653
2654         WebAssembly: f32.max with NaN generates incorrect result
2655         https://bugs.webkit.org/show_bug.cgi?id=175691
2656         <rdar://problem/33952228>
2657
2658         Reviewed by Saam Barati.
2659
2660         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2661         case, we need an extra GreaterThan comparison on top of the existing
2662         Equal and LessThan ones.
2663
2664         * wasm/WasmAirIRGenerator.cpp:
2665         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2666         * wasm/wasm.json:
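
        The following is an added example, not code from this change or from JSC: a scalar C++
        reference model of the WebAssembly f32.max semantics the Air/B3 lowering has to reproduce.
        It puts a two-comparison version (Equal, LessThan) next to the three-comparison version
        (Equal, LessThan, GreaterThan) to show why the extra GreaterThan is what routes NaN inputs
        to a NaN result. Function names are ours; the +0 / -0 rule is the WebAssembly spec's.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

// Added example: a scalar reference model of WebAssembly f32.max.
// The spec requires NaN if either operand is NaN, +0 when the operands
// are +0 and -0, and otherwise the larger operand.

static bool isNegativeZero(float v)
{
    uint32_t bits;
    std::memcpy(&bits, &v, sizeof(bits)); // inspect the sign bit without aliasing UB
    return bits == 0x80000000u;
}

// Lowering with only Equal and LessThan: every ordered comparison
// against NaN is false, so the final fall-through returns `a`
// even when `b` is NaN.
float naiveF32Max(float a, float b)
{
    if (a == b)
        return isNegativeZero(a) ? b : a; // prefer +0 over -0
    if (a < b)
        return b;
    return a; // reached both for a > b and for unordered (NaN) inputs
}

// Lowering with the extra GreaterThan: the unordered case no longer
// shares a path with a > b and can produce NaN explicitly.
float wasmF32Max(float a, float b)
{
    if (a == b)
        return isNegativeZero(a) ? b : a;
    if (a < b)
        return b;
    if (a > b)
        return a;
    return std::numeric_limits<float>::quiet_NaN(); // at least one operand is NaN
}

int main()
{
    // NaN in the second operand is where the two lowerings diverge.
    float wrong = naiveF32Max(1.0f, std::nanf(""));
    float right = wasmF32Max(1.0f, std::nanf(""));
    return (!std::isnan(wrong) && std::isnan(right)) ? 0 : 1;
}
```

        Build it without -ffast-math (or any "finite math only" flag); those options let the
        compiler assume NaN never occurs and would fold the GreaterThan away again.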
2667
2668 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2669
2670         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2671         https://bugs.webkit.org/show_bug.cgi?id=195982
2672
2673         * jit/ExecutableAllocator.h:
2674         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2675
2676 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2677
2678         Remove NavigatorContentUtils in WebCore/Modules
2679         https://bugs.webkit.org/show_bug.cgi?id=196070
2680
2681         Reviewed by Alex Christensen.
2682
2683         NavigatorContentUtils was to support the custom scheme spec [1].
2684         However, on the WebKit side, no port has supported the feature in
2685         the WebKit layer after the EFL port was removed. So only the IDL
2686         implementation of NavigatorContentUtils has remained in WebCore.
2687         So we don't need to keep the implementation in WebCore anymore.
2688
2689         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2690
2691         * Configurations/FeatureDefines.xcconfig:
2692
2693 2019-03-23  Mark Lam  <mark.lam@apple.com>
2694
2695         Rolling out r243032 and r243071 because the fix is incorrect.
2696         https://bugs.webkit.org/show_bug.cgi?id=195892
2697         <rdar://problem/48981239>
2698
2699         Not reviewed.
2700
2701         The fix is incorrect: it relies on being able to determine liveness of an object
2702         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2703         However, there's no guarantee that GC has run and that the MarkedBit is already
2704         set even if the object is live.  As a result, we may not re-install adaptive
2705         watchpoints based on presumed dead objects which are actually live.
2706
2707         I'm rolling this out, and will implement a more comprehensive fix to handle
2708         watchpoint liveness later.
2709
2710         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2711         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2712         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2713         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2714         * bytecode/ObjectPropertyCondition.cpp:
2715         (JSC::ObjectPropertyCondition::dumpInContext const):
2716         * bytecode/StructureStubClearingWatchpoint.cpp:
2717         (JSC::StructureStubClearingWatchpoint::fireInternal):
2718         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2719         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2720         * runtime/StructureRareData.cpp:
2721         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2722
2723 2019-03-23  Keith Miller  <keith_miller@apple.com>
2724
2725         Refactor clz/ctz and fix getLSBSet.
2726         https://bugs.webkit.org/show_bug.cgi?id=196162
2727
2728         Reviewed by Saam Barati.
2729
2730         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2731         respectively.
2732
2733         * dfg/DFGAbstractInterpreterInlines.h:
2734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2735         * dfg/DFGOperations.cpp:
2736         * runtime/JSBigInt.cpp:
2737         (JSC::JSBigInt::digitDiv):
2738         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2739         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2740         (JSC::JSBigInt::toStringBasePowerOfTwo):
2741         (JSC::JSBigInt::compareToDouble):
2742         * runtime/MathObject.cpp:
2743         (JSC::mathProtoFuncClz32):
2744
2745 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2746
2747         [JSC] Shrink sizeof(RegExp)
2748         https://bugs.webkit.org/show_bug.cgi?id=196133
2749
2750         Reviewed by Mark Lam.
2751
2752         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2753         This patch reduces the size from 144B to 48B by:
2754
2755         1. Allocate Yarr::YarrCodeBlock in non-GC heap. We can avoid this allocation if JIT is disabled.
2756         2. m_captureGroupNames and m_namedGroupToParenIndex are moved to RareData. They are only used when RegExp has named capture groups.
2757
2758         * runtime/RegExp.cpp:
2759         (JSC::RegExp::finishCreation):
2760         (JSC::RegExp::estimatedSize):
2761         (JSC::RegExp::compile):
2762         (JSC::RegExp::matchConcurrently):
2763         (JSC::RegExp::compileMatchOnly):
2764         (JSC::RegExp::deleteCode):
2765         (JSC::RegExp::printTraceData):
2766         * runtime/RegExp.h:
2767         * runtime/RegExpInlines.h:
2768         (JSC::RegExp::hasCodeFor):
2769         (JSC::RegExp::matchInline):
2770         (JSC::RegExp::hasMatchOnlyCodeFor):
2771
2772 2019-03-22  Keith Rollin  <krollin@apple.com>
2773
2774         Enable ThinLTO support in Production builds
2775         https://bugs.webkit.org/show_bug.cgi?id=190758
2776         <rdar://problem/45413233>
2777
2778         Reviewed by Daniel Bates.
2779
2780         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
2781         .xcconfig files with regards to LTO settings. However, don't actually
2782         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2783         due to <rdar://problem/24543547>.
2784
2785         * Configurations/Base.xcconfig:
2786
2787 2019-03-22  Mark Lam  <mark.lam@apple.com>
2788
2789         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2790         https://bugs.webkit.org/show_bug.cgi?id=196154
2791         <rdar://problem/49145307>
2792
2793         Reviewed by Filip Pizlo.
2794
2795         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2796         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2797
2798 2019-03-22  Mark Lam  <mark.lam@apple.com>
2799
2800         Placate exception check validation in constructJSWebAssemblyLinkError().
2801         https://bugs.webkit.org/show_bug.cgi?id=196152
2802         <rdar://problem/49145257>
2803
2804         Reviewed by Michael Saboff.
2805
2806         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2807         (JSC::constructJSWebAssemblyLinkError):
2808
2809 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2810
2811         Change macosx() to macos() in WK_API... and JSC_API... macros.
2812         https://bugs.webkit.org/show_bug.cgi?id=196106
2813
2814         Reviewed by Brian Burg.
2815
2816         * API/JSBasePrivate.h:
2817         * API/JSContext.h:
2818         * API/JSContextPrivate.h:
2819         * API/JSContextRef.h:
2820         * API/JSContextRefInternal.h:
2821         * API/JSContextRefPrivate.h:
2822         * API/JSManagedValue.h:
2823         * API/JSObjectRef.h:
2824         * API/JSObjectRefPrivate.h:
2825         * API/JSRemoteInspector.h:
2826         * API/JSScript.h:
2827         * API/JSTypedArray.h:
2828         * API/JSValue.h:
2829         * API/JSValuePrivate.h:
2830         * API/JSValueRef.h:
2831         * API/JSVirtualMachinePrivate.h:
2832
2833 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2834
2835         Unreviewed, build fix for Windows
2836         https://bugs.webkit.org/show_bug.cgi?id=196122
2837
2838         * runtime/FunctionExecutable.cpp:
2839
2840 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2841
2842         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2843         https://bugs.webkit.org/show_bug.cgi?id=196122
2844
2845         Reviewed by Saam Barati.
2846
2847         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2848
2849         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2850         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold them.
2851            This patch adds GlobalExecutable, which represents non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2852         3. FunctionExecutable still needs to support overriding m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2853
2854         * CMakeLists.txt:
2855         * JavaScriptCore.xcodeproj/project.pbxproj:
2856         * Sources.txt:
2857         * bytecode/UnlinkedFunctionExecutable.cpp:
2858         (JSC::UnlinkedFunctionExecutable::link):
2859         * runtime/EvalExecutable.cpp:
2860         (JSC::EvalExecutable::EvalExecutable):
2861         * runtime/EvalExecutable.h:
2862         * runtime/FunctionExecutable.cpp:
2863         (JSC::FunctionExecutable::FunctionExecutable):
2864         (JSC::FunctionExecutable::ensureRareDataSlow):
2865         (JSC::FunctionExecutable::overrideInfo):
2866         * runtime/FunctionExecutable.h:
2867         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2868         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2869         (JSC::GlobalExecutable::lastLine const):
2870         (JSC::GlobalExecutable::endColumn const):
2871         (JSC::GlobalExecutable::recordParse):
2872         (JSC::GlobalExecutable::GlobalExecutable):
2873         * runtime/ModuleProgramExecutable.cpp:
2874         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2875         * runtime/ModuleProgramExecutable.h:
2876         * runtime/ProgramExecutable.cpp:
2877         (JSC::ProgramExecutable::ProgramExecutable):
2878         * runtime/ProgramExecutable.h:
2879         * runtime/ScriptExecutable.cpp:
2880         (JSC::ScriptExecutable::clearCode):
2881         (JSC::ScriptExecutable::installCode):
2882         (JSC::ScriptExecutable::hasClearableCode const):
2883         (JSC::ScriptExecutable::newCodeBlockFor):
2884         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2885         (JSC::ScriptExecutable::recordParse):
2886         (JSC::ScriptExecutable::lastLine const):
2887         (JSC::ScriptExecutable::endColumn const):
2888         * runtime/ScriptExecutable.h:
2889         (JSC::ScriptExecutable::hasJITCodeForCall const):
2890         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2891         (JSC::ScriptExecutable::recordParse):
2892         (JSC::ScriptExecutable::lastLine const): Deleted.
2893         (JSC::ScriptExecutable::endColumn const): Deleted.
2894         * tools/FunctionOverrides.h:
2895
2896 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2897
2898         [JSC] Shrink sizeof(RegExpObject)
2899         https://bugs.webkit.org/show_bug.cgi?id=196130
2900
2901         Reviewed by Saam Barati.
2902
2903         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
2904         It saves 1.3% of memory footprint in RAMification's regexp.
2905
2906         * dfg/DFGSpeculativeJIT.cpp:
2907         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2908         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2909         * ftl/FTLAbstractHeapRepository.h:
2910         * ftl/FTLLowerDFGToB3.cpp:
2911         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2912         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2913         * runtime/RegExpObject.cpp:
2914         (JSC::RegExpObject::RegExpObject):
2915         (JSC::RegExpObject::visitChildren):
2916         (JSC::RegExpObject::getOwnPropertySlot):
2917         (JSC::RegExpObject::defineOwnProperty):
2918         * runtime/RegExpObject.h:
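
        The following is an added example, not JSC's code: a small C++ tagged-pointer wrapper
        showing the layout trick this change describes, a boolean folded into the low bit of an
        aligned pointer so that pointer plus flag fit in one word. RegExpCell, PtrWithFlag and
        the flag name are stand-ins invented for this example; the alignment static_assert and
        the masking on every read are the two things that keep the trick safe.

```cpp
#include <cassert>
#include <cstdint>
#include <string>

// Added example, not JSC code: storing one boolean in the low bit of an
// aligned pointer. RegExpCell stands in for the GC cell the pointer refers to.

struct RegExpCell {          // stand-in for JSC::RegExp
    std::string pattern;
};

template<typename T>
class PtrWithFlag {
    static_assert(alignof(T) >= 2, "T must be at least 2-byte aligned to free the low bit");
    static constexpr uintptr_t flagMask = 1;
    uintptr_t m_bits = 0;

public:
    PtrWithFlag() = default;
    PtrWithFlag(T* ptr, bool flag) { set(ptr, flag); }

    void set(T* ptr, bool flag)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(ptr);
        assert(!(raw & flagMask)); // a misaligned pointer would be silently corrupted by the tag
        m_bits = raw | (flag ? flagMask : 0);
    }
    // Every consumer (including the GC's visitChildren) must strip the tag before use.
    T* get() const { return reinterpret_cast<T*>(m_bits & ~flagMask); }
    bool flag() const { return (m_bits & flagMask) != 0; }
    void setFlag(bool flag) { m_bits = (m_bits & ~flagMask) | (flag ? flagMask : 0); }
};

// Before: pointer + bool pads out to two words. After: a single word.
struct RegExpObjectBefore { RegExpCell* regExp; bool lastIndexIsWritable; };
struct RegExpObjectAfter { PtrWithFlag<RegExpCell> regExpAndFlag; };
static_assert(sizeof(RegExpObjectAfter) == sizeof(void*), "flag is folded into the pointer");
static_assert(sizeof(RegExpObjectBefore) == 2 * sizeof(void*), "a separate bool costs a full word");

// True when both the pointer and the flag survive a store/load/flip cycle.
bool roundTrips(RegExpCell* cell, bool flag)
{
    PtrWithFlag<RegExpCell> tagged(cell, flag);
    bool ok = tagged.get() == cell && tagged.flag() == flag;
    tagged.setFlag(!flag);
    return ok && tagged.get() == cell && tagged.flag() == !flag;
}

bool demoRoundTrip()
{
    RegExpCell cell { "a+b" };
    return roundTrips(&cell, true) && roundTrips(&cell, false);
}

int main() { return demoRoundTrip() ? 0 : 1; }
```

        The JIT paths listed in this entry (compileNewRegexp, compileSetRegExpObjectLastIndex)
        have to apply the same mask and flag-bit convention as the C++ accessors; a mismatch
        between the two is a type-confusion bug, not just a wrong flag.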
2919
2920 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2921
2922         [JSC] Fix build after r243232 on unsupported 64bit architectures
2923         https://bugs.webkit.org/show_bug.cgi?id=196072
2924
2925         Reviewed by Keith Miller.
2926
2927         As Keith suggested, we already expect 16 free bits at the top of any
2928         pointer for JSValue, even for the unsupported 64-bit arches.
2929
2930         * bytecode/CodeOrigin.h:
2931
2932 2019-03-21  Mark Lam  <mark.lam@apple.com>
2933
2934         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2935         https://bugs.webkit.org/show_bug.cgi?id=196116
2936         <rdar://problem/48976951>
2937
2938         Reviewed by Filip Pizlo.
2939
2940         The DFG backend should not make assumptions about what optimizations the front end
2941         will or will not do.  The assertion asserts that the operand cannot be known to be
2942         a cell.  However, it is not guaranteed that the front end will fold away this case.
2943         Also, the DFG backend is perfectly capable of generating code to handle the case
2944         where the operand is a cell.
2945
2946         The attached test case demonstrates a case where the operand can be a known cell.
2947         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2948         trip up this assertion about once every 10 runs or so.
2949
2950         * dfg/DFGSpeculativeJIT64.cpp:
2951         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2952
2953 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2954
2955         JSC::createError should clear exception thrown by errorDescriptionForValue
2956         https://bugs.webkit.org/show_bug.cgi?id=196089
2957
2958         Reviewed by Mark Lam.
2959
2960         errorDescriptionForValue returns a nullString in case of failure, but it
2961         might also throw an OOM exception when resolving a rope string. We need
2962         to clear any potential exceptions thrown by errorDescriptionForValue
2963         before returning the OOM from JSC::createError.
2964
2965         * runtime/ExceptionHelpers.cpp:
2966         (JSC::createError):
2967
2968 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2969
2970         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2971         https://bugs.webkit.org/show_bug.cgi?id=196014
2972
2973         Reviewed by Keith Miller.
2974
2975         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2976         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2977         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2978
2979         * b3/B3Opcode.h:
2980
2981 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2982
2983         Unreviewed, more clang 3.8 build fixes
2984         https://bugs.webkit.org/show_bug.cgi?id=195947
2985         <rdar://problem/49069219>
2986
2987         In the spirit of making our code worse to please old compilers....
2988
2989         * bindings/ScriptValue.cpp:
2990         (Inspector::jsToInspectorValue):
2991         * bytecode/GetterSetterAccessCase.cpp:
2992         (JSC::GetterSetterAccessCase::create):
2993         (JSC::GetterSetterAccessCase::clone const):
2994         * bytecode/InstanceOfAccessCase.cpp:
2995         (JSC::InstanceOfAccessCase::clone const):
2996         * bytecode/IntrinsicGetterAccessCase.cpp:
2997         (JSC::IntrinsicGetterAccessCase::clone const):
2998         * bytecode/ModuleNamespaceAccessCase.cpp:
2999         (JSC::ModuleNamespaceAccessCase::clone const):
3000         * bytecode/ProxyableAccessCase.cpp:
3001         (JSC::ProxyableAccessCase::clone const):
3002
3003 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3004
3005         [JSC] Do not create JIT related data under non-JIT mode
3006         https://bugs.webkit.org/show_bug.cgi?id=195982
3007
3008         Reviewed by Mark Lam.
3009
3010         We avoid creating JIT-related data structures in non-JIT mode.
3011         This patch removes the following allocations.
3012
3013         1. JITThunks
3014         2. FTLThunks
3015         3. FixedVMPoolExecutableAllocator
3016         4. noJITValueProfileSingleton since it is no longer used
3017         5. ARM disassembler should be initialized when it is used
3018         6. Wasm-related data structures are accidentally allocated if VM::canUseJIT() == false &&
3019            Options::useWebAssembly() == true. Add the Wasm::isSupported() function to check both conditions.
3020
3021         * CMakeLists.txt:
3022         * JavaScriptCore.xcodeproj/project.pbxproj:
3023         * heap/Heap.cpp:
3024         (JSC::Heap::runEndPhase):
3025         * jit/ExecutableAllocator.cpp:
3026         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
3027         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
3028         (JSC::ExecutableAllocator::isValid const):
3029         (JSC::ExecutableAllocator::underMemoryPressure):
3030         (JSC::ExecutableAllocator::memoryPressureMultiplier):
3031         (JSC::ExecutableAllocator::allocate):
3032         (JSC::ExecutableAllocator::isValidExecutableMemory):
3033         (JSC::ExecutableAllocator::getLock const):
3034         (JSC::ExecutableAllocator::committedByteCount):
3035         (JSC::ExecutableAllocator::dumpProfile):
3036         (JSC::startOfFixedExecutableMemoryPoolImpl):
3037         (JSC::endOfFixedExecutableMemoryPoolImpl):
3038         (JSC::ExecutableAllocator::initialize):
3039         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
3040         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
3041         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
3042         * jit/ExecutableAllocator.h:
3043         (JSC::ExecutableAllocatorBase::isValid const):
3044         (JSC::ExecutableAllocatorBase::underMemoryPressure):
3045         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
3046         (JSC::ExecutableAllocatorBase::dumpProfile):
3047         (JSC::ExecutableAllocatorBase::allocate):
3048         (JSC::ExecutableAllocatorBase::setJITEnabled):
3049         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
3050         (JSC::ExecutableAllocatorBase::committedByteCount):
3051         (JSC::ExecutableAllocatorBase::getLock const):
3052         (JSC::ExecutableAllocator::isValid const): Deleted.
3053         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
3054         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
3055         (JSC::ExecutableAllocator::allocate): Deleted.
3056         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
3057         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
3058         (JSC::ExecutableAllocator::committedByteCount): Deleted.
3059         (JSC::ExecutableAllocator::getLock const): Deleted.
3060         * jsc.cpp:
3061         (functionWebAssemblyMemoryMode):
3062         * runtime/InitializeThreading.cpp:
3063         (JSC::initializeThreading):
3064         * runtime/JSGlobalObject.cpp:
3065         (JSC::JSGlobalObject::init):
3066         * runtime/JSLock.cpp:
3067         (JSC::JSLock::didAcquireLock):
3068         * runtime/Options.cpp:
3069         (JSC::recomputeDependentOptions):
3070         * runtime/VM.cpp:
3071         (JSC::enableAssembler):
3072         (JSC::VM::canUseAssembler):
3073         (JSC::VM::VM):
3074         * runtime/VM.h:
3075         * wasm/WasmCapabilities.h: Added.
3076         (JSC::Wasm::isSupported):
3077         * wasm/WasmFaultSignalHandler.cpp:
3078         (JSC::Wasm::enableFastMemory):
3079
3080 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3081
3082         [JSC] Fix JSC build with newer ICU
3083         https://bugs.webkit.org/show_bug.cgi?id=196098
3084
3085         Reviewed by Keith Miller.
3086
3087         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
3088         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back to
3089         the "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement anyway after the
3090         switch statement. This patch just suppresses a compile error.
3091
3092         * runtime/IntlDateTimeFormat.cpp:
3093         (JSC::IntlDateTimeFormat::partTypeString):
3094         * runtime/IntlNumberFormat.cpp:
3095         (JSC::IntlNumberFormat::partTypeString):
3096
3097 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3098
3099         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3100         https://bugs.webkit.org/show_bug.cgi?id=196078
3101         <rdar://problem/35925380>
3102
3103         Reviewed by Mark Lam.
3104
3105         Unlike the other variations of putByIndex, it only checked if the index
3106         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
3107         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
3108         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
3109         from JSON.
3110
3111         * runtime/JSObject.cpp:
3112         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
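
        The following is an added example, not JSC's code: a toy C++ indexed-property store that
        shows the decision this fix restores on the object-literal and JSON path, routing an index
        that is far beyond the current length into a sparse map instead of growing dense storage
        to cover it. The predicate has the same shape as the JSC one named above, but the
        threshold constants are illustrative choices for this example, not JSC's values (those are
        in runtime/ArrayConventions.h), and IndexedStore is invented here.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// Added example, not JSC code. Threshold constants are illustrative.
constexpr uint64_t kMinSparseArrayIndex = 10000; // assumed value
constexpr uint64_t kSparseGap = 1000;            // assumed value

// Same shape as the JSC predicate: an index goes to the sparse map when it is
// both large in absolute terms and far past the current dense length.
bool indexIsSufficientlyBeyondLengthForSparseMap(uint64_t index, uint64_t length)
{
    return index >= kMinSparseArrayIndex && index > length + kSparseGap;
}

// Bytes the dense path would have to commit if the check were skipped,
// i.e. what an attacker-chosen index costs when it is not routed to the map.
uint64_t denseBytesIfGrownTo(uint64_t index, size_t slotSize = sizeof(uint64_t))
{
    return (index + 1) * slotSize;
}

struct IndexedStore {
    std::vector<int> dense;          // stand-in for the butterfly
    std::map<uint64_t, int> sparse;  // stand-in for the sparse value map

    void put(uint64_t index, int value)
    {
        if (indexIsSufficientlyBeyondLengthForSparseMap(index, dense.size())) {
            sparse[index] = value;   // memory cost independent of the index value
            return;
        }
        if (index >= dense.size())
            dense.resize(static_cast<size_t>(index) + 1, 0);
        dense[static_cast<size_t>(index)] = value;
    }

    // Reads a value back; holes in the dense part read as 0 in this toy.
    int get(uint64_t index) const
    {
        if (index < dense.size())
            return dense[static_cast<size_t>(index)];
        auto it = sparse.find(index);
        return it == sparse.end() ? 0 : it->second;
    }
};

// Exercises both paths; true if dense storage stayed bounded.
bool demoBoundedStorage()
{
    IndexedStore store;
    store.put(5, 42);                         // near the front: dense
    store.put(uint64_t(1) << 30, 7);          // like {[1073741824]: 7}: must go sparse
    return store.dense.size() == 6
        && store.sparse.size() == 1
        && store.get(5) == 42
        && store.get(uint64_t(1) << 30) == 7;
}

int main() { return demoBoundedStorage() ? 0 : 1; }
```

        The point of the check is that the index is attacker-controlled (object literals, JSON):
        without it, denseBytesIfGrownTo() is what the engine tries to allocate, which is a
        memory-exhaustion vector long before the index reaches the vector-length limit.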
3113
3114 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3115
3116         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
3117         https://bugs.webkit.org/show_bug.cgi?id=196079
3118
3119         Reviewed by Saam Barati.
3120
3121         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
3122
3123         * runtime/CachedTypes.cpp:
3124         (JSC::CachedUnlinkedSourceCodeShape::encode):
3125
3126 2019-03-21  Mark Lam  <mark.lam@apple.com>
3127
3128         Placate exception check validation in operationArrayIndexOfString().
3129         https://bugs.webkit.org/show_bug.cgi?id=196067
3130         <rdar://problem/49056572>
3131
3132         Reviewed by Michael Saboff.
3133
3134         * dfg/DFGOperations.cpp:
3135
3136 2019-03-21  Xan Lopez  <xan@igalia.com>
3137
3138         [JSC][x86] Drop support for x87 floating point
3139         https://bugs.webkit.org/show_bug.cgi?id=194853
3140
3141         Reviewed by Don Olmstead.
3142
3143         Require SSE2 throughout the codebase, and remove x87 support where
3144         it was optionally available. SSE2 detection happens at compile
3145         time through a static_assert.
3146
3147         * assembler/MacroAssemblerX86.h:
3148         (JSC::MacroAssemblerX86::storeDouble):
3149         (JSC::MacroAssemblerX86::moveDoubleToInts):
3150         (JSC::MacroAssemblerX86::supportsFloatingPoint):
3151         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
3152         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
3153         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
3154         * assembler/MacroAssemblerX86Common.cpp:
3155         * assembler/MacroAssemblerX86Common.h:
3156         (JSC::MacroAssemblerX86Common::moveDouble):
3157         (JSC::MacroAssemblerX86Common::loadDouble):
3158         (JSC::MacroAssemblerX86Common::loadFloat):
3159         (JSC::MacroAssemblerX86Common::storeDouble):
3160         (JSC::MacroAssemblerX86Common::storeFloat):
3161         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
3162         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
3163         (JSC::MacroAssemblerX86Common::addDouble):
3164         (JSC::MacroAssemblerX86Common::addFloat):
3165         (JSC::MacroAssemblerX86Common::divDouble):
3166         (JSC::MacroAssemblerX86Common::divFloat):
3167         (JSC::MacroAssemblerX86Common::subDouble):
3168         (JSC::MacroAssemblerX86Common::subFloat):
3169         (JSC::MacroAssemblerX86Common::mulDouble):
3170         (JSC::MacroAssemblerX86Common::mulFloat):
3171         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3172         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
3173         (JSC::MacroAssemblerX86Common::branchDouble):
3174         (JSC::MacroAssemblerX86Common::branchFloat):
3175         (JSC::MacroAssemblerX86Common::compareDouble):
3176         (JSC::MacroAssemblerX86Common::compareFloat):
3177         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
3178         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
3179         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
3180         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
3181         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
3182         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
3183         (JSC::MacroAssemblerX86Common::lshiftPacked):
3184         (JSC::MacroAssemblerX86Common::rshiftPacked):
3185         (JSC::MacroAssemblerX86Common::orPacked):
3186         (JSC::MacroAssemblerX86Common::move32ToFloat):
3187         (JSC::MacroAssemblerX86Common::moveFloatTo32):
3188         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
3189         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
3190         * offlineasm/x86.rb:
3191         * runtime/MathCommon.cpp:
3192         (JSC::operationMathPow):
3193
3194 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3195
3196         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
3197         https://bugs.webkit.org/show_bug.cgi?id=196073
3198
3199         Reviewed by Michael Catanzaro.
3200
3201         This is because GClosure always expects the first parameter to be the instance. In case of functions or constructors with
3202         no parameters we insert a fake instance which is just a null pointer that is ignored by the callback. But
3203         if the function/constructor has user data the callback will expect one parameter for the user data. In that case
3204         we can simply swap instance/user data so that the fake instance will be the second argument and user data the
3205         first one.
3206
3207         * API/glib/JSCClass.cpp:
3208         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
3209         * API/glib/JSCValue.cpp:
3210         (jscValueFunctionCreate): Ditto.
3211
3212 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
3213
3214         [JSC][32-bit] Build failure after r243232
3215         https://bugs.webkit.org/show_bug.cgi?id=196068
3216
3217         Reviewed by Mark Lam.
3218
3219         * dfg/DFGOSRExit.cpp:
3220         (JSC::DFG::reifyInlinedCallFrames):
3221         * dfg/DFGOSRExitCompilerCommon.cpp:
3222         (JSC::DFG::reifyInlinedCallFrames):
3223
3224 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3225
3226         [GLib] Returning G_TYPE_OBJECT from a method does not work
3227         https://bugs.webkit.org/show_bug.cgi?id=195574
3228
3229         Reviewed by Michael Catanzaro.
3230
3231         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
3232
3233         * API/glib/JSCCallbackFunction.cpp:
3234         (JSC::JSCCallbackFunction::construct): Also allow to return boxed types from a constructor.
3235         * API/glib/JSCClass.cpp:
3236         * API/glib/JSCValue.cpp:
3237
3238 2019-03-21  Mark Lam  <mark.lam@apple.com>
3239
3240         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3241         https://bugs.webkit.org/show_bug.cgi?id=196055
3242         <rdar://problem/49067448>
3243
3244         Reviewed by Yusuke Suzuki.
3245
3246         We are doing this because:
3247         1. We expect the array to be densely packed.
3248         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
3249            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
3250            if we don't want to use an ArrayStorage shape.
3251         3. There's no reason why an array with spread needs to be that large anyway.
3252            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
3253
3254         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
3255         emitAllocateButterfly() to check for overflows.
3256
3257         * assembler/AbortReason.h:
3258         * dfg/DFGOperations.cpp:
3259         * dfg/DFGSpeculativeJIT.cpp:
3260         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3261         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3262         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3263         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3264         * ftl/FTLLowerDFGToB3.cpp:
3265         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3266         * runtime/ArrayConventions.h:
3267         * runtime/CommonSlowPaths.cpp:
3268         (JSC::SLOW_PATH_DECL):
3269
3270 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3271
3272         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
3273         https://bugs.webkit.org/show_bug.cgi?id=195992
3274
3275         Reviewed by Keith Miller and Mark Lam.
3276
3277         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors even though they do not inherit from JSDestructibleObject.
3278         But it is too costly since (1) it requires a CompleteSubspace in VM, and (2) both objects allocate MarkedBlocks while the number of them is really small.
3279
3280         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
3281         memory / performance problems (actually, we previously used a finalizer for ArrayPrototype for the same reason, and it did not show any problems).
3282
3283         And we also add the following two changes to JSSegmentedVariableObject.
3284
3285         1. Remove one boolean used for debugging in Release build. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
3286         2. Use cellLock() instead.
3287
3288         * CMakeLists.txt:
3289         * JavaScriptCore.xcodeproj/project.pbxproj:
3290         * Sources.txt:
3291         * runtime/JSSegmentedVariableObject.cpp:
3292         (JSC::JSSegmentedVariableObject::findVariableIndex):
3293         (JSC::JSSegmentedVariableObject::addVariables):
3294         (JSC::JSSegmentedVariableObject::visitChildren):
3295         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3296         (JSC::JSSegmentedVariableObject::finishCreation):
3297         * runtime/JSSegmentedVariableObject.h:
3298         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3299         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3300         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3301         * runtime/StringIteratorPrototype.cpp:
3302         * runtime/VM.cpp:
3303         (JSC::VM::VM):
3304         * runtime/VM.h:
3305
3306 2019-03-20  Saam Barati  <sbarati@apple.com>
3307
3308         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3309         https://bugs.webkit.org/show_bug.cgi?id=195721
3310
3311         Reviewed by Filip Pizlo.
3312
3313         There was a check in AbstractValue::validateOSREntry where it checked
3314         if isHeapTop(), and if so, just returned true. However, this is wrong
3315         if the value we're checking against is the empty value, since HeapTop
3316         does not include the Empty value. Instead, this check should be
3317         isBytecodeTop(), which does account for the empty value.
3318         
3319         This patch also does a couple of other things:
3320         - For our OSR entry AbstractValues, we were using HeapTop to mark
3321          a dead value. That is now changed to BytecodeTop. (The idea here
3322          is just to have validateOSREntry return early.)
3323         - It wasn't obvious to me how I could make this fail in JS code.
3324          The symptom we'd end up seeing is something like a nullptr dereference
3325          from forgetting to do a TDZ check. Instead, I've added a unit test.
3326          This unit test lives in a new test file: testdfg. testdfg is similar
3327          to testb3/testair/testapi.
3328
3329         * JavaScriptCore.xcodeproj/project.pbxproj:
3330         * bytecode/SpeculatedType.h:
3331         * dfg/DFGAbstractValue.h:
3332         (JSC::DFG::AbstractValue::isBytecodeTop const):
3333         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3334         * dfg/testdfg.cpp: Added.
3335         (hiddenTruthBecauseNoReturnIsStupid):
3336         (usage):
3337         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3338         (JSC::DFG::run):
3339         (run):
3340         (main):
3341         * shell/CMakeLists.txt:
3342
3343 2019-03-20  Saam Barati  <sbarati@apple.com>
3344
3345         typeOfDoubleSum is wrong for when NaN can be produced
3346         https://bugs.webkit.org/show_bug.cgi?id=196030
3347
3348         Reviewed by Filip Pizlo.
3349
3350         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3351         It assumed that the only way the resulting type could be NaN is if one of
3352         the inputs were NaN. However, this is wrong. NaN can be produced in at least
3353         these cases:
3354           Infinity - Infinity
3355           Infinity + (-Infinity)
3356           Infinity * 0
3357
3358         * bytecode/SpeculatedType.cpp:
3359         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3360         (JSC::typeOfDoubleSum):
3361         (JSC::typeOfDoubleDifference):
3362         (JSC::typeOfDoubleProduct):
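As an added illustration (not JSC's code; the real SpeculatedType lattice has more bits than this), a toy model of the double type bits with the old sum/difference/product rule beside the fixed one, each checked for soundness against concrete IEEE arithmetic over constructed sample values. The names Spec, oldRule, newRule, isSound and countUnsound are invented for this example.

```cpp
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <limits>
#include <vector>

// Toy lattice: only the double-related bits matter for this bug.
enum Spec : uint32_t {
    SpecNone = 0,
    SpecDoubleReal = 1u << 0,   // any non-NaN double, including +Infinity and -Infinity
    SpecDoubleNaN = 1u << 1,    // NaN
};
enum class Op { Add, Sub, Mul };

// Abstract type of one concrete double.
static Spec specOf(double v) { return std::isnan(v) ? SpecDoubleNaN : SpecDoubleReal; }

static double apply(Op op, double x, double y) {
    switch (op) {
    case Op::Add: return x + y;
    case Op::Sub: return x - y;
    default:      return x * y;
    }
}

// Old rule: the result can be NaN only if one of the inputs can be NaN.
static Spec oldRule(Spec a, Spec b) { return Spec(a | b); }

// Fixed rule: two real inputs can still produce NaN (Infinity - Infinity,
// Infinity + (-Infinity), Infinity * 0), so NaN joins the result whenever both sides may be real.
static Spec newRule(Spec a, Spec b) {
    uint32_t result = a | b;
    if ((a & SpecDoubleReal) && (b & SpecDoubleReal))
        result |= SpecDoubleNaN;
    return Spec(result);
}

// Concrete witnesses for each abstract type (constructed for this example).
static std::vector<double> samplesOf(Spec s) {
    const double inf = std::numeric_limits<double>::infinity();
    std::vector<double> out;
    if (s & SpecDoubleReal) out.insert(out.end(), {0.0, -0.0, 1.5, -2.0, inf, -inf});
    if (s & SpecDoubleNaN) out.push_back(std::numeric_limits<double>::quiet_NaN());
    return out;
}

// Soundness: every concrete result of `op` over values drawn from a and b must lie inside the
// predicted type. A prediction that misses a reachable NaN lets later phases drop NaN handling.
static bool isSound(Spec (*rule)(Spec, Spec), Op op, Spec a, Spec b) {
    const Spec predicted = rule(a, b);
    for (double x : samplesOf(a))
        for (double y : samplesOf(b))
            if (!(specOf(apply(op, x, y)) & predicted))
                return false;
    return true;
}

// Number of (op, a, b) combinations the given rule gets wrong over the toy lattice.
static int countUnsound(Spec (*rule)(Spec, Spec)) {
    const Spec types[] = { SpecDoubleReal, SpecDoubleNaN, Spec(SpecDoubleReal | SpecDoubleNaN) };
    int bad = 0;
    for (Op op : { Op::Add, Op::Sub, Op::Mul })
        for (Spec a : types)
            for (Spec b : types)
                if (!isSound(rule, op, a, b)) ++bad;
    return bad;
}

int main() {
    std::printf("old rule: %d unsound cases, new rule: %d unsound cases\n",
                countUnsound(oldRule), countUnsound(newRule));
    return countUnsound(newRule) == 0 ? 0 : 1;
}
```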
3363
3364 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3365
3366         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3367         https://bugs.webkit.org/show_bug.cgi?id=196049
3368
3369         Reviewed by Tim Horton.
3370
3371         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3372         overflow scrolling in general, so rename it.
3373
3374         * Configurations/FeatureDefines.xcconfig:
3375
3376 2019-03-20  Saam Barati  <sbarati@apple.com>
3377
3378         GetCallee does not report the correct type in AI
3379         https://bugs.webkit.org/show_bug.cgi?id=195981
3380
3381         Reviewed by Yusuke Suzuki.
3382
3383         I found this as part of my work in:
3384         https://bugs.webkit.org/show_bug.cgi?id=195924
3385         
3386         I'm not sure how to write a test for it.
3387         
3388         GetCallee was always reporting that the result is SpecFunction. However,
3389         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3390
3391         * dfg/DFGAbstractInterpreterInlines.h:
3392         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3393
3394 2019-03-20  Mark Lam  <mark.lam@apple.com>
3395
3396         Open source arm64e code.
3397         https://bugs.webkit.org/show_bug.cgi?id=196012
3398         <rdar://problem/49066237>
3399
3400         Reviewed by Keith Miller.
3401
3402         * JavaScriptCore.xcodeproj/project.pbxproj:
3403         * Sources.txt:
3404         * assembler/ARM64EAssembler.h: Added.
3405         (JSC::ARM64EAssembler::encodeGroup1):
3406         (JSC::ARM64EAssembler::encodeGroup2):
3407         (JSC::ARM64EAssembler::encodeGroup4):
3408         (JSC::ARM64EAssembler::pacia1716):
3409         (JSC::ARM64EAssembler::pacib1716):
3410         (JSC::ARM64EAssembler::autia1716):
3411         (JSC::ARM64EAssembler::autib1716):
3412         (JSC::ARM64EAssembler::paciaz):
3413         (JSC::ARM64EAssembler::paciasp):
3414         (JSC::ARM64EAssembler::pacibz):
3415         (JSC::ARM64EAssembler::pacibsp):
3416         (JSC::ARM64EAssembler::autiaz):
3417         (JSC::ARM64EAssembler::autiasp):
3418         (JSC::ARM64EAssembler::autibz):
3419         (JSC::ARM64EAssembler::autibsp):
3420         (JSC::ARM64EAssembler::xpaclri):
3421         (JSC::ARM64EAssembler::pacia):
3422         (JSC::ARM64EAssembler::pacib):
3423         (JSC::ARM64EAssembler::pacda):
3424         (JSC::ARM64EAssembler::pacdb):
3425         (JSC::ARM64EAssembler::autia):
3426         (JSC::ARM64EAssembler::autib):
3427         (JSC::ARM64EAssembler::autda):
3428         (JSC::ARM64EAssembler::autdb):
3429         (JSC::ARM64EAssembler::paciza):
3430         (JSC::ARM64EAssembler::pacizb):
3431         (JSC::ARM64EAssembler::pacdza):
3432         (JSC::ARM64EAssembler::pacdzb):
3433         (JSC::ARM64EAssembler::autiza):
3434         (JSC::ARM64EAssembler::autizb):
3435         (JSC::ARM64EAssembler::autdza):
3436         (JSC::ARM64EAssembler::autdzb):
3437         (JSC::ARM64EAssembler::xpaci):
3438         (JSC::ARM64EAssembler::xpacd):
3439         (JSC::ARM64EAssembler::pacga):
3440         (JSC::ARM64EAssembler::braa):
3441         (JSC::ARM64EAssembler::brab):
3442         (JSC::ARM64EAssembler::blraa):
3443         (JSC::ARM64EAssembler::blrab):
3444         (JSC::ARM64EAssembler::braaz):
3445         (JSC::ARM64EAssembler::brabz):
3446         (JSC::ARM64EAssembler::blraaz):
3447         (JSC::ARM64EAssembler::blrabz):
3448         (JSC::ARM64EAssembler::retaa):
3449         (JSC::ARM64EAssembler::retab):
3450         (JSC::ARM64EAssembler::eretaa):
3451         (JSC::ARM64EAssembler::eretab):
3452         (JSC::ARM64EAssembler::linkPointer):
3453         (JSC::ARM64EAssembler::repatchPointer):
3454         (JSC::ARM64EAssembler::setPointer):
3455         (JSC::ARM64EAssembler::readPointer):
3456         (JSC::ARM64EAssembler::readCallTarget):
3457         (JSC::ARM64EAssembler::ret):
3458         * assembler/MacroAssembler.cpp:
3459         * assembler/MacroAssembler.h:
3460         * assembler/MacroAssemblerARM64.cpp:
3461         * assembler/MacroAssemblerARM64E.h: Added.
3462         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3463         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3464         (JSC::MacroAssemblerARM64E::tagPtr):
3465         (JSC::MacroAssemblerARM64E::untagPtr):
3466         (JSC::MacroAssemblerARM64E::removePtrTag):
3467         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3468         (JSC::MacroAssemblerARM64E::call):
3469         (JSC::MacroAssemblerARM64E::callRegister):
3470         (JSC::MacroAssemblerARM64E::jump):
3471         * dfg/DFGOSRExit.cpp:
3472         (JSC::DFG::reifyInlinedCallFrames):
3473         * dfg/DFGOSRExitCompilerCommon.cpp:
3474         (JSC::DFG::reifyInlinedCallFrames):
3475         * ftl/FTLThunks.cpp:
3476         (JSC::FTL::genericGenerationThunkGenerator):
3477         * jit/CCallHelpers.h:
3478         (JSC::CCallHelpers::prepareForTailCallSlow):
3479         * jit/CallFrameShuffler.cpp:
3480         (JSC::CallFrameShuffler::prepareForTailCall):
3481         * jit/ExecutableAllocator.cpp:
3482         (JSC::ExecutableAllocator::allocate):
3483         * jit/ThunkGenerators.cpp:
3484         (JSC::arityFixupGenerator):
3485         * llint/LLIntOfflineAsmConfig.h:
3486         * llint/LowLevelInterpreter.asm:
3487         * llint/LowLevelInterpreter64.asm:
3488         * runtime/ClassInfo.h:
3489         * runtime/InitializeThreading.cpp:
3490         (JSC::initializeThreading):
3491         * runtime/JSCPtrTag.cpp: Added.
3492         (JSC::tagForPtr):
3493         (JSC::ptrTagName):
3494         (JSC::initializePtrTagLookup):
3495         * runtime/JSCPtrTag.h:
3496         (JSC::initializePtrTagLookup):
3497         * runtime/Options.cpp:
3498         (JSC::recomputeDependentOptions):
3499
3500 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3501
3502         JSC::createError needs to check for OOM in errorDescriptionForValue
3503         https://bugs.webkit.org/show_bug.cgi?id=196032
3504         <rdar://problem/46842740>
3505
3506         Reviewed by Mark Lam.
3507
3508         We were missing exception checks at two levels:
3509         - In errorDescriptionForValue, when the value is a string, we should
3510           check that JSString::value returns a valid string, since we might run
3511           out of memory if it is a rope and we need to resolve it.
3512         - In createError, we should check for the result of errorDescriptionForValue
3513           before concatenating it with the message provided by the caller.
3514
3515         * runtime/ExceptionHelpers.cpp:
3516         (JSC::errorDescriptionForValue):
3517         (JSC::createError):
3518         * runtime/ExceptionHelpers.h:
3519
3520 2019-03-20  Devin Rousso  <drousso@apple.com>
3521
3522         Web Inspector: DOM: include window as part of any event listener chain
3523         https://bugs.webkit.org/show_bug.cgi?id=195730
3524         <rdar://problem/48916872>
3525
3526         Reviewed by Timothy Hatcher.
3527
3528         * inspector/protocol/DOM.json:
3529         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
3530         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
3531         when the event listener was retrieved from the `window` object.
3532
3533 2019-03-20  Devin Rousso  <drousso@apple.com>
3534
3535         Web Inspector: Runtime: lazily create the agent
3536         https://bugs.webkit.org/show_bug.cgi?id=195972
3537         <rdar://problem/49039655>
3538
3539         Reviewed by Timothy Hatcher.
3540
3541         * inspector/JSGlobalObjectInspectorController.cpp:
3542         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3543         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3544
3545         * inspector/agents/InspectorRuntimeAgent.h:
3546         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
3547         * inspector/agents/InspectorRuntimeAgent.cpp:
3548         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
3549         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3550
3551         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3552         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3553         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
3554
3555 2019-03-20  Michael Saboff  <msaboff@apple.com>
3556
3557         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
3558         https://bugs.webkit.org/show_bug.cgi?id=195906
3559
3560         Reviewed by Mark Lam.
3561
3562         The problem here is that we may successfully parse a RegExp without running out of stack,
3563         but later run out of stack when trying to JIT compile the same expression.
3564
3565         Added a check for available stack space when we call into one of the parenthesis compilation
3566         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
3567         compilation and let the interpreter handle the expression.
3568
3569         From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
3570         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
3571         Given that we can reproduce a failure, this is sufficient for now.
3572
3573         This change is covered by the previously added failing test,
3574         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
3575
3576         * yarr/YarrInterpreter.cpp:
3577         (JSC::Yarr::Interpreter::interpret):
3578         * yarr/YarrJIT.cpp:
3579         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3580         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3581         (JSC::Yarr::YarrGenerator::opCompileBody):
3582         (JSC::Yarr::dumpCompileFailure):
3583         * yarr/YarrJIT.h:
3584
3585 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3586
3587         DFGNodeAllocator.h is dead code
3588         https://bugs.webkit.org/show_bug.cgi?id=196019
3589
3590         Reviewed by Yusuke Suzuki.
3591
3592         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
3593         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
3594
3595         * dfg/DFGNode.h:
3596         (JSC::DFG::Node::dumpChildren):
3597         * dfg/DFGNodeAllocator.h: Removed.
3598
3599 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3600
3601         Compress CodeOrigin into a single word in the common case
3602         https://bugs.webkit.org/show_bug.cgi?id=195928
3603
3604         Reviewed by Saam Barati.
3605
3606         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
3607         So we can shove the bytecode index in the top bits almost all the time.
3608         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
3609         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least significant bit.
3610
3611         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
3612
3613         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
3614         As a reference, while running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
3615         improvement to RAMification from this work.
3616
3617         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
3618
3619         * bytecode/ByValInfo.h:
3620         * bytecode/CallLinkStatus.cpp:
3621         (JSC::CallLinkStatus::computeFor):
3622         * bytecode/CodeBlock.cpp:
3623         (JSC::CodeBlock::globalObjectFor):
3624         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3625         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3626         * bytecode/CodeOrigin.cpp:
3627         (JSC::CodeOrigin::inlineDepth const):
3628         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3629         (JSC::CodeOrigin::approximateHash const):
3630         (JSC::CodeOrigin::inlineStack const):
3631         (JSC::CodeOrigin::codeOriginOwner const):
3632         (JSC::CodeOrigin::stackOffset const):
3633         (JSC::CodeOrigin::dump const):
3634         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
3635         * bytecode/CodeOrigin.h:
3636         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
3637         (JSC::CodeOrigin::CodeOrigin):
3638         (JSC::CodeOrigin::~CodeOrigin):
3639         (JSC::CodeOrigin::isSet const):
3640         (JSC::CodeOrigin::isHashTableDeletedValue const):
3641         (JSC::CodeOrigin::bytecodeIndex const):
3642         (JSC::CodeOrigin::inlineCallFrame const):
3643         (JSC::CodeOrigin::buildCompositeValue):
3644         (JSC::CodeOrigin::hash const):
3645         (JSC::CodeOrigin::operator== const):
3646         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
3647         * bytecode/DeferredSourceDump.h:
3648         * bytecode/GetByIdStatus.cpp:
3649         (JSC::GetByIdStatus::computeForStubInfo):
3650         (JSC::GetByIdStatus::computeFor):
3651         * bytecode/ICStatusMap.cpp:
3652         (JSC::ICStatusContext::isInlined const):
3653         * bytecode/InByIdStatus.cpp:
3654         (JSC::InByIdStatus::computeFor):
3655         (JSC::InByIdStatus::computeForStubInfo):
3656         * bytecode/InlineCallFrame.cpp:
3657         (JSC::InlineCallFrame::dumpInContext const):
3658         * bytecode/InlineCallFrame.h:
3659         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
3660         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
3661         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
3662         (JSC::CodeOrigin::walkUpInlineStack):
3663         * bytecode/InstanceOfStatus.h:
3664         * bytecode/PutByIdStatus.cpp:
3665         (JSC::PutByIdStatus::computeForStubInfo):
3666         (JSC::PutByIdStatus::computeFor):
3667         * dfg/DFGAbstractInterpreterInlines.h:
3668         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3669         * dfg/DFGArgumentsEliminationPhase.cpp:
3670         * dfg/DFGArgumentsUtilities.cpp:
3671         (JSC::DFG::argumentsInvolveStackSlot):
3672         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3673         * dfg/DFGArrayMode.h:
3674         * dfg/DFGByteCodeParser.cpp:
3675         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3676         (JSC::DFG::ByteCodeParser::setLocal):
3677         (JSC::DFG::ByteCodeParser::setArgument):
3678         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3679         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3680         (JSC::DFG::ByteCodeParser::parseBlock):
3681         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3682         (JSC::DFG::ByteCodeParser::handlePutByVal):
3683         * dfg/DFGClobberize.h:
3684         (JSC::DFG::clobberize):
3685         * dfg/DFGConstantFoldingPhase.cpp:
3686         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3687         * dfg/DFGFixupPhase.cpp:
3688         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3689         * dfg/DFGForAllKills.h:
3690         (JSC::DFG::forAllKilledOperands):
3691         * dfg/DFGGraph.cpp:
3692         (JSC::DFG::Graph::dumpCodeOrigin):
3693         (JSC::DFG::Graph::dump):
3694         (JSC::DFG::Graph::isLiveInBytecode):
3695         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3696         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3697         * dfg/DFGGraph.h:
3698         (JSC::DFG::Graph::executableFor):
3699         (JSC::DFG::Graph::isStrictModeFor):
3700         (JSC::DFG::Graph::hasExitSite):
3701         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3702         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3703         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3704         * dfg/DFGMinifiedNode.cpp:
3705         (JSC::DFG::MinifiedNode::fromNode):
3706         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3707         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3708         * dfg/DFGOSRExit.cpp:
3709         (JSC::DFG::OSRExit::executeOSRExit):
3710         (JSC::DFG::reifyInlinedCallFrames):
3711         (JSC::DFG::adjustAndJumpToTarget):
3712         (JSC::DFG::printOSRExit):
3713         (JSC::DFG::OSRExit::compileExit):
3714         * dfg/DFGOSRExitBase.cpp:
3715         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3716         * dfg/DFGOSRExitCompilerCommon.cpp:
3717         (JSC::DFG::handleExitCounts):
3718         (JSC::DFG::reifyInlinedCallFrames):
3719         (JSC::DFG::adjustAndJumpToTarget):
3720         * dfg/DFGOSRExitPreparation.cpp:
3721         (JSC::DFG::prepareCodeOriginForOSRExit):
3722         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3723         * dfg/DFGOperations.cpp:
3724         * dfg/DFGPreciseLocalClobberize.h:
3725         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3726         * dfg/DFGSpeculativeJIT.cpp:
3727         (JSC::DFG::SpeculativeJIT::emitGetLength):
3728         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3729         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3730         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3731         (JSC::DFG::SpeculativeJIT::compileValueSub):
3732         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3733         (JSC::DFG::SpeculativeJIT::compileValueMul):
3734         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3735         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3736         * dfg/DFGSpeculativeJIT32_64.cpp:
3737         (JSC::DFG::SpeculativeJIT::emitCall):
3738         * dfg/DFGSpeculativeJIT64.cpp:
3739         (JSC::DFG::SpeculativeJIT::emitCall):
3740         (JSC::DFG::SpeculativeJIT::compile):
3741         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3742         (JSC::DFG::TierUpCheckInjectionPhase::run):
3743         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
3744         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3745         * dfg/DFGTypeCheckHoistingPhase.cpp:
3746         (JSC::DFG::TypeCheckHoistingPhase::run):
3747         * dfg/DFGVariableEventStream.cpp:
3748         (JSC::DFG::VariableEventStream::reconstruct const):
3749         * ftl/FTLLowerDFGToB3.cpp:
3750         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3751         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3752         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3753         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3754         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3755         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3756         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3757         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3758         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3759         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3760         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3761         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3762         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3763         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3764         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3765         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3766         * ftl/FTLOSRExitCompiler.cpp:
3767         (JSC::FTL::compileStub):
3768         * ftl/FTLOperations.cpp:
3769         (JSC::FTL::operationMaterializeObjectInOSR):
3770         * interpreter/CallFrame.cpp:
3771         (JSC::CallFrame::bytecodeOffset):
3772         * interpreter/StackVisitor.cpp:
3773         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
3774         (JSC::StackVisitor::readFrame):
3775         (JSC::StackVisitor::readNonInlinedFrame):
3776         (JSC::inlinedFrameOffset):
3777         (JSC::StackVisitor::readInlinedFrame):
3778         * interpreter/StackVisitor.h:
3779         * jit/AssemblyHelpers.cpp:
3780         (JSC::AssemblyHelpers::executableFor):
3781         * jit/AssemblyHelpers.h:
3782         (JSC::AssemblyHelpers::isStrictModeFor):
3783         (JSC::AssemblyHelpers::argumentsStart):
3784         (JSC::AssemblyHelpers::argumentCount):
3785         * jit/PCToCodeOriginMap.cpp:
3786         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3787         (JSC::PCToCodeOriginMap::findPC const):
3788         * profiler/ProfilerOriginStack.cpp:
3789         (JSC::Profiler::OriginStack::OriginStack):
3790         * profiler/ProfilerOriginStack.h:
3791         * runtime/ErrorInstance.cpp:
3792         (JSC::appendSourceToError):
3793         * runtime/SamplingProfiler.cpp:
3794         (JSC::SamplingProfiler::processUnverifiedStackTraces):
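The packing scheme described above, as an added model that is not JSC's own CodeOrigin: a 48-bit pointer in the low bits, the bytecode index in the top 16 bits, bit 0 marking out-of-line storage and bit 1 an invalid index, with copy and move operators that keep every out-of-line record owned by exactly one object. The names PackedOrigin, InlineFrame and OutOfLine are invented here, and the model assumes a 64-bit platform whose user pointers fit in 48 bits and are 8-byte aligned.

```cpp
#include <cassert>
#include <climits>
#include <cstdint>
#include <cstdio>
#include <utility>

static_assert(sizeof(uintptr_t) == 8, "this model assumes a 64-bit platform");

struct InlineFrame { uint64_t id; };            // stand-in for InlineCallFrame (8-byte aligned)

struct OutOfLine {                              // heap record used when the index does not fit
    InlineFrame* frame;
    unsigned bytecodeIndex;
};

static int g_liveOutOfLine = 0;                 // OutOfLine records allocated and not yet freed

class PackedOrigin {
    // Layout of m_bits:
    //   bits 48..63  bytecode index (inline case only)
    //   bits 3..47   InlineFrame*, or OutOfLine* when bit 0 is set
    //   bit 1        invalid bytecode index (formerly represented by UINT_MAX)
    //   bit 0        payload is an OutOfLine* rather than an InlineFrame*
    static constexpr uintptr_t kOutOfLineBit = 1;
    static constexpr uintptr_t kInvalidBit = 2;
    static constexpr uintptr_t kFlagMask = kOutOfLineBit | kInvalidBit;
    static constexpr unsigned kIndexShift = 48;
    static constexpr uintptr_t kPointerMask = (uintptr_t(1) << kIndexShift) - 1;
    static constexpr unsigned kMaxInlineIndex = (1u << 16) - 1;

    uintptr_t m_bits;

    static uintptr_t build(InlineFrame* frame, unsigned index) {
        uintptr_t p = reinterpret_cast<uintptr_t>(frame);
        assert(!(p & ~kPointerMask) && !(p & 7));   // 48-bit and 8-aligned: flag bits are free
        if (index == UINT_MAX)
            return p | kInvalidBit;
        if (index > kMaxInlineIndex) {               // does not fit in 16 bits: spill out of line
            ++g_liveOutOfLine;
            return reinterpret_cast<uintptr_t>(new OutOfLine{frame, index}) | kOutOfLineBit;
        }
        return p | (uintptr_t(index) << kIndexShift);
    }
    OutOfLine* outOfLine() const { return reinterpret_cast<OutOfLine*>(m_bits & ~kFlagMask); }
    void release() {
        if (isOutOfLine()) { delete outOfLine(); --g_liveOutOfLine; }
        m_bits = kInvalidBit;
    }
    void copyFrom(const PackedOrigin& other) {
        // Every PackedOrigin owns its own record, so copying re-allocates rather than sharing.
        m_bits = other.isOutOfLine() ? build(other.inlineFrame(), other.bytecodeIndex()) : other.m_bits;
    }

public:
    PackedOrigin() : m_bits(kInvalidBit) {}
    PackedOrigin(InlineFrame* frame, unsigned index) : m_bits(build(frame, index)) {}
    ~PackedOrigin() { release(); }
    PackedOrigin(const PackedOrigin& other) : m_bits(kInvalidBit) { copyFrom(other); }
    PackedOrigin(PackedOrigin&& other) noexcept : m_bits(other.m_bits) { other.m_bits = kInvalidBit; }
    PackedOrigin& operator=(const PackedOrigin& other) {
        if (this != &other) { release(); copyFrom(other); }
        return *this;
    }
    PackedOrigin& operator=(PackedOrigin&& other) noexcept {
        if (this != &other) { release(); m_bits = other.m_bits; other.m_bits = kInvalidBit; }
        return *this;
    }

    bool isOutOfLine() const { return m_bits & kOutOfLineBit; }
    bool isSet() const { return !(m_bits & kInvalidBit); }
    unsigned bytecodeIndex() const {
        if (!isSet()) return UINT_MAX;
        if (isOutOfLine()) return outOfLine()->bytecodeIndex;
        return unsigned(m_bits >> kIndexShift);
    }
    InlineFrame* inlineFrame() const {
        if (isOutOfLine()) return outOfLine()->frame;
        return reinterpret_cast<InlineFrame*>(m_bits & kPointerMask & ~kFlagMask);
    }
};
static_assert(sizeof(PackedOrigin) == sizeof(void*), "common case is one word");

// Exercises every representation and checks that out-of-line records are freed exactly once.
static bool demo() {
    InlineFrame frame{7};
    bool ok = true;
    {
        PackedOrigin packed(&frame, 42);                     // inline: index lives in the top bits
        ok = ok && packed.isSet() && !packed.isOutOfLine() && packed.bytecodeIndex() == 42 && packed.inlineFrame() == &frame;
        PackedOrigin spilled(&frame, 70000);                 // 70000 > 65535: out of line
        ok = ok && spilled.isOutOfLine() && spilled.bytecodeIndex() == 70000 && spilled.inlineFrame() == &frame;
        PackedOrigin copy = spilled;                         // copy gets its own record
        PackedOrigin moved = std::move(copy);                // move steals it; copy becomes invalid
        ok = ok && g_liveOutOfLine == 2 && !copy.isSet() && moved.bytecodeIndex() == 70000;
        PackedOrigin none(&frame, UINT_MAX);                 // invalid index still keeps the frame
        ok = ok && !none.isSet() && none.bytecodeIndex() == UINT_MAX && none.inlineFrame() == &frame;
    }
    return ok && g_liveOutOfLine == 0;                       // both records destroyed once each
}

int main() {
    bool ok = demo();
    std::printf("PackedOrigin model %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```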
3795
3796 2019-03-20  Devin Rousso  <drousso@apple.com>
3797
3798         Web Inspector: Search: allow DOM searches to be case sensitive
3799         https://bugs.webkit.org/show_bug.cgi?id=194673
3800         <rdar://problem/48087577>
3801
3802         Reviewed by Timothy Hatcher.
3803
3804         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
3805         as unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
3806         as, although the literal node name ("BODY") didn't match, it did match via selector/XPath.
3807
3808         * inspector/protocol/DOM.json:
3809         Allow `DOM.performSearch` to be case sensitive.
3810
3811 2019-03-20  Saam Barati  <sbarati@apple.com>
3812
3813         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
3814         https://bugs.webkit.org/show_bug.cgi?id=195980
3815
3816         Reviewed by Yusuke Suzuki.
3817
3818         They were all saying they could be type: (SpecBoolInt32, SpecBigInt)
3819         However, they should have been type: (SpecInt32Only, SpecBigInt)
3820
3821         * dfg/DFGAbstractInterpreterInlines.h:
3822         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3823
3824 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
3825
3826         Remove copyRef() calls added in r243163
3827         https://bugs.webkit.org/show_bug.cgi?id=195962
3828
3829         Reviewed by Chris Dumez.
3830
3831         As best I can tell, this may be a GCC 9 bug. It shouldn't warn about this case because the return
3832         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
3833         without refcount churn by introducing an intermediate variable.
3834
3835         * inspector/scripts/codegen/cpp_generator_templates.py:
3836
3837 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3838
3839         [GLIB] Optimize jsc_value_object_define_property_data|accessor
3840         https://bugs.webkit.org/show_bug.cgi?id=195679
3841
3842         Reviewed by Saam Barati.
3843
3844         Use a direct C++ call instead of the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
3845
3846         * API/glib/JSCValue.cpp:
3847         (jsc_value_object_define_property_data):
3848         (jsc_value_object_define_property_accessor):
3849
3850 2019-03-19  Devin Rousso  <drousso@apple.com>
3851
3852         Web Inspector: Debugger: lazily create the agent
3853         https://bugs.webkit.org/show_bug.cgi?id=195973
3854         <rdar://problem/49039674>
3855
3856         Reviewed by Joseph Pecoraro.
3857
3858         * inspector/JSGlobalObjectInspectorController.cpp:
3859         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3860         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3861         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3862
3863         * inspector/JSGlobalObjectConsoleClient.h:
3864         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
3865         * inspector/JSGlobalObjectConsoleClient.cpp:
3866         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3867         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3868         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3869
3870         * inspector/agents/InspectorDebuggerAgent.h:
3871         (Inspector::InspectorDebuggerAgent::addListener): Added.
3872         (Inspector::InspectorDebuggerAgent::removeListener): Added.
3873         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
3874         * inspector/agents/InspectorDebuggerAgent.cpp:
3875         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3876         (Inspector::InspectorDebuggerAgent::enable):
3877         (Inspector::InspectorDebuggerAgent::disable):
3878         (Inspector::InspectorDebuggerAgent::getScriptSource):
3879         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3880         (Inspector::InspectorDebuggerAgent::didPause):
3881         (Inspector::InspectorDebuggerAgent::breakProgram):
3882