Sometimes we need to use fewer CPUs in our threading calculations
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-04-12  Saam barati  <sbarati@apple.com>

        Sometimes we need to use fewer CPUs in our threading calculations
        https://bugs.webkit.org/show_bug.cgi?id=196794
        <rdar://problem/49389497>

        Reviewed by Yusuke Suzuki.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/CPU.cpp: Added.
        (JSC::isKernTCSMAvailable):
        (JSC::enableKernTCSM):
        (JSC::kernTCSMAwareNumberOfProcessorCores):
        * assembler/CPU.h:
        (JSC::isKernTCSMAvailable):
        (JSC::enableKernTCSM):
        (JSC::kernTCSMAwareNumberOfProcessorCores):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        (JSC::computePriorityDeltaOfWorkerThreads):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::Worklist):

2019-04-12  Robin Morisset  <rmorisset@apple.com>

        Use padding at end of ArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=196823

        Reviewed by Filip Pizlo.

        * runtime/ArrayBuffer.h:

2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] op_has_indexed_property should not assume subscript part is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196850

        Reviewed by Saam Barati.

        op_has_indexed_property assumed that the subscript part is always Uint32. However, this is just a load from a non-constant RegisterID;
        the DFG can store it in double format and can perform OSR exit. op_has_indexed_property should not assume that.
        In this patch, instead, we check it with isAnyInt and get uint32_t from AnyInt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2019-04-11  Saam barati  <sbarati@apple.com>

        Remove invalid assertion in operationInstanceOfCustom
        https://bugs.webkit.org/show_bug.cgi?id=196842
        <rdar://problem/49725493>

        Reviewed by Michael Saboff.

        In the generated JIT code, we go to the slow path when the incoming function
        isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
        in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
        functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
        inlining across global objects as exec->lexicalGlobalObject() uses the machine
        frame for procuring the global object. There is no harm when this assertion fails
        as we just execute the slow path. This patch removes the assertion. (However, this
        does shed light on the deficiency in our exec->lexicalGlobalObject() function with
        respect to inlining. However, this isn't new -- we've known about this for a while.)

        * jit/JITOperations.cpp:

2019-04-11  Michael Saboff  <msaboff@apple.com>

        Improve the Inline Cache Stats code
        https://bugs.webkit.org/show_bug.cgi?id=196836

        Reviewed by Saam Barati.

        Needed to handle the case where the Identifier could be null, for example with InstanceOfAddAccessCase
        and InstanceOfReplaceWithJump.

        Added the ability to log the location of a GetBy and PutBy property as either on self or up the
        prototype chain.

        * jit/ICStats.cpp:
        (JSC::ICEvent::operator< const):
        (JSC::ICEvent::dump const):
        * jit/ICStats.h:
        (JSC::ICEvent::ICEvent):
        (JSC::ICEvent::hash const):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryCacheInByID):

2019-04-11  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-11  Saam barati  <sbarati@apple.com>

        Rename SetArgument to SetArgumentDefinitely
        https://bugs.webkit.org/show_bug.cgi?id=196828

        Reviewed by Yusuke Suzuki.

        This is in preparation for https://bugs.webkit.org/show_bug.cgi?id=196712
        where we will introduce a node named SetArgumentMaybe. Doing this refactoring
        first will make reviewing that other patch easier.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2019-04-11  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r244158.

        Caused 8 inspector/timeline/ test failures.

        Reverted changeset:

        "Web Inspector: Timelines: can't reliably stop/start a
        recording"
        https://bugs.webkit.org/show_bug.cgi?id=196778
        https://trac.webkit.org/changeset/244158

2019-04-10  Saam Barati  <sbarati@apple.com>

        AbstractValue::validateOSREntryValue is wrong for Int52 constants
        https://bugs.webkit.org/show_bug.cgi?id=196801
        <rdar://problem/49771122>

        Reviewed by Yusuke Suzuki.

        validateOSREntryValue should not care about the format of the incoming
        value for Int52s. This patch normalizes the format of m_value and
        the incoming value when comparing them.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateOSREntryValue const):

2019-04-10  Saam Barati  <sbarati@apple.com>

        ArithSub over Int52 has shouldCheckOverflow as always true
        https://bugs.webkit.org/show_bug.cgi?id=196796

        Reviewed by Yusuke Suzuki.

        AI was checking for ArithSub over Int52 if !shouldCheckOverflow. However,
        shouldCheckOverflow is always true, so !shouldCheckOverflow is always
        false. We shouldn't check something we assert against.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2019-04-10  Basuke Suzuki  <basuke.suzuki@sony.com>

        [PlayStation] Specify byte order clearly on Remote Inspector Protocol
        https://bugs.webkit.org/show_bug.cgi?id=196790

        Reviewed by Ross Kirsling.

        The original implementation lacks a byte order specification. Network byte order is a
        good candidate if there's no strong reason to choose another.
        Currently no client exists for the PlayStation remote inspector protocol, so we can
        change the byte order without care.

        * inspector/remote/playstation/RemoteInspectorMessageParserPlayStation.cpp:
        (Inspector::MessageParser::createMessage):
        (Inspector::MessageParser::parse):

2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Inspector: lazily create the agent
        https://bugs.webkit.org/show_bug.cgi?id=195971
        <rdar://problem/49039645>

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        (Inspector::JSGlobalObjectInspectorController::createLazyAgents):

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:

2019-04-10  Saam Barati  <sbarati@apple.com>

        Work around an arm64_32 LLVM miscompile bug
        https://bugs.webkit.org/show_bug.cgi?id=196788

        Reviewed by Yusuke Suzuki.

        * runtime/CachedTypes.cpp:

2019-04-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: can't reliably stop/start a recording
        https://bugs.webkit.org/show_bug.cgi?id=196778
        <rdar://problem/47606798>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        * inspector/protocol/Timeline.json:
        It is possible to determine when programmatic capturing starts/stops in the frontend based
        on the state when the backend causes the state to change, such as if the state is "inactive"
        when the frontend is told that the backend has started capturing.

        * inspector/protocol/CPUProfiler.json:
        * inspector/protocol/Memory.json:
        Send an end timestamp to match other instruments.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
        (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):

        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStarted): Deleted.
        (Inspector::InspectorScriptProfilerAgent::programmaticCaptureStopped): Deleted.

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, fix watch build after r244143
        https://bugs.webkit.org/show_bug.cgi?id=195000

        The result of `lseek` should be `off_t` rather than `int`.

        * jsc.cpp:

2019-04-10  Tadeu Zagallo  <tzagallo@apple.com>

        Add support for incremental bytecode cache updates
        https://bugs.webkit.org/show_bug.cgi?id=195000

        Reviewed by Filip Pizlo.

        Add support for incremental updates to the bytecode cache. The cache
        is constructed as follows:
        - When the cache is empty, the initial payload can be added to the BytecodeCache
        by calling BytecodeCache::addGlobalUpdate. This represents the encoded
        top-level UnlinkedCodeBlock.
        - Afterwards, updates can be added by calling BytecodeCache::addFunctionUpdate.
        The update is applied by appending the encoded UnlinkedFunctionCodeBlock
        to the existing cache and updating the CachedFunctionExecutableMetadata
        and the offset of the new CachedFunctionCodeBlock in the owner CachedFunctionExecutable.

        * API/JSScript.mm:
        (-[JSScript readCache]):
        (-[JSScript isUsingBytecodeCache]):
        (-[JSScript init]):
        (-[JSScript cachedBytecode]):
        (-[JSScript writeCache:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h:
        * API/JSScriptSourceProvider.mm:
        (JSScriptSourceProvider::cachedBytecode const):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * jsc.cpp:
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode const):
        (ShellSourceProvider::ShellSourceProvider):
        (ShellSourceProvider::cacheEnabled):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cachedBytecode const):
        (JSC::SourceProvider::updateCache const):
        (JSC::SourceProvider::commitCachedBytecode const):
        * runtime/CachePayload.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::makeMappedPayload):
        (JSC::CachePayload::makeMallocPayload):
        (JSC::CachePayload::makeEmptyPayload):
        (JSC::CachePayload::CachePayload):
        (JSC::CachePayload::~CachePayload):
        (JSC::CachePayload::operator=):
        (JSC::CachePayload::freeData):
        * runtime/CachePayload.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CachePayload::data const):
        (JSC::CachePayload::size const):
        (JSC::CachePayload::CachePayload):
        * runtime/CacheUpdate.cpp: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSC::CacheUpdate::CacheUpdate):
        (JSC::CacheUpdate::operator=):
        (JSC::CacheUpdate::isGlobal const):
        (JSC::CacheUpdate::asGlobal const):
        (JSC::CacheUpdate::asFunction const):
        * runtime/CacheUpdate.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        * runtime/CachedBytecode.cpp: Added.
        (JSC::CachedBytecode::addGlobalUpdate):
        (JSC::CachedBytecode::addFunctionUpdate):
        (JSC::CachedBytecode::copyLeafExecutables):
        (JSC::CachedBytecode::commitUpdates const):
        * runtime/CachedBytecode.h: Added.
        (JSC::CachedBytecode::create):
        (JSC::CachedBytecode::leafExecutables):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::hasUpdates const):
        (JSC::CachedBytecode::sizeForUpdate const):
        (JSC::CachedBytecode::CachedBytecode):
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::addLeafExecutable):
        (JSC::Encoder::release):
        (JSC::Decoder::Decoder):
        (JSC::Decoder::create):
        (JSC::Decoder::size const):
        (JSC::Decoder::offsetOf):
        (JSC::Decoder::ptrForOffsetFromBase):
        (JSC::Decoder::addLeafExecutable):
        (JSC::VariableLengthObject::VariableLengthObject):
        (JSC::VariableLengthObject::buffer const):
        (JSC::CachedPtrOffsets::offsetOffset):
        (JSC::CachedWriteBarrierOffsets::ptrOffset):
        (JSC::CachedFunctionExecutable::features const):
        (JSC::CachedFunctionExecutable::hasCapturedVariables const):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForCallOffset):
        (JSC::CachedFunctionExecutableOffsets::codeBlockForConstructOffset):
        (JSC::CachedFunctionExecutableOffsets::metadataOffset):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::encodeCodeBlock):
        (JSC::encodeFunctionCodeBlock):
        (JSC::decodeCodeBlockImpl):
        (JSC::isCachedBytecodeStillValid):
        * runtime/CachedTypes.h:
        (JSC::VariableLengthObjectBase::VariableLengthObjectBase):
        (JSC::decodeCodeBlock):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::updateCache):
        (JSC::CodeCache::write):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        * runtime/Completion.cpp:
        (JSC::generateProgramBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/LeafExecutable.cpp: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::operator+ const):
        * runtime/LeafExecutable.h: Copied from Source/JavaScriptCore/API/JSScriptSourceProvider.mm.
        (JSC::LeafExecutable::LeafExecutable):
        (JSC::LeafExecutable::base const):

2019-04-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r243989.

        Broke i686 builds

        Reverted changeset:

        "[CMake] Detect SSE2 at compile time"
        https://bugs.webkit.org/show_bug.cgi?id=196488
        https://trac.webkit.org/changeset/243989

2019-04-10  Robin Morisset  <rmorisset@apple.com>

        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
        https://bugs.webkit.org/show_bug.cgi?id=196746

        Reviewed by Yusuke Suzuki.

        It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.

        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):

2019-04-10  Antoine Quint  <graouts@apple.com>

        Enable Pointer Events on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=196771
        <rdar://problem/49040909>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-04-09  Keith Rollin  <krollin@apple.com>

        Unreviewed build maintenance -- update .xcfilelists.

        * DerivedSources-input.xcfilelist:

2019-04-09  Ross Kirsling  <ross.kirsling@sony.com>

        JSC should build successfully even with -DENABLE_UNIFIED_BUILDS=OFF
        https://bugs.webkit.org/show_bug.cgi?id=193073

        Reviewed by Keith Miller.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOpImpl):
        (JSC::BytecodeGenerator::emitEqualityOp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitEqualityOp):
        Factor out the logic that uses the template parameter and keep it in the header.

        * jit/JITPropertyAccess.cpp:
        List off the template specializations needed by JITOperations.cpp.
        This is unfortunate but at least there are only two (x2) by definition?
        Trying to do away with this incurs a severe domino effect...

        * API/JSValueRef.cpp:
        * b3/B3OptimizeAssociativeExpressionTrees.cpp:
        * b3/air/AirHandleCalleeSaves.cpp:
        * builtins/BuiltinNames.cpp:
        * bytecode/AccessCase.cpp:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeRewriter.cpp:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/InstanceOfAccessCase.cpp:
        * bytecode/MetadataTable.cpp:
        * bytecode/PolyProtoAccessChain.cpp:
        * bytecode/StructureSet.cpp:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGPureValue.cpp:
        * heap/GCSegmentedArray.h:
        * heap/HeapInlines.h:
        * heap/IsoSubspace.cpp:
        * heap/LocalAllocator.cpp:
        * heap/LocalAllocator.h:
        * heap/LocalAllocatorInlines.h:
        * heap/MarkingConstraintSolver.cpp:
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::isEqual const):
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/StackVisitor.cpp:
        * llint/LLIntEntrypoint.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/BigIntPrototype.cpp:
        * runtime/CachedTypes.cpp:
        * runtime/ErrorType.cpp:
        * runtime/IndexingType.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/Operations.h:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpGlobalData.cpp:
        * runtime/StackFrame.h:
        * wasm/WasmSignature.cpp:
        * wasm/js/JSToWasm.cpp:
        * wasm/js/JSToWasmICCallee.cpp:
        * wasm/js/WebAssemblyFunction.h:
        Fix includes / forward declarations (and a couple of nearby clang warnings).

2019-04-09  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Apple builds should use ICU_INCLUDE_DIRS
        https://bugs.webkit.org/show_bug.cgi?id=196720

        Reviewed by Konstantin Tokarev.

        * PlatformMac.cmake:

2019-04-09  Saam barati  <sbarati@apple.com>

        Clean up Int52 code and some bugs in it
        https://bugs.webkit.org/show_bug.cgi?id=196639
        <rdar://problem/49515757>

        Reviewed by Yusuke Suzuki.

        This patch fixes bugs in our Int52 code. The primary change in this patch is
        adopting a segregated type lattice for Int52. Previously, for Int52 values,
        we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
        SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
        that the value is outside of the int32 range.

        However, this got confusing because we reused SpecInt32Only both for JSValue
        representations and Int52 representations. This actually led to some bugs.

        1. It's possible that roundtripping through Int52 representation would say
        it produces the wrong type. For example, consider this program and how we
        used to annotate types in AI:
        a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
        b: Int52Rep(@a) => m_type is SpecInt52Only
        c: ValueRep(@b) => m_type is SpecAnyIntAsDouble

        In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
        However, the execution semantics are such that it'd actually produce a boxed
        Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
        would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
        mean an int value in either int32 or int52 range.

        2. AbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
        accepted Int52 values. It was wrong in two different ways:
        a: If the AbstractValue's type was SpecInt52Only, and the incoming value
        was a boxed double, but represented a value in int32 range, the incoming
        value would incorrectly validate as being acceptable. However, we should
        have rejected this value.
        b: If the AbstractValue's type was SpecInt32Only, and the incoming value
        was an Int32 boxed in a double, this would not validate, even though
        it should have validated.

        Solving 2 was easiest if we segregated out the Int52 type into its own
        lattice. This patch makes a new Int52 lattice, which is composed of
        SpecInt32AsInt52 and SpecNonInt32AsInt52.

        The conversion rules are now really simple.

        Int52 rep => JSValue rep
        SpecInt32AsInt52 => SpecInt32Only
        SpecNonInt32AsInt52 => SpecAnyIntAsDouble

        JSValue rep => Int52 rep
        SpecInt32Only => SpecInt32AsInt52
        SpecAnyIntAsDouble => SpecInt52Any

        With these rules, the program in (1) will now correctly report that @c
        returns SpecInt32Only | SpecAnyIntAsDouble.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::int52AwareSpeculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isAnyInt52Speculation):
        (JSC::isIntAnyFormat):
        (JSC::isInt52Speculation): Deleted.
        (JSC::isAnyIntSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isInt52Any const):
        (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupArithMul):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt52):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt52):
        (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):

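To see why reusing SpecInt32Only for Int52 lost information on the round trip in (1), here is an added model of the old and new conversion rules applied to that program, with a soundness check against what ValueRep really produces. This is constructed for this note, not JSC's SpeculatedType code; the bit values and function names are assumptions.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the speculated-type bits named in the entry.
// The bit positions are arbitrary; only their distinctness matters here.
using SpeculatedType = uint64_t;
constexpr SpeculatedType SpecNone            = 0;
constexpr SpeculatedType SpecInt32Only       = 1ull << 0; // JSValue rep: boxed int32
constexpr SpeculatedType SpecAnyIntAsDouble  = 1ull << 1; // JSValue rep: int-valued double
constexpr SpeculatedType SpecInt52Only       = 1ull << 2; // old lattice: Int52 outside int32 range
constexpr SpeculatedType SpecInt32AsInt52    = 1ull << 3; // new lattice: Int52 inside int32 range
constexpr SpeculatedType SpecNonInt32AsInt52 = 1ull << 4; // new lattice: Int52 outside int32 range
constexpr SpeculatedType SpecInt52Any        = SpecInt32AsInt52 | SpecNonInt32AsInt52;

// Old rules as the entry describes them: Int52 values reused SpecInt32Only,
// and Int52Rep over SpecAnyIntAsDouble was typed as SpecInt52Only.
SpeculatedType oldInt52Rep(SpeculatedType t)
{
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only) r |= SpecInt32Only;
    if (t & SpecAnyIntAsDouble) r |= SpecInt52Only;
    return r;
}

SpeculatedType oldValueRep(SpeculatedType t)
{
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only) r |= SpecInt32Only;
    if (t & SpecInt52Only) r |= SpecAnyIntAsDouble;
    return r;
}

// New rules, taken from the two conversion tables in the entry.
SpeculatedType newInt52Rep(SpeculatedType t)
{
    SpeculatedType r = SpecNone;
    if (t & SpecInt32Only) r |= SpecInt32AsInt52;
    if (t & SpecAnyIntAsDouble) r |= SpecInt52Any;
    return r;
}

SpeculatedType newValueRep(SpeculatedType t)
{
    SpeculatedType r = SpecNone;
    if (t & SpecInt32AsInt52) r |= SpecInt32Only;
    if (t & SpecNonInt32AsInt52) r |= SpecAnyIntAsDouble;
    return r;
}

// Execution semantics: ValueRep boxes an Int52 as an Int32 whenever it fits.
SpeculatedType concreteValueRepType(int64_t int52Value)
{
    return (int52Value >= INT32_MIN && int52Value <= INT32_MAX) ? SpecInt32Only : SpecAnyIntAsDouble;
}

// AI is sound for a node only if every type it can really produce is inside its m_type.
bool abstractTypeCovers(SpeculatedType abstractType, SpeculatedType concreteType)
{
    return (concreteType & ~abstractType) == SpecNone;
}

// The program from item (1): a: JSConstant(10.0), b: Int52Rep(@a), c: ValueRep(@b).
SpeculatedType typeOfCUnderOldRules() { return oldValueRep(oldInt52Rep(SpecAnyIntAsDouble)); }
SpeculatedType typeOfCUnderNewRules() { return newValueRep(newInt52Rep(SpecAnyIntAsDouble)); }

int main()
{
    // 10.0 fits in int32, so at run time @c is a boxed Int32.
    SpeculatedType actual = concreteValueRepType(10);
    std::printf("old rules cover the real result of @c: %s\n", abstractTypeCovers(typeOfCUnderOldRules(), actual) ? "yes" : "no");
    std::printf("new rules cover the real result of @c: %s\n", abstractTypeCovers(typeOfCUnderNewRules(), actual) ? "yes" : "no");
    return 0;
}
```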
676 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
677
678         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
679         https://bugs.webkit.org/show_bug.cgi?id=196708
680         <rdar://problem/49556803>
681
682         Reviewed by Yusuke Suzuki.
683
684         `operationPutToScope` needs to return early if an exception is thrown while
685         checking if `hasProperty`.
686
687         * jit/JITOperations.cpp:
688
689 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
690
691         [JSC] DFG should respect node's strict flag
692         https://bugs.webkit.org/show_bug.cgi?id=196617
693
694         Reviewed by Saam Barati.
695
696         We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
697         and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
698         in DFG and FTL to get the right isStrictMode flag for the DFG node.
699         And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
700         callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
701         This bug was discovered by RandomizingFuzzerAgent by expanding the DFG coverage.
702
703         * dfg/DFGAbstractInterpreterInlines.h:
704         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
705         * dfg/DFGConstantFoldingPhase.cpp:
706         (JSC::DFG::ConstantFoldingPhase::foldConstants):
707         * dfg/DFGFixupPhase.cpp:
708         (JSC::DFG::FixupPhase::fixupToThis):
709         * dfg/DFGOperations.cpp:
710         * dfg/DFGOperations.h:
711         * dfg/DFGPredictionPropagationPhase.cpp:
712         * dfg/DFGSpeculativeJIT.cpp:
713         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
714         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
715         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
716         (JSC::DFG::SpeculativeJIT::compileToThis):
717         * dfg/DFGSpeculativeJIT32_64.cpp:
718         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
719         (JSC::DFG::SpeculativeJIT::compile):
720         * dfg/DFGSpeculativeJIT64.cpp:
721         (JSC::DFG::SpeculativeJIT::compile):
722         * ftl/FTLLowerDFGToB3.cpp:
723         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
724         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
725
726 2019-04-08  Don Olmstead  <don.olmstead@sony.com>
727
728         [CMake][WinCairo] Separate copied headers into different directories
729         https://bugs.webkit.org/show_bug.cgi?id=196655
730
731         Reviewed by Michael Catanzaro.
732
733         * CMakeLists.txt:
734         * shell/PlatformWin.cmake:
735
736 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         [JSC] isRope jump in StringSlice should not jump over register allocations
739         https://bugs.webkit.org/show_bug.cgi?id=196716
740
741         Reviewed by Saam Barati.
742
743         Jumping over the register allocation code in DFG (like the following) is wrong.
744
745             auto jump = m_jit.branchXXX();
746             {
747                 GPRTemporary reg(this);
748                 GPRReg regGPR = reg.gpr();
749                 ...
750             }
751             jump.link(&m_jit);
752
753         When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
754         Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
755         DFG thinks that the content is flushed and stored in a particular stack slot even while this flushing code is skipped.
756         In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.
757
758         * dfg/DFGSpeculativeJIT.cpp:
759         (JSC::DFG::SpeculativeJIT::compileStringSlice):
760
761 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
762
763         [JSC] to_index_string should not assume incoming value is Uint32
764         https://bugs.webkit.org/show_bug.cgi?id=196713
765
766         Reviewed by Saam Barati.
767
768         The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
769         this assumption since DFG may decide we should have it in double format. This patch removes this
770         assumption, and instead, we assume that the incoming value is AnyInt and that its range
771         is within Uint32.
772
773         * runtime/CommonSlowPaths.cpp:
774         (JSC::SLOW_PATH_DECL):
775
776 2019-04-08  Justin Fan  <justin_fan@apple.com>
777
778         [Web GPU] Fix Web GPU experimental feature on iOS
779         https://bugs.webkit.org/show_bug.cgi?id=196632
780
781         Reviewed by Myles C. Maxfield.
782
783         Properly make Web GPU available on iOS 11+.
784
785         * Configurations/FeatureDefines.xcconfig:
786         * Configurations/WebKitTargetConditionals.xcconfig:
787
788 2019-04-08  Ross Kirsling  <ross.kirsling@sony.com>
789
790         -f[no-]var-tracking-assignments is GCC-only
791         https://bugs.webkit.org/show_bug.cgi?id=196699
792
793         Reviewed by Don Olmstead.
794
795         * CMakeLists.txt:
796         Just remove the build flag altogether -- it supposedly doesn't solve the problem it was meant to
797         and said problem evidently no longer occurs as of GCC 9.
798
799 2019-04-08  Saam Barati  <sbarati@apple.com>
800
801         WebAssembly.RuntimeError missing exception check
802         https://bugs.webkit.org/show_bug.cgi?id=196700
803         <rdar://problem/49693932>
804
805         Reviewed by Yusuke Suzuki.
806
807         * wasm/js/JSWebAssemblyRuntimeError.h:
808         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
809         (JSC::constructJSWebAssemblyRuntimeError):
810
811 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
812
813         Unreviewed, rolling in r243948 with test fix
814         https://bugs.webkit.org/show_bug.cgi?id=196486
815
816         * parser/ASTBuilder.h:
817         (JSC::ASTBuilder::createString):
818         * parser/Lexer.cpp:
819         (JSC::Lexer<T>::parseMultilineComment):
820         (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
821         (JSC::Lexer<T>::lex): Deleted.
822         * parser/Lexer.h:
823         (JSC::Lexer::hasLineTerminatorBeforeToken const):
824         (JSC::Lexer::setHasLineTerminatorBeforeToken):
825         (JSC::Lexer<T>::lex):
826         (JSC::Lexer::prevTerminator const): Deleted.
827         (JSC::Lexer::setTerminator): Deleted.
828         * parser/Parser.cpp:
829         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
830         (JSC::Parser<LexerType>::parseSingleFunction):
831         (JSC::Parser<LexerType>::parseStatementListItem):
832         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
833         (JSC::Parser<LexerType>::parseFunctionInfo):
834         (JSC::Parser<LexerType>::parseClass):
835         (JSC::Parser<LexerType>::parseExportDeclaration):
836         (JSC::Parser<LexerType>::parseAssignmentExpression):
837         (JSC::Parser<LexerType>::parseYieldExpression):
838         (JSC::Parser<LexerType>::parseProperty):
839         (JSC::Parser<LexerType>::parsePrimaryExpression):
840         (JSC::Parser<LexerType>::parseMemberExpression):
841         * parser/Parser.h:
842         (JSC::Parser::nextWithoutClearingLineTerminator):
843         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
844         (JSC::Parser::internalSaveLexerState):
845         (JSC::Parser::restoreLexerState):
846
847 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
848
849         Unreviewed, rolling out r243948.
850
851         Caused inspector/runtime/parse.html to fail
852
853         Reverted changeset:
854
855         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
856         https://bugs.webkit.org/show_bug.cgi?id=196486
857         https://trac.webkit.org/changeset/243948
858
859 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
860
861         Unreviewed, rolling out r243943.
862
863         Caused test262 failures.
864
865         Reverted changeset:
866
867         "[JSC] Filter DontEnum properties in
868         ProxyObject::getOwnPropertyNames()"
869         https://bugs.webkit.org/show_bug.cgi?id=176810
870         https://trac.webkit.org/changeset/243943
871
872 2019-04-08  Claudio Saavedra  <csaavedra@igalia.com>
873
874         [JSC] Partially fix the build with unified builds disabled
875         https://bugs.webkit.org/show_bug.cgi?id=196647
876
877         Reviewed by Konstantin Tokarev.
878
879         If you disable unified builds you find all kinds of build
880         errors. This partially tries to fix them but there's a lot
881         more.
882
883         * API/JSBaseInternal.h:
884         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
885         * b3/air/AirHandleCalleeSaves.h:
886         * bytecode/ExecutableToCodeBlockEdge.cpp:
887         * bytecode/ExitFlag.h:
888         * bytecode/ICStatusUtils.h:
889         * bytecode/UnlinkedMetadataTable.h:
890         * dfg/DFGPureValue.h:
891         * heap/IsoAlignedMemoryAllocator.cpp:
892         * heap/IsoAlignedMemoryAllocator.h:
893
894 2019-04-08  Guillaume Emont  <guijemont@igalia.com>
895
896         Enable DFG on MIPS
897         https://bugs.webkit.org/show_bug.cgi?id=196689
898
899         Reviewed by Žan Doberšek.
900
901         Since the bytecode change, we enabled the baseline JIT on MIPS in
902         r240432, but DFG is still missing. With this change, all tests are
903         passing on a ci20 board.
904
905         * jit/RegisterSet.cpp:
906         (JSC::RegisterSet::calleeSaveRegisters):
907         Added s0, which is used in llint.
908
909 2019-04-08  Xan Lopez  <xan@igalia.com>
910
911         [CMake] Detect SSE2 at compile time
912         https://bugs.webkit.org/show_bug.cgi?id=196488
913
914         Reviewed by Carlos Garcia Campos.
915
916         * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and
917         incorrect) static_assert.
918
919 2019-04-07  Michael Saboff  <msaboff@apple.com>
920
921         REGRESSION (r243642): Crash in reddit.com page
922         https://bugs.webkit.org/show_bug.cgi?id=196684
923
924         Reviewed by Geoffrey Garen.
925
926         In r243642, the code that saves and restores the count for non-greedy character classes
927         was inadvertently put inside an if statement.  This code should be generated for all
928         non-greedy character classes.
929
930         * yarr/YarrJIT.cpp:
931         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
932         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
933
934 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
935
936         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
937         https://bugs.webkit.org/show_bug.cgi?id=196683
938
939         Reviewed by Saam Barati.
940
941         In r243626, we stop repatching CallLinkInfo when the CallLinkInfo is held by jettisoned CodeBlock.
942         But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
943         visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
944         can still be live.
945
946         We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
947         other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.
948
949         * bytecode/CallLinkInfo.cpp:
950         (JSC::CallLinkInfo::setCallee):
951         (JSC::CallLinkInfo::clearCallee):
952         * jit/Repatch.cpp:
953         (JSC::linkFor):
954         (JSC::revertCall):
955
956 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
957
958         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
959         https://bugs.webkit.org/show_bug.cgi?id=196582
960
961         Reviewed by Saam Barati.
962
963         In DFG, our ArithAdd with overflow is executed speculatively, and we recover the value when overflow flag is set.
964         The recovery is subtracting the operand from the destination to get the original two operands. Our recovery code
965         handles A + B = A, A + B = B cases. But it misses A + A = A case (here, A and B are GPRReg). Our recovery code
966         attempts to produce the original operand by performing A - A, and it always produces zero accidentally.
967
968         This patch adds the recovery code for the A + A = A case. Because we know that this ArithAdd overflows, and the operands were
969         the same value, we can calculate the original operand from the destination value by `((int32_t)value >> 1) ^ 0x80000000`.
970
971         We also found that the FTL recovery code is dead. We remove it in this patch.
972
973         * dfg/DFGOSRExit.cpp:
974         (JSC::DFG::OSRExit::executeOSRExit):
975         (JSC::DFG::OSRExit::compileExit):
976         * dfg/DFGOSRExit.h:
977         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
978         * dfg/DFGSpeculativeJIT.cpp:
979         (JSC::DFG::SpeculativeJIT::compileArithAdd):
980         * ftl/FTLExitValue.cpp:
981         (JSC::FTL::ExitValue::dataFormat const):
982         (JSC::FTL::ExitValue::dumpInContext const):
983         * ftl/FTLExitValue.h:
984         (JSC::FTL::ExitValue::isArgument const):
985         (JSC::FTL::ExitValue::hasIndexInStackmapLocations const):
986         (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
987         (JSC::FTL::ExitValue::recovery): Deleted.
988         (JSC::FTL::ExitValue::isRecovery const): Deleted.
989         (JSC::FTL::ExitValue::leftRecoveryArgument const): Deleted.
990         (JSC::FTL::ExitValue::rightRecoveryArgument const): Deleted.
991         (JSC::FTL::ExitValue::recoveryFormat const): Deleted.
992         (JSC::FTL::ExitValue::recoveryOpcode const): Deleted.
993         * ftl/FTLLowerDFGToB3.cpp:
994         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
995         (JSC::FTL::DFG::LowerDFGToB3::preparePatchpointForExceptions):
996         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
997         (JSC::FTL::DFG::LowerDFGToB3::exitValueForNode):
998         (JSC::FTL::DFG::LowerDFGToB3::addAvailableRecovery): Deleted.
999         * ftl/FTLOSRExitCompiler.cpp:
1000         (JSC::FTL::compileRecovery):
1001
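The recovery cases described in the entry above, as a standalone model added here for illustration (not JSC's own code): it reproduces the speculative 32-bit add with overflow detection, shows why the pre-patch "dest - other" path yields zero for A + A = A, and applies the `((int32_t)value >> 1) ^ 0x80000000` recovery. The enum and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Which register the overflowed result landed in; modelled after the three
 * cases the ChangeLog entry lists (names are this example's own, not JSC's). */
typedef enum {
    DEST_WAS_LEFT,   /* A + B = A : the left operand was clobbered   */
    DEST_WAS_RIGHT,  /* A + B = B : the right operand was clobbered  */
    DEST_WAS_BOTH    /* A + A = A : both operands were the same register */
} RecoveryKind;

/* Wrapping 32-bit add that also reports signed overflow, standing in for the
 * hardware overflow flag the speculative ArithAdd branches on. */
bool add_with_overflow(int32_t a, int32_t b, int32_t *out)
{
    uint32_t sum = (uint32_t)a + (uint32_t)b;           /* wraps mod 2^32 */
    *out = (int32_t)sum;
    /* Signed overflow iff both operands have the sign the result lacks. */
    return (((uint32_t)a ^ sum) & ((uint32_t)b ^ sum)) >> 31;
}

/* Arithmetic shift right by one, written portably: C leaves >> on negative
 * values implementation-defined, while the JIT emits a real sar instruction. */
static uint32_t asr1(uint32_t v)
{
    return (v >> 1) | (v & 0x80000000u);
}

/* Recover the clobbered operand from the overflowed destination register. */
int32_t recover_operand(RecoveryKind kind, int32_t dest, int32_t other)
{
    switch (kind) {
    case DEST_WAS_LEFT:
    case DEST_WAS_RIGHT:
        /* dest = A + B and the surviving register still holds the other operand. */
        return (int32_t)((uint32_t)dest - (uint32_t)other);
    case DEST_WAS_BOTH:
        /* dest = A + A = A << 1 (mod 2^32), so bits 1..31 of dest are bits 0..30
         * of A. Overflow guarantees bit 31 of A differs from bit 30, so an
         * arithmetic shift right followed by flipping the top bit restores A. */
        return (int32_t)(asr1((uint32_t)dest) ^ 0x80000000u);
    }
    return 0;
}

/* Pre-patch behaviour for A + A = A: the generic "dest - other" path, where
 * "other" is the very register that was just clobbered, yields 0 every time. */
int32_t buggy_recover_both(int32_t dest)
{
    return (int32_t)((uint32_t)dest - (uint32_t)dest);
}

/* Speculatively add a + b; on overflow run the recovery and report whether the
 * clobbered operand came back intact. Returns true when no overflow happened
 * (nothing to recover) or the recovery was exact. For DEST_WAS_BOTH, b is
 * ignored and a is used for both operands. */
bool roundtrip(RecoveryKind kind, int32_t a, int32_t b, bool use_fix)
{
    if (kind == DEST_WAS_BOTH)
        b = a;
    int32_t dest;
    if (!add_with_overflow(a, b, &dest))
        return true;
    int32_t clobbered = (kind == DEST_WAS_RIGHT) ? b : a;
    int32_t other = (kind == DEST_WAS_RIGHT) ? a : b;
    int32_t recovered = (kind == DEST_WAS_BOTH && !use_fix)
                      ? buggy_recover_both(dest)
                      : recover_operand(kind, dest, other);
    return recovered == clobbered;
}

int main(void)
{
    /* Constructed inputs: values whose doubling overflows int32. */
    const int32_t samples[] = { 0x40000000, -0x40000001, INT32_MIN, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t a = samples[i];
        printf("A=%11d  pre-patch:%s  fixed:%s\n", a,
               roundtrip(DEST_WAS_BOTH, a, a, false) ? "ok " : "BAD",
               roundtrip(DEST_WAS_BOTH, a, a, true) ? "ok " : "BAD");
    }
    return 0;
}
```
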
1002 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
1003
1004         Unreviewed, rolling out r243665.
1005
1006         Caused iOS JSC tests to exit with an exception.
1007
1008         Reverted changeset:
1009
1010         "Assertion failed in JSC::createError"
1011         https://bugs.webkit.org/show_bug.cgi?id=196305
1012         https://trac.webkit.org/changeset/243665
1013
1014 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
1015
1016         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
1017         https://bugs.webkit.org/show_bug.cgi?id=196486
1018
1019         Reviewed by Saam Barati.
1020
1021         When parsing a FunctionExpression / FunctionDeclaration etc., we use SyntaxChecker for the body of the function because we do not have any interest in the nodes of the body at that time.
1022         The nodes will be parsed with the ASTBuilder when the function itself is parsed for code generation. This worked well previously because all functions ended with "}".
1023         SyntaxChecker lexes this "}" token, and the parser restores the context back to ASTBuilder and continues parsing.
1024
1025         But now, we have ArrowFunctionExpression without braces `arrow => expr`. Let's consider the following code.
1026
1027                 arrow => expr
1028                 "string!"
1029
1030         We parse the arrow function's body with SyntaxChecker. At that time, we lex the "string!" token under the SyntaxChecker context. But this means that we may not build string content for this token
1031         since SyntaxChecker may not have interest in the string content itself in certain cases. After the parser is back to ASTBuilder, we parse "string!" as an ExpressionStatement with a string constant,
1032         generate a StringNode with a non-built identifier (nullptr), and we accidentally create a StringNode with nullptr.
1033
1034         This patch fixes this problem. The root cause of this problem is that the last token lexed in the previous context is used. We add lexCurrentTokenAgainUnderCurrentContext which will re-lex
1035         the current token under the current context (may be ASTBuilder). This should be done only when the caller's context is different from SyntaxChecker, which avoids unnecessary lexing.
1036         We leverage existing SavePoint mechanism to implement lexCurrentTokenAgainUnderCurrentContext cleanly.
1037
1038         And we also fix a bug in the existing SavePoint mechanism, which is shown in the attached test script. When we save LexerState, we do not save the line terminator status. This patch also introduces
1039         lexWithoutClearingLineTerminator, which lexes the token without clearing the line terminator status.
1040
1041         * parser/ASTBuilder.h:
1042         (JSC::ASTBuilder::createString):
1043         * parser/Lexer.cpp:
1044         (JSC::Lexer<T>::parseMultilineComment):
1045         (JSC::Lexer<T>::lexWithoutClearingLineTerminator): EOF token also should record offset information. This offset information is correctly handled in Lexer::setOffset too.
1046         (JSC::Lexer<T>::lex): Deleted.
1047         * parser/Lexer.h:
1048         (JSC::Lexer::hasLineTerminatorBeforeToken const):
1049         (JSC::Lexer::setHasLineTerminatorBeforeToken):
1050         (JSC::Lexer<T>::lex):
1051         (JSC::Lexer::prevTerminator const): Deleted.
1052         (JSC::Lexer::setTerminator): Deleted.
1053         * parser/Parser.cpp:
1054         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1055         (JSC::Parser<LexerType>::parseSingleFunction):
1056         (JSC::Parser<LexerType>::parseStatementListItem):
1057         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
1058         (JSC::Parser<LexerType>::parseFunctionInfo):
1059         (JSC::Parser<LexerType>::parseClass):
1060         (JSC::Parser<LexerType>::parseExportDeclaration):
1061         (JSC::Parser<LexerType>::parseAssignmentExpression):
1062         (JSC::Parser<LexerType>::parseYieldExpression):
1063         (JSC::Parser<LexerType>::parseProperty):
1064         (JSC::Parser<LexerType>::parsePrimaryExpression):
1065         (JSC::Parser<LexerType>::parseMemberExpression):
1066         * parser/Parser.h:
1067         (JSC::Parser::nextWithoutClearingLineTerminator):
1068         (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext):
1069         (JSC::Parser::internalSaveLexerState):
1070         (JSC::Parser::restoreLexerState):
1071
1072 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1073
1074         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
1075         https://bugs.webkit.org/show_bug.cgi?id=176810
1076
1077         Reviewed by Saam Barati.
1078
1079         This adds conditional logic following the invariant checks, to perform
1080         filtering in common uses of getOwnPropertyNames.
1081
1082         While this would ideally only be done in JSPropertyNameEnumerator, adding
1083         the filtering to ProxyObject::performGetOwnPropertyNames maintains the
1084         invariant that the EnumerationMode is properly followed.
1085
1086         * runtime/PropertyNameArray.h:
1087         (JSC::PropertyNameArray::reset):
1088         * runtime/ProxyObject.cpp:
1089         (JSC::ProxyObject::performGetOwnPropertyNames):
1090
1091 2019-04-05  Commit Queue  <commit-queue@webkit.org>
1092
1093         Unreviewed, rolling out r243833.
1094         https://bugs.webkit.org/show_bug.cgi?id=196645
1095
1096         This change breaks the build of the WPE and GTK ports (Requested by
1097         annulen on #webkit).
1098
1099         Reverted changeset:
1100
1101         "[CMake][WTF] Mirror XCode header directories"
1102         https://bugs.webkit.org/show_bug.cgi?id=191662
1103         https://trac.webkit.org/changeset/243833
1104
1105 2019-04-05  Caitlin Potter  <caitp@igalia.com>
1106
1107         [JSC] throw if ownKeys Proxy trap result contains duplicate keys
1108         https://bugs.webkit.org/show_bug.cgi?id=185211
1109
1110         Reviewed by Saam Barati.
1111
1112         Implements the normative spec change in https://github.com/tc39/ecma262/pull/833
1113
1114         This involves tracking duplicate keys returned from the ownKeys trap in yet
1115         another HashTable, and may incur a minor performance penalty in some cases. This
1116         is not expected to significantly affect web performance.
1117
1118         * runtime/ProxyObject.cpp:
1119         (JSC::ProxyObject::performGetOwnPropertyNames):
1120
1121 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1122
1123         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
1124         https://bugs.webkit.org/show_bug.cgi?id=196631
1125
1126         Reviewed by Saam Barati.
1127
1128         makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
1129         DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform
1130         a toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
1131
1132         * JavaScriptCore.xcodeproj/project.pbxproj:
1133         * Sources.txt:
1134         * interpreter/CallFrameInlines.h:
1135         * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1136         (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
1137         (JSC::DoublePredictionFuzzerAgent::getPrediction):
1138         * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
1139         * runtime/JSGlobalObject.cpp:
1140         (JSC::makeBoundFunction):
1141         * runtime/Options.h:
1142         * runtime/VM.cpp:
1143         (JSC::VM::VM):
1144
1145 2019-04-04  Robin Morisset  <rmorisset@apple.com>
1146
1147         B3ReduceStrength should know that Mul distributes over Add and Sub
1148         https://bugs.webkit.org/show_bug.cgi?id=196325
1149         <rdar://problem/49441650>
1150
1151         Reviewed by Saam Barati.
1152
1153         Fix some obviously wrong code that was due to an accidental copy-paste.
1154         It made the entire optimization dead code that never ran.
1155
1156         * b3/B3ReduceStrength.cpp:
1157
1158 2019-04-04  Saam Barati  <sbarati@apple.com>
1159
1160         Unreviewed, build fix for CLoop after r243886
1161
1162         * interpreter/Interpreter.cpp:
1163         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1164         * interpreter/StackVisitor.cpp:
1165         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1166         * interpreter/StackVisitor.h:
1167
1168 2019-04-04  Commit Queue  <commit-queue@webkit.org>
1169
1170         Unreviewed, rolling out r243898.
1171         https://bugs.webkit.org/show_bug.cgi?id=196624
1172
1173         `#if !ENABLE(C_LOOP) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0`
1174         does not work well (Requested by yusukesuzuki on #webkit).
1175
1176         Reverted changeset:
1177
1178         "Unreviewed, build fix for CLoop and Windows after r243886"
1179         https://bugs.webkit.org/show_bug.cgi?id=196387
1180         https://trac.webkit.org/changeset/243898
1181
1182 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1183
1184         Unreviewed, build fix for CLoop and Windows after r243886
1185         https://bugs.webkit.org/show_bug.cgi?id=196387
1186
1187         RegisterAtOffsetList does not exist if ENABLE(ASSEMBLER) is false.
1188
1189         * interpreter/StackVisitor.cpp:
1190         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1191         * interpreter/StackVisitor.h:
1192
1193 2019-04-04  Saam barati  <sbarati@apple.com>
1194
1195         Teach Call ICs how to call Wasm
1196         https://bugs.webkit.org/show_bug.cgi?id=196387
1197
1198         Reviewed by Filip Pizlo.
1199
1200         This patch teaches JS to call Wasm without going through the native thunk.
1201         Currently, we emit a JIT "JS" callee stub which marshals arguments from
1202         JS to Wasm. Like the native version of this, this thunk is responsible
1203         for saving and restoring the VM's current Wasm context. Instead of emitting
1204         an exception handler, we also teach the unwinder how to read the previous
1205         wasm context to restore it as it unwinds past this frame.
1206         
1207         This patch is straightforward, and leaves some areas for perf improvement:
1208         - We can teach the DFG/FTL to directly use the Wasm calling convention when
1209           it knows it's calling a single Wasm function. This way we don't shuffle
1210           registers to the stack and then back into registers.
1211         - We bail out to the slow path for mismatched arity. I opened a bug to
1212           optimize arity check failures: https://bugs.webkit.org/show_bug.cgi?id=196564
1213         - We bail out to the slow path for Double JSValues flowing into i32 arguments.
1214           We should teach this thunk how to do that conversion directly.
1215         
1216         This patch also refactors the code to explicitly have a single pinned size register.
1217         We used to pretend in some places that we could have more than one pinned size register.
1218         However, there was other code that just asserted the size was one. This patch just rips
1219         out this code since we never moved to having more than one pinned size register. Doing
1220         this refactoring cleans up the various places where we set up the size register.
1221         
1222         This patch is a 50-60% progression on JetStream 2's richards-wasm.
1223
1224         * JavaScriptCore.xcodeproj/project.pbxproj:
1225         * Sources.txt:
1226         * assembler/MacroAssemblerCodeRef.h:
1227         (JSC::MacroAssemblerCodeRef::operator=):
1228         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1229         * interpreter/Interpreter.cpp:
1230         (JSC::UnwindFunctor::operator() const):
1231         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1232         * interpreter/StackVisitor.cpp:
1233         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
1234         (JSC::StackVisitor::Frame::calleeSaveRegisters): Deleted.
1235         * interpreter/StackVisitor.h:
1236         * jit/JITOperations.cpp:
1237         * jit/RegisterSet.cpp:
1238         (JSC::RegisterSet::runtimeTagRegisters):
1239         (JSC::RegisterSet::specialRegisters):
1240         (JSC::RegisterSet::runtimeRegisters): Deleted.
1241         * jit/RegisterSet.h:
1242         * jit/Repatch.cpp:
1243         (JSC::linkPolymorphicCall):
1244         * runtime/JSFunction.cpp:
1245         (JSC::getCalculatedDisplayName):
1246         * runtime/JSGlobalObject.cpp:
1247         (JSC::JSGlobalObject::init):
1248         (JSC::JSGlobalObject::visitChildren):
1249         * runtime/JSGlobalObject.h:
1250         (JSC::JSGlobalObject::jsToWasmICCalleeStructure const):
1251         * runtime/VM.cpp:
1252         (JSC::VM::VM):
1253         * runtime/VM.h:
1254         * wasm/WasmAirIRGenerator.cpp:
1255         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1256         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
1257         (JSC::Wasm::AirIRGenerator::addCallIndirect):
1258         * wasm/WasmB3IRGenerator.cpp:
1259         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1260         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1261         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1262         * wasm/WasmBinding.cpp:
1263         (JSC::Wasm::wasmToWasm):
1264         * wasm/WasmContext.h:
1265         (JSC::Wasm::Context::pointerToInstance):
1266         * wasm/WasmContextInlines.h:
1267         (JSC::Wasm::Context::store):
1268         * wasm/WasmMemoryInformation.cpp:
1269         (JSC::Wasm::getPinnedRegisters):
1270         (JSC::Wasm::PinnedRegisterInfo::get):
1271         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1272         * wasm/WasmMemoryInformation.h:
1273         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1274         * wasm/WasmOMGPlan.cpp:
1275         (JSC::Wasm::OMGPlan::work):
1276         * wasm/js/JSToWasm.cpp:
1277         (JSC::Wasm::createJSToWasmWrapper):
1278         * wasm/js/JSToWasmICCallee.cpp: Added.
1279         (JSC::JSToWasmICCallee::create):
1280         (JSC::JSToWasmICCallee::createStructure):
1281         (JSC::JSToWasmICCallee::visitChildren):
1282         * wasm/js/JSToWasmICCallee.h: Added.
1283         (JSC::JSToWasmICCallee::function):
1284         (JSC::JSToWasmICCallee::JSToWasmICCallee):
1285         * wasm/js/WebAssemblyFunction.cpp:
1286         (JSC::WebAssemblyFunction::useTagRegisters const):
1287         (JSC::WebAssemblyFunction::calleeSaves const):
1288         (JSC::WebAssemblyFunction::usedCalleeSaveRegisters const):
1289         (JSC::WebAssemblyFunction::previousInstanceOffset const):
1290         (JSC::WebAssemblyFunction::previousInstance):
1291         (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
1292         (JSC::WebAssemblyFunction::visitChildren):
1293         (JSC::WebAssemblyFunction::destroy):
1294         * wasm/js/WebAssemblyFunction.h:
1295         * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Added.
1296         (JSC::WebAssemblyFunctionDestroyFunc::operator() const):
1297         (JSC::WebAssemblyFunctionHeapCellType::WebAssemblyFunctionHeapCellType):
1298         (JSC::WebAssemblyFunctionHeapCellType::~WebAssemblyFunctionHeapCellType):
1299         (JSC::WebAssemblyFunctionHeapCellType::finishSweep):
1300         (JSC::WebAssemblyFunctionHeapCellType::destroy):
1301         * wasm/js/WebAssemblyFunctionHeapCellType.h: Added.
1302         * wasm/js/WebAssemblyPrototype.h:
1303
1304 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
1305
1306         [JSC] Pass CodeOrigin to FuzzerAgent
1307         https://bugs.webkit.org/show_bug.cgi?id=196590
1308
1309         Reviewed by Saam Barati.
1310
1311         Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
1312         We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
1313         but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
1314
1315         * dfg/DFGByteCodeParser.cpp:
1316         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1317         * runtime/FuzzerAgent.cpp:
1318         (JSC::FuzzerAgent::getPrediction):
1319         * runtime/FuzzerAgent.h:
1320         * runtime/RandomizingFuzzerAgent.cpp:
1321         (JSC::RandomizingFuzzerAgent::getPrediction):
1322         * runtime/RandomizingFuzzerAgent.h:
1323
1324 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
1325
1326         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
1327         https://bugs.webkit.org/show_bug.cgi?id=194944
1328
1329         Reviewed by Keith Miller.
1330
1331         Based on profile data collected on JetStream2, Speedometer 2 and
1332         other benchmarks, it is very rare to have a non-empty
1333         UnlinkedFunctionExecutable::m_parentScopeTDZVariables.
1334
1335         - Data collected from Speedometer2
1336             Total number of UnlinkedFunctionExecutable: 39463
1337             Total number of non-empty parentScopeTDZVars: 428 (~1%)
1338
1339         - Data collected from JetStream2
1340             Total number of UnlinkedFunctionExecutable: 83715
1341             Total number of non-empty parentScopeTDZVars: 5285 (~6%)
1342
1343         We also collected numbers on 6 of the top 10 Alexa sites.
1344
1345         - Data collected from youtube.com
1346             Total number of UnlinkedFunctionExecutable: 29599
1347             Total number of non-empty parentScopeTDZVars: 97 (~0.3%)
1348
1349         - Data collected from twitter.com
1350             Total number of UnlinkedFunctionExecutable: 23774
1351             Total number of non-empty parentScopeTDZVars: 172 (~0.7%)
1352
1353         - Data collected from google.com
1354             Total number of UnlinkedFunctionExecutable: 33209
1355             Total number of non-empty parentScopeTDZVars: 174 (~0.5%)
1356
1357         - Data collected from amazon.com:
1358             Total number of UnlinkedFunctionExecutable: 15182
1359             Total number of non-empty parentScopeTDZVars: 166 (~1%)
1360
1361         - Data collected from facebook.com:
1362             Total number of UnlinkedFunctionExecutable: 54443
1363             Total number of non-empty parentScopeTDZVars: 269 (~0.4%)
1364
1365         - Data collected from netflix.com:
1366             Total number of UnlinkedFunctionExecutable: 39266
1367             Total number of non-empty parentScopeTDZVars: 97 (~0.2%)
1368
1369         Considering such numbers, this patch is moving `m_parentScopeTDZVariables`
1370         to RareData. This decreases sizeof(UnlinkedFunctionExecutable) by
1371         16 bytes. With this change, now UnlinkedFunctionExecutable constructors
1372         receives an `Optional<VariableEnvironmentMap::Handle>` and only stores
1373         it when `value != WTF::nullopt`. We also changed
1374         UnlinkedFunctionExecutable::parentScopeTDZVariables() and it returns
1375         `VariableEnvironment()` whenever the Executable doesn't have RareData,
1376         or VariableEnvironmentMap::Handle is unitialized. This is required
1377         because RareData is instantiated when any of its field is stored and
1378         we can have an unitialized `Handle` even on cases when parentScopeTDZVariables
1379         is `WTF::nullopt`.
1380
1381         Results on memory usage on JetStrem2 is neutral.
1382
1383             Mean of memory peak on ToT: 4258633728 bytes (confidence interval: 249720072.95)
1384             Mean of memory peak on Changes: 4367325184 bytes (confidence interval: 321285583.61)
1385
1386         * builtins/BuiltinExecutables.cpp:
1387         (JSC::BuiltinExecutables::createExecutable):
1388         * bytecode/UnlinkedFunctionExecutable.cpp:
1389         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1390         * bytecode/UnlinkedFunctionExecutable.h:
1391         * bytecompiler/BytecodeGenerator.cpp:
1392         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1393
1394         BytecodeGenerator::getVariablesUnderTDZ now also caches if m_cachedVariablesUnderTDZ
1395         is empty, so we can properly return `WTF::nullopt` without the
1396         reconstruction of a VariableEnvironment to check if it is empty.
1397
1398         * bytecompiler/BytecodeGenerator.h:
1399         (JSC::BytecodeGenerator::makeFunction):
1400         * parser/VariableEnvironment.h:
1401         (JSC::VariableEnvironment::isEmpty const):
1402         * runtime/CachedTypes.cpp:
1403         (JSC::CachedCompactVariableMapHandle::decode const):
1404
1405         It returns an unitialized Handle when there is no
1406         CompactVariableEnvironment. This can happen when RareData is ensured
1407         because of another field.
1408
1409         (JSC::CachedFunctionExecutableRareData::encode):
1410         (JSC::CachedFunctionExecutableRareData::decode const):
1411         (JSC::CachedFunctionExecutable::encode):
1412         (JSC::CachedFunctionExecutable::decode const):
1413         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1414         * runtime/CodeCache.cpp:
1415
1416         Instead of creating a dummyVariablesUnderTDZ, we simply pass
1417         WTF::nullopt.
1418
1419         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1420
1421 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
1422
1423         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
1424         https://bugs.webkit.org/show_bug.cgi?id=196409
1425
1426         Reviewed by Saam Barati.
1427
1428         Some of the helpers in jsc.cpp, such as `functionRunString`, were stll using
1429         using `makeSource` instead of `jscSource`, which does not use the ShellSourceProvider
1430         and therefore does not write the bytecode cache to disk.
1431
1432         Changing that revealed a bug in bytecode cache. The Encoder keeps a mapping
1433         of pointers to offsets of already cached objects, in order to avoid caching
1434         the same object twice. Similarly, the Decoder keeps a mapping from offsets
1435         to pointers, in order to avoid creating multiple objects in memory for the
1436         same cached object. The following was happening:
1437         1) A StringImpl* S was cached as CachedPtr<CachedStringImpl> at offset O. We add
1438         an entry in the Encoder mapping that S has already been encoded at O.
1439         2) We cache StringImpl* S again, but now as CachedPtr<CachedUniquedStringImpl>.
1440         We find an entry in the Encoder mapping for S, and return the offset O. However,
1441         the object cached at O is a CachedPtr<CachedStringImpl> (i.e. not Uniqued).
1442
1443         3) When decoding, there are 2 possibilities:
1444         3.1) We find S for the first time through a CachedPtr<CachedStringImpl>. In
1445         this case, everything works as expected since we add an entry in the decoder
1446         mapping from the offset O to the decoded StringImpl* S. The next time we find
1447         S through the uniqued version, we'll return the already decoded S.
1448         3.2) We find S through a CachedPtr<CachedUniquedStringImpl>. Now we have a
1449         problem, since the CachedPtr has the offset of a CachedStringImpl (not uniqued),
1450         which has a different shape and we crash.
1451
1452         We fix this by making CachedStringImpl and CachedUniquedStringImpl share the
1453         same implementation. Since it doesn't matter whether a string is uniqued for
1454         encoding, and we always decode strings as uniqued either way, they can be used
1455         interchangeably.
1456
1457         * jsc.cpp:
1458         (functionRunString):
1459         (functionLoadString):
1460         (functionDollarAgentStart):
1461         (functionCheckModuleSyntax):
1462         (runInteractive):
1463         * runtime/CachedTypes.cpp:
1464         (JSC::CachedUniquedStringImplBase::decode const):
1465         (JSC::CachedFunctionExecutable::rareData const):
1466         (JSC::CachedCodeBlock::rareData const):
1467         (JSC::CachedFunctionExecutable::encode):
1468         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1469         (JSC::CachedUniquedStringImpl::encode): Deleted.
1470         (JSC::CachedUniquedStringImpl::decode const): Deleted.
1471         (JSC::CachedStringImpl::encode): Deleted.
1472         (JSC::CachedStringImpl::decode const): Deleted.
1473
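The encoder/decoder mismatch in the entry above, as an added illustration that is not JSC's CachedTypes code: a toy cache whose dedup map is keyed by pointer alone, so a second encode of the same string under a different cached type hands back an offset whose record has the other shape. The names (PlainRecord, UniquedRecord, Encoder, Decoder) and the two layouts are this example's own assumptions; the `shareLayout` flag switches between the bug and the shared-implementation fix.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed toy of the bytecode-cache dedup problem; none of this is JSC's CachedTypes.
// A "StringImpl" is just a std::string; its address is the identity the encoder keys on.
using StringImpl = std::string;

// Two record layouts for one string. The uniqued one carries a hash before the length,
// so the two shapes disagree on where `length` lives.
struct PlainRecord   { uint32_t length; };                 // followed by `length` chars
struct UniquedRecord { uint32_t hash; uint32_t length; };  // followed by `length` chars

enum class Kind { Plain, Uniqued };

static uint32_t toyHash(const StringImpl& s) {
    uint32_t h = 2166136261u; // FNV-1a, good enough for a demo
    for (unsigned char c : s) { h ^= c; h *= 16777619u; }
    return h;
}

struct Encoder {
    std::vector<uint8_t> bytes;
    std::map<const StringImpl*, size_t> offsetOf; // pointer -> offset, blind to Kind
    bool shareLayout;                             // false reproduces the bug, true the fix
    explicit Encoder(bool share) : shareLayout(share) {}

    template <typename T> void put(const T& v) {
        const uint8_t* p = reinterpret_cast<const uint8_t*>(&v);
        bytes.insert(bytes.end(), p, p + sizeof(T));
    }

    size_t encode(const StringImpl* s, Kind kind) {
        auto it = offsetOf.find(s);
        if (it != offsetOf.end())
            return it->second; // reused even if the first encode used the other Kind
        size_t offset = bytes.size();
        offsetOf[s] = offset;
        // Fix: every string is written in the richer layout, so an offset recorded
        // under either Kind decodes the same way.
        if (shareLayout || kind == Kind::Uniqued)
            put(UniquedRecord{toyHash(*s), static_cast<uint32_t>(s->size())});
        else
            put(PlainRecord{static_cast<uint32_t>(s->size())});
        bytes.insert(bytes.end(), s->begin(), s->end());
        return offset;
    }
};

struct Decoder {
    const std::vector<uint8_t>& bytes;
    std::map<size_t, StringImpl> decoded; // offset -> object, the decoder-side dedup map
    bool shareLayout;
    Decoder(const std::vector<uint8_t>& b, bool share) : bytes(b), shareLayout(share) {}

    template <typename T> T get(size_t at) const {
        if (at + sizeof(T) > bytes.size()) throw std::out_of_range("record header past end");
        T v;
        std::memcpy(&v, bytes.data() + at, sizeof(T));
        return v;
    }

    // Decode the record at `offset` as `kind`. The payload is bounds-checked so a
    // shape mismatch surfaces as an exception instead of an over-read.
    const StringImpl& decode(size_t offset, Kind kind) {
        auto it = decoded.find(offset);
        if (it != decoded.end()) return it->second;
        size_t headerSize; uint32_t length;
        if (shareLayout || kind == Kind::Uniqued) {
            headerSize = sizeof(UniquedRecord); length = get<UniquedRecord>(offset).length;
        } else {
            headerSize = sizeof(PlainRecord); length = get<PlainRecord>(offset).length;
        }
        size_t start = offset + headerSize;
        if (start + length > bytes.size()) throw std::out_of_range("payload past end of cache");
        const char* chars = reinterpret_cast<const char*>(bytes.data() + start);
        return decoded.emplace(offset, StringImpl(chars, length)).first->second;
    }
};

// Scenario 3.2 from the entry: encode S as plain, then again as uniqued (the same offset
// comes back), then decode that offset through the uniqued path first.
// Returns true when the string round-trips, false when the two shapes disagree.
static bool roundTrips(bool shareLayout) {
    StringImpl s = "hello";
    Encoder enc(shareLayout);
    size_t plainOffset = enc.encode(&s, Kind::Plain);
    size_t uniquedOffset = enc.encode(&s, Kind::Uniqued);
    Decoder dec(enc.bytes, shareLayout);
    try {
        return plainOffset == uniquedOffset && dec.decode(uniquedOffset, Kind::Uniqued) == s;
    } catch (const std::out_of_range&) {
        return false; // the mismatched record shape was caught by the bounds check
    }
}
```
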
2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>

        UnlinkedCodeBlock constructor from cache should initialize m_didOptimize
        https://bugs.webkit.org/show_bug.cgi?id=196396

        Reviewed by Saam Barati.

        The UnlinkedCodeBlock constructor in CachedTypes was missing the initialization
        of m_didOptimize, which leads to crashes in CodeBlock::thresholdForJIT.

        * runtime/CachedTypes.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):

2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rolling in r243843 with the build fix
        https://bugs.webkit.org/show_bug.cgi?id=196586

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/RandomizingFuzzerAgent.cpp:
        (JSC::RandomizingFuzzerAgent::getPrediction):

2019-04-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243843.

        Broke CLoop and Windows builds.

        Reverted changeset:

        "[JSC] Add dump feature for RandomizingFuzzerAgent"
        https://bugs.webkit.org/show_bug.cgi?id=196586
        https://trac.webkit.org/changeset/243843

2019-04-03  Robin Morisset  <rmorisset@apple.com>

        B3 should use associativity to optimize expression trees
        https://bugs.webkit.org/show_bug.cgi?id=194081

        Reviewed by Filip Pizlo.

        This patch adds a new B3 pass that tries to find and optimize expression trees made purely of any one associative and commutative operator (Add/Mul/BitOr/BitAnd/BitXor).
        The pass only runs in O2, and runs once, after lowerMacros and just before a run of B3ReduceStrength (which helps clean up the dead code it tends to leave behind).
        I had to separate killDeadCode out of B3ReduceStrength (as a new B3EliminateDeadCode pass) to run it before B3OptimizeAssociativeExpressionTrees, as otherwise it is stopped by high use counts
        inherited from CSE.
        This extra run of DCE is by itself a win, most notably on microbenchmarks/instanceof-always-hit-two (1.5x faster), and on microbenchmarks/licm-dragons(-out-of-bounds) (both get a 1.16x speedup).
        I suspect it is because it runs between CSE and tail-dedup, and as a result allows a lot more tail-dedup to occur.

        The pass is currently extremely conservative, not trying anything if it would cause _any_ code duplication.
        For this purpose, it starts by computing use counts for the potentially interesting nodes (those with the right opcodes), and segregates them into expression trees.
        The root of an expression tree is a node that is either used in multiple places, or is used by a value with a different opcode.
        The leaves of an expression tree are nodes that are either used in multiple places, or have a different opcode.
        All constant leaves of a tree are combined, as well as all leaves that are identical. What remains is then laid out into a balanced binary tree, hopefully maximizing ILP.

        This optimization was implemented as a stand-alone pass and not as part of B3ReduceStrength mostly because it needs use counts to avoid code duplication.
        It also benefits from finding all tree roots first, and not trying to repeatedly optimize subtrees.

        I added several tests to testB3 with varying patterns of trees. It is also tested in a less focused way by lots of older tests.

        In the future this pass could be expanded to allow some bounded amount of code duplication, and merging more leaves (e.g. Mul(a, 3) and a in an Add tree, into Mul(a, 4)).
        The latter will need exposing the peephole optimizations out of B3ReduceStrength to avoid duplicating code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Common.cpp:
        (JSC::B3::shouldDumpIR):
        (JSC::B3::shouldDumpIRAtEachPhase):
        * b3/B3Common.h:
        * b3/B3EliminateDeadCode.cpp: Added.
        (JSC::B3::EliminateDeadCode::run):
        (JSC::B3::eliminateDeadCode):
        * b3/B3EliminateDeadCode.h: Added.
        (JSC::B3::EliminateDeadCode::EliminateDeadCode):
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3OptimizeAssociativeExpressionTrees.cpp: Added.
        (JSC::B3::OptimizeAssociativeExpressionTrees::OptimizeAssociativeExpressionTrees):
        (JSC::B3::OptimizeAssociativeExpressionTrees::neutralElement):
        (JSC::B3::OptimizeAssociativeExpressionTrees::isAbsorbingElement):
        (JSC::B3::OptimizeAssociativeExpressionTrees::combineConstants):
        (JSC::B3::OptimizeAssociativeExpressionTrees::emitValue):
        (JSC::B3::OptimizeAssociativeExpressionTrees::optimizeRootedTree):
        (JSC::B3::OptimizeAssociativeExpressionTrees::run):
        (JSC::B3::optimizeAssociativeExpressionTrees):
        * b3/B3OptimizeAssociativeExpressionTrees.h: Added.
        * b3/B3ReduceStrength.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::replaceWithIdentity):
        * b3/testb3.cpp:
        (JSC::B3::testBitXorTreeArgs):
        (JSC::B3::testBitXorTreeArgsEven):
        (JSC::B3::testBitXorTreeArgImm):
        (JSC::B3::testAddTreeArg32):
        (JSC::B3::testMulTreeArg32):
        (JSC::B3::testBitAndTreeArg32):
        (JSC::B3::testBitOrTreeArg32):
        (JSC::B3::run):

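A sketch of the tree pass described in the entry above, added here and not taken from B3OptimizeAssociativeExpressionTrees.cpp: a toy IR with use counts, leaf collection that stops at shared values or other opcodes, constant folding, and a balanced re-layout. Node, Graph and the leaf-merging rules are this example's own simplifications of the pass.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

// Constructed toy IR (not B3's Value/Procedure) to sketch the expression-tree pass.
enum class Op { Arg, Const, Add, Mul, BitAnd, BitOr, BitXor };
struct Node { Op op; int32_t value = 0; Node* a = nullptr; Node* b = nullptr; }; // value: Const payload or Arg index

struct Graph {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* make(Op op, int32_t v = 0, Node* a = nullptr, Node* b = nullptr) {
        nodes.push_back(std::make_unique<Node>(Node{op, v, a, b}));
        return nodes.back().get();
    }
    Node* cst(int32_t v) { return make(Op::Const, v); }
};
using Uses = std::map<const Node*, int>;

// 32-bit wrapping semantics, as in B3's Int32 ops.
static int32_t apply(Op op, int32_t x, int32_t y) {
    uint32_t ux = static_cast<uint32_t>(x), uy = static_cast<uint32_t>(y);
    switch (op) {
    case Op::Add:    return static_cast<int32_t>(ux + uy);
    case Op::Mul:    return static_cast<int32_t>(ux * uy);
    case Op::BitAnd: return x & y;
    case Op::BitOr:  return x | y;
    default:         return x ^ y;
    }
}
static int32_t neutral(Op op) { return op == Op::Mul ? 1 : op == Op::BitAnd ? -1 : 0; }
static int32_t eval(const Node* n, const std::vector<int32_t>& args) {
    if (n->op == Op::Arg) return args[n->value];
    if (n->op == Op::Const) return n->value;
    return apply(n->op, eval(n->a, args), eval(n->b, args));
}
static int depth(const Node* n) { return n->a ? 1 + std::max(depth(n->a), depth(n->b)) : 0; }

// Use counts over the whole graph: the pass never duplicates a value used elsewhere.
static Uses useCounts(const Graph& g) {
    Uses uses;
    for (const auto& n : g.nodes) { if (n->a) ++uses[n->a]; if (n->b) ++uses[n->b]; }
    return uses;
}

// A child stays inside the tree only if it has the root's opcode and exactly one use;
// anything else (other opcode, shared value, Arg, Const) is a leaf.
static void collectLeaves(Node* n, Op op, const Uses& uses, std::vector<Node*>& leaves) {
    for (Node* child : {n->a, n->b}) {
        if (child->op == op && uses.at(child) == 1) collectLeaves(child, op, uses, leaves);
        else leaves.push_back(child);
    }
}

// Fold constant leaves, merge identical leaves, then lay the rest out as a balanced tree.
// The merging rules are this example's simplification of the pass, not B3's exact ones.
static Node* optimizeRootedTree(Graph& g, Node* root, const Uses& uses) {
    const Op op = root->op;
    std::vector<Node*> leaves;
    collectLeaves(root, op, uses, leaves);
    int32_t folded = neutral(op);
    std::map<Node*, int> multiplicity;
    std::vector<Node*> order; // first-seen order keeps the rewrite deterministic
    for (Node* leaf : leaves) {
        if (leaf->op == Op::Const) { folded = apply(op, folded, leaf->value); continue; }
        if (!multiplicity.count(leaf)) order.push_back(leaf);
        ++multiplicity[leaf];
    }
    std::vector<Node*> operands;
    for (Node* leaf : order) {
        int k = multiplicity[leaf];
        if (op == Op::BitAnd || op == Op::BitOr) operands.push_back(leaf);                 // idempotent
        else if (op == Op::BitXor) { if (k % 2) operands.push_back(leaf); }                  // pairs cancel
        else if (op == Op::Add && k > 1) operands.push_back(g.make(Op::Mul, 0, leaf, g.cst(k))); // x+x+x -> x*3
        else for (int i = 0; i < k; ++i) operands.push_back(leaf);
    }
    if (folded != neutral(op) || operands.empty()) operands.push_back(g.cst(folded));
    // Balanced layout: pair neighbours round by round, so depth is about log2 of the leaf count.
    while (operands.size() > 1) {
        std::vector<Node*> next;
        for (size_t i = 0; i + 1 < operands.size(); i += 2) next.push_back(g.make(op, 0, operands[i], operands[i + 1]));
        if (operands.size() % 2) next.push_back(operands.back());
        operands.swap(next);
    }
    return operands.front();
}

struct Demo { int32_t before; int32_t after; int depthBefore; int depthAfter; };

// A left-leaning chain a+1+b+2+c+3+a, the kind of tree CSE and lowering tend to leave behind.
static Demo runDemo() {
    Graph g;
    Node* a = g.make(Op::Arg, 0); Node* b = g.make(Op::Arg, 1); Node* c = g.make(Op::Arg, 2);
    Node* t = a;
    for (Node* next : {g.cst(1), b, g.cst(2), c, g.cst(3), a}) t = g.make(Op::Add, 0, t, next);
    const std::vector<int32_t> args{5, 7, 11}; // constructed inputs
    Demo d{eval(t, args), 0, depth(t), 0};
    Node* optimized = optimizeRootedTree(g, t, useCounts(g)); // becomes (a*2 + b) + (c + 6)
    d.after = eval(optimized, args);
    d.depthAfter = depth(optimized);
    return d;
}
```
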
2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add dump feature for RandomizingFuzzerAgent
        https://bugs.webkit.org/show_bug.cgi?id=196586

        Reviewed by Saam Barati.

        Towards deterministic tests for the results from the randomizing fuzzer agent, this patch adds Options::dumpRandomizingFuzzerAgentPredictions, which dumps the generated types.
        The results look like this.

            getPrediction name:(#C2q9xD),bytecodeIndex:(22),original:(Array),generated:(OtherObj|Array|Float64Array|BigInt|NonIntAsDouble)
            getPrediction name:(makeUnwriteableUnconfigurableObject#AiEJv1),bytecodeIndex:(14),original:(OtherObj),generated:(Final|Uint8Array|Float64Array|SetObject|WeakSetObject|BigInt|NonIntAsDouble)

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/RandomizingFuzzerAgent.cpp:
        (JSC::RandomizingFuzzerAgent::getPrediction):

2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>

        -apple-trailing-word is needed for browser detection
        https://bugs.webkit.org/show_bug.cgi?id=196575

        Unreviewed.

        * Configurations/FeatureDefines.xcconfig:

2019-04-03  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
        https://bugs.webkit.org/show_bug.cgi?id=196477

        Reviewed by Keith Miller.

        The problem here is that when we advance the index by 2 for a character class that only
        has non-BMP characters, we might go past the end of the string.  This can happen for
        greedy counted character classes that are part of an alternative where there is one
        character to match after the greedy non-BMP character class.

        The "do we have string left to match" check at the top of the JIT loop for the counted
        character class checks to see if index is not equal to the string length.  For non-BMP
        character classes, we need to check to see if there are at least 2 characters left.
        Therefore we now temporarily add 1 to the current index before comparing.  This checks
        to see if there are at least 2 characters left to match, instead of 1.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

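The bounds condition from the entry above, modelled as an added example (not Yarr's generated code): the same greedy loop under the old `index != length` guard and under the guard that demands two units left. `matchNonBMPGreedy` and `sampleInput` are constructed for this illustration.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of the loop the entry describes; not Yarr's JIT code.
// A character class that contains only non-BMP characters consumes one surrogate
// pair, i.e. two UTF-16 units, per match.
static bool isHighSurrogate(char16_t u) { return u >= 0xD800 && u <= 0xDBFF; }
static bool isLowSurrogate(char16_t u)  { return u >= 0xDC00 && u <= 0xDFFF; }

struct GreedyResult { size_t matched; size_t endIndex; bool overRead; };

// Greedily match the pair-only class starting at `index`, advancing by 2 per match.
// With `fixed == false` the loop guard is the old "index != length" test, which
// admits a body that touches s[index + 1] when only one unit remains; with
// `fixed == true` the guard requires at least two units left (index + 1 < length).
static GreedyResult matchNonBMPGreedy(const std::vector<char16_t>& s, size_t index, bool fixed) {
    GreedyResult r{0, index, false};
    const size_t length = s.size();
    while (fixed ? (index + 1 < length) : (index != length)) {
        if (index + 1 >= length) { // only reachable through the old guard
            r.overRead = true;     // the JIT would read s[length] here; we stop instead
            break;
        }
        if (!isHighSurrogate(s[index]) || !isLowSurrogate(s[index + 1])) break;
        index += 2;
        ++r.matched;
    }
    r.endIndex = index;
    return r;
}

// Two U+1F600 pairs followed by a single BMP unit: the shape from the entry, where one
// character still has to match after the greedy class (constructed input).
static std::vector<char16_t> sampleInput() { return {0xD83D, 0xDE00, 0xD83D, 0xDE00, u'x'}; }
```
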
2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
        https://bugs.webkit.org/show_bug.cgi?id=196574

        Reviewed by Saam Barati.

        This patch adds the missing exception check in operationArrayIndexOfValueInt32OrContiguous.

        * dfg/DFGOperations.cpp:

2019-04-03  Don Olmstead  <don.olmstead@sony.com>

        [CMake][WTF] Mirror XCode header directories
        https://bugs.webkit.org/show_bug.cgi?id=191662

        Reviewed by Konstantin Tokarev.

        Use WTFFramework as a dependency and include frameworks/WTF.cmake for AppleWin internal
        builds.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add FuzzerAgent, which has a hooks to get feedback & inject fuzz data into JSC
        https://bugs.webkit.org/show_bug.cgi?id=196530

        Reviewed by Saam Barati.

        This patch adds a FuzzerAgent interface and a simple RandomizingFuzzerAgent to JSC.
        This RandomizingFuzzerAgent returns a random SpeculatedType for value profiling to find
        issues in JSC. The seed for randomization can be specified by seedOfRandomizingFuzzerAgent.

        I ran this with seedOfRandomizingFuzzerAgent=1 last night and it found 3 failures in the current JSC tests;
        they should be fixed in subsequent patches.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        * runtime/FuzzerAgent.cpp: Added.
        (JSC::FuzzerAgent::~FuzzerAgent):
        (JSC::FuzzerAgent::getPrediction):
        * runtime/FuzzerAgent.h: Added.
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/Options.h:
        * runtime/RandomizingFuzzerAgent.cpp: Added.
        (JSC::RandomizingFuzzerAgent::RandomizingFuzzerAgent):
        (JSC::RandomizingFuzzerAgent::getPrediction):
        * runtime/RandomizingFuzzerAgent.h: Added.
        * runtime/RegExpCachedResult.h:
        * runtime/RegExpGlobalData.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::fuzzerAgent const):
        (JSC::VM::setFuzzerAgent):

2019-04-03  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove support for -apple-trailing-word
        https://bugs.webkit.org/show_bug.cgi?id=196525

        Reviewed by Zalan Bujtas.

        This CSS property is nonstandard and not used.

        * Configurations/FeatureDefines.xcconfig:

2019-04-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remote Inspector indicate callback should always happen on the main thread
        https://bugs.webkit.org/show_bug.cgi?id=196513
        <rdar://problem/49498284>

        Reviewed by Devin Rousso.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage):
        When we have a WebThread, don't just run on the WebThread,
        run on the MainThread with the WebThreadLock.

2019-04-02  Michael Saboff  <msaboff@apple.com>

        Crash in Options::setOptions() using --configFile option and libgmalloc
        https://bugs.webkit.org/show_bug.cgi?id=196506

        Reviewed by Keith Miller.

        Changed to call CString::data() while making the call to Options::setOptions().  This keeps
        the implicit CString temporary alive until after setOptions() returns.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2019-04-02  Fujii Hironori  <Hironori.Fujii@sony.com>

        [CMake] WEBKIT_MAKE_FORWARDING_HEADERS shouldn't use POST_BUILD to copy generated headers
        https://bugs.webkit.org/show_bug.cgi?id=182757

        Reviewed by Don Olmstead.

        * CMakeLists.txt: Do not use the DERIVED_SOURCE_DIRECTORIES parameter
        of WEBKIT_MAKE_FORWARDING_HEADERS. Added generated headers to
        JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS.

2019-04-02  Saam barati  <sbarati@apple.com>

        Add a ValueRepReduction phase
        https://bugs.webkit.org/show_bug.cgi?id=196234

        Reviewed by Filip Pizlo.

        This patch adds a ValueRepReduction phase. The main idea here is
        to try to reduce DoubleRep(RealNumberUse:ValueRep(DoubleRepUse:@x))
        to just be @x. This patch handles the above strength reduction rules
        as long as we prove that all users of the ValueRep can be converted
        to using the incoming double value. That way we prevent introducing
        a parallel live range for the double value.

        This patch tracks the uses of the ValueRep through Phi variables,
        so we can convert entire Phi variables to being Double instead
        of JSValue if the Phi also has only double uses.

        This is implemented through a simple escape analysis. DoubleRep(RealNumberUse:)
        and OSR exit hints are not counted as escapes. All other uses are counted
        as escapes. Connected Phi graphs are converted to being Double only if the
        entire graph is ok with the result being Double.

        Some ways we could extend this phase in the future:
        - There are a lot of DoubleRep(NumberUse:@ValueRep(@x)) uses. This ensures
          that the result of the DoubleRep of @x is not impure NaN. We could
          handle this case if we introduced a PurifyNaN node and replaced the DoubleRep
          with PurifyNaN(@x). Alternatively, we could see if certain users of this
          DoubleRep are okay with impure NaN flowing into them; we'd need to ensure
          their output type is always treated as if the input is impure NaN.
        - We could do sinking of ValueRep where we think it's profitable. So instead
          of an escape making it so we never represent the variable as a Double, we
          could make the escape reconstruct the JSValueRep where profitable.
        - We can extend this phase to handle Int52Rep if it's profitable.
        - We can opt other nodes into accepting incoming Doubles so we no longer
          treat them as escapes.

        This patch is somewhere between neutral and a 1% progression on JetStream 2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGValueRepReductionPhase.cpp: Added.
        (JSC::DFG::ValueRepReductionPhase::ValueRepReductionPhase):
        (JSC::DFG::ValueRepReductionPhase::run):
        (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):
        (JSC::DFG::performValueRepReduction):
        * dfg/DFGValueRepReductionPhase.h: Added.
        * runtime/Options.h:

2019-04-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSRunLoopTimer::Manager should be small
        https://bugs.webkit.org/show_bug.cgi?id=196425

        Reviewed by Darin Adler.

        Using a very large Key or Value in HashMap potentially bloats memory, since HashMap pre-allocates a large amount of
        memory ((sizeof(Key) + sizeof(Value)) * N) for its backing storage's array. We use std::unique_ptr<> for JSRunLoopTimer's
        PerVMData to keep HashMap's backing store size small.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::Manager::timerDidFire):
        (JSC::JSRunLoopTimer::Manager::registerVM):
        (JSC::JSRunLoopTimer::Manager::scheduleTimer):
        (JSC::JSRunLoopTimer::Manager::cancelTimer):
        (JSC::JSRunLoopTimer::Manager::timeUntilFire):
        (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
        * runtime/JSRunLoopTimer.h:

2019-04-01  Stephan Szabo  <stephan.szabo@sony.com>

        [PlayStation] Add initialization for JSC shell for PlayStation port
        https://bugs.webkit.org/show_bug.cgi?id=195411

        Reviewed by Ross Kirsling.

        Add ps options

        * shell/PlatformPlayStation.cmake: Added.
        * shell/playstation/Initializer.cpp: Added.
        (initializer):

2019-04-01  Michael Catanzaro  <mcatanzaro@igalia.com>

        Stop trying to support building JSC with clang 3.8
        https://bugs.webkit.org/show_bug.cgi?id=195947
        <rdar://problem/49069219>

        Reviewed by Darin Adler.

        It seems WebKit hasn't built with clang 3.8 in a while, no devs are using this compiler, we
        don't know how much effort it would be to make JSC work again, and it's making the code
        worse. Remove my hacks to support clang 3.8 from JSC.

        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::clone const):
        * bytecode/InstanceOfAccessCase.cpp:
        (JSC::InstanceOfAccessCase::clone const):
        * bytecode/IntrinsicGetterAccessCase.cpp:
        (JSC::IntrinsicGetterAccessCase::clone const):
        * bytecode/ModuleNamespaceAccessCase.cpp:
        (JSC::ModuleNamespaceAccessCase::clone const):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::clone const):

2019-03-31  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Butterfly allocation from LargeAllocation should try "realloc" behavior if collector thread is not active
        https://bugs.webkit.org/show_bug.cgi?id=196160

        Reviewed by Saam Barati.

        "realloc" can be effective in terms of peak/current memory footprint when realloc succeeds because,

        1. It does not allocate additional memory while expanding a vector
        2. It does not deallocate the old memory; it just reuses the current memory by expanding it, so that the memory footprint is tight even before scavenging

        We found that we can "realloc" large butterflies when certain conditions are met because,

        1. If it goes to LargeAllocation, this memory region is never reused until GC sweeps it.
        2. Butterflies are owned by owner JSObjects, so we know the lifetime of Butterflies.

        This patch attempts to use "realloc" on butterflies if,

        1. Butterflies are allocated in the LargeAllocation kind
        2. The concurrent collector is not active
        3. Butterflies do not have property storage

        The condition (2) is required to avoid deallocating butterflies while the concurrent collector looks into them. The condition (3) is
        also required to avoid deallocating butterflies while the concurrent compiler looks into them.

        We also change the LargeAllocation mechanism to use "malloc" and "free" instead of "posix_memalign". This allows us to use "realloc"
        safely on all platforms. Since LargeAllocation uses alignment to distinguish LargeAllocation and MarkedBlock, we manually adjust
        16B alignment by allocating 8B more memory in "malloc".

        Speedometer2 and JetStream2 are neutral. RAMification shows about 1% progression (even in some of the JIT tests).

        * heap/AlignedMemoryAllocator.h:
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::tryAllocateSlow):
        (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
        * heap/CompleteSubspace.h:
        * heap/FastMallocAlignedMemoryAllocator.cpp:
        (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory):
        (JSC::FastMallocAlignedMemoryAllocator::freeMemory):
        (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory):
        * heap/FastMallocAlignedMemoryAllocator.h:
        * heap/GigacageAlignedMemoryAllocator.cpp:
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeMemory):
        (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory):
        * heap/GigacageAlignedMemoryAllocator.h:
        * heap/IsoAlignedMemoryAllocator.cpp:
        (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory):
        (JSC::IsoAlignedMemoryAllocator::freeMemory):
        (JSC::IsoAlignedMemoryAllocator::tryReallocateMemory):
        * heap/IsoAlignedMemoryAllocator.h:
        * heap/LargeAllocation.cpp:
        (JSC::isAlignedForLargeAllocation):
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::tryReallocate):
        (JSC::LargeAllocation::LargeAllocation):
        (JSC::LargeAllocation::destroy):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::indexInSpace):
        (JSC::LargeAllocation::setIndexInSpace):
        (JSC::LargeAllocation::basePointer const):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweepLargeAllocations):
        (JSC::MarkedSpace::prepareForConservativeScan):
        * heap/WeakSet.h:
        (JSC::WeakSet::isTriviallyDestructible const):
        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::reallocArrayRightIfPossible):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

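The alignment bookkeeping that makes "realloc" usable for large blocks, as an added example that is not JSC's LargeAllocation: 8 bytes of headroom, a header flag recording whether the start was bumped, and a reallocate path that re-derives the flag and shifts the contents when the alignment residue changes. LargeBlock and its sizes are this example's assumptions, and the concurrency conditions (2) and (3) from the entry are out of scope here.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

// Constructed model of a realloc-friendly large block; not JSC's LargeAllocation.
// Assumptions for this example: block headers must start 16-byte aligned, the
// allocator only promises 8-byte alignment, so every allocation gets 8 bytes of
// headroom and the header records whether it was bumped. free/realloc always
// receive the pointer the allocator actually returned (basePointer).
constexpr size_t kAlignment = 16;
constexpr size_t kHalfAlignment = kAlignment / 2;

struct alignas(kAlignment) LargeBlock {
    size_t capacity;        // payload bytes available after the header
    bool adjustedAlignment; // header sits kHalfAlignment past the allocator's pointer

    static bool isAligned(const void* p) { return (reinterpret_cast<uintptr_t>(p) & (kAlignment - 1)) == 0; }
    void* basePointer() { return reinterpret_cast<char*>(this) - (adjustedAlignment ? kHalfAlignment : 0); }
    void* payload() { return this + 1; } // header size is a multiple of kAlignment, so payload is aligned too

    // Place a header at the first aligned address inside `space`, which must carry
    // kHalfAlignment bytes of headroom beyond header + capacity.
    static LargeBlock* place(void* space, size_t capacity) {
        bool adjusted = !isAligned(space);
        if (adjusted) space = static_cast<char*>(space) + kHalfAlignment; // 8 mod 16 -> 0 mod 16
        return new (space) LargeBlock{capacity, adjusted};
    }
    static LargeBlock* tryCreate(size_t capacity) {
        void* space = std::malloc(sizeof(LargeBlock) + capacity + kHalfAlignment);
        return space ? place(space, capacity) : nullptr;
    }
    // Grow or shrink through realloc. On failure the old block is left untouched.
    static LargeBlock* tryReallocate(LargeBlock* old, size_t newCapacity) {
        const size_t oldCapacity = old->capacity;
        const bool oldAdjusted = old->adjustedAlignment;
        void* base = std::realloc(old->basePointer(), sizeof(LargeBlock) + newCapacity + kHalfAlignment);
        if (!base) return nullptr;
        // realloc may move us to memory with the other alignment residue; then the header
        // and payload have to shift by kHalfAlignment before the new header is written.
        const bool newAdjusted = !isAligned(base);
        char* oldHeader = static_cast<char*>(base) + (oldAdjusted ? kHalfAlignment : 0);
        char* newHeader = static_cast<char*>(base) + (newAdjusted ? kHalfAlignment : 0);
        if (newAdjusted != oldAdjusted)
            std::memmove(newHeader, oldHeader, sizeof(LargeBlock) + std::min(oldCapacity, newCapacity));
        return new (newHeader) LargeBlock{newCapacity, newAdjusted};
    }
    void destroy() { std::free(basePointer()); }
};

// Grow a block the way an array butterfly grows on append, checking that the payload
// survives and the header is still aligned afterwards.
static bool growKeepsPayload() {
    LargeBlock* block = LargeBlock::tryCreate(64);
    if (!block || !LargeBlock::isAligned(block)) return false;
    unsigned char* p = static_cast<unsigned char*>(block->payload());
    for (size_t i = 0; i < 64; ++i) p[i] = static_cast<unsigned char>(i);
    LargeBlock* grown = LargeBlock::tryReallocate(block, 4096);
    if (!grown) { block->destroy(); return false; }
    bool ok = LargeBlock::isAligned(grown) && grown->capacity == 4096;
    p = static_cast<unsigned char*>(grown->payload());
    for (size_t i = 0; i < 64; ++i) ok = ok && p[i] == static_cast<unsigned char>(i);
    grown->destroy();
    return ok;
}

// Force the bump path with a deliberately misaligned start (no allocator involved).
static bool bumpPathKeepsInvariant() {
    alignas(kAlignment) static unsigned char buffer[128];
    LargeBlock* block = LargeBlock::place(buffer + kHalfAlignment, 32); // starts 8 mod 16
    return LargeBlock::isAligned(block) && block->adjustedAlignment
        && block->basePointer() == static_cast<void*>(buffer + kHalfAlignment);
}
```
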
2019-03-31  Sam Weinig  <weinig@apple.com>

        Remove more i386 specific configurations
        https://bugs.webkit.org/show_bug.cgi?id=196430

        Reviewed by Alexey Proskuryakov.

        * Configurations/FeatureDefines.xcconfig:
        ENABLE_WEB_AUTHN_macosx can now be enabled unconditionally on macOS.

        * Configurations/ToolExecutable.xcconfig:
        ARC can be enabled unconditionally now.

2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperMap should not use Objective-C Weak map (NSMapTable with NSPointerFunctionsWeakMemory) for m_cachedObjCWrappers
        https://bugs.webkit.org/show_bug.cgi?id=196392

        Reviewed by Saam Barati.

        Weak representation in Objective-C is surprisingly costly in terms of memory. We can see that a very simple program shows 10KB memory consumption due to
        this weak wrapper map in JavaScriptCore.framework. But we do not need this weak map since Objective-C JSValue has a dealloc. It can unregister itself
        from the map when it is deallocated without using the Objective-C weak mechanism. And since Objective-C JSValue is tightly coupled to a specific JSContext,
        and the wrapper map is created per JSContext, the JSValue wrapper and the actual JavaScriptCore value are one-to-one, and [JSValue dealloc] knows which JSContext's
        wrapper map holds itself.

        1. We do not use the Objective-C weak mechanism. We use WTF::HashSet instead. When JSValue is allocated, we register it to JSWrapperMap's HashSet. And we unregister
           the JSValue from this map when the JSValue is deallocated.
        2. We use HashSet<JSValue> (logically) instead of HashMap<JSValueRef, JSValue> to keep the JSValueRef and JSValue relationship. We can achieve it because JSValue
           holds the JSValueRef inside it.

        * API/JSContext.mm:
        (-[JSContext removeWrapper:]):
        * API/JSContextInternal.h:
        * API/JSValue.mm:
        (-[JSValue dealloc]):
        (-[JSValue initWithValue:inContext:]):
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (WrapperKey::hashTableDeletedValue):
        (WrapperKey::WrapperKey):
        (WrapperKey::isHashTableDeletedValue const):
        (WrapperKey::Hash::hash):
        (WrapperKey::Hash::equal):
        (WrapperKey::Traits::isEmptyValue):
        (WrapperKey::Translator::hash):
        (WrapperKey::Translator::equal):
        (WrapperKey::Translator::translate):
        (-[JSWrapperMap initWithGlobalContextRef:]):
        (-[JSWrapperMap dealloc]):
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
        (-[JSWrapperMap removeWrapper:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2019-03-29  Robin Morisset  <rmorisset@apple.com>

        B3ReduceStrength should know that Mul distributes over Add and Sub
        https://bugs.webkit.org/show_bug.cgi?id=196325

        Reviewed by Michael Saboff.

        In this patch I add the following patterns to B3ReduceStrength:
        - Turn this: Integer Neg(Mul(value, c))
          Into this: Mul(value, -c), as long as -c does not overflow
        - Turn these: Integer Mul(value, Neg(otherValue)) and Integer Mul(Neg(value), otherValue)
          Into this: Neg(Mul(value, otherValue))
        - For Op==Add or Sub, turn any of these:
             Op(Mul(x1, x2), Mul(x1, x3))
             Op(Mul(x2, x1), Mul(x1, x3))
             Op(Mul(x1, x2), Mul(x3, x1))
             Op(Mul(x2, x1), Mul(x3, x1))
          Into this: Mul(x1, Op(x2, x3))

        Also includes a trivial change: a similar reduction for the distributivity of BitAnd over BitOr/BitXor now
        emits the arguments to BitAnd in the other order, to minimize the probability that we'll spend a full fixpoint step just to flip them.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testAddMulMulArgs):
1996         (JSC::B3::testMulArgNegArg):
1997         (JSC::B3::testMulNegArgArg):
1998         (JSC::B3::testNegMulArgImm):
1999         (JSC::B3::testSubMulMulArgs):
2000         (JSC::B3::run):
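
The rewrite rules listed in this entry, as an added example that is not B3 code: a tiny expression tree with the three patterns applied at the root, plus a wrapping-Int32 evaluator to confirm each rewrite preserves the value. Node identity stands in for B3's Value pointers (so "the same x1" means the same node object); the Op enum, Node struct and function names are the example's own.

```cpp
#include <cstdint>
#include <memory>
#include <string>

// Toy IR (not B3): a node is a constant, a variable, or an operator over children.
enum class Op { Const, Var, Neg, Mul, Add, Sub };

struct Node {
    Op op;
    int32_t imm = 0;         // for Const
    std::string name;        // for Var
    std::shared_ptr<Node> a, b;
};
using NodePtr = std::shared_ptr<Node>;

static NodePtr constant(int32_t c) { auto n = std::make_shared<Node>(); n->op = Op::Const; n->imm = c; return n; }
static NodePtr var(const std::string& s) { auto n = std::make_shared<Node>(); n->op = Op::Var; n->name = s; return n; }
static NodePtr unary(Op op, NodePtr a) { auto n = std::make_shared<Node>(); n->op = op; n->a = a; return n; }
static NodePtr binary(Op op, NodePtr a, NodePtr b) { auto n = std::make_shared<Node>(); n->op = op; n->a = a; n->b = b; return n; }

// Applies one reduction step at the root; returns the input unchanged when nothing matches.
static NodePtr reduceOnce(NodePtr n)
{
    // Neg(Mul(value, c)) -> Mul(value, -c), as long as -c does not overflow.
    if (n->op == Op::Neg && n->a->op == Op::Mul && n->a->b->op == Op::Const) {
        int32_t c = n->a->b->imm;
        if (c != INT32_MIN)  // -INT32_MIN is not representable; keep the Neg
            return binary(Op::Mul, n->a->a, constant(-c));
    }
    // Mul(value, Neg(other)) and Mul(Neg(value), other) -> Neg(Mul(value, other)).
    if (n->op == Op::Mul) {
        if (n->b->op == Op::Neg)
            return unary(Op::Neg, binary(Op::Mul, n->a, n->b->a));
        if (n->a->op == Op::Neg)
            return unary(Op::Neg, binary(Op::Mul, n->a->a, n->b));
    }
    // For Op in {Add, Sub}: Op(Mul(x1, x2), Mul(x1, x3)) and the three other
    // operand orderings -> Mul(x1, Op(x2, x3)). x1 is matched by node identity.
    if ((n->op == Op::Add || n->op == Op::Sub) && n->a->op == Op::Mul && n->b->op == Op::Mul) {
        NodePtr l1 = n->a->a, l2 = n->a->b, r1 = n->b->a, r2 = n->b->b;
        if (l1 == r1) return binary(Op::Mul, l1, binary(n->op, l2, r2));
        if (l2 == r1) return binary(Op::Mul, l2, binary(n->op, l1, r2));
        if (l1 == r2) return binary(Op::Mul, l1, binary(n->op, l2, r1));
        if (l2 == r2) return binary(Op::Mul, l2, binary(n->op, l1, r1));
    }
    return n;
}

// Wrapping 32-bit evaluation (Int32 semantics), with variables x, y, z, so a
// rewrite can be checked against the original tree on concrete inputs.
static int32_t eval(const NodePtr& n, int32_t x, int32_t y, int32_t z)
{
    switch (n->op) {
    case Op::Const: return n->imm;
    case Op::Var: return n->name == "x" ? x : n->name == "y" ? y : z;
    case Op::Neg: return (int32_t)(0u - (uint32_t)eval(n->a, x, y, z));
    case Op::Mul: return (int32_t)((uint32_t)eval(n->a, x, y, z) * (uint32_t)eval(n->b, x, y, z));
    case Op::Add: return (int32_t)((uint32_t)eval(n->a, x, y, z) + (uint32_t)eval(n->b, x, y, z));
    case Op::Sub: return (int32_t)((uint32_t)eval(n->a, x, y, z) - (uint32_t)eval(n->b, x, y, z));
    }
    return 0;
}

// Node count, to show that the distributivity rewrite shrinks the tree.
static int size(const NodePtr& n)
{
    return 1 + (n->a ? size(n->a) : 0) + (n->b ? size(n->b) : 0);
}
```

The overflow guard is the part worth noting: negating INT32_MIN wraps back to INT32_MIN, so folding Neg(Mul(x, INT32_MIN)) into Mul(x, -INT32_MIN) would silently change the value; the rule simply declines to fire in that case.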
2001
2002 2019-03-29  Yusuke Suzuki  <ysuzuki@apple.com>
2003
2004         [JSC] Remove distancing for LargeAllocation
2005         https://bugs.webkit.org/show_bug.cgi?id=196335
2006
2007         Reviewed by Saam Barati.
2008
2009         In r230226, we removed the distancing feature from our GC. This patch removes the remaining distancing code in LargeAllocation.
2010
2011         * heap/HeapCell.h:
2012         * heap/LargeAllocation.cpp:
2013         (JSC::LargeAllocation::tryCreate):
2014         * heap/MarkedBlock.h:
2015
2016 2019-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2017
2018         Delete WebMetal implementation in favor of WebGPU
2019         https://bugs.webkit.org/show_bug.cgi?id=195418
2020
2021         Reviewed by Dean Jackson.
2022
2023         * Configurations/FeatureDefines.xcconfig:
2024         * inspector/protocol/Canvas.json:
2025         * inspector/scripts/codegen/generator.py:
2026
2027 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2028
2029         Assertion failed in JSC::createError
2030         https://bugs.webkit.org/show_bug.cgi?id=196305
2031         <rdar://problem/49387382>
2032
2033         Reviewed by Saam Barati.
2034
2035         JSC::createError assumes that `errorDescriptionForValue` will either
2036         throw an exception or return a valid description string. However, that
2037         is not true if the value is a rope string and we successfully resolve it,
2038         but later fail to wrap the string in quotes with `tryMakeString`.
2039
2040         * runtime/ExceptionHelpers.cpp:
2041         (JSC::createError):
2042
2043 2019-03-29  Devin Rousso  <drousso@apple.com>
2044
2045         Web Inspector: add fast returns for instrumentation hooks that have no effect before a frontend is connected
2046         https://bugs.webkit.org/show_bug.cgi?id=196382
2047         <rdar://problem/49403417>
2048
2049         Reviewed by Joseph Pecoraro.
2050
2051         Ensure that all instrumentation hooks use `FAST_RETURN_IF_NO_FRONTENDS` or check that
2052         `developerExtrasEnabled`. There should be no activity to/from any inspector objects until
2053         developer extras are enabled.
2054
2055         * inspector/agents/InspectorConsoleAgent.cpp:
2056         (Inspector::InspectorConsoleAgent::startTiming):
2057         (Inspector::InspectorConsoleAgent::stopTiming):
2058         (Inspector::InspectorConsoleAgent::count):
2059         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2060
2061 2019-03-29  Cathie Chen  <cathiechen@igalia.com>
2062
2063         Implement ResizeObserver.
2064         https://bugs.webkit.org/show_bug.cgi?id=157743
2065
2066         Reviewed by Simon Fraser.
2067
2068         Add ENABLE_RESIZE_OBSERVER.
2069
2070         * Configurations/FeatureDefines.xcconfig:
2071
2072 2019-03-28  Michael Saboff  <msaboff@apple.com>
2073
2074         [YARR] Precompute BMP / non-BMP status when constructing character classes
2075         https://bugs.webkit.org/show_bug.cgi?id=196296
2076
2077         Reviewed by Keith Miller.
2078
2079         Changed CharacterClass::m_hasNonBMPCharacters into a character width bit field which
2080         indicates if the class includes characters from either BMP, non-BMP or both ranges.
2081         This allows the recognizing code to eliminate checks for the width of a matched
2082         character when the class has only one width.  The character width is needed to
2083         determine if we advance 1 or 2 characters.  Also, the pre-computed width of character
2084         classes that contain either all BMP or all non-BMP characters allows the parser to
2085         use fixed widths for terms using those character classes.  Changed both the code gen
2086         scripts and Yarr compiler to compute this bit field during the construction of
2087         character classes.
2088
2089         For JIT'ed code of character classes that contain either all BMP or all non-BMP
2090         characters, we can eliminate the generic check we were doing to compute how much
2091         to advance after successfully matching a character in the class.
2092
2093                 Generic isBMP check      BMP only            non-BMP only
2094                 --------------           --------------      --------------
2095                 inc %r9d                 inc %r9d            add $0x2, %r9d
2096                 cmp $0x10000, %eax
2097                 jl isBMP
2098                 cmp %edx, %esi
2099                 jz atEndOfString
2100                 inc %r9d
2101                 inc %esi
2102          isBMP:
2103
2104         For character classes that contained non-BMP characters, we were always generating
2105         the code in the left column.  The middle column is the code we generate for character
2106         classes that contain only BMP characters.  The right column is the code we now
2107         generate if the character class has only non-BMP characters.  In the fixed width cases,
2108         we can eliminate both the isBMP check as well as the atEndOfString check.  The
2109         atEndOfString check is eliminated since we know how many characters this character
2110         class requires and that check can be factored out to the beginning of the current
2111         alternative.  For character classes that contain both BMP and non-BMP characters,
2112         we still generate the generic left column.
2113
2114         This change is a ~8% perf progression on UniPoker and a ~2% improvement on RexBench
2115         as a whole.
2116
2117         * runtime/RegExp.cpp:
2118         (JSC::RegExp::matchCompareWithInterpreter):
2119         * runtime/RegExpInlines.h:
2120         (JSC::RegExp::matchInline):
2121         * yarr/YarrInterpreter.cpp:
2122         (JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2123         (JSC::Yarr::Interpreter::matchCharacterClass):
2124         * yarr/YarrJIT.cpp:
2125         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2126         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2127         (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
2128         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2129         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2130         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2131         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2132         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2133         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2134         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2135         (JSC::Yarr::YarrGenerator::generateEnter):
2136         (JSC::Yarr::YarrGenerator::YarrGenerator):
2137         (JSC::Yarr::YarrGenerator::compile):
2138         * yarr/YarrPattern.cpp:
2139         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2140         (JSC::Yarr::CharacterClassConstructor::reset):
2141         (JSC::Yarr::CharacterClassConstructor::charClass):
2142         (JSC::Yarr::CharacterClassConstructor::addSorted):
2143         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2144         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2145         (JSC::Yarr::CharacterClassConstructor::characterWidths):
2146         (JSC::Yarr::PatternTerm::dump):
2147         (JSC::Yarr::anycharCreate):
2148         * yarr/YarrPattern.h:
2149         (JSC::Yarr::operator|):
2150         (JSC::Yarr::operator&):
2151         (JSC::Yarr::operator|=):
2152         (JSC::Yarr::CharacterClass::CharacterClass):
2153         (JSC::Yarr::CharacterClass::hasNonBMPCharacters):
2154         (JSC::Yarr::CharacterClass::hasOneCharacterSize):
2155         (JSC::Yarr::CharacterClass::hasOnlyNonBMPCharacters):
2156         (JSC::Yarr::PatternTerm::invert const):
2157         (JSC::Yarr::PatternTerm::invert): Deleted.
2158         * yarr/create_regex_tables:
2159         * yarr/generateYarrUnicodePropertyTables.py:
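
The width precomputation this entry describes, as an added example in plain C++ rather than Yarr code: a character class computes a BMP/non-BMP bit field once from its code point ranges, and the matcher uses a fixed advance (1 or 2 UTF-16 code units) when the class has a single width, falling back to the generic isBMP test only for mixed classes. The flag names, the UTF-16 reader and the matcher are the example's own.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Character-width bit field (example's own names, not Yarr's).
enum CharacterWidths : unsigned { HasBMP = 1, HasNonBMP = 2 };

using Ranges = std::vector<std::pair<uint32_t, uint32_t>>; // inclusive code point ranges

struct CharacterClass {
    Ranges ranges;
    unsigned widths = 0;

    explicit CharacterClass(Ranges r) : ranges(std::move(r))
    {
        // Computed once at construction instead of per matched character.
        for (auto& range : ranges) {
            if (range.first < 0x10000) widths |= HasBMP;
            if (range.second >= 0x10000) widths |= HasNonBMP;
        }
    }
    bool hasOneCharacterSize() const { return widths == HasBMP || widths == HasNonBMP; }
    bool hasOnlyNonBMPCharacters() const { return widths == HasNonBMP; }
    bool contains(uint32_t c) const
    {
        for (auto& range : ranges)
            if (c >= range.first && c <= range.second) return true;
        return false;
    }
};

// Reads one code point from UTF-16 at `index`, combining a surrogate pair when
// both halves are present; returns the code units consumed (0 at end of input).
static unsigned readCodePoint(const std::u16string& s, size_t index, uint32_t& out)
{
    if (index >= s.size()) return 0;
    uint32_t lead = s[index];
    if (lead >= 0xD800 && lead <= 0xDBFF && index + 1 < s.size()) {
        uint32_t trail = s[index + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            out = 0x10000 + ((lead - 0xD800) << 10) + (trail - 0xDC00);
            return 2;
        }
    }
    out = lead;
    return 1;
}

// Matches `cls` once at `index`; returns how far the index advances (0 on mismatch).
// A single-width class yields a constant advance, like the middle and right
// columns of the assembly above; a mixed class still needs the isBMP test.
static unsigned matchCharacterClass(const CharacterClass& cls, const std::u16string& s, size_t index)
{
    uint32_t c;
    unsigned units = readCodePoint(s, index, c);
    if (!units || !cls.contains(c)) return 0;
    if (cls.hasOneCharacterSize())
        return cls.hasOnlyNonBMPCharacters() ? 2 : 1; // fixed width: no isBMP check
    return c >= 0x10000 ? 2 : 1;                        // generic isBMP check
}
```

A range that straddles U+10000 sets both bits, which is exactly the case where the fixed-width shortcut must not be taken.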
2160
2161 2019-03-28  Saam Barati  <sbarati@apple.com>
2162
2163         BackwardsGraph needs to consider back edges as the backward's root successor
2164         https://bugs.webkit.org/show_bug.cgi?id=195991
2165
2166         Reviewed by Filip Pizlo.
2167
2168         * b3/testb3.cpp:
2169         (JSC::B3::testInfiniteLoopDoesntCauseBadHoisting):
2170         (JSC::B3::run):
2171
2172 2019-03-28  Fujii Hironori  <Hironori.Fujii@sony.com>
2173
2174         Opcode.h(159,27): warning: adding 'unsigned int' to a string does not append to the string [-Wstring-plus-int]
2175         https://bugs.webkit.org/show_bug.cgi?id=196343
2176
2177         Reviewed by Saam Barati.
2178
2179         Clang reports a compilation warning and recommends '&PADDING_STRING[PADDING_STRING_LENGTH]'
2180         instead of 'PADDING_STRING + PADDING_STRING_LENGTH'.
2181
2182         * bytecode/Opcode.cpp:
2183         (JSC::padOpcodeName): Moved padOpcodeName from Opcode.h because
2184         this function is used only in Opcode.cpp. Changed macros
2185         PADDING_STRING and PADDING_STRING_LENGTH to simple variables.
2186         (JSC::compareOpcodePairIndices): Replaced pair with std::pair.
2187         * bytecode/Opcode.h:
2188         (JSC::padOpcodeName): Moved.
2189
2190 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2191
2192         CodeBlock::jettison() should disallow repatching its own calls
2193         https://bugs.webkit.org/show_bug.cgi?id=196359
2194         <rdar://problem/48973663>
2195
2196         Reviewed by Saam Barati.
2197
2198         CodeBlock::jettison() calls CommonData::invalidate, which replaces the `hlt`
2199         instruction with the jump to OSR exit. However, if the `hlt` was immediately
2200         followed by a call to the CodeBlock being jettisoned, we would write over the
2201         OSR exit address while unlinking all the incoming CallLinkInfos later in
2202         CodeBlock::jettison().
2203
2204         Change it so that we set a flag, `clearedByJettison`, in all the CallLinkInfos
2205         owned by the CodeBlock being jettisoned. If the flag is set, we will avoid
2206         repatching the call during unlinking. This is safe because this call will never
2207         be reachable again after the CodeBlock is jettisoned.
2208
2209         * bytecode/CallLinkInfo.cpp:
2210         (JSC::CallLinkInfo::CallLinkInfo):
2211         (JSC::CallLinkInfo::setCallee):
2212         (JSC::CallLinkInfo::clearCallee):
2213         (JSC::CallLinkInfo::setCodeBlock):
2214         (JSC::CallLinkInfo::clearCodeBlock):
2215         * bytecode/CallLinkInfo.h:
2216         (JSC::CallLinkInfo::clearedByJettison):
2217         (JSC::CallLinkInfo::setClearedByJettison):
2218         * bytecode/CodeBlock.cpp:
2219         (JSC::CodeBlock::jettison):
2220         * jit/Repatch.cpp:
2221         (JSC::revertCall):
2222
2223 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2224
2225         [JSC] Drop VM and Context cache map in JavaScriptCore.framework
2226         https://bugs.webkit.org/show_bug.cgi?id=196341
2227
2228         Reviewed by Saam Barati.
2229
2230         Previously, we created Objective-C weak maps to maintain JSVirtualMachine and JSContext wrappers corresponding to VM and JSGlobalObject.
2231         But an Objective-C weak map is really memory costly. Even if there is only one entry, it consumes 2.5KB per weak map. Since we can modify
2232         JSC intrusively for JavaScriptCore.framework (and we already did it, like holding JSWrapperMap in JSGlobalObject), we can just hold
2233         a pointer to a wrapper in VM and JSGlobalObject.
2234
2235         This patch adds void* members to VM and JSGlobalObject, which hold a non-strong reference to a wrapper. When a wrapper is gone, we
2236         clear this pointer too. This removes two unnecessary Objective-C weak maps, and saves 5KB.
2237
2238         * API/JSContext.mm:
2239         (-[JSContext initWithVirtualMachine:]):
2240         (-[JSContext dealloc]):
2241         (-[JSContext initWithGlobalContextRef:]):
2242         (-[JSContext wrapperMap]):
2243         (+[JSContext contextWithJSGlobalContextRef:]):
2244         * API/JSVirtualMachine.mm:
2245         (-[JSVirtualMachine initWithContextGroupRef:]):
2246         (-[JSVirtualMachine dealloc]):
2247         (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
2248         (scanExternalObjectGraph):
2249         (scanExternalRememberedSet):
2250         (initWrapperCache): Deleted.
2251         (wrapperCache): Deleted.
2252         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Deleted.
2253         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Deleted.
2254         (-[JSVirtualMachine contextForGlobalContextRef:]): Deleted.
2255         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Deleted.
2256         * API/JSVirtualMachineInternal.h:
2257         * runtime/JSGlobalObject.h:
2258         (JSC::JSGlobalObject::setAPIWrapper):
2259         (JSC::JSGlobalObject::apiWrapper const):
2260         * runtime/VM.h:
2261
2262 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2263
2264         In-memory code cache should not share bytecode across domains
2265         https://bugs.webkit.org/show_bug.cgi?id=196321
2266
2267         Reviewed by Geoffrey Garen.
2268
2269         Use the SourceProvider's URL to make sure that the hosts match for the
2270         two SourceCodeKeys in operator==.
2271
2272         * parser/SourceCodeKey.h:
2273         (JSC::SourceCodeKey::host const):
2274         (JSC::SourceCodeKey::operator== const):
2275
2276 2019-03-28  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2277
2278         Silence lot of warnings when compiling with clang
2279         https://bugs.webkit.org/show_bug.cgi?id=196310
2280
2281         Reviewed by Michael Catanzaro.
2282
2283         Initialize variable with default constructor.
2284
2285         * API/glib/JSCOptions.cpp:
2286         (jsc_options_foreach):
2287
2288 2019-03-27  Saam Barati  <sbarati@apple.com>
2289
2290         validateOSREntryValue with Int52 should box the value being checked into double format
2291         https://bugs.webkit.org/show_bug.cgi?id=196313
2292         <rdar://problem/49306703>
2293
2294         Reviewed by Yusuke Suzuki.
2295
2296         * dfg/DFGOSREntry.cpp:
2297         (JSC::DFG::prepareOSREntry):
2298         * ftl/FTLLowerDFGToB3.cpp:
2299         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2300
2301 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
2302
2303         [JSC] Owner of watchpoints should validate at GC finalizing phase
2304         https://bugs.webkit.org/show_bug.cgi?id=195827
2305
2306         Reviewed by Filip Pizlo.
2307
2308         This patch fixes JSC's watchpoint liveness issue by the following two policies.
2309
2310         1. Watchpoints should have an owner cell, and the "fire" operation should be guarded with the owner cell's isLive check.
2311
2312         Watchpoints should hold their owner cell, and the fire procedure should be guarded by `owner->isLive()`.
2313         When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
2314         be delayed due to the incremental sweeper. So the following condition can happen.
2315
2316         When we have a watchpoint like the following.
2317
2318             class XXXWatchpoint {
2319                 ObjectPropertyCondition m_key;
2320                 JSCell* m_owner;
2321             };
2322
2323         Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
2324         is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
2325         watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
2326         we encounter the destroyed cell held in m_key. This problem can be avoided if we guard the fire procedure with
2327         `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
2328         once the destructor of m_owner is called, this watchpoint will be destroyed too.
2329
2330         2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
2331
2332         Watchpoints often hold weak references to other cells (like m_key in the above example). If we do not
2333         delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
2334         and the watchpoint's fire operation can use these dead cells accidentally. An isLive / isStillLive check for these weak cells
2335         in the fire operation is not useful, because these dead cells can be reused for other live cells eventually, and these
2336         isLive / isStillLive checks fail to see that these cells are live if they are reused. The appropriate way is to delete watchpoints
2337         with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in the owner cells of watchpoints.
2338         We already did this in CodeBlock etc. We add the same thing to StructureRareData, which owns watchpoints for toString operations.
2339
2340         * JavaScriptCore.xcodeproj/project.pbxproj:
2341         * Sources.txt:
2342         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2343         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
2344         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
2345         * bytecode/CodeBlockJettisoningWatchpoint.h:
2346         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
2347         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2348         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
2349         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2350         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2351         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
2352         * bytecode/StructureStubClearingWatchpoint.cpp:
2353         (JSC::StructureStubClearingWatchpoint::fireInternal):
2354         (JSC::WatchpointsOnStructureStubInfo::isValid const):
2355         * bytecode/StructureStubClearingWatchpoint.h:
2356         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
2357         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2358         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
2359         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2360         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2361         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2362         * dfg/DFGAdaptiveStructureWatchpoint.h:
2363         (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
2364         * dfg/DFGDesiredWatchpoints.cpp:
2365         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2366         * heap/Heap.cpp:
2367         (JSC::Heap::finalizeUnconditionalFinalizers):
2368         * llint/LLIntSlowPaths.cpp:
2369         (JSC::LLInt::setupGetByIdPrototypeCache):
2370         * runtime/ArrayBuffer.cpp:
2371         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2372         * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
2373         (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
2374         (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
2375         (JSC::ArrayBufferNeuteringWatchpointSet::create):
2376         (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
2377         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
2378         * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
2379         * runtime/FunctionRareData.h:
2380         * runtime/JSGlobalObject.cpp:
2381         (JSC::JSGlobalObject::init):
2382         (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
2383         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2384         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
2385         * runtime/StructureRareData.cpp:
2386         (JSC::StructureRareData::finalizeUnconditionally):
2387         * runtime/StructureRareData.h:
2388         * runtime/VM.cpp:
2389         (JSC::VM::VM):
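
The two policies from this entry, as an added example that is not JavaScriptCore code: a toy heap where cells carry a mark bit and are destroyed lazily (the delayed sweep the entry describes), a watchpoint that holds its owner and its key weakly and guards fire() with the owner's liveness, and an owner-side unconditional finalizer that drops watchpoints whose key died. A third scenario shows why a key->isLive() check at fire time is the wrong guard once the key's slot is reused. Cell, Watchpoint, Owner and markPhase are the example's own names.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy GC cell (not JSC's): marked by the last mark phase, destroyed by a lazy sweep.
struct Cell {
    std::string name;
    bool marked = false;     // set by the simulated marking phase
    bool destroyed = false;  // set when the (incremental) sweeper finally destroys it
    explicit Cell(std::string n) : name(std::move(n)) { }
    bool isLive() const { return marked && !destroyed; }
};

struct Watchpoint {
    Cell* owner;   // the cell whose lifetime this watchpoint is tied to
    Cell* key;     // weak: not kept alive by the watchpoint
    int fired = 0;
    Watchpoint(Cell* o, Cell* k) : owner(o), key(k) { }
    void fire()
    {
        // Policy 1: if the owner is no longer live, do nothing. The key may
        // already have been swept and `key` would then be a dangling pointer.
        if (!owner->isLive())
            return;
        ++fired;
    }
};

struct Owner {
    Cell* cell;
    std::vector<std::unique_ptr<Watchpoint>> watchpoints;
    explicit Owner(Cell* c) : cell(c) { }

    // Policy 2: in the finalizing phase of GC, delete watchpoints whose key is
    // dead, so no later fire() can ever observe that (possibly reused) memory.
    void finalizeUnconditionally()
    {
        for (size_t i = 0; i < watchpoints.size();) {
            if (!watchpoints[i]->key->isLive())
                watchpoints.erase(watchpoints.begin() + i);
            else
                ++i;
        }
    }
};

// Simulated mark phase: clear all marks, then mark the roots. Unmarked cells
// are deliberately left allocated, modelling the delayed incremental sweep.
static void markPhase(const std::vector<Cell*>& heap, const std::vector<Cell*>& roots)
{
    for (Cell* c : heap) c->marked = false;
    for (Cell* r : roots) r->marked = true;
}

// The entry's scenario: owner and key both become unreachable, the sweeper
// destroys the key first, and the watchpoint is fired before the owner's
// destructor has run. Returns true when the guarded fire() stays a no-op.
static bool dyingOwnerDoesNotFire()
{
    Cell ownerCell("owner"), keyCell("key");
    Owner owner(&ownerCell);
    owner.watchpoints.push_back(std::make_unique<Watchpoint>(&ownerCell, &keyCell));
    std::vector<Cell*> heap { &ownerCell, &keyCell };
    markPhase(heap, { &ownerCell, &keyCell });   // both reachable: firing is allowed
    owner.watchpoints[0]->fire();
    int firedWhileLive = owner.watchpoints[0]->fired;
    markPhase(heap, {});                          // both unreachable now
    keyCell.destroyed = true;                     // sweeper reaches the key first
    owner.watchpoints[0]->fire();                 // owner not live: must not run
    return firedWhileLive == 1 && owner.watchpoints[0]->fired == 1;
}

// Policy 2 scenario: the owner survives but the key dies; the finalizer removes
// the watchpoint before anything can fire it against the dead key.
static bool deadKeyIsFinalizedAway()
{
    Cell ownerCell("owner"), keyCell("key");
    Owner owner(&ownerCell);
    owner.watchpoints.push_back(std::make_unique<Watchpoint>(&ownerCell, &keyCell));
    std::vector<Cell*> heap { &ownerCell, &keyCell };
    markPhase(heap, { &ownerCell });
    owner.finalizeUnconditionally();
    return owner.watchpoints.empty();
}

// Why a key->isLive() check in fire() is insufficient: after the key dies its
// slot is reused by an unrelated cell that is live, so the check passes on the
// wrong object. Returns true when that false positive occurs.
static bool naiveKeyGuardIsFooledByReuse()
{
    Cell ownerCell("owner"), keyCell("key");
    Watchpoint wp(&ownerCell, &keyCell);
    std::vector<Cell*> heap { &ownerCell, &keyCell };
    markPhase(heap, { &ownerCell });   // key dies...
    keyCell = Cell("unrelated");       // ...and its slot is reused by a new cell
    markPhase(heap, { &ownerCell, &keyCell });
    return wp.key->isLive() && wp.key->name != "key";
}
```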
2390
2391 2019-03-26  Saam Barati  <sbarati@apple.com>
2392
2393         FTL: Emit code to validate AI's state when running the compiled code
2394         https://bugs.webkit.org/show_bug.cgi?id=195924
2395         <rdar://problem/49003422>
2396
2397         Reviewed by Filip Pizlo.
2398
2399         This patch adds code between the execution of each node that validates
2400         the types that AI proves. This option is too expensive to turn on for our
2401         regression testing, but we think it will be valuable in other types of running
2402         modes, such as when running with a fuzzer.
2403
2404         This patch also adds options to only probabilistically run this validation
2405         after the execution of each node. As the probability is lowered, there is
2406         less of a perf hit.
2407
2408         This patch just adds this validation in the FTL. A follow-up patch will land
2409         it in the DFG too: https://bugs.webkit.org/show_bug.cgi?id=196219
2410
2411         * ftl/FTLLowerDFGToB3.cpp:
2412         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2413         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2414         (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
2415         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2416         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2417         * runtime/Options.h:
2418
2419 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2420
2421         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
2422         https://bugs.webkit.org/show_bug.cgi?id=196217
2423
2424         Reviewed by Saam Barati.
2425
2426         Generalize the fix for f32.max to properly handle NaN by doing an extra GreaterThan
2427         comparison in r243446 to all min and max float operations.
2428
2429         * wasm/WasmAirIRGenerator.cpp:
2430         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2431         (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
2432         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2433         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2434         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2435         * wasm/wasm.json:
2436
2437 2019-03-26  Andy VanWagoner  <andy@vanwagoner.family>
2438
2439         Intl.DateTimeFormat should obey 2-digit hour
2440         https://bugs.webkit.org/show_bug.cgi?id=195974
2441
2442         Reviewed by Keith Miller.
2443
2444         * runtime/IntlDateTimeFormat.cpp:
2445         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2446
2447 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2448
2449         Heap::isMarked and friends should be instance methods
2450         https://bugs.webkit.org/show_bug.cgi?id=179988
2451
2452         Reviewed by Saam Barati.
2453
2454         Almost all the callers of Heap::isMarked have a VM& reference. We should make Heap::isMarked an instance function instead of a static function
2455         so that we do not need to look up Heap from the cell.
2456
2457         * API/JSAPIWrapperObject.mm:
2458         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2459         * API/JSMarkingConstraintPrivate.cpp:
2460         (JSC::isMarked):
2461         * API/glib/JSAPIWrapperObjectGLib.cpp:
2462         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2463         * builtins/BuiltinExecutables.cpp:
2464         (JSC::BuiltinExecutables::finalizeUnconditionally):
2465         * bytecode/AccessCase.cpp:
2466         (JSC::AccessCase::visitWeak const):
2467         (JSC::AccessCase::propagateTransitions const):
2468         * bytecode/CallLinkInfo.cpp:
2469         (JSC::CallLinkInfo::visitWeak):
2470         * bytecode/CallLinkStatus.cpp:
2471         (JSC::CallLinkStatus::finalize):
2472         * bytecode/CallLinkStatus.h:
2473         * bytecode/CallVariant.cpp:
2474         (JSC::CallVariant::finalize):
2475         * bytecode/CallVariant.h:
2476         * bytecode/CodeBlock.cpp:
2477         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
2478         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2479         (JSC::shouldMarkTransition):
2480         (JSC::CodeBlock::propagateTransitions):
2481         (JSC::CodeBlock::determineLiveness):
2482         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2483         (JSC::CodeBlock::finalizeUnconditionally):
2484         (JSC::CodeBlock::jettison):
2485         * bytecode/CodeBlock.h:
2486         * bytecode/ExecutableToCodeBlockEdge.cpp:
2487         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2488         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
2489         (JSC::ExecutableToCodeBlockEdge::runConstraint):
2490         * bytecode/GetByIdStatus.cpp:
2491         (JSC::GetByIdStatus::finalize):
2492         * bytecode/GetByIdStatus.h:
2493         * bytecode/GetByIdVariant.cpp:
2494         (JSC::GetByIdVariant::finalize):
2495         * bytecode/GetByIdVariant.h:
2496         * bytecode/InByIdStatus.cpp:
2497         (JSC::InByIdStatus::finalize):
2498         * bytecode/InByIdStatus.h:
2499         * bytecode/InByIdVariant.cpp:
2500         (JSC::InByIdVariant::finalize):
2501         * bytecode/InByIdVariant.h:
2502         * bytecode/ObjectPropertyCondition.cpp:
2503         (JSC::ObjectPropertyCondition::isStillLive const):
2504         * bytecode/ObjectPropertyCondition.h:
2505         * bytecode/ObjectPropertyConditionSet.cpp:
2506         (JSC::ObjectPropertyConditionSet::areStillLive const):
2507         * bytecode/ObjectPropertyConditionSet.h:
2508         * bytecode/PolymorphicAccess.cpp:
2509         (JSC::PolymorphicAccess::visitWeak const):
2510         * bytecode/PropertyCondition.cpp:
2511         (JSC::PropertyCondition::isStillLive const):
2512         * bytecode/PropertyCondition.h:
2513         * bytecode/PutByIdStatus.cpp:
2514         (JSC::PutByIdStatus::finalize):
2515         * bytecode/PutByIdStatus.h:
2516         * bytecode/PutByIdVariant.cpp:
2517         (JSC::PutByIdVariant::finalize):
2518         * bytecode/PutByIdVariant.h:
2519         * bytecode/RecordedStatuses.cpp:
2520         (JSC::RecordedStatuses::finalizeWithoutDeleting):
2521         (JSC::RecordedStatuses::finalize):
2522         * bytecode/RecordedStatuses.h:
2523         * bytecode/StructureSet.cpp:
2524         (JSC::StructureSet::isStillAlive const):
2525         * bytecode/StructureSet.h:
2526         * bytecode/StructureStubInfo.cpp:
2527         (JSC::StructureStubInfo::visitWeakReferences):
2528         * dfg/DFGPlan.cpp:
2529         (JSC::DFG::Plan::finalizeInGC):
2530         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2531         * heap/GCIncomingRefCounted.h:
2532         * heap/GCIncomingRefCountedInlines.h:
2533         (JSC::GCIncomingRefCounted<T>::filterIncomingReferences):
2534         * heap/GCIncomingRefCountedSet.h:
2535         * heap/GCIncomingRefCountedSetInlines.h:
2536         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
2537         (JSC::GCIncomingRefCountedSet<T>::sweep):
2538         (JSC::GCIncomingRefCountedSet<T>::removeAll): Deleted.
2539         (JSC::GCIncomingRefCountedSet<T>::removeDead): Deleted.
2540         * heap/Heap.cpp:
2541         (JSC::Heap::addToRememberedSet):
2542         (JSC::Heap::runEndPhase):
2543         (JSC::Heap::sweepArrayBuffers):
2544         (JSC::Heap::addCoreConstraints):
2545         * heap/Heap.h:
2546         * heap/HeapInlines.h:
2547         (JSC::Heap::isMarked):
2548         * heap/HeapSnapshotBuilder.cpp:
2549         (JSC::HeapSnapshotBuilder::appendNode):
2550         * heap/SlotVisitor.cpp:
2551         (JSC::SlotVisitor::appendToMarkStack):
2552         (JSC::SlotVisitor::visitChildren):
2553         * jit/PolymorphicCallStubRoutine.cpp:
2554         (JSC::PolymorphicCallStubRoutine::visitWeak):
2555         * runtime/ErrorInstance.cpp:
2556         (JSC::ErrorInstance::finalizeUnconditionally):
2557         * runtime/InferredValueInlines.h:
2558         (JSC::InferredValue::finalizeUnconditionally):
2559         * runtime/StackFrame.h:
2560         (JSC::StackFrame::isMarked const):
2561         * runtime/Structure.cpp:
2562         (JSC::Structure::isCheapDuringGC):
2563         (JSC::Structure::markIfCheap):
2564         * runtime/Structure.h:
2565         * runtime/TypeProfiler.cpp:
2566         (JSC::TypeProfiler::invalidateTypeSetCache):
2567         * runtime/TypeProfiler.h:
2568         * runtime/TypeSet.cpp:
2569         (JSC::TypeSet::invalidateCache):
2570         * runtime/TypeSet.h:
2571         * runtime/WeakMapImpl.cpp:
2572         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
2573         * runtime/WeakMapImplInlines.h:
2574         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
2575
2576 2019-03-25  Keith Miller  <keith_miller@apple.com>
2577
2578         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
2579         https://bugs.webkit.org/show_bug.cgi?id=196176
2580
2581         Reviewed by Saam Barati.
2582
2583         convertToCompareEqPtr should allow for either CompareStrictEq or
2584         the SameValue DFG node. This fixes the old assertion that only
2585         allowed CompareStrictEq.
2586
2587         * dfg/DFGNode.h:
2588         (JSC::DFG::Node::convertToCompareEqPtr):
2589
2590 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2591
2592         WebAssembly: f32.max with NaN generates incorrect result
2593         https://bugs.webkit.org/show_bug.cgi?id=175691
2594         <rdar://problem/33952228>
2595
2596         Reviewed by Saam Barati.
2597
2598         Fix the B3 and Air compilation for f32.max. In order to handle the NaN
2599         case, we need an extra GreaterThan comparison on top of the existing
2600         Equal and LessThan ones.
2601
2602         * wasm/WasmAirIRGenerator.cpp:
2603         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2604         * wasm/wasm.json:
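
Added worked example (not part of this ChangeLog or of JSC's sources): the three-comparison selection this entry describes, next to a constructed Equal/LessThan-only model that shows how a NaN operand slips through, both checked against the f32.max reference semantics. All function names are invented for the example.

```c
#include <math.h>
#include <stdbool.h>

/*
 * Reference semantics of WebAssembly f32.max, written out for comparison:
 *   - if either operand is NaN, the result is NaN;
 *   - if both operands are zero with opposite signs, the result is +0.0;
 *   - otherwise the result is the larger operand.
 */
static float wasm_f32_max_reference(float a, float b)
{
    if (isnan(a) || isnan(b))
        return NAN;
    if (a == 0.0f && b == 0.0f)
        return signbit(a) ? b : a; /* prefer the non-negative zero */
    return a > b ? a : b;
}

/*
 * Constructed illustration of why Equal and LessThan alone are not enough.
 * Every ordered comparison involving a NaN is false, so when `b` is NaN
 * neither branch fires and `a` (a plain number) is returned instead of NaN.
 * This is a teaching model of the failure mode, not JSC's old lowering.
 */
static float f32_max_two_comparisons(float a, float b)
{
    if (a == b)
        return signbit(a) ? b : a; /* +-0 tie-break; harmless when a == b otherwise */
    if (a < b)
        return b;
    return a; /* reached for a > b AND whenever b is NaN */
}

/*
 * Adding the third, GreaterThan, comparison makes the unordered case explicit:
 * if none of a > b, a < b, a == b holds, at least one operand is NaN.
 */
static float f32_max_three_comparisons(float a, float b)
{
    if (a > b)
        return a;
    if (a < b)
        return b;
    if (a == b)
        return signbit(a) ? b : a; /* +-0 tie-break */
    return a + b; /* unordered: the sum propagates the NaN operand */
}

/* True when `candidate` agrees with the reference on NaN-ness, value and sign of zero. */
static bool matches_reference(float (*candidate)(float, float), float a, float b)
{
    float want = wasm_f32_max_reference(a, b);
    float got = candidate(a, b);
    if (isnan(want) || isnan(got))
        return isnan(want) && isnan(got);
    return got == want && !!signbit(got) == !!signbit(want);
}
```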
2605
2606 2019-03-25  Yusuke Suzuki  <ysuzuki@apple.com>
2607
2608         Unreviewed, speculative fix for CLoop build on CPU(UNKNOWN)
2609         https://bugs.webkit.org/show_bug.cgi?id=195982
2610
2611         * jit/ExecutableAllocator.h:
2612         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2613
2614 2019-03-25  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2615
2616         Remove NavigatorContentUtils in WebCore/Modules
2617         https://bugs.webkit.org/show_bug.cgi?id=196070
2618
2619         Reviewed by Alex Christensen.
2620
2621         NavigatorContentUtils existed to support the custom scheme spec [1].
2622         However, on the WebKit side, no port has supported the feature in the
2623         WebKit layer since the EFL port was removed. So only the IDL
2624         implementation of NavigatorContentUtils has remained in WebCore,
2625         and we don't need to keep that implementation in WebCore anymore.
2626
2627         [1] https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
2628
2629         * Configurations/FeatureDefines.xcconfig:
2630
2631 2019-03-23  Mark Lam  <mark.lam@apple.com>
2632
2633         Rolling out r243032 and r243071 because the fix is incorrect.
2634         https://bugs.webkit.org/show_bug.cgi?id=195892
2635         <rdar://problem/48981239>
2636
2637         Not reviewed.
2638
2639         The fix is incorrect: it relies on being able to determine liveness of an object
2640         in an ObjectPropertyCondition based on the state of the object's MarkedBit.
2641         However, there's no guarantee that GC has run and that the MarkedBit is already
2642         set even if the object is live.  As a result, we may not re-install adaptive
2643         watchpoints based on presumed dead objects which are actually live.
2644
2645         I'm rolling this out, and will implement a more comprehensive fix to handle
2646         watchpoint liveness later.
2647
2648         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2649         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2650         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2651         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2652         * bytecode/ObjectPropertyCondition.cpp:
2653         (JSC::ObjectPropertyCondition::dumpInContext const):
2654         * bytecode/StructureStubClearingWatchpoint.cpp:
2655         (JSC::StructureStubClearingWatchpoint::fireInternal):
2656         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2657         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2658         * runtime/StructureRareData.cpp:
2659         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2660
2661 2019-03-23  Keith Miller  <keith_miller@apple.com>
2662
2663         Refactor clz/ctz and fix getLSBSet.
2664         https://bugs.webkit.org/show_bug.cgi?id=196162
2665
2666         Reviewed by Saam Barati.
2667
2668         Refactor references of clz32/64 and ctz32 to use clz and ctz,
2669         respectively.
2670
2671         * dfg/DFGAbstractInterpreterInlines.h:
2672         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2673         * dfg/DFGOperations.cpp:
2674         * runtime/JSBigInt.cpp:
2675         (JSC::JSBigInt::digitDiv):
2676         (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
2677         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2678         (JSC::JSBigInt::toStringBasePowerOfTwo):
2679         (JSC::JSBigInt::compareToDouble):
2680         * runtime/MathObject.cpp:
2681         (JSC::mathProtoFuncClz32):
2682
2683 2019-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
2684
2685         [JSC] Shrink sizeof(RegExp)
2686         https://bugs.webkit.org/show_bug.cgi?id=196133
2687
2688         Reviewed by Mark Lam.
2689
2690         Some applications have many RegExp cells. But RegExp cells are very large (144B).
2691         This patch reduces the size from 144B to 48B by:
2692
2693         1. Allocating Yarr::YarrCodeBlock in the non-GC heap; we can avoid this allocation if the JIT is disabled.
2694         2. Moving m_captureGroupNames and m_namedGroupToParenIndex to RareData; they are only used when the RegExp has named capture groups.
2695
2696         * runtime/RegExp.cpp:
2697         (JSC::RegExp::finishCreation):
2698         (JSC::RegExp::estimatedSize):
2699         (JSC::RegExp::compile):
2700         (JSC::RegExp::matchConcurrently):
2701         (JSC::RegExp::compileMatchOnly):
2702         (JSC::RegExp::deleteCode):
2703         (JSC::RegExp::printTraceData):
2704         * runtime/RegExp.h:
2705         * runtime/RegExpInlines.h:
2706         (JSC::RegExp::hasCodeFor):
2707         (JSC::RegExp::matchInline):
2708         (JSC::RegExp::hasMatchOnlyCodeFor):
2709
2710 2019-03-22  Keith Rollin  <krollin@apple.com>
2711
2712         Enable ThinLTO support in Production builds
2713         https://bugs.webkit.org/show_bug.cgi?id=190758
2714         <rdar://problem/45413233>
2715
2716         Reviewed by Daniel Bates.
2717
2718         Tweak JavaScriptCore's Base.xcconfig to be more in-line with other
2719         .xcconfig files with regards to LTO settings. However, don't actually
2720         enable LTO for JavaScriptCore. LTO is not enabled for JavaScriptCore
2721         due to <rdar://problem/24543547>.
2722
2723         * Configurations/Base.xcconfig:
2724
2725 2019-03-22  Mark Lam  <mark.lam@apple.com>
2726
2727         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
2728         https://bugs.webkit.org/show_bug.cgi?id=196154
2729         <rdar://problem/49145307>
2730
2731         Reviewed by Filip Pizlo.
2732
2733         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2734         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2735
2736 2019-03-22  Mark Lam  <mark.lam@apple.com>
2737
2738         Placate exception check validation in constructJSWebAssemblyLinkError().
2739         https://bugs.webkit.org/show_bug.cgi?id=196152
2740         <rdar://problem/49145257>
2741
2742         Reviewed by Michael Saboff.
2743
2744         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2745         (JSC::constructJSWebAssemblyLinkError):
2746
2747 2019-03-22  Timothy Hatcher  <timothy@apple.com>
2748
2749         Change macosx() to macos() in WK_API... and JSC_API... macros.
2750         https://bugs.webkit.org/show_bug.cgi?id=196106
2751
2752         Reviewed by Brian Burg.
2753
2754         * API/JSBasePrivate.h:
2755         * API/JSContext.h:
2756         * API/JSContextPrivate.h:
2757         * API/JSContextRef.h:
2758         * API/JSContextRefInternal.h:
2759         * API/JSContextRefPrivate.h:
2760         * API/JSManagedValue.h:
2761         * API/JSObjectRef.h:
2762         * API/JSObjectRefPrivate.h:
2763         * API/JSRemoteInspector.h:
2764         * API/JSScript.h:
2765         * API/JSTypedArray.h:
2766         * API/JSValue.h:
2767         * API/JSValuePrivate.h:
2768         * API/JSValueRef.h:
2769         * API/JSVirtualMachinePrivate.h:
2770
2771 2019-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
2772
2773         Unreviewed, build fix for Windows
2774         https://bugs.webkit.org/show_bug.cgi?id=196122
2775
2776         * runtime/FunctionExecutable.cpp:
2777
2778 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2779
2780         [JSC] Shrink sizeof(FunctionExecutable) by 16bytes
2781         https://bugs.webkit.org/show_bug.cgi?id=196122
2782
2783         Reviewed by Saam Barati.
2784
2785         This patch reduces sizeof(FunctionExecutable) by 16 bytes.
2786
2787         1. ScriptExecutable::m_numParametersForCall and ScriptExecutable::m_numParametersForConstruct are not used in a meaningful way. Removed them.
2788         2. ScriptExecutable::m_lastLine and ScriptExecutable::m_endColumn can be calculated from UnlinkedFunctionExecutable. So FunctionExecutable does not need to hold them.
2789            This patch adds GlobalExecutable, which represents the non-function ScriptExecutables, and moves m_lastLine and m_endColumn to this class.
2790         3. FunctionExecutable still needs the ability to override m_lastLine and m_endColumn. We move the overridden data into FunctionExecutable::RareData.
2791
2792         * CMakeLists.txt:
2793         * JavaScriptCore.xcodeproj/project.pbxproj:
2794         * Sources.txt:
2795         * bytecode/UnlinkedFunctionExecutable.cpp:
2796         (JSC::UnlinkedFunctionExecutable::link):
2797         * runtime/EvalExecutable.cpp:
2798         (JSC::EvalExecutable::EvalExecutable):
2799         * runtime/EvalExecutable.h:
2800         * runtime/FunctionExecutable.cpp:
2801         (JSC::FunctionExecutable::FunctionExecutable):
2802         (JSC::FunctionExecutable::ensureRareDataSlow):
2803         (JSC::FunctionExecutable::overrideInfo):
2804         * runtime/FunctionExecutable.h:
2805         * runtime/GlobalExecutable.cpp: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2806         * runtime/GlobalExecutable.h: Copied from Source/JavaScriptCore/tools/FunctionOverrides.h.
2807         (JSC::GlobalExecutable::lastLine const):
2808         (JSC::GlobalExecutable::endColumn const):
2809         (JSC::GlobalExecutable::recordParse):
2810         (JSC::GlobalExecutable::GlobalExecutable):
2811         * runtime/ModuleProgramExecutable.cpp:
2812         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2813         * runtime/ModuleProgramExecutable.h:
2814         * runtime/ProgramExecutable.cpp:
2815         (JSC::ProgramExecutable::ProgramExecutable):
2816         * runtime/ProgramExecutable.h:
2817         * runtime/ScriptExecutable.cpp:
2818         (JSC::ScriptExecutable::clearCode):
2819         (JSC::ScriptExecutable::installCode):
2820         (JSC::ScriptExecutable::hasClearableCode const):
2821         (JSC::ScriptExecutable::newCodeBlockFor):
2822         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2823         (JSC::ScriptExecutable::recordParse):
2824         (JSC::ScriptExecutable::lastLine const):
2825         (JSC::ScriptExecutable::endColumn const):
2826         * runtime/ScriptExecutable.h:
2827         (JSC::ScriptExecutable::hasJITCodeForCall const):
2828         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2829         (JSC::ScriptExecutable::recordParse):
2830         (JSC::ScriptExecutable::lastLine const): Deleted.
2831         (JSC::ScriptExecutable::endColumn const): Deleted.
2832         * tools/FunctionOverrides.h:
2833
2834 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2835
2836         [JSC] Shrink sizeof(RegExpObject)
2837         https://bugs.webkit.org/show_bug.cgi?id=196130
2838
2839         Reviewed by Saam Barati.
2840
2841         sizeof(RegExpObject) is 48B due to one bool flag. We should compress this flag into the lower bit of the RegExp* field so that we can make RegExpObject 32B.
2842         It saves 1.3% of memory footprint in RAMification's regexp.
2843
2844         * dfg/DFGSpeculativeJIT.cpp:
2845         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2846         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2847         * ftl/FTLAbstractHeapRepository.h:
2848         * ftl/FTLLowerDFGToB3.cpp:
2849         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2850         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2851         * runtime/RegExpObject.cpp:
2852         (JSC::RegExpObject::RegExpObject):
2853         (JSC::RegExpObject::visitChildren):
2854         (JSC::RegExpObject::getOwnPropertySlot):
2855         (JSC::RegExpObject::defineOwnProperty):
2856         * runtime/RegExpObject.h:
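
Added example, not JSC's code, of the pointer-tagging trick this entry describes: a bool packed into the low bit of an aligned RegExp* so the object shrinks to a single word, with the mask applied on every read so that traversals such as visitChildren never see the tagged word. The flag name lastIndexWritable, the RegExp stand-in struct and the accessor names are assumptions made for this example.

```c
#include <assert.h>
#include <stdalign.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for JSC's RegExp cell. Its alignment is what makes the trick legal:
 * with 2-byte or coarser alignment, bit 0 of every RegExp* is zero and free to
 * carry a flag. GC-allocated cells are normally aligned to 8 or 16 bytes. */
typedef struct RegExp {
    alignas(16) const char *pattern;
} RegExp;

static_assert(alignof(RegExp) > 1, "RegExp* needs a free low bit");

/* The bit we steal; the flag's name is an assumption for this example. */
enum { kLastIndexWritableBit = 1u };
static const uintptr_t kPointerMask = ~(uintptr_t)kLastIndexWritableBit;

/* One word replaces a pointer plus a separately padded bool. */
typedef struct RegExpObjectCompact {
    uintptr_t regExpAndFlag;
} RegExpObjectCompact;

/* The layout the entry is shrinking away from, kept only for the size comparison. */
typedef struct RegExpObjectNaive {
    RegExp *regExp;
    bool lastIndexWritable;
} RegExpObjectNaive;

static RegExpObjectCompact make_regexp_object(RegExp *re, bool lastIndexWritable)
{
    uintptr_t bits = (uintptr_t)re;
    /* A misaligned pointer would collide with the flag bit; fail loudly. */
    assert((bits & kLastIndexWritableBit) == 0);
    RegExpObjectCompact obj;
    obj.regExpAndFlag = bits | (lastIndexWritable ? kLastIndexWritableBit : 0u);
    return obj;
}

/* Every consumer of the pointer (GC marking included) must go through this mask. */
static RegExp *regexp_of(const RegExpObjectCompact *obj)
{
    return (RegExp *)(obj->regExpAndFlag & kPointerMask);
}

static bool last_index_is_writable(const RegExpObjectCompact *obj)
{
    return (obj->regExpAndFlag & kLastIndexWritableBit) != 0;
}

/* Flipping the flag must leave the pointer bits untouched. */
static void set_last_index_writable(RegExpObjectCompact *obj, bool writable)
{
    if (writable)
        obj->regExpAndFlag |= kLastIndexWritableBit;
    else
        obj->regExpAndFlag &= kPointerMask;
}

static size_t compact_size(void) { return sizeof(RegExpObjectCompact); }
static size_t naive_size(void) { return sizeof(RegExpObjectNaive); }

/* Self-check: build, read back, flip the flag, read back again. */
static bool roundtrip_ok(void)
{
    RegExp re = { "a+" };
    RegExpObjectCompact obj = make_regexp_object(&re, true);
    if (regexp_of(&obj) != &re || !last_index_is_writable(&obj))
        return false;
    set_last_index_writable(&obj, false);
    if (regexp_of(&obj) != &re || last_index_is_writable(&obj))
        return false;
    set_last_index_writable(&obj, true);
    return regexp_of(&obj) == &re && last_index_is_writable(&obj);
}
```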
2857
2858 2019-03-21  Tomas Popela  <tpopela@redhat.com>
2859
2860         [JSC] Fix build after r243232 on unsupported 64bit architectures
2861         https://bugs.webkit.org/show_bug.cgi?id=196072
2862
2863         Reviewed by Keith Miller.
2864
2865         As Keith suggested, we already expect 16 free bits at the top of any
2866         pointer for JSValue even for the unsupported 64-bit arches.
2867
2868         * bytecode/CodeOrigin.h:
2869
2870 2019-03-21  Mark Lam  <mark.lam@apple.com>
2871
2872         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
2873         https://bugs.webkit.org/show_bug.cgi?id=196116
2874         <rdar://problem/48976951>
2875
2876         Reviewed by Filip Pizlo.
2877
2878         The DFG backend should not make assumptions about what optimizations the front end
2879         will or will not do.  The assertion asserts that the operand cannot be known to be
2880         a cell.  However, it is not guaranteed that the front end will fold away this case.
2881         Also, the DFG backend is perfectly capable of generating code to handle the case
2882         where the operand is a cell.
2883
2884         The attached test case demonstrates a case where the operand can be a known cell.
2885         The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
2886         trip up this assertion about once every 10 runs or so.
2887
2888         * dfg/DFGSpeculativeJIT64.cpp:
2889         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2890
2891 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2892
2893         JSC::createError should clear exception thrown by errorDescriptionForValue
2894         https://bugs.webkit.org/show_bug.cgi?id=196089
2895
2896         Reviewed by Mark Lam.
2897
2898         errorDescriptionForValue returns a nullString in case of failure, but it
2899         might also throw an OOM exception when resolving a rope string. We need
2900         to clear any potential exceptions thrown by errorDescriptionForValue
2901         before returning the OOM from JSC::createError.
2902
2903         * runtime/ExceptionHelpers.cpp:
2904         (JSC::createError):
2905
2906 2019-03-21  Robin Morisset  <rmorisset@apple.com>
2907
2908         B3::Opcode can fit in a single byte, shrinking B3Value by 8 bytes
2909         https://bugs.webkit.org/show_bug.cgi?id=196014
2910
2911         Reviewed by Keith Miller.
2912
2913         B3::Opcode has fewer than one hundred cases, so it can easily fit in one byte (from two currently).
2914         This shrinks B3::Kind from 4 bytes to 2 (by removing the byte of padding at the end).
2915         This in turn eliminates padding from B3::Value, shrinking it by 8 bytes (out of 80).
2916
2917         * b3/B3Opcode.h:
2918
2919 2019-03-21  Michael Catanzaro  <mcatanzaro@igalia.com>
2920
2921         Unreviewed, more clang 3.8 build fixes
2922         https://bugs.webkit.org/show_bug.cgi?id=195947
2923         <rdar://problem/49069219>
2924
2925         In the spirit of making our code worse to please old compilers....
2926
2927         * bindings/ScriptValue.cpp:
2928         (Inspector::jsToInspectorValue):
2929         * bytecode/GetterSetterAccessCase.cpp:
2930         (JSC::GetterSetterAccessCase::create):
2931         (JSC::GetterSetterAccessCase::clone const):
2932         * bytecode/InstanceOfAccessCase.cpp:
2933         (JSC::InstanceOfAccessCase::clone const):
2934         * bytecode/IntrinsicGetterAccessCase.cpp:
2935         (JSC::IntrinsicGetterAccessCase::clone const):
2936         * bytecode/ModuleNamespaceAccessCase.cpp:
2937         (JSC::ModuleNamespaceAccessCase::clone const):
2938         * bytecode/ProxyableAccessCase.cpp:
2939         (JSC::ProxyableAccessCase::clone const):
2940
2941 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
2942
2943         [JSC] Do not create JIT related data under non-JIT mode
2944         https://bugs.webkit.org/show_bug.cgi?id=195982
2945
2946         Reviewed by Mark Lam.
2947
2948         We avoid creating JIT-related data structures in non-JIT mode.
2949         This patch removes the following allocations.
2950
2951         1. JITThunks
2952         2. FTLThunks
2953         3. FixedVMPoolExecutableAllocator
2954         4. noJITValueProfileSingleton since it is no longer used
2955         5. ARM disassembler should be initialized when it is used
2956         6. Wasm-related data structures are accidentally allocated if VM::canUseJIT() == false &&
2957            Options::useWebAssembly() == true. Add a Wasm::isSupported() function to check both conditions.
2958
2959         * CMakeLists.txt:
2960         * JavaScriptCore.xcodeproj/project.pbxproj:
2961         * heap/Heap.cpp:
2962         (JSC::Heap::runEndPhase):
2963         * jit/ExecutableAllocator.cpp:
2964         (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
2965         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
2966         (JSC::ExecutableAllocator::isValid const):
2967         (JSC::ExecutableAllocator::underMemoryPressure):
2968         (JSC::ExecutableAllocator::memoryPressureMultiplier):
2969         (JSC::ExecutableAllocator::allocate):
2970         (JSC::ExecutableAllocator::isValidExecutableMemory):
2971         (JSC::ExecutableAllocator::getLock const):
2972         (JSC::ExecutableAllocator::committedByteCount):
2973         (JSC::ExecutableAllocator::dumpProfile):
2974         (JSC::startOfFixedExecutableMemoryPoolImpl):
2975         (JSC::endOfFixedExecutableMemoryPoolImpl):
2976         (JSC::ExecutableAllocator::initialize):
2977         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2978         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2979         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2980         * jit/ExecutableAllocator.h:
2981         (JSC::ExecutableAllocatorBase::isValid const):
2982         (JSC::ExecutableAllocatorBase::underMemoryPressure):
2983         (JSC::ExecutableAllocatorBase::memoryPressureMultiplier):
2984         (JSC::ExecutableAllocatorBase::dumpProfile):
2985         (JSC::ExecutableAllocatorBase::allocate):
2986         (JSC::ExecutableAllocatorBase::setJITEnabled):
2987         (JSC::ExecutableAllocatorBase::isValidExecutableMemory):
2988         (JSC::ExecutableAllocatorBase::committedByteCount):
2989         (JSC::ExecutableAllocatorBase::getLock const):
2990         (JSC::ExecutableAllocator::isValid const): Deleted.
2991         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2992         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2993         (JSC::ExecutableAllocator::allocate): Deleted.
2994         (JSC::ExecutableAllocator::setJITEnabled): Deleted.
2995         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
2996         (JSC::ExecutableAllocator::committedByteCount): Deleted.
2997         (JSC::ExecutableAllocator::getLock const): Deleted.
2998         * jsc.cpp:
2999         (functionWebAssemblyMemoryMode):
3000         * runtime/InitializeThreading.cpp:
3001         (JSC::initializeThreading):
3002         * runtime/JSGlobalObject.cpp:
3003         (JSC::JSGlobalObject::init):
3004         * runtime/JSLock.cpp:
3005         (JSC::JSLock::didAcquireLock):
3006         * runtime/Options.cpp:
3007         (JSC::recomputeDependentOptions):
3008         * runtime/VM.cpp:
3009         (JSC::enableAssembler):
3010         (JSC::VM::canUseAssembler):
3011         (JSC::VM::VM):
3012         * runtime/VM.h:
3013         * wasm/WasmCapabilities.h: Added.
3014         (JSC::Wasm::isSupported):
3015         * wasm/WasmFaultSignalHandler.cpp:
3016         (JSC::Wasm::enableFastMemory):
3017
3018 2019-03-21  Yusuke Suzuki  <ysuzuki@apple.com>
3019
3020         [JSC] Fix JSC build with newer ICU
3021         https://bugs.webkit.org/show_bug.cgi?id=196098
3022
3023         Reviewed by Keith Miller.
3024
3025         IntlDateTimeFormat and IntlNumberFormat have switch statements over ICU's enums. However, they lack a "default" clause, so
3026         a compile error occurs when a new enum value is added on the ICU side. We should have a "default" clause which just falls back to
3027         the "unknown"_s case. The behavior is not changed since we already have a `return "unknown"_s;` statement anyway after the
3028         switch statement. This patch just suppresses a compile error.
3029
3030         * runtime/IntlDateTimeFormat.cpp:
3031         (JSC::IntlDateTimeFormat::partTypeString):
3032         * runtime/IntlNumberFormat.cpp:
3033         (JSC::IntlNumberFormat::partTypeString):
3034
3035 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3036
3037         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3038         https://bugs.webkit.org/show_bug.cgi?id=196078
3039         <rdar://problem/35925380>
3040
3041         Reviewed by Mark Lam.
3042
3043         Unlike the other variations of putByIndex, it only checked if the index
3044         was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
3045         ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
3046         allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
3047         from JSON.
3048
3049         * runtime/JSObject.cpp:
3050         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3051
3052 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3053
3054         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
3055         https://bugs.webkit.org/show_bug.cgi?id=196079
3056
3057         Reviewed by Saam Barati.
3058
3059         It was mistakenly cached as CachedPtr, which was leaking the decoded SourceProvider.
3060
3061         * runtime/CachedTypes.cpp:
3062         (JSC::CachedUnlinkedSourceCodeShape::encode):
3063
3064 2019-03-21  Mark Lam  <mark.lam@apple.com>
3065
3066         Placate exception check validation in operationArrayIndexOfString().
3067         https://bugs.webkit.org/show_bug.cgi?id=196067
3068         <rdar://problem/49056572>
3069
3070         Reviewed by Michael Saboff.
3071
3072         * dfg/DFGOperations.cpp:
3073
3074 2019-03-21  Xan Lopez  <xan@igalia.com>
3075
3076         [JSC][x86] Drop support for x87 floating point
3077         https://bugs.webkit.org/show_bug.cgi?id=194853
3078
3079         Reviewed by Don Olmstead.
3080
3081         Require SSE2 throughout the codebase, and remove x87 support where
3082         it was optionally available. SSE2 detection happens at compile
3083         time through a static_assert.
3084
3085         * assembler/MacroAssemblerX86.h:
3086         (JSC::MacroAssemblerX86::storeDouble):
3087         (JSC::MacroAssemblerX86::moveDoubleToInts):
3088         (JSC::MacroAssemblerX86::supportsFloatingPoint):
3089         (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
3090         (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
3091         (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
3092         * assembler/MacroAssemblerX86Common.cpp:
3093         * assembler/MacroAssemblerX86Common.h:
3094         (JSC::MacroAssemblerX86Common::moveDouble):
3095         (JSC::MacroAssemblerX86Common::loadDouble):
3096         (JSC::MacroAssemblerX86Common::loadFloat):
3097         (JSC::MacroAssemblerX86Common::storeDouble):
3098         (JSC::MacroAssemblerX86Common::storeFloat):
3099         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
3100         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
3101         (JSC::MacroAssemblerX86Common::addDouble):
3102         (JSC::MacroAssemblerX86Common::addFloat):
3103         (JSC::MacroAssemblerX86Common::divDouble):
3104         (JSC::MacroAssemblerX86Common::divFloat):
3105         (JSC::MacroAssemblerX86Common::subDouble):
3106         (JSC::MacroAssemblerX86Common::subFloat):
3107         (JSC::MacroAssemblerX86Common::mulDouble):
3108         (JSC::MacroAssemblerX86Common::mulFloat):
3109         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3110         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
3111         (JSC::MacroAssemblerX86Common::branchDouble):
3112         (JSC::MacroAssemblerX86Common::branchFloat):
3113         (JSC::MacroAssemblerX86Common::compareDouble):
3114         (JSC::MacroAssemblerX86Common::compareFloat):
3115         (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
3116         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
3117         (JSC::MacroAssemblerX86Common::truncateFloatToInt32):
3118         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
3119         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
3120         (JSC::MacroAssemblerX86Common::branchDoubleZeroOrNaN):
3121         (JSC::MacroAssemblerX86Common::lshiftPacked):
3122         (JSC::MacroAssemblerX86Common::rshiftPacked):
3123         (JSC::MacroAssemblerX86Common::orPacked):
3124         (JSC::MacroAssemblerX86Common::move32ToFloat):
3125         (JSC::MacroAssemblerX86Common::moveFloatTo32):
3126         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
3127         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
3128         * offlineasm/x86.rb:
3129         * runtime/MathCommon.cpp:
3130         (JSC::operationMathPow):
3131
3132 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3133
3134         [GLIB] User data not correctly passed to callback of functions and constructors with no parameters
3135         https://bugs.webkit.org/show_bug.cgi?id=196073
3136
3137         Reviewed by Michael Catanzaro.
3138
3139         This is because GClosure always expects the first parameter to be the instance. In the case of functions or constructors with
3140         no parameters, we insert a fake instance which is just a null pointer that is ignored by the callback. But
3141         if the function/constructor has user data, the callback will expect one parameter for the user data. In that case
3142         we can simply swap instance and user data so that the fake instance will be the second argument and the user data the
3143         first one.
3144
3145         * API/glib/JSCClass.cpp:
3146         (jscClassCreateConstructor): Use g_cclosure_new_swap() if parameters is empty and user data was provided.
3147         * API/glib/JSCValue.cpp:
3148         (jscValueFunctionCreate): Ditto.
3149
3150 2019-03-21  Pablo Saavedra  <psaavedra@igalia.com>
3151
3152         [JSC][32-bit] Build failure after r243232
3153         https://bugs.webkit.org/show_bug.cgi?id=196068
3154
3155         Reviewed by Mark Lam.
3156
3157         * dfg/DFGOSRExit.cpp:
3158         (JSC::DFG::reifyInlinedCallFrames):
3159         * dfg/DFGOSRExitCompilerCommon.cpp:
3160         (JSC::DFG::reifyInlinedCallFrames):
3161
3162 2019-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3163
3164         [GLib] Returning G_TYPE_OBJECT from a method does not work
3165         https://bugs.webkit.org/show_bug.cgi?id=195574
3166
3167         Reviewed by Michael Catanzaro.
3168
3169         Add more documentation to clarify the ownership of wrapped objects when created and when returned by functions.
3170
3171         * API/glib/JSCCallbackFunction.cpp:
3172         (JSC::JSCCallbackFunction::construct): Also allow to return boxed types from a constructor.
3173         * API/glib/JSCClass.cpp:
3174         * API/glib/JSCValue.cpp:
3175
3176 2019-03-21  Mark Lam  <mark.lam@apple.com>
3177
3178         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3179         https://bugs.webkit.org/show_bug.cgi?id=196055
3180         <rdar://problem/49067448>
3181
3182         Reviewed by Yusuke Suzuki.
3183
3184         We are doing this because:
3185         1. We expect the array to be densely packed.
3186         2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
3187            expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
3188            if we don't want to use an ArrayStorage shape.
3189         3. There's no reason why an array with spread needs to be that large anyway.
3190            MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.
3191
3192         In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
3193         emitAllocateButterfly() to check for overflows.
3194
3195         * assembler/AbortReason.h:
3196         * dfg/DFGOperations.cpp:
3197         * dfg/DFGSpeculativeJIT.cpp:
3198         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3199         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3200         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3201         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3202         * ftl/FTLLowerDFGToB3.cpp:
3203         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3204         * runtime/ArrayConventions.h:
3205         * runtime/CommonSlowPaths.cpp:
3206         (JSC::SLOW_PATH_DECL):
3207
3208 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3209
3210         [JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject
3211         https://bugs.webkit.org/show_bug.cgi?id=195992
3212
3213         Reviewed by Keith Miller and Mark Lam.
3214
3215         JSGlobalLexicalEnvironment and JSGlobalObject have their own CompleteSubspace to call destructors even though they do not inherit from JSDestructibleObject.
3216         But it is too costly since (1) it requires a CompleteSubspace in VM, and (2) both objects allocate MarkedBlocks while the number of them is really small.
3217
3218         Instead of using CompleteSubspace, we just set finalizers for them. Since these objects are rarely allocated, setting finalizers does not show
3219         memory / performance problems (actually, we previously used a finalizer for ArrayPrototype for the same reason, and it did not show any problems).
3220
3221         And we also add the following two changes to JSSegmentedVariableObject.
3222
3223         1. Remove one boolean used for debugging in Release builds. It enlarges sizeof(JSSegmentedVariableObject) and allocates one more MarkedBlock.
3224         2. Use cellLock() instead.
3225
3226         * CMakeLists.txt:
3227         * JavaScriptCore.xcodeproj/project.pbxproj:
3228         * Sources.txt:
3229         * runtime/JSSegmentedVariableObject.cpp:
3230         (JSC::JSSegmentedVariableObject::findVariableIndex):
3231         (JSC::JSSegmentedVariableObject::addVariables):
3232         (JSC::JSSegmentedVariableObject::visitChildren):
3233         (JSC::JSSegmentedVariableObject::~JSSegmentedVariableObject):
3234         (JSC::JSSegmentedVariableObject::finishCreation):
3235         * runtime/JSSegmentedVariableObject.h:
3236         (JSC::JSSegmentedVariableObject::subspaceFor): Deleted.
3237         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Removed.
3238         * runtime/JSSegmentedVariableObjectHeapCellType.h: Removed.
3239         * runtime/StringIteratorPrototype.cpp:
3240         * runtime/VM.cpp:
3241         (JSC::VM::VM):
3242         * runtime/VM.h:
3243
3244 2019-03-20  Saam Barati  <sbarati@apple.com>
3245
3246         DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
3247         https://bugs.webkit.org/show_bug.cgi?id=195721
3248
3249         Reviewed by Filip Pizlo.
3250
3251         There was a check in AbstractValue::validateOSREntry where it checked
3252         if isHeapTop(), and if so, just returned true. However, this is wrong
3253         if the value we're checking against is the empty value, since HeapTop
3254         does not include the Empty value. Instead, this check should be
3255         isBytecodeTop(), which does account for the empty value.
3256         
3257         This patch also does a couple of other things:
3258         - For our OSR entry AbstractValues, we were using HeapTop to mark
3259          a dead value. That is now changed to BytecodeTop. (The idea here
3260          is just to have validateOSREntry return early.)
3261         - It wasn't obvious to me how I could make this fail in JS code.
3262          The symptom we'd end up seeing is something like a nullptr dereference
3263          from forgetting to do a TDZ check. Instead, I've added a unit test.
3264          This unit test lives in a new test file: testdfg. testdfg is similar
3265          to testb3/testair/testapi.
3266
3267         * JavaScriptCore.xcodeproj/project.pbxproj:
3268         * bytecode/SpeculatedType.h:
3269         * dfg/DFGAbstractValue.h:
3270         (JSC::DFG::AbstractValue::isBytecodeTop const):
3271         (JSC::DFG::AbstractValue::validateOSREntryValue const):
3272         * dfg/testdfg.cpp: Added.
3273         (hiddenTruthBecauseNoReturnIsStupid):
3274         (usage):
3275         (JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
3276         (JSC::DFG::run):
3277         (run):
3278         (main):
3279         * shell/CMakeLists.txt:
3280
3281 2019-03-20  Saam Barati  <sbarati@apple.com>
3282
3283         typeOfDoubleSum is wrong for when NaN can be produced
3284         https://bugs.webkit.org/show_bug.cgi?id=196030
3285
3286         Reviewed by Filip Pizlo.
3287
3288         We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
3289         It assumed that the only way the resulting type could be NaN is if one of
3290         the inputs were NaN. However, this is wrong. NaN can be produced in at least
3291         these cases:
3292           Infinity - Infinity
3293           Infinity + (-Infinity)
3294           Infinity * 0
3295
3296         * bytecode/SpeculatedType.cpp:
3297         (JSC::typeOfDoubleSumOrDifferenceOrProduct):
3298         (JSC::typeOfDoubleSum):
3299         (JSC::typeOfDoubleDifference):
3300         (JSC::typeOfDoubleProduct):
3301
3302 2019-03-20  Simon Fraser  <simon.fraser@apple.com>
3303
3304         Rename ENABLE_ACCELERATED_OVERFLOW_SCROLLING macro to ENABLE_OVERFLOW_SCROLLING_TOUCH
3305         https://bugs.webkit.org/show_bug.cgi?id=196049
3306
3307         Reviewed by Tim Horton.
3308
3309         This macro is about the -webkit-overflow-scrolling CSS property, not accelerated
3310         overflow scrolling in general, so rename it.
3311
3312         * Configurations/FeatureDefines.xcconfig:
3313
3314 2019-03-20  Saam Barati  <sbarati@apple.com>
3315
3316         GetCallee does not report the correct type in AI
3317         https://bugs.webkit.org/show_bug.cgi?id=195981
3318
3319         Reviewed by Yusuke Suzuki.
3320
3321         I found this as part of my work in:
3322         https://bugs.webkit.org/show_bug.cgi?id=195924
3323         
3324         I'm not sure how to write a test for it.
3325         
3326         GetCallee was always reporting that the result is SpecFunction. However,
3327         for eval, it may result in just a JSCallee object, which is not a JSFunction.
3328
3329         * dfg/DFGAbstractInterpreterInlines.h:
3330         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3331
3332 2019-03-20  Mark Lam  <mark.lam@apple.com>
3333
3334         Open source arm64e code.
3335         https://bugs.webkit.org/show_bug.cgi?id=196012
3336         <rdar://problem/49066237>
3337
3338         Reviewed by Keith Miller.
3339
3340         * JavaScriptCore.xcodeproj/project.pbxproj:
3341         * Sources.txt:
3342         * assembler/ARM64EAssembler.h: Added.
3343         (JSC::ARM64EAssembler::encodeGroup1):
3344         (JSC::ARM64EAssembler::encodeGroup2):
3345         (JSC::ARM64EAssembler::encodeGroup4):
3346         (JSC::ARM64EAssembler::pacia1716):
3347         (JSC::ARM64EAssembler::pacib1716):
3348         (JSC::ARM64EAssembler::autia1716):
3349         (JSC::ARM64EAssembler::autib1716):
3350         (JSC::ARM64EAssembler::paciaz):
3351         (JSC::ARM64EAssembler::paciasp):
3352         (JSC::ARM64EAssembler::pacibz):
3353         (JSC::ARM64EAssembler::pacibsp):
3354         (JSC::ARM64EAssembler::autiaz):
3355         (JSC::ARM64EAssembler::autiasp):
3356         (JSC::ARM64EAssembler::autibz):
3357         (JSC::ARM64EAssembler::autibsp):
3358         (JSC::ARM64EAssembler::xpaclri):
3359         (JSC::ARM64EAssembler::pacia):
3360         (JSC::ARM64EAssembler::pacib):
3361         (JSC::ARM64EAssembler::pacda):
3362         (JSC::ARM64EAssembler::pacdb):
3363         (JSC::ARM64EAssembler::autia):
3364         (JSC::ARM64EAssembler::autib):
3365         (JSC::ARM64EAssembler::autda):
3366         (JSC::ARM64EAssembler::autdb):
3367         (JSC::ARM64EAssembler::paciza):
3368         (JSC::ARM64EAssembler::pacizb):
3369         (JSC::ARM64EAssembler::pacdza):
3370         (JSC::ARM64EAssembler::pacdzb):
3371         (JSC::ARM64EAssembler::autiza):
3372         (JSC::ARM64EAssembler::autizb):
3373         (JSC::ARM64EAssembler::autdza):
3374         (JSC::ARM64EAssembler::autdzb):
3375         (JSC::ARM64EAssembler::xpaci):
3376         (JSC::ARM64EAssembler::xpacd):
3377         (JSC::ARM64EAssembler::pacga):
3378         (JSC::ARM64EAssembler::braa):
3379         (JSC::ARM64EAssembler::brab):
3380         (JSC::ARM64EAssembler::blraa):
3381         (JSC::ARM64EAssembler::blrab):
3382         (JSC::ARM64EAssembler::braaz):
3383         (JSC::ARM64EAssembler::brabz):
3384         (JSC::ARM64EAssembler::blraaz):
3385         (JSC::ARM64EAssembler::blrabz):
3386         (JSC::ARM64EAssembler::retaa):
3387         (JSC::ARM64EAssembler::retab):
3388         (JSC::ARM64EAssembler::eretaa):
3389         (JSC::ARM64EAssembler::eretab):
3390         (JSC::ARM64EAssembler::linkPointer):
3391         (JSC::ARM64EAssembler::repatchPointer):
3392         (JSC::ARM64EAssembler::setPointer):
3393         (JSC::ARM64EAssembler::readPointer):
3394         (JSC::ARM64EAssembler::readCallTarget):
3395         (JSC::ARM64EAssembler::ret):
3396         * assembler/MacroAssembler.cpp:
3397         * assembler/MacroAssembler.h:
3398         * assembler/MacroAssemblerARM64.cpp:
3399         * assembler/MacroAssemblerARM64E.h: Added.
3400         (JSC::MacroAssemblerARM64E::tagReturnAddress):
3401         (JSC::MacroAssemblerARM64E::untagReturnAddress):
3402         (JSC::MacroAssemblerARM64E::tagPtr):
3403         (JSC::MacroAssemblerARM64E::untagPtr):
3404         (JSC::MacroAssemblerARM64E::removePtrTag):
3405         (JSC::MacroAssemblerARM64E::callTrustedPtr):
3406         (JSC::MacroAssemblerARM64E::call):
3407         (JSC::MacroAssemblerARM64E::callRegister):
3408         (JSC::MacroAssemblerARM64E::jump):
3409         * dfg/DFGOSRExit.cpp:
3410         (JSC::DFG::reifyInlinedCallFrames):
3411         * dfg/DFGOSRExitCompilerCommon.cpp:
3412         (JSC::DFG::reifyInlinedCallFrames):
3413         * ftl/FTLThunks.cpp:
3414         (JSC::FTL::genericGenerationThunkGenerator):
3415         * jit/CCallHelpers.h:
3416         (JSC::CCallHelpers::prepareForTailCallSlow):
3417         * jit/CallFrameShuffler.cpp:
3418         (JSC::CallFrameShuffler::prepareForTailCall):
3419         * jit/ExecutableAllocator.cpp:
3420         (JSC::ExecutableAllocator::allocate):
3421         * jit/ThunkGenerators.cpp:
3422         (JSC::arityFixupGenerator):
3423         * llint/LLIntOfflineAsmConfig.h:
3424         * llint/LowLevelInterpreter.asm:
3425         * llint/LowLevelInterpreter64.asm:
3426         * runtime/ClassInfo.h:
3427         * runtime/InitializeThreading.cpp:
3428         (JSC::initializeThreading):
3429         * runtime/JSCPtrTag.cpp: Added.
3430         (JSC::tagForPtr):
3431         (JSC::ptrTagName):
3432         (JSC::initializePtrTagLookup):
3433         * runtime/JSCPtrTag.h:
3434         (JSC::initializePtrTagLookup):
3435         * runtime/Options.cpp:
3436         (JSC::recomputeDependentOptions):
3437
3438 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3439
3440         JSC::createError needs to check for OOM in errorDescriptionForValue
3441         https://bugs.webkit.org/show_bug.cgi?id=196032
3442         <rdar://problem/46842740>
3443
3444         Reviewed by Mark Lam.
3445
3446         We were missing exceptions checks at two levels:
3447         - In errorDescriptionForValue, when the value is a string, we should
3448           check that JSString::value returns a valid string, since we might run
3449           out of memory if it is a rope and we need to resolve it.
3450         - In createError, we should check for the result of errorDescriptionForValue
3451           before concatenating it with the message provided by the caller.
3452
3453         * runtime/ExceptionHelpers.cpp:
3454         (JSC::errorDescriptionForValue):
3455         (JSC::createError):
3456         * runtime/ExceptionHelpers.h:
3457
3458 2019-03-20  Devin Rousso  <drousso@apple.com>
3459
3460         Web Inspector: DOM: include window as part of any event listener chain
3461         https://bugs.webkit.org/show_bug.cgi?id=195730
3462         <rdar://problem/48916872>
3463
3464         Reviewed by Timothy Hatcher.
3465
3466         * inspector/protocol/DOM.json:
3467         Modify `DOM.getEventListenersForNode` to not save the handler object, as that was never
3468         used by the frontend. Add an `onWindow` optional property to `DOM.EventListener` that is set
3469         when the event listener was retrieved from the `window` object.
3470
3471 2019-03-20  Devin Rousso  <drousso@apple.com>
3472
3473         Web Inspector: Runtime: lazily create the agent
3474         https://bugs.webkit.org/show_bug.cgi?id=195972
3475         <rdar://problem/49039655>
3476
3477         Reviewed by Timothy Hatcher.
3478
3479         * inspector/JSGlobalObjectInspectorController.cpp:
3480         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3481         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3482
3483         * inspector/agents/InspectorRuntimeAgent.h:
3484         (Inspector::InspectorRuntimeAgent::enabled): Deleted.
3485         * inspector/agents/InspectorRuntimeAgent.cpp:
3486         (Inspector::InspectorRuntimeAgent::didCreateFrontendAndBackend): Added.
3487         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3488
3489         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3490         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3491         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): Deleted.
3492
3493 2019-03-20  Michael Saboff  <msaboff@apple.com>
3494
3495         JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
3496         https://bugs.webkit.org/show_bug.cgi?id=195906
3497
3498         Reviewed by Mark Lam.
3499
3500         The problem here is that we may successfully parse a RegExp without running out of stack,
3501         but later run out of stack when trying to JIT compile the same expression.
3502
3503         Added a check for available stack space when we call into one of the parenthesis compilation
3504         functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
3505         compilation and let the interpreter handle the expression.
3506
3507         From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
3508         Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
3509         Given that we can reproduce a failure, this is sufficient for now.
3510
3511         This change is covered by the previously added failing test,
3512         JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
3513
3514         * yarr/YarrInterpreter.cpp:
3515         (JSC::Yarr::Interpreter::interpret):
3516         * yarr/YarrJIT.cpp:
3517         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3518         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3519         (JSC::Yarr::YarrGenerator::opCompileBody):
3520         (JSC::Yarr::dumpCompileFailure):
3521         * yarr/YarrJIT.h:
3522
3523 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3524
3525         DFGNodeAllocator.h is dead code
3526         https://bugs.webkit.org/show_bug.cgi?id=196019
3527
3528         Reviewed by Yusuke Suzuki.
3529
3530         As explained by Yusuke on IRC, the comment on DFG::Node saying that it cannot have a destructor is obsolete since https://trac.webkit.org/changeset/216815/webkit.
3531         This patch removes both the comment and DFGNodeAllocator.h that that patch forgot to remove.
3532
3533         * dfg/DFGNode.h:
3534         (JSC::DFG::Node::dumpChildren):
3535         * dfg/DFGNodeAllocator.h: Removed.
3536
3537 2019-03-20  Robin Morisset  <rmorisset@apple.com>
3538
3539         Compress CodeOrigin into a single word in the common case
3540         https://bugs.webkit.org/show_bug.cgi?id=195928
3541
3542         Reviewed by Saam Barati.
3543
3544         The trick is that pointers only take 48 bits on x86_64 in practice (and we can even use the bottom three bits of that thanks to alignment), and even less on ARM64.
3545         So we can shove the bytecode index in the top bits almost all the time.
3546         If the bytecodeIndex is too ginormous (1<<16 in practice on x86_64), we just set one bit at the bottom and store a pointer to some out-of-line storage instead.
3547         Finally we represent an invalid bytecodeIndex (which used to be represented by UINT_MAX) by setting the second least significant bit.
3548
3549         The patch looks very long, but most of it is just replacing direct accesses to inlineCallFrame and bytecodeIndex by the relevant getters.
3550
3551         End result: CodeOrigin in the common case moves from 16 bytes (8 for InlineCallFrame*, 4 for unsigned bytecodeIndex, 4 of padding) to 8.
3552         As a reference, during running JetStream2 we allocate more than 35M CodeOrigins. While they won't all be alive at the same time, it is still quite a lot of objects, so I am hoping for some small
3553         improvement to RAMification from this work.
3554
3555         The one slightly tricky part is that we must implement copy and move assignment operators and constructors to make sure that any out-of-line storage belongs to a single CodeOrigin and is destroyed exactly once.
3556
3557         * bytecode/ByValInfo.h:
3558         * bytecode/CallLinkStatus.cpp:
3559         (JSC::CallLinkStatus::computeFor):
3560         * bytecode/CodeBlock.cpp:
3561         (JSC::CodeBlock::globalObjectFor):
3562         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3563         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3564         * bytecode/CodeOrigin.cpp:
3565         (JSC::CodeOrigin::inlineDepth const):
3566         (JSC::CodeOrigin::isApproximatelyEqualTo const):
3567         (JSC::CodeOrigin::approximateHash const):
3568         (JSC::CodeOrigin::inlineStack const):
3569         (JSC::CodeOrigin::codeOriginOwner const):
3570         (JSC::CodeOrigin::stackOffset const):
3571         (JSC::CodeOrigin::dump const):
3572         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
3573         * bytecode/CodeOrigin.h:
3574         (JSC::OutOfLineCodeOrigin::OutOfLineCodeOrigin):
3575         (JSC::CodeOrigin::CodeOrigin):
3576         (JSC::CodeOrigin::~CodeOrigin):
3577         (JSC::CodeOrigin::isSet const):
3578         (JSC::CodeOrigin::isHashTableDeletedValue const):
3579         (JSC::CodeOrigin::bytecodeIndex const):
3580         (JSC::CodeOrigin::inlineCallFrame const):
3581         (JSC::CodeOrigin::buildCompositeValue):
3582         (JSC::CodeOrigin::hash const):
3583         (JSC::CodeOrigin::operator== const):
3584         (JSC::CodeOrigin::exitingInlineKind const): Deleted.
3585         * bytecode/DeferredSourceDump.h:
3586         * bytecode/GetByIdStatus.cpp:
3587         (JSC::GetByIdStatus::computeForStubInfo):
3588         (JSC::GetByIdStatus::computeFor):
3589         * bytecode/ICStatusMap.cpp:
3590         (JSC::ICStatusContext::isInlined const):
3591         * bytecode/InByIdStatus.cpp:
3592         (JSC::InByIdStatus::computeFor):
3593         (JSC::InByIdStatus::computeForStubInfo):
3594         * bytecode/InlineCallFrame.cpp:
3595         (JSC::InlineCallFrame::dumpInContext const):
3596         * bytecode/InlineCallFrame.h:
3597         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
3598         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
3599         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
3600         (JSC::CodeOrigin::walkUpInlineStack):
3601         * bytecode/InstanceOfStatus.h:
3602         * bytecode/PutByIdStatus.cpp:
3603         (JSC::PutByIdStatus::computeForStubInfo):
3604         (JSC::PutByIdStatus::computeFor):
3605         * dfg/DFGAbstractInterpreterInlines.h:
3606         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3607         * dfg/DFGArgumentsEliminationPhase.cpp:
3608         * dfg/DFGArgumentsUtilities.cpp:
3609         (JSC::DFG::argumentsInvolveStackSlot):
3610         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3611         * dfg/DFGArrayMode.h:
3612         * dfg/DFGByteCodeParser.cpp:
3613         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3614         (JSC::DFG::ByteCodeParser::setLocal):
3615         (JSC::DFG::ByteCodeParser::setArgument):
3616         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3617         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3618         (JSC::DFG::ByteCodeParser::parseBlock):
3619         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3620         (JSC::DFG::ByteCodeParser::handlePutByVal):
3621         * dfg/DFGClobberize.h:
3622         (JSC::DFG::clobberize):
3623         * dfg/DFGConstantFoldingPhase.cpp:
3624         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3625         * dfg/DFGFixupPhase.cpp:
3626         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3627         * dfg/DFGForAllKills.h:
3628         (JSC::DFG::forAllKilledOperands):
3629         * dfg/DFGGraph.cpp:
3630         (JSC::DFG::Graph::dumpCodeOrigin):
3631         (JSC::DFG::Graph::dump):
3632         (JSC::DFG::Graph::isLiveInBytecode):
3633         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3634         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3635         * dfg/DFGGraph.h:
3636         (JSC::DFG::Graph::executableFor):
3637         (JSC::DFG::Graph::isStrictModeFor):
3638         (JSC::DFG::Graph::hasExitSite):
3639         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3640         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3641         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3642         * dfg/DFGMinifiedNode.cpp:
3643         (JSC::DFG::MinifiedNode::fromNode):
3644         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3645         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3646         * dfg/DFGOSRExit.cpp:
3647         (JSC::DFG::OSRExit::executeOSRExit):
3648         (JSC::DFG::reifyInlinedCallFrames):
3649         (JSC::DFG::adjustAndJumpToTarget):
3650         (JSC::DFG::printOSRExit):
3651         (JSC::DFG::OSRExit::compileExit):
3652         * dfg/DFGOSRExitBase.cpp:
3653         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3654         * dfg/DFGOSRExitCompilerCommon.cpp:
3655         (JSC::DFG::handleExitCounts):
3656         (JSC::DFG::reifyInlinedCallFrames):
3657         (JSC::DFG::adjustAndJumpToTarget):
3658         * dfg/DFGOSRExitPreparation.cpp:
3659         (JSC::DFG::prepareCodeOriginForOSRExit):
3660         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3661         * dfg/DFGOperations.cpp:
3662         * dfg/DFGPreciseLocalClobberize.h:
3663         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3664         * dfg/DFGSpeculativeJIT.cpp:
3665         (JSC::DFG::SpeculativeJIT::emitGetLength):
3666         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3667         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3668         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3669         (JSC::DFG::SpeculativeJIT::compileValueSub):
3670         (JSC::DFG::SpeculativeJIT::compileValueNegate):
3671         (JSC::DFG::SpeculativeJIT::compileValueMul):
3672         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3673         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3674         * dfg/DFGSpeculativeJIT32_64.cpp:
3675         (JSC::DFG::SpeculativeJIT::emitCall):
3676         * dfg/DFGSpeculativeJIT64.cpp:
3677         (JSC::DFG::SpeculativeJIT::emitCall):
3678         (JSC::DFG::SpeculativeJIT::compile):
3679         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3680         (JSC::DFG::TierUpCheckInjectionPhase::run):
3681         (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):
3682         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3683         * dfg/DFGTypeCheckHoistingPhase.cpp:
3684         (JSC::DFG::TypeCheckHoistingPhase::run):
3685         * dfg/DFGVariableEventStream.cpp:
3686         (JSC::DFG::VariableEventStream::reconstruct const):
3687         * ftl/FTLLowerDFGToB3.cpp:
3688         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3689         (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
3690         (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
3691         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3692         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
3693         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3694         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3695         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3696         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3697         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3698         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
3699         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3700         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3701         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3702         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3703         (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
3704         * ftl/FTLOSRExitCompiler.cpp:
3705         (JSC::FTL::compileStub):
3706         * ftl/FTLOperations.cpp:
3707         (JSC::FTL::operationMaterializeObjectInOSR):
3708         * interpreter/CallFrame.cpp:
3709         (JSC::CallFrame::bytecodeOffset):
3710         * interpreter/StackVisitor.cpp:
3711         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
3712         (JSC::StackVisitor::readFrame):
3713         (JSC::StackVisitor::readNonInlinedFrame):
3714         (JSC::inlinedFrameOffset):
3715         (JSC::StackVisitor::readInlinedFrame):
3716         * interpreter/StackVisitor.h:
3717         * jit/AssemblyHelpers.cpp:
3718         (JSC::AssemblyHelpers::executableFor):
3719         * jit/AssemblyHelpers.h:
3720         (JSC::AssemblyHelpers::isStrictModeFor):
3721         (JSC::AssemblyHelpers::argumentsStart):
3722         (JSC::AssemblyHelpers::argumentCount):
3723         * jit/PCToCodeOriginMap.cpp:
3724         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3725         (JSC::PCToCodeOriginMap::findPC const):
3726         * profiler/ProfilerOriginStack.cpp:
3727         (JSC::Profiler::OriginStack::OriginStack):
3728         * profiler/ProfilerOriginStack.h:
3729         * runtime/ErrorInstance.cpp:
3730         (JSC::appendSourceToError):
3731         * runtime/SamplingProfiler.cpp:
3732         (JSC::SamplingProfiler::processUnverifiedStackTraces):
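
        The single-word layout described in this entry, as an added C++ model that is not JSC's code: the `InlineCallFrame` stand-in, the `OutOfLineCodeOrigin` fallback, the exact bit positions and the defensive 48-bit pointer check are assumptions chosen to match the description above, and the copy/move members show why out-of-line storage must be owned by exactly one CodeOrigin.

```cpp
// Added model of the compressed CodeOrigin described above; not JSC's code.
// Assumed layout of the 64-bit composite word:
//   bits 48..63  bytecode index (inline case, at most 16 bits)
//   bits  3..47  InlineCallFrame* (48-bit user-space pointer, 8-byte aligned)
//   bit   1      "invalid bytecode index" flag
//   bit   0      word holds an OutOfLineCodeOrigin*, not an InlineCallFrame*
#include <cassert>
#include <cstdint>
#include <limits>
#include <utility>

static_assert(sizeof(void*) == 8, "this model assumes 64-bit pointers");

// Stand-in for JSC's InlineCallFrame; only its 8-byte aligned address matters.
struct alignas(8) InlineCallFrame { int id; };

// Heap fallback used when the index (or, defensively, the pointer) does not fit.
struct OutOfLineCodeOrigin {
    InlineCallFrame* inlineCallFrame;
    unsigned bytecodeIndex;
};

class CodeOrigin {
public:
    static constexpr unsigned invalidBytecodeIndex = std::numeric_limits<unsigned>::max();
    static constexpr unsigned pointerBits = 48;
    static constexpr uintptr_t outOfLineBit = 1;
    static constexpr uintptr_t invalidBit = 2;
    static constexpr uintptr_t flagMask = 0x7;   // low 3 bits are free thanks to alignment
    static constexpr uintptr_t pointerMask = ((uintptr_t(1) << pointerBits) - 1) & ~flagMask;
    static constexpr unsigned maxInlineBytecodeIndex = (1u << (64 - pointerBits)) - 1; // 65535

    CodeOrigin() : m_composite(invalidBit) { }
    explicit CodeOrigin(unsigned bytecodeIndex, InlineCallFrame* frame = nullptr)
        : m_composite(build(frame, bytecodeIndex)) { }

    // Copying re-encodes the decoded pair, so out-of-line storage is never shared.
    CodeOrigin(const CodeOrigin& other)
        : m_composite(build(other.inlineCallFrame(), other.bytecodeIndex())) { }
    // Moving transfers ownership of any out-of-line storage and leaves `other` invalid.
    CodeOrigin(CodeOrigin&& other) noexcept
        : m_composite(std::exchange(other.m_composite, uintptr_t(invalidBit))) { }
    CodeOrigin& operator=(const CodeOrigin& other)
    {
        CodeOrigin copy(other);                 // copy-and-swap: self-assignment safe
        std::swap(m_composite, copy.m_composite);
        return *this;                           // `copy` frees our old storage
    }
    CodeOrigin& operator=(CodeOrigin&& other) noexcept
    {
        if (this != &other) {
            release();
            m_composite = std::exchange(other.m_composite, uintptr_t(invalidBit));
        }
        return *this;
    }
    ~CodeOrigin() { release(); }

    bool usesOutOfLineStorage() const { return m_composite & outOfLineBit; }
    bool isSet() const { return bytecodeIndex() != invalidBytecodeIndex; }

    unsigned bytecodeIndex() const
    {
        if (usesOutOfLineStorage())
            return outOfLine()->bytecodeIndex;
        if (m_composite & invalidBit)
            return invalidBytecodeIndex;
        return static_cast<unsigned>(m_composite >> pointerBits);
    }
    InlineCallFrame* inlineCallFrame() const
    {
        if (usesOutOfLineStorage())
            return outOfLine()->inlineCallFrame;
        return reinterpret_cast<InlineCallFrame*>(m_composite & pointerMask);
    }
    uintptr_t rawComposite() const { return m_composite; }

private:
    static uintptr_t build(InlineCallFrame* frame, unsigned bytecodeIndex)
    {
        uintptr_t ptr = reinterpret_cast<uintptr_t>(frame);
        assert(!(ptr & flagMask) && "InlineCallFrame must be 8-byte aligned");
        bool pointerFits = !(ptr & ~pointerMask);        // defensive: not in the entry
        if (bytecodeIndex > maxInlineBytecodeIndex || !pointerFits) {
            auto* storage = new OutOfLineCodeOrigin { frame, bytecodeIndex };
            uintptr_t raw = reinterpret_cast<uintptr_t>(storage);
            assert(!(raw & flagMask));
            return raw | outOfLineBit;
        }
        if (bytecodeIndex == invalidBytecodeIndex)
            return ptr | invalidBit;                     // keep the frame, flag the index
        return (uintptr_t(bytecodeIndex) << pointerBits) | ptr;
    }
    OutOfLineCodeOrigin* outOfLine() const
    {
        return reinterpret_cast<OutOfLineCodeOrigin*>(m_composite & ~flagMask);
    }
    void release()
    {
        if (usesOutOfLineStorage())
            delete outOfLine();
        m_composite = invalidBit;
    }

    uintptr_t m_composite;
};
```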
3733
3734 2019-03-20  Devin Rousso  <drousso@apple.com>
3735
3736         Web Inspector: Search: allow DOM searches to be case sensitive
3737         https://bugs.webkit.org/show_bug.cgi?id=194673
3738         <rdar://problem/48087577>
3739
3740         Reviewed by Timothy Hatcher.
3741
3742         Since `DOM.performSearch` also searches by selector and XPath, some results may appear
3743         as unexpected. As an example, searching for "BoDy" will still return the <body> as a result,
3744         as although the literal node name ("BODY") didn't match, it did match via selector/XPath.
3745
3746         * inspector/protocol/DOM.json:
3747         Allow `DOM.performSearch` to be case sensitive.
3748
3749 2019-03-20  Saam Barati  <sbarati@apple.com>
3750
3751         AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong
3752         https://bugs.webkit.org/show_bug.cgi?id=195980
3753
3754         Reviewed by Yusuke Suzuki.
3755
3756         They were all saying they could be type: (SpecBoolInt32, SpecBigInt)
3757         However, they should have been type: (SpecInt32Only, SpecBigInt)
3758
3759         * dfg/DFGAbstractInterpreterInlines.h:
3760         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3761
3762 2019-03-20  Michael Catanzaro  <mcatanzaro@igalia.com>
3763
3764         Remove copyRef() calls added in r243163
3765         https://bugs.webkit.org/show_bug.cgi?id=195962
3766
3767         Reviewed by Chris Dumez.
3768
3769         As best I can tell, this may be a GCC 9 bug. It shouldn't warn about this case because the return
3770         value is noncopyable and the WTFMove() is absolutely required. We can avoid the warning
3771         without refcount churn by introducing an intermediate variable.
3772
3773         * inspector/scripts/codegen/cpp_generator_templates.py:
3774
3775 2019-03-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3776
3777         [GLIB] Optimize jsc_value_object_define_property_data|accessor
3778         https://bugs.webkit.org/show_bug.cgi?id=195679
3779
3780         Reviewed by Saam Barati.
3781
3782         Use direct C++ call instead of using the JSC GLib API to create the descriptor object and invoke Object.defineProperty().
3783
3784         * API/glib/JSCValue.cpp:
3785         (jsc_value_object_define_property_data):
3786         (jsc_value_object_define_property_accessor):
3787
3788 2019-03-19  Devin Rousso  <drousso@apple.com>
3789
3790         Web Inspector: Debugger: lazily create the agent
3791         https://bugs.webkit.org/show_bug.cgi?id=195973
3792         <rdar://problem/49039674>
3793
3794         Reviewed by Joseph Pecoraro.
3795
3796         * inspector/JSGlobalObjectInspectorController.cpp:
3797         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3798         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
3799         (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
3800
3801         * inspector/JSGlobalObjectConsoleClient.h:
3802         (Inspector::JSGlobalObjectConsoleClient::setInspectorDebuggerAgent): Added.
3803         * inspector/JSGlobalObjectConsoleClient.cpp:
3804         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3805         (Inspector::JSGlobalObjectConsoleClient::startConsoleProfile):
3806         (Inspector::JSGlobalObjectConsoleClient::stopConsoleProfile):
3807
3808         * inspector/agents/InspectorDebuggerAgent.h:
3809         (Inspector::InspectorDebuggerAgent::addListener): Added.
3810         (Inspector::InspectorDebuggerAgent::removeListener): Added.
3811         (Inspector::InspectorDebuggerAgent::setListener): Deleted.
3812         * inspector/agents/InspectorDebuggerAgent.cpp:
3813         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3814         (Inspector::InspectorDebuggerAgent::enable):
3815         (Inspector::InspectorDebuggerAgent::disable):
3816         (Inspector::InspectorDebuggerAgent::getScriptSource):
3817         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3818         (Inspector::InspectorDebuggerAgent::didPause):
3819         (Inspector::InspectorDebuggerAgent::breakProgram):
3820         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
3821         Drive-by: reorder some member variables for better sizing.
3822         Drive-by: rename some member variables for clarity.
3823
3824 2019-03-19  Saam barati  <sbarati@apple.com>
3825
3826         Prune code after ForceOSRExit
3827         https://bugs.webkit.org/show_bug.cgi?id=195913
3828
3829         Reviewed by Keith Miller.
3830
3831         I removed our original implementation of this in r242989 because
3832         it was not sound. It broke backwards propagation because it removed
3833         uses of a node that backwards propagation relied on to be sound.
3834         Essentially, backwards propagation relies on being able to see uses
3835         that would exist in bytecode to be sound.
3836         
3837         The rollout in r242989 was a 1% Speedometer2 regression. This patch
3838         rolls back in the optimization in a sound way.
3839         
3840         This patch augments the code we had prior to r242989 to be sound. In
3841         addition to preserving liveness, we now also convert all uses after
3842         the ForceOSRExit to be Phantom. This may pessimize the optimizations
3843         we do in backwards propagation, but it will prevent that phase from
3844         making unsound optimizations.
3845
3846         * dfg/DFGByteCodeParser.cpp:
3847         (JSC::DFG::ByteCodeParser::addToGraph):
3848         (JSC::DFG::ByteCodeParser::parse):
3849
3850 2019-03-19  Michael Catanzaro  <mcatanzaro@igalia.com>
3851
3852         Build cleanly with GCC 9
3853         https://bugs.webkit.org/show_bug.cgi?id=195920
3854
3855         Reviewed by Chris Dumez.
3856
3857         WebKit triggers three new GCC 9 warnings:
3858
3859         """
3860         -Wdeprecated-copy, implied by -Wextra, warns about the C++11 deprecation of implicitly
3861         declared copy constructor and assignment operator if one of them is user-provided.
3862         """
3863
3864         Solution is to either add a copy constructor or copy assignment operator, if required, or
3865         else remove one if it is redundant.
3866
3867         """
3868         -Wredundant-move, implied by -Wextra, warns about redundant calls to std::move.
3869         -Wpessimizing-move, implied by -Wall, warns when a call to std::move prevents copy elision.
3870         """
3871
3872         These account for most of this patch. Solution is to just remove the bad WTFMove().
3873
3874         Additionally, -Wclass-memaccess has been enhanced to catch a few cases that GCC 8 didn't.
3875         These are solved by casting nontrivial types to void* before using memcpy. (Of course, it
3876         would be safer to not use memcpy on nontrivial types, but that's too complex for this
3877         patch. Searching for memcpy used with static_cast<void*> will reveal other cases to fix.)
3878